NAT table not cleared correctly

Issue:
PBX cannot re-register with the SIP trunk after connection loss

Description:
I am using an Asterisk-based PBX behind a MikroTik RB3011UiAS. The PBX connects to a SIP trunk. Every 24 hours we have a forced disconnection of the internet connection. After the forced disconnection, the PBX tries to log on to the SIP trunk again. The PBX sends packets to the SIP trunk, but there are no response packets in the RouterBoard. A new connection can only be established after restarting the RouterBoard, disconnecting the PBX connection or changing the SIP port.

Versions affected:
6.39.3, 6.40.4, 6.40.5 tested

How to reproduce:

  1. Establish Internet connection via PPPoE
  2. Register Asterisk-based PBX (e.g. FreePBX) to SIP trunk
  3. Disable PPPoE interface and wait a few seconds
  4. Enable PPPoE interface

Network setup:

+----------------+          +---------------+          +------------+            +-------------+
|       PBX      |  ether6  |   RB3011UiAS  |  ether1  | VDSL modem |  Internet  |  SIP trunk  |
| 192.168.111.79 |----------| 192.168.111.1 |----------|  10.0.0.1  |------------| 95.128.80.5 |
+----------------+          +---------------+          +------------+            +-------------+

Firewall settings:

/ip firewall filter
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=accept chain=input comment="OpenVPN remote connection" dst-port=443 in-interface=pppoe-telekom protocol=tcp
add action=drop chain=input comment="drop all from WAN" in-interface=pppoe-telekom
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=reject chain=forward comment="reject connection from guest to office lan" in-interface=bridge_guest out-interface=!pppoe-telekom reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="drop invalid connection" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-telekom

/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade wan1" out-interface=pppoe-telekom

Connection tracking before internet connection reset:

[admin@router01] /ip firewall connection> print where src-address~"192.168.111.79:5060"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 #          PROTOCOL SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT     ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS      ORIG-BYTES      REPL-BYTES
 0  SAC Fs  udp      192.168.111.79:5060   95.128.80.5:5060                  2m57s            0bps      0bps            1            3             588           1 067

Connection tracking after internet connection reset:

[admin@router01] /ip firewall connection> print where src-address~"192.168.111.79:5060"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 #          PROTOCOL SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT     ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS      ORIG-BYTES      REPL-BYTES
 0    C  s  udp      192.168.111.79:5060   95.128.80.5:5060                  58s           9.4kbps      0bps            5            0           2 940               0

Notes:
There seems to be a problem with NAT, because after restarting the RouterBoard or changing the port, the connection is immediately reestablished. Deleting the connection from the connection tracking does not solve the problem.

Support TicketID:
Ticket#2017112222000777

Best regards,
Stefan
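
As an added example (not part of this thread and not RouterOS code), here is a small Python parser for the `/ip firewall connection print` output quoted above that flags the state the report describes: an entry that still carries the srcnat flag but has lost seen-reply and counts zero reply packets. The column regex and the "healthy"/"one-way" labels are my own assumptions about the output format, derived only from the two captures in the post.

```python
import re

# Sample input: the two "/ip firewall connection print" captures from the
# report above, pasted here verbatim so the block runs offline.
BEFORE_RESET = """\
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat
 #          PROTOCOL SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT     ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS      ORIG-BYTES      REPL-BYTES
 0  SAC Fs  udp      192.168.111.79:5060   95.128.80.5:5060                  2m57s            0bps      0bps            1            3             588           1 067
"""
AFTER_RESET = """\
 0    C  s  udp      192.168.111.79:5060   95.128.80.5:5060                  58s           9.4kbps      0bps            5            0           2 940               0
"""

# Flags are variable width, TCP-STATE is blank for UDP and byte counts carry a
# space as thousands separator ("1 067"), so match columns by pattern, not split().
ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<flags>[A-Za-z ]*?)\s+(?P<proto>[a-z0-9-]+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+(?::\d+)?)\s+(?P<dst>\d+\.\d+\.\d+\.\d+(?::\d+)?)\s+"
    r"(?:(?P<tcp_state>[a-z-]+)\s+)?"
    r"(?P<timeout>\S+)\s+(?P<orig_rate>\S+)\s+(?P<repl_rate>\S+)\s+"
    r"(?P<orig_pkts>\d[\d ]*?)\s{2,}(?P<repl_pkts>\d[\d ]*?)\s{2,}"
    r"(?P<orig_bytes>\d[\d ]*?)\s{2,}(?P<repl_bytes>\d[\d ]*?)\s*$"
)

def parse_connections(text: str) -> list:
    """One dict per data row; legend, column header and prompt lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["flags"] = set(e["flags"].replace(" ", ""))   # e.g. {"S","A","C","F","s"}
        for key in ("orig_pkts", "repl_pkts", "orig_bytes", "repl_bytes"):
            e[key] = int(e[key].replace(" ", ""))        # "2 940" -> 2940
        entries.append(e)
    return entries

def diagnose(e: dict) -> str:
    """Classify by what differs between the two captures: the S flag and REPL-PACKETS."""
    if "S" in e["flags"] and e["repl_pkts"] > 0:
        return "healthy"   # seen-reply: the far end answers through the mapping
    if "s" in e["flags"] and e["orig_pkts"] > 0 and e["repl_pkts"] == 0:
        return "one-way"   # srcnat applied, packets leave, nothing comes back
    return "unknown"

def one_way_entries(text: str) -> list:
    """Flow keys ("src->dst/proto") a monitoring script should alarm on."""
    return [f'{e["src"]}->{e["dst"]}/{e["proto"]}'
            for e in parse_connections(text) if diagnose(e) == "one-way"]
```

Feeding the "after reset" capture returns the PBX-to-trunk flow as one-way while the "before" capture returns nothing, which is the difference the post is pointing at.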

What type of NAT do you use? Auto associate NAT only on masquerade works.

I just have set up src-nat with masquerade.

And?

Well, that’s it? :slight_smile: I don’t know what information you are asking for. If you can specify them I will provide you all information I can get to solve my problem!

If you’re already using masquerade, then I don’t know what is the problem. Maybe in Asterisk server.

The problem seems to be that there are some old connection states saved, even if I clear the connection table. I have every 24h a disconnect and after the disconnect the asterisk doesn’t connect to my SIP trunk anymore. I can only reconnect if I disconnect the asterisk for 5-10 minutes or if I reboot the router. I used wireshark and can see that asterisk is sending REGISTER packets, but I never receive a packet from the SIP trunk.

Firewall configuration added to first post

Do you receive a new IP on the WAN interface through DHCP, or is there a static one? SIP providers often firewall client connections and make a static entry for the user IP. SIP uses UDP; udp-timeout (time; Default: 10s)


Yours respectfully!

Hello kujo,
my public IP is static. It makes no difference if I set a timeout of 1 minute, 10 seconds, 1 second or 0.
Like I said, if I reboot the router everything is working fine. If I disconnect the PBX for at least 5 minutes everything works fine. And another method I tried: if I change the PBX port from 5060 to another port like 5080 it also works fine.
If I remove the connection from the connection table it creates a new connection in a few seconds, but it’s still a non-working connection. The PBX is sending SIP REGISTER packets but I don’t get answer packets. I tried to log them with a firewall rule, but nothing. That makes sense, because there seems to be a problem with the NAT. The router remembers something that I cannot remove. For me it looks like a bug in RouterOS.

You may try, in firewall services, to disable the SIP helper.


Yours respectfully!

Hi kujo,

thank you for the advice. It’s already disabled. I just forgot to mention it.

Best regards
Stefan

Ok. Can you paste /ip firewall nat export compact?


Yours respectfully!

You can find my settings in the start post. I will change that from “codebox” to “code”. It should be more visible :slight_smile:

For NAT it’s just that:

/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade wan1" out-interface=pppoe-telekom

Ok. Everything is fine in ip firewall. Try turning on the packet sniffer on all interfaces for UDP port 5060. How do the packets arrive? Look at the connection tracker when you make an outgoing call. Look at the Asterisk console, ‘sip show peers’, and the call logs. You can also turn on debug on a specific SIP channel!


Yours respectfully!

I already did that with Wireshark. Before the connection was lost everything worked fine. The PBX is sending SIP REGISTER/OPTIONS packets and gets an answer from the SIP trunk. After the connection was lost the PBX is sending out SIP REGISTER/OPTIONS packets to the SIP trunk, but I don’t receive any packets from the SIP trunk. I tested that with 2 different SIP trunks and after a reboot of the RouterBoard it is working again.
Debugging on the PBX makes no sense, because it doesn’t receive packets from the SIP trunk.

What usually happens on my network is the reply dst-address is incorrect.

Instead of it being the public IP address it ends up being the private IP address of the router or SIP device.

It’s almost as if NAT did not work when the link came back up.

Manually removing the connection from connection tracking solves the problem for me at least.

Hi p3rad0x,

the Reply Dst. Address is correct. It’s my public IP.
It’s also correct in the SIP message header.

Removing the connection manually or by script from the connection tracking doesn’t solve the problem.

Best regards
Stefan

Stefan, can you start packet sniffer at mikrotik router? /tool packet sniffer


Yours respectfully!