One way video - PBX

Hello All. How are you doing?

I’ve implemented a PBX with Asterisk in my LAN, but the problem that I’m having is that when there is a video call between a softphone that is in the LAN and one that is in an external network, the MikroTik router RB2011 is filtering the incoming video, not the outgoing. I don’t have this problem if the video call is made between softphones that are in the LAN. Also, I don’t have a problem with the audio signal, just the video.

As the ISP gives me just one public IP, there is a NAT. This is the firewall NAT configuration:

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether6
add action=dst-nat chain=dstnat dst-port=5060 protocol=udp to-addresses=\
    100.64.0.99 to-ports=5060
add action=dst-nat chain=dstnat dst-address=100.64.0.0/24 dst-port=10000-20000 \
    protocol=udp src-port=10000-20000 to-addresses=100.64.0.0/24 to-ports=\
    10000-20000

As you can see, the first action is the generic NAT. The second action allows me to establish signaling with the PBX, which is in the LAN, from a softphone which is outside the LAN (without this line the connection is not established).

And the last line is an attempt to allow the incoming video stream, but it’s not working. You can see here that the private IP pool is 100.64.0.0/24 and the ports for RTP packets are random within the port range 10000-20000 (this is an Asterisk characteristic). I can change the port range, but for every call I need 2 RTP ports, and if there is a video stream, 4 ports for every 2 softphones which establish a video call. The RTP port range 10000-20000 is a standard in Asterisk.
Also, the MikroTik port which is connected to the public network is ether6 and the port that connects the LAN is ether2; there is a switch configuration with the ports ether1, ether3, ether4 and ether5 with ether2 as master-port.

How must I configure the NAT? What am I missing?

Best regards.

I’m not sure your problem lies in the NAT policy. Are you allowing incoming traffic through your firewall on the given ports? A good NAT translation doesn’t mean the traffic is actually entering your network.

Thanks for the reply.

Well, first I tried with these rules:

/ip firewall filter
add action=accept chain=input port=22,8291,80,443 protocol=tcp
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=ether6
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether6
add action=accept chain=forward dst-port=10000-20000 protocol=udp src-port=\
    10000-20000

Where you can see that there is a chain=forward rule with an accept action in the last line, and it takes care of those ports. But it doesn’t fix the problem.

Just a doubt that I have: defining a port range like this

src-port=10000-20000

Is that syntax fine?

If I’m not mistaken, the video used is H323 - a “joy” to work with, with NAT. I don’t remember the caveats, but take a look at the H323 signaling and NAT behavior.

Something that I’ve noticed is that when the softphone that is in the public network makes a voice call, the communication is established but just for a few seconds, and then the call drops. That doesn’t happen when the softphone in the LAN makes the call.

Is there any documentation about this? Regarding the wiki, Firewall/NAT is not complete for this type of problem.

Just try this:
/ip fi service-port disable sip,h323

> add action=accept chain=forward dst-port=10000-20000 protocol=udp src-port=\
>     10000-20000

I would leave off the src-port part of that rule.  Source ports can be all over the place.

Thanks, the problem was the src-port.

Can I ask you a question, k6ccc? Why is that? Aren’t the softphones supposed to work in a fixed range of ports?

I found this in RFC 768 for UDP:

“Source Port is an optional field, when meaningful, it indicates the port
of the sending process, and may be assumed to be the port to which a
reply should be addressed in the absence of any other information. If
not used, a value of zero is inserted.”

Very simple. The device that is originating the packet picks a semi-random port number to use for the origination. It will always be a port number that is otherwise not used on that device. High port numbers are normally used.
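To make the advice in this thread concrete (drop the `src-port` match from the forward accept rule, and from the matching dst-nat rule, because the remote softphone picks an ephemeral source port), here is an added example that is not part of the thread and not MikroTik's or Asterisk's code: a small first-match packet-filter simulator in Python. The rule objects only imitate the RouterOS rules quoted above; the packets, ports and interface names are constructed for illustration. It shows that the original rule set drops a remote video RTP packet arriving with an ephemeral source port, that the corrected rule set accepts it, and that the `connection-nat-state=!dstnat` drop still blocks unrelated new inbound traffic in both versions.

```python
"""Added example (not from the thread): first-match simulation of a
dstnat stage followed by a forward chain, RouterOS-style, to show why a
src-port restriction on RTP rules drops remote video.  All rules and
packets below are constructed for illustration."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    in_iface: str
    src_port: int
    dst_port: int
    conn_state: str = "new"      # "new" | "established"
    dst_natted: bool = False     # set by the dstnat stage


@dataclass(frozen=True)
class Rule:
    action: str                          # "accept" | "drop" | "dst-nat"
    proto: Optional[str] = None
    in_iface: Optional[str] = None
    dst_ports: Optional[PortRange] = None
    src_ports: Optional[PortRange] = None
    conn_state: Optional[str] = None
    only_not_dstnat: bool = False        # connection-nat-state=!dstnat

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.in_iface and p.in_iface != self.in_iface:
            return False
        if self.dst_ports and not self.dst_ports[0] <= p.dst_port <= self.dst_ports[1]:
            return False
        if self.src_ports and not self.src_ports[0] <= p.src_port <= self.src_ports[1]:
            return False
        if self.conn_state and p.conn_state != self.conn_state:
            return False
        if self.only_not_dstnat and p.dst_natted:
            return False
        return True


def verdict(dstnat: List[Rule], forward: List[Rule], p: Packet) -> str:
    """Run the dstnat stage, then the forward chain; first match wins.
    RouterOS accepts by default when no forward rule matches."""
    if any(r.matches(p) for r in dstnat if r.action == "dst-nat"):
        p = replace(p, dst_natted=True)
    for r in forward:
        if r.matches(p):
            return r.action
    return "accept"


RTP = (10000, 20000)

# Rule sets mirroring the thread: "original" keeps the src-port match,
# "fixed" drops it from both the dst-nat and the forward accept rule.
def build_rules(restrict_src_port: bool):
    src = RTP if restrict_src_port else None
    dstnat = [Rule("dst-nat", proto="udp", dst_ports=RTP, src_ports=src)]
    forward = [
        Rule("accept", conn_state="established"),
        Rule("drop", conn_state="new", in_iface="ether6", only_not_dstnat=True),
        Rule("accept", proto="udp", dst_ports=RTP, src_ports=src),
    ]
    return dstnat, forward


ORIGINAL = build_rules(restrict_src_port=True)
FIXED = build_rules(restrict_src_port=False)

# Constructed packets: remote softphone video RTP with an ephemeral source
# port, a peer that happens to use an in-range source port, and an
# unrelated new inbound connection from the internet.
REMOTE_VIDEO = Packet("udp", "ether6", src_port=51234, dst_port=14000)
REMOTE_IN_RANGE = Packet("udp", "ether6", src_port=12000, dst_port=14000)
UNRELATED_INBOUND = Packet("tcp", "ether6", src_port=40000, dst_port=445)


def compare() -> dict:
    """Verdict of each constructed packet under both rule sets."""
    return {
        name: (verdict(*ORIGINAL, pkt), verdict(*FIXED, pkt))
        for name, pkt in [("remote_video", REMOTE_VIDEO),
                          ("remote_in_range", REMOTE_IN_RANGE),
                          ("unrelated_inbound", UNRELATED_INBOUND)]
    }


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:18s} original={before:6s} fixed={after}")
```

The "remote_in_range" row is the interesting one: a peer that happens to pick a source port inside 10000-20000 passes even the original rules, which is why a src-port match can appear to work in one test and fail in the next. Removing it does not widen exposure beyond the RTP range itself, since the `!dstnat` drop still discards any new inbound flow that no dst-nat rule claimed.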