I have a PBX behind my RB2011 and it is running SIP trunks. I am having 1 way audio issues (inbound from carrier being blocked). I cannot seem to get the setup correct in IP/Firewall/NAT for this.
Here’s what I need in a basic description:
- UDP ports 10020 through 10531 need to come inbound from the SIP carrier through the RB2011 to 192.168.201.201…same internal UDP ports 10020-10531.
Everything else is good currently. My SIP registration is occurring w/o issue (5060&5061), though I’ve no specific rules in place for this. I suspect a defconf is allowing this. So no worries there.
Any thoughts? I have lost count of the combinations I have already tried in IP/Firewall/NAT for adding a new rule.
Very sure it is blocked at the RB2011. I can wireshark at the PBX and the ISP (Impact Telecom) is capturing as well. We see the traffic leaving the PBX to Impact, Impact sees traffic to the PBX, but I do not see the returned UDP traffic in wireshark.
Again, this is only the audio stream that uses UDP ports 10020-10531. The SIP registration that sets up and tears down the call is moving in and out of the RB2011 unmolested.
STUN, I am unfamiliar with that…that’s not a RB setting, is it? It isn’t an option in the PBX, that I do know.
I am sorry all, I am a phone guy first, not a traditional IT guy.
I am learning my new RB2011 and haven’t figured it out well enough to be fluent yet. How can I go about providing the current settings I have? I’m in the web GUI and/or WinBox but I don’t see a way to easily copy the data. I know how to do a dbase back up.
Also, Blajah, I can’t seem to find where in WinBox or the GUI I attempt the command you provided? If it matters, the PBX is not using a PRI, but SIP trunking.
Those current rules are for other devices/IPs on my LAN and are not actually the ones I'm currently troubleshooting, so really, there is not a current NAT rule for this post.
The Filter Rules are at default values as well. Here's that stuff:
[admin@MikroTik_Router] /ip firewall> export
I am also new to RouterOS but I had a similar problem. As I can see you set up some NAT rules which should be fine. But your firewall seems to drop them. You have to set up forward rules for every entry in your NAT table.
Example: you want to run an FTP service:
NAT so that port 21 is NATed to 192.168.0.200 (for example)
Firewall rule (forward chain) so that port 21 is accepted
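The pattern from the reply above (a dst-nat rule plus a matching forward-chain accept), applied to the RTP port range from the original question. This is an added example, not a configuration posted by anyone in the thread. The carrier address 203.0.113.10 and the list name sip-carrier are placeholders, and ether1 as the WAN port is taken from the masquerade rule quoted in this thread.

```routeros
# Added example, not from the thread. Assumptions: ether1 is the WAN port,
# 203.0.113.10 is a placeholder for the carrier's media address, and
# "sip-carrier" is a made-up address-list name.

# 1. Limit who may use the forwarded ports: list the carrier's media source(s).
/ip firewall address-list
add list=sip-carrier address=203.0.113.10 comment="placeholder: carrier media IP"

# 2. Destination NAT: RTP arriving on the WAN goes to the PBX, same port numbers
#    (to-ports is omitted, so the destination port is left unchanged).
/ip firewall nat
add chain=dstnat action=dst-nat in-interface=ether1 protocol=udp \
    dst-port=10020-10531 src-address-list=sip-carrier \
    to-addresses=192.168.201.201 comment="RTP from carrier to PBX"

# 3. Forward chain: accept the translated flow. By the time the forward chain
#    runs, the destination is already the PBX address. This rule has to sit
#    above any drop rule in the forward chain to have an effect.
/ip firewall filter
add chain=forward action=accept in-interface=ether1 protocol=udp \
    dst-address=192.168.201.201 dst-port=10020-10531 \
    src-address-list=sip-carrier connection-nat-state=dstnat \
    comment="allow RTP to PBX after dst-nat"

# 4. Check: place a test call, then look at the packet counters on both rules.
/ip firewall nat print stats
/ip firewall filter print stats
```

If the dstnat counter stays at zero during a test call, no matching packets are reaching ether1 and the cause lies outside these rules.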
Man, I’m starting to lose it. For kicks, I blew out all the NAT rules, save for:
chain=srcnat action=masquerade src-address=192.168.201.0/24 dst-address=0.0.0.0/0 out-interface=ether1 log=no log-prefix=""
Then I went to Filter Rules and disabled all of them.
So effectively (by my fractured logic) there should be no Filter Rules or NAT rules enabled. I have then made a test inbound call and I still do not have 2 way audio…inbound UDP 10020-10531 packets are not making it to the PBX from the SIP provider.
Where else in the RB2011 would incoming traffic be blocked? I have not done a whole lot of config changes on this setup, so it isn’t exactly super densely programmed.
I’m actually not about to lose my s***, just a bad example of trying to be funny in text..dooh!
I just tweaked my NAT rules:
[admin@MikroTik_Router] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
Ok, I have a really good handle on NAT programming now…thank you all for the assistance.
I have proven the forwarding sequence is correct in the RB2011, which led to a discovery that has nothing to do w/ the router.
I have 2 way audio now on incoming and outgoing calls.
I have learned much today with the NAT setup and also the Terminal print command. Very handy.
Thank you all for your patience and assistance. Hopefully, I’ll be good for a while now.