Port Forwarding Not Working

Hello All,
I have set up a VOIP server with address 10.10.1.1.
I also have a VOIP service that comes from a VOIP provider over a private network (VOIP gateway address 10.105.20.134), and I have set up 10.123.232.61/24 on my router. I can ping the VOIP gateway IP address fine.
Now I need a rule to receive requests from the VOIP provider, like this:

0 chain=dstnat action=dst-nat to-addresses=10.10.1.1 to-ports=5060
protocol=udp src-address=10.105.20.134 dst-address=10.123.232.61
dst-port=5060 log=no log-prefix=""

But it does not work :(

I used Torch to monitor the interface:

Eth. Protocol Protocol Src. Dst. VLAN Id DSCP Tx Rate Rx Rate Tx Packet Rate Rx Packet Rate

0 800 (ip) 17 (udp) 10.105.20.134:5060 (sip) 10.123.232.61:5060 (sip) 0 bps 3.1 kbps 0 0

Where is my mistake?

Hi

The forward needs to be allowed in filter table too. In default config, it’s done auto for all “dst-nat”-ed connections. If you have modified it, you need to allow it.

/ip firewall filter add chain=forward …

Thanks for your reply.

There is no rule in filter table.

Would you mind posting your config?

"/export hide-sensitive compact"

# model = CCR1036-12G-4S
# serial number = 76C182F2Y7S9

/interface ethernet
set [ find default-name=ether1 ] disabled=yes
set [ find default-name=ether2 ] name=ether2-Clients
set [ find default-name=ether3 ] name=ether3-pbx
set [ find default-name=ether11 ] name=ether11-tctvoip
set [ find default-name=ether12 ] name=ether12-internet
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether12-internet name=\
internet user=aaa
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.26.1-192.168.26.100
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2 lease-time=\
3d10m name=dhcp1
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface detect-internet
set detect-interface-list=all
/interface pptp-server server
set enabled=yes
/ip address
add address=10.10.1.254/24 interface=ether3-pbx network=10.10.1.0
add address=10.123.232.61/24 interface=ether11-tctvoip network=10.123.232.0
add address=192.168.26.254/24 interface=ether2-Clients network=192.168.26.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=\
ether11-tctvoip use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.26.0/24 dns-server=10.2.1.1,4.2.2.4,8.8.8.8 gateway=\
192.168.26.254

/ip firewall nat
add action=dst-nat chain=dstnat comment="tct voip----> local voip server" \
dst-address=10.123.232.61 dst-port=5060 protocol=udp src-address=\
10.105.20.134 to-addresses=10.10.1.1 to-ports=5060
add action=masquerade chain=srcnat comment="VOIP server<====>Clients" \
dst-address=10.10.1.1 out-interface=ether2-Clients src-address=\
192.168.26.0/24
add action=masquerade chain=srcnat comment="my laptop" out-interface=\
internet src-address=192.168.26.11
add action=src-nat chain=srcnat dst-address=192.168.100.1 src-address=\
192.168.26.11 to-addresses=192.168.100.1
add action=masquerade chain=srcnat src-address=1.1.1.2

/ip route
add check-gateway=ping distance=1 gateway=10.123.232.1 routing-mark=TEST
add comment="To tct gateway" distance=1 dst-address=10.105.20.134/32 gateway=\
10.123.232.1

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=51.37.172.106/23 disabled=yes port=8021
set ssh disabled=yes
set winbox port=23321
set api-ssl disabled=yes
/ppp secret
add local-address=1.1.1.1 name=sohraab remote-address=1.1.1.2 service=pptp

These look all wrong to me…
add action=masquerade chain=srcnat comment="VOIP server<====>Clients" \
dst-address=10.10.1.1 out-interface=ether2-Clients src-address=\
192.168.26.0/24
add action=masquerade chain=srcnat comment="my laptop" out-interface=\
internet src-address=192.168.26.11
add action=src-nat chain=srcnat dst-address=192.168.100.1 src-address=\
192.168.26.11 to-addresses=192.168.100.1
add action=masquerade chain=srcnat src-address=1.1.1.2


Plus I don't see any firewall rules, and thus the config is not ready to put on the net!
(in the forward chain of firewall rules you would want this one)
add action=accept chain=forward comment=\
"Allow Port Forwarding - DSTNAT" connection-nat-state=dstnat

Some observations


# You know what your internet interface is => pppoe, would suggest to disable it as it caused issues in other instances
/interface detect-internet
set detect-interface-list=all



# There is a fixed ip set & dhcp together? dhcp-client can / should probably be disabled/removed.
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=\
ether11-tctvoip use-peer-dns=no use-peer-ntp=no



# out interface is .26. and src too? Is that even needed? Both have the router as default gateway anyway
add action=masquerade chain=srcnat comment="VOIP server<====>Clients" \
dst-address=10.10.1.1 out-interface=ether2-Clients src-address=\
192.168.26.0/24



# you should remove the src-address, as you want all traffic to be masqueraded 
add action=masquerade chain=srcnat comment="my laptop" out-interface=\
internet src-address=192.168.26.11



# .100. address is not set on this router. This rule should be removed.
add action=src-nat chain=srcnat dst-address=192.168.100.1 src-address=\
192.168.26.11 to-addresses=192.168.100.1



# 1.2 address is not set on this router. This rule should be removed.
add action=masquerade chain=srcnat src-address=1.1.1.2



# This one is currently unused
add check-gateway=ping distance=1 gateway=10.123.232.1 routing-mark=TEST

Currently there is no filtering at all, so once dstnat-ed it will pass voip → pbx. But in reverse there is also translation needed, src-nat pbx → voip:

add action=src-nat chain=srcnat out-interface=ether11-tctvoip to-addresses=10.123.232.61

You would want to secure the router if it is connected to the internet: see https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
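
The advice in this thread combined into one configuration, as an added example that is not from any of the posters: the dst-nat rule, the return src-nat, and a filter table that forwards only established traffic and connections a dst-nat rule mapped. Interface names and addresses are those in the posted export; the interface list names `WAN` and `LAN` and the rule comments are assumptions.

```routeros
# Added example. WAN/LAN list names are assumptions; interfaces and
# addresses are taken from the export posted in the thread.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=internet
add list=WAN interface=ether11-tctvoip
add list=LAN interface=ether2-Clients
add list=LAN interface=ether3-pbx

/ip firewall nat
# Inbound SIP from the provider gateway is mapped to the PBX.
add chain=dstnat action=dst-nat protocol=udp src-address=10.105.20.134 \
    dst-address=10.123.232.61 dst-port=5060 to-addresses=10.10.1.1 \
    to-ports=5060 comment="tct voip -> local voip server"
# Traffic leaving towards the provider uses the router's address there.
add chain=srcnat action=src-nat out-interface=ether11-tctvoip \
    to-addresses=10.123.232.61 comment="pbx -> tct voip"

/ip firewall filter
# Input chain: the router itself answers only replies, ICMP and the LAN side.
add chain=input action=accept connection-state=established,related \
    comment="accept established,related"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=drop in-interface-list=!LAN \
    comment="drop input not coming from LAN"
# Forward chain: replies first, then only what a dst-nat rule mapped.
add chain=forward action=accept connection-state=established,related \
    comment="accept established,related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept connection-nat-state=dstnat \
    comment="Allow Port Forwarding - DSTNAT"
add chain=forward action=drop connection-state=new in-interface-list=WAN \
    comment="drop new WAN connections that were not dst-nat"
```

The final input rule also blocks the PPTP server and WinBox from the WAN side; if either is meant to be reachable from there, an explicit accept has to sit above it. Apply the input rules from a LAN-side session so the drop does not cut off the connection used to configure the router.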