Prototypical SIP Setup

Howdy!

I am new to Mikrotik and have enjoyed setting up my RB2011. I am impressed with the feature set, but I can’t seem to get a SIP phone up and running correctly. Here are a few facts about my setup:

  • I have one public IP
  • My SIP desk phone is the only VOIP device / SIP device I have
  • I need to forward SIP/RTP traffic to my SIP phone
  • My SIP phone is assigned a static private IP on my lan
  • I am not currently using any VLANs

I have played around with different firewall rules but can’t seem to figure out the secret sauce to get it working. Eventually I would want to perform QoS, but for now, I need to set up the very minimal rules to get the phone working through the firewall/NAT.

Could you guys offer a sample script for setting this up or a sample config that works for you?

Thanks!

It’s odd that you’re required to forward ports to the IP phone - certainly the phone is registering as an endpoint on a server out on the Internet somewhere… Most service providers have NAT-aware systems, so in general it’s better to do nothing special on your side.

Disable the SIP helper in the IP Firewall Service Ports menu, and get rid of all of your phone-related port maps, and see if this makes things better for you.
(you can just disable the rules instead of deleting them so that you don’t “lose your work” if taking them away doesn’t help)

If the service provider offers a STUN server and your phone has a STUN setting, then that’s likely to be the best solution for you if a “basic” configuration doesn’t work.

Thanks for the reply! My SIP provider offers a STUN server and those settings have been configured with the SIP phone. I have tried with the SIP helper both enabled and disabled but here is the problem that remains: I can successfully make a call out and I can successfully make a call in, but those calls are disconnected after 3-4 seconds. Initially you can hear audio, but then the session drops.
The phone has a PCAP export feature. When you export the PCAP, you can see that the phone gets the invite and starts ringing. When you pick up the phone, initially voice packets are transferred. The non-SIP phone (in this case a cell phone) shows that the call is terminated, the SIP phone shows that the call is in progress but there is no audio. This happens if I use my cell to call the SIP phone or use the SIP phone to call my cell.

This sounds like a breakdown in the signalling process.
Re-invites, ACKs, etc. might be getting dropped or sent wrong.

One quick test to tell whether your router is to blame or not would be to simply put the public IP directly on the phone and test that way.

Also, if you have lots of firewall filter rules, try relaxing those - or inserting a quickie “allow all dst-address=priv.ip.of.phone” rule right at the top of the forward chain.
I definitely recommend the SIP helper be disabled - I’ve seen it cause very subtle issues that only happen over time, and disabling it made the “creeping death” go away completely.

Thanks for the advice. I am going to nuke the config on the phone and the router and re-build everything tonight with your advice.

FWIW - 4 seconds sounds to me like the CONNECT part of the call setup isn’t getting acknowledged properly - but that the initial INVITE messages must also contain the SDP information (which tells the two endpoints where the audio should be sent, what codec used, etc) because you’re getting immediate audio.

Apparently all of the signalling is working properly during the calling phase. You can test this a bit - see what happens if you hang up the call from the calling party side before answering the phone - does the called party phone keep ringing? (that would be incorrect behavior)

If that works as it should, then it’s very likely something in the behavior of the phone/SIP service - SIP is a very broadly-defined protocol, and many vendors have their own extensions to it or their own interpretation of certain standards. This leads to a wide variety of things that can go wrong, unfortunately. It seems like either a disagreement over some final parameters - some systems perform a re-invite whenever the call is established, and some systems will accept this or reject it, etc.

Most telling will be the results of a direct-to-internet connection on the phone… removing the “firewall” component completely.
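
An added example, not part of any post in this thread: a small Python check for the signalling symptom discussed above, an answered INVITE whose 200 OK is never followed by an ACK, plus a check for RFC 1918 addresses advertised in the Contact header or SDP `c=` line (a sign that the phone's private address is leaking through NAT). The sample messages, addresses and function names are constructed for illustration; in practice the message texts would come from the phone's PCAP export.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(raw):
    """Split one SIP message into start line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def unacked_invites(messages):
    """(Call-ID, CSeq number) of every 200 OK to an INVITE that never got an ACK."""
    answered, acked = [], set()
    for raw in messages:
        start, h, _ = parse(raw)
        num, _, method = h.get("cseq", "").partition(" ")
        key = (h.get("call-id"), num)
        if start.startswith("SIP/2.0 200") and method == "INVITE" and key not in answered:
            answered.append(key)
        elif start.startswith("ACK "):
            acked.add(key)
    return [k for k in answered if k not in acked]

def private_addrs(raw):
    """RFC 1918 addresses advertised in the Contact header or SDP c= lines."""
    _, h, body = parse(raw)
    found = re.findall(r"\d+\.\d+\.\d+\.\d+", h.get("contact", ""))
    found += re.findall(r"^c=IN IP4 (\d+\.\d+\.\d+\.\d+)", body, re.M)
    out = []
    for a in found:
        try:
            if any(ipaddress.ip_address(a) in net for net in RFC1918):
                out.append(a)
        except ValueError:  # digits that are not a valid IPv4 address
            pass
    return out

# Constructed sample: call c1 is answered but never ACKed, call c2 completes.
OK = "SIP/2.0 200 OK\r\nCall-ID: {0}\r\nCSeq: 1 INVITE\r\nContact: <sip:100@{1}:5060>\r\n\r\nv=0\r\nc=IN IP4 {1}\r\nm=audio 4000 RTP/AVP 0\r\n"
SAMPLE = [
    OK.format("c1", "192.168.88.10"),
    OK.format("c1", "192.168.88.10"),  # retransmitted answer, still no ACK
    OK.format("c2", "203.0.113.5"),
    "ACK sip:100@203.0.113.5 SIP/2.0\r\nCall-ID: c2\r\nCSeq: 1 ACK\r\n\r\n",
]
```
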

I followed your advice and disabled the SIP helper and removed the firewall rules that I was playing around with. I was finally able to get it to work! I have tested SRTP, but SRTP calls do not make it past the 4 second mark. I am working with my SIP provider to figure this one out.