Registering outside peer to Asterisk via nat mikrotik

Gents,

I need an external peer to register to Asterisk, which is behind a NAT MikroTik.

/ip firewall filter
add chain=input comment="Accept established connections Mikrotik" connection-state=established
add chain=forward comment="Accept established connections My Network" connection-state=established
add chain=input comment="Accept related connections Mikrotik" connection-state=related
add chain=forward comment="Accept related connections My Network" connection-state=related
add action=drop chain=input comment="Drop invalid connections Mikrotik" connection-state=invalid
add action=drop chain=forward comment="Drop invalid connections My Network" connection-state=invalid
add chain=input comment="Access to router only from My Network" in-interface=ether5-lan src-address=192.168.1.0/24
add chain=input comment="" dst-port=58291,65022 protocol=tcp
add chain=forward comment="" src-address-list=Internet
add chain=forward comment="" src-address=192.168.1.198
add chain=forward comment="" dst-port=3389 protocol=tcp
add chain=input comment="" port=1701,500,4500 protocol=udp
add chain=input protocol=ipsec-esp
add chain=forward comment="SIP" dst-address=212.x.x.x dst-port=5060-5180 protocol=udp
add action=drop chain=input comment="All other drop" in-interface=!ether5-lan
add action=drop chain=forward comment="All other drop" log=yes

/ip firewall nat
add action=masquerade chain=srcnat comment=nat1-isp1 out-interface=ether1-gateway1
add action=masquerade chain=srcnat comment=nat2-isp2 out-interface=ether2-gateway2
add action=netmap chain=dstnat comment="Port forwarding to 1C server (RDP)" disabled=yes dst-address=212.x.x.x dst-port=63389 protocol=tcp to-addresses=192.168.1.39 to-ports=3389
add action=netmap chain=dstnat comment="Port forwarding to Video server" dst-address=212.x.x.x dst-port=8000 protocol=tcp to-addresses=192.168.1.5 to-ports=8000
add action=netmap chain=dstnat comment="Port forwarding to Jurist PC (RDP)" dst-address=212.x.x.x dst-port=61389 protocol=tcp to-addresses=192.168.1.11 to-ports=3389
add action=netmap chain=dstnat comment="Port forwarding to CDS (SSH)" dst-address=212.x.x.x dst-port=65522 protocol=tcp to-addresses=192.168.1.7 to-ports=65522
add action=netmap chain=dstnat comment="Port forwarding to RDP" dst-port=53389 in-interface=ether1-gateway1 protocol=tcp to-addresses=192.168.1.200 to-ports=3389
add action=src-nat chain=srcnat comment="Port forwarding to RDP" disabled=yes dst-port=3389 out-interface=ether1-gateway1 protocol=tcp to-addresses=192.168.1.200 to-ports=53389
add action=dst-nat chain=dstnat comment=SIP dst-address=212.x.x.x dst-port=5060-5180 protocol=udp to-addresses=192.168.1.198 to-ports=5060-5180
add action=dst-nat chain=dstnat dst-address=212.x.x.x dst-port=10000-20000 protocol=udp to-addresses=192.168.1.198 to-ports=10000-20000

/ip firewall service-port
set sip disabled=yes

With the 'All other drop' firewall rule enabled, registration fails; if I disable the 'All other drop' rule, registration succeeds.
Could you please advise what additional rule I should add to the firewall?

Thank you in advance

NAT rules get processed before filter rules.

The filter rule 'add chain=forward comment="SIP" dst-address=212.x.x.x dst-port=5060-5180 protocol=udp' will never match, because by this time the dst-address has already been changed to 192.168.1.198. Change the dst-address to 192.168.1.198 and it should work.

It looks like you’re doing the load-balancing thing (mangle table not shown but I see signs of it in your NAT rules).
Make sure that your connection marking marks routing so that the reply packets will be forced out the appropriate interface, and not subject to load balancing choosing the wrong outbound route.
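The two points in the reply above, written out as RouterOS commands. This is an added example, not the original poster's config or the reply author's code. It uses RouterOS v6 syntax; the interface names, the PBX address 192.168.1.198 and the UDP port ranges are taken from the posted config, while the connection/routing mark names and the `ISP1_GW`/`ISP2_GW` next-hop addresses are placeholders, since the post does not show the mangle table or the ISP gateways. The RTP accept rule goes beyond the reply: the posted config has a dstnat for UDP 10000-20000 but no forward-chain accept for it, so it is subject to the same drop if the remote peer sends media first.

```routeros
# Added example (RouterOS v6 CLI). Not part of the original post.
# Assumptions: mark names, /ip route entries and the ISP1_GW / ISP2_GW
# gateway addresses are placeholders for values the post does not show.

# 1. Filter must match the packet as it looks AFTER dstnat has rewritten
#    the destination to the PBX. Editing the existing "SIP" rule in place
#    keeps its position above the forward-chain "All other drop" rule.
/ip firewall filter
set [find chain=forward comment="SIP"] dst-address=192.168.1.198

#    Same issue for the RTP range that is dstnat'ed to the PBX but has no
#    accept rule. place-before keeps it above the forward-chain drop rule.
add chain=forward action=accept comment="RTP to Asterisk" \
    dst-address=192.168.1.198 dst-port=10000-20000 protocol=udp \
    place-before=[find chain=forward comment="All other drop"]

# 2. Dual-WAN: remember which ISP a connection arrived on, then force the
#    LAN-side replies back out that ISP instead of letting load balancing
#    pick the other uplink.
/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=isp1_conn \
    in-interface=ether1-gateway1 connection-mark=no-mark passthrough=yes \
    comment="Inbound connection via ISP1"
add chain=prerouting action=mark-connection new-connection-mark=isp2_conn \
    in-interface=ether2-gateway2 connection-mark=no-mark passthrough=yes \
    comment="Inbound connection via ISP2"
add chain=prerouting action=mark-routing new-routing-mark=to_isp1 \
    in-interface=ether5-lan connection-mark=isp1_conn passthrough=no \
    comment="Replies to ISP1 connections leave via ISP1"
add chain=prerouting action=mark-routing new-routing-mark=to_isp2 \
    in-interface=ether5-lan connection-mark=isp2_conn passthrough=no \
    comment="Replies to ISP2 connections leave via ISP2"

# 3. Policy routes the routing marks resolve to. Replace ISP1_GW / ISP2_GW
#    with the real next-hop addresses of ether1-gateway1 / ether2-gateway2.
/ip route
add dst-address=0.0.0.0/0 gateway=ISP1_GW routing-mark=to_isp1 comment="Marked traffic via ISP1"
add dst-address=0.0.0.0/0 gateway=ISP2_GW routing-mark=to_isp2 comment="Marked traffic via ISP2"
```

A quick check before and after: the posted forward drop rule has `log=yes`, so `/log print where message~"5060"` shows the dropped REGISTER packets, and the destination in those log lines already reads 192.168.1.198, which is exactly why a filter matching on 212.x.x.x never fires. After the `set`, those log lines stop and `/ip firewall filter print stats where comment="SIP"` should show the packet counter climbing. On RouterOS v7 the mangle rules are unchanged, but routes use `routing-table=` instead of `routing-mark=`, and each table must first be created with `/routing table add name=to_isp1 fib`.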