Hello, I’m new to MikroTik and new to SIP. I’ve been saddled with trying to route IP phones in a client’s office overseas via a PPTP VPN to our local server in Australia to a cloud ePABX. It’s doing my bloody head in and I’d appreciate any clues anyone is kind enough to provide.
The router in the overseas office is a MikroTik RB5009UG+S+. I’ve set up the PPTP VPN and can ping through it. The VPN server IP is 192.168.61.82 and the router PPTP client typically pulls dynamic IP 192.168.61.81.
    DST-ADDRESS         GATEWAY       DISTANCE
DAc 192.168.61.82/32    pptp-Perth           0
The broadband link in the remote office is working fine. The Yealink IP phones are connected directly to the Ethernet ports of the MikroTik router and pull their IPs from the router’s DHCP. In this case: 192.168.15.254. The NAT rules are:
chain=srcnat action=masquerade protocol=tcp src-address=192.168.15.254 connection-type=sip
    out-interface=pptp-Perth src-port=5060-5061 dst-port=5060-5061 port=20000-50000 log=no
    log-prefix=""
chain=srcnat action=masquerade protocol=udp src-address=192.168.15.254 connection-type=sip
    out-interface=pptp-Perth src-port=5060,5061 dst-port=5060-5061 port=20000-50000 log=no
    log-prefix=""
chain=dstnat action=accept protocol=tcp dst-address=192.168.15.254 src-address-list=""
    dst-address-list="" connection-type=sip in-interface=pptp-Perth src-port=5060,5061
    dst-port=5060,5061 port=20000-50000 log=no log-prefix=""
chain=dstnat action=accept protocol=udp dst-address=192.168.15.254 connection-type=sip
    in-interface=pptp-Perth src-port=5060,5061 dst-port=5060,5061 port=20000-50000 log=no
    log-prefix=""
And the SIP provider’s webpage says ports 3478 and 19302 ‘help STUN servers navigate NAT and firewalls’, so:
chain=dstnat action=accept protocol=udp dst-address=192.168.15.254 in-interface=pptp-Perth
    src-port=3478,19302 dst-port=3478,19302 log=no log-prefix=""
chain=srcnat action=masquerade protocol=udp dst-address=192.168.15.254
    in-interface=pptp-Perth src-port=3478,19302 dst-port=3478,19302 log=no log-prefix=""
But when I start up a local IP phone it looks to be doing DNS lookups and receiving traffic on ports 47156 and 37886.
Please be gentle.
Thanks, Cameron.
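
Added example (not part of the original post): a small Python check run over two of the rules quoted above, flagging any rule whose port= matcher cannot be satisfied together with its src-port= and dst-port= matchers. It assumes the documented RouterOS behaviour that port= matches when either the source or the destination port is in the list; the function names are hypothetical.

```python
import re

# Constructed sample: two rules copied from the post above, as printed by RouterOS.
RULES = """\
chain=srcnat action=masquerade protocol=udp src-address=192.168.15.254 connection-type=sip
out-interface=pptp-Perth src-port=5060,5061 dst-port=5060-5061 port=20000-50000 log=no
log-prefix=""
chain=dstnat action=accept protocol=udp dst-address=192.168.15.254 in-interface=pptp-Perth
src-port=3478,19302 dst-port=3478,19302 log=no log-prefix=""
"""

def parse_rules(text):
    """Split a wrapped 'print' listing into one dict of matchers per rule."""
    rules = []
    for key, value in re.findall(r'([\w-]+)=("[^"]*"|\S+)', text):
        if key == "chain":          # every rule in the listing starts with chain=
            rules.append({})
        if rules:
            rules[-1][key] = value.strip('"')
    return rules

def port_ranges(spec):
    """'5060,5061' or '20000-50000' -> list of (low, high) tuples."""
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.append((int(lo), int(hi or lo)))
    return out

def overlaps(a, b):
    return any(lo1 <= hi2 and lo2 <= hi1 for lo1, hi1 in a for lo2, hi2 in b)

def unsatisfiable(rule):
    """True when port= cannot be met by any packet that passes src-port= and dst-port=."""
    if not all(k in rule for k in ("port", "src-port", "dst-port")):
        return False
    any_port = port_ranges(rule["port"])
    return not (overlaps(any_port, port_ranges(rule["src-port"]))
                or overlaps(any_port, port_ranges(rule["dst-port"])))

def lint(text):
    return [(r["chain"], r.get("protocol"), unsatisfiable(r)) for r in parse_rules(text)]

if __name__ == "__main__":
    for chain, proto, dead in lint(RULES):
        print(chain, proto, "never matches" if dead else "ok")
```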