RouterOS 6.11 - dropping UDP flows?

Hi,
I have a RB2011 running 6.11 with a very simple routing setup.
On this network there are VoIP phones, all of which work fine, except for a new phone which was just recently added.
I’ve traced the problem to the Mikrotik router not forwarding the UDP packets from the phone (it will forward maybe 1 in 100 or 200).
Using the packet sniffer, I see the UDP arrive on ether1 and it should be leaving on ether5, but it never makes it:

247 263.021 ether1… xxx.xxx.xxx.2:51748 yyy.yyy.yyy.3:5060 (sip) udp 643
248 266.893 ether1… xxx.xxx.xxx.2:51749 yyy.yyy.yyy.3:5060 (sip) udp 744
249 267.042 ether1… xxx.xxx.xxx.2:51750 yyy.yyy.yyy.3:5060 (sip) udp 643
250 270.882 ether1… xxx.xxx.xxx.2:51751 yyy.yyy.yyy.3:5060 (sip) udp 744
251 271.03 ether1… xxx.xxx.xxx:51752 yyy.yyy.yyy:5060 (sip) udp 643
252 274.87 ether1… xxx.xxx.xxx:51753 yyy.yyy.yyy.3:5060 (sip) udp 744

And for whatever reason, occasionally, one will be forwarded properly:

334 402.885 ether1… xxx.xxx.xxx.2:51851 yyy.yyy.yyy.3:5060 (sip) udp 744
335 402.885 ether5 xxx.xxx.xxx.2:51851 yyy.yyy.yyy.3:5060 (sip) udp 744

I don’t have any firewall rules that would affect these packets:

/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=tcp src-address=zzz.zzz.zzz.0/22 dst-port=21-23

1 chain=input action=drop protocol=tcp dst-port=21-23

2 X chain=forward action=log protocol=udp src-address=xxx.xxx.xxx.2 dst-address=yyy.yyy.yyy.3 out-interface=ether5 log-prefix=""

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic

/ip route print
0 A S 0.0.0.0/0 xxx.xxx.xxx.57 1

/ip addresses print
10 xxx.xxx.xxx.58/30 xxx.xxx.xxx.56 ether5

Any ideas?

Thanks.

Are the phones exactly the same model, with exactly the same firmware, and exactly the same provider and config (obviously except username and password)?

On firewall / service ports, is SIP active? On what port?
Try changing the default inbound port (not the exit port to the provider) to 5061 and make one new NAT rule like:

dst-nat
dst-address=public ip
dst-port=5061
to address=ip of ip phone
to port=5061

This is actually a new Cisco 7942 phone (we typically use the 5xx series).
I cannot control the outbound high ports (50000+). The phone automatically uses those ports.

It appears as though the Mikrotik does not like high UDP ports (50000+)…
If I src-nat the ports down to the 10000-20000 range, it seems to pass the traffic ok.

WTF!

Ports 32768 to 65535 are used for NAT.

It is not a MikroTik problem.

What do you mean ports 32768-65535 are “used for NAT”?
What if I have traffic that comes across the Mikrotik on those ports? It just dumps it?
Normally I do not have NAT running (there were no NAT rules installed before I tried the src-nat rule - this is a building router and does not NAT).

– James

Are you sure your provider accepts that range? As I mentioned above, usually 32768 to 65535 are used by NAT, and software usually does not accept sending NEW connections on those ports…

Cisco 79xx phones now send outbound packets from 50000+ for “extra security”.
Since I'm the VoIP provider, yes, I do accept SIP packets coming from those ports :)

But the fact of the matter is, the Mikrotik shouldn’t care that the packets originate from ports 50000+ unless I tell it to care.

Apparently it has something to do with the Mikrotik SIP helper. Disabling it allowed the packets to flow.
Does anyone know what the SIP Helper is actually doing?
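An added example, not code from the thread or from MikroTik: a small Python script that reads packet-sniffer output in the format quoted in the first post and, for every UDP flow that arrived on ether1, checks whether the same 5-tuple was ever seen leaving on ether5. It turns "maybe 1 in 100" into a count and splits the dropped flows by the 32768+ source-port range discussed later in the thread. The sniffer lines, addresses and ports below are constructed (RFC 5737 documentation addresses stand in for the masked xxx/yyy values).

```python
import re
from collections import defaultdict

# Constructed sample in the RouterOS packet-sniffer format quoted in the thread.
SNIFFER_OUTPUT = """\
247 263.021 ether1 192.0.2.2:51748 198.51.100.3:5060 (sip) udp 643
248 266.893 ether1 192.0.2.2:51749 198.51.100.3:5060 (sip) udp 744
334 402.885 ether1 192.0.2.2:51851 198.51.100.3:5060 (sip) udp 744
335 402.885 ether5 192.0.2.2:51851 198.51.100.3:5060 (sip) udp 744
400 410.120 ether1 192.0.2.2:12001 198.51.100.3:5060 (sip) udp 643
401 410.120 ether5 192.0.2.2:12001 198.51.100.3:5060 (sip) udp 643
"""

# frame time iface src:sport dst:dport [(label)] proto size; a "..." the sniffer
# appends to a truncated interface name is stripped from the iface field.
LINE_RE = re.compile(
    r"^\s*(\d+)\s+([\d.]+)\s+([^\s.\u2026]+)[.\u2026]*\s+"
    r"(\S+):(\d+)\s+(\S+):(\d+)\s+(?:\([^)]*\)\s+)?(\w+)\s+(\d+)\s*$"
)

def parse_sniffer(text):
    """Return (frame, time, iface, flow) tuples; flow is (proto, src, sport, dst, dport)."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines in any other format are ignored
            n, t, iface, src, sp, dst, dp, proto, _size = m.groups()
            out.append((int(n), float(t), iface, (proto, src, int(sp), dst, int(dp))))
    return out

def forwarding_report(records, in_iface, out_iface):
    """For each flow that arrived on in_iface, count frames seen there and on out_iface."""
    seen = defaultdict(lambda: [0, 0])
    for _n, _t, iface, flow in records:
        if iface == in_iface:
            seen[flow][0] += 1
        elif iface == out_iface:
            seen[flow][1] += 1
    return {f: tuple(c) for f, c in seen.items() if c[0]}

def summarize(records, in_iface, out_iface, high_port=32768):
    """Split flows into forwarded/dropped and count dropped ones with sport >= high_port."""
    rep = forwarding_report(records, in_iface, out_iface)
    dropped = sorted(f for f, (_i, o) in rep.items() if o == 0)
    return {
        "forwarded": len(rep) - len(dropped),
        "dropped": len(dropped),
        "dropped_high_port": sum(1 for f in dropped if f[2] >= high_port),
        "dropped_flows": dropped,
    }
```

Run `summarize(parse_sniffer(SNIFFER_OUTPUT), "ether1", "ether5")` on a real capture taken with and without the SIP service port enabled to confirm whether the dropped set is confined to the high source ports.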