Routing two MikroTik IP addresses to two different gateways

Hi all!

I need to find a solution to the following scenario.
There is a VoIP PBX which is able to register SIP accounts via different gateways. Its IP address is 10.1.1.240.
I have two gateways in the network, each one dedicated to a SIP account.
I have configured two IPs in MT on the same interface, 10.1.1.10 and 10.1.1.20.
For SIP account A I have set the PBX to have as gateway 10.1.1.10 and for SIP account B 10.1.1.20.

I need MT to reroute packages for 10.1.1.10 to 10.1.10.1 and for 10.1.1.20 to 10.1.20.1.
All the necessary VLANs are configured correctly, I have inter-VLAN routing working correctly, but I can’t make it work for the above mentioned routing.

I tried making a mangle, marking the packages with destination 10.1.1.10 with a mark GW A and for 10.1.1.20 with a mark GW B, and then route packages marked “GW A” to 10.1.10.1 and the ones marked “GW B” to 10.1.20.1, but there is no success. MT follows the routing of the default gateway only.

Do you think there is a solution to this?
The problem is that the destination of the SIP registration is the same for both accounts, so there is no way to discriminate and route based on this.

I would highly appreciate any help given…

I can explain to you why it does not work, but I don’t have a solution which I would be sure would work on a single Mikrotik.

The problem is that when the PBX sends a packet outside its subnet via a gateway, it uses the IP address of the gateway only to obtain its MAC address using an ARP request, and then sends the real packet to the MAC address of the gateway with an IP destination address of the final destination.

So the firewall rules cannot trigger on the gateway IP address as it is not present in the packet header at all. Worse than that, as both your gateway addresses are attached to the same port or bridge of your Mikrotik, also the destination MAC address doesn’t differ because the ARP response provides the same MAC address for both.

So if you use more than one Ethernet interface in the same bridge where the PBX is connected, you may try to move the IP address of one of the gateways from the bridge to the Ethernet port from which the bridge has not inherited its own MAC address, but the chances that this would help are not high.

If the PBX allows you to configure the SIP domain name separately from the IP address of the SIP public exchange (or if you can configure a proxy IP address), this could be a solution, as you could set the IP address for one of the SIP accounts to Mikrotik’s own one and use a dst-nat rule in Mikrotik’s

/ip firewall nat chain=dstnat

to change it back to the real address of the public exchange after marking it in

/ip firewall mangle chain=prerouting

first. If you cannot use a domain name, or if it is automatically resolved to an IP using DNS and this cannot be disabled, this won’t work either.
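
The mark-then-dst-nat approach described in the reply above, written out as an added example that is not part of the original posts. It applies the idea to both SIP accounts rather than one. Assumptions: RouterOS v6 syntax, the PBX can take 10.1.1.10 and 10.1.1.20 as per-account proxy addresses, the mark names GW-A and GW-B are arbitrary, and 203.0.113.5 is a placeholder for the provider's real SIP address.

```routeros
# Constructed example, RouterOS v6 syntax (v7 selects routes with routing
# tables instead of routing-mark on the route).
# 203.0.113.5 is a placeholder for the real address of the public SIP exchange.
#
# The PBX (10.1.1.240) uses 10.1.1.10 as the proxy address for account A and
# 10.1.1.20 for account B. Both are in the PBX's own subnet, so they show up
# as the IP destination of the packet, not only in ARP, and the firewall
# can match on them.

/ip firewall mangle
# Mark first: mangle prerouting is processed before dstnat, so the original
# destination address is still visible here.
add chain=prerouting src-address=10.1.1.240 dst-address=10.1.1.10 \
    action=mark-routing new-routing-mark=GW-A passthrough=yes \
    comment="SIP account A"
add chain=prerouting src-address=10.1.1.240 dst-address=10.1.1.20 \
    action=mark-routing new-routing-mark=GW-B passthrough=yes \
    comment="SIP account B"

/ip firewall nat
# Then rewrite the destination back to the real exchange address.
# Connection tracking reverses this for replies, so the PBX sees them
# coming from 10.1.1.10 or 10.1.1.20.
add chain=dstnat src-address=10.1.1.240 dst-address=10.1.1.10 \
    action=dst-nat to-addresses=203.0.113.5 \
    comment="account A to real exchange"
add chain=dstnat src-address=10.1.1.240 dst-address=10.1.1.20 \
    action=dst-nat to-addresses=203.0.113.5 \
    comment="account B to real exchange"

/ip route
# One default route per routing mark, pointing at the dedicated gateway.
add dst-address=0.0.0.0/0 gateway=10.1.10.1 routing-mark=GW-A
add dst-address=0.0.0.0/0 gateway=10.1.20.1 routing-mark=GW-B
```

Only traffic the PBX addresses to 10.1.1.10 or 10.1.1.20 is steered this way; anything it sends directly to the provider's real addresses still follows the router's default route.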