SIP behind hotspot

hello,

Can anyone assist me with a guide on how to make SIP work behind HS? The SIP phone did not work after I set it up on the MT controller.

Thanks

I have used SIP through a NAT MT router successfully, but not using Hotspot. Is the hotspot just authenticating, or does it do more, e.g. firewalling?

Yes, it is doing firewalling, and the only firewall rules I applied were the virus rules that I exported from demo.mt.lv. I placed it behind another MT router that is without HS but with firewall rules, and there was no problem.

I guess you must check that you're not blocking any SIP ports first. I don't fully get your config either when you say you have 2 MT boxes, one behind another. Maybe there is some problem in how your network is set up? Can you give more detail?

=======MT1===========CYBERCAFE
      |
FC2===|
      |
=======MT2(HOTSPOT CONTROLLER)===APs


that is my network setup.

The SIP phone did not work behind MT2 but worked behind MT1. I have source-nat and a lot more firewall rules on MT1 than on MT2. The only firewall rules on MT2 are the hotspot ones and the virus rules I fetched from the MikroTik demo router.

Can anyone tell me what is missing? Below is the export from the firewall.

/ ip firewall
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
add name="virus" policy=none comment=""
add name="hotspot-temp" policy=none comment="limit unauthorized hotspot clients"
add name="hotspot" policy=none comment="account authorized hotspot clients"
/ ip firewall rule forward
add in-interface=hotspot1 action=jump jump-target=hotspot-temp comment="limit access for unauthorized hotspot clients" disabled=no
add action=jump jump-target=hotspot comment="account traffic for authorized hotspot clients" disabled=no
add action=jump jump-target=virus log=yes comment="jump 2 virus" disabled=no
/ ip firewall rule hotspot
/ ip firewall rule hotspot-temp
add flow=hs-auth action=return comment="return, if connection is authorized" disabled=no
add protocol=icmp action=return comment="allow ping requests" disabled=no
add dst-address=:53 protocol=udp action=return comment="allow dns requests" disabled=no
add action=reject comment="reject access for unauthorized hotspot clients" disabled=no
/ ip firewall rule input
add in-interface=hotspot1 dst-address=:80 protocol=tcp action=jump jump-target=hotspot comment="account traffic from hotspot clients to hotspot servlet" disabled=no
add in-interface=hotspot1 dst-address=:80 protocol=tcp action=accept comment="accept requests for hotspot servlet" disabled=no
add in-interface=hotspot1 dst-address=:67 protocol=udp action=accept comment="accept requests for local DHCP server" disabled=no
add in-interface=hotspot1 action=jump jump-target=hotspot-temp comment="limit access for unauthorized hotspot clients" disabled=no
add dst-address=:53 protocol=udp action=accept comment="" disabled=no
add action=jump jump-target=virus comment="jump2 virus" disabled=no
/ ip firewall rule output
add src-address=:80 out-interface=hotspot1 protocol=tcp action=jump jump-target=hotspot comment="account traffic from hotspot servlet to hotspot clients" disabled=yes
/ ip firewall rule virus
add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger Worm" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:445 protocol=udp action=drop comment="Drop Blaster Worm" disabled=no
add dst-address=:593 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1024-1030 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1080 protocol=tcp action=drop comment="Drop MyDoom" disabled=no
add dst-address=:1214 protocol=tcp action=drop comment="________" disabled=no
add dst-address=:1363 protocol=tcp action=drop comment="ndm requester" disabled=no
add dst-address=:1364 protocol=tcp action=drop comment="ndm server" disabled=no
add dst-address=:1368 protocol=tcp action=drop comment="screen cast" disabled=no
add dst-address=:1373 protocol=tcp action=drop comment="hromgrafx" disabled=no
add dst-address=:1377 protocol=tcp action=drop comment="cichlid" disabled=no
add dst-address=:1433-1434 protocol=tcp action=drop comment="Worm" disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Bagle Virus" disabled=no
add dst-address=:2283 protocol=tcp action=drop comment="Drop Dumaru.Y" disabled=no
add dst-address=:2535 protocol=tcp action=drop comment="Drop Beagle" disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Drop Beagle.C-K" disabled=no
add dst-address=:3127 protocol=tcp action=drop comment="Drop MyDoom" disabled=no
add dst-address=:3410 protocol=tcp action=drop comment="Drop Backdoor OptixPro" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="Worm" disabled=no
add dst-address=:4444 protocol=udp action=drop comment="Worm" disabled=no
add dst-address=:5554 protocol=tcp action=drop comment="Drop Sasser" disabled=no
add dst-address=:8866 protocol=tcp action=drop comment="Drop Beagle.B" disabled=no
add dst-address=:9898 protocol=tcp action=drop comment="Drop Dabber.A-B" disabled=no
add dst-address=:10000 protocol=tcp action=drop comment="Drop Dumaru.Y" disabled=no
add dst-address=:10080 protocol=tcp action=drop comment="Drop MyDoom.B" disabled=no
add dst-address=:12345 protocol=tcp action=drop comment="Drop NetBus" disabled=no
add dst-address=:17300 protocol=tcp action=drop comment="Drop Kuang2" disabled=no
add dst-address=:27374 protocol=tcp action=drop comment="Drop SubSeven" disabled=no
add dst-address=:65506 protocol=tcp action=drop comment="Drop PhatBot, Agobot, Gaobot" disabled=no
add dst-address=:5555 protocol=tcp action=drop comment="" disabled=no
add src-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" disabled=yes
add src-address=:135-139 protocol=udp action=drop comment="Drop Messenger Worm" disabled=yes
add src-address=:445 protocol=udp action=drop comment="Drop Blaster Worm" disabled=yes
add src-address=:135-139 protocol=tcp action=drop comment="Drop Messenger Worm" disabled=yes
/ ip firewall service-port
set ftp ports=21 disabled=no
set pptp disabled=yes
set gre disabled=yes
set h323 disabled=yes
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
/ ip firewall mangle
add in-interface=internet action=passthrough mark-flow=internet_packet comment="" disabled=yes
add in-interface=hotspot1 action=passthrough mark-flow=local_packet comment="" disabled=yes
/ ip firewall src-nat
add src-address=10.5.50.0/24 action=masquerade comment="masquerade hotspot network" disabled=yes
/ ip firewall dst-nat
add dst-address=:53 protocol=udp action=redirect comment="intercept all DNS requests" disabled=no
add in-interface=hotspot1 protocol=tcp flow=!hs-auth action=redirect to-dst-port=80 comment="redirect unauthorized hotspot clients to hotspot service" disabled=no
add dst-address=:25 protocol=tcp action=nat to-dst-address=192.168.28.254 comment="send e-mails through our SMTP server" disabled=no
add in-interface=hotspot1 dst-address=:80 protocol=tcp action=redirect to-dst-port=80 comment="transparent HTTP proxy for hotspot clients" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m tcp-established-timeout=5d tcp-fin-wait-timeout=2m tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m

bholler,

Remember that every device behind the hotspot is required to log in to the hotspot before traffic can pass. Your SIP phone will not work behind MT2 because the hotspot firewall rules redirect all the traffic until it is authenticated. You can use the walled garden feature to allow your SIP phone to register and make calls. Another way is to set up a mangle rule bypassing the IP address of your SIP phone from the hotspot, as this would save you the time of finding out the register and session ports of your SIP server.

/ ip firewall mangle add src-address=192.168.3.200/32 action=accept mark-flow=hs-auth

The above assumes your SIP phone's IP is 192.168.3.200 and that the default MT hotspot setup process was used.

In 2.9, this is much easier using the bypass feature in IP hotspot binding, which allows you to bypass a host's MAC/IP pair from the hotspot.

Sonny.
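The two approaches Sonny describes (a walled garden that opens only the SIP server's ports before login, or a per-host bypass), written out as an added example that is not part of the thread. It uses the console syntax of later RouterOS versions (3.x and newer, where the /ip hotspot ip-binding and /ip hotspot walled-garden ip menus live), not the 2.8 export posted above. The phone's address and MAC, the SIP server address 203.0.113.10, and the RTP port range 10000-20000 are assumed values; check your own PBX for the real signalling and media ports.

```routeros
# Added example, not from the original thread. RouterOS v3+ syntax.
# Assumed values: SIP phone 192.168.3.200 / 00:11:22:33:44:55,
# SIP server 203.0.113.10, RTP media ports 10000-20000.

# Option 1: exclude the phone from the hotspot entirely (no login page,
# no hotspot accounting for it). Binding both MAC and IP keeps another
# client from inheriting the bypass just by taking the same address.
/ip hotspot ip-binding add address=192.168.3.200 \
    mac-address=00:11:22:33:44:55 type=bypassed \
    comment="SIP phone - bypass hotspot"

# Option 2: keep the phone as a hotspot client, but let SIP signalling and
# media reach the SIP server before authentication. Pinning dst-address
# keeps this from becoming a general pre-login hole to the internet.
/ip hotspot walled-garden ip add dst-address=203.0.113.10 protocol=udp \
    dst-port=5060 action=accept comment="SIP signalling to PBX"
/ip hotspot walled-garden ip add dst-address=203.0.113.10 protocol=udp \
    dst-port=10000-20000 action=accept comment="RTP media to PBX"

# If the phone registers but audio is one-way, the SIP connection-tracking
# helper may be rewriting the SDP; disable it and let the phone/PBX handle NAT.
# /ip firewall service-port set sip disabled=yes

# Checks: the phone should appear as a bypassed host, and its SIP/RTP
# connections to the PBX should show up in the connection table.
/ip hotspot host print where address=192.168.3.200
/ip firewall connection print where dst-address~"203.0.113.10"
```

Prefer Option 2 where the phone still has to be accounted for or where the network is shared: a bypassed host is fully trusted by the hotspot, so anyone who spoofs that MAC/IP pair skips the login, which is why the walled-garden rules above are restricted to the PBX address rather than to ports alone.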