Hey all,
I cannot figure out a way to get RouterOS to allow SIP RTCP packets back through the NAT. These are those sender report packets that actually come from Asterisk on the RTP port + 1… so if your conversation is using 10233 → 5099, then it's sent using 10234 → 5100. The SIP helper doesn't seem to track this and allow it back in. Any ideas?
Sam
Here is a packet capture showing these UDP packets using RTP port + 1… and they get dropped because the SIP helper isn't creating a pinhole. RouterOS 4.6:

Bug or feature? : )
It doesn't work the way you think it would work. It won't create a pinhole automatically; it tracks outgoing connections.
I just did this on my router at home, using X-Lite to connect to my remote Asterisk server.
/ip firewall filter
add action=accept chain=input comment="Accept Established/Related" connection-state=established disabled=no
add action=accept chain=input comment="" connection-state=related disabled=no
add action=accept chain=forward comment="" connection-state=related disabled=no
add action=accept chain=forward comment="" connection-state=established disabled=no
add action=accept chain=forward comment="" connection-state=new disabled=no dst-address=asterisk.ip.addr dst-port=5060 protocol=udp
add action=jump chain=forward comment="" disabled=no dst-address=asterisk.ip.addr jump-target=drop
If the connection tracking module wasn't working, the RTP packets would not have traversed the firewall. They were obviously classified as related packets because not a single packet to my Asterisk server was dropped, and the 5060/UDP rule only hit once for the new connection; the established/related rules took care of the rest.
EDIT: It also works perfectly for marking connections/packets for QoS. I do it all the time like this:
/ip firewall mangle
add action=mark-connection chain=forward comment="" connection-type=sip disabled=no new-connection-mark=voip-conn passthrough=yes
And the rtp/rtcp connections are marked.
It just doesn't automagically forward a port for you, but configuration of the PBX and client should negate that requirement.
I'm doing the exact same thing as you already, and it's working with the RTP no problem. Calls are fine. However, RTCP packets (sender report), which I didn't even know of until today, aren't coming back through. They are getting dropped in my input chain because the NAT table doesn't have an entry for them (to send them through the forward chain). Searching Google lands me on Juniper and Cisco stuff that mention you have to track the RTP port, plus the one above it…
http://www.juniper.net/techpubs/software/junos-security/junos-security96/junos-security-swconfig-security/sip-alg-understanding.html
“The J Series device opens ports only for RTP and RTCP. Every RTP session has a corresponding Real Time Control Protocol (RTCP) session. Therefore, whenever a media stream uses RTP, the SIP ALG must reserve ports (create pinholes) for both RTP and RTCP traffic. By default, the port number for RTCP is one higher than the RTP port number.”
RTCP packets give back information about jitter / delay, timestamps, etc. Asterisk sends them, but the firewall on the SIP client side blocks them. If you want to see what's in them use ‘rtcp debug’ in Asterisk.
I guess I'm asking how the SIP helper works, if it's supposed to track more than just RTP. And if not, can it get upgraded so I don't have to keep seeing dropped packets in my logs.
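As an added example (not from the thread or from MikroTik), a small Python helper that applies the "RTCP = RTP port + 1" pairing Sam describes to firewall drop logs: given the RTP flows the NAT is already tracking (reply direction, PBX to the router's WAN address), it picks out which dropped UDP packets are the companion RTCP streams. The tracked flows, addresses and log lines are constructed, and the log shape only imitates RouterOS firewall logging.

```python
import re
from typing import List, Optional, Tuple

Flow = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)

# Constructed: RTP flows already in the NAT/conntrack table, written in the
# reply direction (PBX -> router WAN address), like the thread's 10233 -> 5099 call.
TRACKED_RTP: List[Flow] = [
    ("198.51.100.7", 5099, "203.0.113.9", 10233),
    ("198.51.100.7", 5101, "203.0.113.9", 10235),  # hypothetical second call
]

# Constructed drop log in the general shape of RouterOS firewall log lines.
DROPPED_LOG = """\
firewall,info input: in:ether1 out:(none), proto UDP, 198.51.100.7:5100->203.0.113.9:10234, len 80
firewall,info input: in:ether1 out:(none), proto UDP, 198.51.100.7:5102->203.0.113.9:10236, len 92
firewall,info input: in:ether1 out:(none), proto UDP, 203.0.113.44:53->203.0.113.9:41000, len 120
firewall,info input: in:ether1 out:(none), proto TCP, 203.0.113.44:22->203.0.113.9:45000, len 60
"""

LOG_RE = re.compile(r"proto (?P<proto>\w+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)")


def parse_drop(line: str) -> Optional[Tuple[str, str, int, str, int]]:
    """Extract (proto, src_ip, src_port, dst_ip, dst_port) from one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def rtcp_pair(rtp: Flow) -> Flow:
    """Companion RTCP flow for an RTP flow: both endpoints use RTP port + 1."""
    src, sport, dst, dport = rtp
    return (src, sport + 1, dst, dport + 1)


def rtcp_candidates(log_text: str, tracked_rtp: List[Flow]) -> List[Flow]:
    """Dropped UDP packets whose 4-tuple is the RTCP companion of a tracked RTP flow."""
    expected = {rtcp_pair(f) for f in tracked_rtp}
    hits: List[Flow] = []
    for line in log_text.splitlines():
        parsed = parse_drop(line)
        if parsed is None or parsed[0] != "UDP":
            continue  # RTCP rides on UDP; skip unparsable and non-UDP drops
        flow: Flow = parsed[1:]
        if flow in expected:
            hits.append(flow)
    return hits


if __name__ == "__main__":
    for f in rtcp_candidates(DROPPED_LOG, TRACKED_RTP):
        print("dropped RTCP for tracked RTP call:", f)
```

The two UDP drops matched here are exactly the sender-report streams the helper never pinholed; the DNS and TCP drops are left alone.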