SIP phone → D-link DGS-1210 switch → Mikrotik RB4100 → DSL modem

If SIP (Yealink W70B) is on default LAN, it gets 192.168.88.20 & Registers fine at VoIP provider on Internet via DSL line out

If I make the port on D-link untagged VLAN 21, W70B gets 192.168.21.2 and Registration FAILS (yet full access to Internet from this VLAN exists)

I can even add rule (not needed for normal operation with existing rules below) to explicitly allow forward from 192.168.21.2 and then the log shows:

--Yealink-- forward: in:vlan21-ipphone out:pppoe-out1, connection-state:new,snat src-mac 80:5e:0c:cb:db:34, proto UDP, 192.168.21.2:5090->212.23.7.235:5060, NAT (192.168.21.2:5090->external_static_IP:4686)->212.23.7.235:5060, len 596

I cannot see what could be causing it, as for the exercise, I chose the very basic set of rules (none of them stops the communication)

Config removed as 
it seems to have been of no value to any help received

VoiP NAT rules are only needed for the INCOMING calls (so not involved in the Register process)
Any help would be appreciated

sebus

Anybody?

You need routes between you ip range or move the pbx to the same vlan as your phone and update address of your phone sip server to pbx

so you need ip route if you phone on is on vlan 21 with ip range 192.168.21.2 and your pbx sit in ip range 192.168.88.xx

you will need route such as 192.168.21.xxx router via gateway to ip range your pbx is in

If SIP (Yealink W70B) is on default LAN, it gets 192.168.88.20 & Registers fine at VoIP provider

If I make the port on D-link untagged VLAN 21, W70B gets 192.168.21.2 and Registration FAILS

It is EXTERNAL VoIP provider on the internet (nothing local)

Nobody has any idea?

hello sebus46,

SIP (Yealink W70B) is on default LAN, it gets 192.168.88.20 & Registers fine at VoIP provider on Internet via DSL line out

hmm, can you post your

interface print

interface bridge vlan print

and your ip firewall rules related to your incoming sip.

let us see what exactly is being the difference between default lan and these vlan interface.

please don’t put very long output - sorry my eyes can’t no longer read long config.

Incoming SIP rules do not matter, we are talking about OUT connection for now (Register)

I have posted full config (which is always what is asked for), but here are the bits:

Flags: R - RUNNING; S - SLAVE
Columns: NAME, TYPE, ACTUAL-MTU, L2MTU, MAX-L2MTU, MAC-ADDRESS
 #    NAME              TYPE       ACTUAL-MTU  L2MTU  MAX-L2MTU  MAC-ADDRESS      
 0 R  ether1            ether            1500   1592       9578  48:A9:8A:A3:8B:48
 1 RS ether2            ether            1500   1592       9578  48:A9:8A:A3:8B:49
 2    ether3            ether            1500   1592       9578  48:A9:8A:A3:8B:4A
 3    ether4            ether            1500   1592       9578  48:A9:8A:A3:8B:4B
 4    ether5            ether            1500   1592       9578  48:A9:8A:A3:8B:4C
 5    ether6            ether            1500   1592       9578  48:A9:8A:A3:8B:4D
 6    ether7            ether            1500   1592       9578  48:A9:8A:A3:8B:4E
 7    ether8            ether            1500   1592       9578  48:A9:8A:A3:8B:4F
 8    ether9            ether            1500   1592       9578  48:A9:8A:A3:8B:50
 9    ether10           ether            1500   1592       9578  48:A9:8A:A3:8B:51
10 RS sfp1              ether            1500   1600       9586  48:A9:8A:A3:8B:52
11 R  bridge            bridge           1500   1592             48:A9:8A:A3:8B:49
12 R  pppoe-out1        pppoe-out        1480                                     
13 R  vlan21-ipphone    vlan             1500   1588             48:A9:8A:A3:8B:49
14 R  vlan99-wifiguest  vlan             1500   1588             48:A9:8A:A3:8B:49
15 R  vlan100-ipcam     vlan             1500   1588             48:A9:8A:A3:8B:49

Flags: X, D - DYNAMIC
Columns: BRIDGE, VLAN-IDS
#   BRIDGE  VLAN-IDS
0   bridge         1

@ sebus46

i thought i have requested you for

interface bridge vlan print

Yes, and it is above

Flags: X, D - DYNAMIC
Columns: BRIDGE, VLAN-IDS

BRIDGE VLAN-IDS

0 bridge 1

I do NOT use it in my setup, VLANs are on bridge, I use ONLY 1 interface (ether2)
Everything is in full config on original post

@ sebus,

If I make the port on D-link > untagged VLAN 21> , W70B gets 192.168.21.2 and Registration FAILS (yet full access to Internet from this VLAN exists)

that was your first problem correct?

now, this on your router - where did you put vlan bridge config for tagged and untagged port?

13 R vlan21-ipphone vlan

that vlan 21 interface should be linked on the bridge and you need to activate bridge vlan filter in order to make any vlan member interface got correctly tagged (trunk mode) or untagged (access mode).

if you don’t have it - your vlan config isn’t right. hence there you are your phone problem.

if you don’t have correct vlan interface setup - then better to put your phone on basic lan setup 88.0/24.

hope this helps.

As per full config, there is nothing UNTAGGED on Mikrotik (that is done on the switch to where the unit(s) actually connect (because they are PoE)

Bridge is tagged for all required VLANs, I do not need VLAN filtering

[admin@MikroTik] /interface/vlan> print
Flags: R - RUNNING
Columns: NAME, MTU, ARP, VLAN-ID, INTERFACE
#   NAME               MTU  ARP      VLAN-ID  INTERFACE
0 R vlan21-ipphone    1500  enabled       21  bridge   
1 R vlan99-wifiguest  1500  enabled       99  bridge   
2 R vlan100-ipcam     1500  enabled      100  bridge

From above, other 2 VLANs that are setup in an identical way, work fine - VLAN99 & VLAN100 (obviously for different purposes)

I think that just saying “your setup is not right” does not help much, but thanks for trying

Just in case anybody ever comes across it
Of course the “gods” here can say that I have this or that wrong etc, but the fix was to get one extra rule in IP Firewall/Filters as first in forward chain

;;; voip2 allow
chain=forward action=accept protocol=udp src-address=VOIP_SERVER_IP dst-port=5090 log=yes
log-prefix="--Yealink-VLAN21 in voip2--"

Phone connects/registers & works