Hi,
Encountering an issue with a particular src-nat → netmap rule, with SIP registration authorization failure due to an incorrect public IP in the registration.
In this sample:
private IP PBX host: IP 10.254.1.105/24
public IP PBX host: 24.1.0.44/27
cloud router WAN IP: 24.1.0.40/27 (assigned 24.1.0.33/27 IPs on WAN)
port UDP dst: 5060
Registration occurs, but the IP it registers with is the cloud router (24.1.0.40) and not the actual public IP assigned with netmap for the IP PBX (24.1.0.44), hence the auth failure when calls are made via the trunk.
chain=srcnat action=src-nat to-addresses=24.1.0.44 to-ports=0-65535 protocol=tcp src-address=10.254.1.105
out-interface=ether1_WAN dst-port="" log=no log-prefix=""
chain=dstnat action=netmap to-addresses=10.254.1.105 to-ports=5060 protocol=udp dst-address=24.1.0.44 dst-port=5060
log=no log-prefix=""
I seem to be missing something?
Are you sure these rules are actually the first rules under the IP > NAT configuration? The way MikroTik walks through the NAT table is from top to bottom, so if there is, for instance, a masquerade rule for traffic leaving on ether1-WAN first, that rule is applied.
Also, under IP > Firewall > Service Port (/ip firewall service-port), make sure you disable SIP, as it will trigger RouterOS to do SIP ALG, and I don't think you'll want it.
Hi Bram,
We also run GRE with IPsec, so I have a src-nat at the top for a remote admin office; should this be at the bottom?
/ip firewall nat print
0 chain=srcnat action=accept src-address=10.254.1.0/24
dst-address=10.254.8.0/26 log=no log-prefix=""
1 chain=srcnat action=src-nat to-addresses=24.1.0.42 to-ports=0-65535
protocol=tcp src-address=10.254.1.99 src-address-list=""
out-interface=ether1_WAN log=yes log-prefix=""
2 ;;; Rule
chain=srcnat action=src-nat to-addresses=24.1.0.41 to-ports=0-65535
protocol=tcp src-address=10.254.1.3 src-address-list=""
out-interface=ether1_WAN log=no log-prefix=""
3 X chain=srcnat action=src-nat to-addresses=24.1.0.45 to-ports=0-65535
protocol=tcp src-address=10.254.1.6 src-address-list=""
out-interface=ether1_WAN log=no log-prefix=""
4 chain=srcnat action=src-nat to-addresses=24.1.0.45 to-ports=0-65535
protocol=tcp src-address=10.254.1.5 src-address-list=""
out-interface=ether1_WAN log=no log-prefix=""
5 chain=srcnat action=src-nat to-addresses=24.1.0.46 to-ports=0-65535
protocol=tcp src-address=10.254.1.24 src-address-list=""
out-interface=ether1_WAN log=no log-prefix=""
6 chain=srcnat action=src-nat to-addresses=24.1.0.44 to-ports=0-65535
protocol=tcp src-address=10.254.1.105 out-interface=ether1_WAN dst-port=""
log=no log-prefix=""
7 chain=srcnat action=src-nat to-addresses=24.1.0.43 to-ports=0-65535
protocol=tcp src-address=10.254.1.224 src-address-list=""
out-interface=ether1_WAN log=no log-prefix=""
8 chain=srcnat action=masquerade src-address=10.254.1.0/24
dst-address=10.254.1.0/24 log=no log-prefix=""
9 chain=srcnat action=masquerade out-interface=ether1_WAN log=no
log-prefix=""
Service ports:
/ip firewall service-port
# NAME PORTS
0 XI ftp 21
1 XI tftp 69
2 XI irc 6667
3 XI h323
4 XI sip 5060
5061
5 XI pptp
6 XI udplite
7 dccp
8 XI sctp
Hi Jim,
The order you have is correct as is; the rules would be triggered correctly for this rule to work properly.
Consider replacing it with the following rule. This is less specific but might work better, because in your current config you're only applying the rule to TCP traffic.
/ip firewall nat
add chain=srcnat action=src-nat to-addresses=24.1.0.44 src-address=10.254.1.105 out-interface=ether1_WAN log=no
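Added example (not from the thread or from MikroTik): a small Python simulation of the top-down srcnat walk, showing why the TCP-only src-nat rule lets the PBX's UDP/5060 REGISTER fall through to the final masquerade rule and leave with the router's WAN IP, and why dropping protocol=tcp fixes it. The rule list is condensed from the print output above; the SIP peer address 203.0.113.10 and the packet values are constructed.

```python
# Added example: simulate RouterOS walking the srcnat chain top to bottom,
# first matching rule wins. Shows why a TCP-only src-nat rule lets UDP/5060
# SIP traffic fall through to the final masquerade rule. Rule list is
# condensed from the thread's print output; packet values are constructed.
import ipaddress
from dataclasses import dataclass

WAN_IP = "24.1.0.40"  # cloud router WAN IP (from the thread)
PBX = "10.254.1.105"  # private IP PBX (from the thread)

@dataclass
class Rule:
    action: str        # accept | src-nat | masquerade
    src: str = ""      # src-address (CIDR or host), "" = any
    dst: str = ""      # dst-address, "" = any
    proto: str = ""    # protocol, "" = any (the thread's rule 6 had "tcp")
    out_if: str = ""   # out-interface, "" = any
    to_addr: str = ""  # to-addresses for src-nat

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    out_if: str

def _in(ip, cidr):
    return not cidr or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def matches(rule, pkt):
    return (_in(pkt.src, rule.src) and _in(pkt.dst, rule.dst)
            and rule.proto in ("", pkt.proto) and rule.out_if in ("", pkt.out_if))

def srcnat(rules, pkt):
    """Return (rule index, source address after NAT) for the first match."""
    for i, r in enumerate(rules):
        if matches(r, pkt):
            return i, {"accept": pkt.src, "src-nat": r.to_addr, "masquerade": WAN_IP}[r.action]
    return None, pkt.src  # no rule matched: no translation

ORIGINAL = [  # rules 0, 6, 8 and 9 from the thread; other hosts' rules omitted
    Rule("accept", src="10.254.1.0/24", dst="10.254.8.0/26"),
    Rule("src-nat", src=PBX, proto="tcp", out_if="ether1_WAN", to_addr="24.1.0.44"),
    Rule("masquerade", src="10.254.1.0/24", dst="10.254.1.0/24"),
    Rule("masquerade", out_if="ether1_WAN"),
]
# Bram's replacement rule: same match minus protocol=tcp, so UDP matches too
FIXED = [ORIGINAL[0], Rule("src-nat", src=PBX, out_if="ether1_WAN", to_addr="24.1.0.44")] + ORIGINAL[2:]

def sip_register_source(rules):
    """Source address a SIP REGISTER (UDP/5060) from the PBX leaves with."""
    pkt = Packet(PBX, "203.0.113.10", "udp", 5060, "ether1_WAN")  # constructed SIP peer
    return srcnat(rules, pkt)[1]  # ORIGINAL -> 24.1.0.40, FIXED -> 24.1.0.44
```

Under the original rule set the UDP packet skips rule 6 and hits the masquerade on ether1_WAN, which is exactly the 24.1.0.40 the trunk provider saw in the registration.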
Hi Bram
Yup, that did it. I copied the previous src-nat and failed to notice the protocol and port assignments.
Thank you for your quick response.