I've set up a basic firewall as per Steve Discher's book but am struggling to get it to do a simple port redirection from an external source (in this case, UDP 5060 for SIP traffic)

Current firewall config is below. I've left in a couple of the additional rules that I've put in there to get it working. Namely, the first rule under /ip firewall filter and the first rule under /ip firewall nat.

Am I on the right lines with these rules? I want to get this working and then restrict the rule so that only our SIP provider's IP addresses are allowed to initiate a connection.

Thanks,

Steve

mar/19/2014 13:17:21 by RouterOS 6.10

software id = HNU4-J2ZJ

/ip firewall address-list
add address=192.168.0.0/24 list=MyLAN
/ip firewall filter
add chain=forward dst-port=5060 in-interface="BT Infinity" protocol=udp src-port=""
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid
add chain=input src-address-list=MyLAN
add chain=input connection-state=established
add action=drop chain=input
add chain=forward connection-state=new src-address-list=MyLAN
add chain=forward connection-state=related
add chain=forward connection-state=established
add action=drop chain=forward
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=5060 in-interface="BT Infinity" protocol=udp
to-addresses=192.168.0.210
add action=masquerade chain=srcnat out-interface="BT Infinity"
/ip firewall service-port
set sip disabled=yes

The only thing I see is that you have specified a src-port which is empty. Maybe that is holding back the traffic.
And at NAT i always do config to-ports also if they are the same as dst-port.

Thanks Rudios,

Just tried both of those without any success.

The weird thing is I can see the packet counts going up on both of my rules but the traffic doesn’t seem to get through.

Since udp is a connectionless protocol I guess the returning packets are dropped.
The are not passed by the established or related rule. And I believe neither does the rule with connection-state=new.
Try removing the connection-state=new parameter in the forward chain rule.
Also move that rule below the related/established rules.

Tried those changes, Rudios. No change.

I’ve tried disabling all drop rules, specifically allowing UDP from the SIP provider, turned the SIP helper off (and on) and various other things. Nothing seems to get them through.

I’m going to do some more reading but would be grateful for any other suggestions as to why this isn’t working.

Steve

this is the solution, only regardin the VoIP parts.
VoIP connection from trusted SIP providers are already accepted
in this example I use my real productoin configuration

/ip firewall address-list
add address=217.10.64.0/20 comment=sipgate.de list=lista_ip_VoIP
add address=70.42.62.0/24 comment=VIVOX list=lista_ip_VoIP
add address=77.72.169.0/24 comment=sip.voipcheap.com list=lista_ip_VoIP
add address=83.211.0.0/16 comment="VoIP Eutelia" list=lista_ip_VoIP
add address=85.119.136.0/23 comment="VoIP Telio" list=lista_ip_VoIP
add address=87.238.28.0/22 comment="VoIP Cheapnet" list=lista_ip_VoIP
add address=212.97.32.0/19 comment=messagenet.it list=lista_ip_VoIP
/ip firewall filter
add chain=forward src-address-list=lista_ip_VoIP
add chain=forward dst-address-list=lista_ip_VoIP
/ip firewall nat
add chain=dstnat in-interface="BT Infinity" protocol=udp dst-port=5060 action=dst-nat to-addresses=192.168.0.210

If someone use my Idea, please add Karma.