VoIP Passthrough Problem with Mikrotik ROS

I am having a problem with VoIP passthrough on a Mikrotik router. The phone cannot register to the server. There is no firewall filter.
I have tried with:

  1. private ip
  2. public ip
  3. disable H323
  4. disable SIP
  5. disable H323 and SIP.

But it doesn’t help.

If I change to a router like Cisco, it works well.

Does anyone know what the problem is?

Is the help from “ip firewall service ports”?
Sometimes I need to disable SIP or H323 to make VoIP work properly?

I am using:
ROS version is 3.17.
System: x86

Which VoIP protocol is being used on your network?

I have about 4 SIP devices behind my NAT’ed Mikrotik router running 3.18 and it passes SIP all day long. And it always has, all the way back to 3.0, which is what I started out with.

My customer is using www.vonage.com product.

Do you have any proxy configured?

No, it works as a router and for shaping only.

Connect to the terminal, type in
/export file=forreview
Go to Files (WinBox), grab that .rsc file, edit it with WordPad or a more serious editor to remove any passwords and attach it here. We can look at it and see what’s happening.
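The password-removal step suggested above can be scripted. This is an added example, not part of the original thread: the `redact_export` helper, the suffix list and the sample export are assumptions constructed for illustration.

```python
import re

# Parameter-name suffixes treated as secrets. This is an assumed,
# non-exhaustive list; extend it for the packages in use.
SECRET_SUFFIXES = ("password", "secret", "pre-shared-key", "private-key", "passphrase")

# key=value, where value is a double-quoted string (with backslash
# escapes) or a bare token up to the next whitespace.
_PAIR = re.compile(r'(?<![\w-])(?P<key>[\w-]+)=(?P<val>"(?:\\.|[^"\\])*"|[^\s"]+)')

# Constructed sample export (not taken from the thread).
SAMPLE = r'''/ppp secret
add name=cust1 password="p@ss word" service=pppoe
/radius
add address=192.0.2.10 secret=s3cr3t service=ppp
/interface wireless security-profiles
add name=prof1 wpa2-pre-shared-key=\
    "correct horse" mode=dynamic-keys
/ip firewall nat
add chain=srcnat action=masquerade comment="password=not-a-param"
'''

def _is_secret(key):
    key = key.lower()
    return any(key == s or key.endswith("-" + s) for s in SECRET_SUFFIXES)

def redact_export(text, placeholder="REDACTED"):
    """Return (redacted_text, number_of_values_replaced)."""
    count = 0

    def repl(match):
        nonlocal count
        if not _is_secret(match.group("key")):
            return match.group(0)
        count += 1
        return f'{match.group("key")}={placeholder}'

    # Exports wrap long lines with a trailing backslash; join them first
    # so a value that starts on the continuation line is still caught.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    return _PAIR.sub(repl, joined), count

if __name__ == "__main__":
    redacted, replaced = redact_export(SAMPLE)
    print(redacted)
    print(f"# {replaced} value(s) redacted")
```

Read the output before posting it: the suffix match does not look inside comments or script bodies, so a secret typed there survives.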

You can tell me what you want to see, and I will post it on the forum so it is easier to read.

mm … firewall, nat, QoS, L7, ip addressing, routes.. pretty much everything.

Please see below:

[badmin@MKN-BM-2] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; basic firewall
chain=input action=accept connection-state=established

1 chain=input action=accept connection-state=related

2 chain=input action=drop connection-state=invalid

3 chain=forward action=accept connection-state=established

4 chain=forward action=accept connection-state=related

5 chain=forward action=drop connection-state=invalid

[badmin@MKN-BM-2] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; nat-list
chain=srcnat action=src-nat to-addresses=203.176.129.48-203.176.129.63 src-address-list=nat-list out-interface=ether1-Outside

1 ;;; redirect dns
chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53

2 chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53

[badmin@MKN-BM-2] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; customer
chain=forward action=mark-connection new-connection-mark=cus-conn passthrough=yes src-address=10.3.0.34

1 chain=forward action=mark-packet new-packet-mark=cus-up passthrough=no in-interface=vlan717 connection-mark=cus-conn

2 chain=forward action=mark-packet new-packet-mark=cus-down passthrough=no connection-mark=cus-conn

[badmin@MKN-BM-2] /queue tree> print
Flags: X - disabled, I - invalid
0 name="Total-Download" parent=global-out packet-mark="" limit-at=40000000 queue=default priority=8 max-limit=40000000 burst-limit=0 burst-threshold=0 burst-time=0s

1 name="Total-Upload" parent=global-out packet-mark="" limit-at=40000000 queue=default priority=8 max-limit=40000000 burst-limit=0 burst-threshold=0 burst-time=0s

2 name="384k-down" parent=Total-Download packet-mark="" limit-at=0 queue=default priority=8 max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s

3 name="384k-up" parent=Total-Upload packet-mark="" limit-at=384000 queue=default priority=8 max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s

4 name="cus-down" parent=384k-down packet-mark=cus-down limit-at=0 queue=default priority=8 max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s

5 name="cus-up" parent=384k-3-up packet-mark=cus-up limit-at=384000 queue=default priority=8 max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s

I am not using L7.

chain=srcnat action=src-nat to-addresses=203.176.129.48-203.176.129.63 src-address-list=nat-list out-interface=ether1-Outside

Could it be this? Try with masquerade for a while…

That could be!

But I tried with a public IP, and it doesn’t work either. :confused:

Can you fire up a couple of Wireshark protocol analyzers, one at the Server and one at the client, and see what is missing from the protocol?

Can the client ping the server? Can you establish a connection to another service on the server’s IP address, if any is running there?

Inside the equipment itself, the VoIP device has some tools that can test the connection from the client side to the server. The testing reported success on all steps. But when the client tries to connect and get service, the client reports a connection error. That error reports that the connection was filtered by a firewall??? :open_mouth: Maybe connection tracking is enabled?? However, I cannot test disabling connection tracking since the router is in operation (NAT).

Maybe your ISP is filtering a port or two…

Please try to sniff the user’s packets during the test and then during real service (failure). Could it be that the packets have some options set…?

What I wonder is that if I change to another router like a Cisco router, the connection works well. So I think there is something wrong with the Mikrotik router.

What is the configuration of the Cisco router? Exactly the same? Can you watch the connections on the Cisco router and see which ports are used… and gather other info to compare to the MikroTik router?

Contact Vonage support for connection and protocol technical details…

p.s. I could also look at the MT while it’s live if you create an account for me.

NetworkPro, many thanks for your support. Really appreciate that!!!

My customer is using a Cisco router, and it is impossible for me to take it down again and interrupt him to test again. By the way, can I know your email address? I will drop you an email if I have a chance to test with that customer again.

My purpose is to find a possible solution which I can use as a workaround later if the same problem happens again.

So, your solution is to monitor the traffic flow and do a comparison?

cont.

On the Cisco, it was a simple routing configuration only.

Could it be a tunnel protocol problem?