VoWifi - do not work

sharkys · December 10, 2023, 11:22pm

Hi,
I’m struggling already for years with multifunctional VoWifi calls, but from Samsung phones only (S21 & S20, I knew in the past Oneplus 9 worked but had it only shortly). I thought it could be previously by my previous config (Edge Router with Openwrt) but it turned out, that actually after I switched over to Mikrotik, it’s the same - when I enable VoWifi on phone, I see icon but any outgoing calls are silent and better to say are ringing forever (I know that they rings on other side but are never connected trough - when answered on other side, the phone stays in the “calling” phase).

I have contacted even my ISP, who didn’t identify any problem and actually nobody reported such issue so far.
It’s also not phone problem, because it works on other locations (Openwrt routers, different ISPs) so it’s something specific to my ISP in combination to Samsung phones but no idea what.

Reading forums, I understood that the VoWifi traffic is happening on UDP / port 4500 - also Telec. provider says : Minimum requirements: For the call to proceed smoothly, the used Wi-Fi router must support the Internet security transfer of IP Sec and meet the following parameters: IP Protocol Type=ESP 50 and/or IP Protocol Type=UDP (Port=500), IP Protocol Type=UDP (Port=4500), NAT translation time-out setting under 2 minutes. The sending speed must be at least 100 kbit/s for a voice call and 1 Mbit/s for a video call.

Would anyone have any idea please, what could be wrong ?

/ip dns cache print where name~"3gpp"
Columns: NAME, TYPE, DATA, TTL
# NAME                               TYPE  DATA                TTL     
0 mnc001.mcc230.pub.3gppnetwork.org  NS    freya.t-mobile.cz.  9h12m44s
1 mnc001.mcc230.pub.3gppnetwork.org  NS    idunn.t-mobile.cz.  9h12m44s

AP has disabled firewall, I have tried also to setup AP via laptop to rule out AP issue - same behavior.

Sharing relevant configs for Routerboard (but I don’t think it’s issue - tried already some settings related to IPSEC, 4500 ports etc. - didn’t have any effect)

# 2023-12-11 00:05:25 by RouterOS 7.13rc3
# software id = S5MY-N4ZX
#
# model = RB960PGS
# serial number = HF1XXXXXX
/interface bridge
add admin-mac=78:9A:XX:4D:XX:XX arp=proxy-arp auto-mac=no name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp comment="AP DOWN"
set [ find default-name=ether3 ] arp=proxy-arp comment="AP UP"
set [ find default-name=ether4 ] arp=proxy-arp
set [ find default-name=ether5 ] arp=proxy-arp
set [ find default-name=sfp1 ] 
    mac-address=E0:5A:9F:XX:XX:XX name="sfp1 IGN WAN"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge settings
set use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set icmp-timeout=30s loose-tcp-tracking=no udp-stream-timeout=6m udp-timeout=\
    30s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set arp-timeout=20m max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface l2tp-server server
set default-profile=pptp_profile use-ipsec=yes
/interface list member
add interface=bridge list=LAN
add interface="sfp1 IGN WAN" list=WAN
/ip firewall address-list
add address=10.2.0.1-10.2.0.10 list=safe_ip_never_block
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
add action=accept chain=input comment="VPN: allow L2TP" dst-port=1701 \
    in-interface=all-ethernet protocol=udp
add action=accept chain=input comment="VPN: allow IPsec NAT-T" dst-port=4500 \
    in-interface=all-ethernet protocol=udp
add action=accept chain=input in-interface="sfp1 IGN WAN" protocol=ipsec-esp
add action=accept chain=input in-interface="sfp1 IGN WAN" protocol=ipsec-ah
add action=accept chain=input comment=Allow-ISAKMP dst-port=500 in-interface=\
    "sfp1 IGN WAN" protocol=udp
add action=drop chain=input comment="DNS block from WAN" dst-port=53 \
    in-interface="sfp1 IGN WAN" protocol=tcp src-address-list=\
    !safe_ip_never_block
add action=drop chain=input comment="DNS block from WAN" dst-port=53 \
    in-interface="sfp1 IGN WAN" protocol=udp src-address-list=\
    !safe_ip_never_block
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid in-interface=!bridge src-address-list=!safe_ip_never_block
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN src-address-list=!safe_ip_never_block
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid in-interface=!bridge out-interface=!bridge
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=add-src-to-address-list address-list=FW_Block_unkown_port \
    address-list-timeout=1d chain=input comment=\
    "Add IP of user to access list if they have tried port that is not open." \
    in-interface="sfp1 IGN WAN" log-prefix=FI_AS_port-test src-address-list=\
    !safe_ip_never_block
add action=drop chain=input comment=\
    "Drop packets that has not been allowed or dropped before." in-interface=\
    "sfp1 IGN WAN" log=yes log-prefix=FI_D_port-test
/ip firewall mangle
add action=set-priority chain=prerouting comment="sip=p7" connection-type=sip \
    new-priority=7 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set h323 ports=1720
set sip ports=5060,5061,500,4500,5222,3478,80,443 sip-timeout=3m
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Prague
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.cz.pool.ntp.org
add address=1.cz.pool.ntp.org

This is what sniffer shows (filtered to IP addresses = 31.30.69.152 and 31.30.69.153):

Thank you for any reply, I’m already desperate, to be honest…

rplant · December 11, 2023, 1:47am

This might not fix your problem but do it anyway and restart from there.

Remove 500 and 4500 from the sip helper (service port).
Ideally disable the sip helper.

Set the udp stream timeout back to its default of 3 minutes from current 6 minutes,
(Or maybe even to 2 minutes, as specified in “NAT translation time-out setting under 2 minutes”)

sharkys · December 11, 2023, 6:24am

Thank you, I have disabled SIP helper - indeed this will not help, because it didn’t work even prior to these “advised” corrections I found in another threads.
Tested again, no change

/ip firewall service-port
set h323 ports=1720
set sip disabled=yes ports=5060,5061,5222,3478,80,443 sip-timeout=3m

/ip firewall connection tracking
set icmp-timeout=30s loose-tcp-tracking=no udp-stream-timeout=2m udp-timeout=30s

Happy to try anything else or prove to my ISP, they have a problem Will probably ask my neighbors, if they have Samsung, to test it.

sharkys · December 11, 2023, 12:59pm

Btw, upon activation, I see following comm - do you see anything missing or does it look OKay ?

Obviously, obfuscated part is my public IP

rplant · December 11, 2023, 9:21pm

It kind of looks like it should almost be working, not sure, wait a while?

My phone (not a samsung) will often take a while to decide to use vowifi if it has an ok 4g signal.
From memory (I think but am not sure) it might be less picky if the 4g signal is rubbish.

ToTheCLI · December 11, 2023, 9:42pm

Looks like your ISP is the issue try connecting to an IPsec/IKEv2 PSK VPN tunnel from the native Android VPN Client as it uses the same ports and Protocol.

sharkys · December 12, 2023, 2:18pm

Thank you, would you have some recommendation on Trial VPN IPsec/IKEv2 PSK for Android, confirmed working on Android native ?
For sure, VPNs like eg. OpenVPN or L2TP VPN works but that’s not IPSEC/IKEv2 - tried yesterday vpnjantit, just saw Connecting status…
NordVPN ?

sharkys · December 12, 2023, 7:37pm

Hm, so tested Uplinks VPN - it works when using data, it do not work using my ISP. So I guess problem is with my ISP indeed.

Amm0 · December 12, 2023, 9:34pm

Or your firewall/NAT rule… That’s IPSec tunnel it uses, not SIP.

The default firewall explicit allows IPSec, but if your firewall doesn’t…that could be the issue. e.g. lines like:

/ip firewall filter
add action=accept chain=forward comment=“defconf: accept in ipsec policy” ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy” ipsec-policy=out,ipsec
/ip firewall nat
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=out,none out-interface-list=WAN

sharkys · December 12, 2023, 10:16pm

Thank you - tested, no change.

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

This rule I had already…

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec

Added those, moved to the top…but counters are still 0, even if I keep them as the only rule ? Strange.

Amm0 · December 12, 2023, 10:52pm

Hard to know. But my bet is there might be some IPSec setting wrong — what/where, IDK.

Do you have any other VPNs running on the same router? e.g. you have this:
/interface l2tp-server server set default-profile=pptp_profile use-ipsec=yes

But if your not using l2tp, you might want to disable the server.

Amm0 · December 12, 2023, 10:53pm

Also, is there any reason you’re using proxy-arp on the bridge/ports?

sharkys · December 13, 2023, 6:23am

Thank you @Amm0, appreciate your help. l2tp is there only as leftover, the server itself is disabled, I just re-checked - using OpenVPN instead.

proxy-arp is recommendation due to the LAN sub-nets routing/access for/via OpenVPN - I guess that"s not issue, or is there any other sidefect, having this enabled ?

sharkys · December 13, 2023, 8:06pm

Btw, it was not ISP fault…it was ISP of the ISP fault

Thanks for help and all the reactions !