simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Fri Apr 22, 2016 6:48 pm

The base of the VoIP phone is connected to the subnet 192.168.1.0, and its IP is 192.168.1.22.

The connection settings for the voip phone are:
https://www.messagenet.com/it/images/vo ... ip_web.gif

On my MikroTik I have tried everything that I have read on this forum about SIP.

I have tried a complicated script for packet marking and prioritizing too... but... my phone does not register with the VoIP provider...

It is so weird that such a simple thing does not work!!

I'm inspecting the connections; there is a little traffic from UDP ports 5060 and 5061 related to SIP registration... but it always fails...

I've tried setting the VoIP phone to a dynamic IP or a static IP too, tried making it static in DHCP Leases, etc. etc...

Now I'm desperate!
See here:
sip-mikrotik.PNG
Is it correct that the connection works in this manner?
The IP that starts with 77.89.xx.xx is the dedicated IP from the internet WAN.

Why are the ports changing? The VoIP provider requires 5061 in the settings, so why do I see 5060 in the connection?

Please, help a newbie :D
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon Apr 25, 2016 3:13 am

Voip registrations would use very little data. Your phone is sending and receiving on port 5060, voip provider is sending and receiving on port 5061. That's why you see two ports in the connection info window. That's ok.

Your settings look correct. Next step in troubleshooting is to go to Tools > Packet Sniffer and capture packets (and save it to a file on the Mikrotik). You can filter by your device IP or VoIP server IP. After some packets are captured, stop the capture and view the capture file in Wireshark. Or post the capture file on this forum. Maybe the server is replying with an error message.
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon Apr 25, 2016 12:21 pm

I'd suggest disabling the SIP helper, and as mentioned above grab a packet trace, ideally from the LAN and WAN side of your router.

I'm happy to take a look.
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue Apr 26, 2016 10:38 am

Ether3 is the lan port for the subnet 192.168.1.0/24
"LAN" is a bridge.
This is the packet sniff for all interfaces:
packet-sniff-eth.PNG
This is a packet sniff for the ip of gigaset (only ether3)
packet-sniff-all.PNG
I don't see traffic for the eth1 that is the WAN port, is it normal?
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue Apr 26, 2016 11:01 am

Did you already disable the SIP helper?
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue Apr 26, 2016 12:49 pm

Yes, the helper is disabled!

I see this strange thing in the packet sniffing with Wireshark:

26 27.731126 213.174.160.1 192.168.1.22 DNS 139 Standard query response 0x3a5f No such name SRV _sip._tcp.sip.messagenet.it SOA dns1.messagenet.it
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue Apr 26, 2016 1:27 pm

Does the MikroTik router have the public IP itself, or is it connected to the provider router through a private address WAN on the MikroTik?

That packet indicates the phone is asking for a SRV type DNS record for _sip._tcp.sip.messagenet.it, which doesn't exist. These SRV DNS records are often used by SIP equipment for dynamic configuration of sip server ip address and port when "auto" or stun/proxy server settings are used.

Do you control such DNS server?

This query is most likely triggered on the C610 by the proxy setting. Have you tried setting it up for a "direct" connection with no proxy setting, i.e. just the server and port?

Are you using fasttrack?
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue Apr 26, 2016 2:09 pm

> Does the MikroTik router have the public IP itself, or is it connected to the provider router through a private address WAN on the MikroTik?

We have a router from the fiber connection provider that we can't touch, so a LAN cable is connected to the MikroTik.

In the MikroTik we have set the IP, subnet, gateway and DNS that the fiber connection provider gave us.

> That packet indicates the phone is asking for a SRV type DNS record for _sip._tcp.sip.messagenet.it, which doesn't exist. These SRV DNS records are often used by SIP equipment for dynamic configuration of sip server ip address and port when "auto" or stun/proxy server settings are used.
>
> Do you control such DNS server?

messagenet.it is the VoIP provider, and I have a Gigaset with these settings:
ConnessioniC610A_IP.png
Configurazione-IP_C610A-IP.png

> This query is most likely triggered on the C610 by the proxy setting. Have you tried setting it up for a "direct" connection with no proxy setting, i.e. just the server and port?
>
> Are you using fasttrack?

I have tried with proxy outbound on "never", no luck!

No, I'm not using fasttrack, I don't know what it is :-(
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue Apr 26, 2016 3:08 pm

What I am trying to determine is if the C610 -> SIP server passes double or multiple NAT stages, as that will give you problems with SIP.

What is the IP of the mikrotik router interface connected to the fiber router?
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue Apr 26, 2016 4:13 pm

> What I am trying to determine is if the C610 -> SIP server passes double or multiple NAT stages, as that will give you problems with SIP.
>
> What is the IP of the mikrotik router interface connected to the fiber router?

In this post you can see a little overview of my settings...

http://forum.mikrotik.com/viewtopic.php ... 97#p534388

PS: How can I export an overview of my settings from winbox/webfig, without taking screenshots?
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue Apr 26, 2016 6:05 pm

Saw it, but crucial settings are missing, not sure if your WAN is 77.89.x.x, as the in-interface is the LAN bridge...

Is that your public IP? Is your fiber router in bridge mode?

To generate an export of the whole config, open a New Terminal and issue:
/export hide-sensitive
So you can copy & paste here into code blocks.
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue Apr 26, 2016 8:45 pm

> Saw it, but crucial settings are missing, not sure if your WAN is 77.89.x.x, as the in-interface is the LAN bridge...
>
> Is that your public IP? Is your fiber router in bridge mode?
>
> To generate an export of the whole config, open a New Terminal and issue:
> /export hide-sensitive
> So you can copy & paste here into code blocks.

Thanks for the command hint!!

An attachment is good :-) too much indexable data!
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Wed Apr 27, 2016 1:16 pm

> What I am trying to determine is if the C610 -> SIP server passes double or multiple NAT stages, as that will give you problems with SIP.

It may cause issues, but the SIP provider should have NAT traversal in place that can work around these issues.

Please can you post a proper .pcap packet capture?

Thanks
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Wed Apr 27, 2016 2:09 pm

@simbus82:
/interface bridge port
add bridge=LAN horizon=1 interface="ether1 - Acantho"
add bridge=LAN horizon=1 interface="ether3 - quantility"
add bridge=LAN horizon=1 interface="ether4 - mido"
add bridge=LAN horizon=1 interface="ether5 - brini"

/ip address
add address=192.168.88.1/24 comment="default configuration" interface="ether2 - admin" network=192.168.88.0
add address=77.89.x.106/30 comment="WAN Acantho" interface="ether1 - Acantho" network=77.89.x.104
add address=192.168.1.1/24 comment="IP Quantility" interface=LAN network=192.168.1.0
add address=192.168.2.1/24 comment="IP mido" interface=LAN network=192.168.2.0
add address=192.168.3.1/24 comment="IP Brini" interface=LAN network=192.168.3.0
add address=192.168.4.1/24 comment="IP Obst" interface=LAN network=192.168.4.0
You have the WAN IP assigned to ether1, and that same interface added to the LAN bridge where you assigned private IPs "on top".

When adding interfaces to bridges, IPs, services, etc. should be assigned to the bridge, not to individual interfaces, as this can lead to unpredictable behaviour.

On top of that you used the same bridge horizon values for the interfaces in the bridge, then used the firewall...

To firewall in Layer 3, the WAN ether port shouldn't be on the same L2 segment as the LAN ports.

What exactly do you want to achieve with such a configuration?

Try removing ether1 from the LAN bridge, and reboot. Does the phone register now?

I'd clean up your configuration following best practices:

1.- Isolate the WAN port (remove it from the bridge)
2.- If you want to serve different network segments:
- delete the LAN bridge
- Assign IP addresses on each ether port
3.- Create multiple DHCP server instances, on top of each interface, so that you can control each DHCP server individually depending on network.
4.- (If you want all the networks to reach the internet) change the firewall masquerade rule to
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - Acantho"
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 02, 2016 11:51 am

> What exactly do you want to achieve with such a configuration?

More isolated subnets (one for the office) that can access the internet :-) You can see here what I want to obtain:
http://forum.mikrotik.com/viewtopic.php ... 97#p534206

I have only followed pieces of information that I have read in this forum and in the wiki.

> Try removing ether1 from the LAN bridge, and reboot. Does the phone register now?

Did you mean removing the "port" ether1 from the LAN bridge? Right?

> I'd clean up your configuration following best practices:
>
> 1.- Isolate the WAN port (remove it from the bridge)
> 2.- If you want to serve different network segments:
> - delete the LAN bridge
> - Assign IP addresses on each ether port
> 3.- Create multiple DHCP server instances, on top of each interface, so that you can control each DHCP server individually depending on network.
> 4.- (If you want all the networks to reach the internet) change the firewall masquerade rule to
> /ip firewall nat
> add action=masquerade chain=srcnat out-interface="ether1 - Acantho"

So, I have done everything wrong :-(

I will wait until our office is empty and then I will try!

Thanks!!

PS: What if on one interface (for example ether3) I want two subnets, because I have a WiFi access point that can handle multiple SSIDs and VLANs?
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 02, 2016 4:29 pm

OK, I have "re-configured" my network! Many thanks to you, the network is working very well and the configuration is cleaner and simpler! :D

I have added a Hairpin NAT for two internal webservers (192.168.1.150 and 192.168.1.63), all is working!

But... SIP is not registering! :(

Here are my new settings:
new-config.txt
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue May 03, 2016 2:26 pm

Please can you post a proper .pcap packet capture?
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue May 03, 2016 5:02 pm

> Please can you post a proper .pcap packet capture?

Here is a test, thanks!
test_4.pcap.txt
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue May 03, 2016 7:54 pm

This appears to be from the LAN side only, do you also have a trace from the WAN side? I can see your device is sending REGISTER requests but doesn't receive a response.

This could be because your provider is not implementing NAT traversal and the responses are going back to 192.168.1.22, or it could be that your F/W is blocking the responses.

A WAN side SIP trace should indicate what's going on.
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 10:23 am

> This appears to be from the LAN side only, do you also have a trace from the WAN side? I can see your device is sending REGISTER requests but doesn't receive a response.
>
> This could be because your provider is not implementing NAT traversal and the responses are going back to 192.168.1.22, or it could be that your F/W is blocking the responses.
>
> A WAN side SIP trace should indicate what's going on.

Which settings do I have to use to do this trace correctly?
 
pukkita
Trainer
Posts: 3051
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 1:33 pm

Run the packet capture on the ether1 - Acantho interface.
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 6:35 pm

> Run the packet capture on the ether1 - Acantho interface.

The file is very big... it fills up in seconds, I have a lot of traffic on this eth.

Which filters can I set in addition to slim down the packet sniff file?

EDIT: I have attached the trace filtered on ports 5060-5061
Last edited by simbus82 on Mon May 09, 2016 6:48 pm, edited 1 time in total.
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 6:48 pm

> The file is very big... it fills up in seconds, I have a lot of traffic on this eth.

Fix your firewalling. Currently all traffic is allowed and your server is vulnerable to DNS amplification attacks.
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 6:54 pm

> > The file is very big... it fills up in seconds, I have a lot of traffic on this eth.
>
> Fix your firewalling. Currently all traffic is allowed and your server is vulnerable to DNS amplification attacks.

Thanks, I have added these filtering rules:
http://wiki.mikrotik.com/wiki/Manual:IP ... c_examples
and
http://www.mtin.net/blog/?p=297

It does not solve the SIP problem, but now I have a good firewall, thanks!
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 7:49 pm

Try disabling your mangle rules that are added for SIP phones. Startrinity make a good SIP test tool where you can run tests from Windows. Worth downloading and testing.
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 8:02 pm

> Try disabling your mangle rules that are added for SIP phones. Startrinity make a good SIP test tool where you can run tests from Windows. Worth downloading and testing.

I don't have any mangle rule active. Service SIP is disabled too.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 8:17 pm

Looking at your recent SIP-only capture....

It looks like you're showing the LAN side and the WAN side. It's very clear that the server is not replying to your phone's register requests, or that the replies are being dropped before they reach your router's WAN interface.

Something in your captures is 'wonky' because there are no MAC addresses visible in the captures.... but the interesting thing I see is that the outgoing registration requests from the phone are being sent to UDP port 5060, and you stated that the provider wants you to use 5061.

Double-check your phone's settings regarding the host:port that it should register to.
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 8:27 pm

> Looking at your recent SIP-only capture....
>
> It looks like you're showing the LAN side and the WAN side.

I have set the packet sniffer to "all interfaces" and ports 5060 and 5061.

> It's very clear that the server is not replying to your phone's register requests, or that the replies are being dropped before they reach your router's WAN interface.

Yes, my provider's support says that my SIP phone sends the registration call and it is OK, the provider's registration server answers correctly... but the SIP phone does not "hear" the provider's answer and it repeats the request for the registration process...

> Something in your captures is 'wonky' because there are no MAC addresses visible in the captures.... but the interesting thing I see is that the outgoing registration requests from the phone are being sent to UDP port 5060, and you stated that the provider wants you to use 5061.

My provider's support says that it makes no difference whether it is port 5060 or 5061.

> Double-check your phone's settings regarding the host:port that it should register to.

How can I give you more data to help me solve this problem? ... I do not know where to look :-( ...
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 8:39 pm

Can you run a traceroute from the same network your SIP phone is on to your SIP server and post the results?
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 8:46 pm

> Can you run a traceroute from the same network your SIP phone is on to your SIP server and post the results?

hop.PNG
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 8:49 pm

I would recommend setting up sniffer on the Mikrotik as follows:
interface=WAN interface
IP protocol = udp
port = ! 53

Then run the capture for a bit, and then save/download it to your machine and open it in Wireshark.

I recommend these looser settings because if your filter is too specific, you might miss some interesting packets - in my time at a SIP provider, one thing that filters might miss would be if a customer's router wasn't doing NAT properly, and we'd see the replies coming from the wrong IP address - filtering to their IP address made these packets invisible - so sometimes you just have to accept more packets and sift through it by hand or by using the analysis tools built into Wireshark itself.

The first thing to look for would be if you see what looks like SIP replies, but coming from a different IP and/or port number than the one your requests were sent to. If there's other noisy non-sip udp traffic in the results, you can filter the view down to just SIP in Wireshark by just typing sip into the filter and clicking apply. (of course, any SIP traffic that Wireshark doesn't recognize as being SIP would also get filtered out - that's why you might want to look at it as unfiltered as possible first)

If you're not seeing SIP on unexpected IP addresses, then you can safely filter your view in Wireshark based on the SIP provider's IP.
e.g. ip.addr==212.97.59.76

----

Anyway, based on your previously-posted capture, it looks like you're not seeing any replies at all. Remember that the packet sniffer will see packets before any firewall rules get to discard/mangle/nat/fasttrack them, so if there are no packets in the capture, and your sniffer filter rules weren't too restrictive, then that means they simply weren't there.

The reasons they might not be there:
SIP server didn't receive your outgoing requests
- wrong dst port in the request
- some network entity is dropping them on their way to the provider
- the provider is dropping them for some reason

SIP server is not replying to your requests for some reason
- perhaps too many failed attempts have tripped a blacklist on their side
- other reasons....

SIP server's replies aren't making it to you:
- some network entity is dropping them before they reach you
- perhaps the SIP provider is trying to send replies to your phone's private IP and not its public IP
(most likely cause in my opinion)

If there's a configuration in the SIP phone for NAT traversal, especially one where you can tell the phone what public IP address it's being nat-translated to, then put your public IP in there and see if things don't start working better. USUALLY, though, SIP providers' servers should be smart enough to automatically detect such NAT situations and correct for it without anything special being configured on your side, but if not, that could be a likely source of your problem.
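
The checks described in the post above, applied to a WAN-side capture, as an added Python example that is not part of the original thread or anyone's posted code. The packets are constructed samples; `203.0.113.10` and `198.51.100.7` are placeholder addresses and the `user` in the Contact header is made up.

```python
import re
from ipaddress import ip_address, ip_network

# RFC 1918 ranges, listed explicitly: ipaddress.is_private would also match the
# documentation ranges used as placeholders in the sample below.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONTACT_RE = re.compile(r"sips?:(?:[^@>;]+@)?([^:;>]+)")


def is_rfc1918(host):
    try:
        addr = ip_address(host)
    except ValueError:  # a hostname, not a literal address
        return False
    return any(addr in net for net in RFC1918)


def parse_sip(payload):
    """Return (start_line, headers) or None when the datagram is not SIP.
    Only long header names are handled; compact forms and folding are not."""
    lines = payload.split("\r\n\r\n", 1)[0].split("\r\n")
    start = lines[0]
    if not (start.startswith("SIP/2.0 ") or start.endswith(" SIP/2.0")):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())  # keep topmost Via
    return start, headers


def via_sent_by(via):
    """'SIP/2.0/UDP 192.168.1.22:5060;branch=x;rport' -> ('192.168.1.22', True)"""
    parts = via.split(None, 1)
    if len(parts) < 2:
        return None, False
    sent_by, _, params = parts[1].partition(";")
    host = sent_by.rsplit(":", 1)[0].strip()
    has_rport = any(p.split("=")[0].strip().lower() == "rport" for p in params.split(";"))
    return host, has_rport


def analyze(packets, server):
    """packets: (src_ip, src_port, dst_ip, dst_port, payload) tuples from the WAN side.
    server: (ip, port) the phone is supposed to register to."""
    findings, pending = [], {}
    for src_ip, src_port, dst_ip, dst_port, payload in packets:
        parsed = parse_sip(payload)
        if parsed is None:
            continue
        start, h = parsed
        key = (h.get("call-id"), h.get("cseq"))
        if start.startswith("REGISTER "):
            if key in pending:  # retransmission of a request already checked
                continue
            pending[key] = (dst_ip, dst_port)
            if (dst_ip, dst_port) != server:
                findings.append(("register-to-unexpected-dest", f"{dst_ip}:{dst_port}"))
            host, has_rport = via_sent_by(h.get("via", ""))
            # Without rport (RFC 3581) the reply goes to the Via port, not to the
            # NAT-mapped source port the request actually came from.
            if host and is_rfc1918(host) and not has_rport:
                findings.append(("private-via-no-rport", host))
            m = CONTACT_RE.search(h.get("contact", ""))
            if m and is_rfc1918(m.group(1)):
                findings.append(("private-contact", m.group(1)))
        elif start.startswith("SIP/2.0 "):
            expected = pending.pop(key, None)
            if expected is None:
                findings.append(("unmatched-response", f"{src_ip}:{src_port}"))
            elif (src_ip, src_port) != expected:
                findings.append(("response-from-unexpected-source", f"{src_ip}:{src_port}"))
    for (call_id, cseq), (ip, port) in pending.items():
        findings.append(("no-response", f"{call_id} {cseq} -> {ip}:{port}"))
    return findings


def _msg(start, via, call_id, contact=None):
    lines = [start, f"Via: {via}", f"Call-ID: {call_id}", "CSeq: 1 REGISTER"]
    if contact:
        lines.append(f"Contact: {contact}")
    return "\r\n".join(lines + ["Content-Length: 0"]) + "\r\n\r\n"


# Constructed sample, not taken from the thread's attachments.
WAN = "203.0.113.10"             # placeholder for the router's public address
SERVER = ("212.97.59.76", 5061)  # address from the thread, port the provider asked for
REQ = "REGISTER sip:sip.messagenet.it SIP/2.0"
CONTACT = "<sip:user@192.168.1.22:5060>"
# Sent twice to port 5060 without rport and never answered.
FIRST = (WAN, 5060, "212.97.59.76", 5060,
         _msg(REQ, "SIP/2.0/UDP 192.168.1.22:5060;branch=z9hG4bKa1", "a1@192.168.1.22", CONTACT))
SAMPLE = [
    FIRST, FIRST,
    # Sent to 5061 with rport, answered from a different address.
    (WAN, 5060, "212.97.59.76", 5061,
     _msg(REQ, "SIP/2.0/UDP 192.168.1.22:5060;branch=z9hG4bKb2;rport", "b2@192.168.1.22", CONTACT)),
    ("198.51.100.7", 5061, WAN, 5060,
     _msg("SIP/2.0 401 Unauthorized",
          "SIP/2.0/UDP 192.168.1.22:5060;branch=z9hG4bKb2;rport=5060;received=203.0.113.10",
          "b2@192.168.1.22")),
]

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE, SERVER):
        print(f"{kind:34} {detail}")
```

A `private-contact` finding on its own is normal behind NAT; it matters when it appears together with `no-response`, which is the situation described in this thread.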
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 8:49 pm

Can you run the traceroute from the LAN side, i.e. a computer?
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 8:57 pm

> If there's a configuration in the SIP phone for NAT traversal, especially one where you can tell the phone what public IP address it's being nat-translated to, then put your public IP in there and see if things don't start working better. USUALLY, though, SIP providers' servers should be smart enough to automatically detect such NAT situations and correct for it without anything special being configured on your side, but if not, that could be a likely source of your problem.

The SIP phone is a Gigaset C610A IP.

I will try your advice, thanks a lot!

> Can you run the traceroute from the LAN side, i.e. a computer?

tracert sip.messagenet.it

Traccia instradamento verso sip.messagenet.it [212.97.59.76]
su un massimo di 30 punti di passaggio:

1 1 ms <1 ms <1 ms 192.168.1.1
2 2 ms 3 ms 1 ms 77.89.1.105
3 3 ms 3 ms 3 ms 213.209.207.193
4 * * * Richiesta scaduta.
5 * * * Richiesta scaduta.
6 * * * Richiesta scaduta.
7 * * * Richiesta scaduta.
8 11 ms 9 ms 10 ms quark.messagenet.it [212.97.59.76]
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 09, 2016 9:08 pm

What firewall rules are you running? Can you post a print of the firewall rules?
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Fri May 27, 2016 5:48 pm

 0    ;;; Block DNS attacks from outside toward the WAN: RECOMMENDED!
      chain=input action=drop protocol=udp in-interface=ether1 - WAN - Acantho 
      dst-port=53 log=no log-prefix="" 

 1    ;;; Block DNS attacks from outside toward the WAN: RECOMMENDED!
      chain=input action=drop protocol=tcp in-interface=ether1 - WAN - Acantho 
      dst-port=53 log=no log-prefix="" 

 2    ;;; Protects internal network users from DNS attacks
      chain=forward action=drop protocol=udp out-interface=!ether1 - WAN - Acantho 
      dst-port=53 log=no log-prefix="" 

 3    ;;; Protects internal network users from DNS attacks
      chain=forward action=drop protocol=tcp out-interface=!ether1 - WAN - Acantho 
      dst-port=53 log=no log-prefix="" 

 4    ;;; drop ftp brute forcers
      chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21 
      log=no log-prefix="" 

 5    chain=output action=accept protocol=tcp content=530 Login incorrect 
      dst-limit=1/1m,9,dst-address/1m log=no log-prefix="" 

 6    chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklis>
      address-list-timeout=3h content=530 Login incorrect log=no log-prefix="" 

 7    ;;; drop ssh brute forcers
      chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 
      log=no log-prefix="" 

 8    chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
      src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d 
      dst-port=22 log=no log-prefix="" 

 9    chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
      src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m 
      dst-port=22 log=no log-prefix="" 

10    chain=input action=add-src-to-address-list connection-state=new protocol=tcp 
      src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m 
      dst-port=22 log=no log-prefix="" 

11    ;;; drop invalid connections
      chain=forward action=drop connection-state=invalid protocol=tcp log=no 
      log-prefix="" 

12    ;;; allow already established connections
      chain=forward action=accept connection-state=established log=no log-prefix="" 

13    ;;; allow related connections
      chain=forward action=accept connection-state=related log=no log-prefix="" 

14    ;;; Drop "BOGON" Address
      chain=forward action=drop src-address=0.0.0.0/8 log=no log-prefix="" 

15    chain=forward action=drop dst-address=0.0.0.0/8 log=no log-prefix="" 

16    chain=forward action=drop src-address=127.0.0.0/8 log=no log-prefix="" 

17    chain=forward action=drop dst-address=127.0.0.0/8 log=no log-prefix="" 

18    chain=forward action=drop src-address=224.0.0.0/3 log=no log-prefix="" 

19    ;;; jumps to new chains
      chain=forward action=jump jump-target=tcp protocol=tcp log=no log-prefix="" 

20    chain=forward action=jump jump-target=udp protocol=udp log=no log-prefix="" 

21    chain=forward action=jump jump-target=icmp protocol=icmp log=no log-prefix="" 

22    ;;; deny TFTP
      chain=tcp action=drop protocol=tcp dst-port=69 log=no log-prefix="" 

23    ;;; deny RPC portmapper
      chain=tcp action=drop protocol=tcp dst-port=111 log=no log-prefix="" 

24    ;;; deny RPC portmapper
      chain=tcp action=drop protocol=tcp dst-port=135 log=no log-prefix="" 

25    ;;; deny NBT
      chain=tcp action=drop protocol=tcp dst-port=137-139 log=no log-prefix="" 

26    ;;; deny cifs
      chain=tcp action=drop protocol=tcp dst-port=445 log=no log-prefix="" 

27    ;;; deny NFS
      chain=tcp action=drop protocol=tcp dst-port=2049 log=no log-prefix="" 

28    ;;; deny NetBus
      chain=tcp action=drop protocol=tcp dst-port=12345-12346 log=no log-prefix="" 

29    ;;; deny NetBus
      chain=tcp action=drop protocol=tcp dst-port=20034 log=no log-prefix="" 

30    ;;; deny BackOriffice
      chain=tcp action=drop protocol=tcp dst-port=3133 log=no log-prefix="" 

31    ;;; deny DHCP
      chain=tcp action=drop protocol=tcp dst-port=67-68 log=no log-prefix="" 

32    ;;; deny TFTP
      chain=udp action=drop protocol=udp dst-port=69 log=no log-prefix="" 

33    ;;; deny PRC portmapper
      chain=udp action=drop protocol=udp dst-port=111 log=no log-prefix="" 

34    ;;; deny PRC portmapper
      chain=udp action=drop protocol=udp dst-port=135 log=no log-prefix="" 

35    ;;; deny NBT
      chain=udp action=drop protocol=udp dst-port=137-139 log=no log-prefix="" 

36    ;;; deny NFS
      chain=udp action=drop protocol=udp dst-port=2049 log=no log-prefix="" 

37    ;;; deny BackOriffice
      chain=udp action=drop protocol=udp dst-port=3133 log=no log-prefix="" 

38    ;;; echo reply
      chain=icmp action=accept protocol=icmp icmp-options=0:0 log=no log-prefix="" 

39    ;;; net unreachable
      chain=icmp action=accept protocol=icmp icmp-options=3:0 log=no log-prefix="" 

40    ;;; host unreachable
      chain=icmp action=accept protocol=icmp icmp-options=3:1 log=no log-prefix="" 

41    ;;; host unreachable fragmentation required
      chain=icmp action=accept protocol=icmp icmp-options=3:4 log=no log-prefix="" 

42    ;;; allow source quench
      chain=icmp action=accept protocol=icmp icmp-options=4:0 log=no log-prefix="" 

43    ;;; allow echo request
      chain=icmp action=accept protocol=icmp icmp-options=8:0 log=no log-prefix="" 

44    ;;; allow time exceed
      chain=icmp action=accept protocol=icmp icmp-options=11:0 log=no log-prefix="" 

45    ;;; allow parameter bad
      chain=icmp action=accept protocol=icmp icmp-options=12:0 log=no log-prefix="" 

46    ;;; deny all other types
      chain=icmp action=drop log=no log-prefix="" 
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Fri May 27, 2016 8:24 pm

I cannot see a rule to allow UDP 5060 traffic through the firewall. Can you confirm if you have added anything allowing VoIP traffic through the firewall?
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Fri May 27, 2016 8:29 pm

> I cannot see a rule to allow UDP 5060 traffic through the firewall. Can you confirm if you have added anything allowing VoIP traffic through the firewall?

I don't have any specific rule, can you give me some help to set this thing right?
 
dgnevans
Member
Posts: 469
Joined: Fri Mar 08, 2013 11:24 am
Location: Zimbabwe

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Fri May 27, 2016 8:55 pm

Here, as an example, is a copy of some firewall rules for a working RB1100AHx2 with SIP. I have removed some rules which would not necessarily apply and removed sensitive info.
 0    ;;; LAN Traffic
      chain=forward action=accept src-address=172.17.0.0/16 dst-address=172.17.0.0/16 log=no log-prefix="" 

 1    ;;; drop invalid connections
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 2    ;;; Allow LAN access to router and Internet
      chain=input action=accept connection-state=new in-interface=lan-interface log=no log-prefix="" 

 3    ;;; Allow Established Connections
      chain=input action=accept connection-state=established log=no log-prefix="" 

 4    ;;; Allow connections that originated from LAN
      chain=input action=accept connection-state=related log=no log-prefix="" 

 5    ;;; Allow ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 6    ;;; SSH
      chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix="" 

 7    ;;; WINBOX
      chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix="" 

 8    ;;; PPTP-VPN
      chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix="" 

 9    ;;; PPTP-VPN
      chain=input action=accept protocol=gre log=no log-prefix="" 

10    ;;; Drop Traffic from anywhere
      chain=input action=drop log=no log-prefix="" 

11    ;;; drop invalid connections
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

12    ;;; ICMP
      chain=forward action=accept protocol=icmp log=no log-prefix="" 

13    ;;; FTP-DATA
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=20 log=no log-prefix="" 

14    ;;; FTP-DATA
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=20 log=no log-prefix="" 

15    ;;; FTP-CONTROL
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=21 log=no log-prefix="" 

16    ;;; SSH
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=22 log=no log-prefix="" 

17    ;;; Telnet
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=23 log=no log-prefix="" 

18    ;;; SMTP
      chain=forward action=accept protocol=tcp src-address=172.17.0.126 dst-address=0.0.0.0/0 dst-port=25 log=no log-prefix="" 

19    ;;; Incoming SMTP
      chain=forward action=accept protocol=tcp dst-address=172.17.0.0/16 dst-port=25 log=no log-prefix="" 

20    ;;; DNS
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=53 log=no log-prefix="" 

21    ;;; DNS
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=53 log=no log-prefix="" 

22    ;;; DNS
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=53 log=no log-prefix="" 

23    ;;; HTTP
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=80 log=no log-prefix="" 

24    ;;; POP3
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=110 log=no log-prefix="" 

25    ;;; NTP
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=123 log=no log-prefix="" 

26    ;;; NTP
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=123 log=no log-prefix="" 

27    ;;; Microsoft RPC Locator Service
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=135 log=no log-prefix="" 

28    ;;; Microsoft RPC Locator Service
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=135 log=no log-prefix="" 

29    ;;; Microsoft RPC Locator Service
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=135 log=no log-prefix="" 

30    ;;; Netbios
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=139 log=no log-prefix="" 

31    ;;; Netbios
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=139 log=no log-prefix="" 

32    ;;; Netbios
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=139 log=no log-prefix="" 

33    ;;; IMAP
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=143 log=no log-prefix="" 

34    ;;; HTTPS
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=443 log=no log-prefix="" 

35    ;;; Incoming Outlook Anywhere
      chain=forward action=accept protocol=tcp dst-address=172.17.0.0/16 dst-port=443 log=no log-prefix="" 

36    ;;; HTTPS
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=443 log=no log-prefix="" 

37    ;;; HTTPS
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=443 log=no log-prefix="" 

38    ;;; SMTPS
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=465 log=no log-prefix="" 

39    ;;; ISAKMP
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=500 log=no log-prefix="" 

40    ;;; ISAKMP
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=500 log=no log-prefix="" 

41    ;;; ISAKMP
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=500 log=no log-prefix="" 

42    ;;; SMTP
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=587 log=no log-prefix="" 

43    ;;; IMAPS
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=993 log=no log-prefix="" 

44    ;;; POP3S
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=995 log=no log-prefix="" 

49    ;;; SMTP
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=2525 log=no log-prefix="" 

50    ;;; BlackBerry
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=3101 log=no log-prefix="" 

51    ;;; Active Directory
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=3268 log=no log-prefix="" 

52    ;;; Incoming Active Directory
      chain=forward action=accept protocol=tcp dst-address=172.17.0.0/16 dst-port=3268 log=no log-prefix="" 

53    ;;; Viber,whatsapp
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=3478 log=no log-prefix="" 

54    ;;; Viber,whatsapp
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=3478 log=no log-prefix="" 

55    ;;; Viber,whatsapp
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=4244 log=no log-prefix="" 

56    ;;; Liquid Crashplan
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=4282 log=no log-prefix="" 

57    ;;; NON500-ISAKMP
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=4500 log=no log-prefix="" 

58    ;;; NON500-ISAKMP
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=4500 log=no log-prefix="" 

59    ;;; NON500-ISAKMP
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=4500 log=no log-prefix="" 

60    ;;; SIP
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5060 log=no log-prefix="" 

61    ;;; SIP
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5060 log=no log-prefix="" 

62    ;;; SIP
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 dst-port=5060 log=no log-prefix="" 

63    ;;; Whatsapp
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5222 log=no log-prefix="" 

64    ;;; Whatsapp
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5223 log=no log-prefix="" 

65    ;;; Whatsapp
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5228 log=no log-prefix="" 

66    ;;; Whatsapp
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5242 log=no log-prefix="" 

67    ;;; Viber
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5243 log=no log-prefix="" 

68    ;;; Viber
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=5243 log=no log-prefix="" 

71    ;;; HTTP
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=8080 log=no log-prefix="" 

72    ;;; SSL
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=8443 log=no log-prefix="" 

73    ;;; Viber
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=9785 log=no log-prefix="" 

74    ;;; Viber
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=9785 log=no log-prefix="" 

75    ;;; VPN 
      chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=10000 log=no log-prefix="" 

76    ;;; VPN 
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=10000 log=no log-prefix="" 

77    ;;; VPN 
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=10000 log=no log-prefix="" 

78    ;;; GoodApp
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=12000 log=no log-prefix="" 

79    ;;; GoodApp
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=12000 log=no log-prefix="" 

81    ;;; Whatsapp
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-port=45395 log=no log-prefix="" 

82    ;;; Whatsapp
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=45395 log=no log-prefix="" 

83    ;;; Whatsapp
      chain=forward action=accept src-address=172.17.0.0/16 dst-address-list=Whatsapp log=no log-prefix="" 

84    ;;; Whatsapp
      chain=forward action=accept dst-address=172.17.0.0/16 src-address-list=Whatsapp log=no log-prefix="" 

85    chain=input action=accept protocol=ipsec-ah dst-address=224.0.0.18 log=no log-prefix="" 

95    ;;; VOIP
      chain=forward action=accept src-address=172.17.0.0/16 dst-address=sip-server-ip log=no log-prefix="" 

97    ;;;  VOIP
      chain=forward action=accept src-address=sip-server-ip dst-address=172.17.0.0/16 log=no log-prefix="" 

98    ;;; TCP Established
      chain=forward action=accept connection-state=established protocol=tcp log=no log-prefix="" 

99    ;;; Allow connections originating from Lan
      chain=forward action=accept connection-state=related protocol=tcp log=no log-prefix="" 

100    chain=forward action=log log=yes log-prefix="" 

101    chain=forward action=drop log=no log-prefix="" 
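
As an added example (not part of any post in this thread), a small first-match evaluator for rules in the `print` layout shown above answers "which rule decides this packet?" without touching the router. The excerpt, the 203.0.113.10 stand-in for the redacted sip-server-ip, the sample packets and the function names are assumptions; only the matchers named in the code are modelled.

```python
import ipaddress
import re

# Constructed excerpt in the layout of the listing above; 203.0.113.10 is a
# documentation address standing in for the redacted sip-server-ip (assumption).
RULES_TEXT = '''
61    ;;; SIP
      chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5060 log=no log-prefix=""
62    ;;; SIP
      chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 dst-port=5060 log=no log-prefix=""
95    ;;; VOIP
      chain=forward action=accept src-address=172.17.0.0/16 dst-address=203.0.113.10 log=no log-prefix=""
98    ;;; TCP Established
      chain=forward action=accept connection-state=established protocol=tcp log=no log-prefix=""
100    chain=forward action=log log=yes log-prefix=""
101    chain=forward action=drop log=no log-prefix=""
'''

NON_MATCHERS = {"action", "log", "log-prefix"}  # properties that do not select packets

def parse_rules(text):
    """Return [(number, {property: value})] in listing order."""
    rules = []
    for m in re.finditer(r'^\s*(\d+)\s+(.*?)(?=^\s*\d+\s|\Z)', text, re.M | re.S):
        body = re.sub(r';;;.*', '', m.group(2))  # drop the ";;; comment" line
        rules.append((int(m.group(1)), dict(re.findall(r'([\w-]+)=(\S+)', body))))
    return rules

def matches(props, pkt):
    """True when every matcher on the rule agrees with the packet."""
    for key, want in props.items():
        if key in NON_MATCHERS:
            continue
        if key in ("src-address", "dst-address"):
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif key in ("chain", "protocol", "src-port", "dst-port", "connection-state"):
            if str(pkt.get(key)) != want:
                return False
        else:
            raise ValueError(f"matcher not modelled: {key}")
    return True

def verdict(rules, pkt):
    """First matching accept/drop decides; action=log falls through to the next rule."""
    for number, props in rules:
        if props["action"] in ("accept", "drop") and matches(props, pkt):
            return props["action"], number
    return "accept", None  # no rule matched: the filter's default is accept
```

With this excerpt, a UDP REGISTER from 172.17.0.50 to port 5061 on 203.0.113.10 is accepted only by the address-based rule 95; sent to any other server it reaches the final drop, because rule 61 matches dst-port 5060 only and rule 98 covers TCP.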
 
haik01
Member
Posts: 404
Joined: Sat Mar 23, 2013 10:25 am
Location: Netherlands

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Sat May 28, 2016 6:24 pm

What happens if you connect the phone directly to the provider's modem / router?

What happens if you use a default router configuration of Mikrotik? The one they set up when they ship it. System --> Reset configuration?

Before you do that, make a backup of your existing configuration, so it is easily restored.

Will that work?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Mon May 30, 2016 2:25 am

Again-

The packet capture showed requests going out but no replies coming back. (Including the WAN interface) and since sniffer sees traffic BEFORE the firewall can take a bite at it - the firewall is NOT dropping replies from the SIP service. They're not making it to you at all.

Ask the SIP provider what IP they're seeing for your registration attempts. If it's anything other than your public IP then there's the problem.
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue May 31, 2016 12:40 pm

> Again-
>
> The packet capture showed requests going out but no replies coming back. (Including the WAN interface) and since sniffer sees traffic BEFORE the firewall can take a bite at it - the firewall is NOT dropping replies from the SIP service. They're not making it to you at all.
>
> Ask the SIP provider what IP they're seeing for your registration attempts. If it's anything other than your public IP then there's the problem.

The SIP provider tells me: they see the request from my phone, then they ask for the registration, but my phone continues to ask... without responding.

The last thing is hilarious... I have installed Zoiper (an Android app for VoIP) on my smartphone connected to the same wifi, in the same network, in the same subnet.

It all works perfectly! :shock:

So, Gigaset is the problem? :?
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue May 31, 2016 2:01 pm

It very much looks like the problem with the SIP helper. I had issues like you describe and it completely disappeared once I disabled the SIP helper. I could also solve it by using a different port than 5060 for the phone.
 
simbus82
newbie
Topic Author
Posts: 25
Joined: Wed Feb 10, 2016 2:25 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue May 31, 2016 2:17 pm

> It very much looks like the problem with the SIP helper. I had issues like you describe and it completely disappeared once I disabled the SIP helper. I could also solve it by using a different port than 5060 for the phone.

SIP helper is the first thing we have disabled...
 
pe1chl
Forum Guru
Posts: 10221
Joined: Mon Jun 08, 2015 12:09 pm

Re: Another SIP (Gigaset C610 A IP) is not registering with RB1100AHx2

Tue May 31, 2016 2:28 pm

> SIP helper is the first thing we have disabled...

Sorry, I have not read the entire long thread... but did you already try to set a different UDP port number to be used by the phone (it is now probably 5060, make it 5065 or so)?
Not all providers accept that change, but when they do you avoid all "clever handling" by any equipment along the way for SIP traffic.
