We have a router from the fiber connection provider that we can't touch, so a LAN cable is connected to the MikroTik.
Does the MikroTik router have the public IP itself, or is it connected to the provider router through a private WAN address on the MikroTik?
messagenet.it is a VoIP provider, and I have a Gigaset with these settings
That packet indicates the phone is asking for an SRV type DNS record for _sip._tcp.sip.messagenet.it, which doesn't exist. These SRV DNS records are often used by SIP equipment for dynamic configuration of the SIP server IP address and port when "auto" or STUN/proxy server settings are used.
Do you control such DNS server?
I have tried with proxy outbound on "never", no luck!
This query is most likely triggered on the C610 by the proxy setting. Have you tried setting it up for a "direct" connection with no proxy setting, i.e. just the server and port?
Are you using fasttrack?
In this post you see a little overview of my settings...
What I am trying to determine is if the C610 -> SIP server passes double or multiple NAT stages, as that will give you problems with SIP.
What is the IP of the mikrotik router interface connected to the fiber router?
/export hide-sensitive
Thanks for the command hint!!
Saw it, but crucial settings are missing; not sure if your WAN is 77.89.x.x, as the in-interface is the LAN bridge...
Is that your public IP? Is your fiber router in bridge mode?
To generate an export of the whole config, open a New Terminal and issue:
/export hide-sensitive
So you can copy & paste here into code blocks.
It may cause issues, but the SIP provider should have NAT traversal in place that can work around these issues.
What I am trying to determine is if the C610 -> SIP server passes double or multiple NAT stages, as that will give you problems with SIP.
/interface bridge port
add bridge=LAN horizon=1 interface="ether1 - Acantho"
add bridge=LAN horizon=1 interface="ether3 - quantility"
add bridge=LAN horizon=1 interface="ether4 - mido"
add bridge=LAN horizon=1 interface="ether5 - brini"
/ip address
add address=192.168.88.1/24 comment="default configuration" interface="ether2 - admin" network=192.168.88.0
add address=77.89.x.106/30 comment="WAN Acantho" interface="ether1 - Acantho" network=77.89.x.104
add address=192.168.1.1/24 comment="IP Quantility" interface=LAN network=192.168.1.0
add address=192.168.2.1/24 comment="IP mido" interface=LAN network=192.168.2.0
add address=192.168.3.1/24 comment="IP Brini" interface=LAN network=192.168.3.0
add address=192.168.4.1/24 comment="IP Obst" interface=LAN network=192.168.4.0
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - Acantho"
More isolated subnets (one for office) that can access the internet; here you see what I want to obtain
What exactly do you want to achieve with such a configuration?
Did you mean removing the "port" ether1 from LAN bridge? Right?
Try removing ether1 from LAN bridge, and reboot. Does the phone register now?
So, I have done all things wrong
I'd clean up your configuration following best practices:
1.- Isolate WAN port (remove it from the bridge)
2.- If you want to serve different network segments:
- delete the LAN bridge
- Assign IP addresses on each ether port
3.- Create multiple DHCP server instances, one on top of each interface, so that you can control each DHCP server individually depending on network.
4.- (If you want all the networks to reach the internet) change the firewall masquerade rule to
/ip firewall nat add action=masquerade chain=srcnat out-interface="ether1 - Acantho"
Please can you post a proper .pcap packet capture?
Here a test, thanks!
Please can you post a proper .pcap packet capture?
Which setting do I have to use to do this trace correctly?
This appears to be from the LAN side only, do you also have a trace from the WAN side? I can see your device is sending REGISTER requests but doesn't receive a response.
This could be because your provider is not implementing NAT traversal and the responses are going back to 192.168.1.22, or it could be that your F/W is blocking the responses.
A WAN side SIP trace should indicate what's going on.
File is very big... it is filled in seconds, I have a lot of traffic on this eth.
Run the packet capture on the ether1 - Acantho interface.
Fix your firewalling. Currently all traffic is allowed and your server is vulnerable to DNS amplification attacks.
File is very big... it is filled in seconds, I have a lot of traffic on this eth.
Thanks, I have added these filtering rules:
Fix your firewalling. Currently all traffic is allowed and your server is vulnerable to DNS amplification attacks.
File is very big... it is filled in seconds, I have a lot of traffic on this eth.
I don't have any mangle rule active. Service SIP is disabled too.
Try disabling your mangle rules that are added for SIP phones. Startrinity makes a good SIP test tool where you can run tests from Windows. Worth downloading and testing.
I have set the packet sniffer to "all interfaces" and ports 5060 and 5061
Looking at your recent SIP-only capture....
it looks like you're showing the LAN side and the WAN side.
Yes, my provider's support says that my SIP phone sends the registration call and it is OK, the provider's registration server answers correctly... but the SIP phone does not "hear" the provider's answer and it repeats the request for the registration process...
It's very clear that the server is not replying to your phone's register requests, or that the replies are being dropped before they reach your router's WAN interface.
My provider's support says that it makes no difference whether port 5060 or 5061 is used.
Something in your captures is 'wonky' because there are no MAC addresses visible in the captures.... but the interesting thing I see is that the outgoing registration requests from the phone are being sent to UDP port 5060, and you stated that the provider wants you to use 5061.
How can I give you more data to help me solve this problem? ... I do not know where to look ...
Double-check your phone's settings regarding the host:port that it should register to.
Can you run a traceroute from the same network your SIP phone is on to your SIP server and post the results?
The SIP phone is a Gigaset C610A IP.
If there's a configuration in the SIP phone for NAT traversal, especially one where you can tell the phone what public IP address it's being NAT-translated to, then put your public IP in there and see if things don't start working better. USUALLY, though, SIP providers' servers should be smart enough to automatically detect such NAT situations and correct for it without anything special being configured on your side, but if not, that could be a likely source of your problem.
tracert sip.messagenet.it
Can you run the traceroute from the LAN side, i.e. a computer?
;;; Blocca attacchi DNS dall'esterno verso WAN: CONSIGLIATO!
chain=input action=drop protocol=udp in-interface=ether1 - WAN - Acantho
dst-port=53 log=no log-prefix=""
1 ;;; Blocca attacchi DNS dall'esterno verso WAN: CONSIGLIATO!
chain=input action=drop protocol=tcp in-interface=ether1 - WAN - Acantho
dst-port=53 log=no log-prefix=""
2 ;;; Protegge utenti reti interne dagli attacchi DNS
chain=forward action=drop protocol=udp out-interface=!ether1 - WAN - Acantho
dst-port=53 log=no log-prefix=""
3 ;;; Protegge utenti reti interne dagli attacchi DNS
chain=forward action=drop protocol=tcp out-interface=!ether1 - WAN - Acantho
dst-port=53 log=no log-prefix=""
4 ;;; drop ftp brute forcers
chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21
log=no log-prefix=""
5 chain=output action=accept protocol=tcp content=530 Login incorrect
dst-limit=1/1m,9,dst-address/1m log=no log-prefix=""
6 chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklis>
address-list-timeout=3h content=530 Login incorrect log=no log-prefix=""
7 ;;; drop ssh brute forcers
chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
log=no log-prefix=""
8 chain=input action=add-src-to-address-list connection-state=new protocol=tcp
src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d
dst-port=22 log=no log-prefix=""
9 chain=input action=add-src-to-address-list connection-state=new protocol=tcp
src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m
dst-port=22 log=no log-prefix=""
10 chain=input action=add-src-to-address-list connection-state=new protocol=tcp
src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m
dst-port=22 log=no log-prefix=""
11 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid protocol=tcp log=no
log-prefix=""
12 ;;; allow already established connections
chain=forward action=accept connection-state=established log=no log-prefix=""
13 ;;; allow related connections
chain=forward action=accept connection-state=related log=no log-prefix=""
14 ;;; Drop "BOGON" Address
chain=forward action=drop src-address=0.0.0.0/8 log=no log-prefix=""
15 chain=forward action=drop dst-address=0.0.0.0/8 log=no log-prefix=""
16 chain=forward action=drop src-address=127.0.0.0/8 log=no log-prefix=""
17 chain=forward action=drop dst-address=127.0.0.0/8 log=no log-prefix=""
18 chain=forward action=drop src-address=224.0.0.0/3 log=no log-prefix=""
19 ;;; jumps to new chains
chain=forward action=jump jump-target=tcp protocol=tcp log=no log-prefix=""
20 chain=forward action=jump jump-target=udp protocol=udp log=no log-prefix=""
21 chain=forward action=jump jump-target=icmp protocol=icmp log=no log-prefix=""
22 ;;; deny TFTP
chain=tcp action=drop protocol=tcp dst-port=69 log=no log-prefix=""
23 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=111 log=no log-prefix=""
24 ;;; deny RPC portmapper
chain=tcp action=drop protocol=tcp dst-port=135 log=no log-prefix=""
25 ;;; deny NBT
chain=tcp action=drop protocol=tcp dst-port=137-139 log=no log-prefix=""
26 ;;; deny cifs
chain=tcp action=drop protocol=tcp dst-port=445 log=no log-prefix=""
27 ;;; deny NFS
chain=tcp action=drop protocol=tcp dst-port=2049 log=no log-prefix=""
28 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=12345-12346 log=no log-prefix=""
29 ;;; deny NetBus
chain=tcp action=drop protocol=tcp dst-port=20034 log=no log-prefix=""
30 ;;; deny BackOriffice
chain=tcp action=drop protocol=tcp dst-port=3133 log=no log-prefix=""
31 ;;; deny DHCP
chain=tcp action=drop protocol=tcp dst-port=67-68 log=no log-prefix=""
32 ;;; deny TFTP
chain=udp action=drop protocol=udp dst-port=69 log=no log-prefix=""
33 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=111 log=no log-prefix=""
34 ;;; deny PRC portmapper
chain=udp action=drop protocol=udp dst-port=135 log=no log-prefix=""
35 ;;; deny NBT
chain=udp action=drop protocol=udp dst-port=137-139 log=no log-prefix=""
36 ;;; deny NFS
chain=udp action=drop protocol=udp dst-port=2049 log=no log-prefix=""
37 ;;; deny BackOriffice
chain=udp action=drop protocol=udp dst-port=3133 log=no log-prefix=""
38 ;;; echo reply
chain=icmp action=accept protocol=icmp icmp-options=0:0 log=no log-prefix=""
39 ;;; net unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:0 log=no log-prefix=""
40 ;;; host unreachable
chain=icmp action=accept protocol=icmp icmp-options=3:1 log=no log-prefix=""
41 ;;; host unreachable fragmentation required
chain=icmp action=accept protocol=icmp icmp-options=3:4 log=no log-prefix=""
42 ;;; allow source quench
chain=icmp action=accept protocol=icmp icmp-options=4:0 log=no log-prefix=""
43 ;;; allow echo request
chain=icmp action=accept protocol=icmp icmp-options=8:0 log=no log-prefix=""
44 ;;; allow time exceed
chain=icmp action=accept protocol=icmp icmp-options=11:0 log=no log-prefix=""
45 ;;; allow parameter bad
chain=icmp action=accept protocol=icmp icmp-options=12:0 log=no log-prefix=""
46 ;;; deny all other types
chain=icmp action=drop log=no log-prefix=""
I don't have any specific rule, can you give me some help to set this thing right?
I cannot see a rule to allow UDP 5060 traffic through the firewall. Can you confirm whether you have added anything allowing VoIP traffic through the firewall?
0 ;;; LAN Traffic
chain=forward action=accept src-address=172.17.0.0/16 dst-address=172.17.0.0/16 log=no log-prefix=""
1 ;;; drop invalid connections
chain=input action=drop connection-state=invalid log=no log-prefix=""
2 ;;; Allow LAN access to router and Internet
chain=input action=accept connection-state=new in-interface=lan-interface log=no log-prefix=""
3 ;;; Allow Established Connections
chain=input action=accept connection-state=established log=no log-prefix=""
4 ;;; Allow connections that originated from LAN
chain=input action=accept connection-state=related log=no log-prefix=""
5 ;;; Allow ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
6 ;;; SSH
chain=input action=accept protocol=tcp dst-port=22 log=no log-prefix=""
7 ;;; WINBOX
chain=input action=accept protocol=tcp dst-port=8291 log=no log-prefix=""
8 ;;; PPTP-VPN
chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
9 ;;; PPTP-VPN
chain=input action=accept protocol=gre log=no log-prefix=""
10 ;;; Drop Traffic from anywhere
chain=input action=drop log=no log-prefix=""
11 ;;; drop invalid connections
chain=forward action=drop connection-state=invalid log=no log-prefix=""
12 ;;; ICMP
chain=forward action=accept protocol=icmp log=no log-prefix=""
13 ;;; FTP-DATA
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=20 log=no log-prefix=""
14 ;;; FTP-DATA
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=20 log=no log-prefix=""
15 ;;; FTP-CONTROL
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=21 log=no log-prefix=""
16 ;;; SSH
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=22 log=no log-prefix=""
17 ;;; Telnet
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=23 log=no log-prefix=""
18 ;;; SMTP
chain=forward action=accept protocol=tcp src-address=172.17.0.126 dst-address=0.0.0.0/0 dst-port=25 log=no log-prefix=""
19 ;;; Incoming SMTP
chain=forward action=accept protocol=tcp dst-address=172.17.0.0/16 dst-port=25 log=no log-prefix=""
20 ;;; DNS
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=53 log=no log-prefix=""
21 ;;; DNS
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=53 log=no log-prefix=""
22 ;;; DNS
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=53 log=no log-prefix=""
23 ;;; HTTP
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=80 log=no log-prefix=""
24 ;;; POP3
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=110 log=no log-prefix=""
25 ;;; NTP
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=123 log=no log-prefix=""
26 ;;; NTP
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=123 log=no log-prefix=""
27 ;;; Microsoft RPC Locator Service
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=135 log=no log-prefix=""
28 ;;; Microsoft RPC Locator Service
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=135 log=no log-prefix=""
29 ;;; Microsoft RPC Locator Service
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=135 log=no log-prefix=""
30 ;;; Netbios
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=139 log=no log-prefix=""
31 ;;; Netbios
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=139 log=no log-prefix=""
32 ;;; Netbios
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=139 log=no log-prefix=""
33 ;;; IMAP
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=143 log=no log-prefix=""
34 ;;; HTTPS
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=443 log=no log-prefix=""
35 ;;; Incoming Outlook Anywhere
chain=forward action=accept protocol=tcp dst-address=172.17.0.0/16 dst-port=443 log=no log-prefix=""
36 ;;; HTTPS
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=443 log=no log-prefix=""
37 ;;; HTTPS
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=443 log=no log-prefix=""
38 ;;; SMTPS
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=465 log=no log-prefix=""
39 ;;; ISAKMP
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=500 log=no log-prefix=""
40 ;;; ISAKMP
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=500 log=no log-prefix=""
41 ;;; ISAKMP
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=500 log=no log-prefix=""
42 ;;; SMTP
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=587 log=no log-prefix=""
43 ;;; IMAPS
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=993 log=no log-prefix=""
44 ;;; POP3S
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=995 log=no log-prefix=""
49 ;;; SMTP
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=2525 log=no log-prefix=""
50 ;;; BlackBerry
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=3101 log=no log-prefix=""
51 ;;; Active Directory
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=3268 log=no log-prefix=""
52 ;;; Incoming Active Directory
chain=forward action=accept protocol=tcp dst-address=172.17.0.0/16 dst-port=3268 log=no log-prefix=""
53 ;;; Viber,whatsapp
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=3478 log=no log-prefix=""
54 ;;; Viber,whatsapp
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=3478 log=no log-prefix=""
55 ;;; Viber,whatsapp
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=4244 log=no log-prefix=""
56 ;;; Liquid Crashplan
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=4282 log=no log-prefix=""
57 ;;; NON500-ISAKMP
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=4500 log=no log-prefix=""
58 ;;; NON500-ISAKMP
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=4500 log=no log-prefix=""
59 ;;; NON500-ISAKMP
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=4500 log=no log-prefix=""
60 ;;; SIP
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5060 log=no log-prefix=""
61 ;;; SIP
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5060 log=no log-prefix=""
62 ;;; SIP
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 dst-port=5060 log=no log-prefix=""
63 ;;; Whatsapp
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5222 log=no log-prefix=""
64 ;;; Whatsapp
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5223 log=no log-prefix=""
65 ;;; Whatsapp
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5228 log=no log-prefix=""
66 ;;; Whatsapp
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5242 log=no log-prefix=""
67 ;;; Viber
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=5243 log=no log-prefix=""
68 ;;; Viber
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=5243 log=no log-prefix=""
71 ;;; HTTP
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=8080 log=no log-prefix=""
72 ;;; SSL
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=8443 log=no log-prefix=""
73 ;;; Viber
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=9785 log=no log-prefix=""
74 ;;; Viber
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=9785 log=no log-prefix=""
75 ;;; VPN
chain=forward action=accept protocol=tcp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=10000 log=no log-prefix=""
76 ;;; VPN
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=10000 log=no log-prefix=""
77 ;;; VPN
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=10000 log=no log-prefix=""
78 ;;; GoodApp
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-address=0.0.0.0/0 dst-port=12000 log=no log-prefix=""
79 ;;; GoodApp
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=12000 log=no log-prefix=""
81 ;;; Whatsapp
chain=forward action=accept protocol=udp src-address=172.17.0.0/16 dst-port=45395 log=no log-prefix=""
82 ;;; Whatsapp
chain=forward action=accept protocol=udp dst-address=172.17.0.0/16 src-port=45395 log=no log-prefix=""
83 ;;; Whatsapp
chain=forward action=accept src-address=172.17.0.0/16 dst-address-list=Whatsapp log=no log-prefix=""
84 ;;; Whatsapp
chain=forward action=accept dst-address=172.17.0.0/16 src-address-list=Whatsapp log=no log-prefix=""
85 chain=input action=accept protocol=ipsec-ah dst-address=224.0.0.18 log=no log-prefix=""
95 ;;; VOIP
chain=forward action=accept src-address=172.17.0.0/16 dst-address=sip-server-ip log=no log-prefix=""
97 ;;; VOIP
chain=forward action=accept src-address=sip-server-ip dst-address=172.17.0.0/16 log=no log-prefix=""
98 ;;; TCP Established
chain=forward action=accept connection-state=established protocol=tcp log=no log-prefix=""
99 ;;; Allow connections originating from Lan
chain=forward action=accept connection-state=related protocol=tcp log=no log-prefix=""
100 chain=forward action=log log=yes log-prefix=""
101 chain=forward action=drop log=no log-prefix=""
The SIP provider says to me: they see the request from my phone, then they ask for the registering but my phone continues to ask... without responding.
Again-
The packet capture showed requests going out but no replies coming back (including on the WAN interface), and since the sniffer sees traffic BEFORE the firewall can take a bite at it, the firewall is NOT dropping replies from the SIP service. They're not making it to you at all.
Ask the SIP provider what IP they're seeing for your registration attempts. If it's anything other than your public IP then there's the problem.
SIP helper is the first thing we have disabled...
It very much looks like a problem with the SIP helper. I had issues like you describe and they completely disappeared once I disabled the SIP helper. I could also solve it by using a different port than 5060 for the phone.
Sorry, I have not read the entire long thread... but did you already try to set a different UDP port number to be used?
SIP helper is the first thing we have disabled...
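The WAN-side check discussed in the thread (REGISTER requests leaving, no replies arriving, and which address the provider is told to answer to) can be run over a SIP capture with a short script. This is an added example, not code from any poster; the capture tuples, the 203.0.113.10 public IP, the Call-ID and the `analyze` helper are constructed for illustration, and only 192.168.1.22 and sip.messagenet.it come from the thread.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_sip(raw):
    """Return (start_line, headers) with header names lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    if not lines:
        return "", {}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return lines[0].strip(), headers

def host_of(value):
    """Host of a Via ("SIP/2.0/UDP host:port") or Contact ("<sip:user@host>")."""
    m = re.search(r"(?:sips?:(?:[^@>\s]*@)?|SIP/2\.0/\w+\s+)([0-9A-Za-z.-]+)", value)
    return m.group(1) if m else None

def is_rfc1918(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return any(addr in net for net in RFC1918)

def analyze(packets, public_ip):
    """packets: (interface, src_ip, raw_sip) tuples in capture order."""
    report = {"unanswered": [], "private_hosts": set(), "wrong_source": set()}
    pending = {}
    for iface, src, raw in packets:
        if iface != "wan":
            continue  # only the WAN side shows what the provider receives
        start, h = parse_sip(raw)
        key = (h.get("call-id"), h.get("cseq"))
        if start.startswith("REGISTER "):
            pending[key] = pending.get(key, 0) + 1
            if src != public_ip:
                report["wrong_source"].add(src)  # masquerade not applied
            for name in ("via", "contact"):
                host = host_of(h.get(name, ""))
                if host and is_rfc1918(host):
                    report["private_hosts"].add((name, host))
        elif start.startswith("SIP/2.0 "):
            pending.pop(key, None)  # any response answers the transaction
    report["unanswered"] = sorted(pending.items())
    return report

def register(cseq):
    # Constructed REGISTER as a NATed phone would send it (SIP helper off).
    return ("REGISTER sip:sip.messagenet.it SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.168.1.22:5060;branch=z9hG4bK%d\r\n"
            "Call-ID: constructed-1@192.168.1.22\r\n"
            "CSeq: %d REGISTER\r\n"
            "Contact: <sip:user@192.168.1.22:5060>\r\n"
            "Content-Length: 0\r\n\r\n" % (cseq, cseq))

PUBLIC_IP = "203.0.113.10"  # constructed placeholder for the router's WAN IP
SAMPLE = [("lan", "192.168.1.22", register(1)), ("wan", PUBLIC_IP, register(1)),
          ("lan", "192.168.1.22", register(2)), ("wan", PUBLIC_IP, register(2))]

if __name__ == "__main__":
    print(analyze(SAMPLE, PUBLIC_IP))
```

Private hosts in Via/Contact on the WAN side mean registration only completes if the provider does NAT traversal; unanswered REGISTERs with an empty `wrong_source` mean the replies are not arriving at the WAN interface at all.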