SteveDanger

Firewall rules allowing specific ports outbound

Wed Jul 12, 2017 11:31 pm

Hello,
I am very new to Mikrotik and would like some help with a basic firewall config. I am an outside contractor managing a network set up by someone else, and the company that set up their phones has made a request to me. Please see the request below (IP addresses have been omitted for privacy) and help me with the best way to set up these rules. I tried reading on how to do this and I wasn't quite sure I understood it correctly, so I turn to you kind people to point me in the right direction.

"Please allow all outbound traffic for the following ports to the following IP's

a.a.a.a (omitted)
b.b.b.b (omitted)

TCP ports:
TCP ports 80, 443, 8001 (for web UI)
TCP port 3306 (open from any server on a different network)
TCP port 5060 (SIP TCP)
TCP port 5061 (TLS)

UDP ports:
UDP port 5060 (for SIP signaling)
UDP ports 20000-27999 (for SIP RTP)

UDP/TCP ports:
21 (FTP Control)
69 (Trivial File Transfer Protocol (TFTP) )

For their paging to work we require Multicast address 224.0.2.60:50001 to be allowed, and are using codec g7.22"

From what I have read I thought I would make a rule on the forward chain but not sure if it should be a different chain?

When I'm making a rule and need to lock it down to certain destination ports, do I have to make separate rules for multiple ports, or can I create a group of ports or 'service' and reference that service as the destination port(s)?

Same question for destination IP: can I make an address object that contains both IP addresses and reference the address object instead of making separate rules for each IP? And where should I put this rule in terms of priority/order?

As for the multicast rule I'm clueless on that one. Any and all help is appreciated as these devices are so new to me.
Thanks in advance
Van9018

Re: Firewall rules allowing specific ports outbound

Thu Jul 13, 2017 3:21 am

It says "Outbound" firewall. By default Mikrotik doesn't have an outbound firewall. It's not common for a company network to have outbound firewall rules applied; maybe banks and institutions with full-time I.T. departments. You can read the rules under IP > Firewall, click the Filters tab.

If one is enabled on that Mikrotik, I'd merely create a rule stating all outbound and inbound connections to/from the IP of the phone company are allowed. Rules are processed top to bottom, so your allow rules should be above the deny rules.

As for Port Forwarding, Mikrotik includes a NAT helper for VoIP. So NO port forwarding for VoIP is required.

Is the PBX internal? If so, don't worry about the multicast for paging. It should just work. If the PBX is external, I don't know how they expect multicasting to work over the internet.

In firewall rules, and NAT rules, you can specify a list and range of ports in a rule. Such as 21, 5000-6000. IPs can have a range such as 192.168.88.0-192.168.88.254 (or 192.168.88.0/24)

When I install a phone system (pbx internal rather than hosted pbx) and the gateway router is a Mikrotik, there is truly nothing to configure for VoIP to work.

What is the issue with your phones?
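The address list, comma-separated port lists, port ranges and top-to-bottom rule order described in the reply above, applied to the request in the first post, as an added RouterOS CLI example that is not from either poster. It assumes the LAN side is the interface list named LAN (the default-config name on current RouterOS), and it uses the RFC 5737 documentation addresses 203.0.113.10 and 203.0.113.11 as stand-ins for the omitted a.a.a.a and b.b.b.b; both must be replaced with the real provider addresses before use.

```routeros
# Added example, not from the thread. Assumptions: LAN-side interfaces are in the
# interface list "LAN"; 203.0.113.10/11 are placeholders for the omitted a.a.a.a / b.b.b.b.

# One address list holds both provider IPs, so each rule references the list
# instead of being duplicated per address.
/ip firewall address-list
add list=phone-provider address=203.0.113.10 comment="PBX a.a.a.a (placeholder)"
add list=phone-provider address=203.0.113.11 comment="PBX b.b.b.b (placeholder)"

# Forward chain: LAN -> router -> provider. dst-port takes a comma-separated
# list of ports and ranges, so one rule per protocol covers the whole request.
/ip firewall filter
add chain=forward action=accept connection-state=established,related \
    comment="replies to connections already accepted below"
add chain=forward action=accept in-interface-list=LAN protocol=tcp \
    dst-address-list=phone-provider dst-port=80,443,8001,3306,5060,5061,21,69 \
    comment="PBX: web UI, 3306, SIP TCP/TLS, FTP, TFTP"
add chain=forward action=accept in-interface-list=LAN protocol=udp \
    dst-address-list=phone-provider dst-port=5060,20000-27999,21,69 \
    comment="PBX: SIP UDP, RTP 20000-27999, FTP, TFTP"
# Rules are evaluated top to bottom, so a deny belongs LAST and only if an
# outbound policy is actually wanted: this one drops every other LAN-to-WAN
# connection, not just phone traffic.
add chain=forward action=drop in-interface-list=LAN \
    comment="outbound deny (omit unless this is the intended policy)"

# Paging to 224.0.2.60:50001 between phones on one bridged LAN segment never
# reaches the forward chain (bridged traffic only hits the IP firewall with
# /interface bridge settings use-ip-firewall=yes), so no rule is needed for it.

# Checks: confirm the final order, and that the SIP helper the reply relies on
# is enabled (the "sip" entry in the service-port list).
/ip firewall filter print
/ip firewall service-port print
```

If the router has no outbound deny, as the reply says is the usual case, the two accept rules change nothing and can be left out; add them only together with the drop at the bottom, and verify with `/ip firewall filter print` that the accepts sit above it.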
