julianov
newbie
Topic Author
Posts: 32
Joined: Wed Sep 06, 2017 4:04 pm

One way video - PBX

Tue Oct 17, 2017 5:16 pm

Hello All. How are you doing?

I've implemented a PBX with Asterisk in my LAN, but the problem that I'm having is that when there is a video call between a softphone that is in the LAN and one that is in an external network, the MikroTik router RB2011 is filtering the incoming video, not the outgoing. I don't have this problem if the video call is made between softphones that are in the LAN. Also, I don't have a problem with the audio signal, just the video.

As the ISP gives me just one public IP, there is a NAT. This is the firewall nat configuration:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether6
add action=dst-nat chain=dstnat dst-port=5060 protocol=udp to-addresses=\
    100.64.0.99 to-ports=5060
add action=dst-nat chain=dstnat dst-address=100.64.0.0/24 dst-port=10000-20000 \
    protocol=udp src-port=10000-20000 to-addresses=100.64.0.0/24 to-ports=\
    10000-20000
As you can see, the first action is the generic NAT. The second action allows me to establish signaling between the PBX, which is in the LAN, and a softphone which is outside the LAN (without this line the connection is not established).

And the last line is an attempt to allow the incoming video stream, but it's not working. You can see here that the private IP pool is 100.64.0.0/24 and the ports for RTP packets are random within the port range 10000-20000 (this is an Asterisk characteristic). I can change the port range, but for every call I need 2 RTP ports, and if there is a video stream, 4 ports for every 2 softphones which establish a video call. The RTP port range 10000-20000 is a standard in Asterisk.
Also, the MikroTik port which is connected to the public network is ether6 and the port that connects the LAN is ether2; there is a switch configuration with the ports ether1, ether3, ether4 and ether5 with ether2 as master-port.

How must I configure the NAT? What am I missing?

Best regards.
 
bramwittendorp
Frequent Visitor
Posts: 96
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: One way video - PBX

Tue Oct 17, 2017 5:24 pm

I'm not sure your problem lies in the NAT policy. Are you allowing incoming traffic through your firewall on the given ports? A good NAT translation doesn't mean the traffic is actually entering your network.
Bram - MikroTik enthusiast - MTCNA / MTCRE / MTCWE / MTCIPv6E
Don't be shy, share your /export hide-sensitive and make sure to read this.
 
julianov
newbie
Topic Author
Posts: 32
Joined: Wed Sep 06, 2017 4:04 pm

Re: One way video - PBX

Tue Oct 17, 2017 8:24 pm

Thanks for the reply.

Well, first I tried with these rules:
/ip firewall filter
add action=accept chain=input port=22,8291,80,443 protocol=tcp
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=ether6
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface=ether6
add action=accept chain=forward dst-port=10000-20000 protocol=udp src-port=\
    10000-20000


There you can see that there is a chain=forward rule with action accept in the last line, and it takes care of those ports. But it doesn't fix the problem.
 
julianov
newbie
Topic Author
Posts: 32
Joined: Wed Sep 06, 2017 4:04 pm

Re: One way video - PBX

Wed Oct 18, 2017 4:10 am

Just a doubt that I have: defining a port range like this
src-port=10000-20000

Is that sentence fine?
 
Paternot
Long time Member
Posts: 607
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: One way video - PBX

Wed Oct 18, 2017 4:50 am

If I'm not mistaken, the video used is H323 - a "joy" to work with under NAT. I don't remember the caveats, but take a look at the H323 signaling and NAT behavior.
 
julianov
newbie
Topic Author
Posts: 32
Joined: Wed Sep 06, 2017 4:04 pm

Re: One way video - PBX

Wed Oct 18, 2017 7:04 pm

Something that I've noticed is that when the softphone that is in the public network makes a voice call, the communication is established, but just for a few seconds, and then the call gets cut off. That doesn't happen when the softphone in the LAN makes the call.

Is there any documentation about this? The wiki page on Firewall/NAT is not complete for this type of problem.
 
JohnTRIVOLTA
Member Candidate
Posts: 202
Joined: Sun Dec 25, 2016 2:05 pm
Location: BG/Sofia

Re: One way video - PBX

Wed Oct 18, 2017 7:16 pm

Just try this:
/ip fi service-port disable sip,h323
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: One way video - PBX  [SOLVED]

Wed Oct 18, 2017 8:25 pm

add action=accept chain=forward dst-port=10000-20000 protocol=udp src-port=\
    10000-20000
I would leave off the src-port part of that rule. Source ports can be all over the place.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
 
julianov
newbie
Topic Author
Posts: 32
Joined: Wed Sep 06, 2017 4:04 pm

Re: One way video - PBX

Wed Oct 18, 2017 10:49 pm

Thanks, the problem was the src-ports.

Can I ask you a question, k6ccc? Why is that? Is it supposed that the softphones must work in a fixed range of ports?

I found in RFC 768 for UDP:

"Source Port is an optional field, when meaningful, it indicates the port
of the sending process, and may be assumed to be the port to which a
reply should be addressed in the absence of any other information. If
not used, a value of zero is inserted."
 
k6ccc
Member
Posts: 479
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: One way video - PBX

Thu Oct 19, 2017 7:26 am

Thanks, the problem was the src-ports.

Can I ask you a question, k6ccc? Why is that? Is it supposed that the softphones must work in a fixed range of ports?
Very simple. The device that is originating the packet picks a semi-random port number to use for the origination. It will always be a port number that is otherwise not used on that device. High port numbers are normally used.
RB750Gr3, RB750r2, CRS326-24G-2S (in SwitchOS), CSS326-24G-2S, CSS106-5G-1S, RB260GS
Not sure if I beat them in submission, or they beat me into submission


Jim
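
The effect of the src-port matcher discussed in this thread, as an added example that is not part of any forum post: a simplified Python model of how a RouterOS filter rule matches (every matcher in a rule must match), run against constructed packets. The source port 51834, the host 100.64.0.50 and the scoped rule limited to the PBX address 100.64.0.99 are assumptions for illustration.

```python
import ipaddress

def parse_rule(text):
    """Turn a RouterOS-style 'add key=value ...' line into a dict of matchers."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)

def in_range(spec, port):
    """True if port falls inside a 'lo-hi' range or equals a single port."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate(rule_text, pkt):
    """Simplified model: a rule matches only if ALL of its matchers match."""
    rule = parse_rule(rule_text)
    if "protocol" in rule and rule["protocol"] != pkt["protocol"]:
        return False
    if "src-port" in rule and not in_range(rule["src-port"], pkt["sport"]):
        return False
    if "dst-port" in rule and not in_range(rule["dst-port"], pkt["dport"]):
        return False
    if "dst-address" in rule:
        net = ipaddress.ip_network(rule["dst-address"])
        if ipaddress.ip_address(pkt["dst"]) not in net:
            return False
    return True

# Rule as posted in the thread, the fix (src-port removed), and a tighter
# variant scoped to the PBX address (assumption, not from the thread).
THREAD_RULE = ("add action=accept chain=forward dst-port=10000-20000 "
               "protocol=udp src-port=10000-20000")
FIXED_RULE = "add action=accept chain=forward dst-port=10000-20000 protocol=udp"
SCOPED_RULE = ("add action=accept chain=forward dst-address=100.64.0.99 "
               "dst-port=10000-20000 protocol=udp")

# Constructed packets, as seen in the forward chain after dst-nat.
LAN_RTP = {"protocol": "udp", "sport": 14002, "dport": 12000, "dst": "100.64.0.99"}
# Remote softphone: its own NAT or OS picked an arbitrary source port.
REMOTE_RTP = {"protocol": "udp", "sport": 51834, "dport": 12002, "dst": "100.64.0.99"}
# Same port range, but aimed at a different LAN host.
OTHER_HOST = {"protocol": "udp", "sport": 51834, "dport": 15000, "dst": "100.64.0.50"}

if __name__ == "__main__":
    for name, rule in [("thread", THREAD_RULE), ("fixed", FIXED_RULE),
                       ("scoped", SCOPED_RULE)]:
        print(name, [evaluate(rule, p) for p in (LAN_RTP, REMOTE_RTP, OTHER_HOST)])
```

Dropping src-port lets the remote stream through; adding dst-address keeps the opened 10000-20000 range from reaching hosts other than the PBX.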
