bigguns

Not so simple 5060 UDP port issue. Firewall working, but...

Wed May 26, 2010 9:17 pm

HI there,

I'm not sure what I've done, but I seem to have messed up my firewall and I can't get my ports to work correctly.

Could someone take a look, please? I've done something stupid and I just can't see it.

[admin@MikroTik] /ip firewall service-port> print
Flags: X - disabled, I - invalid
# NAME PORTS
0 ftp 21
1 tftp 69
2 irc 6667
3 h323
4 sip 5060
5061
5 pptp
[admin@MikroTik] /ip firewall service-port> /
[admin@MikroTik] > ip firewall export
# may/26/2010 20:16:39 by RouterOS 4.9
# software id = 5E9K-MKY7
#
# Firewall export (RouterOS 4.9). Rule order within a chain is significant: the first
# terminating rule (accept/drop) that matches decides the packet's fate.
/ip firewall address-list
# NOTE(review): 192.168.1.0/24 is listed twice (first and third entry); the duplicate is harmless but redundant.

add address=192.168.1.0/24 comment="" disabled=no list=lan_list
add address=192.168.0.0/24 comment="" disabled=no list=lan_list
add address=192.168.1.0/24 comment="" disabled=no list=lan_list
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
udp-timeout=10s
/ip firewall filter
# All rules below are chain=input (traffic addressed to the router itself) or chain=output.
# There is no chain=forward rule in this export, so traffic that the dstnat rules redirect to the
# PBX is never filtered: every dst-nat'ed port is reachable from any ingress interface. The input
# chain does not gate forwarded traffic, which is why "the firewall" looks fine while the PBX is exposed.
# Invalid-state logging is present but disabled (disabled=yes); the matching drop is further down.
add action=log chain=input comment="log invalid connections" connection-state=invalid disabled=yes log-prefix=INVALID
add action=accept chain=input comment="accept established connections" connection-state=established disabled=no
add action=accept chain=input comment="accept related connections" connection-state=related disabled=no
# Only lan_list and trusted_list sources are accepted for new connections to the router; everything
# else falls through to the final "drop everything else" rule.
add action=accept chain=input comment="accept hosts from lan" disabled=no src-address-list=lan_list
add action=accept chain=input comment="accept hosts from trusted list" disabled=no src-address-list=trusted_list
# Two-stage port knock: a TCP SYN to the stage-1 port puts the source in knock_list for 15s; a SYN
# to the stage-2 port while listed grants trusted_list for 15m. XXXXXXX is the poster's redaction,
# so a real port number belongs here before this export can be imported.
add action=add-src-to-address-list address-list=trusted_list address-list-timeout=15m chain=input comment="port knock stage 2" disabled=no dst-port=XXXXXXX \
protocol=tcp src-address-list=knock_list
add action=add-src-to-address-list address-list=knock_list address-list-timeout=15s chain=input comment="port knock stage 1" disabled=no dst-port=XXXXXXX \
protocol=tcp
# FTP brute-force handling: blacklisted sources are dropped on port 21; the two chain=output rules
# let a limited number of "530 Login incorrect" replies per destination through and, once that
# dst-limit is exceeded, add the destination to ftp_blacklist for 3h.
add action=drop chain=input comment="Drop FTP Brute Forcers" disabled=no dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="" content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/2m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment="" content="530 Login incorrect" disabled=no \
protocol=tcp
# SSH brute-force handling: each new connection to port 22 advances the source through
# ssh_stage1 -> ssh_stage2 -> ssh_stage3 (1m each); a source still in ssh_stage3 on its next new
# connection is added to ssh_blacklist for 1w3d and dropped by the rule above them. The
# add-src-to-address-list rules do not terminate, so the packet still continues down the chain.
add action=drop chain=input comment="Drop SSH Brute Forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=22 \
protocol=tcp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="" connection-state=new disabled=no dst-port=\
22 protocol=tcp src-address-list=ssh_stage3
add action=drop chain=input comment="drop invalid connections" connection-state=invalid disabled=no
add action=drop chain=input comment="drop everything else" disabled=no
/ip firewall mangle
# Policy routing: each LAN subnet gets its own routing mark (dual-WAN setup, see the two masquerade rules).
add action=mark-routing chain=prerouting comment="Network 192.168.0.0/24" disabled=no new-routing-mark=first passthrough=yes src-address=192.168.0.0/24
add action=mark-routing chain=prerouting comment="Network 192.168.1.0/24" disabled=no new-routing-mark=second passthrough=yes src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT outbound traffic through ether1" disabled=no out-interface=ether1 src-address-list=lan_list
add action=masquerade chain=srcnat comment="NAT outbound traffic through ether2" disabled=no out-interface=ether2 src-address-list=lan_list
# Port forwards to the 3CX PBX at 192.168.0.200. None of them carries in-interface= or dst-address=,
# so they match on every ingress interface (LAN included), not just the WAN side; restricting them
# to the WAN interface or WAN address (ether1/ether2 per the masquerade rules above) is the usual fix.
# NOTE(review): the port-80 rule below is the only one without to-addresses=, so unlike the others
# it does not redirect to the PBX — it only rewrites the port on a packet that is still addressed to
# the router. Presumably to-addresses=192.168.0.200 was intended; confirm.
add action=dst-nat chain=dstnat comment=HTTPserver-PBX disabled=no dst-port=80 protocol=tcp to-ports=80
# Exposure note: the forwarded set includes the 3CX management console (5000/5481), the PostgreSQL
# database (5480) and inter-process port (5482) as listed in the poster's port table. Those are
# ports the PBX listens on, not ports that need to be reachable from the internet; with no forward
# chain filtering in this export they are open to any source.
add action=dst-nat chain=dstnat comment=Cassini-PBX disabled=no dst-port=5000 protocol=tcp to-addresses=192.168.0.200 to-ports=5000
add action=dst-nat chain=dstnat comment=SIP-PBX disabled=no dst-port=5060 protocol=udp to-addresses=192.168.0.200 to-ports=5060
add action=dst-nat chain=dstnat comment=Tunnel-PBX disabled=no dst-port=5080 protocol=tcp to-addresses=192.168.0.200 to-ports=5080
add action=dst-nat chain=dstnat comment=Tunnel2-PBX disabled=no dst-port=5081 protocol=tcp to-addresses=192.168.0.200 to-ports=5081
add action=dst-nat chain=dstnat comment=TunnelSrv-PBX disabled=no dst-port=5090 protocol=tcp to-addresses=192.168.0.200 to-ports=5090
add action=dst-nat chain=dstnat comment=FaxSrv-PBX disabled=no dst-port=5100 protocol=udp to-addresses=192.168.0.200 to-ports=5100
add action=dst-nat chain=dstnat comment=PhoneDB-PBX disabled=no dst-port=5480 protocol=tcp to-addresses=192.168.0.200 to-ports=5480
add action=dst-nat chain=dstnat comment=CassiniRM-PBX disabled=no dst-port=5481 protocol=tcp to-addresses=192.168.0.200 to-ports=5481
# NOTE(review): comment=PhoneDB-PBX is reused for 5480 and 5482, and FaxSrv-PBX for 5100 and 10000;
# distinct comments make the log and rule list easier to audit.
add action=dst-nat chain=dstnat comment=PhoneDB-PBX disabled=no dst-port=5482 protocol=tcp to-addresses=192.168.0.200 to-ports=5482
add action=dst-nat chain=dstnat comment=IVR-PBX disabled=no dst-port=5484 protocol=tcp to-addresses=192.168.0.200 to-ports=5484
add action=dst-nat chain=dstnat comment=ConfServer-PBX disabled=no dst-port=5485 protocol=tcp to-addresses=192.168.0.200 to-ports=5485
add action=dst-nat chain=dstnat comment=AsstServer-PBX disabled=no dst-port=5486 protocol=udp to-addresses=192.168.0.200 to-ports=5486
# RTP ranges: the poster's table describes 7000-7499 as the LAN-side media range and 9000-9049 as
# the WAN-side range; forwarding both from the internet is wider than the table implies is needed.
add action=dst-nat chain=dstnat comment=RTPports-PBX disabled=no dst-port=7000-7499 protocol=udp to-addresses=192.168.0.200 to-ports=7000-7499
add action=dst-nat chain=dstnat comment=RTPMedia-PBX disabled=no dst-port=9000-9049 protocol=udp to-addresses=192.168.0.200 to-ports=9000-9049
add action=dst-nat chain=dstnat comment=FaxSrv-PBX disabled=no dst-port=10000 protocol=udp to-addresses=192.168.0.200 to-ports=10000
add action=dst-nat chain=dstnat comment=OrbitParkSIP-PBX disabled=no dst-port=40000 protocol=udp to-addresses=192.168.0.200 to-ports=40000
add action=dst-nat chain=dstnat comment=OrbitParkRTP-PBX disabled=no dst-port=40010-40138 protocol=udp to-addresses=192.168.0.200 to-ports=40010-40138
add action=dst-nat chain=dstnat comment=ConSrv-PBX disabled=no dst-port=40300 protocol=udp to-addresses=192.168.0.200 to-ports=40300
add action=dst-nat chain=dstnat comment=ConPl-PBX disabled=no dst-port=40310-40438 protocol=udp to-addresses=192.168.0.200 to-ports=40310-40438
add action=dst-nat chain=dstnat comment=IVRSIP-PBX disabled=no dst-port=40600 protocol=udp to-addresses=192.168.0.200 to-ports=40600
add action=dst-nat chain=dstnat comment=IVRRTP-PBX disabled=no dst-port=40610-40866 protocol=udp to-addresses=192.168.0.200 to-ports=40610-40866

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
# The SIP helper (ALG) is active on 5060,5061. It rewrites SIP headers and opens RTP pinholes on
# the router's behalf, which is a frequent cause of failed registrations and one-way audio when a
# PBX behind dst-nat already handles NAT itself. Disabling it (`set sip disabled=yes`) is a
# standard troubleshooting step for the registration problem described in this thread.
set sip disabled=no ports=5060,5061
set pptp disabled=no
[admin@MikroTik] >
Last edited by bigguns on Thu May 27, 2010 6:44 pm, edited 1 time in total.
 
bigguns
Member Candidate
Member Candidate
Topic Author
Posts: 238
Joined: Thu Apr 01, 2010 9:03 am

Re: Having issues with getting 5060 UDP port to work with VO

Wed May 26, 2010 9:18 pm

Trying to map these ports :

TCP:80 … If 3CX is installed for IIS, this is the default port number to reach the 3CX Management Console (http://<ip_of_pbx>/management) and the 3CX MyPhone Interface (http://<ip_of_pbx>/myphone)
TCP:5000 If 3CX is installed for Cassini, this is the default port number to reach the 3CX MyPhone Interface (http://<ip_of_pbx>:5000)
UDP:5060 3CX Phonesystem (SIP)
UDP&TCP:5080
UDP&TCP:5081
etc. Listener for the 3CX Tunnel Protocol for bridge connections. Each tunneled bridge connection binds to a port number incrementally.
UDP&TCP:5090 3CX Tunnel Tunnel
UDP:5100 3CX Fax Receiving Service (SIP)
TCP:5480 3CX PhoneSystem Database Server (PostgreSQL)
TCP:5481 If 3CX is installed for Cassini, this is the default port number to reach the 3CX Management Console (http://<ip_of_pbx>:5481)
TCP:5482 3CX PhoneSystem for inter-process communications
TCP:5484 3CX IVR vXML Server (both IIS and Cassini install scenarios)
TCP:5485 3CX Configuration Server
UDP:5486 3CX Assistant Server
UDP:7000-7499 Default Range of ports for RTP Media Exchange with devices on the LAN (typically internal extensions, gateways, tunneled connections)
UDP:9000-9049 Default Range of ports for RTP Media Exchange with devices on the WAN (typically voip providers, external extensions)
UDP:10000 3CX FAX Receiving Service for T.38 UDPTL traffic
UDP:40000 3CX Parking Orbit Service (SIP)
UDP:40010-40138 3CX Parking Orbit Service (RTP)
UDP:40300 3CX Conference place Service (SIP)
UDP:40310-40438 Conference place Service (RTP)
UDP:40600 3CX IVR Service (SIP)
UDP:40610-40866



Edit:

OK, for some reason the ports 'seem' to be working, but I'm unable to register with my VoIP provider, which uses 5060.
And on my internal extensions I'm getting one-way audio.

Update - internal audio issues have now been fixed (this was an issue with the SIP phones rather than anything else).
But registration with the SIP provider is still not working.

Any help on this would be great.
 

Re: Not so simple 5060 UDP port issue. Firewall working, but

Thu May 27, 2010 9:19 pm

I just managed to get this working!
But to be honest I am not sure how I did it. Basically my firewall was set up on the ports mentioned in the guide, but now I have full NAT to the PBX (every port). I would be grateful if someone could explain why this worked when the other rules didn't.

It has registered now, and the firewall checker result is still the same.

Just for information, the full NAT rules are:

# 1:1 ("full") NAT: every port on INTERNAL IP becomes reachable from anything that can reach
# EXTERNAL IP — including the 3CX database (5480), inter-process (5482) and management
# (80/5000/5481) ports from the port table above, not only SIP/RTP. This is a wider exposure than
# the per-port dst-nat rules it replaced; pair it with chain=forward filter rules that limit what
# may reach INTERNAL IP (e.g. SIP/RTP only from the provider's addresses).
# EXTERNAL IP / INTERNAL IP are the poster's placeholders; real addresses are needed to import this.
add action=dst-nat chain=dstnat comment=\
"Full NAT - rule allowing access to the internal server from external network" disabled=\
no dst-address=EXTERNAL IP to-addresses=INTERNAL IP
# Reverse direction: packets originating from INTERNAL IP leave with EXTERNAL IP as their source
# (rather than the masquerade address), so the provider always sees one consistent address.
# NOTE(review): the stray "0" after INTERNAL IP looks like a paste artifact — confirm against the router.
add action=src-nat chain=srcnat comment="Full NAT 2 - rules allowing the internal server to ta\
lk to the outer networks having its source address " disabled=no src-address=\
INTERNAL IP 0 to-addresses=EXTERNAL IP
