
 
luke
just joined
Topic Author
Posts: 4
Joined: Mon Oct 31, 2011 6:32 am

SIP ALG vs SIP Helper

Mon Oct 31, 2011 6:39 am

Hi,
A VoIP technician asked me to turn off SIP ALG in my RouterBoard RB750. Unfortunately, I have no idea what that is, so I researched it & the closest thing I could find was the SIP Helper. First question: are they the same thing? Second question: to turn off SIP Helper (assuming that's what I'm supposed to do), do I just disable the SIP entry under Service Ports in the Firewall page?

Thanks.
Luke.
 
itcoresys
newbie
Posts: 26
Joined: Mon Oct 03, 2011 7:14 am

Re: SIP ALG vs SIP Helper

Mon Oct 31, 2011 7:50 pm

Usually SIP ALG refers to B2BUA (Back to Back User Agent).

I don't think it's related to the firewall service SIP, which is a helper, not a B2BUA.

Sonicwalls, Cisco ASAs, Motorola Cable Modem/Routers, Cisco Small Business (Linksys) routers, all have SIP ALG. Sonicwall in particular calls theirs "SIP Transformations" which usually spells disaster for most proprietary SIP phone systems.

Others like the one present in the Cisco Small Business/Linksys can't be turned off.

I'm new to Mikrotik so I can't yet comment on it except that my Allworx SIP phone system works fine through it, and my Allworx dies with SIP ALG turned on.
 
JJCinAZ
Member
Posts: 473
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Re: SIP ALG vs SIP Helper

Tue Nov 01, 2011 8:34 am

Yes, the VoIP technician is referring to the SIP Helper. Disable it with the command:
/ip firewall service-port disable sip
 
luke
just joined
Topic Author
Posts: 4
Joined: Mon Oct 31, 2011 6:32 am

Re: SIP ALG vs SIP Helper

Wed Nov 02, 2011 12:27 am

> Yes, the VoIP technician is referring to the SIP Helper. Disable it with the command:
> /ip firewall service-port disable sip

Thanks, guys! Just out of curiosity, is that command the same as disabling it in the Service Ports tab on the Firewall page of WinBox?
 
JJCinAZ
Member
Posts: 473
Joined: Fri Oct 22, 2004 8:03 am
Location: Tucson, AZ

Re: SIP ALG vs SIP Helper

Wed Nov 02, 2011 1:27 am

Yes, it's the same.
 
otgooneo
Trainer
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: SIP ALG vs SIP Helper

Wed Nov 02, 2011 7:25 am

Hi all, I am always interested in NAT helpers. How do they work in the background? What exactly is the mechanism?
----------------------------
Want to learn more and more...
 
Openet
just joined
Posts: 1
Joined: Fri Apr 19, 2013 4:18 am

Re: SIP ALG vs SIP Helper

Wed Apr 24, 2013 8:04 am

Does anyone have information on how the SIP helper works for the Mikrotik products?
 
CblP
newbie
Posts: 29
Joined: Mon Mar 25, 2013 11:05 am

Re: SIP ALG vs SIP Helper

Mon Apr 29, 2013 1:23 pm

I think it catches SIP messages on configured ports and changes local IPs to public mapping in Contact, Via etc.
Also it changes the media address in SDP, so, you don't have to worry about STUN etc.
However, it doesn't help with incoming media streams, so, you have to fix a port range for RTP on your SIP client and dst-nat it to client
 
mennowz
Trainer
Posts: 84
Joined: Tue Apr 09, 2013 8:50 pm
Location: The Netherlands

Re: SIP ALG vs SIP Helper

Mon Apr 29, 2013 4:54 pm

> I think it catches SIP messages on configured ports and changes local IPs to public mapping in Contact, Via etc.
> Also it changes the media address in SDP, so, you don't have to worry about STUN etc.
> However, it doesn't help with incoming media streams, so, you have to fix a port range for RTP on your SIP client and dst-nat it to client

Yep.. correct :) , but helper usually breaks more than it fixes.

You shouldn't have to open RTP ports, the firewall should 'see' that the packets are RELATED and it will open up the ports as needed.

Bye!

Menno
Certified Mikrotik trainer in the BeNeLux!. http://www.mikrotiktraining.nl
 
CblP
newbie
Posts: 29
Joined: Mon Mar 25, 2013 11:05 am

Re: SIP ALG vs SIP Helper

Mon Apr 29, 2013 10:48 pm

> helper usually breaks more than it fixes.
> Menno

Do you have an example? I have tested this thoroughly some time ago, and found only 1 problem with it, which I will disclose later if it is different from yours :) Just curious to see if I missed something.
In general, it works fine for me, no major issues.
 
otgooneo
Trainer
Posts: 570
Joined: Tue Dec 01, 2009 3:24 am
Location: Mongolia

Re: SIP ALG vs SIP Helper

Thu May 02, 2013 4:06 pm

I never had a problem when the SIP helper is enabled. I solved a VoIP issue using ROS with the SIP helper, when a Watchguard X550 could not do it.
----------------------------
Want to learn more and more...
 
NathanA
Forum Veteran
Posts: 793
Joined: Tue Aug 03, 2004 9:01 am

Re: SIP ALG vs SIP Helper

Fri May 10, 2013 8:44 am

Many (most?) routers that have built-in SIP ALG/helper have a crap one, but the one built into RouterOS (which I suspect is probably very similar to the one that comes with the Linux kernel, if not the same) has always functioned just fine for me, both in testing as well as in the field.

-- Nathan
 
awacenter
Member Candidate
Posts: 198
Joined: Thu Dec 09, 2004 12:58 pm
Location: Castellón

Re: SIP ALG vs SIP Helper

Mon May 11, 2015 3:47 pm

Very useful.
I do not know about this SIP feature in MT config.
 
marrold
Member
Posts: 406
Joined: Wed Sep 04, 2013 10:45 am

Re: SIP ALG vs SIP Helper

Mon May 11, 2015 3:54 pm

> > helper usually breaks more than it fixes.
> > Menno
>
> do you have an example? I have tested this thoroughly some time ago, and found only 1 problem with it, which I will disclose later if it is different from yours :) Just curious to see if I missed something.
> In general, it works fine for me, no major issues

Off the top of my head I can think of a good example where SIP ALG has caused issues. However this wasn't on a Mikrotik product.

The ALG was changing private IPs to the public IP in the SIP and SDP messages, but it wasn't updating the content length, so the packets were being rejected by a strict SIP proxy.

SIP ALG is often poorly coded, probably by someone with little understanding of SIP, which is why it can cause issues.
I'm a SIP / VoIP engineer. Feel free to ask questions...
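
The rewriting described in this thread (private address replaced in Via, Contact and SDP) and the stale Content-Length failure from the post above, as an added example that is not from any poster and is not RouterOS code. The INVITE, the addresses and all function names are constructed for illustration; the check accepts `l`, the compact form of Content-Length in RFC 3261.

```python
import re

PRIVATE, PUBLIC = "192.168.88.10", "203.0.113.7"  # constructed addresses

def build_invite(addr):
    """Constructed INVITE with an SDP body and a correct Content-Length."""
    sdp = ("v=0\r\n"
           f"o=- 1 1 IN IP4 {addr}\r\n"
           "s=-\r\n"
           f"c=IN IP4 {addr}\r\n"
           "t=0 0\r\n"
           "m=audio 16384 RTP/AVP 0\r\n")
    head = ("INVITE sip:200@example.com SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {addr}:5060;branch=z9hG4bKconstructed\r\n"
            "From: <sip:100@example.com>;tag=1\r\n"
            "To: <sip:200@example.com>\r\n"
            "Call-ID: constructed-1\r\n"
            "CSeq: 1 INVITE\r\n"
            f"Contact: <sip:100@{addr}:5060>\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n")
    return (head + "\r\n" + sdp).encode("ascii")

def content_length_ok(msg):
    """Strict-proxy check: declared Content-Length must equal the body size."""
    head, _, body = msg.partition(b"\r\n\r\n")
    m = re.search(rb"(?im)^(?:Content-Length|l)[ \t]*:[ \t]*(\d+)[ \t]*\r?$", head)
    return m is not None and int(m.group(1)) == len(body)

def rewrite_addresses_only(msg):
    """Faulty rewrite: swap the address everywhere, leave Content-Length alone."""
    return msg.replace(PRIVATE.encode(), PUBLIC.encode())

def rewrite_and_fix_length(msg):
    """Same rewrite, then recompute Content-Length from the rewritten body."""
    head, _, body = rewrite_addresses_only(msg).partition(b"\r\n\r\n")
    head = re.sub(rb"(?im)^(Content-Length[ \t]*:[ \t]*)\d+",
                  lambda m: m.group(1) + str(len(body)).encode(), head)
    return head + b"\r\n\r\n" + body

if __name__ == "__main__":
    original = build_invite(PRIVATE)
    for name, msg in [("original", original),
                      ("addresses only", rewrite_addresses_only(original)),
                      ("length fixed", rewrite_and_fix_length(original))]:
        print(f"{name:15} Content-Length valid: {content_length_ok(msg)}")
```

The two addresses differ in length on purpose: a rewrite between addresses of equal length leaves the body size unchanged and hides the defect.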
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: SIP ALG vs SIP Helper

Mon May 11, 2015 5:11 pm

> SIP ALG is often poorly coded, probably by someone with little understanding of SIP, which is why it can cause issues.

Not only that, but the RFC is somewhat open to interpretation (at least that's what the engineers at a couple of different SIP vendors I've spoken with have told me) because the protocol is so generic. (it started the whiteboard for the old MSN messenger client, for instance)

In general, you want one and only one device doing the NAT workaround. If there are multiple then things can slowly drift into the unusual. (I call it "haunted phones"). For instance, our SIP gateway recognized phones behind NAT, and allowed for "short circuit" if two phones on the same virtual PBX wanted to call "extension-to-extension" and it could see they were behind the same NAT, it would direct them to use each other's private IP as the media address. However, an ALG would see this SIP message telling the phone to use a private IP as the media address, and alter the message to some other IP (the sip gw, or the router itself) and that would break the audio... the SIP gw really did intend for the phone to send its media to a private IP, but the ALG thought it was being helpful by obscuring this in the messages by the time they reached the phones.....

Other times, some endpoints would think they were registered and the server would think they were dead. Sometimes the phone would ring and when the person hits answer, nothing happens, it keeps ringing, or they hear fast busy when they pick up, but the caller still hears ringback.....

Basically you only want ALG if you have SIP clients behind it that are not configured to work around NAT, and they're talking to other simple SIP endpoints that are also not trying to work around NAT.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
chechito
Forum Guru
Posts: 1651
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: SIP ALG vs SIP Helper

Tue May 12, 2015 6:31 am

sip + nat = problems
 
timo38
just joined
Posts: 9
Joined: Tue Mar 03, 2015 6:13 am

Re: SIP ALG vs SIP Helper

Tue May 12, 2015 9:44 am

Hi,
> A VoIP technician asked me to turn off SIP ALG in my RouterBoard RB750. Unfortunately, I have no idea what that is Do I just disable the SIP entry under Service Ports in the Firewall page?
> Thanks.
> Luke.

There is a lot of confusion about sip alg. As far as I can tell it has nothing to do with the sip entry in service ports. These are the ports that the MT is listening on for incoming Invites.
Sip alg is a setting in your gateway router (assuming you are not running pppoe in the MT).
It works a bit like stun and replaces your private addrs in sip pkts with the public one of your router. This can fool your voip provider into thinking the sip client is not behind a nat so the audio port in your SDP is used by the voip provider for rtp. If your sip client is behind a nat the nat may translate your local port to a different public port and one way audio can occur.
By leaving a local private addr in the sip pkt the voip provider knows you are behind a nat so can ignore the sdp port and wait for the first few pkts of rtp to arrive and then knows the public port these are coming from and sends rtp to this port. Not all voip providers are fooled by this but it is always best to disable it in your router to be on the safe side.
 
waleeed00
just joined
Posts: 1
Joined: Wed Mar 16, 2016 10:21 am

Re: SIP ALG vs SIP Helper

Wed Mar 16, 2016 10:23 am

I have tested this thoroughly some time ago, and found only 1 problem with it, which I will disclose later if it is different from yours :) Just curious to see if I missed something.
 
mpreissner
Member
Posts: 356
Joined: Tue Mar 11, 2014 11:16 pm
Location: Columbia, MD

Re: SIP ALG vs SIP Helper

Wed Mar 16, 2016 12:45 pm

Personally, I like deploying SBCs instead of enabling SIP ALGs on routers. Of course, this requires multiple public IPs, which are not cheap. For the time being, I simply don't expose my VoIP system directly to the Internet. All my extensions are internal, or routed through VPN into my network, so no unencrypted RTP exists outside my network. I'm debating whether to even bother with an SBC, though, or just use SIP-TLS and SRTP.
Michael Preissner
CISSP, CCSP, CEH, PMP
 
pennytone
just joined
Posts: 19
Joined: Wed Oct 09, 2013 10:50 pm
Location: USA

Re: SIP ALG vs SIP Helper

Tue May 30, 2017 8:37 pm

I just gave a presentation on SIP ALG at the Mikrotik MUM in Denver, Colorado 2017 explaining everything about SIP ALG in RouterOS.
Watch here:
https://youtu.be/tM7wyKdnIKA
David
 
ZeroByte
Forum Guru
Posts: 4048
Joined: Wed May 11, 2011 6:08 pm

Re: SIP ALG vs SIP Helper

Tue May 30, 2017 9:54 pm

I was there. It was very informative as to what exact fields it modifies.

One question I thought of is this:

Suppose you have two phones on a LAN behind a Mikrotik router doing NAT with SIP helper activated, and they're talking to a SIP server on the public Internet. If phone1 calls phone2, would the SIP helper modify the A: component of the SDP messages when the two phones call each other and the server attempts to let the call perform direct media?

In other words, will both phones receive SDP messages telling them the remote media endpoint is "public.IP.of.Mikrotik" (requiring hairpin NAT)? Would enabling direct media support in the configuration on the Mikrotik prevent this?

In general, we disable SIP helper at our company because our SIP server has an SBC which does its own NAT discovery / work-around activities, and we've found that having two devices trying to do NAT workaround at the same time tends to lead to problems.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
