Toby7
Member Candidate
Topic Author
Posts: 109
Joined: Thu Jan 05, 2012 12:53 am

VoIP and NAT, no connection

Sun Oct 16, 2016 6:04 pm

Hi,

I am very frustrated with the problems I have with my Mikrotik Router and VoIP. The RB3011 has a Vigor V120 modem connected, which is used for setting up the internet connection. There is src NAT as well as some firewall rules. Now I wanted to use VoIP by sipgate behind the NAT in my home network but I cannot get it running. I tried two VoIP clients: a softphone called "PhonerLite" and a FritzBox 7490. Both of them cannot register their number with the SIP provider. The SIP helper is already disabled in the "Service Ports" section.

Browsing the web as well as normal internet usage works as expected. My provider gives me a public IPv4 address, so there is no Dual Stack lite NAT between my IP and the public internet.

What I have tried so far:
- Open UDP ports 3478, 5060-5066, 7077-709 and 10000-20000
- Forward them to the VoIP Client, currently 192.168.0.110
- SIP Helper is disabled

I am not sure if I have to add filter rules in the forward chain if I open a port by using dstnat in the NAT? Is it enough to just do a destination nat on the specific port?
Please help me, I don't know how to solve this problem :-(

Here is my config:
	
/ip firewall filter
add action=accept chain=forward comment=VoIP dst-address=192.168.0.110 \
    dst-port=5060 in-interface-list=ListPPPoE_Intf protocol=udp
add action=accept chain=forward comment=VoIP dst-address=192.168.0.110 \
    dst-port=3478 in-interface-list=ListPPPoE_Intf protocol=udp
add action=accept chain=forward comment=VoIP dst-address=192.168.0.110 \
    dst-port=10000-20000 in-interface-list=ListPPPoE_Intf protocol=udp
add action=accept chain=forward comment=VoIP connection-nat-state=dstnat \
    in-interface-list=ListPPPoE_Intf
add action=accept chain=input comment="ALLOW all ICMP" protocol=icmp
add action=accept chain=input comment=\
    "ACCEPT established and related packets on INPUT" connection-state=\
    established,related
add action=drop chain=input comment="DROP all from WAN" in-interface-list=\
    ListPPPoE_Intf
add action=accept chain=forward comment=\
    "Accept established and related packets on FORWARD" connection-state=\
    established,related
add action=drop chain=forward comment="DROP all invalid packets" \
    connection-state=invalid
add action=drop chain=forward comment="Drop all packets arriving at the WAN in\
    terface and traversing the router towards the LAN, unless there's a explic\
    it dst-nat rule matching it, i.e. a port forwarding from the router to an \
    inside host." connection-nat-state=!dstnat connection-state=new \
    in-interface-list=ListPPPoE_Intf

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Inexio WAN" \
    out-interface-list=ListPPPoE_Intf
add action=dst-nat chain=dstnat comment="VoIP FritzBox" dst-port=3478 \
    in-interface-list=ListPPPoE_Intf protocol=udp to-addresses=192.168.0.110 \
    to-ports=3478
add action=dst-nat chain=dstnat dst-port=5060-5066 in-interface-list=\
    ListPPPoE_Intf protocol=udp to-addresses=192.168.0.110 to-ports=5060-5066
add action=dst-nat chain=dstnat dst-port=7077-7109 in-interface-list=\
    ListPPPoE_Intf protocol=udp to-addresses=192.168.0.110 to-ports=7077-7109
add action=dst-nat chain=dstnat dst-port=10000-20000 in-interface-list=\
    ListPPPoE_Intf protocol=udp to-addresses=192.168.0.110 to-ports=\
    10000-20000
	
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
 
Toby7
Member Candidate
Topic Author
Posts: 109
Joined: Thu Jan 05, 2012 12:53 am

Re: VoIP and NAT, no connection

Mon Oct 17, 2016 11:14 pm

Meanwhile I did some further investigation of the issue. The software StarTrinity SIPTester is able to register the SIP number on my local PC. Then I tried to get PhonerLite running but it could not even register the SIP number.
The strange thing here is that I do not see outgoing UDP packets on my WAN gateway (PPPoE). I would expect to see some UDP packets from port 5060.... Could there be any filter rule preventing this?
 
Rick
just joined
Posts: 13
Joined: Tue Jan 19, 2016 2:30 pm

Re: VoIP and NAT, no connection

Thu Dec 29, 2016 11:03 pm

Hi,

Did you get anywhere with this? I am having a similar problem, although for me I see the packets go out but I never seem to get a response from sipgate. However if I switch my phone from wifi (Mikrotik) to 4G mobile connection, it connects straight away (ruling out a client problem).
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: VoIP and NAT, no connection

Fri Dec 30, 2016 3:37 am

I've used Mikrotiks with SIP providers before, not sipgate though.

But I've always used the SIP helper, and do not configure any port forwarding at all for VOIP. For the SIP helper to work, your WAN port must be a public IP.

For the sip helper to work, your phone needs to use unencrypted SIP. Generally I stay away from encrypted SIP unless my phone/pbx has a public IP to avoid NAT problems.

PORT 5060 is for SIP signalling. Your phone will always send out a registration packet every 2 or 3 minutes. With Mikrotik's packet sniffer, you should see these packets. Because Mikrotiks dynamically forward UDP ports for a short period, you do not need to forward port 5060. It'll remain dynamically forwarded.

PORT 5061 is for SIP TLS. SIP helper won't work with this but it's what you'd use if you wanted an encrypted VOIP connection.

PORT 5062-5066 Not related to VOIP.
PORT 7077-7090 Not related to VOIP.

PORT 3478 is for a STUN server. Your phone needs to know your public IP and may use a STUN server to find it. You, as the client, do not host the STUN server. Don't forward this port. Without a STUN server, your phone will use its private IP in SIP packets. With Mikrotik's SIP helper enabled, the Mikrotik will inspect and replace your private IP with its WAN IP. This removes the need for a STUN server.

PORTS 10,000-20,000 would be your dynamic RTP/UDP ports for audio. If you choose to forward ports instead of using the sip helper, the phone must support using this IP range for audio ports. With the SIP Helper enabled, the ports used for audio are negotiated in the SIP packets. The SIP helper will automatically forward ports negotiated between your phone and the provider.

You do not need to add filter rules to allow forwarded ports to work.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: VoIP and NAT, no connection

Fri Dec 30, 2016 3:40 am

Toby7 wrote:
> Meanwhile I did some further investigation of the issue. The software StarTrinity SIPTester is able to register the SIP number on my local PC. Then I tried to get PhonerLite running but it could not even register the SIP number.
> The strange thing here is that I do not see outgoing UDP packets on my WAN gateway (PPPoE). I would expect to see some UDP packets from port 5060.... Could there be any filter rule preventing this?

The software you downloaded may have STUN built in, or some other method for determining your public IP as it is required to establish audio connections.

You should see outgoing UDP packets on port 5060 going out your WAN gateway. If you don't, that's a good place to start. With default config, the Mikrotik won't be blocking these ports. Try using packet sniffer on the lan interface to see if sip packets are coming into the router. Perhaps with your phone, it won't try to register if it cannot determine your public IP via a stun server.
 
Van9018
Long time Member
Posts: 558
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: VoIP and NAT, no connection

Fri Dec 30, 2016 3:46 am

Rick wrote:
> Hi,
>
> Did you get anywhere with this? I am having a similar problem, although for me I see the packets go out but I never seem to get a response from sipgate. However if I switch my phone from wifi (Mikrotik) to 4G mobile connection, it connects straight away (ruling out a client problem).

Does your 4G connection use a public IP? Use the SIP helper in Mikrotik. Or do a packet capture and view it in Wireshark to find out if your SIP phone is using private IPs. Some VOIP providers would recognize that they should reply to the IP from which the registration was sent, or the provider may be more strict and reply to the IP specified in the registration packet.
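
The capture check suggested in the last reply (is the phone putting its private IP into the SIP packets?) can be scripted once a SIP message has been copied out of the sniffer or Wireshark. This is an added example, not part of any post in the thread; the sample REGISTER, the domain sip.example.net and the account number are constructed, and only the 192.168.0.110 client address comes from the thread.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?![\d.])")

# Constructed sample: REGISTER from a phone at 192.168.0.110 with no STUN
# and no SIP helper rewriting it (account and domain are made up).
SAMPLE_REGISTER = (
    "REGISTER sip:sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.110:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:1234567@sip.example.net>;tag=49583\r\n"
    "To: <sip:1234567@sip.example.net>\r\n"
    "Call-ID: 843817637684230@phone\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:1234567@192.168.0.110:5060>\r\n"
    "Expires: 180\r\n"
    "Content-Length: 0\r\n\r\n"
)

def _private_in(field, text):
    """Yield (field, address) for every RFC 1918 IPv4 literal in text."""
    for match in IPV4.finditer(text):
        try:
            addr = ipaddress.ip_address(match.group())
        except ValueError:          # e.g. 999.1.1.1 is not an address
            continue
        if any(addr in net for net in RFC1918):
            yield field, str(addr)

def private_addresses(message):
    """List routing fields of a SIP message that expose a private IPv4."""
    head, _, body = message.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:            # skip the request line
        name, _, value = line.partition(":")
        # Via/Contact (and compact forms v/m) tell the far end where to reply.
        if name.strip().lower() in ("via", "v", "contact", "m"):
            findings.extend(_private_in(name.strip(), value))
    for line in body.split("\r\n"):
        # SDP o= and c= carry the address the phone expects audio (RTP) on.
        if line.startswith(("o=", "c=")):
            findings.extend(_private_in("SDP " + line[:2], line[2:]))
    return findings

if __name__ == "__main__":
    for field, addr in private_addresses(SAMPLE_REGISTER):
        print(f"{field}: private address {addr} visible to the provider")
```

An empty result on a message captured on the WAN side means the addresses were rewritten (by STUN on the phone or by the SIP helper); findings in Via, Contact or the SDP lines mean a strict provider would reply to an address it cannot reach.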
