VolanD
just joined
Topic Author
Posts: 12
Joined: Thu Mar 07, 2013 10:08 am

SIP ALG doesn't work in a proper way

Thu Feb 08, 2018 6:51 am

Hi everyone here!

I've got a router Mikrotik 1100AHx2-RouterOS:6.38.7 (bugfix). Our PBX is located behind the router and NAT+SIP ALG were configured there. And now I've faced a problem. The usual calls work OK. But if I use the call forwarding option it doesn't work, we can't hear each other. So, I sniffed the calls and figured out that there is a problem with the Connection address field in SDP. When my PBX tries to forward the call it sends a new SDP with a changed Connection address field there. The PBX replaces its own IP address in the field with the address of ISP-PBX (and I can see that in the traffic dump). It seems the PBX tries to connect the two RTP streams (the caller side to the call forward side) directly. But when that SDP goes through the Mikrotik, the router changes the field back to the address of my PBX and, of course, the call forwarding doesn't work. Could you give me a hint how I can solve this problem?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: SIP ALG doesn't work in a proper way

Thu Feb 08, 2018 11:48 am

You can give a try to
/ip firewall service-port set sip sip-direct-media=no
but in general the SIP helper is not good for anything but individual SIP clients on the private side where the RTP address is the same as the signalling (SIP) address. The helper would have to have a crystal ball or a complex configuration to be able to properly manipulate the RTP address in cases where it is required and keep it untouched in other cases.

Imagine a simple case of two phones on public addresses and your PBX controlling them:
  • if the PBX puts itself into the RTP path, the fact that the helper changes the connection address in the SDP is correct because it must put there the outer address (of the Mikrotik) instead of the actual address of the PBX (which is most likely private so unreachable to the phones),
  • if the PBX tells the phones to send RTP to each other directly, changing the connection address in the SDP is a wrong action to take.
So the helper would have to distinguish between connection addresses in the "internal" domain and the "external" domain to choose the right action, but the problem is that not always "internal" means any private address and "external" means any public address.

So if the setting suggested above does not solve the situation by forcing the RTP through the Mikrotik (I've never tried), you need to tell the PBX either to keep itself in the RTP path (this functionality is often called "media proxy"), or to transfer the two calls (the incoming and outgoing branch) to each other once the called party answers (which means that it won't be able to limit the duration of the call or even know it).
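
The two cases in the post above can be told apart from a pair of captures. This Python sketch is an added example, not part of the original thread: it compares the SDP c= lines seen on the PBX side and on the provider side of the router and labels each rewrite. The addresses, the inside subnet, and all function names are constructed for illustration, and the inside subnet is passed explicitly because "internal" cannot be inferred from an address being private.

```python
import ipaddress

def sdp_addresses(sdp):
    """Connection addresses from every c= line (session and media level), in order."""
    addrs = []
    for line in sdp.splitlines():
        fields = line.strip().split()
        # c=<nettype> <addrtype> <connection-address>
        if len(fields) == 3 and fields[0] == "c=IN":
            addrs.append(fields[2].split("/")[0])  # drop a multicast TTL suffix
    return addrs

def is_inside(addr, nets):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # c= may carry a hostname; it cannot be matched to a subnet
        return False
    return any(ip in net for net in nets)

def classify(before, after, inside, router_addr):
    """Label each c= line by comparing the capture taken before and after the router."""
    nets = [ipaddress.ip_network(n) for n in inside]
    old_addrs, new_addrs = sdp_addresses(before), sdp_addresses(after)
    if len(old_addrs) != len(new_addrs):
        raise ValueError("captures differ in the number of c= lines")
    verdicts = []
    for old, new in zip(old_addrs, new_addrs):
        if old == new:
            verdicts.append("untouched")
        elif is_inside(old, nets) and new == router_addr:
            verdicts.append("nat-rewrite")  # private PBX address hidden, as intended
        elif not is_inside(old, nets):
            verdicts.append("foreign-address-overwritten")  # direct-media SDP altered
        else:
            verdicts.append("unexpected-rewrite")
    return verdicts

# Constructed sample SDPs: PBX 10.0.0.5, router outside 203.0.113.10, provider 198.51.100.20
def sdp(conn):
    return ("v=0\r\no=pbx 1 1 IN IP4 10.0.0.5\r\ns=-\r\n"
            f"c=IN IP4 {conn}\r\nt=0 0\r\nm=audio 20000 RTP/AVP 8\r\n")

INSIDE, ROUTER = ["10.0.0.0/24"], "203.0.113.10"

if __name__ == "__main__":
    print("normal call:   ", classify(sdp("10.0.0.5"), sdp(ROUTER), INSIDE, ROUTER))
    print("forwarded call:", classify(sdp("198.51.100.20"), sdp(ROUTER), INSIDE, ROUTER))
```

A "foreign-address-overwritten" verdict on the forwarded call is the symptom reported in the first post: the PBX offered the provider's media address and the helper replaced it.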
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: SIP ALG doesn't work in a proper way

Thu Feb 08, 2018 12:32 pm

You can always disable the SIP ALG in the MikroTik.
/ip firewall service-port
set sip disabled=yes

But in general I would say: putting your SIP server behind NAT is a bad idea.
I would try everything to avoid that, including getting extra addresses on your internet connection or even making a VPN to some place where you can get them.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: SIP ALG doesn't work in a proper way

Thu Feb 08, 2018 4:44 pm

 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: SIP ALG doesn't work in a proper way

Fri Feb 09, 2018 12:16 am

@CZFan, what did you want to say with that link? I've watched the presentation completely but it hasn't changed my understanding of what the thing can do and what it cannot, and the only topic which I was interested in, what is the difference between behaviours with sip-direct-media set to yes and set to no, has not been actually explained (no, you really cannot prohibit an INVITE from being sent, you can only modify its payload). And the last question from the audience was exactly the same as the OP's one here and the explanation didn't come either.

So I keep standing firmly where I did before - the way it is done, the ALG is fine for phones at the private side of the Mikrotik talking to an exchange at its public side, but cannot cover all scenarios which may happen when an exchange is at Mikrotik's private side and phones or other exchange talk to it from the public side. Unless sip-direct-media=no makes Mikrotik itself create RTP hairpins when the SDPs sent by the PBX indicate public connection addresses, there is no way to solve the OP's issue on Mikrotik and it has to be solved at the PBX.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: SIP ALG doesn't work in a proper way

Fri Feb 09, 2018 1:06 am

I always disable SIP ALG on MikroTik and let my phones and PBX handle NAT (they have options for this). If your phones and PBX can handle it, forgo using the included SIP helper.
 
marrold
Member
Posts: 427
Joined: Wed Sep 04, 2013 10:45 am

Re: SIP ALG doesn't work in a proper way

Fri Feb 09, 2018 1:26 am

SIP ALGs are bad news. Your provider should handle the NAT traversal.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: SIP ALG doesn't work in a proper way

Fri Feb 09, 2018 6:48 pm

I asked Dr. Google for "sip call forward outbound trunk no audio" and a multitude of items came up. What I could gather from these, as long as your router is configured correctly, i.e. SIP and RTP port forwarding, etc., the problem seems to be related / corrected / workaround in the PBX systems.
 
VolanD
just joined
Topic Author
Posts: 12
Joined: Thu Mar 07, 2013 10:08 am

Re: SIP ALG doesn't work in a proper way

Mon Feb 12, 2018 7:37 am

Thank you guys for your replies!
But unfortunately I can't change the PBX. My PBX is Huawei u1911 and it isn't so flexible as opensource PBX. What's more it doesn't have any options to solve NAT problem. So, I think the Mikrotik is my last hope :(

PS. I hoped somebody from MikroTik would say something :)
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: SIP ALG doesn't work in a proper way

Mon Feb 12, 2018 11:05 am

> But unfortunately I can't change the PBX. My PBX is Huawei u1911 and it isn't so flexible as opensource PBX. What's more it doesn't have any options to solve NAT problem.

Then do not use NAT, as I already mentioned. Put it on a public IP address.
 
VolanD
just joined
Topic Author
Posts: 12
Joined: Thu Mar 07, 2013 10:08 am

Re: SIP ALG doesn't work in a proper way

Mon Feb 12, 2018 11:43 am

> > But unfortunately I can't change the PBX. My PBX is Huawei u1911 and it isn't so flexible as opensource PBX. What's more it doesn't have any options to solve NAT problem.
>
> Then do not use NAT, as I already mentioned. Put it on a public IP address.

Thank you for your answer!

But there are only two interfaces on the PBX: mgmt and phones. And I think it isn't a good idea to make any of them public. That's why I use NAT :)
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: SIP ALG doesn't work in a proper way

Mon Feb 12, 2018 11:52 am

If you can put the "phones" interface of the PBX to a public IP address and use a firewall to permit access to that interface of the PBX from the internet side only to the IP address of your VoIP provider, that approach is way better than putting a NAT with an ALG between the PBX and the internet. I was expecting that you use that "emergency means" because you do not have an available public IP you could use for the PBX.
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: SIP ALG doesn't work in a proper way

Mon Feb 12, 2018 2:02 pm

> But there are only two interfaces on the PBX: mgmt and phones. And I think it isn't a good idea to make any of them public. That's why I use NAT :)

So you rely on the "stateful firewall" implied by NAT. But it would be possible to make a stateful firewall that does the same thing, but without NAT.
Also, when you don't want to allow public access, it is better to set up a VPN with plain routing instead of using NAT/Firewalling techniques.
 
VolanD
just joined
Topic Author
Posts: 12
Joined: Thu Mar 07, 2013 10:08 am

Re: SIP ALG doesn't work in a proper way

Sat Feb 17, 2018 8:23 am

> If you can put the "phones" interface of the PBX to a public IP address and use a firewall to permit access to that interface of the PBX from the internet side only to the IP address of your VoIP provider, that approach is way better than putting a NAT with an ALG between the PBX and the internet. I was expecting that you use that "emergency means" because you do not have an available public IP you could use for the PBX.

Thank you very much for your opinion. I've thought about rebuilding my current network. You're absolutely right, I should get rid of NAT. But, also I thought about the phones (clients of PBX I mean). Of course, I can't put them in public net with public addresses. But I'm not sure if the PBX will send correct SDP in case it isn't NATed. I mean if Mikrotik doesn't have to NAT the PBX, will it change connection address field in the SDP from my PBX? You see? Of course I can just try it, but I hoped maybe someone could share his experience?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: SIP ALG doesn't work in a proper way

Sat Feb 17, 2018 3:13 pm

> But, also I thought about the phones (clients of PBX I mean). Of course, I can't put them in public net with public addresses.

I envy you :-) I definitely don't have enough public addresses to assign them to all my phones.

> But I'm not sure if the PBX will send correct SDP in case it isn't NATed. I mean if Mikrotik doesn't have to NAT the PBX, will it change connection address field in the SDP from my PBX?

There is a certain air of mystery about private and public IP addresses, but it is actually very simple. There's nothing illegal in routing between public and private addresses inside your network, you just cannot expect anything outside your network to be able to reach your private IPs (and you usually don't even want that to be possible), so you only actually need NAT between the private addresses inside your network and the public addresses outside it. So your phones may stay at private addresses and talk to the PBX on a public address, without any NAT between them.

But your biggest trouble is how to make all of the following scenarios work with a single network configuration:
  • two of your own phones call each other
  • your own phone talks to someone in the public voice network via your VoIP provider's exchange
  • your PBX forwards a call coming from outside to a number of your phone back to a number in public network while it remains in the signalling path (so some kind of RTP loopback to the VoIP provider's exchange is necessary)

So you have several possibilities:
  • if both the VoIP provider's exchange and your PBX are at public addresses, and your IP phones stay at private addresses and there is a NAT with SIP ALG activated between the phones and the "rest of the world" (which means both your PBX and the VoIP provider's exchange), the SIP ALG is doing what it has been created for. The only thing I'm not sure about is how the SIP ALG behaves if the PBX asks the phones to send RTP directly to each other, so you may end up having silent calls between your own phones. Here you may need to test both settings of "ip firewall service-port set sip-direct-media", i.e. "yes" and "no". If you try this way, I'd be really interested in the result, especially in the SDPs before and after transit through the Mikrotik
  • if you permit transparent routing (i.e. without NAT) between the PBX and the phones and the SIP ALG will not interfere, the SDPs will be OK between the PBX and the phones in any case (no NAT = no problems), but the question is what happens when the phones call outside.
    • If you can configure your PBX to force itself into the RTP path between the phones and the uplink trunk (or also the RTP path between your phones as you say it is anything but flexible), you're good and this would be my preferred solution
    • if you cannot and thus the PBX will forward SDPs provided by the phones to the VoIP provider, you would have to configure NAT between the phones and the VoIP provider's IP address. It would be actually used only for the RTP as the signalling doesn't flow directly between the phones and the VoIP provider. Now,
      • either the VoIP provider is able to ignore the connection address in the SDPs coming from a client and instead send RTP to the remote socket from which it actually receives it, and make an exception if the connection address in the SDP is one of its own ones (for the forwarded calls). If this is the case, the ALG must be off.
      • or, if the above does not work, you would need the SIP ALG to manipulate SDPs in SIP packets between your PBX and the VoIP provider's one to make ordinary calls between your phones and the world work, but this is the scenario we've started from and needed to avoid because it breaks the forwarded calls, so game over at this point.
 
pe1chl
Forum Guru
Posts: 10218
Joined: Mon Jun 08, 2015 12:09 pm

Re: SIP ALG doesn't work in a proper way

Sat Feb 17, 2018 5:48 pm

> I definitely don't have enough public addresses to assign them to all my phones.

Start your study of IPv6!
