But I also thought about the phones (clients of the PBX, I mean). Of course, I can't put them in the public net with public addresses.
I envy you
I definitely don't have enough public addresses to assign them to all my phones.
But I'm not sure if the PBX will send correct SDP in case it isn't NATed. I mean, if Mikrotik doesn't have to NAT the PBX, will it change the connection address field in the SDP from my PBX?
There is a certain air of mystery about private and public IP addresses, but it is actually very simple. There's nothing illegal in routing between public and private addresses
inside your network; you just cannot expect anything outside your network to be able to reach your private IPs (and you usually don't even want that to be possible), so you only actually need NAT between the private addresses inside your network and the public addresses outside it. So your phones may stay at private addresses and talk to the PBX on a public address, without any NAT between them.
But your biggest trouble is how to make all of the following scenarios work with a single network configuration:
- two of your own phones call each other
- your own phone talks to someone in the public voice network via your VoIP provider's exchange
- your PBX forwards a call coming from outside to a number of your phone back to a number in public network while it remains in the signalling path (so some kind of RTP loopback to the VoIP provider's exchange is necessary)
So you have several possibilities:
- if both the VoIP provider's exchange and your PBX are at public addresses, and your IP phones stay at private addresses and there is a NAT with SIP ALG activated between the phones and the "rest of the world" (which means both your PBX and the VoIP provider's exchange), the SIP ALG is doing what it has been created for. The only thing I'm not sure about is how the SIP ALG behaves if the PBX asks the phones to send RTP directly to each other, so you may end up having silent calls between your own phones. Here you may need to test both settings of "ip firewall service-port set sip-direct-media", i.e. "yes" and "no". If you try this way, I'd be really interested in the result, especially in the SDPs before and after transit through the Mikrotik
- if you permit transparent routing (i.e. without NAT) between the PBX and the phones and the SIP ALG will not interfere, the SDPs will be OK between the PBX and the phones in any case (no NAT = no problems), but the question is what happens when the phones call outside.
- If you can configure your PBX to force itself into the RTP path between the phones and the uplink trunk (or also the RTP path between your phones as you say it is anything but flexible), you're good and this would be my preferred solution
- if you cannot and thus the PBX will forward SDPs provided by the phones to the VoIP provider, you would have to configure NAT between the phones and the VoIP provider's IP address. It would be actually used only for the RTP as the signalling doesn't flow directly between the phones and the VoIP provider. Now,
- either the VoIP provider is able to ignore the connection address in the SDPs coming from a client and instead send RTP to the remote socket from which it actually receives it, and make an exception if the connection address in the SDP is one of its own ones (for the forwarded calls). If this is the case, the ALG must be off.
- or, if the above does not work, you would need the SIP ALG to manipulate SDPs in SIP packets between your PBX and the VoIP provider's one to make ordinary calls between your phones and the world work, but this is the scenario we've started from and needed to avoid because it breaks the forwarded calls, so game over at this point.