stabmegane
just joined
Topic Author
Posts: 12
Joined: Tue Mar 31, 2015 1:43 pm

Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's

Tue Apr 06, 2021 3:32 pm

Hi,
I recently built (about 6 months ago) a site-to-site VPN (OpenVPN) using two Mikrotiks, one on each site.
They both communicate fine and everything is working as it should. I mean RDP is working with no problems, some special tax machines work flawlessly, printers are shared across the VPN and everyone is happy.
Suddenly another guy comes to the company and installs a second PBX on the remote site. Let's call it B site.
At the first site (let's call it A site), there used to be a Panasonic PBX which was working fine with analog lines. Sometimes that technician made some changes through the VPN (from site B), which means that the VPN was fine.
Since he installed the second PBX on site B, he wanted to install a VoIP phone which, as he says, must communicate with the PBX on site A.
The two PBX's should be connected through the VPN and actually you can ping anything from everywhere.
Now here comes the problem. If you call using the VoIP phone on site B, or you try to call the VoIP phone on site B, usually the line disconnects after a couple of rings. If you are lucky you may establish a connection, but there is one-way audio. Or sometimes the call is rejected from the beginning. Sounds like NAT problems, but everything is disabled in IP>Firewall>NAT.
As the other technician says, it's my fault, I didn't configure the VPN right and I have to fix it.
I am in trouble with all this situation and I am trying to find a way to solve it.
Is there anyone who has experience with Panasonic PBX's and has any idea?

Some info:
On site A the PBX is an NS500, its IP is 192.168.1.101 and the network is 192.168.1.0/24

On site B the PBX is an NCP500, its IP is 172.16.255.101 and the network is 172.16.0.0/16

I already disabled the SIP helper service on both routers and of course NAT is not enabled for any port.

Thank you in advance for your time, and if you have any idea to help me I would appreciate it if you could share it.

Stavros.
P.S. I also tried to use Wireshark to capture packets going in or out from the PBX but I didn't have any luck.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's

Tue Apr 06, 2021 4:56 pm

Are the subnets you've shown the only ones used at each site? I.e. is the VoIP phone also in 172.16.0.0/16 at site B?

That other guy is right in terms that on a usual VoIP PBX, the phone exchanges signalling information only with the PBX which controls it, but the media (audio) stream is established directly with the remote device participating in the call. So when a call gets established between two VoIP phones, they send the media stream directly to each other even if each one is controlled by another PBX. If a call is established between a VoIP phone and an analog line, the media stream runs between the phone and the media gateway converting it into an analog interface; some PBXes use a different IP address for signalling and for the media gateway(s).

Do you have any firewall rules in place at all? NAT is the most popular cause of VoIP surprises, but not the only one.

So I'd recommend to post the anonymized configuration exports of both Mikrotiks, see a mini-howto in my automatic signature just below.

I don't know how exactly you've "sniffed using Wireshark". To see what's going on, I'd recommend to connect the PC running Wireshark to the LAN on one of the sites, configure the sniffer at the Mikrotik on that site with streaming-enabled=yes streaming-server=ip.of.wireshark.pc, start sniffing on Wireshark with capture filter host ip.of.the.mikrotik and udp, and then run /tool sniffer quick ip-address=ip.of.pbx.A,ip.of.pbx.B,ip.of.the.phone interface=the-vpn-interface-name on the Mikrotik. This way, the sniffer will send a TZSP-encapsulated copy of each packet of the VoIP traffic passing through the VPN tunnel to the PC running Wireshark.
 
stabmegane
just joined
Topic Author
Posts: 12
Joined: Tue Mar 31, 2015 1:43 pm

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's

Tue Apr 06, 2021 5:51 pm

Site A
# apr/06/2021 17:45:35 by RouterOS 6.48.1
# software id = xxxxxxxx
#
# model = 951Ui-2HnD
# serial number = xxxxxxxx
/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-full
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add add-default-route=yes comment="xxxxxxxx" disabled=no interface=\
    ether1 keepalive-timeout=900 max-mru=1492 max-mtu=1492 name=pppoe-out1 \
    use-peer-dns=yes user=xxxxxxxx
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n country=\
    no_country_set disabled=no frequency=2462 frequency-mode=manual-txpower \
    mode=ap-bridge ssid=xxxxxxxx wireless-protocol=802.11
/interface ovpn-client
add certificate=cert_export_larisis.crt_0 cipher=aes256 connect-to=\
    xxxxxxxx mac-address=xxxxxxxx name=ovpn-out1 user=larisis
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.250
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge1 name=dhcp1
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,passw\
    ord,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 hw=no interface=ether2
add bridge=bridge1 hw=no interface=ether3
add bridge=bridge1 hw=no interface=ether4
add bridge=bridge1 hw=no interface=ether5
/interface list member
add interface=pppoe-out1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4,1.1.1.1,192.168.1.1 \
    gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=212.205.212.205,8.8.8.8,8.8.4.4,1.1.1.1
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=5060 in-interface=\
    ovpn-out1 protocol=tcp to-addresses=192.168.1.101 to-ports=5060
add action=masquerade chain=srcnat src-address=192.168.1.0/24
/ip firewall raw
add action=notrack chain=prerouting disabled=yes src-address=192.168.1.101
add action=notrack chain=prerouting disabled=yes dst-address=192.168.1.101
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
/ip route
add distance=1 dst-address=172.16.0.0/16 gateway=192.168.8.1
/ip service
set telnet address=192.168.1.0/24
set ftp address=192.168.1.0/24
set www address=192.168.1.0/24
set ssh address=192.168.1.0/24
set api address=192.168.1.0/24
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24
/system clock
set time-zone-name=Europe/Athens
/system leds
set 5 interface=wlan1
/system ntp client
set enabled=yes primary-ntp=62.103.129.253 secondary-ntp=194.177.210.54 \
    server-dns-names=""
/tool sniffer
set file-name=capture-pharment-201 filter-ip-address=172.16.255.101/32



Site B
# apr/06/2021 14:34:47 by RouterOS 6.48.1
# software id = 
#
# model = 951Ui-2nD
# serial number = xxxxxxxx
/interface ethernet
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
   xxxxxxxxxx name=WAN1-port2
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    xxxxxxxxxxx name=WAN2-port3
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
     xxxxxxxxxxx name=WAN3-port4
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=\
    xxxxxxxxxxx
/interface pppoe-client
add interface=WAN2-port3 keepalive-timeout=60 max-mru=1480 max-mtu=1480 name=pppoe-out1 user= xxxxxxxxxxx
add disabled=no interface=WAN1-port2 keepalive-timeout=60 max-mru=1480 max-mtu=1200 name=pppoe-out2 user=\
     xxxxxxxxxxx
add interface=WAN3-port4 keepalive-timeout=60 max-mru=1480 max-mtu=1480 name=pppoe-out3 user= xxxxxxxxxxx
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 country=no_country_set frequency-mode=manual-txpower ssid=MikroTik \
    station-roaming=enabled
/interface ethernet switch port
set 0 vlan-mode=fallback
set 1 vlan-mode=fallback
set 2 vlan-mode=fallback
set 3 vlan-mode=fallback
set 5 vlan-mode=fallback
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp_pool1 ranges=172.16.0.2-172.16.255.254
add name=ovpn-pool ranges=192.168.8.20
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay disabled=no interface=ether1 lease-time=1d name=dhcp1
/ppp profile
add local-address=192.168.8.1 name=ovpn remote-address=ovpn-pool
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/system logging action
set 1 disk-file-name=log
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes require-client-certificate=yes
/ip address
add address=172.16.0.1/16 interface=ether1 network=172.16.0.0
/ip dhcp-server network
add address=172.16.0.0/16 dns-server=8.8.8.8,8.8.4.4,195.170.0.2 gateway=172.16.0.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=172.16.255.239 list=user-no-pcc
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=port88 passthrough=no protocol=tcp src-port=88
add action=mark-routing chain=prerouting new-routing-mark=port89 passthrough=no protocol=tcp src-port=89
add action=accept chain=prerouting src-address-list=user-no-pcc
add action=accept chain=prerouting disabled=yes in-interface=pppoe-out1
add action=accept chain=prerouting in-interface=pppoe-out2
add action=accept chain=prerouting disabled=yes in-interface=pppoe-out3
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/0 src-address=172.16.0.0/16
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/1 src-address=172.16.0.0/16
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=wan3_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:3/2 src-address=172.16.0.0/16
add action=mark-routing chain=prerouting connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=yes \
    src-address=172.16.0.0/16
add action=mark-routing chain=prerouting connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=yes \
    src-address=172.16.0.0/16
add action=mark-routing chain=prerouting connection-mark=wan3_conn new-routing-mark=to_wan3 passthrough=yes \
    src-address=172.16.0.0/16
add action=mark-connection chain=prerouting comment=VOIP dst-port=5060 new-connection-mark=VOIP passthrough=yes \
    protocol=tcp
add action=mark-packet chain=prerouting connection-mark=VOIP new-packet-mark=VOIP passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-out1 src-address=172.16.0.0/16
add action=masquerade chain=srcnat out-interface=pppoe-out2 src-address=172.16.0.0/16
add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-out3 src-address=172.16.0.0/16
add action=dst-nat chain=dstnat dst-port=3389 in-interface=!WAN1-port2 protocol=tcp to-addresses=172.16.255.239 \
    to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=5060 in-interface=!WAN1-port2 protocol=tcp to-addresses=\
    172.16.255.101 to-ports=5060
add action=dst-nat chain=dstnat dst-port=3333 in-interface=!WAN1-port2 protocol=udp to-addresses=172.16.35.20 to-ports=\
    3333
add action=dst-nat chain=dstnat disabled=yes dst-port=21 in-interface=!WAN1-port2 protocol=tcp to-addresses=\
    172.16.255.239 to-ports=21
add action=dst-nat chain=dstnat disabled=yes dst-address-type="" dst-port=89 in-interface=!WAN1-port2 protocol=tcp \
    src-address-type="" to-addresses=172.16.10.11 to-ports=89
add action=dst-nat chain=dstnat disabled=yes dst-address-type="" dst-port=88 in-interface=!WAN1-port2 protocol=tcp \
    src-address-type="" to-addresses=172.16.10.10 to-ports=88
add action=dst-nat chain=dstnat dst-port=8081 in-interface=!WAN1-port2 protocol=tcp to-addresses=172.16.255.252 \
    to-ports=8081
add action=dst-nat chain=dstnat dst-port=3341 in-interface=!WAN1-port2 protocol=tcp to-addresses=172.16.255.239 \
    to-ports=1433
add action=dst-nat chain=dstnat disabled=yes dst-port=3390 in-interface=!WAN3-port4 protocol=tcp to-addresses=\
    172.16.255.239 to-ports=3389
/ip firewall raw
add action=notrack chain=output disabled=yes out-interface=pppoe-out2 src-address=172.16.255.101
add action=notrack chain=prerouting disabled=yes dst-address=172.16.255.101 in-interface=pppoe-out2
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-path=web-proxy1
/ip route
add check-gateway=arp distance=7 gateway=pppoe-out2 routing-mark=port88
add check-gateway=arp distance=7 gateway=pppoe-out2 routing-mark=port89
add check-gateway=ping disabled=yes distance=1 gateway=pppoe-out1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=pppoe-out2 routing-mark=to_wan2
add check-gateway=ping disabled=yes distance=1 gateway=pppoe-out3 routing-mark=to_wan3
add check-gateway=ping distance=1 gateway=pppoe-out2
add check-gateway=ping disabled=yes distance=1 gateway=pppoe-out2
add check-gateway=ping disabled=yes distance=1 gateway=pppoe-out3
add disabled=yes distance=3 gateway=pppoe-out2
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.8.20
/ip service
set telnet address=172.16.0.0/16
set ftp address=172.16.0.0/16
set www address=172.16.0.0/16
set ssh address=172.16.0.0/16
set api address=172.16.0.0/16
/ip smb shares
set [ find default=yes ] directory=/pub
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=larisis profile=ovpn
/system clock
set time-zone-autodetect=no
/system ntp client
set enabled=yes primary-ntp=194.177.210.54

I hope I pasted it right here
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's  [SOLVED]

Tue Apr 06, 2021 6:36 pm

Multiple issues exist.

First, at the OVPN client side (Site A), your only action=masquerade rule there is not restricted to out-interface=pppoe-out1 or out-interface-list=WAN (adding either of these match conditions is sufficient as a fix), so connections whose first packet is sent from Site A to Site B get src-nated to the own address assigned to ovpn-out1.

Second, the mangle rules at Site B do not exempt the traffic between the two LAN subnets from getting routing-mark values assigned, nor are there any /ip route rule items neutralizing such assignment, nor do any dedicated routes to 192.168.1.0/24 and 172.16.0.0/16 with these routing-mark values exist. The only exemption is for src-address-list=user-no-pcc, and the sole item on this address-list is 172.16.255.239. So I suppose this is the address of the only server you actually access from Site A. The easiest, but not necessarily most clear to understand, way to deal with this is the following:
/ip route rule
add dst-address=192.168.1.0/24 action=lookup-only-in-table table=main
add dst-address=172.16.0.0/16 action=lookup-only-in-table table=main


Third, and maybe most important, there are no firewall rules whatsoever in the filter table; restriction of permitted source addresses on /ip service rows may not be equally safe as using firewall filter rules.
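The script below is an added example for this thread; it is neither sindy's reply nor stabmegane's exports, and it puts the three points above into one RouterOS 6.x change set per site. Interface names and subnets are taken from the posted exports. Everything else is an assumption made for the example: that the OVPN server at Site B listens on its default TCP port 1194, that each side wants to manage the other router over the tunnel, and that the filter rules are a minimal starting set rather than a full policy.

```routeros
# Added example (not from the thread): consolidated fixes for the three points above.
# Interface and address names come from the posted exports; everything marked
# "assumption" is not on the page. Apply in Safe Mode when working remotely.

# ---------- Site A (OVPN client, LAN 192.168.1.0/24) ----------
# 1) Masquerade only towards the internet. Without out-interface-list=WAN the
#    existing rule also src-nats packets leaving through ovpn-out1, so the PBX
#    at Site B sees the tunnel address instead of 192.168.1.101.
/ip firewall nat
remove [ find chain=srcnat action=masquerade src-address=192.168.1.0/24 ]
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.1.0/24

# 3) A minimal filter table (assumption: management from Site B over the tunnel is wanted).
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN
add chain=input action=accept in-interface=ovpn-out1 src-address=172.16.0.0/16 comment="management from Site B"
add chain=input action=drop comment="replaces the per-service address restrictions"
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN
add chain=forward action=accept in-interface=ovpn-out1 src-address=172.16.0.0/16 dst-address=192.168.1.0/24
add chain=forward action=drop

# ---------- Site B (OVPN server, LAN 172.16.0.0/16, PCC over three PPPoE uplinks) ----------
# 2) Inter-site traffic must be looked up in the main table only; otherwise the
#    PCC routing-marks send it to the to_wan2 default route instead of the
#    route via 192.168.8.20 (the tunnel).
/ip route rule
add dst-address=192.168.1.0/24 action=lookup-only-in-table table=main
add dst-address=172.16.0.0/16 action=lookup-only-in-table table=main
# Optional belt and braces: stop the PCC rules from marking inter-site
# connections at all (inserted before the first mark-connection rule).
/ip firewall mangle
add chain=prerouting action=accept src-address=172.16.0.0/16 dst-address=192.168.1.0/24 \
    place-before=[ find new-connection-mark=wan1_conn ] comment="inter-site traffic, no PCC"

# 3) Interface lists (Site B has none yet) and a minimal filter table.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=LAN
add interface=pppoe-out1 list=WAN
add interface=pppoe-out2 list=WAN
add interface=pppoe-out3 list=WAN
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN
add chain=input action=accept in-interface-list=WAN protocol=tcp dst-port=1194 comment="OVPN server (default port; assumption)"
add chain=input action=accept src-address=192.168.1.0/24 comment="management from Site A over the tunnel"
add chain=input action=drop
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN
add chain=forward action=accept src-address=192.168.1.0/24 dst-address=172.16.0.0/16
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN comment="only the dst-nat'ed services"
add chain=forward action=drop
# The Site B export also has allow-none-crypto=yes; the SSH "none" cipher should not be offered.
/ip ssh
set allow-none-crypto=no
```

Rules are evaluated top to bottom and appended at the end of each chain, so apply the filter blocks on an otherwise empty filter table, and check the result by watching /ip firewall connection print for the PBX addresses (the src-address of a Site A to Site B connection must stay 192.168.1.101) and with the TZSP sniffer procedure from sindy's first reply.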
 
stabmegane
just joined
Topic Author
Posts: 12
Joined: Tue Mar 31, 2015 1:43 pm

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's

Tue Apr 06, 2021 8:08 pm

First of all thank you very much for your time and effort, i really appreciate it.
I will try later today and i will let you know.
Thanks again
 
stabmegane
just joined
Topic Author
Posts: 12
Joined: Tue Mar 31, 2015 1:43 pm

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's

Wed Apr 07, 2021 10:51 am

And finally yes, it looks like everything is working right!!
I made the changes and told them to test it for a couple of days.
I sure need a lot to read and study, but your recommendations were right. And now when I look at my config, I see my mistakes.
Thank you again Sindy, you were a real help.
 
Znevna
Forum Guru
Posts: 1347
Joined: Mon Sep 23, 2019 1:04 pm

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's

Wed Apr 07, 2021 1:17 pm

You were running that config for 6 months and haven't spotted any problems with it?..
Well, @sindy saves the day again, but "the other technician" was right in the end: you misconfigured those things.
Also running OpenVPN on a single core 600MHz CPU / 650MHz on the other side, and PPPoE on both of them... that's an incoming bottleneck.
Might want to look into upgrade options.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's

Wed Apr 07, 2021 2:03 pm

Also running OpenVPN on a single core 600MHz CPU / 650MHz on the other side, and PPPoE on both of them .... that's an incoming bottleneck.
For me, a bigger problem with OpenVPN is its use of TCP as transport (which is a limitation of RouterOS 6.x, not of OpenVPN itself), which may amplify eventual issues with packet loss (most often caused by insufficient bandwidth) for VoIP. So if you ever experience issues with sound quality when calling between the sites, you'll have to think about QoS handling and bare IPsec or "something" over IPsec. And QoS is also a CPU intensive task.

What are the bandwidths (DL/UL) of the internet connections at both sites?
 
stabmegane
just joined
Topic Author
Posts: 12
Joined: Tue Mar 31, 2015 1:43 pm

Re: Mikrotik -Mikrotik VPN site to site Problem with Panasonic Pbx's

Fri Apr 09, 2021 9:11 pm

Both sites have 100Mbps down/10Mbps upload speeds.
There is only one extension which is VoIP, everything else is analog and they have two PBX's, one on each side.
That one extension is used for internal communication, but not very often.
They already had the Mikrotiks and the PBX's, they just added that VoIP extension to the site A which supports VoIP.
I was called to fix this and with the help of sindy everything looks fine so far.
And yes, the first install was made by me, but they used to have 3-4 PCs on each side.
Now they grew much more and I will suggest them to install a better Mikrotik.
Thanks for everything for one more time
