shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

SIP ALG issue not resolving.

Sat Jul 31, 2021 5:15 pm

I am trying to make a GSM gateway using a USB modem with chan_dongle, asterisk, and 3cx on docker. The main reason behind choosing 3cx was its softphone functionality on dynamic IPs. Currently, 3cx is running on a Raspberry Pi and asterisk on a virtual machine.
So far, I was able to configure chan_dongle on asterisk.

Issue No.1: On the local LAN, I was successful making calls with audio using Zoiper with the local LAN IP (192.168.88.24). Issues arise when I switch to 3cx. So, I followed the 3cx port forwarding guide and forwarded all the ports: https://www.3cx.com/docs/mikrotik-firew ... iguration/. But the weird thing is that when the ports are forwarded the 3cx trunk doesn't register with asterisk, but if I turn off the NAT rules it connects to the asterisk trunk.
add action=dst-nat chain=dstnat comment="3CX SIP UDP" dst-port=5060 protocol=\
    udp to-addresses=192.168.188.29 to-ports=5060
add action=dst-nat chain=dstnat comment="3CX SIP TCP" dst-port=5060 protocol=\
    tcp to-addresses=192.168.188.29 to-ports=5060
After 3cx registers to asterisk, it doesn't get disconnected when the NAT rules are re-enabled.

Issue No.2
I can call others and hear their voice, but they can't hear me. But if someone calls me, none of us can hear each other. Every forum on the net pointed out a firewall issue.
Issue No.3
Following all the guidelines from the 3cx website, I still get "3CX SIP Server... failed" & "detecting SIP ALG... failed". Here is my firewall/nat export:
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow ADMIN to Router" \
    in-interface-list=LAN src-address-list=allowed_to_router
add action=accept chain=input in-interface-list=LAN port=53 protocol=tcp
add action=accept chain=input in-interface-list=LAN port=53 protocol=udp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment=" Allow Port Forwarding - DSTNAT" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="ENABLE LAN to WAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.188.0/24 src-address=\
    192.168.88.0/24
add action=accept chain=forward dst-address=192.168.88.0/24 src-address=\
    192.168.188.0/24
add action=drop chain=forward comment="Drop All Else"

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=pihole_bypass dst-address=\
    192.168.188.25 dst-port=53 protocol=udp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment=pihole_bypass dst-address=\
    192.168.188.25 dst-port=53 protocol=tcp to-addresses=192.168.88.1
add action=dst-nat chain=dstnat comment="Resilio Sync (UDP)" dst-address=\
    0.0.0.0 dst-port=58444 in-interface-list=WAN protocol=udp to-ports=58444
add action=dst-nat chain=dstnat comment="3CX Presence and Provisioning HTTPS" \
    dst-port=5001 protocol=tcp to-addresses=192.168.188.29 to-ports=5001
add action=dst-nat chain=dstnat comment="3CX SIP UDP" dst-port=5060 protocol=\
    udp to-addresses=192.168.188.29 to-ports=5060
add action=dst-nat chain=dstnat comment="3CX SIP TCP" dst-port=5060 protocol=\
    tcp to-addresses=192.168.188.29 to-ports=5060
add action=dst-nat chain=dstnat comment="3CX SIP TLS" dst-port=5061 protocol=\
    tcp to-addresses=192.168.188.29 to-ports=5061
add action=dst-nat chain=dstnat comment="3CX Media UDP" dst-port=9000-10999 \
    protocol=udp to-addresses=192.168.188.29 to-ports=9000-10999
add action=dst-nat chain=dstnat comment="3CX Tunnel TCP" dst-port=5090 \
    protocol=tcp to-addresses=192.168.188.29 to-ports=5090
add action=dst-nat chain=dstnat comment="3CX Tunnel UDP" dst-port=5090 \
    protocol=udp to-addresses=192.168.188.29 to-ports=5090

/ip firewall service-port
set sip disabled=yes
To my understanding, my firewall is already on par with the 3cx guidelines. Any help will be highly appreciated. I will implement VPN once RouterOS 7 is out of beta. Additional information: my router has two subnets, 192.168.88.xx (main subnet) & 192.168.188.xx, where 3cx is on 192.168.188.29.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: SIP ALG issue not resolving.

Sat Jul 31, 2021 6:23 pm

Start by removing to-ports=9000-10999 from the dstnat rule with comment="3CX Media UDP".

The thing is that if you specify the to-ports range, the firewall randomly assigns a port from that range to each connection; if you don't specify it, it only changes the address but keeps the original port.
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: SIP ALG issue not resolving.

Sat Jul 31, 2021 6:40 pm

Thank you for replying. Did you mean:
 ;;; 3CX Media UDP
      chain=dstnat action=dst-nat to-addresses=192.168.188.29 protocol=udp dst-port=9000-10999 log=no log-prefix="" 
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: SIP ALG issue not resolving.

Sat Jul 31, 2021 7:33 pm

Yes.
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: SIP ALG issue not resolving.

Sat Jul 31, 2021 7:34 pm

Still same.
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: SIP ALG issue not resolving.

Sat Jul 31, 2021 7:46 pm

With asterisk/Freepbx you need to define "local" networks that do not need nat. If this is not set then it will try to nat the traffic and you will get one way audio.
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: SIP ALG issue not resolving.

Sat Jul 31, 2021 7:48 pm

How can I do that? Please elaborate a little; two servers on two different subnets.
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: SIP ALG issue not resolving.

Sat Jul 31, 2021 7:51 pm

 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: SIP ALG issue not resolving.

Sat Jul 31, 2021 7:58 pm

Like this?
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: SIP ALG issue not resolving.

Sat Jul 31, 2021 8:20 pm

Yes
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: SIP ALG issue not resolving.

Sat Jul 31, 2021 8:21 pm

Didn't work. Changed the IPs as in the picture above. Zoiper5 works if I log in with a local IP of the asterisk server. Probably a 3cx and firewall-related issue.
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: SIP ALG issue not resolving.

Sun Aug 01, 2021 2:35 am

My guess is that 3cx has a similar setting.
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: SIP ALG issue not resolving.

Sun Aug 01, 2021 9:45 am

It only has the server IP and a dynamic or static external address. If dynamic, it then uses an FQDN.
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: SIP ALG issue not resolving.

Sun Aug 01, 2021 3:24 pm

Is 3cx always going to asterisk for the primary connection? If so there is no need for any firewall rule for this server. The router will just route packets normally between subnets.
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: SIP ALG issue not resolving.

Sun Aug 01, 2021 3:34 pm

If this is going to replace asterisk, then you should set in-interface or out-interface on your NAT rules so that the router does not NAT the traffic between subnets, only the traffic going out of your WAN interface.
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: SIP ALG issue not resolving.

Sun Aug 01, 2021 4:47 pm

Probably this diagram will clarify things. Issue No.1 is similar to this: viewtopic.php?f=2&t=130314&p=870450#p640205. But for me, adding WAN as the incoming interface didn't yield any results.
Update: Issue No.1 probably resolved by using
/ip firewall nat 
add chain=dstnat action=dst-nat to-ports=5060 protocol=udp dst-port=5060 comment="3CX SIP UDP"

add chain=dstnat action=dst-nat to-ports=5060 protocol=tcp dst-port=5060 comment="3CX SIP TCP"
But if I am not mistaken, this exposes port 5060 to the internet for my network?
 
biomesh
Long time Member
Posts: 561
Joined: Fri Feb 10, 2012 8:25 pm

Re: SIP ALG issue not resolving.  [SOLVED]

Sun Aug 01, 2021 5:10 pm

A dst-nat to the same port is not really of any use.

dst-nat rules are for non-natted networks to natted networks, like your WAN interface. Generally you would not want to use the from/to ports but the to/from address. This would mean that if you want asterisk and 3cx available from your WAN, they would need to use unique ports (well, at least from the client side, if you use dst-nat to remap ports). If 3cx is the only PBX that needs external access, then change those rules to use the to-addresses option along with setting the in-interface to your WAN.
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: SIP ALG issue not resolving.

Sun Aug 01, 2021 5:16 pm

Thank you for the reply. I will try to implement what you said. New tinkering with the NAT rules yields this:

The 3cx firewall checker returns this when I remove the to-address:

detecting SIP ALG... not detected
testing port 5060... full cone test failed

But if I add the to-address in the NAT rules, 3cx yields:
detecting SIP ALG... failed
testing port 5060... done
 
shafiqrahman
Member Candidate
Topic Author
Posts: 132
Joined: Wed Apr 12, 2017 1:42 am

Re: SIP ALG issue not resolving.

Sun Aug 01, 2021 6:34 pm

Thank you very much @biomesh and @sindy. All issues solved. Though the voice is too noisy and broken, it works. I will mark the thread solved soon. Here are the NAT rules if someone encounters the same issues.
/ip firewall service-port disable sip

/ip firewall nat 

add chain=dstnat action=dst-nat to-addresses=192.168.188.29 to-ports=5001 protocol=tcp dst-port=5001 comment="3CX Presence and Provisioning HTTPS"

add chain=dstnat action=dst-nat to-addresses=192.168.188.29 to-ports=5060 in-interface-list=WAN protocol=udp dst-port=5060 comment="3CX SIP UDP"

add chain=dstnat action=dst-nat to-addresses=192.168.188.29 to-ports=5060 in-interface-list=WAN protocol=tcp dst-port=5060 comment="3CX SIP TCP"

add chain=dstnat action=dst-nat to-addresses=192.168.188.29 to-ports=5061 protocol=tcp dst-port=5061 comment="3CX SIP TLS"

add chain=dstnat action=dst-nat to-addresses=192.168.188.29 protocol=udp dst-port=9000-10999 comment="3CX Media UDP"

add chain=dstnat action=dst-nat to-addresses=192.168.188.29 to-ports=5090 protocol=tcp dst-port=5090 comment="3CX Tunnel TCP"

add chain=dstnat action=dst-nat to-addresses=192.168.188.29 to-ports=5090 protocol=udp dst-port=5090 comment="3CX Tunnel UDP"
Here,
Freepbx server:192.168.88.24
3cx server:192.168.188.29
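To make the two fixes in this thread concrete, here is an added example (not from the thread, MikroTik or 3CX) that models RouterOS dstnat matching in Python, with to-ports behaving as sindy describes above. It shows why the original rule also rewrote 3CX's own registration to Asterisk across the two subnets, and why to-ports on the media rule broke RTP. The rule lines are taken from the posts; the packets and the 203.0.113.1 public address are constructed.

```python
import random
import shlex
from collections import namedtuple

# in_iface is the interface list the packet arrived on: "WAN" or "LAN".
Packet = namedtuple("Packet", "in_iface proto dst_addr dst_port")

def parse_rule(line):
    """Turn one RouterOS 'add key=value ...' line into a dict; shlex handles the quoted comment."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def apply_dstnat(rules, pkt, rng=random):
    """Walk the dstnat chain in order; the first matching dst-nat rule decides the new (addr, port)."""
    for r in map(parse_rule, rules):
        if (r.get("chain"), r.get("action")) != ("dstnat", "dst-nat"):
            continue
        if "in-interface-list" in r and r["in-interface-list"] != pkt.in_iface:
            continue  # without this matcher the rule also catches LAN-to-LAN packets
        if "protocol" in r and r["protocol"] != pkt.proto:
            continue
        lo, _, hi = r.get("dst-port", "0-65535").partition("-")
        if not int(lo) <= pkt.dst_port <= int(hi or lo):
            continue
        addr = r.get("to-addresses", pkt.dst_addr)
        if "to-ports" in r:  # a range means one random port per connection (as sindy describes)
            lo, _, hi = r["to-ports"].partition("-")
            port = rng.randint(int(lo), int(hi or lo))
        else:  # no to-ports: only the address changes, the original port is kept
            port = pkt.dst_port
        return addr, port
    return pkt.dst_addr, pkt.dst_port

def rtp_port_kept(rules, pkt, trials=20, seed=0):
    """True only if every new connection lands on the port the SDP advertised."""
    rng = random.Random(seed)
    return all(apply_dstnat(rules, pkt, rng)[1] == pkt.dst_port for _ in range(trials))

# Rules as exported at the start of the thread (no in-interface-list, media rule with to-ports).
BEFORE = [
    'add chain=dstnat action=dst-nat to-addresses=192.168.188.29 to-ports=5060 protocol=udp dst-port=5060 comment="3CX SIP UDP"',
    'add chain=dstnat action=dst-nat to-addresses=192.168.188.29 to-ports=9000-10999 protocol=udp dst-port=9000-10999 comment="3CX Media UDP"']
# Rules as posted in the solved reply.
AFTER = [
    'add chain=dstnat action=dst-nat to-addresses=192.168.188.29 to-ports=5060 in-interface-list=WAN protocol=udp dst-port=5060 comment="3CX SIP UDP"',
    'add chain=dstnat action=dst-nat to-addresses=192.168.188.29 protocol=udp dst-port=9000-10999 comment="3CX Media UDP"']
# Constructed packets: 3CX registering to Asterisk on the other subnet, and RTP from the internet
# to the router's public address (203.0.113.1 is a documentation address, not from the thread).
LAN_REGISTER = Packet("LAN", "udp", "192.168.88.24", 5060)
WAN_RTP = Packet("WAN", "udp", "203.0.113.1", 9500)
```

With the BEFORE rules the LAN registration packet is redirected to 192.168.188.29 (3CX itself), which is the Issue No.1 symptom; with AFTER it passes untouched and the RTP port advertised in SDP is preserved.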
