danieltnc1981
newbie
Topic Author
Posts: 32
Joined: Sun Jul 16, 2017 1:27 pm

Problems With 5060 Sip Wildixin

Mon Sep 20, 2021 10:14 pm

Good evening
I have a Mikrotik configured in the following way

WAN 1
LAN 1
LAN 2

ETH1 - Wan 1 - Public address
ETH2 - Lan 1 - 192.168.1.0
ETH 3 - Lan 2 - 192.168.2.0 (Wildixin On 192.168.2.200)

I have a WILDIXIN switchboard in Lan 2
I opened the ports, but 5060 and 5061 won't work.
The other ports work, but 5060 UDP and 5061 UDP do not; or rather, the Wildix console reports that they are closed.

Here is my Firewall configuration

/ip firewall nat print

;;; Wildixin 5060 Udp
chain=dstnat action=dst-nat to-addresses=192.168.2.200 to-ports=5060
protocol=udp in-interface=ether1 dst-port=5060 log=no log-prefix=""

4 ;;; Wildixin 5060 Tcp
chain=dstnat action=dst-nat to-addresses=192.168.2.200 to-ports=5060
protocol=tcp in-interface=ether1 dst-port=5060 log=no log-prefix=""

5 ;;; Wildix Udp 11001-15001
chain=dstnat action=dst-nat to-addresses=192.168.2.200
to-ports=10000-15000 protocol=udp in-interface=ether1
dst-port=10000-15000 log=no log-prefix=""

;;; Wildix Tcp 443
chain=dstnat action=dst-nat to-addresses=192.168.2.200 to-ports=443
protocol=tcp in-interface=ether1 dst-port=443 log=yes log-prefix=""

7 ;;; Wildix 80
chain=dstnat action=dst-nat to-addresses=192.168.2.200 to-ports=80
protocol=tcp in-interface=ether1 dst-port=80 log=yes log-prefix=""

8 ;;; Wildix 4443
chain=dstnat action=dst-nat to-addresses=192.168.2.200 to-ports=4443
protocol=tcp in-interface=ether1 dst-port=4443 log=yes log-prefix=""

Wildixin 5061 Tcp
chain=dstnat action=dst-nat to-addresses=192.168.2.200 to-ports=5061
protocol=tcp in-interface=ether1 dst-port=5061 log=no log-prefix=""

11 ;;; Wildixin 5061 Udp
chain=dstnat action=dst-nat to-addresses=192.168.2.200 to-ports=5061

SIP ALG disabled on MikroTik

Looking forward to your response, or your support

Thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problems With 5060 Sip Wildixin

Wed Sep 22, 2021 11:46 pm

Post the export of the complete configuration, there may be filter rules that break it.

An unrelated remark: don't use to-ports in the NAT rules unless you need to change the port. With dst-port=1234 to-ports=1234, it is just a waste of CPU but nothing bad happens; with dst-port=10000-15000 to-ports=10000-15000, you introduce a mess because the port is "randomly" changed, which is not good for VoIP.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Problems With 5060 Sip Wildixin

Wed Sep 22, 2021 11:51 pm

@sindy, it is like the other topic..

1) Missing dst-address=<WAN_PUBLIC_IP> on all rules

2) I have worked with VoIP since 2010 and every time SIP ALG IS ON, without using STUN and proxy, never a problem.

default code

/ip firewall service-port
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h

3) Some ISP providers (like me) do not allow any use of 5060 and 5061, any protocol,
because they are often used by BitTorrent and other things, and I do not want to give near the top priority to that traffic, using this hack.
Obviously valid SIP use is still permitted, but the client must ask first, for free, to add a SIP server not already on the whitelist.

Is rule 11 incomplete?

missing code

protocol=udp in-interface=ether1 dst-port=5061 log=no log-prefix="" 
but I think it is a copy-paste error

Paste this in the terminal after you replace <WAN_PUBLIC_IP> with..... WAN Public IP...
/ip firewall nat
set [find where comment~"Wildix"] dst-address=<WAN_PUBLIC_IP> !in-interface !to-ports
Thanks to @sindy for the !in-interface and !to-ports suggestion
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Problems With 5060 Sip Wildixin

Thu Sep 23, 2021 12:21 am

> 1) Missing dst-address=<WAN_PUBLIC_IP> on all rules

yes, but he's got in-interface=ether1, so the absence of dst-address=<WAN_PUBLIC_IP> doesn't break anything

> 2) I have worked with VoIP since 2010 and every time SIP ALG IS ON, without using STUN and proxy, never a problem.

SIP ALG is great if phones are at LAN side and the exchange is at WAN side. But things like phones at WAN side and PBX at LAN side may get more troublesome (e.g. if the PBX doesn't forward the RTP between the phones), and an exchange at LAN side that uses one IP address for SIP and several other IP addresses for RTP is a disaster for the SIP ALG.

I see the world from the SIP provider perspective, and the message is clear: no L7 processing at the routers and firewalls - no problems. Mikrotik SIP ALG was dropping SIP messages because it didn't like some item in the SDP where one RFC says it must be a proper FQDN and another RFC only says it must be a string. Another ALG did not adjust the Content-Length value after modifying the IP addresses in the SDP, so the parser at the SBC considered the SDP invalid. Yet another SIP ALG was changing RTP source port to 0, etc. And then you stand there puzzled why the message has not arrived, or why the exchange says the SDP is garbage...
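
The Content-Length failure described in the post above, as an added example that is not part of the original thread: a constructed INVITE has the address in its SDP rewritten the way an ALG would, and a check compares the declared Content-Length with the real body size, which is what a strict parser does. The public address 203.0.113.10, the host name pbx.example and all function names are assumptions made for the illustration.

```python
import re

PRIVATE, PUBLIC = "192.168.2.200", "203.0.113.10"  # constructed sample addresses

def build_invite(sdp_ip):
    """Constructed SIP INVITE with an SDP body; Content-Length is correct."""
    body = "".join(line + "\r\n" for line in (
        "v=0",
        f"o=- 1 1 IN IP4 {sdp_ip}",
        "s=-",
        f"c=IN IP4 {sdp_ip}",
        "t=0 0",
        "m=audio 10000 RTP/AVP 8",
    ))
    head = "\r\n".join((
        "INVITE sip:100@pbx.example SIP/2.0",
        f"Via: SIP/2.0/UDP {sdp_ip}:5060;branch=z9hG4bKconstructed",
        "From: <sip:200@pbx.example>;tag=1",
        "To: <sip:100@pbx.example>",
        "Call-ID: constructed-1",
        "CSeq: 1 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(body.encode())}",
    ))
    return (head + "\r\n\r\n" + body).encode()

def alg_rewrite(msg, private_ip, public_ip, fix_length):
    """Swap the address inside the SDP only, optionally repairing the header."""
    head, _, body = msg.partition(b"\r\n\r\n")
    body = body.replace(private_ip.encode(), public_ip.encode())
    if fix_length:
        head = re.sub(rb"(?im)^(?:Content-Length|l)[ \t]*:[ \t]*\d+",
                      b"Content-Length: %d" % len(body), head)
    return head + b"\r\n\r\n" + body

def content_length_delta(msg):
    """Actual body bytes minus declared Content-Length; 0 means consistent."""
    head, sep, body = msg.partition(b"\r\n\r\n")
    m = re.search(rb"(?im)^(?:Content-Length|l)[ \t]*:[ \t]*(\d+)", head)
    if not sep or m is None:
        raise ValueError("no header/body separator or no Content-Length")
    return len(body) - int(m.group(1))

if __name__ == "__main__":
    sent = build_invite(PRIVATE)
    for fix in (False, True):
        rewritten = alg_rewrite(sent, PRIVATE, PUBLIC, fix_length=fix)
        print(f"fix_length={fix}: delta={content_length_delta(rewritten)}")
```

Running the same check over SIP messages captured on both sides of the router shows whether a rewrite happened in between and whether it left the length header stale.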
