I am having problem with VoIP passthrough Mikrotik Router. the phone cannot register to the server. there is not firewall filter.
i have tried with:
1. private ip
2. public ip
3. disable H323
4. disable SIP
5. disable H323 and SIP.

but it doesn't help.

if i change to router like Cisco, it can work well.

Does anyone know what is the problem???

Is the help from "ip firewall service ports"?
Sometime, i need to disable SIP or H323 to make VoIP work properly?

i am using:
ROS version is 3.17.
System: x86

Which VoIP protocol is being used on your network ?

I have about 4 sip devices behind my nat'ed mikrotik router running 3.18 and it passes sip all day long. And always has all the way back to 3.0 which is what i started out with.

My customer is using www.vonage.com product.

Do you have any proxy Configured...???

no, it works as router and shaping only

connect to the terminal, type in
/export file=forreview
go to Files (WinBox), grab that .rsc file, edit it with WordPad or a more serious editor to remove any passwords and attach it here. We can look at it and see what's happening.

you can tell me what do you want to see? i will post it on the forum. so, it is easier to read.

mm ... firewall, nat, QoS, L7, ip addressing, routes.. pretty much everything.

pls see below:

[badmin@MKN-BM-2] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; basic firewall
chain=input action=accept connection-state=established

1 chain=input action=accept connection-state=related

2 chain=input action=drop connection-state=invalid

3 chain=forward action=accept connection-state=established

4 chain=forward action=accept connection-state=related

5 chain=forward action=drop connection-state=invalid

[badmin@MKN-BM-2] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; nat-list
chain=srcnat action=src-nat to-addresses=203.176.129.48-203.176.129.63 src-address-list=nat-list out-interface=ether1-Outside

1 ;;; redirect dns
chain=dstnat action=redirect to-ports=53 protocol=tcp dst-port=53

2 chain=dstnat action=redirect to-ports=53 protocol=udp dst-port=53

[badmin@MKN-BM-2] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; customer
chain=forward action=mark-connection new-connection-mark=cus-conn passthrough=yes src-address=10.3.0.34

1 chain=forward action=mark-packet new-packet-mark=cus-up passthrough=no in-interface=vlan717 connection-mark=cus-conn

2 chain=forward action=mark-packet new-packet-mark=cus-down passthrough=no connection-mark=cus-conn

[badmin@MKN-BM-2] /queue tree> print
Flags: X - disabled, I - invalid
0 name="Total-Download" parent=global-out packet-mark="" limit-at=40000000 queue=default priority=8 max-limit=40000000
burst-limit=0 burst-threshold=0 burst-time=0s

1 name="Total-Upload" parent=global-out packet-mark="" limit-at=40000000 queue=default priority=8 max-limit=40000000 burst-limit=0 burst-threshold=0 burst-time=0s

2 name="384k-down" parent=Total-Download packet-mark="" limit-at=0 queue=default priority=8 max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s

3 name="384k-up" parent=Total-Upload packet-mark="" limit-at=384000 queue=default priority=8 max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s

4 name="cus-down" parent=384k-down packet-mark=cus-down limit-at=0 queue=default priority=8 max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s

5 name="cus-up" parent=384k-3-up packet-mark=cus-up limit-at=384000 queue=default priority=8 max-limit=384000 burst-limit=0 burst-threshold=0 burst-time=0s

i am not using L7.

chain=srcnat action=src-nat to-addresses=203.176.129.48-203.176.129.63 src-address-list=nat-list out-interface=ether1-Outside

could it be this? try with masquerade for a while...

That could be!

but i tried with public IP, it doesn't work also.

Can you fire up a couple of Wireshark protocol analyzers, one at the Server and one at the client, and see what is missing from the protocol?

Can the client ping the server? Can you establish a connection to another service on the servers ip address if any is running there?

Inside the equipment itself, voip device, has some tools that can test the connection from client side to server. the testing reported success all steps. but when the client try to connect and get service, the client report Error connection. that error reports that the connection was filtered by firewall ???? maybe Connection-Tracking is enable?? however, i cannot test to disable connection-tracking since the router is in operation (NAT).

Maybe your ISP is filtering a port or two...

Please try to sniff users packets during test and then during real service (failure). Could it be packets have some options set... ?

From what i wonder is that if i change to other router like Cisco Router, the connection works well. so, i think it should have some wrong with the mikrotik router.

What is the configuration of the Cisco router ? Exactly the same? Can you watch the connections on the Cisco router and see which ports are used... and gather other info to compare to the MikroTik router?

Contact Vonage support for connection and protocol technical details...

p.s. I could also look at the MT while it's live if you create an account for me.

NetworkPro, many thanks for your support. Really appreciate that!!!

My customer is using Cisco Router that is impossible me for to down again and interrupt him for test again. by the way, can i know you email address? will drop you an email if i have change to test with that customer again.

my purpose is find possible solution which i can work around later if i have the same problem happen again.

So, your solution is to monitor the traffic flow?? and do comparision?

cont.

on the cisco, it was simple routing configuration only.

Could it be a tunnel protocol problem?

Try a SrcNat using a single public IP for the sip device. A sip call is composed of two separate connections -- the sip call control and the rstp audio streams. You will likely be using different IPs for the srcnat on those and many sip/nat compensation schemes will not like that.

or maybe try using 'action=same' instead of 'action=src-nat'

if i use private IP, it would be NAT problem. but why public IP also has problem?

Any follow up on this I am having the exact same problem. Is it because the customer is behind a NAT on the AP and the CPE has a NAT? If this is correct I src/dst nat'd a separate public IP to the CPE's internal address and I then forwarded this onto the Vonage box. No luck just the same error of "Error Code 0004"

Any advice would be greatly appreciated thanks guys.

-Sincerely,
DesertAdmin

Try capturing the SIP packets from the customer and open the capture file with Wireshark. Notice the SDP message in the SIP Invite and see what IP the device is telling the SIP partner to send audio back to.

Ok how about using a pseudo bridge? Just a thought..

I have the setup like this.

Public IP on the AP xxx.xxx.xxx.10 and then the internal is using a masquarde of 192.168.183.1 so the CPE connects via MT with an external side of the CPE as 192.168.183.21 then it has its internal nat'd address of 192.168.165.1 so the Vonage then sits at 192.168.165.5. With knowing this would you suggest that the problem could be because it is a double nat?

I will run the wireshark tomorrow but for this evening I am just trying to draw it out. If I could I would rather not use a public Ip address or a bridge network I like to keep our customers behind double Nats like this. IS this a bad practice? If so what is recommended. I am not the smartest so please explain in details a better route or point out my faults on this. Thank you

-Sincerely,
DesertAdmin

Try capturing the SIP packets from the customer and open the capture file with Wireshark. Notice the SDP message in the SIP Invite and see what IP the device is telling the SIP partner to send audio back to.

This would be the next step to diagnosing this problem. Also monitor the replies from Vonage on UDP port 5060/5061. SIP is a signaling protocol, used to establish an RTP media session on another UDP port. There is no way to statically forward ports back to the customers SIP device as you don't know which ephemeral RTP port is being used for the audio. I believe there are iptables/conntrack decoders for SIP that will allow it through the firewall dynamically.

Vonage targets the consumer, who 99% of the time has a little wifi AP in their home, so most of their target market is behind NAT. I believe they use the STUN protocol to traverse NAT routers. Do you know what specific ATA the customer has?

The ATA they are using ( i think this is what you are referring to) is the Vonage V-portal router with support for up to 2 Vonage lines and one WAN port and one LAN port .


-Sincerely,
DesertAdmin

Here is what Vonage says about ports: http://www.vonage.com/support.php?article=1098&topic=20

Does the call signaling work at all (if you call your cell phone from the Vonage line, does your cell phone ring), or is this a problem with audio not being passed (if so, in one direction .. or both?)

Well the Pseudo bridge did work I guess Vonage doe snot like to exist behind a double nat'ed firewall. The problem was resolved with the error on the VBOX. The problem is now it sound slike water. So I have implemented the VOIP QOS through our our network. This has helped but I thinkt he problem now is their TX up fluctuates due to some noise on the CPE side via their wireless connection. I am currently going to re-work that tower and see if we can get a better signal out to him. Thanks for all of your help and suggestions.

-Sincerely,
DesertAdmin

See this URL from Vonage, it seems to be port forwarding issue, I have the same problem, I solve the Inbound but Outbound is not working, it is a one-way-audio.
https://support.vonage.com/app/answers/ ... forwarding

Appreciate your inputs here...

Thanks in advance,
RAM