/ip firewall connection remove [find where src-address~"\^client's_ip:"]
/ip firewall connection remove [/find where dst-address~"192.168.2.200"]
I tried the script but it doesn't work. I did include an ip address. I don't see anything in my logs te help me find the fault.
sounds a bit like 'RouterOS routes the SIP client through the VPN, but still NATted with WAN address - because it's imppossible to re-NAT established connection'...Once the interface does come up (seconds after the WAN is online), Mikrotik will not route the SIP client down the VPN, but continue it out the WAN.
and all that time pppoe is up, without disconnects?SIP UDP sessions need to be refreshed with a script every few hours to maintain registration when gateway is a pppoe interface.
can't you just forbid (in Firewall Filter) that connection over Internet, and allow it only via PPTP?PPTP connection takes some time to establish, so routerboard first tries to route the connection over internet NAT and remembers this wrong route for an hour! I have to kill the connection manually to get the phone working.
Timeout is being reset each time a packet matching the state hits the router, no matter what direction this packet is passing in.However, the issue as I see it is that it should only do this for as long as the timeout is valid. After which it should drop the rule and re-establish it when required. What it does instead is that the timeout starts counting up instead of down and never disappears.
I'm not really sure of it ..I've just made a test monitoring 'sip' conn tracking: making a call (sip invite) I've seen no update on timeout.Timeout is being reset each time a packet matching the state hits the router, no matter what direction this packet is passing in.
I've different 'masquerade/src-nat' rules for every outbound wan connections (so I presume the rule must go 'invalid' changing wan conn); I've just made a simple test and the 'assured contrack item' never invalidates on failover.Not sure if it helps, but have you tried specifying out-interface in your NAT rules? Please note though that in this case you might need to have several NAT rules (one for each out-interface).
/ip firewall connection remove [/ip firewall connection find where connection-type="sip" and connection-mark="w1c" and reply-dst-address~"184.108.40.206"] /ip firewall connection remove [/ip firewall connection find where connection-type="sip" and connection-mark="w2c" and reply-dst-address~"220.127.116.11"]
/ip firewall connection remove [/ip firewall connection find where connection-type="sip" and assured="no"]
[admin@MikroTik] > /ip firewall service-port disable sip
Nathan, if I've a Sip-PBX in lan I've usually disable SipAlg/helper and I make manual/specific rules for SIP and RTP, but if I've several Sip Phones which have to register to external it's really difficult to set up things (not all sip phones permit sip parameters fine tuning) ..you must do sip/rtp rules for each one's. Sometimes impossible, sometimes only .. boringCan your SIP application work without the Linux SIP ALG/NAT helper, and if so, have you tried just turning it off...
interesting .. but not really promisingIt sounds like the Linux SIP NAT helper disregards the UDP connection timeouts you specify for connection tracking. From http://www.dslreports.com/forum/r26935307-: "The reason I suggest disabling it is that one of its 'features' is that it causes SIP connections to disrespect the UDP Timeouts and time out after one hour."
Well, no, it's both interesting and promising. If we can pinpoint where the problem is, then that makes it easier to get specific when filing tickets with MikroTik, and perhaps even makes it easier to devise a workaround that can be used in the meantime. The better your understanding of the problem is, the more effective (and creative) you can be when you go to tackle it.interesting .. but not really promising
..from this point of view you are absolutely right!Well, no, it's both interesting and promising. If we can pinpoint where the problem is .. (cut)
This is really interesting and worth a try! ..time to setup an Asterisk test bed(cut) .. RTP audio (directmedia=no, directrtpsetup=no) and then force-enable "rport"/RFC3581 behavior and symmetric RTP port response for every remote peer (nat=yes) .. (cut) .. multiple SIP phones .. (cut) .. all phones work fine. No manual SIP or RTP rules per phone require ..(cut)
Still in 6.42.3Still got this issue in 6.41.
I've tried deleting connections but this doesnt always work. In this case the only thing to do is to reboot it. But it gals me to do that - this is about the only thing I have to reboot Mikrotik for. How sad thats its something so basic.
HI,Have you tried adding your custom ports to SIP Helper?
I found that a reboot on the router OR de-registering the sip phone and registering it again brings the extension back online after failover has taken place onto the new connection.
Good point. However, I've obtained an impression that this "zombie" behaviour is specific to connections handled by the SIP helper, and what I've pointed out was that in @Shane77's specific case, the SIP helper can be disabled completely with no impact on the service.If the connections get in that wierd state where the timeout starts counting up even deleting them doesn't work - even though they are gone from the connection list I think the that fact they have a timeout value means they still in effect somewhere. ... Only a reboot or disabling the wan interface clears them out properly.
In all my setups where SIP phones are behind a NAT, one of which is on Mikrotik, all the phones are registered to phone exchanges which deal with client side NAT themselves, which means that the SIP helpers of any kind are just disabled. And unfortunately none of my setups uses some type of failover setup and hosts SIP phones at the same time, it's either-or.May i ask one more thing of you and thats to point out a similar setup on the client side which i can follow in detail to check if i have accommodated for all that i can possible from the modem side right down to the MK.
Disabled the SIP port under IP -> Firewall - > Service Ports (ROS 6.47)Guys,
Can your SIP application work without the Linux SIP ALG/NAT helper, and if so, have you tried just turning it off...
...to see if that fixes the problem for you?
[admin@MikroTik] > /ip firewall service-port disable sip