haakon
just joined
Topic Author
Posts: 19
Joined: Sat May 02, 2009 6:02 pm

Too perfect / too conformant

Thu Nov 26, 2009 4:11 pm

Hi,

We are installing a RouterBoard 1000 at a customer's site, to control their network.

The problem is that they are hosting AltiGen phones using H323 with a firmware with a TCP bug.

Only half the time you start a phone call, the call gets set up; the other half, the phone aborts. After a lot of wiresharking, I have found out that EACH time you start a new call, the phone tries to connect to port 1720 (h225) to set up the call.

BUT, it uses the same sequence number in the TCP packet EVERY TIME.

I guess that RouterOS sees that the sequence number suddenly is too low, and rejects the packet. Which in all other cases would be a good thing. But in my case, this makes the phones unusable. :(

Is there any possibility to make RouterOS not automatically reject routing of these packets?

Firmware upgrade of the phones is not an option, as AltiGen has stopped using H323. But licensing costs prevent us from converting all the phones to SIP.
It would have cost a fortune!

A Linux router was firewalling the network before, and did just let the malformed TCP packets pass.

Regards,
Håkon
--
Håkon Nessjøen
<haakon.nessjoen[a]gmail.com>
 
andreacoppini
Trainer
Posts: 489
Joined: Wed Apr 13, 2005 11:51 pm
Location: Malta, Europe

Re: Too perfect / too conformant

Thu Nov 26, 2009 4:19 pm

If you're not using any Mangle or NAT rules, you could turn Connection Tracking off. This way you would lose all stateful inspection features of the firewall, and this way it should ignore the sequence number.
- No strings attached -
 
haakon
just joined
Topic Author
Posts: 19
Joined: Sat May 02, 2009 6:02 pm

Re: Too perfect / too conformant

Thu Nov 26, 2009 4:44 pm

> If you're not using any Mangle or NAT rules, you could turn Connection Tracking off. This way you would lose all stateful inspection features of the firewall, and this way it should ignore the sequence number.

Thanks! I searched for an option like this... But I didn't see the forest for the trees ;)

I am using NAT and mangle, but I set the timeout variables to lower values, and now everything works!

Thanks!
--
Håkon Nessjøen
<haakon.nessjoen[a]gmail.com>
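
An added example, not part of the thread and not code from any poster: a Python check for the symptom described in the first post, a client that opens every new connection to port 1720 with the same TCP initial sequence number. The function names are hypothetical, and the addresses, ports and sequence values in the sample are constructed.

```python
import socket
import struct
from collections import Counter

H225_PORT = 1720  # call-signalling port named in the thread


def parse_syn(pkt: bytes):
    """Return (src, dst, dport, seq) for an IPv4 TCP SYN without ACK, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != socket.IPPROTO_TCP:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # IPv4 header length in bytes
    if len(pkt) < ihl + 14:
        return None
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    _sport, dport, seq, _ack, off_flags = struct.unpack("!HHIIH", pkt[ihl:ihl + 14])
    if off_flags & 0x12 == 0x02:  # SYN set, ACK clear: a new connection attempt
        return src, dst, dport, seq
    return None


def reused_isns(packets, port=H225_PORT):
    """Map (src, dst, seq) -> count for ISNs seen on more than one SYN to `port`."""
    seen = Counter()
    for pkt in packets:
        syn = parse_syn(pkt)
        if syn and syn[2] == port:
            seen[(syn[0], syn[1], syn[3])] += 1
    return {key: n for key, n in seen.items() if n > 1}


def build_packet(src, dst, sport, dport, seq, flags):
    """Constructed test input: minimal IPv4 + TCP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 8192, 0, 0)
    return ip + tcp


SAMPLE = [  # constructed capture: one phone repeating its ISN, one normal host
    build_packet("192.0.2.10", "192.0.2.1", 1030, 1720, 0x1000, 0x02),
    build_packet("192.0.2.10", "192.0.2.1", 1031, 1720, 0x1000, 0x02),
    build_packet("192.0.2.10", "192.0.2.1", 1032, 1720, 0x1000, 0x02),
    build_packet("192.0.2.20", "192.0.2.1", 4000, 1720, 0x5A5A0001, 0x02),
    build_packet("192.0.2.1", "192.0.2.10", 1720, 1030, 0x77, 0x12),  # SYN-ACK
]

if __name__ == "__main__":
    print(reused_isns(SAMPLE))
```

The input is raw IPv4 packets with the link-layer header already stripped; a host that shows up in the result is one whose new connections a stateful firewall may treat as out-of-window segments of an earlier connection.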
