bholler
Trainer
Topic Author
Posts: 82
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

SIP behind hotspot

Tue Sep 06, 2005 10:58 pm

hello,

Can anyone assist me with a guide on how to make SIP work behind HS? The SIP phone did not work after I set it up on the MT controller.

Thanks
Mikrotik Certified Trainer Partner, MTCNA, MTCTCE, MTCWE, MTCRE. YIM: oseniabiola Skye: habholler1, Tel.+2348060319130, +2348182556717, Email: abiola@trisatcom.net
 
spire2z
Long time Member
Posts: 517
Joined: Mon Feb 14, 2005 2:48 am

Wed Sep 07, 2005 2:44 pm

I have used SIP through a NAT MT router successfully but not using Hotspot. Is the hotspot just authenticating or does it do more firewalling etc?
 
bholler
Trainer
Topic Author
Posts: 82
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Wed Sep 07, 2005 4:33 pm

Yes, it is doing firewalling, and the only firewall rules I applied were the virus rules that I exported from demo.mt.lv. I placed it behind another MT router that is without HS but with firewall rules, and there was no problem.
 
spire2z
Long time Member
Posts: 517
Joined: Mon Feb 14, 2005 2:48 am

Sat Sep 10, 2005 2:55 pm

I guess you must check you're not blocking any SIP ports first. I don't fully get your config either when you say you have 2 MT boxes one behind another? Maybe there is some problem in how your network is set up? Can you give more detail?
 
bholler
Trainer
Topic Author
Posts: 82
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Sat Sep 10, 2005 8:35 pm

=======MT1===========CYBERCAFE
|
FC2===|
|
=======MT2(HOTSPOT CONTROLLER)===APs


That is my network setup.

The SIP phone did not work behind MT2 but worked behind MT1. I have source-NAT and a lot more firewall rules on MT1 than on MT2. The only firewall rules on MT2 are the hotspot ones and the virus rules I fetched from the MikroTik demo router.

Can anyone tell me what is missing? Below is the export from the firewall.

/ ip firewall
set input name="input" policy=accept comment=""
set forward name="forward" policy=accept comment=""
set output name="output" policy=accept comment=""
add name="virus" policy=none comment=""
add name="hotspot-temp" policy=none comment="limit unauthorized hotspot \
clients"
add name="hotspot" policy=none comment="account authorized hotspot clients"
/ ip firewall rule forward
add in-interface=hotspot1 action=jump jump-target=hotspot-temp comment="limit \
access for unauthorized hotspot clients" disabled=no
add action=jump jump-target=hotspot comment="account traffic for authorized \
hotspot clients" disabled=no
add action=jump jump-target=virus log=yes comment="jump 2 virus" disabled=no
/ ip firewall rule hotspot
/ ip firewall rule hotspot-temp
add flow=hs-auth action=return comment="return, if connection is authorized" \
disabled=no
add protocol=icmp action=return comment="allow ping requests" disabled=no
add dst-address=:53 protocol=udp action=return comment="allow dns requests" \
disabled=no
add action=reject comment="reject access for unauthorized hotspot clients" \
disabled=no
/ ip firewall rule input
add in-interface=hotspot1 dst-address=:80 protocol=tcp action=jump \
jump-target=hotspot comment="account traffic from hotspot clients to \
hotspot servlet" disabled=no
add in-interface=hotspot1 dst-address=:80 protocol=tcp action=accept \
comment="accept requests for hotspot servlet" disabled=no
add in-interface=hotspot1 dst-address=:67 protocol=udp action=accept \
comment="accept requests for local DHCP server" disabled=no
add in-interface=hotspot1 action=jump jump-target=hotspot-temp comment="limit \
access for unauthorized hotspot clients" disabled=no
add dst-address=:53 protocol=udp action=accept comment="" disabled=no
add action=jump jump-target=virus comment="jump2 virus" disabled=no
/ ip firewall rule output
add src-address=:80 out-interface=hotspot1 protocol=tcp action=jump \
jump-target=hotspot comment="account traffic from hotspot servlet to \
hotspot clients" disabled=yes
/ ip firewall rule virus
add dst-address=:135-139 protocol=tcp action=drop comment="Drop Blaster Worm" \
disabled=no
add dst-address=:135-139 protocol=udp action=drop comment="Drop Messenger \
Worm" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" \
disabled=no
add dst-address=:445 protocol=udp action=drop comment="Drop Blaster Worm" \
disabled=no
add dst-address=:593 protocol=tcp action=drop comment="________" disabled=no
add dst-address=:1024-1030 protocol=tcp action=drop comment="________" \
disabled=no
add dst-address=:1080 protocol=tcp action=drop comment="Drop MyDoom" \
disabled=no
add dst-address=:1214 protocol=tcp action=drop comment="________" disabled=no
add dst-address=:1363 protocol=tcp action=drop comment="ndm requester" \
disabled=no
add dst-address=:1364 protocol=tcp action=drop comment="ndm server" \
disabled=no
add dst-address=:1368 protocol=tcp action=drop comment="screen cast" \
disabled=no
add dst-address=:1373 protocol=tcp action=drop comment="hromgrafx" \
disabled=no
add dst-address=:1377 protocol=tcp action=drop comment="cichlid" disabled=no
add dst-address=:1433-1434 protocol=tcp action=drop comment="Worm" \
disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Bagle Virus" \
disabled=no
add dst-address=:2283 protocol=tcp action=drop comment="Drop Dumaru.Y" \
disabled=no
add dst-address=:2535 protocol=tcp action=drop comment="Drop Beagle" \
disabled=no
add dst-address=:2745 protocol=tcp action=drop comment="Drop Beagle.C-K" \
disabled=no
add dst-address=:3127 protocol=tcp action=drop comment="Drop MyDoom" \
disabled=no
add dst-address=:3410 protocol=tcp action=drop comment="Drop Backdoor \
OptixPro" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="Worm" disabled=no
add dst-address=:4444 protocol=udp action=drop comment="Worm" disabled=no
add dst-address=:5554 protocol=tcp action=drop comment="Drop Sasser" \
disabled=no
add dst-address=:8866 protocol=tcp action=drop comment="Drop Beagle.B" \
disabled=no
add dst-address=:9898 protocol=tcp action=drop comment="Drop Dabber.A-B" \
disabled=no
add dst-address=:10000 protocol=tcp action=drop comment="Drop Dumaru.Y" \
disabled=no
add dst-address=:10080 protocol=tcp action=drop comment="Drop MyDoom.B" \
disabled=no
add dst-address=:12345 protocol=tcp action=drop comment="Drop NetBus" \
disabled=no
add dst-address=:17300 protocol=tcp action=drop comment="Drop Kuang2" \
disabled=no
add dst-address=:27374 protocol=tcp action=drop comment="Drop SubSeven" \
disabled=no
add dst-address=:65506 protocol=tcp action=drop comment="Drop PhatBot, \
Agobot, Gaobot" disabled=no
add dst-address=:5555 protocol=tcp action=drop comment="" disabled=no
add src-address=:445 protocol=tcp action=drop comment="Drop Blaster Worm" \
disabled=yes
add src-address=:135-139 protocol=udp action=drop comment="Drop Messenger \
Worm" disabled=yes
add src-address=:445 protocol=udp action=drop comment="Drop Blaster Worm" \
disabled=yes
add src-address=:135-139 protocol=tcp action=drop comment="Drop Messenger \
Worm" disabled=yes
/ ip firewall service-port
set ftp ports=21 disabled=no
set pptp disabled=yes
set gre disabled=yes
set h323 disabled=yes
set mms disabled=no
set irc ports=6667 disabled=no
set quake3 disabled=no
set tftp ports=69 disabled=no
/ ip firewall mangle
add in-interface=internet action=passthrough mark-flow=internet_packet \
comment="" disabled=yes
add in-interface=hotspot1 action=passthrough mark-flow=local_packet \
comment="" disabled=yes
/ ip firewall src-nat
add src-address=10.5.50.0/24 action=masquerade comment="masquerade hotspot \
network" disabled=yes
/ ip firewall dst-nat
add dst-address=:53 protocol=udp action=redirect comment="intercept all DNS \
requests" disabled=no
add in-interface=hotspot1 protocol=tcp flow=!hs-auth action=redirect \
to-dst-port=80 comment="redirect unauthorized hotspot clients to hotspot \
service" disabled=no
add dst-address=:25 protocol=tcp action=nat to-dst-address=192.168.28.254 \
comment="send e-mails through our SMTP server" disabled=no
add in-interface=hotspot1 dst-address=:80 protocol=tcp action=redirect \
to-dst-port=80 comment="transparent HTTP proxy for hotspot clients" \
disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=2m tcp-syn-received-timeout=1m \
tcp-established-timeout=5d tcp-fin-wait-timeout=2m \
tcp-close-wait-timeout=1m tcp-last-ack-timeout=30s \
tcp-time-wait-timeout=2m tcp-close-timeout=10s udp-timeout=30s \
udp-stream-timeout=3m icmp-timeout=30s generic-timeout=10m
 
goldclick
Frequent Visitor
Posts: 51
Joined: Fri Sep 17, 2004 10:48 pm
Location: Nigeria

Sun Sep 11, 2005 12:21 am

bholler,

Remember that every device behind the hotspot is required to log in to the hotspot before traffic can pass. Your SIP phone will not work behind MT2 because the hotspot firewall rules redirect all the traffic until authenticated. You can use the walled garden feature to allow your SIP phone to register and make calls. Another way is to set up a mangle rule bypassing the IP address of your SIP phone from the hotspot, as this would save you time finding out the register and session ports of your SIP server.

/ ip firewall mangle add src-address=192.168.3.200/32 action=accept mark-flow=hs-auth

The above assumes your SIP phone IP is 192.168.3.200 and that the default MT hotspot setup process was used.

In 2.9, this is much easier using the bypass feature in IP hotspot binding, which allows you to bypass a host's MAC/IP pair from the hotspot.

Sonny.
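As an added illustration of the two approaches Sonny describes, in RouterOS 2.9 syntax rather than the 2.8 export above (this is not from the thread): an ip-binding that bypasses the phone, and a walled-garden ip entry that lets clients reach only the SIP server before logging in. The phone MAC, the server address 203.0.113.10 and the RTP port range are assumed placeholders; the phone IP 192.168.3.200 is the one used in the reply above.

```routeros
# Added example, not part of the original thread. Assumed values:
# phone IP 192.168.3.200, phone MAC 00:0C:29:AA:BB:CC,
# SIP server 203.0.113.10, RTP media range 10000-20000 (server-specific).

# Option 1 (RouterOS 2.9+): bypass the phone entirely.
# Bind the MAC and IP together so another client cannot inherit the bypass
# simply by configuring the phone's IP address on itself. A bypassed host is
# neither authenticated nor accounted by the hotspot, so keep this to the
# phone only.
/ip hotspot ip-binding add mac-address=00:0C:29:AA:BB:CC address=192.168.3.200 \
    type=bypassed comment="SIP phone - no hotspot login"

# Option 2: keep the phone a normal hotspot client but open the walled garden
# only towards the SIP server: signalling (5060/udp) and media (RTP range).
# Restricting dst-address to the server avoids opening 5060 to the whole
# Internet for every unauthenticated client.
/ip hotspot walled-garden ip add dst-address=203.0.113.10 protocol=udp \
    dst-port=5060 action=accept comment="SIP registration and signalling"
/ip hotspot walled-garden ip add dst-address=203.0.113.10 protocol=udp \
    dst-port=10000-20000 action=accept comment="RTP media, range is server-specific"

# Check: the phone should appear with the bypassed flag in the host list.
/ip hotspot host print
```

With option 2 the phone still has to reach the server's actual RTP range, so confirm that range with the SIP server rather than assuming the placeholder above.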
