Community discussions

MikroTik App
 
kup4ooo
just joined
Topic Author
Posts: 10
Joined: Tue Apr 15, 2014 12:43 pm

Problem with external SIP clients and IpSec/L2TP

Tue Apr 15, 2014 12:56 pm

Hi All,
I have problem with my external SIP phones.
When I am in the same lan with the laptop and one of the phones as example
and I make a ipsec/l2tp connection from the laptop the phone disconects from the SIP and give time out on registraton.
When some time pass after I disconnect the vpn connection the phone makes the registration successfull.


RB2011UAS-2HnD
This are my firewall settings:

192.168.20.2 - IP of the SIP Server
XXX.XXX.XXX.XXX - external IP of the router

# apr/15/2014 09:09:01 by RouterOS 6.4
# software id = 9LHA-SJ05
#
/ip firewall filter
add chain=input dst-port=5060-5082,10000-20000 protocol=udp
add chain=forward dst-port=5060-5082,10000-20000 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="Default NAT  rule" out-interface=\
    bridgeWan src-address=192.168.20.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=5060-5082,10000-20000 \
    protocol=udp to-addresses=192.168.20.2
add action=dst-nat chain=dstnat disabled=yes dst-port=5060-5061 protocol=tcp \
    to-addresses=192.168.20.2
add action=netmap chain=dstnat comment="SIP TCP 5060 IN" dst-address=\
    XXX.XXX.XXX.XXX  dst-port=5060 in-interface=bridgeWan protocol=tcp \
    src-address=0.0.0.0/0 to-addresses=192.168.20.2 to-ports=5060
add action=netmap chain=dstnat comment="SIP UDP 5060-5082 IN" dst-address=\
    XXX.XXX.XXX.XXX  dst-port=5060-5082 in-interface=bridgeWan protocol=udp \
    src-address=0.0.0.0/0 to-addresses=192.168.20.2 to-ports=5060-5082
add action=netmap chain=dstnat comment="RTP 10000-20000 IN" dst-address=\
    XXX.XXX.XXX.XXX dst-port=10000-20000 in-interface=bridgeWan protocol=udp \
    src-address=0.0.0.0/0 to-addresses=192.168.20.2 to-ports=10000-20000
add action=netmap chain=srcnat comment="SIP TCP 5060 OUT" protocol=tcp \
    src-address=192.168.20.2 src-port=5060 to-ports=5060
add action=netmap chain=srcnat comment="SIP UDP 5060-5082 OUT" protocol=udp \
    src-address=192.168.20.2 src-port=5060-5082 to-ports=5060
add action=netmap chain=srcnat comment="RTP UDP 10000-20000 OUT" protocol=udp \
    src-address=192.168.20.2 src-port=10000-20000 to-ports=10000-20000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
Also I have problems whith the SIP provider - The server works perfectly on one linksys router with forwarded
5060 TCP/UDP, 5061-5082UDP, 10000-20000UDP to the server.
Now I cant make external SIP calls. Nothing is changed in the server, so I think that the problem is in the firewall.

Where I am wrong?
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: Problem with external SIP clients and IpSec/L2TP

Tue Apr 15, 2014 2:01 pm

Hi All,
I have problem with my external SIP phones.
When I am in the same lan with the laptop and one of the phones as example
and I make a ipsec/l2tp connection from the laptop the phone disconects from the SIP and give time out on registraton.
When some time pass after I disconnect the vpn connection the phone makes the registration successfull.


RB2011UAS-2HnD
This are my firewall settings:

192.168.20.2 - IP of the SIP Server
XXX.XXX.XXX.XXX - external IP of the router

# apr/15/2014 09:09:01 by RouterOS 6.4
# software id = 9LHA-SJ05
#
/ip firewall filter
add chain=input dst-port=5060-5082,10000-20000 protocol=udp
add chain=forward dst-port=5060-5082,10000-20000 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="Default NAT  rule" out-interface=\
    bridgeWan src-address=192.168.20.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=5060-5082,10000-20000 \
    protocol=udp to-addresses=192.168.20.2
add action=dst-nat chain=dstnat disabled=yes dst-port=5060-5061 protocol=tcp \
    to-addresses=192.168.20.2
add action=netmap chain=dstnat comment="SIP TCP 5060 IN" dst-address=\
    XXX.XXX.XXX.XXX  dst-port=5060 in-interface=bridgeWan protocol=tcp \
    src-address=0.0.0.0/0 to-addresses=192.168.20.2 to-ports=5060
add action=netmap chain=dstnat comment="SIP UDP 5060-5082 IN" dst-address=\
    XXX.XXX.XXX.XXX  dst-port=5060-5082 in-interface=bridgeWan protocol=udp \
    src-address=0.0.0.0/0 to-addresses=192.168.20.2 to-ports=5060-5082
add action=netmap chain=dstnat comment="RTP 10000-20000 IN" dst-address=\
    XXX.XXX.XXX.XXX dst-port=10000-20000 in-interface=bridgeWan protocol=udp \
    src-address=0.0.0.0/0 to-addresses=192.168.20.2 to-ports=10000-20000
add action=netmap chain=srcnat comment="SIP TCP 5060 OUT" protocol=tcp \
    src-address=192.168.20.2 src-port=5060 to-ports=5060
add action=netmap chain=srcnat comment="SIP UDP 5060-5082 OUT" protocol=udp \
    src-address=192.168.20.2 src-port=5060-5082 to-ports=5060
add action=netmap chain=srcnat comment="RTP UDP 10000-20000 OUT" protocol=udp \
    src-address=192.168.20.2 src-port=10000-20000 to-ports=10000-20000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
Also I have problems whith the SIP provider - The server works perfectly on one linksys router with forwarded
5060 TCP/UDP, 5061-5082UDP, 10000-20000UDP to the server.
Now I cant make external SIP calls. Nothing is changed in the server, so I think that the problem is in the firewall.

Where I am wrong?
set sip disabled=no

put "/export compact" results on the forum
 
kup4ooo
just joined
Topic Author
Posts: 10
Joined: Tue Apr 15, 2014 12:43 pm

Re: Problem with external SIP clients and IpSec/L2TP

Tue Apr 15, 2014 2:14 pm

I try this befor - but isn't work.
I have ports 5060 and 5061 on SIP service port.

I add some other rules to the filter and try again with enabled sip service port,
but there is the same situation:
I am now in outside for the router lan network. I can't make a VPN brige to the router.
In this lan I have only one computer and one phone.
When the computer makes a vpn connection to the router the phone disconnects from the sip.
In all other time everything working well.
Is there some mess between vpn tunel and sip rules?

I folow this tutorial for the VPN:
http://mahidulsblog.blogspot.com/search ... 0router%3A
/ip firewall filter
add chain=input dst-port=5060-5082,10000-20000 protocol=udp
add chain=input dst-port=5060-5061 protocol=tcp
add chain=forward dst-port=5060-5082,10000-20000 protocol=udp
add chain=forward dst-port=5060-5061 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="Default NAT  rule" out-interface=\
    bridgeWan src-address=192.168.20.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=5060-5082,10000-20000 \
    protocol=udp to-addresses=192.168.20.2
add action=dst-nat chain=dstnat disabled=yes dst-port=5060-5061 protocol=tcp \
    to-addresses=192.168.20.2
add action=netmap chain=dstnat comment="SIP TCP 5060 IN" dst-address=\
    XXX.XXX.XXX.XXX dst-port=5060 in-interface=bridgeWan protocol=tcp \
    src-address=0.0.0.0/0 to-addresses=192.168.20.2 to-ports=5060
add action=netmap chain=dstnat comment="SIP UDP 5060-5082 IN" dst-address=\
    XXX.XXX.XXX.XXX dst-port=5060-5082 in-interface=bridgeWan protocol=udp \
    src-address=0.0.0.0/0 to-addresses=192.168.20.2 to-ports=5060-5082
add action=netmap chain=dstnat comment="RTP 10000-20000 IN" dst-address=\
    XXX.XXX.XXX.XXX dst-port=10000-20000 in-interface=bridgeWan protocol=udp \
    src-address=0.0.0.0/0 to-addresses=192.168.20.2 to-ports=10000-20000
add action=netmap chain=dstnat comment="HTTP" dst-address=\
    XXX.XXX.XXX.XXX dst-port=8182 in-interface=bridgeWan protocol=tcp \
    src-address=0.0.0.0/0 to-addresses=192.168.20.2 to-ports=80
add action=netmap chain=dstnat comment=SSH dst-address=XXX.XXX.XXX.XXX \
    dst-port=22022 in-interface=bridgeWan protocol=udp src-address=0.0.0.0/0 \
    to-addresses=192.168.20.2 to-ports=22
add action=netmap chain=dstnat comment=SSH dst-address=XXX.XXX.XXX.XXX \
    dst-port=22022 in-interface=bridgeWan protocol=tcp src-address=0.0.0.0/0 \
    to-addresses=192.168.20.2 to-ports=22
add action=netmap chain=srcnat comment="SIP TCP 5060 OUT" disabled=yes \
    protocol=tcp src-address=192.168.20.2 src-port=5060 to-ports=5060
add action=netmap chain=srcnat comment="SIP UDP 5060-5082 OUT" disabled=yes \
    protocol=udp src-address=192.168.20.2 src-port=5060-5082 to-ports=5060
add action=netmap chain=srcnat comment="RTP UDP 10000-20000 OUT" disabled=yes \
    protocol=udp src-address=192.168.20.2 src-port=10000-20000 to-ports=\
    10000-20000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes
 
ibm
Member
Member
Posts: 306
Joined: Mon May 12, 2014 5:16 pm

Re: Problem with external SIP clients and IpSec/L2TP

Fri Jul 29, 2016 5:00 pm

I've this same problem with 6.34.6
Anyone solved it?
 
anschluss
just joined
Posts: 14
Joined: Fri Mar 30, 2018 3:46 pm

Re: Problem with external SIP clients and IpSec/L2TP

Wed Apr 14, 2021 8:00 pm

I know it's an old thread - but I still have this problem with 6.47.9. Does anybody have an idea why as soon as an L2TP/IPsec connection is made from a device in the same subnet, SIP fails (connected devices de-register, and cannot re-register)?

Who is online

Users browsing this forum: CGGXANNX, godel0914 and 67 guests