Xarconen
just joined
Topic Author
Posts: 1
Joined: Wed Feb 18, 2015 11:52 am

PBX and NAT

Wed Feb 18, 2015 11:56 am

Hello.

We are faced with the following problem: we have an IP-PBX connected to a MikroTik RB750 router (current firmware 3.09).

Our ISP has set strict conditions: service information should go to IP address 94.230.138.71 on port 5060, and voice traffic to IP address 94.230.138.77 on ports 9000-12000.

The PBX itself is not capable of working like that.
So it was decided to make a SIP server on IP 94.230.138.77 and redirect all packets going to port 5060 to the 94.230.138.71 IP.

NAT rules were set to the following:
 
ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=172.29.35.36 \
    dst-port=0-65535 protocol=udp to-addresses=192.168.61.1
add action=dst-nat chain=dstnat disabled=no protocol=udp src-address=\
    192.168.61.1 src-port=5060 to-addresses=94.230.138.71 to-ports=5060
add action=masquerade chain=srcnat comment="Added by webbox" disabled=no \
    out-interface=ether1-gateway to-addresses=0.0.0.0
 
But in "Connections" we can see that the packets are still going to the *.77 IP.
Can you please point out any mistakes in these rules and, if possible, provide the correct solution for our conditions?
 
Big thanks in advance.
 
lz1dsb
Member Candidate
Posts: 222
Joined: Wed Aug 07, 2013 11:48 am

Re: PBX and NAT

Wed Feb 18, 2015 3:41 pm

That is because you use the "masquerade" option. Masquerade means to "mask" all sessions from the inside to the outside network using the outbound IP address. In order to change that, use "src-nat"; this should fix it.
 
DLNoah
Member Candidate
Posts: 144
Joined: Fri Nov 12, 2010 5:33 pm

Re: PBX and NAT

Wed Feb 18, 2015 4:01 pm

add action=dst-nat chain=dstnat disabled=no protocol=udp src-address=\
    192.168.61.1 src-port=5060 to-addresses=94.230.138.71 to-ports=5060
Your problem is most likely with this rule. What you're looking for is packets that match the following:
Source Address = 192.168.61.1:5060 (udp)
Destination = ANY:ANY

And then when you find those packets, you're rewriting the destination to be
New Destination = 94.230.138.71:5060

So, your rule won't match if (1) your phone server is on a different IP than 192.168.61.1 or (2) your phone server uses a randomly chosen high-numbered port for the source port for SIP traffic (which is actually quite possible).

The more precise matching rule, based on your description, would be:
add action=dst-nat chain=dstnat disabled=no protocol=udp dst-address=\
    94.230.138.77 dst-port=5060 to-addresses=94.230.138.71 to-ports=5060
Caveats:
- If you're using SIP over TCP, then you need to change the protocol from udp to tcp. If you don't know which you're using, I would recommend copying the rule so you have both tcp and udp covered.
- Depending on how your VoIP provider handles NAT'd traffic, this may still wind up not working correctly. At a minimum, you need to make sure that the SIP "service port" is enabled within the MikroTik. With the SIP service port enabled, the MikroTik will use special handling for the SIP connections, to ensure that the NAT sessions stay open long enough that you will continue to receive calls. Even with the SIP service port, however, you need to make sure your phone server is registering with (or sending other SIP traffic to) your VoIP provider at least once every 60 minutes.

lz1dsb's post is completely wrong.
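
The matching difference described in the reply above, as an added Python sketch that is not part of the thread: a simplified first-match model of the dstnat chain (not RouterOS itself) run over constructed packets. The address 192.168.61.10 and the source ports are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class DstNatRule:
    # Simplified model of one dstnat rule; a matcher left as None matches anything.
    to_addr: str
    to_port: int
    proto: Optional[str] = None
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = [(self.proto, p.proto), (self.src, p.src), (self.sport, p.sport),
                 (self.dst, p.dst), (self.dport, p.dport)]
        return all(want is None or want == got for want, got in pairs)

def dst_nat(rules, p):
    # First matching rule rewrites the destination; otherwise it is unchanged.
    for rule in rules:
        if rule.matches(p):
            return (rule.to_addr, rule.to_port)
    return (p.dst, p.dport)

# The two rules from the thread, reduced to their matchers.
ORIGINAL = [DstNatRule("94.230.138.71", 5060, proto="udp", src="192.168.61.1", sport=5060)]
PROPOSED = [DstNatRule("94.230.138.71", 5060, proto="udp", dst="94.230.138.77", dport=5060)]

# Constructed packets (source ports and 192.168.61.10 are assumptions).
SAMPLES = {
    "sip, source port 5060":  Packet("udp", "192.168.61.1", 5060, "94.230.138.77", 5060),
    "sip, ephemeral port":    Packet("udp", "192.168.61.1", 49152, "94.230.138.77", 5060),
    "sip, PBX on another IP": Packet("udp", "192.168.61.10", 5060, "94.230.138.77", 5060),
    "sip over tcp":           Packet("tcp", "192.168.61.1", 49152, "94.230.138.77", 5060),
    "voice (rtp)":            Packet("udp", "192.168.61.1", 10000, "94.230.138.77", 9000),
}

def compare():
    return {name: (dst_nat(ORIGINAL, p), dst_nat(PROPOSED, p)) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:24} original -> {old[0]}:{old[1]:<5} proposed -> {new[0]}:{new[1]}")
```

The tcp row stays on 94.230.138.77 under both rules, which is the case the first caveat covers by duplicating the rule for tcp.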
