sharkys
just joined
Topic Author
Posts: 22
Joined: Sun Jun 22, 2014 2:01 am

VoWifi - do not work

Mon Dec 11, 2023 1:22 am

Hi,
I'm struggling already for years with multifunctional VoWifi calls, but from Samsung phones only (S21 & S20, I knew in the past OnePlus 9 worked but had it only shortly). I thought it could be previously by my previous config (Edge Router with OpenWrt) but it turned out that, actually, after I switched over to MikroTik, it's the same - when I enable VoWifi on phone, I see icon but any outgoing calls are silent and better to say are ringing forever (I know that they ring on other side but are never connected through - when answered on other side, the phone stays in the "calling" phase).

I have contacted even my ISP, who didn't identify any problem and actually nobody reported such issue so far.
It's also not phone problem, because it works on other locations (Openwrt routers, different ISPs) so it's something specific to my ISP in combination to Samsung phones but no idea what.

Reading forums, I understood that the VoWifi traffic is happening on UDP / port 4500 - also Telec. provider says : Minimum requirements: For the call to proceed smoothly, the used Wi-Fi router must support the Internet security transfer of IP Sec and meet the following parameters: IP Protocol Type=ESP 50 and/or IP Protocol Type=UDP (Port=500), IP Protocol Type=UDP (Port=4500), NAT translation time-out setting under 2 minutes. The sending speed must be at least 100 kbit/s for a voice call and 1 Mbit/s for a video call.

Would anyone have any idea please, what could be wrong ?

/ip dns cache print where name~"3gpp"
Columns: NAME, TYPE, DATA, TTL
# NAME                               TYPE  DATA                TTL     
0 mnc001.mcc230.pub.3gppnetwork.org  NS    freya.t-mobile.cz.  9h12m44s
1 mnc001.mcc230.pub.3gppnetwork.org  NS    idunn.t-mobile.cz.  9h12m44s
AP has disabled firewall, I have tried also to setup AP via laptop to rule out AP issue - same behavior.

Sharing relevant configs for Routerboard (but I don't think it's issue - tried already some settings related to IPSEC, 4500 ports etc. - didn't have any effect)
# 2023-12-11 00:05:25 by RouterOS 7.13rc3
# software id = S5MY-N4ZX
#
# model = RB960PGS
# serial number = HF1XXXXXX
/interface bridge
add admin-mac=78:9A:XX:4D:XX:XX arp=proxy-arp auto-mac=no name=bridge \
    port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp comment="AP DOWN"
set [ find default-name=ether3 ] arp=proxy-arp comment="AP UP"
set [ find default-name=ether4 ] arp=proxy-arp
set [ find default-name=ether5 ] arp=proxy-arp
set [ find default-name=sfp1 ] \
    mac-address=E0:5A:9F:XX:XX:XX name="sfp1 IGN WAN"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10 trusted=yes
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10 trusted=yes
/interface bridge settings
set use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set icmp-timeout=30s loose-tcp-tracking=no udp-stream-timeout=6m udp-timeout=\
    30s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set arp-timeout=20m max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=WAN internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface l2tp-server server
set default-profile=pptp_profile use-ipsec=yes
/interface list member
add interface=bridge list=LAN
add interface="sfp1 IGN WAN" list=WAN
/ip firewall address-list
add address=10.2.0.1-10.2.0.10 list=safe_ip_never_block
/ip firewall filter
add action=jump chain=forward comment="jump to kid-control rules" \
    jump-target=kid-control
add action=accept chain=input comment="VPN: allow L2TP" dst-port=1701 \
    in-interface=all-ethernet protocol=udp
add action=accept chain=input comment="VPN: allow IPsec NAT-T" dst-port=4500 \
    in-interface=all-ethernet protocol=udp
add action=accept chain=input in-interface="sfp1 IGN WAN" protocol=ipsec-esp
add action=accept chain=input in-interface="sfp1 IGN WAN" protocol=ipsec-ah
add action=accept chain=input comment=Allow-ISAKMP dst-port=500 in-interface=\
    "sfp1 IGN WAN" protocol=udp
add action=drop chain=input comment="DNS block from WAN" dst-port=53 \
    in-interface="sfp1 IGN WAN" protocol=tcp src-address-list=\
    !safe_ip_never_block
add action=drop chain=input comment="DNS block from WAN" dst-port=53 \
    in-interface="sfp1 IGN WAN" protocol=udp src-address-list=\
    !safe_ip_never_block
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid in-interface=!bridge src-address-list=!safe_ip_never_block
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN src-address-list=!safe_ip_never_block
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid in-interface=!bridge out-interface=!bridge
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=add-src-to-address-list address-list=FW_Block_unkown_port \
    address-list-timeout=1d chain=input comment=\
    "Add IP of user to access list if they have tried port that is not open." \
    in-interface="sfp1 IGN WAN" log-prefix=FI_AS_port-test src-address-list=\
    !safe_ip_never_block
add action=drop chain=input comment=\
    "Drop packets that has not been allowed or dropped before." in-interface=\
    "sfp1 IGN WAN" log=yes log-prefix=FI_D_port-test
/ip firewall mangle
add action=set-priority chain=prerouting comment="sip=p7" connection-type=sip \
    new-priority=7 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set h323 ports=1720
set sip ports=5060,5061,500,4500,5222,3478,80,443 sip-timeout=3m
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Prague
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.cz.pool.ntp.org
add address=1.cz.pool.ntp.org
This is what sniffer shows (filtered to IP addresses = 31.30.69.152 and 31.30.69.153):
packets_protocols.png
sniffer_hosts.png
sniff_packets.png
Thank you for any reply, I'm already desperate, to be honest....
 
rplant
Member Candidate
Posts: 260
Joined: Fri Sep 29, 2017 11:42 am

Re: VoWifi - do not work

Mon Dec 11, 2023 3:47 am

This might not fix your problem but do it anyway and restart from there.

Remove 500 and 4500 from the sip helper (service port).
Ideally disable the sip helper.

Set the udp stream timeout back to its default of 3 minutes from current 6 minutes,
(Or maybe even to 2 minutes, as specified in "NAT translation time-out setting under 2 minutes")
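
Added example, not part of the post above or of any MikroTik tooling: a small Python check that reads a RouterOS export and flags the two settings this reply points at, a SIP helper bound to UDP 500/4500 and a udp-stream-timeout above the carrier's 2-minute NAT figure. The function names and the 120-second threshold are assumptions, and the sample is constructed from the export in the first post.

```python
import re
import shlex

# Constructed sample: two sections copied from the export posted in this thread.
SAMPLE_EXPORT = r'''
/ip firewall connection tracking
set icmp-timeout=30s loose-tcp-tracking=no udp-stream-timeout=6m udp-timeout=\
    30s
/ip firewall service-port
set h323 ports=1720
set sip ports=5060,5061,500,4500,5222,3478,80,443 sip-timeout=3m
'''

UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}
IKE_PORTS = {"500", "4500"}  # IKE and IPsec NAT-T, per the carrier text quoted above

def seconds(value):
    """Convert a RouterOS duration such as 9h12m44s to seconds."""
    return sum(int(n) * UNITS[u] for n, u in re.findall(r"(\d+)([wdhms])", value))

def parse_export(text):
    """Yield (section, bare words, key=value props) for each exported command."""
    section = ""
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():  # join '\' continuations
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line and not line.startswith("#"):
            tokens = shlex.split(line)
            props = dict(t.split("=", 1) for t in tokens if "=" in t)
            yield section, [t for t in tokens if "=" not in t], props

def audit(text, max_nat_timeout=120):
    """Return findings for the settings that can disturb IKE/NAT-T through NAT."""
    findings = []
    for section, words, props in parse_export(text):
        if section == "/ip firewall service-port" and "sip" in words:
            hit = IKE_PORTS & set(props.get("ports", "").split(","))
            # Assumption: a helper without disabled=yes in the export is active.
            if hit and props.get("disabled") != "yes":
                findings.append("sip helper on IKE/NAT-T ports " + ",".join(sorted(hit, key=int)))
        if section == "/ip firewall connection tracking":
            timeout = props.get("udp-stream-timeout")
            if timeout and seconds(timeout) > max_nat_timeout:
                findings.append(f"udp-stream-timeout={timeout} exceeds {max_nat_timeout}s")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)))
```
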
 
sharkys
just joined
Topic Author
Posts: 22
Joined: Sun Jun 22, 2014 2:01 am

Re: VoWifi - do not work

Mon Dec 11, 2023 8:24 am

Thank you, I have disabled SIP helper - indeed this will not help, because it didn't work even prior to these "advised" corrections I found in other threads.
Tested again, no change :-(
/ip firewall service-port
set h323 ports=1720
set sip disabled=yes ports=5060,5061,5222,3478,80,443 sip-timeout=3m
/ip firewall connection tracking
set icmp-timeout=30s loose-tcp-tracking=no udp-stream-timeout=2m udp-timeout=30s
Happy to try anything else or prove to my ISP, they have a problem ;-) Will probably ask my neighbors, if they have Samsung, to test it.
 
sharkys
just joined
Topic Author
Posts: 22
Joined: Sun Jun 22, 2014 2:01 am

Re: VoWifi - do not work

Mon Dec 11, 2023 2:59 pm

Btw, upon activation, I see following comm - do you see anything missing or does it look OKay ?
vowifi_initial.png
Obviously, obfuscated part is my public IP
 
rplant
Member Candidate
Posts: 260
Joined: Fri Sep 29, 2017 11:42 am

Re: VoWifi - do not work

Mon Dec 11, 2023 11:21 pm

It kind of looks like it should almost be working, not sure, wait a while?

My phone (not a Samsung) will often take a while to decide to use vowifi if it has an ok 4g signal.
From memory (I think but am not sure) it might be less picky if the 4g signal is rubbish.
 
ToTheCLI
Frequent Visitor
Posts: 82
Joined: Mon Jan 04, 2016 3:54 am

Re: VoWifi - do not work  [SOLVED]

Mon Dec 11, 2023 11:42 pm

Looks like your ISP is the issue. Try connecting to an IPsec/IKEv2 PSK VPN tunnel from the native Android VPN client, as it uses the same ports and protocol.
 
sharkys
just joined
Topic Author
Posts: 22
Joined: Sun Jun 22, 2014 2:01 am

Re: VoWifi - do not work

Tue Dec 12, 2023 4:18 pm

Thank you, would you have some recommendation on Trial VPN IPsec/IKEv2 PSK for Android, confirmed working on Android native ?
For sure, VPNs like e.g. OpenVPN or L2TP VPN work but that's not IPSEC/IKEv2 - tried yesterday vpnjantit, just saw Connecting status...
NordVPN ?
 
sharkys
just joined
Topic Author
Posts: 22
Joined: Sun Jun 22, 2014 2:01 am

Re: VoWifi - do not work

Tue Dec 12, 2023 9:37 pm

Hm, so tested Uplinks VPN - it works when using data, it does not work using my ISP. So I guess problem is with my ISP indeed.
 
Amm0
Forum Guru
Posts: 3031
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VoWifi - do not work

Tue Dec 12, 2023 11:34 pm

Or your firewall/NAT rule... That's IPSec tunnel it uses, not SIP.

The default firewall explicitly allows IPSec, but if your firewall doesn't... that could be the issue, e.g. lines like:

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
 
sharkys
just joined
Topic Author
Posts: 22
Joined: Sun Jun 22, 2014 2:01 am

Re: VoWifi - do not work

Wed Dec 13, 2023 12:16 am

Thank you - tested, no change.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
This rule I had already...
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
Added those, moved to the top...but counters are still 0, even if I keep them as the only rule ? Strange.
 
Amm0
Forum Guru
Posts: 3031
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VoWifi - do not work

Wed Dec 13, 2023 12:52 am

Hard to know. But my bet is there might be some IPSec setting wrong — what/where, IDK.

Do you have any other VPNs running on the same router? e.g. you have this:
/interface l2tp-server server set default-profile=pptp_profile use-ipsec=yes

But if you're not using l2tp, you might want to disable the server.
Last edited by Amm0 on Wed Dec 13, 2023 12:57 am, edited 1 time in total.
 
Amm0
Forum Guru
Posts: 3031
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: VoWifi - do not work

Wed Dec 13, 2023 12:53 am

Also, is there any reason you're using proxy-arp on the bridge/ports?
 
sharkys
just joined
Topic Author
Posts: 22
Joined: Sun Jun 22, 2014 2:01 am

Re: VoWifi - do not work

Wed Dec 13, 2023 8:23 am

Thank you @Amm0, appreciate your help. l2tp is there only as leftover, the server itself is disabled, I just re-checked - using OpenVPN instead.

proxy-arp is recommendation due to the LAN sub-nets routing/access for/via OpenVPN - I guess that's not issue, or is there any other side effect, having this enabled ?
 
sharkys
just joined
Topic Author
Posts: 22
Joined: Sun Jun 22, 2014 2:01 am

Re: VoWifi - do not work

Wed Dec 13, 2023 10:06 pm

Btw, it was not ISP fault...it was ISP of the ISP fault ;-)

Thanks for help and all the reactions !
