msatter
Forum Guru
Topic Author
Posts: 2897
Joined: Tue Feb 18, 2014 12:56 am
Location: Netherlands / Nīderlande

SIP in, to NAT or to ROUTE

Sun Aug 07, 2022 11:57 am

In a topic about SIP not conveying the source address to the SIP server, NAT was the cause of a correct-looking dst-NAT not working out as expected. This was because there was a simple src-masquerade present in NAT.

Underneath is the packet flow, and at the top right you see dst-NAT, which is the rule being used by the user, who thought it would then work correctly.

[Image: packet flow diagram]

When you look at the post-routing line you will see the third rectangle with the name src-NAT, and that one replaces the src-address of the packet. The incoming packet gets a new destination from the dst-NAT, and then in the end it loops through NAT again and is also handled by the src-NAT.

Coming out of Postrouting, the src-address 1.2.3.4 and dst-address 4.3.2.1 are changed to 192.168.88.1 and 192.168.88.10, for example. 192.168.88.1 is the internal IP address of the router and 192.168.88.10 is the IP address of the SIP server.

You can do two things to avoid the src-address being changed.

A simple one is to enable the SIP-ALG helper and let that do the handling of SIP traffic; this also handles STUN for the speech during a phone call.

The second is to avoid NAT for an incoming call. This is done by using Route in Mangle with an unchecked Passthrough mark. This will avoid the packet looping further through firewall and NAT (NAT being avoided is undocumented, so I can't confirm that here).

If you look at the packet-flow scheme above, you see the Mangle pre-routing box just before the dst-NAT box. When you use that, the src/dst addresses of the traffic are not changed and are still 1.2.3.4 and 4.3.2.1, and routing only points to which gateway/exit the traffic should go and where there is a listening ear (one that answers the call) for it.

Now that traffic has reached the SIP server it will answer; however, it will use its 192.168.88.10 address as source, so you will have to src-NAT that traffic. The src-Masquerade from the beginning will do that for you.
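
The setup and the two options from the post above, written out as a RouterOS configuration sketch. This is an added example, not part of the original post and not tested on a router. Assumptions: the WAN interface name `ether1-wan`, SIP signalling on UDP 5060, and a masquerade rule with no interface match; the addresses are the ones used in the post.

```routeros
# Constructed example. ether1-wan and UDP port 5060 are assumptions;
# 4.3.2.1 (public address) and 192.168.88.10 (SIP server) come from the post.

# --- Starting point described in the post -------------------------------
/ip firewall nat
# "Simple" masquerade with no interface match (assumed): it applies in
# postrouting to every new connection, including inbound SIP that was
# just dst-NATed, so the server sees 192.168.88.1 as the caller.
add chain=srcnat action=masquerade comment="simple src-masquerade"
# The dst-NAT rule the user expected to be sufficient.
add chain=dstnat action=dst-nat in-interface=ether1-wan protocol=udp \
    dst-address=4.3.2.1 dst-port=5060 to-addresses=192.168.88.10 \
    comment="inbound SIP to server"

# --- Option 1 from the post: enable the SIP helper -----------------------
/ip firewall service-port
set sip disabled=no

# --- Option 2 from the post: Route in Mangle, Passthrough unchecked ------
/ip firewall mangle
# action=route is only available in the prerouting chain. The packet is
# handed to 192.168.88.10 with src 1.2.3.4 and dst 4.3.2.1 unchanged.
# The post states that NAT is then skipped but also that this is
# undocumented, so verify it on your own router before relying on it.
add chain=prerouting action=route route-dst=192.168.88.10 passthrough=no \
    in-interface=ether1-wan protocol=udp dst-address=4.3.2.1 dst-port=5060 \
    comment="route inbound SIP without NAT"

# --- Check what was actually translated ----------------------------------
# In the connection table, compare src-address with reply-dst-address:
# if they differ, src-NAT was applied to the inbound call.
/ip firewall connection print detail where dst-address~":5060"
```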
