djferdinad
just joined
Topic Author
Posts: 14
Joined: Wed Apr 06, 2022 5:12 am

CHR port forwarding to Local MK

Sat Apr 16, 2022 1:28 am

Hi Community,

I have a CHR running and an OpenVPN tunnel from it. I can push the traffic through the VPN just fine, and I can access my devices on my local network just fine.

My issue is:
I need to set up a PBX, and I need the traffic coming from any device on the internet to end up on the local PBX WITHOUT IP masquerading.

So I need to set up a port forward to my PBX that does not masquerade the IP of either the external devices or the PBX.

Any clues?

Thanks
 
tangent
Forum Guru
Posts: 1353
Joined: Thu Jul 01, 2021 3:15 pm

Re: CHR port forwarding to Local MK

Sat Apr 16, 2022 2:07 am

If your requirement is literally true, you need to arrange for a static IP block from your ISP, then assign one of them to the PBX.

However, what I want to know is why you have this strange requirement? What’s wrong with IP address translation in this application?

(Note that MikroTik uses the word “masquerade” in a very particular way. My read of what you’re asking is not specifically about masquerading in the ROS sense, but NAT more generally.)
 
djferdinad
just joined
Topic Author
Posts: 14
Joined: Wed Apr 06, 2022 5:12 am

Re: CHR port forwarding to Local MK

Thu Apr 21, 2022 4:39 am

Hi Tangent,

Thanks for your reply.

If you let me, I will dig deep into the technical side of the SIP protocol in RFC 3261 https://www.rfc-editor.org/rfc/rfc3261. ... on-8.1.1.8: in section 8.1.1.8, the contact MUST have the UA (User Agent) contact info, and that contact is being masqueraded by a router; the audio and the SIP messages are not going to reach the other UA.

Did I make myself clear? I will clear it up if not. But this is basically why I need the port forwarding with no masquerade.

Thank you in advance
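
Why NAT in front of a PBX breaks SIP, as an added example that is not part of the original post: the router rewrites the IP header, but the addresses the UA wrote into Via, Contact and the SDP body stay as they were. The INVITE below is constructed and trimmed to the headers that matter; every address and function name in it is an assumption for illustration.

```python
import ipaddress
import re

# Constructed sample: an INVITE as a PBX at 192.168.88.10 might send it.
# Trimmed for brevity; names, tags and addresses are made up.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.88.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.org>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.88.10:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.168.88.10\r\n"
    "m=audio 10000 RTP/AVP 0\r\n"
)

# IPv4 literals in the three places a peer uses to send replies and audio.
PATTERNS = {
    "Via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([0-9.]+)", re.I | re.M),
    "Contact": re.compile(r"^Contact:.*?sips?:(?:[^@>\s]+@)?([0-9.]+)", re.I | re.M),
    "SDP c=": re.compile(r"^c=IN IP4 ([0-9.]+)", re.M),
}

def embedded_addresses(message):
    """Return {field: address} for IPv4 literals carried inside the SIP payload."""
    found = {}
    for field, pattern in PATTERNS.items():
        match = pattern.search(message)
        if match:
            found[field] = ipaddress.ip_address(match.group(1))
    return found

def nat_findings(message, wire_source):
    """Compare payload addresses with the source IP the receiver saw on the packet."""
    seen = ipaddress.ip_address(wire_source)
    findings = []
    for field, addr in embedded_addresses(message).items():
        if addr != seen:
            kind = "private" if addr.is_private else "different"
            findings.append(f"{field}: {addr} is a {kind} address, packet came from {seen}")
    return findings

if __name__ == "__main__":
    # 203.0.113.7 stands in for the router's public address after source NAT.
    print("\n".join(nat_findings(SAMPLE_INVITE, "203.0.113.7")))
```

With no NAT in the path (the packet source equals the address in the payload) the function returns an empty list, which is the situation the routed setup in this thread is trying to reach.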
 
tangent
Forum Guru
Posts: 1353
Joined: Thu Jul 01, 2021 3:15 pm

Re: CHR port forwarding to Local MK

Thu Apr 21, 2022 6:16 am

> that contact is being masquerade from a Router the audio and the SIP messages are not going reach the another UA.

I'm not willing to debug SIP for you. I have the barest awareness of what the protocol does, and zero expertise in actually using and managing it.

However, I will say two things:

1. I tried to get you to be clearer about the term "masquerade." In RouterOS terms, what you're talking about isn't masquerading at all. Port forwarding and masquerading are types of NAT, but they aren't the same thing at all. Until you clear that up, I think only an expert can help you short of guessing.

2. If there's something about your SIP implementation that simply cannot work through port-forwarding (a.k.a. dstnat) then I repeat my earlier advice: get a static IP block from your ISP and assign one of them to the VoIP server. Now there's no NAT, so no problem.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: CHR port forwarding to Local MK

Thu Apr 21, 2022 3:00 pm

If you want port forwarding (which involves NAT) and at the same time keep the public address, you can't really do that, it's one or the other. What you can do is to forward the public address from CHR to PBX. If you can get another public address for CHR, it's simple. If that's not an option, it may be possible to do something with CHR's public address too, using action=route in prerouting. Not a very nice solution, but the basic idea is:

/ip firewall mangle
add chain=prerouting dst-address=<CHR's public address> protocol=<something> dst-port=<something> action=route route-dst=<gateway to PBX>

I'm not into SIP myself, so I don't know what exactly it needs, if it's a few static ports or if it's more dynamic. But in the extreme you should be able to route everything except a few ports required by CHR:

/ip firewall mangle
add chain=prerouting dst-address=<CHR's public address> protocol=tcp dst-port=1194 action=accept comment="OpenVPN on CHR"
add chain=prerouting dst-address=<CHR's public address> protocol=tcp dst-port=22,8291 src-address=<admin's address> action=accept comment="CHR admin access"
add chain=prerouting dst-address=<CHR's public address> protocol=<something> dst-port=<something> action=route route-dst=<gateway to PBX>

For the record, action=route seems to be either broken or works somehow differently in v7 than it used to in v6.
 
djferdinad
just joined
Topic Author
Posts: 14
Joined: Wed Apr 06, 2022 5:12 am

Re: CHR port forwarding to Local MK

Thu Apr 21, 2022 9:10 pm

Oh no, Tangent. I understand your advice and thank you also. Your comments and reading cleared my doubts regarding the "PF" and the masquerading.

As I cannot get any public IP (from my provider), I am using a CHR with one. But actually I do not need the public IP for anything else than the PBX at the moment.

I just need to route the PBX back and forth

Thank you
 
djferdinad
just joined
Topic Author
Posts: 14
Joined: Wed Apr 06, 2022 5:12 am

Re: CHR port forwarding to Local MK

Thu Apr 21, 2022 9:14 pm

Hi Sob,

I think your comment is getting closer to what I am trying to do. I just need the public IP for the PBX so I will try the config you posted later on.

For SIP I just need from 5000 to 6000 and from 10000 to 20000.

Thanks for your advice, I will comment back when I have tried it
