Hi guys.

I'm a noob to Mikrotik and RouterOS and am learning as I go. I have managed to get my home network set up with 1 Fibre ISP over PPPOE and failover to my WISP via static IP.
Fibre is on ETH1 and WISP is on ETH2. My PC runs on ETH3 and the Wireless AP and internal network run on ETH4.
The issue I am having is with my VoIP. I'm trying to get it running on ETH5 after trying for 2 weeks to get it to run on the bridged netwrk that was ETH3 to ETH5. I have since removed ETH5 on the bridge in order to dedicate the port to VoIP but, for the life of me, I simply cannot get it to work.

As a noob, I fully expect you guys to roast my config but, once you're done roasting me, would someone please help me get this VoIP to work before it takes a long flight out of my window?

Thanks in advance!

My config:

/interface bridge
add name=Network
/interface ethernet
set [ find default-name=ether1 ] name=C_Access-pppoe
set [ find default-name=ether2 ] name=C_Net-wan
set [ find default-name=ether3 ] name=Dad
set [ find default-name=ether4 ] name=Kids
set [ find default-name=ether5 ] name=VoIP
/interface pppoe-client
add add-default-route=yes disabled=no interface=C_Access-pppoe name=CA user=\
bruc22745@clearaccess
/disk
set sd1 type=hardware
add parent=sd1 partition-number=1 partition-offset=512 partition-size=\
"63 864 569 344" type=partition
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp_pool0 ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=Network lease-time=1d name=Metered
/port
set 0 name=serial0
/queue simple
add max-limit=80M/100M name=All priority=1/1 target=192.168.3.0/24
add max-limit=80M/100M name="Access Point" parent=All priority=3/3 target=\
192.168.3.252/32
add max-limit=80M/100M name=Dad parent=All priority=2/2 target=\
192.168.3.10/32
add max-limit=80M/100M name="Dad Phone" parent=All priority=3/3 target=\
192.168.3.244/32
add max-limit=80M/100M name="Dad Work" parent=All priority=3/3 target=\
192.168.3.243/32
add name="Dad Work Laptop" parent=All target=192.168.3.238/32
add max-limit=80M/100M name="Mom PC" parent=All priority=2/2 target=\
192.168.3.14/32
add max-limit=80M/100M name="Mom Phone" parent=All priority=3/3 target=\
192.168.3.248/32
add max-limit=80M/100M name=Kiki-PC parent=All priority=3/3 target=\
192.168.3.11/32
add max-limit=80M/100M name="Kiki Phone" parent=All priority=4/4 target=\
192.168.3.245/32
add max-limit=80M/100M name="Scally PC" parent=All priority=3/3 target=\
192.168.3.12/32
add max-limit=80M/100M name="Scally Phone" parent=All priority=4/4 target=\
192.168.3.246/32
add max-limit=80M/100M name="Scally Tab" parent=All priority=4/4 target=\
192.168.3.250/32
add max-limit=1M/1M name="Loretta A" parent=All target=192.168.3.249/32
add max-limit=1M/1M name="Loretta B" parent=All target=192.168.3.247/32
add disabled=yes max-limit=1M/1M name=DSTV parent=All target=192.168.3.253/32
add max-limit=1M/1M name="Cedric Tab" parent=All target=192.168.3.240/32
/dude
set enabled=yes
/interface bridge port
add bridge=Network interface=Dad
add bridge=Network interface=Kids
/ip neighbor discovery-settings
set mode=rx-only
/ip address
add address=192.168.3.1/24 interface=Dad network=192.168.3.0
add address=192.168.2.2/24 interface=C_Net-wan network=192.168.2.0
add address=192.168.4.1/24 interface=VoIP network=192.168.4.0
/ip dhcp-client
add default-route-distance=5 interface=C_Net-wan
/ip dhcp-server lease
add address=192.168.3.252 client-id=1:4:95:e6:b0:11:38 mac-address=\
04:95:E6:B0:11:38 server=Metered use-src-mac=yes
add address=192.168.3.250 client-id=1:e4:40:e2:e5:87:5c mac-address=\
E4:40:E2:E5:87:5C server=Metered use-src-mac=yes
add address=192.168.3.251 client-id=1:0:15:65:f8:c9:a3 mac-address=\
00:15:65:F8:C9:A3 server=Metered use-src-mac=yes
add address=192.168.3.248 client-id=1:4a:5e:35:c:72:4a mac-address=\
4A:5E:35:0C:72:4A server=Metered use-src-mac=yes
add address=192.168.3.245 client-id=1:48:9d:d1:13:df:6d mac-address=\
48:9D:D1:13:DF:6D server=Metered use-src-mac=yes
add address=192.168.3.249 client-id=1:3c:bb:fd:9:c7:6a mac-address=\
3C:BB:FD:09:C7:6A server=Metered use-src-mac=yes
add address=192.168.3.243 client-id=1:c4:1c:7:5a:54:bb mac-address=\
C4:1C:07:5A:54:BB server=Metered use-src-mac=yes
add address=192.168.3.247 client-id=1:d6:5b:3c:43:2d:10 mac-address=\
D6:5B:3C:43:2D:10 server=Metered use-src-mac=yes
add address=192.168.3.253 client-id=1:b0:5d:d4:f5:89:45 mac-address=\
B0:5D:D4:F5:89:45 server=Metered use-src-mac=yes
add address=192.168.3.244 client-id=1:d0:87:e2:96:e0:67 mac-address=\
D0:87:E2:96:E0:67 server=Metered use-src-mac=yes
add address=192.168.3.246 client-id=1:92:f2:99:46:36:95 mac-address=\
92:F2:99:46:36:95 server=Metered use-src-mac=yes
add address=192.168.3.240 client-id=1:fc:50:a0:65:a4:d0 mac-address=\
FC:50:A0:65:A4:D0 server=Metered use-src-mac=yes
/ip dhcp-server network
add address=192.168.3.0/24 dns-server=8.8.8.8,1.1.1.1 gateway=192.168.3.1
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=Bogons
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=CA
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=C_Access-pppoe
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=C_Net-wan
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=CA
add action=drop chain=input in-interface=C_Access-pppoe
add action=drop chain=input in-interface=C_Net-wan
/ip firewall mangle
add action=mark-connection chain=forward comment=SIP dst-address=\
196.216.192.0/24 dst-port=5060 new-connection-mark=SIP_Connection \
passthrough=yes protocol=udp src-address=192.168.4.2
add action=mark-packet chain=forward connection-mark=SIP_Connection \
dst-address=0.0.0.0 new-packet-mark=SIP_Packet passthrough=yes \
src-address=192.168.4.2
add action=mark-connection chain=forward comment=RTP dst-address=\
196.216.192.0/24 new-connection-mark=RTP_Connection passthrough=yes port=\
10000-12000 protocol=udp src-address=192.168.4.2
add action=mark-packet chain=forward connection-mark=RTP_Connection \
new-packet-mark=RTP_Packet passthrough=yes protocol=udp
add action=mark-connection chain=forward comment=SIP dst-address=\
196.216.192.0/24 dst-port=5060 new-connection-mark=SIP_Connection \
passthrough=yes protocol=udp src-address=192.168.4.2
add action=mark-packet chain=forward connection-mark=SIP_Connection \
new-packet-mark=SIP_Packet passthrough=yes
add action=mark-packet chain=forward connection-mark=RTP_Connection \
new-packet-mark=RTP_Packet passthrough=yes protocol=udp
add action=change-dscp chain=postrouting comment="DSCP Priority" dst-address=\
196.216.192.0/24 new-dscp=46 packet-mark=RTP_Packet passthrough=yes \
src-address=192.168.4.2
/ip firewall nat
add action=masquerade chain=srcnat
/ip firewall service-port
set sip disabled=yes
/ip route
add disabled=no distance=1 dst-address=10.222.255.26/32 gateway="" \
routing-table=main suppress-hw-offload=no
add check-gateway=ping comment="Host lookup CA" disabled=no distance=1 \
dst-address=1.1.1.1/32 gateway=10.222.255.26 pref-src="" routing-table=\
main scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="Host lookup C_Net" disabled=no distance=2 \
dst-address=8.8.8.8/32 gateway=192.168.2.1 pref-src="" routing-table=main \
scope=10 suppress-hw-offload=no target-scope=10
add check-gateway=ping comment="CA Default Route" disabled=no distance=1 \
dst-address=0.0.0.0/0 gateway=1.1.1.1 pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=11
add check-gateway=ping comment="C_Net Backup Route" disabled=no distance=2 \
dst-address=0.0.0.0/0 gateway=8.8.8.8 pref-src="" routing-table=main \
scope=30 suppress-hw-offload=no target-scope=11
/system clock
set time-zone-name=Africa/Johannesburg
/system note
set show-at-login=no
/user-manager
set certificate=*0
/user-manager router
add address=192.168.4.10 name=Home

As a noob, I fully expect you guys to roast my config but, once you're done roasting me, would someone please help me get this VoIP to work before it takes a long flight out of my window?

I won't roast you (my oven isn't big enough ) but one thing you have missed is that you've removed ether5 - VoIP from the bridge but not put in any rules to handle traffic to or from your VoIP network. Since you are only using 1 port for VoIP you can write the rules specifically for that port rather than adding another bridge and writing the rules for that (you could add the bridge if you want but you don't need to).

--
Backups are your friend. Always make a backup!

/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:

RouterOS v6 code

/export hide-sensitive file=MyConfig

RouterOS v7 code

/export file=MyConfig

Hi MickeyT!

Thank you so much for getting back to me! I will post the config tonight as I am at work at the moment.

As a noob, I fully expect you guys to roast my config but, once you're done roasting me, would someone please help me get this VoIP to work before it takes a long flight out of my window?

I won't roast you (my oven isn't big enough ) but one thing you have missed is that you've removed ether5 - VoIP from the bridge but not put in any rules to handle traffic to or from your VoIP network. Since you are only using 1 port for VoIP you can write the rules specifically for that port rather than adding another bridge and writing the rules for that (you could add the bridge if you want but you don't need to).

--
Backups are your friend. Always make a backup!

/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:

RouterOS v6 code

/export hide-sensitive file=MyConfig

RouterOS v7 code

/export file=MyConfig

Hi MickeyT

I have attached the .cfg file as instructed Thanks very much

Okay, before I start making silly suggestions (although they are my speciality), what do you want to use your VoIP network for (aside from the obvious)? Specifically:

1. Are you running a VoIP PBX on the network (e.g.: 3CX),
2. Are you running an SBC on the network (if you don't know what it is then you probably aren't),
3. Does the VoIP network need to be reachable form your other home networks, and
4. Does the VoIP network need to be reachable from the Internet (usually required if you're running a local PBX).

All of the above influence the exact configuration that is required and having 2 Internet connections further complicates the config.

--
Backups are your friend. Always make a backup!

/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:

RouterOS v6 code

/export hide-sensitive file=MyConfig

RouterOS v7 code

/export file=MyConfig

Hi Mickey.

None of the above. It's just a VoIP phone that needs to be able to dial out and receive incoming calls. Nothing fancy. I toyed around with the settings and such this weekend again but, needless to say, got nowhere.

Thank you.

None of the above. It's just a VoIP phone that needs to be able to dial out and receive incoming calls.

In that case, I wouldn't bother with a separate network for the phone. Just put Ether5 on your standard network, let the phone pick up an IP by DHCP and configure it to connect to your SIP/VoIP provider directly (ideally by TLS for improved security if they support it).

Who's your SIP/VoIP provider and what sort of phone is it (make and model)?

--
Backups are your friend. Always make a backup!

/system backup save encryption=aes-sha256 name=MyBackup

Please, export and attach your current config to your post if you want help with a config issue:

RouterOS v6 code

/export hide-sensitive file=MyConfig

RouterOS v7 code

/export file=MyConfig

Your masquerade rule doesn't have a direction specified, so it will probably do NAT in both directions, which is highly unusual. I'm not completely sure if this is the cause of the issue or not, but it should not be set up this way. Usually you would have out-interface or out-interface-list set for the masquerade rule, and it is like this in the MikroTik default configuration.

You may have to reboot after fixing that as well, as existing connections will continue to be NATted until they time out or the connection is closed.

Hi mducharme.
I will definitely take a look at that this evening. Thank you!

Hi I'm new to Mikrotik
Is there a way for my telephone connected to my home network modem be able to call and receive call from from my ISP modem?

My setup is


ISP MODEM with tel ------ MK rb5009 ---- OLT -----ONU with tel port

is it possible?