Hi,
we tried an installation with 2x CCR2116-12G-4S+ as follows:

- ROS 7.11.2
- each router connected externally with one ISP {ISP A | ISP B} via BGP
- announcing RIPE registered customer IPv4 /24 within BGP
- announcements are working and can be seen via external looking glass servers (i.e. HE / L3), Internet surfing works seamlessly
- External IPs are link addresses / serial IPs from each ISP
- The Routers have Loopback address in own /24
- VRRP is installed on both routers towards LAN (Firewall Cluster)
- Behind Mikrotik, no NAT or firewall rules installed -> public IPs on Mikrotik only (!).

Result: Internet working, but SIP trunk from 3CX to SIP Provider (external) is not working.

We disabled SIP ALG, but no change.

The installation works fine by using routers from another brand, but not with Mikrotik.


Is there a SIP issue on this hardware platform? Or can this be a special SIP issue with timeouts /connection tracking?

Some guesses.

3cx want a bunch of dst-nat entries, are these in place?

There have been issues in other places with the short udp initial timeouts.
You could change the UDP Timeout in tracking.
In Winbox, ip firewall, choose connections tab, and then tracking button.

Some guesses.

3cx want a bunch of dst-nat entries, are these in place?

There have been issues in other places with the short udp initial timeouts.
You could change the UDP Timeout in tracking.
In Winbox, ip firewall, choose connections tab, and then tracking button.

SInce on Mikrotik is public IP space, I do not see any need for DST-NAT entries on MT. NAT is done by the firewall cluster and the cluster is unchanged.
The "same" configuration (same configuration instructions) is running on the old routers (Huawei) without any NAT rules as well. As I wanted to describe, on MT is public IP only, no SRC-NAT, no DST-NAT, no port mapping ... The MTs should behave as routers, nothing else.

I can try changing the UDP timeouts in tracking, though. Is there any good advice for "UDP Timeout" and "UDP Stream Timeout" in combination with a 3CX?

Thanx!

The SIP ALG should only act if NAT rules are in place, which is not your case. To cover the case that this is eventually not true for 7.11.2, rather than disabling it, try setting it to act on an unused port like 65060. Also, what does /ip firewall connection print detail where dst-port~":506" show?

Another question, what exactly "does not work"? Incoming calls from the external server to the local 3CX, outgoing calls from 3CX to the external server, both?

Yes, it should not use SIP ALG, since there is no NAT. That's exactly what I thought at the beginning. Could be a bug in 7.11.2, this is a black box...

Since I just have the chance to do tests on Friday evenings, I will have to wait for the next time slot for another try. It might be better to set it up in a lab environment, a lot of work, though.



>Another question, what exactly "does not work"? Incoming calls from the external server to the local 3CX, outgoing calls from 3CX to the external server, both?

Both. The SIP trunk from LAN (behind Firewall) is not established to the outside SIP Provider (externally in the public Internet area). So there are no calls inbound or outbound since the whole trunk is not coming up. Normal Internet connections (i.e. NTP, DNS) are running on UDP normally and regular tcp services (http, https, ssh) are working like a charm.

Hi,
I solved the problem in my lab. Instead of 3cx with external provider,

I made a trunk connection between 2 FreePBX/RasPBX systems and used the configuration which was not working on-site @customer premises. And the trunk was working. So as I said before, in forwarding there should be no SIP ALG helper interference. And there is none.

I can today report, that ROS 7.13.5. with BGP routing configuration is working well with CCR2116-12G-4S+ and has no problem with SIP.

And the speed of the CCR2116-12G-4S+ is amazing