dwright
Member Candidate
Topic Author
Posts: 158
Joined: Fri May 28, 2004 1:10 pm
Location: Mchenry, Il

1:1 Nat killing VoIP Service

Thu Jun 16, 2005 9:34 pm

Well, we just cut over to private IP addresses for our customers, and are using 1:1 NAT for a few of our business customers. When adding this in, one of our customers using VoIP no longer has the service.

This is the setup
Wan Ip            MT              Private Add.     Linksys   Customer Net.
69.X.X.140 <----> 1:1 Nat <-----> 208.x.x.140 ---> Nat ----> 192.168.0.0/24

His ATA has an IP address in the 192.168. range.

Does anyone know of anything that we are missing? Could it be the problem of going through 2 NAT firewalls? The customer can surf the internet, and going to whatismyip.com he is getting the 69.X.X.140, so the 1:1 NAT is set up correctly.

Thanks for any info you can share.


D~
Last edited by dwright on Fri Jun 17, 2005 6:01 pm, edited 2 times in total.
 
jarosoup
Long time Member
Posts: 596
Joined: Sun Aug 22, 2004 9:02 am

Fri Jun 17, 2005 6:28 am

Have you tried it without the Linksys router in place?
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Fri Jun 17, 2005 7:57 am

Did you create a dst-nat and src-nat rule for the 1:1 translation?
 
Roman
Frequent Visitor
Posts: 81
Joined: Wed Oct 06, 2004 11:24 am

Fri Jun 17, 2005 2:54 pm

What protocol is that ATA device using? h323 or SIP? If the first one, then try to enable the h323 NAT helper in `/ip firewall service-port`. If this does not help, then blame Linksys ;)
 
dwright
Member Candidate
Topic Author
Posts: 158
Joined: Fri May 28, 2004 1:10 pm
Location: Mchenry, Il

Fri Jun 17, 2005 5:31 pm

Thanks for the replies. The customer is using AT&T Call Vantage. I just enabled the h323 helper in the firewall, but I think they use SIP. While doing some research, I've read that port forwarding needs to be done, but these were all old articles/posts. Does anyone know if this still needs to be implemented, or did they fix these problems?

EDIT: Yes I have dst-nat/src-nat rules for 1:1 Nat
 0   chain=srcnat out-interface=To Router src-address=208.x.x.140 
      action=src-nat to-addresses=69.x.x.140 to-ports=0-65535 

 1   chain=srcnat out-interface=To Router action=masquerade 

 2   chain=dstnat in-interface=To Router dst-address=69.x.x.140 
     action=dst-nat to-addresses=208.x.x.140 to-ports=0-65535 


I'll keep all posted with the outcome.

D~
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Fri Jun 17, 2005 10:46 pm

> Have you tried it without the Linksys router in place?

Could be a CPE issue... They may not have the necessary ports forwarded. I'd have the user try using the phones directly connected to the internet connection.
 
Cameron Earnshaw
Frequent Visitor
Posts: 90
Joined: Sun May 30, 2004 6:46 pm

Fri Jun 17, 2005 11:22 pm

Many of the phones and ATAs have two ports, so you can put the phone on the WAN side of the client's router. Even if you get it to work, QoS will be better if the VoIP doesn't have to pass through the client's router.
 
Roman
Frequent Visitor
Posts: 81
Joined: Wed Oct 06, 2004 11:24 am

Tue Jun 21, 2005 1:24 pm

> EDIT: Yes I have dst-nat/src-nat rules for 1:1 Nat
>  0   chain=srcnat out-interface=To Router src-address=208.x.x.140 
>       action=src-nat to-addresses=69.x.x.140 to-ports=0-65535 
>
>  1   chain=srcnat out-interface=To Router action=masquerade 
>
>  2   chain=dstnat in-interface=To Router dst-address=69.x.x.140 
>      action=dst-nat to-addresses=208.x.x.140 to-ports=0-65535 

Seems like you need to disable/remove rule #1...
 
dwright
Member Candidate
Topic Author
Posts: 158
Joined: Fri May 28, 2004 1:10 pm
Location: Mchenry, Il

Wed Jun 22, 2005 10:30 am

Why would I need to remove rule #1? Rule #0 matches this customer's src-address, and anything else gets matched by rule #1.

Could you elaborate more on your post?


D~
 
dwright
Member Candidate
Topic Author
Posts: 158
Joined: Fri May 28, 2004 1:10 pm
Location: Mchenry, Il

Wed Jun 22, 2005 10:35 am

> > Have you tried it without the Linksys router in place?
>
> Could be a CPE issue... They may not have the necessary ports forwarded. I'd have the user try using the phones directly connected to the internet connection.

Well, he says that he has tried that, but it still didn't work. This is also a customer who has had problems in the past, and insisted it was a problem on our side, only for us to come out to his house and find that he had a bad router, and on another occasion, a bad switch. He is supposed to be an IT consultant, but I just don't see how.

We are going out tomorrow to take a look ourselves. I just can't believe that the 1:1 NAT has broken his VoIP, so I would like to see for myself.

D~
 
Roman
Frequent Visitor
Posts: 81
Joined: Wed Oct 06, 2004 11:24 am

Wed Jun 22, 2005 5:34 pm

> Why would I need to remove rule #1? Rule #0 matches this customer's src-address, and anything else gets matched by rule #1.
>
> Could you elaborate more on your post?
>
> D~

With this rule enabled your other clients will not get VoIP working.
Try to remove Linksys router -- it's probably not mapping needed ports
 
mperdue
Member Candidate
Posts: 292
Joined: Wed Jun 30, 2004 8:18 pm

Fri Jun 24, 2005 10:07 pm

For port forwarding on VoIP that uses SIP:

Forward UDP ports 5060, 5061, 10000, and 16384.

I set up forwards just about every time I put an ATA (Sipura) behind NAT. It makes it a lot more reliable.

-Michael
 
Roman
Frequent Visitor
Posts: 81
Joined: Wed Oct 06, 2004 11:24 am

Mon Jun 27, 2005 12:13 pm

> For port forwarding on VoIP that uses SIP:
>
> Forward UDP ports 5060, 5061, 10000, and 16384.
>
> I set up forwards just about every time I put an ATA (Sipura) behind NAT. It makes it a lot more reliable.
>
> -Michael

Yes, SIP _usually_ uses 5060/udp, but RTP (voice packets) can use any port from 5000 to 30000 and maybe more -- depends on server/client
 
cybertime
newbie
Posts: 30
Joined: Tue Sep 21, 2004 8:45 am

Mon Jun 27, 2005 6:10 pm

> > Why would I need to remove rule #1? Rule #0 matches this customer's src-address, and anything else gets matched by rule #1.
>
> With this rule enabled your other clients will not get VoIP working.
> Try to remove Linksys router -- it's probably not mapping needed ports

Roman, you are telling him to remove masquerading, but since all his customers are on private net, he must do masquerading.

If his goal is to make people pay extra for a private IP, and the extra services it offers, then his private net idea will do that.

As for the Linksys, since it was working before, it should be working now. However, it is easy to pull it from the loop and try things, so it is worth doing.

As for why the 1:1 NAT is not working, when the customer worked 100% before, I am not sure. I have done this same exact thing before when we started doing wireless. It was just with a non-MikroTik router. It worked perfectly well.

The only thing I can think of is if the customer has some IP confusion on their end. I saw that once, but not for VoIP.

The customer had a remote service that needed to know his IP. He kept on giving the remote service his private IP. On top of that, he put his public IP in the router on his end, which was doing PAT. Once he finally did what I said, and gave the remote service the public IP, and put the private IP on his router, his PAT worked fine.
 
Roman
Frequent Visitor
Posts: 81
Joined: Wed Oct 06, 2004 11:24 am

Mon Jun 27, 2005 6:34 pm

> Roman, you are telling him to remove masquerading, but since all his customers are on private net, he must do masquerading.

I'm not telling him to remove masquerading, I'm telling him to try whether it'll work without Linksys or not, nothing else. If it won't, he must configure Linksys properly.
 
cybertime
newbie
Posts: 30
Joined: Tue Sep 21, 2004 8:45 am

Mon Jun 27, 2005 8:32 pm

> I'm not telling him to remove masquerading, I'm telling him to try whether it'll work without Linksys or not, nothing else. If it won't, he must configure Linksys properly.

You did say to remove masquerading in your Tue Jun 21, 2005 2:24 am post when you wrote "seems like you need to disable/remove rule #1". When asked for clarification, your Wed Jun 22, 2005 6:34 am post added, "With this rule enabled your other clients will not get VoIP working."

If all you meant is exactly what you said in the Wed Jun 22, 2005 6:34 am post, that the non-1:1 natted users won't have VoIP, fine.

I think the OP understands that the non-1:1 natted users won't have as many options available to them. I think that is the OP's goal. Conserve IP space, and make people pay for added features, if they need them.

But all of that has little to do with the OP's issue of why a customer who had a Linksys router was working 100% with VoIP before, but after going to 1:1 NAT in the MikroTik router, that customer stopped being able to do VoIP.

Since the Linksys allowed VoIP before, I do not think it mysteriously stopped passing VoIP. But I do agree it is well worth bypassing the Linksys.

If things work fine w/o the Linksys, then the problem is somewhere in that unit. If the problems continue without the Linksys, then they are somewhere else. Process of elimination.

But by saying, "seems like you need to disable/remove rule #1" in a reply to the topic, with no original explanation as to why, and little later explanation, you simply confuse the issue. This is because it seems like you are saying that removing masquerading will address the OP's issue.
 
wildbill442
Forum Guru
Posts: 1055
Joined: Wed Dec 08, 2004 7:29 am
Location: Sacramento, CA

Tue Jun 28, 2005 3:40 am

He's got 1:1 NAT set up; disabling the masquerading rule will only cripple his network and leave all his clients without an internet connection..

1:1 NAT forwards all ports destined for a specific public IP address to a private IP address.. there's nothing else that needs to be done (unless there's a firewall rule blocking the required VoIP ports). This is most likely a client side issue.

I have a question for dwright.. how are you using a public network (208.xx.xx.xx) for a private address space?

Valid reserved IPv4 addresses are as follows (according to RFC1918):

10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
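
Added example (not part of any post in this thread, and not MikroTik code): a small Python model of first-match evaluation over the three NAT rules dwright posted, plus a check against the RFC 1918 ranges listed above. The addresses are constructed documentation-range stand-ins for the elided 69.x.x.140 and 208.x.x.140, and the router WAN address is an assumption.

```python
import ipaddress

# Constructed stand-ins (documentation ranges) for the addresses the thread elides.
PUBLIC_1TO1 = "203.0.113.140"   # role of 69.x.x.140
INSIDE_1TO1 = "198.51.100.140"  # role of 208.x.x.140
ROUTER_WAN = "203.0.113.1"      # assumed address on the "To Router" interface

# The three posted rules, in order. None means "match any address".
RULES = [
    {"chain": "srcnat", "src": INSIDE_1TO1, "dst": None, "to": PUBLIC_1TO1},  # 0 src-nat
    {"chain": "srcnat", "src": None, "dst": None, "to": ROUTER_WAN},          # 1 masquerade
    {"chain": "dstnat", "src": None, "dst": PUBLIC_1TO1, "to": INSIDE_1TO1},  # 2 dst-nat
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def translate(chain, src, dst, rules=RULES):
    """First matching rule in the chain wins.

    Returns (rule_number, new_src, new_dst); rule_number is None when nothing
    matches and the new connection passes untranslated. Replies to existing
    connections are handled by connection tracking and are not modelled here.
    """
    for number, rule in enumerate(rules):
        if rule["chain"] != chain:
            continue
        if rule["src"] not in (None, src) or rule["dst"] not in (None, dst):
            continue
        if chain == "srcnat":
            return number, rule["to"], dst
        return number, src, rule["to"]
    return None, src, dst


def is_rfc1918(addr):
    """True only for the three RFC 1918 blocks (not ipaddress.is_private,
    which also covers documentation and other special-purpose ranges)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


if __name__ == "__main__":
    remote = "192.0.2.50"  # constructed address for the VoIP provider
    print(translate("srcnat", INSIDE_1TO1, remote))    # customer out: rule 0
    print(translate("srcnat", "10.0.0.7", remote))     # other client: rule 1
    print(translate("dstnat", remote, PUBLIC_1TO1))    # inbound to 1:1 IP: rule 2
    print(translate("dstnat", remote, ROUTER_WAN))     # inbound to shared IP: none
```

Passing a rule list without rule 1 leaves a 10.x source untranslated, which is the outcome wildbill442 describes for the other clients.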