jfoshee
just joined
Topic Author
Posts: 13
Joined: Thu May 19, 2011 6:20 pm

NAT masquerade outbound port problem

Wed Jul 11, 2012 7:40 am

I have a problem with NAT masquerade on a Mikrotik RB750.

Here is the setup

Server <----> Internet <-----> RB750 <------> Phones

The phones that I am using are Cisco SPA942.

All phones have the local sip port and remote sip port set as 5080.

Here are the example IPs that I will be using for my example of what is happening.

Server 66.x.x.1
RB750 Public side 74.x.x.1 Private side 192.168.1.1
Phone - Phone1 192.168.1.100 Phone2 192.168.1.101

What is happening is that both phones will register to the server at 66.x.x.1. When the router board gets the packet it will masquerade the packet as its public IP address but it will not change the source ports. So when the 200 OK message comes back it will only go to one of the phones since the routerboard doesn't change the source ports of the packets when it nat/masquerades the internal address. Should the routerboard not change the source port so that it can keep track of the different clients in the private LAN that might source from the same port?
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: NAT masquerade outbound port problem

Wed Jul 11, 2012 7:45 am

> I have a problem with NAT masquerade on a Mikrotik RB750.
>
> Here is the setup
>
> Server <----> Internet <-----> RB750 <------> Phones
>
> The phones that I am using are Cisco SPA942.
>
> All phones have the local sip port and remote sip port set as 5080.
>
> Here are the example IPs that I will be using for my example of what is happening.
>
> Server 66.x.x.1
> RB750 Public side 74.x.x.1 Private side 192.168.1.1
> Phone - Phone1 192.168.1.100 Phone2 192.168.1.101
>
> What is happening is that both phones will register to the server at 66.x.x.1. When the router board gets the packet it will masquerade the packet as its public IP address but it will not change the source ports. So when the 200 OK message comes back it will only go to one of the phones since the routerboard doesn't change the source ports of the packets when it nat/masquerades the internal address. Should the routerboard not change the source port so that it can keep track of the different clients in the private LAN that might source from the same port?

That's not how masquerade works, it doesn't change the source port. NAT with SIP is difficult. Do LOTS of forum reading, there have been lots of trials and errors here, and you should be able to piece together to make something work for your particular scenario.
 
jfoshee
just joined
Topic Author
Posts: 13
Joined: Thu May 19, 2011 6:20 pm

Re: NAT masquerade outbound port problem

Wed Jul 11, 2012 7:50 am

I have done lots of forum reading. My two choices are either to have every phone internally use a different sip port or turn on sip ALG. What disadvantage does sip ALG have?
 
jandafields
Forum Guru
Posts: 1515
Joined: Mon Sep 19, 2005 6:12 pm

Re: NAT masquerade outbound port problem

Wed Jul 11, 2012 8:00 am

> I have done lots of forum reading. My two choices are either to have every phone internally use a different sip port or turn on sip ALG. What disadvantage does sip ALG have?

You may be referring to SIP HELPER, not ALG because Mikrotik doesn't have the actual SIP ALG. Anyway, it seems that many people have better success when disabling the SIP HELPER because it does things behind the scenes that you are unaware of and you can't troubleshoot... it really is more trouble than help.
 
Prometej
just joined
Posts: 17
Joined: Sat Mar 10, 2012 6:58 am

Re: NAT masquerade outbound port problem

Wed Jul 11, 2012 9:58 am

Example for setting NAT:
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Networks private" \
disabled=no src-address-list=SRC-NAT
/ip firewall address-list
add address=10.254.23.128/28 disabled=no list=SRC-NAT
add address=192.168.30.2 disabled=no list=SRC-NAT
add address=192.168.21.0/24 disabled=no list=SRC-NAT

To change the destination port, you should use SNAT or DNAT.

Typically, IP phones use for incoming connections except for outgoing. You should set up port forwarding.
Please show your NAT configuration.
 
jfoshee
just joined
Topic Author
Posts: 13
Joined: Thu May 19, 2011 6:20 pm

Re: NAT masquerade outbound port problem

Wed Jul 11, 2012 5:47 pm

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
chain=srcnat action=masquerade out-interface=ether1-gateway

Very basic NAT here, just anything that goes out eth 1.

My problem is why doesn't the NAT change the source port when it does not. It basically just copies the ports that were used internally and applies them to the masquerade address. The problem is that the internal clients are using the same source ports. So when packets come back the firewall doesn't know which internal address to send them to, since the packets coming back are on the same source address.
 
karina
Member
Posts: 462
Joined: Sat Feb 06, 2010 2:18 am
Location: Spain

Re: NAT masquerade outbound port problem

Thu Jul 12, 2012 3:00 am

> I have done lots of forum reading. My two choices are either to have every phone internally use a different sip port or turn on sip ALG. What disadvantage does sip ALG have?

Trust me on this one. I spent many years struggling with SIP & NAT.

Mikrotik is the best router around for SIP,
Zyxel is the worst. If you have any Zyxel router in your topology, you must remove it before anything else and replace it with the RB equivalent.

I have 2000+ SIP endpoints behind 1 public IP, some behind a triple NAT scenario.

In the SIP device:
Every endpoint must use a unique local SIP port (in the admin, advanced, line.1 config page); do not use 5060 as the local port
In the same page enable "sip keep alive"
In the same page reduce the SIP registration timeout from the default 3600 to 60
Do not use STUN or proxy servers

MT router SIP helper = no
Non-MT router SIP ALG normally = yes (trial and error)

Try the above, I am confident your problems will be solved
 
karina
Member
Posts: 462
Joined: Sat Feb 06, 2010 2:18 am
Location: Spain

Re: NAT masquerade outbound port problem

Thu Jul 12, 2012 3:10 am

Forgot to ask. Is your server Asterisk based? The above solution assumes this.
 
jfoshee
just joined
Topic Author
Posts: 13
Joined: Thu May 19, 2011 6:20 pm

Re: NAT masquerade outbound port problem

Fri Jul 13, 2012 1:15 am

The server is freeswitch and I have aggressive nat on so it makes the client reg every 30 sec.

I have changed all the internal sip ports and it does work well now.

It is a pain though to have to manually set all the internal sip ports. Is this the only way?
 
karina
Member
Posts: 462
Joined: Sat Feb 06, 2010 2:18 am
Location: Spain

Re: NAT masquerade outbound port problem

Fri Jul 13, 2012 2:19 am

> The server is freeswitch and I have aggressive nat on so it makes the client reg every 30 sec.
>
> I have changed all the internal sip ports and it does work well now.
>
> It is a pain though to have to manually set all the internal sip ports. Is this the only way?

With Linksys Cisco stuff I am afraid yes. Thompson, Grandstream and some others can be set to use random internal ports.
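
The return-path ambiguity discussed in this thread, and the unique-local-port fix the topic author ended up using, as a small Python model. This is an added example, not code from any poster or from RouterOS. It assumes a NAT that keeps the original source port, as the topic author observed; the public IP, server address and starting port are constructed placeholders.

```python
"""Toy model of port-preserving source NAT for SIP phones (constructed)."""
from collections import defaultdict

PUBLIC_IP = "198.51.100.1"       # placeholder for the router's public side
SERVER = ("203.0.113.1", 5080)   # placeholder for the SIP server


def build_reply_table(phones):
    """Map each reply key to the internal endpoints that share it.

    A reply is matched on (public ip, public port, server ip, server port).
    Assumption: the NAT copies the phone's source port unchanged.
    """
    table = defaultdict(list)
    for lan_ip, sip_port in phones:
        key = (PUBLIC_IP, sip_port, *SERVER)
        table[key].append((lan_ip, sip_port))
    return table


def ambiguous_flows(phones):
    """Return the reply keys that more than one phone maps onto."""
    return {k: v for k, v in build_reply_table(phones).items() if len(v) > 1}


def assign_unique_ports(lan_ips, first_port=5080, reserved=(5060,)):
    """Give every phone its own local SIP port, skipping reserved ports."""
    plan, port = [], first_port
    for ip in lan_ips:
        while port in reserved:
            port += 1
        plan.append((ip, port))
        port += 1
    return plan


if __name__ == "__main__":
    # Both phones on local port 5080, as in the first post.
    before = [("192.168.1.100", 5080), ("192.168.1.101", 5080)]
    for key, owners in ambiguous_flows(before).items():
        print("ambiguous reply key", key, "->", owners)

    # One port per phone: every reply key has exactly one owner.
    after = assign_unique_ports([ip for ip, _ in before])
    print("port plan", after, "ambiguous:", ambiguous_flows(after))
```
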
