NAT table not cleared correctly

HExSM · Fri Nov 17, 2017 4:01 pm

Issue:
PBX cannot re-register with the SIP trunk, after connection loss

Description:
I am using an Asterisk based PBX behind a Microtik RB3011UiAS. The PBX connects to a SIP trunk. Every 24 hours we have a forced disconnection of the internet connection. After the forced disconnection, the PBX tries to log on to the SIP trunk again. The PBX sends packets to the SIP trunk, but there are no response packets in the RouterBoard. A new connection can only be established after restarting the RouterBoard, disconnecting the PBX connection or changing the SIP port.

Versions affected:
6.39.3, 6.40.4, 6.40.5 tested

How to reproduce:
1) Establish Internet connection via PPPoE
2) Register Asterisk based PBX (e.g. FreePBX) to SIP trunk
3) Disable PPPoE interface and wait a few seconds
4) Enable PPPoE interface

Network setup:

+----------------+          +---------------+          +------------+            +-------------+
|       PBX      |  ether6  |   RB3011UiAS  |  ether1  | VDSL modem |  Internet  |  SIP trunk  |
| 192.168.111.79 |----------| 192.168.111.1 |----------|  10.0.0.1  |------------| 95.128.80.5 |
+----------------+          +---------------+          +------------+            +-------------+

Firewall settings:

/ip firewall filter
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=accept chain=input comment="OpenVPN remote connection" dst-port=443 in-interface=pppoe-telekom protocol=tcp
add action=drop chain=input comment="drop all from WAN" in-interface=pppoe-telekom
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=reject chain=forward comment="reject connection from guest to office lan" in-interface=bridge_guest out-interface=!pppoe-telekom reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="drop invalid connection" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-telekom

/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade wan1" out-interface=pppoe-telekom

Connection tracking before internet connection reset:

[admin@router01] /ip firewall connection> print where src-address~"192.168.111.79:5060"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 #          PROTOCOL SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT     ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS      ORIG-BYTES      REPL-BYTES
 0  SAC Fs  udp      192.168.111.79:5060   95.128.80.5:5060                  2m57s            0bps      0bps            1            3             588           1 067

Connection tracking after internet connection reset:

[admin@router01] /ip firewall connection> print where src-address~"192.168.111.79:5060"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 #          PROTOCOL SRC-ADDRESS           DST-ADDRESS           TCP-STATE   TIMEOUT     ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS      ORIG-BYTES      REPL-BYTES
 0    C  s  udp      192.168.111.79:5060   95.128.80.5:5060                  58s           9.4kbps      0bps            5            0           2 940               0

Notes:
There seems to be a problem with NAT, because after restarting the RouterBoard or changing the port, the connection is immediately reestablished. Deleting the connection from the connection tracking does not solve the problem.

Support TicketID:
Ticket#2017112222000777

Best regards,
Stefan

Anumrak · Fri Nov 17, 2017 9:20 pm

What type of NAT do you use? Auto associate NAT only on masquerade works.

HExSM · Fri Nov 17, 2017 9:48 pm

I just have set up src-nat with masquerade.

Anumrak · Fri Nov 17, 2017 10:26 pm

I just have set up src-nat with masquerade.

And?

HExSM · Fri Nov 17, 2017 11:38 pm

Well, that's it?

I don't know what information you are asking for. If you can specify them I will provide you all information I can get to solve my problem!

Anumrak · Sat Nov 18, 2017 10:25 am

If you're already using masquerade, then I don't know what is the problem. Maybe in Asterisk server.

HExSM · Sat Nov 18, 2017 1:03 pm

The problem seems to be that there are some old connection states saved, even if I clear the connection table. I have every 24h a disconnect and after the disconnect the asterisk doesn't connect to my SIP trunk anymore. I can only reconnect if I disconnect the asterisk for 5-10 minutes or if I reboot the router. I used wireshark and can see that asterisk is sending REGISTER packets, but I never receive a packet from the SIP trunk.

HExSM · Mon Nov 20, 2017 3:28 pm

Firewall configuration added to first post

kujo · Mon Nov 20, 2017 11:20 pm

Do you receive new IP on wan interface thought DHCP or there's static one? Sip providers often firewalling clients connection and make a static entry user-ip. Sip use udp, udp-timeout (time; Default: 10s)

Yours respectfully!

HExSM · Tue Nov 21, 2017 12:18 am

Hello kujo,
my public IP is static. It makes no difference if I set a timeout of 1 minute, 10 seconds, 1 second or 0.
Like I said, if I reboot the router everything is working fine. If I disconnect the PBX for at least 5 Minutes everything works fine. And another method I tried: If I change the PBX port from 5060 to another port like 5080 it also works fine.
If I remove the connection from the connection table it creates a new connection in a few seconds, but it's still a non working connection. The PBX is sending SIP REGISTER packets but I don't get answer packets. I tried to log them with a firewall rule, but nothing. That makes sense, because there seems to be a problem with the NAT. The router remembers something that I cannot remove. For me it looks like a bug in the routerOS.

kujo · Tue Nov 21, 2017 8:24 am

You may try In firewall services disable sip helper

Yours respectfully!

HExSM · Tue Nov 21, 2017 10:07 am

Hi kujo,

thank you for the advice. It's already disabled. I just forgot to mention it.

Best regards
Stefan

kujo · Tue Nov 21, 2017 3:44 pm

Ok. Can you past /ip firewall nat export compact?

Yours respectfully!

kujo · Tue Nov 21, 2017 3:44 pm

Ok. Can you past /ip firewall nat export compact?

Yours respectfully!

HExSM · Tue Nov 21, 2017 5:19 pm

Ok. Can you past /ip firewall nat export compact?

You can find my settings in the start post. I will change that from "codebox" to "code". It should be better visible

For NAT it's just that:

/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade wan1" out-interface=pppoe-telekom

kujo · Wed Nov 22, 2017 7:24 am

Ok. There are all good in ip firewall. Try turn on packet sniffer on all interface and udp and port 5060. How the packers arrive? Look at connection tracker when you make outgoing call. Look at asterisk console, 'sip show peers', and calls log. You also can turn on debug on specific sip channel!

Yours respectfully!

HExSM · Wed Nov 22, 2017 10:34 am

I already did that with wireshark. Before the connection was lost everything works fine. PBX is sending SIP REGISTER/OPTIONS packet and gets an answer from the SIP trunk. After the connection was lost the PBX is sending out SIP REGISTER/OPTIONS packets to the SIP trunk, but I don't receive any packets from the SIP trunk. I tested that with 2 different SIP trunks and after a reboot of the RouterBoard it is working again.
Debugging on the PBX makes no sense, because it doesn't receive packets from the SIP trunk.

p3rad0x · Wed Nov 22, 2017 11:03 am

What usually happens om my network is the reply dst-address is incorrect.

Instead of it being the public ip address it ends up being the private ip address of the router or sip device.

Its almost as if NAT did not work when the link came back up.

Manually removing the connection from connection tracking solves the problem for me at least.

HExSM · Wed Nov 22, 2017 11:19 am

Hi p3rad0x,

the Reply Dst. Address is correct. It's my public IP.
It's also correct in the SIP message header.

Removing the connection manually or by script from the connection tracking doesn't solve the problem.

Best regards
Stefan

kujo · Wed Nov 22, 2017 11:25 am

Stefan, can you start packet sniffer at mikrotik router? /tool packet sniffer

Yours respectfully!

HExSM · Wed Nov 22, 2017 11:32 am

Stefan, can you start packet sniffer at mikrotik router? /tool packet sniffer

I did and redirected the output to wireshark.

Before the connection was lost everything works fine. PBX is sending SIP REGISTER/OPTIONS packet and gets an answer from the SIP trunk. After the connection was lost the PBX is sending out SIP REGISTER/OPTIONS packets to the SIP trunk, but I don't receive any packets from the SIP trunk.

kujo · Thu Nov 23, 2017 12:01 am

Response packet arrive to Wan interface?

Yours respectfully!

kujo · Thu Nov 23, 2017 12:05 am

Response packet from SIP provider arrive to Wan interface?

HExSM · Thu Nov 23, 2017 9:42 am

No, I don't receive any response packets after internet reset from the SIP provider. I already tried another SIP provider and there it's the same problem.

tangram · Thu Nov 23, 2017 4:55 pm

If you restart the modem from telekom instead of the mikrotik does it work ?

HExSM · Thu Nov 23, 2017 6:29 pm

If you restart the modem from telekom instead of the mikrotik does it work ?

Hi tangram,

that's something I hadn't tried yet. That's why I just tested it and I have the same problem that the PBX doesn't register anymore.

Best regards
Stefan

kujo · Thu Nov 23, 2017 9:45 pm

Try open a ticket in support system of tour SIP provider. If provider don't send to you SIP responses it means, that problem not at router point view!

Yours respectfully!

HExSM · Thu Nov 23, 2017 11:04 pm

Well, I tried 2 different SIP provider and both have the same problem. And why does it work directly, if I restart the router? For the provider it shouldn't make a difference if the router restarts or if the internet connection is gone.

kujo · Fri Nov 24, 2017 9:29 am

My friend, i'am work with two SIP provider simultaneously without any problem(one asterisk server with different external IP address nated through mikrotik). If your router don't receive any packets from provider of SIP, where you mean problem occur?

Yours respectfully!

HExSM · Fri Nov 24, 2017 9:50 am

I receive packets from the SIP provider, but only until the Internet connection is disconnected. If I restart the router, the internet connection is also disconnected. But after the restart the connection to the SIP provider is immediately reestablished without any problems.
If it would be a problem of the SIP provider, then the problem would have to occur after a restart of the router, but it does not.

kujo · Fri Nov 24, 2017 12:39 pm

Packet sniffer on mikrotik can view all packets to the wan interface(before nat and after nat! No packets no SIP service))) Try change mikrotik to the ... dlink, still problem occur?

Yours respectfully!

kujo · Fri Nov 24, 2017 12:44 pm

You can also export compact, without sensitive info, your config and put here...

Yours respectfully!

HExSM · Fri Nov 24, 2017 2:22 pm

I tried it with our old pfsense router and at the beginning it looked like the problem was the same. I have reset the internet connection and the PBX could no longer log on to the SIP trunk. BUT here it was enough to delete the connection from the connection table and a new connection was established immediately. Exactly this doesn't seem to work properly with the Mikrotik Router, so that there are still some leftovers.

Here is my complete configuration:

[admin@router01] > /export compact hide-sensitive 
/caps-man channel
add band=5ghz-a/n/ac control-channel-width=20mhz extension-channel=Ceee frequency=5180 name=ch36
add band=2ghz-g/n control-channel-width=20mhz extension-channel=disabled frequency=2472 name=ch13
/interface bridge
add name=bridge_guest
add name=bridge_office
/interface ethernet
set [ find default-name=ether1 ] name=ether1_wan
set [ find default-name=ether2 ] name=ether2_wan
set [ find default-name=ether6 ] name=ether6_switch_master
set [ find default-name=ether7 ] master-port=ether6_switch_master name=ether7_switch
set [ find default-name=ether8 ] master-port=ether6_switch_master name=ether8_switch
set [ find default-name=ether9 ] master-port=ether6_switch_master name=ether9_switch
set [ find default-name=ether10 ] master-port=ether6_switch_master name=ether10_switch
/ip neighbor discovery
set ether1_wan discover=no
/caps-man datapath
add bridge=bridge_office client-to-client-forwarding=yes name=default
add bridge=bridge_guest client-to-client-forwarding=no name=guest
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=default
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm name=guest
/caps-man configuration
add channel=ch13 country=germany datapath=default mode=ap name=cfg_2,4 rx-chains=0,1 security=default ssid=Office tx-chains=0,1
add datapath=guest mode=ap name=cfg_guest security=guest ssid=Guest
add channel=ch36 country=germany datapath=default mode=ap name=cfg_5 rx-chains=0,1,2 security=default ssid=Office tx-chains=0,1,2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_default ranges=192.168.111.101-192.168.111.199
add name=dhcp_guest ranges=192.168.112.101-192.168.112.199
add name=dhcp_ovpn10 ranges=192.168.113.37-192.168.113.38
add name=dhcp_ovpn9 next-pool=dhcp_ovpn10 ranges=192.168.113.33-192.168.113.34
add name=dhcp_ovpn8 next-pool=dhcp_ovpn9 ranges=192.168.113.29-192.168.113.30
add name=dhcp_ovpn7 next-pool=dhcp_ovpn8 ranges=192.168.113.25-192.168.113.26
add name=dhcp_ovpn6 next-pool=dhcp_ovpn7 ranges=192.168.113.21-192.168.113.22
add name=dhcp_ovpn5 next-pool=dhcp_ovpn6 ranges=192.168.113.17-192.168.113.18
add name=dhcp_ovpn4 next-pool=dhcp_ovpn5 ranges=192.168.113.13-192.168.113.14
add name=dhcp_ovpn3 next-pool=dhcp_ovpn4 ranges=192.168.113.9-192.168.113.10
add name=dhcp_ovpn2 next-pool=dhcp_ovpn3 ranges=192.168.113.5-192.168.113.6
add name=dhcp_ovpn1 next-pool=dhcp_ovpn2 ranges=192.168.113.1-192.168.113.2
/ip dhcp-server
add address-pool=dhcp_default disabled=no interface=bridge_office lease-time=10h name=dhcp_default
add address-pool=dhcp_guest disabled=no interface=bridge_guest lease-time=12h name=dhcp_guest
/ppp profile
add dns-server=192.168.111.1 local-address=dhcp_ovpn1 name=ovpn remote-address=dhcp_ovpn1 use-encryption=required
add change-tcp-mss=yes name=wan
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1_wan name=pppoe-telekom profile=wan use-peer-dns=yes user=user@t-online-com.de
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=cfg_2,4 slave-configurations=cfg_guest
add action=create-dynamic-enabled hw-supported-modes=ac,an master-configuration=cfg_5 slave-configurations=cfg_guest
/interface bridge port
add bridge=bridge_office interface=ether6_switch_master
/interface ovpn-server server
set auth=sha1 certificate=OVPN-Server cipher=aes128 default-profile=ovpn enabled=yes port=443 require-client-certificate=yes
/ip address
add address=192.168.111.1/24 interface=bridge_office network=192.168.111.0
add address=192.168.112.1/24 interface=bridge_guest network=192.168.112.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1_wan
/ip dhcp-server network
add address=192.168.111.0/24 dns-server=192.168.111.1 domain=office gateway=192.168.111.1
add address=192.168.112.0/24 dns-server=192.168.112.1 gateway=192.168.112.1
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=accept chain=input comment="OpenVPN remote connection" dst-port=443 in-interface=pppoe-telekom protocol=tcp
add action=drop chain=input comment="drop all from WAN" in-interface=pppoe-telekom
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=reject chain=forward comment="reject connection from guest to office lan" in-interface=bridge_guest out-interface=!pppoe-telekom reject-with=icmp-admin-prohibited
add action=drop chain=forward comment="drop invalid connection" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-telekom
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade wan1" out-interface=pppoe-telekom
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set www disabled=yes
/lcd
set time-interval=hour
/ppp secret
add name=openvpnuser profile=ovpn service=ovpn
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=router01
/system scheduler
add comment="move daily DSL-disconnect to late night" interval=1d name="DSL reconnect" on-event=dsl_reconnect policy=reboot,read,write start-date=oct/26/2017 start-time=03:00:00
/system script
add name=dsl_reconnect owner=admin policy=reboot,read,write source=\
    \n:log info \"Script dsl_reconnect - scheduled DSL-disconnect executed.\"\r\
    \n\
    \n/system reboot"
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=pppoe-telekom
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=pppoe-telekom
/tool sniffer
set filter-direction=rx filter-interface=pppoe-telekom filter-ip-address=95.128.80.5/32 filter-stream=yes streaming-enabled=yes streaming-server=192.168.111.199

kujo · Fri Nov 24, 2017 3:20 pm

/ppp profile add dns-server=192.168.111.1 local-address=dhcp_ovpn1 name=ovpn remote-address=dhcp_ovpn1 use-encryption=required add change-tcp-mss=yes name=wan
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1_wan name=pppoe-telekom profile=wan use-peer-dns=yes user=user@t-online-com.de

Can you change profile to default in your pppoe connection?
Show your routing table when all work, and after connection reset!
In connection tracker Winbox view, display options Reply src.addr and Reply dst. addr

HExSM · Fri Nov 24, 2017 3:58 pm

I just copied the default profile to wan to add an interface up/down script for wan interfaces, so I can clear the connection table if the state changes. But I changed it back to default for testing and it doesn't help.
Because I don't want to make our public IP public I changed it to a pseudo IP.

Routing table before internet reset:

[admin@router01] > /ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-telekom             0
 1 ADC  192.168.111.0/24   192.168.111.1   bridge_office             0
 2 ADC  192.168.112.0/24   192.168.112.1   bridge_guest              0
 3 ADC  10.0.0.2/32        10.0.0.1        pppoe-telekom             0

Routing table after internet reset:

[admin@router01] > /ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          pppoe-telekom             0
 1 ADC  192.168.111.0/24   192.168.111.1   bridge_office             0
 2 ADC  192.168.112.0/24   192.168.112.1   bridge_guest              0
 3 ADC  10.0.0.2/32        10.0.0.1        pppoe-telekom             0

Detailed connection table before internet reset:

[admin@router01] > /ip firewall connection print detail where src-address~"192.168.111.79:5060"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 0  SAC Fs  protocol=udp src-address=192.168.111.79:5060 dst-address=95.128.80.5:5060 reply-src-address=95.128.80.5:5060 reply-dst-address=10.0.0.1:5060 timeout=2m51s orig-packets=738 orig-bytes=442 050 orig-fasttrack-packets=66 orig-fasttrack-bytes=43 380 repl-packets=3 426 repl-bytes=842 899 repl-fasttrack-packets=1 547 repl-fasttrack-bytes=576 377 orig-rate=0bps repl-rate=0bps

Detailed connection table after internet reset:

[admin@router01] > /ip firewall connection print detail where src-address~"192.168.111.79:5060"
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 
 0    C  s  protocol=udp src-address=192.168.111.79:5060 dst-address=95.128.80.5:5060 reply-src-address=95.128.80.5:5060 reply-dst-address=10.0.0.1:5060 timeout=53s orig-packets=25 orig-bytes=14 700 orig-fasttrack-packets=0 orig-fasttrack-bytes=0 repl-packets=0 repl-bytes=0 repl-fasttrack-packets=0 repl-fasttrack-bytes=0 orig-rate=0bps repl-rate=0bps

tangram · Fri Nov 24, 2017 4:04 pm

In firewall connection tracking there are some timeouts you can play with.
Talking about udp stream, timeout is at 3 mins and generic timeout at 10 min.
Try to lower the stream timeout to let them "expire" faster. Maybe you'll find a "sweet spot" that you're happy with so that other types of traffic are not affected.

HExSM · Fri Nov 24, 2017 4:17 pm

That's also something I already tried and no matter what time I choose, the problem remains.

It makes no difference if I set a timeout of 1 minute, 10 seconds, 1 second or 0.

kujo · Fri Nov 24, 2017 4:27 pm

Why in routes no pref.source in pppoe default route?
There must be your ext address.
This route is Dynamic. Remove from profile "add default route". Disable pppoe. Add this route manually with pref.source! Enable pppoe

HExSM · Fri Nov 24, 2017 4:53 pm

I don't know what this is good for, but I've tried it.

[admin@router01] > /ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0          10.0.0.1        pppoe-telekom             1
 1 ADC  192.168.111.0/24   192.168.111.1   bridge_office             0
 2 ADC  192.168.112.0/24   192.168.112.1   bridge_guest              0
 3 ADC  10.0.0.2/32        10.0.0.1        pppoe-telekom             0

There's no difference. The PBX cannot log on to the SIP trunk.

Can you perhaps explain to me what the advantage is if I enter this manually?

che · Fri Nov 24, 2017 9:35 pm

I highly suggest that you don't use double-NAT in cases of IP telephony. Judging by one of the posted connection details (reply-dst-address=10.0.0.1:5060) you are doing some sort of DMZ on VDSL modem? Put it in bridge mode, or if it is not possible try this after PPPoE disconnects:

/ip firewall connection remove [find reply-dst-address~"10.0.0.1"]

If it helps, add that line to PPP / Profiles / your profile / On Down:

kujo · Sat Nov 25, 2017 1:35 am

I hope that adsl mobem in bridge mobe(Disable dhcp client on ether1-wan interface ) Print sip connection at now, please

Yours respectfully!

HExSM · Sat Nov 25, 2017 11:50 am

This may have been a bit confusing, but 10.0.0.1 is just my public IP. Of course, the modem is in bridge mode. Otherwise I would not establish a PPPoE connection via the router but use the modem for it.

kujo · Sat Nov 25, 2017 7:14 pm

Yep, if you need hide your public IP use something like this 1.1.1.1, not private pools! Maybe its asterisk sip.config problem? Do you use provider recommend config? And try install bugfix only image on mikrotik

Yours respectfully!

blajah · Sat Nov 25, 2017 10:01 pm

Try to disable SIP helper in

/ip firewall service-port

razavim · Sun Nov 26, 2017 7:53 am

I saw that you have bridge interface try to check the /bridge setting use-ip-firewall

Please go to /ip setting and choose rp-filter to loose

Sent from my SM-N920T using Tapatalk

razavim · Sun Nov 26, 2017 7:53 am

I saw that you have bridge interface try to check the /bridge setting use-ip-firewall

Please go to /ip setting and choose rp-filter to loose

Sent from my SM-N920T using Tapatalk

HExSM · Mon Nov 27, 2017 10:32 am

Maybe its asterisk sip.config problem? Do you use provider recommend config? And try install bugfix only image on mikrotik

Yes, I am using the recommended configuration. I have tested the bugfix only image, but the problem remains.

Try to disable SIP helper

I have already tried SIP helper enabled and disabled.

I saw that you have bridge interface try to check the /bridge setting use-ip-firewall
Please go to /ip setting and choose rp-filter to loose

The setting use-ip-firewall is set to no and the setting rp-filter loose doesn't help either. But thank you for the suggestion, I hadn't tested it yet.

blajah · Mon Nov 27, 2017 10:44 am

Ok, one more thing you can try is to use RAW firewall, matching src/dst addresses with no-track action. This would skip connection tracker.

HExSM · Mon Nov 27, 2017 11:07 am

Ok, one more thing you can try is to use RAW firewall, matching src/dst addresses with no-track action. This would skip connection tracker.

If I do that, there are no more packages coming in from the SIP trunk. I also added forward rules to the firewall filter and inserted them before the fasttrack action.
But that shouldn't work anyway, because NAT will not work without connection tracking. Or am I wrong?

pe1chl · Mon Nov 27, 2017 11:16 am

NAT and SIP in combination is asking for trouble, and a non-cooperative ISP that is resetting the connection (and maybe even changing the address) only adds to the problem.

I would advise to configure IPv6 on your connection and use that, so you do not need NAT.
When your ISP or SIP provider don't support IPv6 I guess it is time to shop for some more competent suppliers...

blajah · Mon Nov 27, 2017 11:27 am

You're right, i wasn't thinking enough

HExSM · Mon Nov 27, 2017 11:46 am

NAT and SIP in combination is asking for trouble, and a non-cooperative ISP that is resetting the connection (and maybe even changing the address) only adds to the problem.
I would advise to configure IPv6 on your connection and use that, so you do not need NAT.
When your ISP or SIP provider don't support IPv6 I guess it is time to shop for some more competent suppliers...

You're right, i wasn't thinking enough

In Germany we unfortunately have a forced disconnection of the internet connection with ADSL/VDSL. A change of provider is already planned, but we will also have a forced separation every 180 days. There is also an internet connection without forced separation via SDSL, but we cannot and will not afford it.

The problem here is not NAT and VoIP, but that connections in the router are probably not disconnected properly. And for me it's still a bug in RouterOS, until someone can show me a configuration issue

You're right, i wasn't thinking enough

No problem, it was worth a try

pe1chl · Mon Nov 27, 2017 12:17 pm

In Germany we unfortunately have a forced disconnection of the internet connection with ADSL/VDSL. A change of provider is already planned, but we will also have a forced separation every 180 days. There is also an internet connection without forced separation via SDSL, but we cannot and will not afford it.

I think it is time that the Germans petition a change in this ridiculous policy and get internet connections that just remain connected until an equipment failure occurs.
I have seen that "daily disconnection" thing a lot in discussions and also see it on connections we have with Germans.
Here in the Netherlands your VDSL can be up for a year when you are lucky. (of course interruptions happen due to network maintenance or faults, but not daily)

The problem here is not NAT and VoIP, but that connections in the router are probably not disconnected properly. And for me it's still a bug in RouterOS, until someone can show me a configuration issue

The issue only raises its head because you are using NAT! The router has to keep track of all connections it has NATted, and when it does not have to NAT this issue does not occur either.
So try it with IPv6. Don't dare telling me that there is no IPv6 in Germany, or I might spill my coffee.

HExSM · Mon Nov 27, 2017 12:44 pm

I think it is time that the Germans petition a change in this ridiculous policy and get internet connections that just remain connected until an equipment failure occurs.
I have seen that "daily disconnection" thing a lot in discussions and also see it on connections we have with Germans.
Here in the Netherlands your VDSL can be up for a year when you are lucky. (of course interruptions happen due to network maintenance or faults, but not daily)

I guess that will never happen.
This is the same problem why mobile data volume in Germany is limited and expensive. No one would buy more landline Internet and of course the German providers want to prevent that. That's two ways to make money. But that's OT

The issue only raises its head because you are using NAT! The router has to keep track of all connections it has NATted, and when it does not have to NAT this issue does not occur either.
So try it with IPv6. Don't dare telling me that there is no IPv6 in Germany, or I might spill my coffee.

Of course the issue is that I am using NAT, I 100% agree with you. But if I use the command to remove connections and it doesn't clear everything, than it's a bug in RouterOS. And this bug should be removed. IPv6 would be a workaround, but than maybe nobody would work on the root of the issue.

Cha0s · Mon Nov 27, 2017 1:21 pm

What happens if you disable connection tracking and then re-enable it?

/ip firewall connection tracking set enabled=no
/ip firewall connection tracking set enabled=yes

From what you wrote I understand that you manually (or with scripting) clear the connections in connection tracking but not disabling the whole thing altogether. Maybe that will get connection tracking 'unstuck'?

[offtopic]
And here I though that only my country had bad internet policy with a stupid limitation of 10% upload over the download speed. Or naming VDSL as a Fiber service (damn marketing departments...)

But forcing a disconnect on you every 24h is ridiculous. I wonder how Germans accept that stupid policy!
Then again, in countries like Australia or Canada they still have monthly data caps, so... I guess we shouldn't complain, there are worse situations out there

Out of curiosity, what is the reasoning behind this periodic forced disconnect policy?

Mobile data plans are a completely different beast. There you have to deal with dinosaur telecommunications companies that need to charge everything based on volume/time. It's like an addiction to them

ISPs usually tend to be more openminded... or not...
[/offtopic]

HExSM · Mon Nov 27, 2017 2:12 pm

What happens if you disable connection tracking and then re-enable it?
Code: Select all
/ip firewall connection tracking set enabled=no
/ip firewall connection tracking set enabled=yes
From what you wrote I understand that you manually (or with scripting) clear the connections in connection tracking but not disabling the whole thing altogether. Maybe that will get connection tracking 'unstuck'?

I already had the same idea. Unfortunately, it didn't work out.

But forcing a disconnect on you every 24h is ridiculous. I wonder how Germans accept that stupid policy!
Then again, in countries like Australia or Canada they still have monthly data caps, so... I guess we shouldn't complain, there are worse situations out there

Out of curiosity, what is the reasoning behind this periodic forced disconnect policy?

Currently, all Internet connections are completely switched to IP based connections. If you then have such a connection, the connection is "only" interrupted every 180 days.
Alleged reasons for the forced separation: First, to prevent servers from being hosted and second, because the providers have only a limited number of IP addresses and are therefore interested in ensuring that no addresses are wasted for unused connections.

pe1chl · Mon Nov 27, 2017 2:19 pm

Of course the issue is that I am using NAT, I 100% agree with you. But if I use the command to remove connections and it doesn't clear everything, than it's a bug in RouterOS. And this bug should be removed. IPv6 would be a workaround, but than maybe nobody would work on the root of the issue.

NAT is only a workaround for the migration period to IPv6. Once IPv6 is fully deployed there is no more reason for many-to-1 NAT and issues like this (trouble with NAT-unfriendly protocols) disappear.
I think you should consider IPv6 the solution.

Also you are not the only one with those issues (Asterisk trunk connections lost when behind German ISP) and there are special Asterisk solutions to re-establish the connection in that case.

MWComms · Thu Nov 30, 2017 2:40 am

Hi Forum Users, I am delighted to know i am not the only person experiencing this.

Issue Summary

* Same issue. When running PPPoE tunnel over VDSL, if VDSL tunnel drops / re-auths, the trunk becomes unreachable until the router has been rebooted.
* The issue is NOT limited to NAT / PBX's on private networks. This also affects systems on PUBLIC IP's.
* All other TCP/UDP traffic remains unaffected and continues to pass.

Things to Note.

* Country: Australia.
* Provider: We are an ISP, We use our own ranges. We auth our own customers. We run our own LNS.
* Static IP: Yes.
* Internet Type: NBN / VDSL.

* Network Engineer.
* SIP Engineer.
* Changed Routers from HAP to RB2011.
* Run MPLS / Voice Networks up the Eastern Seabord, using over 100 MikroTik's & Redback SE Series.

Hardware Software In-Use.

(Provider Details)
* LNS, Redback Smartedge 100.
* VMWare ESX 5.5 (Trunk Hypervisor).
-> VMXNet3 NIC.
-> VMware Tools Installed.
-> CentOS 6.5.
-> Asterisk 11.7.0.
-> Public Address: Yes.

(Customer Details)
* Netcomm NF10WV VDSL Modem (Bridged).
* HP Elitedesk 8000 (ESXi -> PBX).
* MikroTik HAP Lite and RB2011UiAS (PPPoE Dialler, Router, Firewall).
* HP OfficeConnect 1920 (PoE Switch).
* ESXi v6.5.
-> VMXNet3 NIC
-> VMware Tools Installed
-> FreePBX Distro v6.
-> FWConsole version 13.0.192.8
-> Asterisk Version 13.14.0
-> Public Address: Yes
-> Private Address: Yes

The following behaviour has been observed when the issue occurs.

* SIP Debug (no apparent SIP responses are recieved by either side, e.g. OPTIONS, INVITE).
* Capture via TCPDump reveals that the packet is being sent by both instances of Asterisk but nothing being recieved on remote end.
* MikroTik Conntrack shows the session but no repl bytes / packets are recorded. This is further reflected by a lack of 'Seen Reply' flag.

The following steps have been attempted to detemrmine the cause and workable solution at the customer site WITHOUT REBOOTING. They have NOT worked.

* Reset sessions in MikroTik Conntrack.
* Stop Asterisk for 10 Minutes
* Reboot Asterisk
* Reboot Hypervisor
* SIP ALG on/off (tried both, does not matter).
* Static Default Route (with pref src set).
* PPPoE Dialler profile set to 'Default'.
* Redirect and retargetted 5080, (translated remotely to 5060), the trunk becomes reachable until a subsequent disconnect/reauth.
* Redirect and retargetted 5060, the trunk remains unreachable.
* Added port forward udp:<publicip>:5080->udp:<privateip>:5060

The following steps have been attempted to detemrmine the cause and workable solution at the provider site. They have NOT worked.

* Added redirect (IPTABLES POSTROUTING) ports from 5080 -> 5060 on Trunk box.
* Changed customer target port to 5080. The trunk becomes reachable until a subsequent disconnect/reauth.
* Changed customer target port back to 5060. The trunk remains unreachable.

Supplemental.

* I had set up the same test conditions at my lab. With RB2011, PPPoE (over true Fibre Optic) with VMWare workstation and a FreeBSD 10.3 / Asterisk 13 Server. I could not reproduce the error.
* Routed a public /30 to the customer.
* Added vlan interface to MikroTik w/ public IP.
* Added vlan inerface / portgroup to PBX.
* Assigned public IP to PBX.
* Changed last resort gw to new public /30.
* Removed NAT rules, specific to SIP / VoIP.
* Reconfigured SIP configs to listen/connect via/on new public IP.
* Established bi-directional trunk.
* Forced disconnect/re-auth of PPPoE.
* Trunk becomes unreachable until Reboot.

My thoughts.

* I suspect the MikroTik's kernel, subsequent to the disconnect/reauth is no longer processing the SIP packets, irrespective of the port used prior to the disconnect.
* It appears session beccomes stuck in the kernel likely due to internal RouterOS interface / session identification no longer existing.

kujo · Thu Nov 30, 2017 10:04 pm

Turn off connection tracker and check again)

Yours respectfully!

HExSM · Fri Dec 01, 2017 5:39 pm

Wow... Finally someone who has the same problem

I'm in contact with the Mikrotik support, but it seems they have no idea what could cause the problem.

Turn off connection tracker and check again)

Without connection tracker NAT isn't working anymore. So that's no solution.

MWComms · Sun Dec 03, 2017 2:33 pm

Turn off connection tracker and check again)

Why would we globally switch off conntrack? This would strip vital functionality.

If you are referring to the latest test iteration where there is no NAT in my setup, then an IP > Firewall > Raw > udp:5060:notrack had been added but did not resolve the issue.

MWComms · Sun Dec 03, 2017 2:38 pm

MikroTik Support may like to replicate the issue with Asterisk Trunks & PPPoE Client and then track/debug the packet(s) through the kernel to see what happens to them. That would be my suggestion.

Happy to help them do it too.

kujo · Sun Dec 03, 2017 5:00 pm

I have one sip connection through pppoe and one through ethernet static. NO PROBLEM THERE!

Yours respectfully!

MWComms · Mon Dec 04, 2017 12:08 am

I have one sip connection through pppoe and one through ethernet static. NO PROBLEM THERE!

Is your 'sip connection' from an IP phone or a SIP trunk?

Perhaps if we had informative responses from our peers, instead of one liner's we may be able to narrow down the problem to help come to a solution.

HExSM · Mon Dec 04, 2017 1:30 pm

Perhaps if we had informative responses from our peers, instead of one liner's we may be able to narrow down the problem to help come to a solution.

What do you mean with "peers"?

HExSM · Tue Dec 05, 2017 5:27 pm

Don't dare telling me that there is no IPv6 in Germany, or I might spill my coffee.

Please record a video

There are providers that offer IPv6. Unfortunately, ours doesn't yet.
So we have to use NAT. And no, we can't change the provider.. There is a contract with a duration of about 11 months.

pe1chl · Tue Dec 05, 2017 7:13 pm

I think the approach in Germany is quite different from here in the Netherlands.
When we would have providers that do such silly things as regularly interrupt the connection or not provide IPv6 we would just make a lot of noise on the social media and/or the consumer programme on TV and we'll see the spokesmen promise that it will be fixed.
Several such actions have been taken against incompetent providers and they don't like such publicity so they usually change the behaviour.

StubArea51 · Wed Dec 06, 2017 6:00 pm

Will be interesting to see what comes of this. I've had the exact same issue of having to clear UDP/5060 sessions manually when there is a failover or outage. I've not put much time into troubleshooting as it doesn't happen very often, but it seems to be the same issue everyone else is having.

pe1chl · Wed Dec 06, 2017 6:55 pm

It is due to the use of NAT with a protocol that is not NAT-friendly. When you stop using NAT your problem will be solved.

HExSM · Thu Dec 07, 2017 12:55 am

It is due to the use of NAT with a protocol that is not NAT-friendly. When you stop using NAT your problem will be solved.

But until the connection was reset it works without any problem. The issue is definitely RouterOS. With pfsense I also have the same problem. I have an open connection in the states table. But unlike RouterOS I can immediately reregister to the SIP provider, after I removed that dead connection from the state table. So yes, it's a default behaviour to get a dead connection, but removing that dead connection does not work correctly on RouterOS.

MWComms · Thu Dec 07, 2017 3:08 am

It is due to the use of NAT with a protocol that is not NAT-friendly. When you stop using NAT your problem will be solved.

With respect, your assessment is incorrect. If you read my submission, you will note that one of my troubleshooting steps was to add a publicly routable subnet to remove NAT from the equation.

In my own experience, the issue persists while NAT is not used.

pe1chl · Thu Dec 07, 2017 10:36 am

In my system, I have an issue when I put my phone behind NAT and connect to two different VoIP providers, however it works OK when I put one of the providers on a network without NAT.
I don't see those permanently lost connections, however my IP address never changes and interruptions only occur due to technical reasons, not scheduled every day.
There are enough variables to make it a complex matter...

che · Thu Dec 07, 2017 12:13 pm

In my own experience, the issue persists while NAT is not used.

In that case the conclusion is that PPP tunnel is the problem, not NAT.

che · Mon Dec 11, 2017 10:30 am

I've forgot to ask, have you recreated (deleted and then created it again) PPPoE client interface in these situations?

HExSM · Tue Dec 12, 2017 6:04 pm

I've forgot to ask, have you recreated (deleted and then created it again) PPPoE client interface in these situations?

Hi che,

that works! I created a copy of the PPPoE client interface and disconnected it. Than I enabled the copied version and the connection was reestablished.
After that I deleted the copied version and did a reset like I did before. And you know what? The connection was reestablished!

I spent weeks and the solution for me was to make a copy of the PPPoE client interface?! You must be kidding..

I'm gonna watch this for a week and report back.

Thank you sharing that idea!

Best regards
Stefan

MWComms · Mon Jan 08, 2018 5:03 am

I too will check regarding the PPPoE interface creation and report back.

mTwUser · Wed Mar 14, 2018 10:54 am

I've forgot to ask, have you recreated (deleted and then created it again) PPPoE client interface in these situations?

Same problem, do we have to recreate a PPoE Interface now everytime? This can't be a long term solution... as of now multiple Clients have to be restarted every day because of this bug. IMO the issue is not resolved, this a temporary work around.

maxfava · Mon May 07, 2018 1:28 pm

To me it happening when I have multiple ISP and mascherade

btw, this is what happen when you reset the pppoe
a) the router has default gateway pppoe ISP
b) reset the pppoe, cause that there is a window where the routing table is without the default routing.
c) during this window the connection tracking is reset / error due to no default gateway
d) when pppoe return the connection tracking is not able to re-create appropriate dst/reply or is not routing the calls from the sip client to the pppoe

as per my experience.
a) use static default route and disable check gateway feature.
b) in your src-nat instead of using mascherade use src-nat as described in wiki
https://wiki.mikrotik.com/wiki/Manual:I ... _or_NAT444

add action=src-nat to-addresses=[your public ip] to-ports=3100-5199 src-address=[your local subnet]

other action, instead of delete the single connection tracking, what I did is disable the connection tracking and enable it again after few seconds.

let me know.

Kamrans55 · Fri Aug 27, 2021 9:31 pm

Anyone having issue of no browsing or B.W dip for 5mins randomly in mikrotik these days?

Who is online