How can I setup Mikrotik firewall for SIP-phones? I copied some rules from this article https://www.3cx.com/docs/mikrotik-firew ... iguration/ and successfully got in- and out-voice traffic (my PBX is not 3cx, there are just example rules for me). But also I'm getting spam calls now.
Questions:
1) Now SIP service ports (NAT-helpers) are enabled in firewall. When I switch them off I get voice only in one direction. Shall I disable them or not?
2) How can I filter out spammers with dst-nat (only need my provider's PBX - i.e. 1.2.3.4)? I've added 1.2.3.4 IP address as source address in "PBX SIP UDP"-rule but voice has dissapeared completely. Calls were able btw. Did the same with "PBX Media UDP"-rule - unsuccessfully.
3) This router also gives out Internet for users (separate local network, local port 3 on router). How can I disable Internet access from phones network (port 4 on router) and left only SIP-telephony there? I mean user mustn't have a possibility to disconnect phone from switch, connect PC there and use Internet.
Also need I this "fasttrack" rule or it can be deleted?
4) I need to use IP-phones with addresses from 192.168.1.0/24 and 192.168.2.0/24 networks together. No problems with phones from 192.168.1.0. I get troubles only when I'm use my testing phone with address 192.168.2.10. Therefore I want to ask - how incoming calls are possible for 192.168.1.0-phones without any dstnat-rules at all? When I had empty NAT-table (only masquerade for users' Internet) I had successfull calls to 192.168.1.0-phones from Internet-based phones.

192.168.1.1 - my PBX.
Here are my firewall rules with some disactivated rules removed:
> ip firewall filter p
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough

1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked log=no log-prefix=""

2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""

3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""

4 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1 log=no log-prefix=""

6 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""

9 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

10 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked log=no log-prefix=""

12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""

13 ;;; defconf: drop all from WAN to LAN not DSTNATed (copied this rule from somewhere. It has never worked, has 0 counter on packets)
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=yes log-prefix=""

> ip firewall nat p
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; defconf: masquerade
chain=srcnat action=masquerade out-interface-list=WAN ipsec-policy=out,none

2 ;;; PBX SIP UDP
chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=5060 protocol=udp dst-port=5060 log=yes log-prefix=""

3 ;;; PBX SIP TCP
chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=5060 protocol=tcp dst-port=5060 log=no log-prefix=""

4 ;;; PBX SIP TLS
chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=5061 protocol=tcp dst-port=5061 log=no log-prefix=""

5 ;;; PBX Media UDP
chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=9000-20999 protocol=udp in-interface-list=WAN dst-port=9000-20999 log=no log-prefix=""

No answers?

It is a difficult subject with many pitfalls. Probably not many persons want to write yet another tutorial, just for you.

It is a difficult subject with many pitfalls. Probably not many persons want to write yet another tutorial, just for you.

OK, thank you. Very useful forum.
Never will recommend anybody buying Mikrotik due to lack of support, bad attitude to customers and unfriendly community.

You are just expecting too much. Tutorials exist, forum topics exist, youtube movies exist on the mikrotik channel.
It is a difficult subject, not possible to explain it in a short forum reply, you will have to study and search it yourself.

Also do not expect the community support OTHER product... contact 3CX, not MikroTik.

As ISP, if someone ask help, after successfull wireless or wired connection, to configure Apple-TV the reply is: ask Apple or who has sell you the Apple-TV...

@GreenFirefly,

I have been using and installing several 3CX PBX's successfully and without any problems all behind Mikrotik routers and was happy to help, but with such a negative comment I will pass on to help you.

@GreenFirefly,

I have been using and installing several 3CX PBX's successfully and without any problems all behind Mikrotik routers and was happy to help, but with such a negative comment I will pass on to help you.

As I've said - unfriendly mikrotik community is so unfriendly.
People here are quite arrogant, don't even give links to materials. Just "It's to hard, go and learn somewhere".
Why do you write so many words? Write simply "RTFM" ang pass by.

Also do not expect the community support OTHER product... contact 3CX, not MikroTik.

As ISP, if someone ask help, after successfull wireless or wired connection, to configure Apple-TV the reply is: ask Apple or who has sell you the Apple-TV...

Sorry for misguidance. My PBX is not 3cx. I've just copied firewall rules from 3cx tutorial.

4) I need to use IP-phones with addresses from 192.168.1.0/24 and 192.168.2.0/24 networks together. No problems with phones from 192.168.1.0. I get troubles only when I'm use my testing phone with address 192.168.2.10. Therefore I want to ask - how incoming calls are possible for 192.168.1.0-phones without any dstnat-rules at all? When I had empty NAT-table (only masquerade for users' Internet) I had successfull calls to 192.168.1.0-phones from Internet-based phones.

I also have used a lot of SIP phones, connected to remote registrars, behind a MT Router.
My experience is, that this just works.
Therefore my best guess is, that you do have a "problem" in your firewall forwarding rule.
Enable LAN segment 192.168.2.0/24 in the interface list, that allows the accept to the forward chain (standard setting is, that this is your net named "LAN" in the interface list)

I also have used a lot of SIP phones, connected to remote registrars, behind a MT Router.
My experience is, that this just works.

I've got the answer for my forth question on the other forum.
When PBX sends its register packets (from port 5060), router opens this port because packets belong to outcoming new connection that is allowed by source NAT (masquerade). Incoming answers to this initial packets are allowed because they belong to established connection (trivial NAT's work).
PBX sends these register packets periodically so 5060 is always opened (though there is keepalive-parameter but nevermind).
Also I've been told that SIP-ALG inspects initial SIP/SDP-packets and opens 2 ports for RTP- and RTCP-protocol (and I found them in SDP-packet "Ringing"). These ports become opened too.
Thing that I didn't understand - how does it work without SIP-ALG? Somebody has to send packets in order to open ports for RTP-traffic. I suppose my local PBX does it.

Thing that I didn't understand - how does it work without SIP-ALG? Somebody has to send packets in order to open ports for RTP-traffic. I suppose my local PBX does it.

Normally either it does not work (e.g. audio in one direction or no audio at all), or the firewall rules are too broad and you get the spam calls. It is difficult (and without SIP-ALG probably impossible) to get it to work exactly right.

For the correct working of your 3CX PBX SIP-ALG must be disabled on the Mikrotik Router.
This might be helpful, https://www.3cx.com/docs/mikrotik-firew ... iguration/

kr

For the correct working of your 3CX PBX SIP-ALG must be disabled on the Mikrotik Router.
This might be helpful, https://www.3cx.com/docs/mikrotik-firew ... iguration/

kr

do not have any 3CX...

Sorry for misguidance. My PBX is not 3cx. I've just copied firewall rules from 3cx tutorial.

Hi,

I too made a post with same exact problem with my own SIP server inside the lan

i can connect sip extensions from inside the network but not from wan and i didnt get any help

i figured out myself after digging so many articles and found SIP-ALG is the culprit

Disabling that also didnt work mikrotik have strange bug sometimes u have to restart the router after disabling SIP ALG and after doing that wholaaaa i can register my SIP extensions from outside the wan.

:)

I have multiple corporate setups with voip systems with Mikrotik. No problems at all.

ALG and sip helper can help you. If you know howto implement it the right way. Also direct media can mess-up or help you

Just take your time to make sure you're going the right way, instead of being negative about this forum. Your lack of knowledge isn't someone else his problem!

Watch the MUM video about sip helper and howto debug with Wireshark https://youtu.be/tM7wyKdnIKA

Glad I could help.