I'd like to make wifi calling working but everything I tried seem doesn't work.
Please could someone share his/her settings for that?

Operator states:
Minimal parameters: to successful call must used Wi-Fi router support transfer of internet security IP Sec and have this parameters: IP Protocol Type ESP 50 and/or IP Protocol Type UDP (Port 500), IP Protocol Type UDP (Port 4500), NAT translation time out under 2 minutes. Upload min. 100 kb/s for voice call and 1 Mb/s for video call.

I have hAP ac with RouterOS 6.47 (stable)
Service is enabled on provider. Settings are enabled in settings of my mobile - latest Android 10.
I don't see any possible transmission regard VoWIFI in Torch

It seems I miss something basic.

My experience is that home gateway (e.g. Mikrotik) has to be transparent enough for outgoing connections and that's about it. It's phone which establishes IPsec tunnel to MNO's core network and it does that immediately after registering to WiFi-enabled network.
Default ROS setup should be fine.

Ah, yes, also ISP has to allow IPsec (originating from customers), I can imagine some ISPs might block it for some reason.

Hello,

I've got a similar problem...look: viewtopic.php?f=2&t=162126

Apparently it's some kind of IPsec passthrough issue on Mikrotik...unfortunately I've haven't found a way to solve this yet. May be the Mikrotik team can help us on that issue...

Regards,
Rodrigo

Make sure you are not blocking IPSec traffic (protocols or ports) in the forward table coming from your LAN side.

Also, check your DNS cache to see if the devices are resolving 3gpp FQDN pointing to the telco core network for VoWiFi (you can also setup QoS for that traffic):

Hello Martin,

In my case, the iPhone still connect to IMS core and I can even make and receive calls...but it looses the registry regularly and fallbacks to the cellular network.

I’ve tested on a simple TP-Link mesh router, and this symptom doesn’t occurs.

Very odd... :-/

I'm afraid only sniffing the traffic on the Tik may give a clue here. The only things to come to my mind are that the iPhone would not send keepalives frequently enough and the Mikrotik firewall would close the UDP pinhole (the default lifetime of a UDP pinhole is 3 minutes), or that the iPhone's LAN IP would change and so the pinhole would become obsolete. Both seem quite unlikely to me, though. So sniff to file and see what happens before the registration is lost.

I agree with @sindy. Many other factors could contribute to the observed issue.

Please tell us more about your deployment (WiFi AP or other details). And don’t forget:

I think in my case it's the mobile (Xiaomi A2) issue - I don't see any related traffic in Torch (nor packet sniffer in android). Weird - the VoWiFi is enabled.
I should see some related traffic in torch, right?

As I wrote: when mobile connects to WLAN, it tries to establish IPsec tunnel to MNOs core network. So torch should show some related activity at that time. If mobile can't establish the tunnel, I don't think it retries as long as it's registered to same LAN. And int that case torch won't show anything further.
If, OTOH, IPsec tunnel is established, there will be activity (voice calls, text messages, other mobile signalling), but torch will only see encrypted traffic.

Just to be sure: SIM card subscription includes VoWiFi service? It's not automatic/mandatory service for LTE subscribers ...

Yes, VoWiFi service is active and verified by provider (I asked their support).
What is enough to tell phone to try initiate VoWiFi connection again? Toggle Flight mode, WiFi or reboot?

What is enough to tell phone to try initiate VoWiFi connection again? Toggle Flight mode, WiFi or reboot?

Toggle WiFi (keep WiFi disabled few tens of seconds to allow phone properly resume operations natively using mobile network before changing to WiFi again). Toggling flight mode would probably do it as well.

/ip firewall service-port
set h323 ports=1720
set sip ports=5060,5061,500,4500,5222,3478,80,443 sip-direct-media=yes sip-timeout=3m

ip -> firewall -> service ports -> set sip ports=500,4500,5060,5061,5080,5081,5082

This is nonsense! VoWIFI is not a SIP service. It uses IPsec.
Phones will make outgoing traffic to UDP port 500 of their service provider, then to UDP port 4500.
They will exchange regular packets to keep the connection alive.

No special configuration is required for this under normal circumstances, unless you have firewalled everything shut.

set sip-timeout to 3 minutes (default) and exclude service-ports from fasttrack (action=accept before fasttrack rule) so ALGs could do their work..

it works for me..

You are probably talking about installation of a SIP app and configuring that to make calls via some SIP server.
That is not what is commonly known as VoWIFI. VoWIFI is a service provided by telecom companies in addition to their VoLTE service (voice over 4G/5G), that does not use SIP directly on the network, but rather sets up an IPsec tunnel over UDP port 500/4500 and does not require an ALG on the local router.

okay, thanks for your response..

then here is a feature request

allow to set special connection timeout for VOWIFI ports (UDP/500 and UDP/4500).. instead of generic UDP timeout..

many people cant increase UDP timeout because it is used for Denial of Service attacks..

On this forum, feature requests can be only raised within a specific topic dedicated to them. You can also issue a support ticket. The official way to open feature requests is via your distributor.

I have a rough idea of an ugly workaround which involves a hairpin tunnel and spoofing of UDP packets that would update the pinhole created for the VoWiFi connection. But your mobile operator must be really specific if their VoWiFi gateway doesn't send the IPsec keepalives on its own.

Unfortunately UGLY mobile operators go UGLY about IPsec keepalives, too.

OK, are you interested in the UGLY workaround then?

sure why not

OK. So the idea is based on the fact that the connection tracking itself (not the firewall as a whole) only takes into account the IP part of the packets (addresses, protocol, and ports) - it doesn't care about in/out interface or MAC addresses. Also, to reset the timeout of the connection, it is enough that a packet belonging to that connection passes in either direction.

So if we can generate UDP packets with exactly the same source and destination addresses and ports like those sent by the phone to the VoWiFi gateway, these will be enough to update the pinhole on the Mikrotik itself and on eventual other routers between the Mikrotik and the internet.

We cannot assign the address of the phone to the Mikrotik itself as it would prevent Mikrotik from ever sending anything to the phone, but we can use src-nat to replace the own address of the Mikrotik by the one of the phone. As src-nat is executed as one of the last actions on an outgoing packet, and as we need this translation to be handled by another tracked connection than the VoWiFi pinhole, we need to push the packet through the packet stack twice; to do that, we use a hairpin tunnel.

So you set up and empty bridge interface (with no ports), like br-local, and attach to it two own adresses of the Mikrotik, such as 127.0.0.1/32 and 127.0.0.2/32. Then you create two ipip tunnels - ipip1 with local-address=127.0.0.1 and remote-address=127.0.0.2, and ipip2 with these addresses swapped. So whatever you send via ipip1 will come back as a new packet via ipip2 and vice versa. To route our keepalive packets via ipip1, add a default route with gateway=ipip1 and routing-mark=via-hairpin.

Now we have to send the packets. The lowest packet rate you can achieve with tool traffic-generator seems to be 1 pps which would be way too much, so you need a scheduled script that will be starting and stopping the traffic generator once a minute or so, or you have to use resolve or tool traceroute to send the packets to the required destination. /tool traceroute seems to be the best choice to me as you can easily control their the TTL so the keepalive packets will only get as far as you need them to get to update all the keepalives but not to the VoWiFi gateway, so even if it happens to be picky, we won't make it angry. The destination will be the address and port of the VoWiFi gateway; as the Mikrotik itself will be sending them, you can use a mangle rule in chain output to assign them a routing-mark via-hairpin; the "real" packets from the phone do not pass through the output chain so they will not be affected.

The last step before actually starting to send the packets is to set up a src-nat rule setting both to-addresses and to-ports to those used by the phone, and acting on out-interface=ipip1.

If this proof of concept works, you can proceed to using the scheduled scripts also to search for the VoWiFi connections in the /ip firewall connection list and to dynamically update the src-nat rule so that you could spoof keepalive packets from multiple phones. As the connection tracking will treat a spoofed packet from the same local address and port as one belonging to an existing spoofed connection, you will need a unique address:port combination for each phone. As the phones do not always use port 4500 for VoWiFi (just checked mine uses 14500), you cannot use a single static rule. And to be sure that the connections will be unique, you will need to create as many local addresses as there will be phones.