Telephony
SofroN, 2018-10-31 11:26:40

Mikrotik does not pass rtp traffic to sip telephony. Where is the mistake?

Good afternoon
There are two offices, 192.168.1.0/24 and 192.168.10.0/24, with an L2TP tunnel configured between them. Routes are configured. Ping passes.
In the first there is a PBX (automatic telephone exchange), in the second an AddPac AP200D. Both devices are configured and were working on the old TP-Link via an external IP address.
The AddPac registers on the PBX normally. On an incoming call, the signaling also goes through fine. When the call is answered (handset picked up), the calling party still hears long beeps. The receiving party hears silence.
Judging by tcpdump on the MikroTik in the office with the AddPac, the response RTP packets do not go to the destination network.
When everything worked through an external IP, the scheme was:
PBX (static ip) - tp-link (static ip) - addpac
I also tried the following scheme, without results:
PBX (static ip) - mikrotik (static ip) - addpac
Now the scheme is:
PBX (192.168.1.151) - mikrotik (static ip) - l2tp (192.168.100.1) - l2tp (192.168.100.178) - mikrotik (static ip) - addpac (192.168.10.151)

Mikrotik1 (office with PBX)
/ip firewall address-list
add address=192.168.1.0/24  list=office-networks
add address=192.168.10.0/24  list=office-networks
add address=192.168.100.0/24  list=office-networks
add address=GGG.GGG.GGG.GGG  list=remote-office
/ip firewall filter
add action=drop chain=input  connection-state=invalid log-prefix=DROP-INVALID-INPUT
add action=drop chain=forward  connection-state=invalid log-prefix=DROP-INVALID-FORWARD
add action=drop chain=input  log-prefix=BLACK-LIST src-address-list=black-list
add action=accept chain=input  protocol=icmp
add action=accept chain=forward  src-address-list=office-networks
add action=accept chain=input  src-address-list=office-networks
add action=accept chain=input  src-address=192.168.100.0/24
add action=accept chain=input  in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment=VPN dst-port=1701,500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input  dst-port=1723 protocol=tcp src-address-list=remote-office
add action=accept chain=input  src-address-list=remote-office
add action=drop chain=forward  log-prefix=DROP-FORWARD
add action=drop chain=input  log-prefix=DROP-INPUT
/ip firewall mangle
add action=mark-connection chain=input  connection-mark=no-mark in-interface=RT new-connection-mark=ISP1-IN passthrough=yes
add action=mark-connection chain=input  connection-mark=no-mark in-interface=ether2-wan new-connection-mark=ISP2-IN \
    passthrough=yes
add action=mark-routing chain=output  connection-mark=ISP1-IN new-routing-mark=ISP1-ROUTE passthrough=no
add action=mark-routing chain=output  connection-mark=ISP2-IN new-routing-mark=ISP2-ROUTE passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat  out-interface=RT
add action=masquerade chain=srcnat  out-interface=ether2-wan
/ip firewall service-port
set sip disabled=yes sip-direct-media=no

 > ip route print          
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/32                         RT                       10
 1 A S  0.0.0.0/0                          ether2-wan                1
 2 A S  0.0.0.0/0                          RT                       10
 3 ADS  0.0.0.0/0                          MMM.MMM.MMM.1              1
 5 ADC  MMM.MMM.MMM.0/25    MMM.MMM.MMM.66   ether2-wan                0
 6 ADC  192.168.1.0/24     192.168.1.253   default-bridge            0
 7 ADC  192.168.2.0/24     192.168.2.252   voip-bridge               0
 8 ADC  192.168.3.0/24     192.168.3.1     video-bridge              0
 9   S  192.168.10.0/24    192.168.1.253   GH-vpn                    1
Mikrotik (office with addpac)
/ip firewall address-list
add address=GGG.GGG.GGG.178  list=remote-office
add address=MMM.MMM.MMM.66  list=remote-office
add address=192.168.100.0/24 comment=VPN list=office-networks
add address=192.168.10.0/24  list=office-networks
add address=192.168.1.0/24  list=office-networks
add address=AAA.AAA.AAA.AAA  list=remote-office
/ip firewall filter
add action=drop chain=input  connection-state=invalid
add action=drop chain=input  connection-state=invalid src-address-list=black-list
add action=drop chain=forward  connection-state=invalid
add action=accept chain=input in-interface-list=WAN protocol=icmp
add action=accept chain=input  connection-state=established,related
add action=accept chain=forward  connection-state=established,related
add action=accept chain=input  in-interface-list=!WAN src-address=192.168.10.0/24
add action=accept chain=forward  src-address-list=office-networks
add action=accept chain=forward  src-address-list=remote-office
add action=accept chain=input  protocol=ipsec-esp
add action=accept chain=input comment=VPN dst-port=1701,500,4500 protocol=udp
add action=accept chain=forward comment=fxo disabled=yes dst-address=192.168.10.151 dst-port=23,80,23000-23003 protocol=tcp
add action=accept chain=input  in-interface-list=!WAN src-address-list=office-networks
add action=accept chain=input  in-interface-list=!WAN src-address-list=remote-office
add action=drop chain=forward 
add action=drop chain=input  log-prefix=TT
/ip firewall mangle
add action=mark-connection chain=input connection-mark=no-mark in-interface=RT new-connection-mark=ISP1-IN passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=eth2-wan new-connection-mark=ISP2-IN passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1-IN new-routing-mark=ISP1-ROUTE passthrough=no
add action=mark-routing chain=output connection-mark=ISP2-IN new-routing-mark=ISP2-ROUTE passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=RT
add action=masquerade chain=srcnat out-interface=eth2-wan
add action=dst-nat chain=dstnat  dst-port=35023 protocol=tcp to-addresses=192.168.10.151 to-ports=23
add action=dst-nat chain=dstnat  dst-port=35080 protocol=tcp to-addresses=192.168.10.151 to-ports=80
add action=dst-nat chain=dstnat  disabled=yes dst-port=23000-23003 protocol=udp to-addresses=192.168.10.151
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes ports=5060,5061,23000,23001 sip-timeout=10m
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
 > ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          RT                        1
 1 A S  0.0.0.0/0                          eth2-wan                  2
 2 ADS  0.0.0.0/0                          RT                        1
 3  DS  0.0.0.0/0                          GGG.GGG.GGG.254            1
 4 A S  0.0.0.0/32                         eth2-wan                  2
 5 X S  0.0.0.0/32                         RT                        1
 6 ADC  GGG.GGG.GGG.1/32     GGG.GGG.GGG.GGG    RT                        0
 7 ADC  GGG.GGG.GGG.0/24    GGG.GGG.GGG.178  eth2-wan                  0
 8 A S  MMM.MMM.MMM.66/32   GGG.GGG.GGG.GGG    RT                        1
 9 A S  AAA.AAA.AAA.72/32   GGG.GGG.GGG.GGG    RT                        1
10   S  192.168.1.0/24     192.168.10.1    l2tp-triada               1
11 ADC  192.168.10.0/24    192.168.10.1    default-br                0
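
An added example, not part of the original post: a first-match walk over the forward chain posted for the router in the office with the addpac, showing which rule a given packet would hit. The rule model, the packet fields and the 203.0.113.5 test address are assumptions made for this example; the remote-office list is left empty because its addresses are masked on the page.

```python
import ipaddress

# Transcribed from the "office with addpac" config above (forward chain only).
OFFICE_NETWORKS = ["192.168.100.0/24", "192.168.10.0/24", "192.168.1.0/24"]
REMOTE_OFFICE = []  # masked on the page (GGG/MMM/AAA), so left empty here

FORWARD_RULES = [
    {"action": "drop", "state": "invalid"},               # no log-prefix: silent drop
    {"action": "accept", "state": "established,related"},
    {"action": "accept", "src_list": OFFICE_NETWORKS},
    {"action": "accept", "src_list": REMOTE_OFFICE},
    {"action": "accept", "disabled": True,                # comment=fxo, disabled=yes
     "dst": "192.168.10.151", "proto": "tcp"},
    {"action": "drop"},                                   # final drop, also unlogged
]

def in_any(addr, nets):
    """True if addr falls inside any of the listed networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def first_match(rules, pkt):
    """Return (rule index, action) of the first enabled rule matching pkt."""
    for idx, rule in enumerate(rules):
        if rule.get("disabled"):
            continue
        if "state" in rule and pkt["state"] not in rule["state"].split(","):
            continue
        if "src_list" in rule and not in_any(pkt["src"], rule["src_list"]):
            continue
        if "dst" in rule and pkt["dst"] != rule["dst"]:
            continue
        if "proto" in rule and pkt["proto"] != rule["proto"]:
            continue
        return idx, rule["action"]
    return None, "accept"  # RouterOS accepts when no rule in the chain matches

def verdict(src, dst, state="new", proto="udp"):
    """Evaluate one packet against the posted forward chain."""
    pkt = {"src": src, "dst": dst, "state": state, "proto": proto}
    return first_match(FORWARD_RULES, pkt)

if __name__ == "__main__":
    print("RTP addpac -> PBX, new:    ", verdict("192.168.10.151", "192.168.1.151"))
    print("RTP addpac -> PBX, invalid:", verdict("192.168.10.151", "192.168.1.151", "invalid"))
    print("outside source, new:       ", verdict("203.0.113.5", "192.168.10.151"))
```

Both drop rules in this chain carry no log-prefix, so a packet classified as invalid or falling through to the final drop leaves no trace in the router log.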


1 answer(s)
SofroN, 2018-11-08
@SofroN

Addpac has been tested on three PBXs. Two of them are ELTEX, one in the office, the second at the provider. And on Asterisk. All have the same problem.
Addpac will return.
