Mikrotik does not pass rtp traffic to sip telephony. Where is the mistake?
Good afternoon
There are two offices, 192.168.1.0/24 and 192.168.10.0/24, with an L2TP tunnel configured between them. Routes are configured and ping passes.
The first office has the PBX (automatic telephone exchange); the second has an AddPac AP200D. Both devices are configured and work on the old TP-Link via an external IP address.
The AddPac registers on the PBX normally. On an incoming call, the signaling also goes through fine. But when the call is answered (the handset is picked up), the calling party still hears long beeps and the receiving party hears silence.
Judging by tcpdump on the MikroTik in the office with the AddPac, the RTP response packets do not go to the destination network.
When everything worked through an external IP, the scheme was as follows:
PBX (static ip) - tp-link (static ip) - addpac
I also tried the following scheme, without success:
PBX(static ip) - mikrotik(static ip) - addpac
Now the scheme is:
PBX(192.168.1.151) - mikrotik(static ip) - l2tp(192.168.100.1) - l2tp(192.168.100.178) - mikrotik(static ip) - addpac(192.168.10.151)
# Firewall export of the router whose connected LAN is 192.168.1.0/24
# (the PBX office, per the route table printed after this export).
/ip firewall address-list
# office-networks: both office LANs plus 192.168.100.0/24, the range the L2TP tunnel endpoints use.
add address=192.168.1.0/24 list=office-networks
add address=192.168.10.0/24 list=office-networks
add address=192.168.100.0/24 list=office-networks
# remote-office: public address of the other site (masked by the author).
add address=GGG.GGG.GGG.GGG list=remote-office
/ip firewall filter
# Rules are evaluated top to bottom; the first matching rule decides.
# NOTE(review): this export shows no connection-state=established,related accept rule in
# either chain, so a reply packet is accepted only if its own source address matches one of
# the accept rules below -- confirm against the full configuration.
# NOTE(review): every log-prefix here appears without log=yes, so these drops are presumably
# not written to the log; enabling logging on the final forward drop is the direct way to see
# whether RTP is being discarded on this router.
add action=drop chain=input connection-state=invalid log-prefix=DROP-INVALID-INPUT
add action=drop chain=forward connection-state=invalid log-prefix=DROP-INVALID-FORWARD
# Drops everything to the router itself from addresses in black-list.
add action=drop chain=input log-prefix=BLACK-LIST src-address-list=black-list
add action=accept chain=input protocol=icmp
# Inter-office forwarding is allowed purely by source address: anything whose source is in
# office-networks is forwarded, in either direction.
add action=accept chain=forward src-address-list=office-networks
add action=accept chain=input src-address-list=office-networks
# Redundant with the rule above: 192.168.100.0/24 is already a member of office-networks.
add action=accept chain=input src-address=192.168.100.0/24
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
# L2TP (1701) and IKE/NAT-T (500, 4500) are reachable from any WAN source.
# NOTE(review): if the tunnel is meant to run only inside IPsec, 1701 can be limited to
# IPsec-protected packets with the ipsec-policy=in,ipsec matcher -- confirm the tunnel setup first.
add action=accept chain=input comment=VPN dst-port=1701,500,4500 in-interface-list=WAN protocol=udp
# PPTP control port from the remote site; made redundant by the next rule.
add action=accept chain=input dst-port=1723 protocol=tcp src-address-list=remote-office
# NOTE(review): accepts ALL input from the remote site's public address, with no port or
# interface restriction, so every service on the router is reachable from that address and
# the only check is the source IP.
add action=accept chain=input src-address-list=remote-office
# Default deny for both chains.
add action=drop chain=forward log-prefix=DROP-FORWARD
add action=drop chain=input log-prefix=DROP-INPUT
/ip firewall mangle
# Dual-WAN reply steering for traffic addressed to the router itself: connections arriving on
# a WAN interface are marked in chain=input, and the router's own replies (chain=output) get
# the matching routing mark. Forwarded traffic is not marked by these rules.
add action=mark-connection chain=input connection-mark=no-mark in-interface=RT new-connection-mark=ISP1-IN passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=ether2-wan new-connection-mark=ISP2-IN \
passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1-IN new-routing-mark=ISP1-ROUTE passthrough=no
add action=mark-routing chain=output connection-mark=ISP2-IN new-routing-mark=ISP2-ROUTE passthrough=no
/ip firewall nat
# Source NAT only on the two WAN interfaces; no masquerade rule names the tunnel interface,
# so traffic leaving through the tunnel keeps its private source address.
add action=masquerade chain=srcnat out-interface=RT
add action=masquerade chain=srcnat out-interface=ether2-wan
/ip firewall service-port
# SIP connection-tracking helper is disabled, so the router does not rewrite addresses inside
# SIP/SDP; sip-direct-media presumably has no effect while the helper is off.
set sip disabled=yes sip-direct-media=no
> ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/32 RT 10
1 A S 0.0.0.0/0 ether2-wan 1
2 A S 0.0.0.0/0 RT 10
3 ADS 0.0.0.0/0 MMM.MMM.MMM.1 1
5 ADC MMM.MMM.MMM.0/25 MMM.MMM.MMM.66 ether2-wan 0
6 ADC 192.168.1.0/24 192.168.1.253 default-bridge 0
7 ADC 192.168.2.0/24 192.168.2.252 voip-bridge 0
8 ADC 192.168.3.0/24 192.168.3.1 video-bridge 0
9 S 192.168.10.0/24 192.168.1.253 GH-vpn 1
# Firewall export of the router whose connected LAN is 192.168.10.0/24
# (the AddPac office, per the route table printed after this export).
/ip firewall address-list
# remote-office holds public addresses (masked by the author); office-networks holds the two
# office LANs and the 192.168.100.0/24 tunnel range.
add address=GGG.GGG.GGG.178 list=remote-office
add address=MMM.MMM.MMM.66 list=remote-office
add address=192.168.100.0/24 comment=VPN list=office-networks
add address=192.168.10.0/24 list=office-networks
add address=192.168.1.0/24 list=office-networks
add address=AAA.AAA.AAA.AAA list=remote-office
/ip firewall filter
# Rules are evaluated top to bottom; the first matching rule decides.
add action=drop chain=input connection-state=invalid
# NOTE(review): this rule also requires connection-state=invalid, and the rule above has
# already dropped every invalid input packet, so it can never match. If the intent is to block
# everything from black-list, the connection-state matcher should not be here.
add action=drop chain=input connection-state=invalid src-address-list=black-list
add action=drop chain=forward connection-state=invalid
add action=accept chain=input in-interface-list=WAN protocol=icmp
# Stateful accept of reply traffic in both chains.
add action=accept chain=input connection-state=established,related
add action=accept chain=forward connection-state=established,related
# Local LAN may reach the router itself, provided the packet did not arrive on a WAN interface.
add action=accept chain=input in-interface-list=!WAN src-address=192.168.10.0/24
add action=accept chain=forward src-address-list=office-networks
# NOTE(review): remote-office contains public addresses. This rule is what lets them through
# the forward chain, including to the dst-nat targets defined in the nat section, and the
# only check is the source IP.
add action=accept chain=forward src-address-list=remote-office
# NOTE(review): the line below is garbled in the paste ("add actiadd"); presumably it reads
# "add action=accept chain=input protocol=ipsec-esp" on the router -- confirm.
add actiadd action=accept chain=input protocol=ipsec-esp
# L2TP (1701) and IKE/NAT-T (500, 4500) accepted from any source on any interface.
# NOTE(review): if the tunnel is meant to run only inside IPsec, 1701 can be limited to
# IPsec-protected packets with the ipsec-policy=in,ipsec matcher -- confirm the tunnel setup first.
add action=accept chain=input comment=VPN dst-port=1701,500,4500 protocol=udp
# Disabled rule: would open telnet, HTTP and 23000-23003/tcp on the AddPac to any source.
add action=accept chain=forward comment=fxo disabled=yes dst-address=192.168.10.151 dst-port=23,80,23000-23003 protocol=tcp
add action=accept chain=input in-interface-list=!WAN src-address-list=office-networks
add action=accept chain=input in-interface-list=!WAN src-address-list=remote-office
# Default deny for both chains.
add action=drop chain=forward
# NOTE(review): log-prefix appears without log=yes, so these drops are presumably not logged.
add action=drop chain=input log-prefix=TT
/ip firewall mangle
# Dual-WAN reply steering for traffic addressed to the router itself: connections arriving on
# a WAN interface are marked in chain=input, and the router's own replies (chain=output) get
# the matching routing mark. Forwarded traffic is not marked by these rules.
add action=mark-connection chain=input connection-mark=no-mark in-interface=RT new-connection-mark=ISP1-IN passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=eth2-wan new-connection-mark=ISP2-IN passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1-IN new-routing-mark=ISP1-ROUTE passthrough=no
add action=mark-routing chain=output connection-mark=ISP2-IN new-routing-mark=ISP2-ROUTE passthrough=no
/ip firewall nat
# Source NAT only on the two WAN interfaces; no masquerade rule names the tunnel interface.
add action=masquerade chain=srcnat out-interface=RT
add action=masquerade chain=srcnat out-interface=eth2-wan
# Port-forwards to the AddPac's telnet (23) and HTTP (80) management ports.
# NOTE(review): these dst-nat rules have no in-interface, dst-address or src-address-list
# matcher, so they translate matching TCP traffic from any source on any interface; which
# sources actually get through is decided only by the forward chain. Telnet and HTTP are
# cleartext, so scoping these rules to the known remote addresses, or managing the device over
# the tunnel instead, narrows the exposure.
add action=dst-nat chain=dstnat dst-port=35023 protocol=tcp to-addresses=192.168.10.151 to-ports=23
add action=dst-nat chain=dstnat dst-port=35080 protocol=tcp to-addresses=192.168.10.151 to-ports=80
# Disabled: UDP 23000-23003 forward to the AddPac.
add action=dst-nat chain=dstnat disabled=yes dst-port=23000-23003 protocol=udp to-addresses=192.168.10.151
/ip firewall service-port
# All connection-tracking helpers are disabled. The sip entry still carries custom ports and a
# timeout, which presumably have no effect while disabled=yes is set; with the helper off the
# router does not rewrite addresses inside SIP/SDP.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes ports=5060,5061,23000,23001 sip-timeout=10m
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
> ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 RT 1
1 A S 0.0.0.0/0 eth2-wan 2
2 ADS 0.0.0.0/0 RT 1
3 DS 0.0.0.0/0 GGG.GGG.GGG.254 1
4 A S 0.0.0.0/32 eth2-wan 2
5 X S 0.0.0.0/32 RT 1
6 ADC GGG.GGG.GGG.1/32 GGG.GGG.GGG.GGG RT 0
7 ADC GGG.GGG.GGG.0/24 GGG.GGG.GGG.178 eth2-wan 0
8 A S MMM.MMM.MMM.66/32 GGG.GGG.GGG.GGG RT 1
9 A S AAA.AAA.AAA.72/32 GGG.GGG.GGG.GGG RT 1
10 S 192.168.1.0/24 192.168.10.1 l2tp-triada 1
11 ADC 192.168.10.0/24 192.168.10.1 default-br 0