Al Tinho, 2015-10-26 10:34:41
Mikrotik

Polycom and firewall setup, where could be the error?

Hello everyone, I'm asking you for help because I'm already sick of this and I don't know where to dig!
The essence of the problem: there is a Polycom RPG 300 videoconferencing system and a firewall on a MikroTik, and I just can't set up a normal H.323 connection between the Polycom and the outside world. On the Polycom website they write what is needed for communication: you need to forward TCP port 1720 (forwarded, and traffic to it allowed in the rules), and then, to carry video and audio, you need to allow the dynamic ports UDP 3230-3235. I didn't quite understand what that is, but in the firewall I allowed traffic to this port range. For some reason the connection still doesn't work: either I can't see or hear the other party, or they can't see me. I attach the firewall config below:

/ip firewall filter
add chain=input comment=VPN dst-port=1701,500,4500 protocol=udp src-address-list=vpn
add chain=input dst-address=212.33.3.202 protocol=ipsec-esp
add chain=input comment="Accept Established" connection-state=established in-interface=ether1 log=yes log-prefix=Established
add chain=input comment="Accept related" connection-state=related in-interface=ether1 log=yes log-prefix="Accept related"
add chain=input comment=polycom dst-port=1720 in-interface=ether1 protocol=tcp
add chain=input disabled=yes dst-address=212.33.3.202 dst-port=49152-65535 in-interface=ether1 protocol=tcp
add chain=output dst-port=3230-3235 protocol=tcp
add chain=input dst-port=3230-3235 in-interface=ether1 protocol=tcp
add chain=output out-interface=lan protocol=udp src-port=3230-3235
add chain=input dst-port=3230-3235 in-interface=ether1 protocol=udp
add chain=forward disabled=yes dst-address=162.168.0.6 dst-port=3230-3235 out-interface=lan protocol=tcp src-address=212.33.3.202
add chain=forward disabled=yes dst-address=192.168.0.6 dst-port=3230-3235 out-interface=lan protocol=udp src-address=212.33.3.202
add chain=input comment="gtc support" src-address=82.198.164.22
add chain=input comment="gtc support" src-address=82.198.160.0/26
add chain=forward out-interface=lan
add chain=forward in-interface=lan
add chain=input disabled=yes in-interface=lan
add chain=input dst-limit=60/1m,5,src-address in-interface=ether1 protocol=icmp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list" in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" in-interface=ether1 protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" in-interface=ether1 protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" in-interface=ether1 protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" in-interface=ether1 protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" in-interface=ether1 protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" in-interface=ether1 protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=21,22,23,80 in-interface=ether1 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=21,22,23,80 in-interface=ether1 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=21,22,23,80 in-interface=ether1 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=21,22,23,80 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="dropping port scanners" in-interface=ether1 src-address-list="port scanners"
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="from WAN to 212" dst-address=212.33.3.202 dst-port=80 in-interface=ether1 protocol=tcp
add action=drop chain=output comment="from LAN to 212" out-interface=lan protocol=tcp src-address=212.33.3.202 src-port=80
add action=drop chain=input comment="Drop invalid connection packets" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment=VLAN out-interface=ether1 src-address=192.168.10.0/24
add action=dst-nat chain=dstnat comment=AD dst-port=6000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.11 to-ports=3389
add action=dst-nat chain=dstnat comment="WEB Service" dst-port=7000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.4 to-ports=80
add action=dst-nat chain=dstnat comment=Polycom in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=1720
add action=dst-nat chain=dstnat disabled=yes dst-port=11111 in-interface=ether1 protocol=tcp to-addresses=192.168.0.5 to-ports=1720
add action=redirect chain=dstnat comment="WEB Proxy" disabled=yes dst-port=80 protocol=tcp src-address=192.168.0.31-192.168.0.76 to-ports=8080
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp src-address=192.168.0.78-192.168.0.249 to-ports=8080

Tell me, where is the mistake?


1 answer(s)
Alexander Romanov, 2016-03-22
@moneron89

In the firewall, change the input chain to forward in the rule that opens port 1720 (because dst-nat works in prerouting). In NAT you have two dst-nats; the one with comment=Polycom sends ALL TCP traffic to 192.168.0.6:1720. I'm not sure you need it; turn it off. In general it is not advisable to use the output chain: that is traffic generated by the router itself.
Sort out the firewall. To understand it better, use this material. Yes, it's hard, but it's easier to figure it out once.
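To see why the answer says the port-1720 rule belongs in forward rather than input, and why a dstnat rule with no dst-port catches every TCP connection, here is a small Python model (added here; it is not code from the question, the answer or MikroTik) that parses a handful of rule lines copied from the posted config and traces the first packet of a new connection through dstnat, the routing decision and the chosen filter chain. It is deliberately simplified: only the matchers those rules use are modelled, connection tracking is reduced to a fixed state of "new", the out-interface is assumed to be lan for any 192.168.x.x destination, and RouterOS's default policy of accepting when no rule matches is assumed. It also traces a UDP 3230 packet, which the answer does not discuss: with the NAT rules as posted there is no dst-nat for that range, so the packet is never translated and lands in input on the router itself rather than reaching the Polycom.

```python
"""Toy model of RouterOS packet flow: dstnat (prerouting) -> routing -> input/forward.
Added example, not part of the original post; rule lines are copied from the posted config."""
import re

ROUTER_WAN = "212.33.3.202"   # the router's public address in the posted config
LAN_PREFIX = "192.168."       # assumption: any 192.168.x.x destination leaves via 'lan'

# Subset of the posted rules, in their original order.
NAT_EXPORT = """
add action=dst-nat chain=dstnat comment=AD dst-port=6000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.11 to-ports=3389
add action=dst-nat chain=dstnat comment="WEB Service" dst-port=7000 in-interface=ether1 protocol=tcp to-addresses=192.168.0.4 to-ports=80
add action=dst-nat chain=dstnat comment=Polycom in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=1720
"""
FILTER_EXPORT = """
add chain=input comment=polycom dst-port=1720 in-interface=ether1 protocol=tcp
add chain=input dst-port=3230-3235 in-interface=ether1 protocol=udp
add chain=forward out-interface=lan
add chain=forward in-interface=lan
add action=drop chain=forward connection-state=invalid
add action=drop chain=input comment="Drop invalid connection packets" connection-state=invalid
"""


def parse_export(text):
    """Parse 'add key=value ...' lines of a RouterOS export into dicts (quoted values kept whole)."""
    rules = []
    for line in text.strip().splitlines():
        rule = {"_line": line}
        for key, quoted, bare in re.findall(r'(\S+?)=(?:"([^"]*)"|(\S*))', line):
            rule[key] = quoted or bare
        rules.append(rule)
    return rules


def port_in(port, spec):
    """spec is a RouterOS port list such as '1720', '21,22,23,80' or '3230-3235'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def matches(rule, pkt):
    """True when every matcher the rule carries agrees with the packet.
    Only the matchers used by the rules above are modelled; others are ignored."""
    if rule.get("disabled") == "yes":
        return False
    checks = {
        "protocol": lambda v: v == pkt["proto"],
        "in-interface": lambda v: v == pkt["in"],
        "out-interface": lambda v: v == pkt["out"],
        "dst-address": lambda v: v == pkt["dst"],
        "dst-port": lambda v: port_in(pkt["dport"], v),
        "connection-state": lambda v: v == pkt["state"],
    }
    return all(test(rule[key]) for key, test in checks.items() if key in rule)


def trace(proto, dport, nat_rules, filter_rules):
    """Run the first packet of a new connection (arriving on ether1 for the router's public
    address) through dstnat, the routing decision and the chosen filter chain.
    Returns (comment of the dst-nat rule that fired or None, chain, matched filter line or None, verdict)."""
    pkt = {"proto": proto, "in": "ether1", "out": None, "dst": ROUTER_WAN,
           "dport": dport, "state": "new"}
    nat_hit = None
    for rule in nat_rules:
        if rule.get("chain") == "dstnat" and rule.get("action") == "dst-nat" and matches(rule, pkt):
            pkt["dst"], pkt["dport"] = rule["to-addresses"], int(rule["to-ports"])
            nat_hit = rule.get("comment")
            break                                     # first matching NAT rule wins
    # The routing decision comes after prerouting: a packet whose (already translated)
    # destination is the router itself goes to 'input'; anything else goes to 'forward'.
    chain = "input" if pkt["dst"] == ROUTER_WAN else "forward"
    pkt["out"] = "lan" if pkt["dst"].startswith(LAN_PREFIX) else "ether1"
    for rule in filter_rules:
        if rule.get("chain") == chain and matches(rule, pkt):
            return nat_hit, chain, rule["_line"], rule.get("action", "accept")
    return nat_hit, chain, None, "accept"            # default policy: accept when nothing matches


if __name__ == "__main__":
    nat, flt = parse_export(NAT_EXPORT), parse_export(FILTER_EXPORT)
    for proto, port in [("tcp", 1720), ("tcp", 2222), ("tcp", 6000), ("udp", 3230)]:
        print(proto, port, "->", trace(proto, port, nat, flt))
```

Running it shows that the TCP 1720 packet is translated by the Polycom rule and then evaluated in forward, so the input rule with dst-port=1720 never sees it; that an arbitrary port such as TCP 2222 is translated by the same rule, because it has no dst-port matcher (only the earlier AD and WEB Service rules, which do match ports, take precedence); and that UDP 3230 is not translated at all and stays in input.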
