Hi All,
We have a 3CX System currently with SIP trunks and are planning to replace our current Linksys BEFSX41 router with a Mikrotik RB450 Router with RouterOS v6.0rc9.
I have set up the router using Winbox v6.0rc9 and set the first port as our external connection and the 2nd port as the internal connection.
I also set the firewall NAT rules, but no filter rules or Mangle rules. The NAT rules are below:
/ip firewall nat
add action=masquerade chain=srcnat comment="Allow Outgoing Traffic & NAT" \
    disabled=yes dst-address=0.0.0.0/0 src-address=10.1.1.0/24 !to-addresses \
    !to-ports
add action=netmap chain=srcnat comment="TCP 5060 SIP Out" protocol=tcp \
    src-address=10.1.1.220 src-port=5060 to-addresses=protected_host \
    to-ports=5060
add action=netmap chain=srcnat comment="UDP 5060 SIP Out" protocol=udp \
    src-address=10.1.1.220 src-port=5060 to-addresses=protected_host \
    to-ports=5060
add action=netmap chain=srcnat comment="TCP 5090 Tunnel Out" protocol=tcp \
    src-address=10.1.1.220 src-port=5090 to-addresses=protected_host \
    to-ports=5090
add action=netmap chain=srcnat comment="UDP 5090 Tunnel Out" protocol=udp \
    src-address=10.1.1.220 src-port=5090 to-addresses=protected_host \
    to-ports=5090
add action=netmap chain=srcnat comment="UDP 9000-9100 RTP Out" protocol=udp \
    src-address=10.1.1.220 src-port=9000-9100 to-addresses=protected_host \
    to-ports=9000-9100
add action=netmap chain=srcnat comment="UDP 10000-10009 Fax Out" protocol=udp \
    src-address=10.1.1.220 src-port=10000-10009 to-addresses=protected_host \
    to-ports=10000-10009
add action=netmap chain=dstnat comment="TCP 5060 SIP In" dst-address=\
    protected_host dst-port=5060 protocol=tcp to-addresses=10.1.1.220 \
    to-ports=5060
add action=netmap chain=dstnat comment="UDP 5060 SIP In" dst-address=\
    protected_host dst-port=5060 protocol=udp to-addresses=10.1.1.220 \
    to-ports=5060
add action=netmap chain=dstnat comment="TCP 5090 SIP Tunnel In" dst-address=\
    protected_host dst-port=5090 protocol=tcp to-addresses=10.1.1.220 \
    to-ports=5090
add action=netmap chain=dstnat comment="UDP 5090 SIP Tunnel In" dst-address=\
    protected_host dst-port=5090 protocol=udp to-addresses=10.1.1.220 \
    to-ports=5090
add action=netmap chain=dstnat comment="UDP 9000-9100 RTP In" dst-address=\
    protected_host dst-port=9000-9100 protocol=udp to-addresses=10.1.1.220 \
    to-ports=9000-9100
add action=netmap chain=dstnat comment="UDP 10000-10009 Fax In" dst-address=\
    protected_host dst-port=10000-10009 protocol=udp to-addresses=10.1.1.220 \
    to-ports=10000-10009
add action=netmap chain=dstnat comment="TCP 3CX Management" disabled=yes \
    dst-address=protected_host dst-port=5000 protocol=tcp to-addresses=\
    10.1.1.220 to-ports=5000
add action=masquerade chain=srcnat comment="Added by webbox" out-interface=\
    E2_internal to-addresses=0.0.0.0 !to-ports
add chain=srcnat
add action=dst-nat chain=dstnat comment="Allow all incoming to 3CX" disabled=\
    yes dst-address=0.0.0.0/0 to-addresses=10.1.1.220 !to-ports
When I replace the Linksys with the Mikrotik, I can make calls internal/external and connect using our SIP Clients on our Android phones either through the normal connection or through the 3CX tunnel connection and they work fine.
When I call from an external source to our internal, the call fails immediately upon attempting to connect to the 3CX server. I placed Wireshark on the Linksys router and the Mikrotik router to compare settings. I found that the Mikrotik fails with error "407 Proxy Authentication Required". I am not sure why this is being generated as the Linksys doesn't have this issue. I have attached the Wireshark screenshots. Any help is greatly appreciated, thanks in advance.
Mikrotik Screenshot:
Linksys Screenshot:
Thanks,
Libert
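An added example, not part of the original post: a small Python parser for a RouterOS `/ip firewall nat` export that lists which inbound `dstnat` forwards are actually enabled, which is the first thing to confirm when comparing a rule set against a capture, and, since the post states that no filter rules are set, these entries alone decide what reaches 10.1.1.220 from outside. The function names and the shortened sample are constructed for illustration; `protected_host` is the post's own redacted address.

```python
import re
import shlex

# Constructed sample: four rules in the post's export format, two of them disabled.
SAMPLE_EXPORT = r'''/ip firewall nat
add action=masquerade chain=srcnat comment="Allow Outgoing Traffic & NAT" \
    disabled=yes dst-address=0.0.0.0/0 src-address=10.1.1.0/24 !to-addresses \
    !to-ports
add action=netmap chain=dstnat comment="UDP 5060 SIP In" dst-address=\
    protected_host dst-port=5060 protocol=udp to-addresses=10.1.1.220 \
    to-ports=5060
add action=netmap chain=dstnat comment="TCP 3CX Management" disabled=yes \
    dst-address=protected_host dst-port=5000 protocol=tcp to-addresses=\
    10.1.1.220 to-ports=5000
add action=netmap chain=dstnat comment="UDP 9000-9100 RTP In" dst-address=\
    protected_host dst-port=9000-9100 protocol=udp to-addresses=10.1.1.220 \
    to-ports=9000-9100
'''

def parse_nat_export(text):
    """Return one dict per 'add' line of a RouterOS NAT export."""
    # Trailing backslash = continuation: drop it, the newline and the indent.
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    rules = []
    for line in joined.splitlines():
        tokens = shlex.split(line)        # keeps quoted comments in one token
        if not tokens or tokens[0] != "add":
            continue
        rule = {}
        for tok in tokens[1:]:
            if tok.startswith("!"):       # "!to-ports": property explicitly unset
                rule[tok[1:]] = None
            else:
                key, _, value = tok.partition("=")
                rule[key] = value
        rules.append(rule)
    return rules

def active_inbound(rules):
    """Enabled dstnat rules as (protocol, dst-port, to-addresses, comment)."""
    return [(r.get("protocol", "any"), r.get("dst-port", "any"),
             r.get("to-addresses"), r.get("comment", ""))
            for r in rules
            if r.get("chain") == "dstnat" and r.get("disabled") != "yes"]

if __name__ == "__main__":
    for row in active_inbound(parse_nat_export(SAMPLE_EXPORT)):
        print(*row, sep="\t")
```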