Running version 6.5 on a RB2011. I did reboot just a few minutes ago, no change.
The connection table should clear on a reboot, right?

I really appreciate your suggestions! It is great to have someone to bounce ideas off of.

Casey

*********** Firewall Rules ****************
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add chain=input comment="Allow all local traffic in" in-interface=bridge-local
add chain=input comment="Allow all pings" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="SSH Brute Force Rule01" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=8w4d chain=input comment="SSH Brute Force Rule02" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="SSH Brute Force Rule03" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="SSH Brute Force Rule04" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="SSH Brute Force Rule05" connection-state=new dst-port=22 protocol=tcp
add chain=input comment="Open SSH Port" dst-port=22 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="Drop all other traffic coming from Internet" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin-Test src-address=192.168.55.0/24
add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 protocol=tcp to-addresses=192.168.55.200 to-ports=8080
add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 protocol=tcp to-addresses=192.168.55.201 to-ports=8081
add action=dst-nat chain=dstnat comment=IX2 dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=80
add action=dst-nat chain=dstnat comment=IX2 dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=443
add action=dst-nat chain=dstnat comment=IX2 dst-port=50500 protocol=tcp to-addresses=192.168.55.54 to-ports=50500
add action=dst-nat chain=dstnat comment="IX2 FTP" dst-port=21 protocol=tcp to-addresses=192.168.55.54 to-ports=21
add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389 protocol=tcp to-addresses=192.168.55.52 to-ports=3389
add action=dst-nat chain=dstnat comment=HTPC7-Plex dst-port=32400 protocol=tcp to-addresses=192.168.55.50 to-ports=32400
add action=dst-nat chain=dstnat comment=HTPC7-CetonApp dst-port=5832 protocol=tcp to-addresses=192.168.55.50 to-ports=5832
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 protocol=tcp to-addresses=192.168.55.55 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 protocol=udp to-addresses=192.168.55.55 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP dst-port=5061 protocol=udp to-addresses=192.168.55.55 to-ports=5061
add action=dst-nat chain=dstnat comment=VOIP dst-port=5061 protocol=tcp to-addresses=192.168.55.55 to-ports=5061
add action=dst-nat chain=dstnat comment=VOIP dst-port=10000-20000 protocol=udp to-addresses=192.168.55.55 to-ports=10000-20000
/ip firewall service-port
set sip disabled=yes
***********************************************************************

On Thu, Jan 29, 2015 at 7:07 PM, Alexander Neilson <alexan...@neilson.net.nz> wrote:

> You would still see it leaving your interface if the upstream was blocking
> it.
>
> Can you post privatised firewall rules etc so we can see what you have in
> place?
>
> What software version are you running?
>
> Have you rebooted after changes? Cleared your connections table? There is
> a bug where firewall rule changes don't take effect until a reboot. Also if
> an existing connection is in the conntrack table then no matter the change it
> won't be reflected until that connection has cleared.
>
> Like others I run asterisk sip servers through mikrotiks so I know it
> works. Just trying to find issues.
>
> Regards
>
> Alexander
>
> Alexander Neilson
> Neilson Productions Ltd
> alexan...@neilson.net.nz
> 021 329 681
>
>
> On 30/01/2015, at 12:48 pm, Casey Mills <wkm...@gmail.com> wrote:
> >
> > I'm using my Android phone as one of the extensions. This works from inside
> > and outside my network. But connecting to the SIP trunk with the FreePBX
> > box is not working. In torch I can see the traffic getting to the local
> > bridge. But that traffic is not making it out the WAN port. I am able to
> > ping both SIP provider servers.
> >
> > I have watched the counters in my filter rules and NAT, I can't find where
> > the traffic is stopping.
> >
> > Comcast is my upstream, they could be blocking it but they are minding
> > their Ps and Qs trying to get the Time Warner merger approved.
> >
> > Casey
> >
> >> On Thu, Jan 29, 2015 at 6:34 PM, Scott Reed <sr...@nwwnet.net> wrote:
> >>
> >> All of our phones are FreePBX through Mikrotiks ( several to get out to
> >> the Internet and I don't recall doing anything special to get them to work.
> >> Do the normal network stuff, traceroute, etc. Make sure you have
> >> connectivity.
> >> Any chance your upstream is blocking SIP traffic?
> >>
> >>
> >>> On 1/29/2015 5:21 PM, Casey Mills wrote:
> >>>
> >>> I set up a FreePBX server and wanted to test a few SIP trunking services.
> >>>
> >>> The SIP packets are not making it through the router from the inside of my
> >>> network. I thought it might be a fluke with the first provider, so I signed
> >>> up with a second. Same result.
> >>>
> >>> I simply cannot figure out why they aren't making it through. My leading
> >>> theory is FreePBX/Asterisk is changing the packet IP address, somehow
> >>> making it invalid. But I have tried setting the IP of the server to the
> >>> internal and external IP.
> >>>
> >>> I am able to use an app on my phone and connect to the server from outside
> >>> of the network. Utilizing the dst-nat forwarding.
> >>>
> >>> Any ideas on where to start?
> >>>
> >>> Casey
> >>
> >> --
> >> Scott Reed
> >> Owner
> >> NewWays Networking, LLC
> >> Wireless Networking
> >> Network Design, Installation and Administration
> >> Mikrotik Advanced Certified
> >> www.nwwnet.net
> >> (765) 855-1060 (765) 439-4253 Toll-free (855) 231-6239

_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://mail.butchevans.com/mailman/listinfo/mikrotik

Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
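
Added example, not part of the original thread or of any poster's configuration: a short Python check over a subset of the dstnat rules posted above. It lists dst-nat rules that carry no in-interface or dst-address matcher; such rules also match packets entering from the LAN, so a LAN host's outbound traffic to the same destination port is rewritten as well. The function names and the simplified matching model (interface, protocol and port only) are assumptions of this example.

```python
import shlex

# NAT rules copied from the export posted in the message (subset of the dstnat entries).
NAT_EXPORT = """\
add action=dst-nat chain=dstnat comment=IX2 dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=80
add action=dst-nat chain=dstnat comment="IX2 FTP" dst-port=21 protocol=tcp to-addresses=192.168.55.54 to-ports=21
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 protocol=udp to-addresses=192.168.55.55 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP dst-port=10000-20000 protocol=udp to-addresses=192.168.55.55 to-ports=10000-20000
"""

# Matchers that tie a dst-nat rule to traffic arriving from outside.
SCOPE_KEYS = ("in-interface", "dst-address", "dst-address-type", "dst-address-list")

def parse_rules(export):
    """Turn 'add key=value ...' export lines into dicts."""
    rules = []
    for line in export.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules

def port_matches(spec, port):
    """dst-port may be a single port, a range, or a comma-separated list."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def first_match(rules, in_interface, protocol, dst_port):
    """First dstnat rule hit by a packet (top-down; address matchers not modelled)."""
    for r in rules:
        if (r.get("chain") == "dstnat"
                and r.get("protocol", protocol) == protocol
                and r.get("in-interface", in_interface) == in_interface
                and port_matches(r.get("dst-port", str(dst_port)), dst_port)):
            return r
    return None

def unscoped(rules):
    """dst-nat rules with no matcher restricting them to inbound WAN traffic."""
    return [r for r in rules
            if r.get("action") == "dst-nat" and not any(k in r for k in SCOPE_KEYS)]

if __name__ == "__main__":
    rules = parse_rules(NAT_EXPORT)
    for r in unscoped(rules):
        print("unscoped:", r["comment"], r["protocol"], r["dst-port"])
    # Constructed packet: LAN host on bridge-local sending to an Internet server on udp/5060.
    print("LAN udp/5060 hits:", first_match(rules, "bridge-local", "udp", 5060))
```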