Are you doing SIP over TCP or UDP from FreePBX?  (Guessing UDP.)

Are you doing SIP over TCP or UDP from your Android phone that works?  
(Guessing TCP.)

Can you try either disabling the last rule in your firewall filters list 
(action=drop chain=forward connection-state=invalid), and/or also setting 
protocol=tcp on it, and then try to originate SIP traffic from your FreePBX 
server again?

They probably aren't harming anything, but unless your SIP trunk provider 
doesn't require you to send SIP REGISTER to them and instead uses IP-based 
authentication, you don't need all of those dst-nat rules pointed at your 
FreePBX box.  The kernel's connection tracking should be able to figure all of 
that out.

--
Nathan Anderson
First Step Internet, LLC
nath...@fsr.com
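As an added example (not code from the thread, and not MikroTik's), here is a small Python linter that parses a RouterOS export in the form Casey pasted and pulls out the things asked about above: the catch-all `connection-state=invalid` drop in the forward chain (together with the `set [find ...]` command that pins it to TCP as a test), and the dst-nat rules aimed at the FreePBX host, which are said to be unnecessary when the PBX registers outbound. It also lists dst-nat rules with no `in-interface` match, since the posted export applies that restriction to the IX2 80/443 forwards but not to the rest. The input is a constructed subset of the posted rules, re-joined one per line; the FreePBX address 192.168.55.55 is taken from the VOIP rules.

```python
# Added example: lint a RouterOS firewall export for the points raised above.
# Not code from the thread or from MikroTik. Assumes the export uses the
# plain "add key=value ..." form RouterOS prints.
import shlex

# Constructed sample input: a subset of the rules Casey posted, re-joined
# onto one line per rule (his mail client had wrapped them mid-rule).
EXPORT = """\
/ip firewall filter
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin-Test src-address=192.168.55.0/24
add action=dst-nat chain=dstnat comment=IX2 dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=80
add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389 protocol=tcp to-addresses=192.168.55.52 to-ports=3389
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 protocol=udp to-addresses=192.168.55.55 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP dst-port=10000-20000 protocol=udp to-addresses=192.168.55.55 to-ports=10000-20000
"""

FILTER_MENU = "/ip firewall filter"
NAT_MENU = "/ip firewall nat"


def parse_export(text):
    """Return one dict per `add` line, tagged with the menu it was printed under.

    shlex.split keeps quoted values such as comment="default configuration"
    together; a bare word without '=' (e.g. a trailing `disabled`) becomes a
    flag set to "yes". `set ...` lines and blanks are not rules and are skipped.
    """
    rules, menu = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            rule = {"_menu": menu}
            for tok in shlex.split(line[4:]):
                key, sep, value = tok.partition("=")
                rule[key] = value if sep else "yes"
            rules.append(rule)
    return rules


def unqualified_invalid_drops(rules):
    """Filter rules that drop connection-state=invalid for every protocol.

    The reply above suggests disabling such a rule, or pinning it to
    protocol=tcp, to see whether it is what stops the PBX's SIP over UDP.
    """
    return [r for r in rules
            if r["_menu"] == FILTER_MENU
            and r.get("action") == "drop"
            and r.get("connection-state") == "invalid"
            and "protocol" not in r]


def dstnat_without_wan_interface(rules):
    """dst-nat rules with no in-interface / in-interface-list match.

    The posted IX2 80/443 forwards carry in-interface=ether1-gateway; the
    others match regardless of which interface the packet arrived on.
    """
    return [r for r in rules
            if r["_menu"] == NAT_MENU
            and r.get("action") == "dst-nat"
            and not ({"in-interface", "in-interface-list"} & r.keys())]


def dstnat_to_host(rules, host):
    """All port forwards aimed at one inside host (here, the FreePBX box)."""
    return [r for r in rules
            if r.get("action") == "dst-nat" and r.get("to-addresses") == host]


def narrow_invalid_drop_commands(rules, protocol="tcp"):
    """RouterOS CLI commands that pin each flagged invalid-drop rule to one
    protocol, using the standard `set [find ...] property=value` idiom."""
    return [
        f'{r["_menu"]} set [find chain={r["chain"]} action=drop '
        f'connection-state=invalid comment="{r.get("comment", "")}"] '
        f"protocol={protocol}"
        for r in unqualified_invalid_drops(rules)
    ]


def describe(rule):
    return f'{rule["_menu"]} chain={rule.get("chain")} comment="{rule.get("comment", "")}"'


if __name__ == "__main__":
    rules = parse_export(EXPORT)
    print("invalid-state drops matching all protocols:")
    for r in unqualified_invalid_drops(rules):
        print("  ", describe(r))
    print("dst-nat rules not limited to an ingress interface:")
    for r in dstnat_without_wan_interface(rules):
        print("  ", describe(r), "dst-port=" + r.get("dst-port", "?"))
    print("dst-nat rules pointed at the FreePBX host:")
    for r in dstnat_to_host(rules, "192.168.55.55"):
        print("  ", describe(r), "dst-port=" + r.get("dst-port", "?"))
    print("commands to narrow the drop rule to TCP as a test:")
    for cmd in narrow_invalid_drop_commands(rules):
        print("  ", cmd)
```

The script only finds the candidates; whether the invalid-state drop is actually the rule eating the PBX's packets still has to be confirmed on the router, for example by watching the counters with `/ip firewall filter print stats` while the PBX retries its registration.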

On Thursday, January 29, 2015 4:25 PM, Casey Mills <> wrote:

> Running version 6.5 on a RB2011.
> 
> I did reboot just a few minutes ago, no change.
> 
> The connection table should clear on a reboot right?
> 
> I really appreciate your suggestions! It is great to have someone to
> bounce ideas off of.
> 
> Casey
> 
> 
> 
> 
> *********** Firewall Rules ****************
> /ip firewall connection tracking
> set enabled=yes
> /ip firewall filter
> add chain=input comment="Allow all local traffic in" in-interface=bridge-local
> add chain=input comment="Allow all pings" protocol=icmp
> add chain=input comment="default configuration" connection-state=established
> add chain=input comment="default configuration" connection-state=related
> add action=drop chain=input comment="SSH Brute Force Rule01" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
> add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=8w4d chain=input comment="SSH Brute Force Rule02" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
> add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="SSH Brute Force Rule03" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
> add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="SSH Brute Force Rule04" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
> add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="SSH Brute Force Rule05" connection-state=new dst-port=22 protocol=tcp
> add chain=input comment="Open SSH Port" dst-port=22 in-interface=ether1-gateway protocol=tcp
> add action=drop chain=input comment="Drop all other traffic coming from Internet" in-interface=ether1-gateway
> add chain=forward comment="default configuration" connection-state=established
> add chain=forward comment="default configuration" connection-state=related
> add action=drop chain=forward comment="default configuration" connection-state=invalid
> /ip firewall nat
> add action=masquerade chain=srcnat comment=Hairpin-Test src-address=192.168.55.0/24
> add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 protocol=tcp to-addresses=192.168.55.200 to-ports=8080
> add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 protocol=tcp to-addresses=192.168.55.201 to-ports=8081
> add action=dst-nat chain=dstnat comment=IX2 dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=80
> add action=dst-nat chain=dstnat comment=IX2 dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=443
> add action=dst-nat chain=dstnat comment=IX2 dst-port=50500 protocol=tcp to-addresses=192.168.55.54 to-ports=50500
> add action=dst-nat chain=dstnat comment="IX2 FTP" dst-port=21 protocol=tcp to-addresses=192.168.55.54 to-ports=21
> add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389 protocol=tcp to-addresses=192.168.55.52 to-ports=3389
> add action=dst-nat chain=dstnat comment=HTPC7-Plex dst-port=32400 protocol=tcp to-addresses=192.168.55.50 to-ports=32400
> add action=dst-nat chain=dstnat comment=HTPC7-CetonApp dst-port=5832 protocol=tcp to-addresses=192.168.55.50 to-ports=5832
> add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 protocol=tcp to-addresses=192.168.55.55 to-ports=5060
> add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 protocol=udp to-addresses=192.168.55.55 to-ports=5060
> add action=dst-nat chain=dstnat comment=VOIP dst-port=5061 protocol=udp to-addresses=192.168.55.55 to-ports=5061
> add action=dst-nat chain=dstnat comment=VOIP dst-port=5061 protocol=tcp to-addresses=192.168.55.55 to-ports=5061
> add action=dst-nat chain=dstnat comment=VOIP dst-port=10000-20000 protocol=udp to-addresses=192.168.55.55 to-ports=10000-20000
> /ip firewall service-port
> set sip disabled=yes
> ***********************************************************************
> 
> On Thu, Jan 29, 2015 at 7:07 PM, Alexander Neilson <alexan...@neilson.net.nz> wrote:
> 
>> You would still see it leaving your interface if the upstream was
>> blocking it. 
>> 
>> Can you post privatised firewall rules etc so we can see what you have
>> in place? 
>> 
>> What software version are you running?
>> 
>> Have you rebooted after changes? Cleared your connections table? There is
>> a bug where firewall rule changes don't take effect until a reboot. Also,
>> if there is an existing connection in the conntrack table then no matter the
>> change it won't be reflected until that connection has cleared.
>> 
>> Like others I run asterisk sip servers through mikrotiks so I know it
>> works. Just trying to find issues.
>> 
>> Regards
>> 
>> Alexander
>> 
>> Alexander Neilson
>> Neilson Productions Ltd
>> alexan...@neilson.net.nz
>> 021 329 681
>> 
>>> On 30/01/2015, at 12:48 pm, Casey Mills <wkm...@gmail.com> wrote:
>>> 
>>> I'm using my Android phone as one of the extensions. This works from
>>> inside and outside my network. But connecting to the SIP trunk with the
>>> FreePBX box is not working. In torch I can see the traffic getting to
>>> the local bridge. But that traffic is not making it out the WAN port. I
>>> am able to ping both SIP provider servers.
>>> 
>>> I have watched the counters in my filter rules and NAT, I can't find
>>> where the traffic is stopping. 
>>> 
>>> Comcast is my upstream, they could be blocking it but they are minding
>>> their Ps and Qs trying to get the Time Warner merger approved.
>>> 
>>> Casey
>>> 
>>>> On Thu, Jan 29, 2015 at 6:34 PM, Scott Reed <sr...@nwwnet.net> wrote:
>>>> 
>>>> All of our phones are FreePBX through Mikrotiks (several to get out to
>>>> the Internet) and I don't recall doing anything special to get them to
>>>> work. Do the normal network stuff, traceroute, etc.  Make sure you
>>>> have connectivity. Any chance your upstream is blocking SIP traffic?
>>>> 
>>>> 
>>>>> On 1/29/2015 5:21 PM, Casey Mills wrote:
>>>>> 
>>>>> I setup a FreePBX server and wanted to test a few SIP trunking
>>>>> services. 
>>>>> 
>>>>> The SIP packets are not making it through the router from the inside
>>>>> of my network. I thought it might be a fluke with the first provider,
>>>>> so I signed up with a second. Same result.
>>>>> 
>>>>> I simply can not figure out why they aren't making it through. My
>>>>> leading theory is FreePBX/Asterisk is changing the packet IP address,
>>>>> somehow making it invalid. But I have tried setting the IP of the
>>>>> server to the internal and external IP. 
>>>>> 
>>>>> I am able to use an app on my phone and connect to the server from
>>>>> outside of the network. Utilizing the dst-nat forwarding.
>>>>> 
>>>>> Any ideas on where to start?
>>>>> 
>>>>> Casey
>>>>> _______________________________________________
>>>>> Mikrotik mailing list
>>>>> Mikrotik@mail.butchevans.com
>>>>> http://mail.butchevans.com/mailman/listinfo/mikrotik
>>>>> 
>>>>> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
>>>>> RouterOS 
>>>>> 
>>>>> 
>>>> --
>>>> Scott Reed
>>>> Owner
>>>> NewWays Networking, LLC
>>>> Wireless Networking
>>>> Network Design, Installation and Administration
>>>> Mikrotik Advanced Certified
>>>> www.nwwnet.net
>>>> (765) 855-1060  (765) 439-4253  Toll-free (855) 231-6239
>>>> 
>>>> 
>>>> 