Mikrotik SIP ALG is called a SIP Helper and is located under /IP>Firewall>Service ports. To disable it, run this command from the terminal: /ip firewall service-port disable sip. Or from winbox just navigate to IP>Firewall and then click on the Service Ports tab and disable it through the GUI.

But you then have to do the DNAT stuff manually? UDP/TCP 5060, the RTP range?

Since quite a few years ago, public exchanges can handle client-side NAT by storing the socket address from which the REGISTER request actually came and sending INVITEs and keepalive packets to that socket rather than to the one found in the Contact header of the REGISTER message. For the RTP traffic, they also wait to see where it actually comes from rather than sending it to the address found in the SDP, and they proxy the RTP between the phones, so the phones do not need to know each other's socket addresses. What has made this possible is a cooperative behaviour of the phones, which use the same sockets for sending and receiving; this wasn't the case from the very start, as the RTP and SIP RFCs do not require it. And the phones even send RTP before connect, allowing the exchange to send them the pre-connect audio. So you don't need any port-forwarding (dst-nat) rules to connect a phone in your LAN to an exchange on a public address, as the phone creates a pinhole (tracked connection) for SIP using the first REGISTER message, and for each call it creates a pinhole by sending the RTP where the exchange has asked it to (which is normally the media proxy).

When talking about the reverse scenario, i.e. a PBX in your LAN and phones in the internet registering to it, you need a port-forwarding rule for SIP even if the SIP ALG is enabled, and there are a lot of things that may go wrong. The ALG doesn't handle the situation when the device in the LAN uses different IP addresses for SIP and for RTP.

Inside the SIP message, there are IP addresses and ports both in SIP's own headers and in its payload, the SDP used to establish and control the RTP session. So the SIP ALG still has enough to do even if it doesn't tamper with the SDP and RTP: at least it replaces the address and port in the Via and Contact URIs sent by the phone with its own WAN-side address and port. Regarding the RTP, the ALG creates a tracked connection with the necessary NAT handling in advance, before the first RTP packet ever comes from either direction, while processing the SDPs from both peers. So it reserves the WAN-side IP address and port for that connection and sends them in the SDP to the remote peer. Whether this tracked connection for RTP is marked as related or not is a different thing. I never bothered to check that because switching the SIP helper off is one of the first settings I do on every new router. So you may want to do it the other way round: while a call is ongoing, find the remote address:port tuple using /tool sniffer ip-address=ip.of.the.phone and print the connections which have it as either the src-address or the dst-address:

ip firewall connection print detail where src-address~"remote.ip.add.ress:port" or dst-address~"remote.ip.add.ress:port"
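As an added example (not code from this thread and not RouterOS code), the following Python models the two things the posts above describe a SIP ALG doing to an INVITE leaving the LAN: rewriting the private socket in the Via and Contact headers, and reserving a WAN port for the RTP stream described in the SDP before any RTP packet has been seen. It also reproduces the failure mentioned for the PBX-in-the-LAN case, a device that uses one IP address for SIP and another for RTP. Everything in it is an assumption for the model rather than a description of the helper's real implementation: the ALG is assumed to rewrite only a media address that equals the SIP packet's own source IP, to rewrite the o=, c= and m= lines, and to hand out public RTP ports in pairs from 10000. The INVITE, the addresses 192.168.88.10, 192.168.88.20 and 203.0.113.5, and the ports are constructed sample data.

```python
"""Toy model of what a SIP ALG (RouterOS "SIP helper") does to an INVITE
leaving the LAN.  Added example, not code from the thread or from RouterOS.

Assumptions (not from the thread):
  * the ALG rewrites the Via and Contact sockets and the SDP o=/c=/m= lines;
  * it only rewrites a media address that equals the SIP packet's source IP,
    one simple way to reproduce the failure the thread mentions (a LAN
    device using one IP for SIP and another for RTP);
  * public RTP ports are handed out in pairs starting at 10000.
All addresses, ports and the INVITE itself are constructed sample data."""
import re

LAN_PHONE = "192.168.88.10"   # constructed: phone's LAN address
WAN_ADDR = "203.0.113.5"      # constructed: router's public address

# Constructed sample INVITE: {sip_ip} is the socket the SIP stack uses,
# the SDP advertises where the device wants to receive RTP.
INVITE = (
    "INVITE sip:100@sip.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP {sip_ip}:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:phone@sip.example.net>;tag=1928301774\r\n"
    "To: <sip:100@sip.example.net>\r\n"
    "Contact: <sip:phone@{sip_ip}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: {length}\r\n"
    "\r\n"
    "{sdp}"
)
SDP = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 {rtp_ip}\r\n"
    "s=-\r\n"
    "c=IN IP4 {rtp_ip}\r\n"
    "t=0 0\r\n"
    "m=audio {rtp_port} RTP/AVP 0\r\n"
)


def build_invite(sip_ip, rtp_ip, rtp_port):
    """Build the INVITE as the LAN device would send it."""
    sdp = SDP.format(rtp_ip=rtp_ip, rtp_port=rtp_port)
    return INVITE.format(sip_ip=sip_ip, length=len(sdp), sdp=sdp)


class ToySipAlg:
    """SNAT side of a SIP ALG: header rewrite plus pre-created RTP mapping."""

    def __init__(self, wan_addr, first_rtp_port=10000):
        self.wan_addr = wan_addr
        self.next_port = first_rtp_port
        self.rtp_map = {}   # public port -> (lan_ip, lan_port): the tracked connection

    def lookup(self, wan_port):
        """Where inbound RTP to wan_addr:wan_port is forwarded; None if no mapping."""
        return self.rtp_map.get(wan_port)

    def outbound(self, msg, src_ip, src_port, snat_port):
        """Rewrite a SIP message whose UDP source src_ip:src_port has been
        source-NATed to wan_addr:snat_port.  Returns (new_msg, untouched),
        where untouched lists SDP media addresses the ALG could not fix."""
        head, _, body = msg.partition("\r\n\r\n")
        priv = f"{src_ip}:{src_port}"
        pub = f"{self.wan_addr}:{snat_port}"

        # 1. SIP's own headers: Via and Contact carry the private socket.
        head = re.sub(r"^(Via: SIP/2\.0/UDP )" + re.escape(priv),
                      lambda m: m.group(1) + pub, head, flags=re.M)
        head = re.sub(r"^(Contact: <sip:[^@>]*@)" + re.escape(priv),
                      lambda m: m.group(1) + pub, head, flags=re.M)

        # 2. Payload: the SDP media socket.  A WAN port is reserved and the
        #    mapping created now, before any RTP packet has been seen.
        untouched = []
        c_line = re.search(r"^c=IN IP4 (\S+)\r?$", body, re.M)
        m_line = re.search(r"^m=audio (\d+) ", body, re.M)
        if c_line and m_line:
            rtp_ip, rtp_port = c_line.group(1), int(m_line.group(1))
            if rtp_ip == src_ip:
                wan_port = self.next_port
                self.next_port += 2          # leave room for RTCP on port+1
                self.rtp_map[wan_port] = (rtp_ip, rtp_port)
                body = body.replace(f"IN IP4 {rtp_ip}", f"IN IP4 {self.wan_addr}")
                body = re.sub(r"^m=audio \d+ ", f"m=audio {wan_port} ", body, flags=re.M)
            else:
                # Media from a different LAN host: left alone, so the remote
                # peer would be told to send RTP to a private address.
                untouched.append(rtp_ip)

        # 3. The body may have changed length; Content-Length must follow.
        head = re.sub(r"^Content-Length: \d+", f"Content-Length: {len(body)}", head, flags=re.M)
        return head + "\r\n\r\n" + body, untouched


if __name__ == "__main__":
    alg = ToySipAlg(WAN_ADDR)
    good, _ = alg.outbound(build_invite(LAN_PHONE, LAN_PHONE, 7078), LAN_PHONE, 5060, 5060)
    print(good)
    bad, left = alg.outbound(build_invite(LAN_PHONE, "192.168.88.20", 4000), LAN_PHONE, 5060, 5060)
    print("SDP addresses the ALG left untouched:", left)
```

Running it prints the rewritten INVITE for the normal case (Via, Contact and SDP all carry 203.0.113.5 and the reserved port 10000, and `lookup(10000)` already knows the LAN socket before any RTP flows) and then, for the case where SIP comes from 192.168.88.10 but the SDP points at 192.168.88.20, reports that c= line as untouched: the headers were fixed, the media address was not, which is exactly the outcome a port-forwarding rule for the RTP range has to cover by hand.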