I don't remember if 6.5 is stable. I would move to 6.12.
I don't think that will fix the problem, but should make a more stable
router.
On 1/29/2015 7:25 PM, Casey Mills wrote:
Running version 6.5 on a RB2011.
I did reboot just a few minutes ago, no change.
The connection table should clear on a reboot right?
I really appreciate your suggestions! It is great to have someone to bounce
ideas off of.
Casey
*********** Firewall Rules ****************
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add chain=input comment="Allow all local traffic in" in-interface=bridge-local
add chain=input comment="Allow all pings" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="SSH Brute Force Rule01" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=8w4d chain=input comment="SSH Brute Force Rule02" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="SSH Brute Force Rule03" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="SSH Brute Force Rule04" connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="SSH Brute Force Rule05" connection-state=new dst-port=22 protocol=tcp
add chain=input comment="Open SSH Port" dst-port=22 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment="Drop all other traffic coming from Internet" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin-Test src-address=192.168.55.0/24
add action=dst-nat chain=dstnat comment=Foscam-1 dst-port=8080 protocol=tcp to-addresses=192.168.55.200 to-ports=8080
add action=dst-nat chain=dstnat comment=Foscam-2 dst-port=8081 protocol=tcp to-addresses=192.168.55.201 to-ports=8081
add action=dst-nat chain=dstnat comment=IX2 dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=80
add action=dst-nat chain=dstnat comment=IX2 dst-port=443 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=443
add action=dst-nat chain=dstnat comment=IX2 dst-port=50500 protocol=tcp to-addresses=192.168.55.54 to-ports=50500
add action=dst-nat chain=dstnat comment="IX2 FTP" dst-port=21 protocol=tcp to-addresses=192.168.55.54 to-ports=21
add action=dst-nat chain=dstnat comment=Casey7-RDP dst-port=3389 protocol=tcp to-addresses=192.168.55.52 to-ports=3389
add action=dst-nat chain=dstnat comment=HTPC7-Plex dst-port=32400 protocol=tcp to-addresses=192.168.55.50 to-ports=32400
add action=dst-nat chain=dstnat comment=HTPC7-CetonApp dst-port=5832 protocol=tcp to-addresses=192.168.55.50 to-ports=5832
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 protocol=tcp to-addresses=192.168.55.55 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 protocol=udp to-addresses=192.168.55.55 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP dst-port=5061 protocol=udp to-addresses=192.168.55.55 to-ports=5061
add action=dst-nat chain=dstnat comment=VOIP dst-port=5061 protocol=tcp to-addresses=192.168.55.55 to-ports=5061
add action=dst-nat chain=dstnat comment=VOIP dst-port=10000-20000 protocol=udp to-addresses=192.168.55.55 to-ports=10000-20000
/ip firewall service-port
set sip disabled=yes
***********************************************************************
On Thu, Jan 29, 2015 at 7:07 PM, Alexander Neilson <alexan...@neilson.net.nz> wrote:
You would still see it leaving your interface if the upstream was blocking
it.
Can you post privatised firewall rules etc so we can see what you have in
place?
What software version are you running?
Have you rebooted after changes? Cleared your connections table? There is
a bug where firewall rule changes don't take effect until a reboot. Also if
an existing connection is in the conntrack table then no matter the change it
won't be reflected until that connection has cleared.
Like others I run asterisk sip servers through mikrotiks so I know it
works. Just trying to find issues.
Regards
Alexander
Alexander Neilson
Neilson Productions Ltd
alexan...@neilson.net.nz
021 329 681
On 30/01/2015, at 12:48 pm, Casey Mills <wkm...@gmail.com> wrote:
I'm using my Android phone as one of the extensions. This works from inside
and outside my network. But connecting to the SIP trunk with the FreePBX
box is not working. In torch I can see the traffic getting to the local
bridge. But that traffic is not making it out the WAN port. I am able to
ping both SIP provider servers.
I have watched the counters in my filter rules and NAT, I can't find where
the traffic is stopping.
Comcast is my upstream, they could be blocking it but they are minding
their Ps and Qs trying to get the Time Warner merger approved.
Casey
On Thu, Jan 29, 2015 at 6:34 PM, Scott Reed <sr...@nwwnet.net> wrote:
All of our phones are FreePBX through Mikrotiks (several to get out to
the Internet) and I don't recall doing anything special to get them to work.
Do the normal network stuff, traceroute, etc. Make sure you have
connectivity.
Any chance your upstream is blocking SIP traffic?
On 1/29/2015 5:21 PM, Casey Mills wrote:
I set up a FreePBX server and wanted to test a few SIP trunking services.
The SIP packets are not making it through the router from the inside of my
network. I thought it might be a fluke with the first provider, so I signed
up with a second. Same result.
I simply can not figure out why they aren't making it through. My leading
theory is FreePBX/Asterisk is changing the packet IP address, somehow
making it invalid. But I have tried setting the IP of the server to the
internal and external IP.
I am able to use an app on my phone and connect to the server from outside
of the network. Utilizing the dst-nat forwarding.
Any ideas on where to start?
Casey
_______________________________________________
Mikrotik mailing list
Mikrotik@mail.butchevans.com
http://mail.butchevans.com/mailman/listinfo/mikrotik
Visit http://blog.butchevans.com/ for tutorials related to Mikrotik
RouterOS
--
Scott Reed
Owner
NewWays Networking, LLC
Wireless Networking
Network Design, Installation and Administration
Mikrotik Advanced Certified
www.nwwnet.net
(765) 855-1060 (765) 439-4253 Toll-free (855) 231-6239
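
An added example, not part of any message in this thread: a small Python audit of the NAT rules posted above. A dst-nat rule with no in-interface or dst-address matcher applies to packets arriving on any interface, so it also rewrites LAN-originated traffic to that port. The function names are hypothetical and the input is a subset of the posted rules with wrapped lines rejoined.

```python
import shlex

# Subset of the NAT rules posted in this thread, wrapped lines rejoined.
NAT_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin-Test src-address=192.168.55.0/24
add action=dst-nat chain=dstnat comment=IX2 dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.55.54 to-ports=80
add action=dst-nat chain=dstnat comment="IX2 FTP" dst-port=21 protocol=tcp to-addresses=192.168.55.54 to-ports=21
add action=dst-nat chain=dstnat comment=VOIP dst-port=5060 protocol=udp to-addresses=192.168.55.55 to-ports=5060
add action=dst-nat chain=dstnat comment=VOIP dst-port=10000-20000 protocol=udp to-addresses=192.168.55.55 to-ports=10000-20000
"""

# Matchers that restrict a dst-nat rule by arrival interface or destination address.
SCOPING = ("in-interface", "in-interface-list", "dst-address",
           "dst-address-list", "dst-address-type")

def parse_nat_rules(export):
    """Return the parameter dict of every 'add' line under /ip firewall nat."""
    rules, section = [], None
    for line in export.replace("\\\n", " ").splitlines():  # undo export line wraps
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall nat" and line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps quoted comments together
            rules.append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return rules

def port_in(spec, port):
    """True if port falls in a port spec such as '5060' or '10000-20000,80'."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def unscoped_dstnat(rules):
    """dst-nat rules with no interface/address matcher: they apply to LAN traffic too."""
    return [r for r in rules
            if r.get("action") == "dst-nat" and not any(k in r for k in SCOPING)]

def lan_flow_target(rules, protocol, dst_port):
    """Address a LAN-originated packet to dst_port is rewritten to, or None if untouched."""
    for r in unscoped_dstnat(rules):
        if r.get("protocol") == protocol and ("dst-port" not in r or port_in(r["dst-port"], dst_port)):
            return r["to-addresses"]
    return None

if __name__ == "__main__":
    rules = parse_nat_rules(NAT_EXPORT)
    for r in unscoped_dstnat(rules):
        print("unscoped:", r["comment"], r["protocol"], r["dst-port"])
    print("LAN -> udp/5060 rewritten to:", lan_flow_target(rules, "udp", 5060))
```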