- Configure the ports forward on ROS
- Disable SIP ALG
- Hairpin NAT
This document describes the port forward configuration of the MikroTik RouterOS router for the remote extensions or some VoIP provider requirements. In general, the operator uses WinBox to configure ROS.
Port forwarding on the ROS:
The below list is the ports that we will forward on the ROS, that just show you how to forward the ports on the ROS. For security, please make your own rule.
|Item||Protocol||Internal Port||External Port|
Access the ROS via WinBOX.
Navigate: IP --> Firewall --> NAT
- Chain: dstnat
- Protocol: 17(udp) // Choose the protocol that you want to forward.
- Dst. Port: 5090 // The external port.
- To Addresses: 192.168.5.150 // The internal PBX IP.
- To Ports: 5060 // Internal port
For a range port of RTP.
- Dst. Port: 10000-12000 //Use “-” for the port range.
- To Ports: 10000-12000 //If this internal same with external port, we also can keep this port blank is the same result.
Note: if the internal same as the external, and use the same protocol, you can use the below format for the multiple-ports.
Use the “,” comma symbol for the port.
Disable SIP ALG：
This option is pretty annoying against the VoIP transmission which leads to SIP call drop, one-way audio or no audio issue. It's recommended to disable it if you have the mentioned issues.
Go the menu: IP-->Firewall--> Service Ports
Hairpin NAT is for the internal device to use the router public IP to access the IP which has been forward.
See their Wiki: Hairpin NAT
If you have been done the Hairpin NAT on your ROS. On the forwarded device side only see the router gateway IP for all the requests from internal or external. Sometimes it would have trouble for PBX to send back packets to the SIP device correctly. So you would need to disable it in some cases.
Such as the below screenshot.
How to disabled/enabled the Hairpin NAT on ROS?
Delete or Disable the rule for Hairpin.
The Hairpin NAT rule is like the following:
Go to the menu: IP --> Firewall --> NAT
Disable/remove the rule with the following settings:
- Chain: srcnat
- Src. Address: 192.168.123.0/24 //Enter your internal IP range, or keep it blank.
- Out. Interface: LAN // LAN or Bridge
- Action: masquerade //Choose this option only.
If you don't know how to disable it, try to contact the Mikrotik support.