carl0s
Member Candidate
Topic Author
Posts: 183
Joined: Thu Jun 25, 2009 7:18 pm

Any issues in this config? SIP phone problems :(

Tue Feb 13, 2024 11:43 pm

I have approx 34 Yealink SIP-T31P phones here, connecting to a hosted VoIP provider in the UK.
The provider is running the SIP over TCP. I am more familiar with SIP over UDP but nonetheless this is what they use.
Router in office is a CCR2004-16G-2S+ and it is being 'router on a stick' for the LAN/VLAN side with a 10G SFP+ interface - it just has a virtual interface for the other VLAN, and the other SFP+ is used at 1G for WAN. In the config, the VoIP VLAN is called 'Public WiFi', because it is used for guest Wi-Fi (TP Link AP uses VLAN 11), and also for VoIP phones.

I am finding some phones lagging a lot on ringing and audio start.
I restart the phone, and it can take quite a while to register. I unplug and plug back in, and then it takes even longer. I am removing the connection entries from the conntrack table between restarts sometimes, to see if that helps (it can help with my packet capture for sure).
By the third phone restart, I am up to 25 minutes before the handset registers. The packet capture, which is taken on the MikroTik and redirected to my PC, does show everything OK internally - and I can ping and see the web interface (but don't have the password to log in to it yet - they tried to set it for me but it's not working).

I see inbound invalid NAT connections from the provider - like they are trying to continue a TCP session that our end considers terminated. I confirm in the nat table that the ports are no longer tracked - so they are indeed invalid.

I brought one of the offending handsets home, and it registers fine every time I turn it on, however this is all by itself - it doesn't have 33 other handsets on the same network connecting to the same provider. I also use a MikroTik here (hEX gr750) and here at home I have the SIP helper turned on. It is turned off at the office, but I don't think this is the issue.

I have IP-Neighbour on the MikroTik announcing VoIP VLAN 11 via LLDP-MED. Switches are doing dual-mode (tagged VLAN 11 and untagged default VLAN) on all ports.
But to eliminate the switches and VLAN, I created a new IP address, DHCP pool etc. on ether1 & ether2, bridged them, so that my laptop and this phone were on their own subnet (192.168.30.0/24), and I still see the same issues.

Does anything stick out here? I know my NAT masquerade rule does not specify subnets but it shouldn't matter - it specifies the out-interface. In my experience that is enough.
# 2024-02-13 21:26:02 by RouterOS 7.13.3
#
# model = CCR2004-16G-2S+
/interface bridge add disabled=yes name=IT-test
/interface ethernet set [ find default-name=sfp-sfpplus2 ] name=1G-sfp-Internet
/interface ethernet set [ find default-name=sfp-sfpplus1 ] name=10G-sfp-LAN
/interface vlan add interface=10G-sfp-LAN name=vlan2-management vlan-id=2
/interface vlan add interface=10G-sfp-LAN name=vlan11-public-internet vlan-id=11
/interface list add name=LAN
/ip ipsec peer add address=123.123.123.123/32 disabled=yes name=P6
/ip ipsec peer add address=123.123.123.123/32 exchange-mode=ike2 name=ITGuy
/ip ipsec profile set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 nat-traversal=no
/ip ipsec proposal set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
/ip pool add name=Public_WiFi ranges=192.168.10.11-192.168.10.240
/ip pool add name=Management_VLAN ranges=192.168.20.11-192.168.20.250
/ip pool add name=IT-test ranges=192.168.30.11-192.168.30.100
/ip dhcp-server add address-pool=Public_WiFi interface=vlan11-public-internet lease-time=15m name=Public_WiFi
/ip dhcp-server add address-pool=Management_VLAN interface=vlan2-management name=Management_VLAN
/ip dhcp-server add address-pool=IT-test disabled=yes interface=IT-test name=IT-test
/interface bridge port add bridge=IT-test interface=ether1
/interface bridge port add bridge=IT-test interface=ether2
/ip firewall connection tracking set udp-timeout=20s
/ip neighbor discovery-settings set discover-interface-list=LAN lldp-med-net-policy-vlan=11
/ipv6 settings set disable-ipv6=yes
/interface list member add interface=10G-sfp-LAN list=LAN
/ip address add address=11.11.11.11/30 interface=1G-sfp-Internet network=11.11.11.10
/ip address add address=22.22.22.22.53/30 interface=1G-sfp-Internet network=22.22.22.22.52
/ip address add address=22.22.22.22.54/30 interface=1G-sfp-Internet network=22.22.22.22.52
/ip address add address=192.168.1.254/24 interface=10G-sfp-LAN network=192.168.1.0
/ip address add address=192.168.10.1/24 interface=vlan11-public-internet network=192.168.10.0
/ip address add address=192.168.200.254/24 interface=wireguard1 network=192.168.200.0
/ip address add address=192.168.20.1/24 interface=vlan2-management network=192.168.20.0
/ip address add address=192.168.30.1/24 disabled=yes interface=IT-test network=192.168.30.0
/ip dhcp-client add disabled=yes interface=10G-sfp-LAN
/ip dhcp-server network add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dhcp-server network add address=192.168.20.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.20.1
/ip dhcp-server network add address=192.168.30.0/24 dns-server=8.8.8.8 gateway=192.168.30.1
/ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall filter add action=accept chain=input comment="Without ICMP echo replies, the BGP closes route to our subnet" in-interface=1G-sfp-Internet protocol=icmp
/ip firewall filter add action=accept chain=input comment=Wireguard dst-port=443 protocol=udp
/ip firewall filter add action=accept chain=input src-address-list=Trusted
/ip firewall filter add action=accept chain=input comment=VoIP src-address=123.123.123.123
/ip firewall filter add action=accept chain=input connection-type=sip in-interface=1G-sfp-Internet
/ip firewall filter add action=accept chain=forward connection-type=sip in-interface=1G-sfp-Internet
/ip firewall filter add action=log chain=input connection-state=invalid in-interface=1G-sfp-Internet log=yes src-address=91.240.178.10
/ip firewall filter add action=drop chain=input connection-state=!established,related in-interface=1G-sfp-Internet
/ip firewall nat add action=accept chain=srcnat comment="No-nat for IPSec VPN" dst-address=192.168.0.0/16 src-address=192.168.0.0/16
/ip firewall nat add action=masquerade chain=srcnat comment="Outbound internet access" out-interface=1G-sfp-Internet
/ip firewall service-port set sip disabled=yes
/ip ipsec identity add mode-config=request-only notrack-chain=prerouting peer=P6
/ip ipsec identity add peer=ITGuy
/ip ipsec policy add dst-address=192.168.80.0/24 peer=Carl src-address=192.168.1.0/24 tunnel=yes
/ip ipsec policy add comment="P6 VPN not in use - 60G bridge used now instead" disabled=yes dst-address=192.168.2.0/24 peer=P6 src-address=192.168.1.0/24 tunnel=yes
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=11.11.11.12 routing-table=main suppress-hw-offload=no
/snmp set contact="Carl" enabled=yes
/system clock set time-zone-name=Europe/London
/system identity set name="Main router"
/system logging add disabled=yes topics=debug
/system logging add disabled=yes topics=ipsec
/system note set show-at-login=no
/system routerboard settings set enter-setup-on=delete-key
/tool sniffer set file-limit=2048KiB filter-interface=all filter-mac-address=80:5E:0C:9F:AC:36/FF:FF:FF:FF:FF:FF memory-limit=2048KiB streaming-enabled=yes streaming-server=192.168.30.99
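A small helper for reading a config like the one above, as an added example that is not part of carl0s's post and not MikroTik code: it parses `/export` lines and walks a filter chain top to bottom to show which rule a given packet hits. The firewall lines embedded below are a constructed subset of the posted export; the packets are constructed too. Two things it makes visible that are easy to miss when reading the export by eye: with `/ip firewall service-port set sip disabled=yes`, rules matching `connection-type=sip` can never match (the helper is what tags those connections), and the `comment=VoIP` accept rule sits before the `connection-state` rules, so in this model a packet from that source address is accepted in the input chain whatever conntrack thinks of it. The evaluation rules it assumes (first terminal match wins, `action=log` is non-terminal, implicit accept at chain end) are stated in the docstring; only the matchers listed in `KNOWN` are modelled.

```python
"""Parse a RouterOS '/export' and walk a firewall chain to see which rule a
packet hits.  Added example for this thread; not carl0s's code and not
MikroTik code.  Assumed RouterOS behaviour (not taken from the post):
  * rules run top to bottom, the first enabled terminal match decides;
  * action=log / passthrough are non-terminal, evaluation continues;
  * no match at chain end means the chain's implicit accept;
  * connection-type=sip matches only connections tagged by the SIP
    service-port helper, so with the helper disabled it never matches.
A rule using a matcher outside KNOWN is conservatively treated as no match."""
import shlex

VERBS = {"add", "set", "remove", "enable", "disable"}
KNOWN = {"action", "chain", "comment", "log", "log-prefix", "disabled",
         "in-interface", "src-address", "protocol", "dst-port",
         "src-address-list", "connection-type", "connection-state"}
NON_TERMINAL = {"log", "passthrough"}

# Constructed subset of the export from the post (line numbers relative to this text).
EXPORT = """\
/ip firewall filter add action=accept chain=input comment="Without ICMP echo replies, the BGP closes route to our subnet" in-interface=1G-sfp-Internet protocol=icmp
/ip firewall filter add action=accept chain=input comment=Wireguard dst-port=443 protocol=udp
/ip firewall filter add action=accept chain=input src-address-list=Trusted
/ip firewall filter add action=accept chain=input comment=VoIP src-address=123.123.123.123
/ip firewall filter add action=accept chain=input connection-type=sip in-interface=1G-sfp-Internet
/ip firewall filter add action=accept chain=forward connection-type=sip in-interface=1G-sfp-Internet
/ip firewall filter add action=log chain=input connection-state=invalid in-interface=1G-sfp-Internet log=yes src-address=91.240.178.10
/ip firewall filter add action=drop chain=input connection-state=!established,related in-interface=1G-sfp-Internet
/ip firewall service-port set sip disabled=yes
"""


def parse_export(text):
    """Export lines -> dicts {path, verb, target, args, line}; '[ find ... ]'
    and bare positional tokens (e.g. 'set sip ...') become the target."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)          # honours quoted comment="..."
        path, i = [], 0
        while i < len(tokens) and tokens[i] not in VERBS:
            path.append(tokens[i])
            i += 1
        if i == len(tokens):
            continue                        # no verb: not a command
        verb, i = tokens[i], i + 1
        target, args = None, {}
        if i < len(tokens) and tokens[i] == "[":
            j = tokens.index("]", i)
            target, i = " ".join(tokens[i + 1:j]), j + 1
        for tok in tokens[i:]:
            if "=" in tok:
                k, v = tok.split("=", 1)
                args[k] = v
            else:
                target = tok
        entries.append({"path": " ".join(path), "verb": verb,
                        "target": target, "args": args, "line": n})
    return entries


def sip_helper_enabled(cfg):
    """The SIP helper is on unless the export explicitly disables it."""
    for e in cfg:
        if e["path"] == "/ip firewall service-port" and e["target"] == "sip":
            return e["args"].get("disabled", "no") != "yes"
    return True


def rules(cfg, chain=None):
    """Filter rules in export order, optionally restricted to one chain."""
    out = [e for e in cfg if e["path"] == "/ip firewall filter" and e["verb"] == "add"]
    return [e for e in out if chain is None or e["args"].get("chain") == chain]


def dead_sip_rules(cfg):
    """Rules that rely on connection-type=sip while the helper is disabled."""
    if sip_helper_enabled(cfg):
        return []
    return [e for e in rules(cfg) if e["args"].get("connection-type") == "sip"]


def _matches(a, pkt, helper_on):
    """True if every modelled matcher present in rule args 'a' accepts pkt."""
    if set(a) - KNOWN:
        return False
    for key in ("in-interface", "protocol", "dst-port"):
        if key in a and a[key] != str(pkt.get(key)):
            return False
    if "src-address" in a and a["src-address"].split("/")[0] != pkt.get("src-address"):
        return False
    if "src-address-list" in a and a["src-address-list"] not in pkt.get("lists", ()):
        return False
    if "connection-type" in a and not (helper_on and a["connection-type"] == pkt.get("connection-type")):
        return False
    if "connection-state" in a:
        spec = a["connection-state"]
        negate = spec.startswith("!")
        hit = pkt.get("connection-state") in spec.lstrip("!").split(",")
        if hit == negate:
            return False
    return True


def first_match(cfg, chain, pkt):
    """Walk 'chain'; return the first enabled terminal rule matching pkt, or
    None for the implicit accept.  Non-terminal hits go into pkt['trace']."""
    helper_on = sip_helper_enabled(cfg)
    pkt.setdefault("trace", [])
    for r in rules(cfg, chain):
        a = r["args"]
        if a.get("disabled") == "yes" or not _matches(a, pkt, helper_on):
            continue
        if a["action"] in NON_TERMINAL:
            pkt["trace"].append(r["line"])
            continue
        return r
    return None


if __name__ == "__main__":
    cfg = parse_export(EXPORT)
    print("dead connection-type=sip rules on lines:", [r["line"] for r in dead_sip_rules(cfg)])
    pkt = {"in-interface": "1G-sfp-Internet", "src-address": "123.123.123.123",
           "protocol": "tcp", "connection-state": "invalid"}
    print("invalid TCP from the VoIP source hits:", first_match(cfg, "input", pkt)["args"])
```

Run it against a full `/export` by replacing `EXPORT` with the file contents; anything the model does not understand (address lists it cannot see, matchers outside `KNOWN`) is reported as "no match" rather than guessed, so a surprising result is a prompt to look at that rule, not a verdict.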
