Configure UCM62XX via port forwarding in Mikrotik router

suggestion

#1

Hello.

Due to several security reasons I configured my UCM6202 with a private IP and forwarded the port of the public IP used on my Mikrotik router to the private IP of the UCM.
I have forwarded the UDP, RTP port 5060 from my Mikrotik router. I also configured the External Host setting to point to the public IP of my Mikrotik router, the External UDP Port to 5060 and the External TCP Port to 5060.

After all that, when I configure my phones with the router's Public_IP:5060 as the Server address, the phones do not get registered.
I don't understand what I am doing wrong in the configuration.

Can anyone please suggest the process for what I am trying to achieve in my case?

Thanks


#2

What do your destination NAT settings look like in the IP -> Firewall -> NAT rules of the Mikrotik?
What do the Service Ports look like? Is there anything enabled there?
What does the IP Service list look like? Is there anything enabled there?


#3

First of all, make sure that you have done the birth of the 5060 ONLY for certain, safe public IPs in the ACL, not to the whole world.
You must also do the NAT of the RTP ports (always in the ACL) and enable the NAT on the inside.


#4

#What do your destination NAT settings look like in the IP -> Firewall -> NAT rules of the Mikrotik?
Ans: Dstn source: public IP of the Mikrotik
dstn port: 5060
Action:
dst-nat
to address: private IP of UCM
to port: 5060

#What do the Service Ports look like? Is there anything enabled there?
Ans: The service port SIP is disabled and the other ports are enabled.

#What does the IP Service list look like? Is there anything enabled there?
Ans: All disabled except the Winbox & WWW ports.

Thanks


#5

This is a Grandstream forum; if you get no answers you should ask those questions on the Mikrotik forum.


#6

I will also generate these queries on the Mikrotik side. These queries involve both Mikrotik and Grandstream. The main purpose will be served by Grandstream.


#7

So, the phones are remote?
Do you have a SIP trunk as well and what is its status?


#8

I have tried configuring both local and remote phones. I haven't used a SIP trunk yet. Initially I just need to make sure that both remote and local IP phones can be made live via this process.


#9

So, local phones are not working either?


#10

Siyam, you need to set up some Geo IP blocking on the Mikrotik if you are using remote extensions. There are also other ports that are needed by the remote phones to gain access to the UCM through the Mikrotik.

If you need to get the Mikrotik to perform better and allow the UCM to work well, you need to utilise the best practices for the Mikrotik and also make it SIP friendly for the UCM.

I would suggest using the following site and making sure you lock your Mikrotik down.
Grab the Hardened Firewall information from the Mikrotik Wiki.

Look for the post by SOB
https://forum.mikrotik.com/viewtopic.php?t=132844


#11

I agree with Kev & Damiano about securing.

In the meantime:
Go to PBX Settings, SIP Settings and NAT.

  1. Put your public IP or FQDN that resolves to same in the External Host field.
  2. Check the box about using same for SDP.
  3. At the bottom of the page input the local LAN segment and subnet.
  4. For those extensions that will be remote, go to the extension settings and check the box for NAT.

The above tells the UCM how to respond when seeing a local device and (differently) for a public device.

You need to forward the RTP ports and you need to disable the SIP ALG on the router.


#12

I always use UCMs in conjunction with Mikrotik routers and it works perfectly!

On the UCM:
PBX Settings - SIP Settings - NAT - External Host (insert here the public IP)
PBX Settings - SIP Settings - NAT - Local Network (insert here the local IP network)
PBX Settings - RTP Settings - Start RTP 10000
PBX Settings - RTP Settings - End RTP 11000

On the Mikrotik:
IP - Firewall - Service Ports: disable SIP
IP - Firewall - NAT: chain dstnat, protocol tcp, dst-port 5060-5061, in-interface-list WAN, action dst-nat, to-addresses (UCM local IP), to-ports 5060-5061
IP - Firewall - NAT: chain dstnat, protocol udp, dst-port 5060-5061, in-interface-list WAN, action dst-nat, to-addresses (UCM local IP), to-ports 5060-5061
IP - Firewall - NAT: chain dstnat, protocol udp, dst-port 10000-11000, in-interface-list WAN, action dst-nat, to-addresses (UCM local IP), to-ports 10000-11000
IP - Firewall - NAT: chain dstnat, protocol tcp, dst-port 10000-11000, in-interface-list WAN, action dst-nat, to-addresses (UCM local IP), to-ports 10000-11000


#13

As Mariano has mentioned the ports he uses in the destination NAT rules of the Mikrotik, I personally would lock the external side down to the IP address / range of the SIP server using source address = SIP provider, destination address = external IP of the WAN (we have a small range of different IP addresses and prefer to lock it down to the one IP), and the rest as he has mentioned.

On top of that I would use geo ip blocking (for remote extensions) and several other scripts to ensure that the system is clean.
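Mariano's rule list in #12 and Kev's source-address restriction from #13, written out as RouterOS CLI commands. This is an added example, not configuration posted by anyone in the thread: the UCM LAN address 192.168.88.10, the address-list name sip-allowed and the provider range 203.0.113.0/24 are placeholders to replace with your own values, and the interface list WAN is assumed to exist already. RTP media is UDP, so only the UDP rule is written for the 10000-11000 range; the UCM-side settings (External Host, Local Network, RTP range) are set in the web UI as described in #11 and #12 and are not repeated here.

```routeros
# Added example (not from the thread). Assumptions: UCM at 192.168.88.10,
# interface list "WAN" already defined, SIP provider range 203.0.113.0/24 (placeholder).

# 1. Disable the SIP ALG (RouterOS "service port") so the router stops rewriting
#    SIP headers; the UCM handles NAT itself via External Host / Local Network.
/ip firewall service-port set sip disabled=yes

# 2. Address list of who may reach the forwarded ports: the SIP provider and any
#    known remote-phone sites. Everything else never gets a dst-nat rule match.
/ip firewall address-list add list=sip-allowed address=203.0.113.0/24 comment="SIP provider (placeholder)"

# 3. Destination NAT for SIP signalling, TCP and UDP 5060-5061, restricted by source.
/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=udp dst-port=5060-5061 src-address-list=sip-allowed action=dst-nat to-addresses=192.168.88.10 to-ports=5060-5061 comment="SIP UDP -> UCM"
/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=5060-5061 src-address-list=sip-allowed action=dst-nat to-addresses=192.168.88.10 to-ports=5060-5061 comment="SIP TCP -> UCM"

# 4. Destination NAT for the RTP media range configured on the UCM (10000-11000).
/ip firewall nat add chain=dstnat in-interface-list=WAN protocol=udp dst-port=10000-11000 src-address-list=sip-allowed action=dst-nat to-addresses=192.168.88.10 to-ports=10000-11000 comment="RTP UDP -> UCM"

# 5. If the forward chain drops by default (hardened firewall), let dst-natted
#    connections through; they are the only WAN-originated traffic reaching the UCM.
/ip firewall filter add chain=forward in-interface-list=WAN connection-nat-state=dstnat action=accept comment="allow dst-natted SIP/RTP"

# 6. SIP packets from sources not in the list are not dst-natted, so they arrive on
#    the router's own input chain; drop them there so scanners get no response.
/ip firewall filter add chain=input in-interface-list=WAN protocol=udp dst-port=5060-5061 action=drop comment="drop unsolicited SIP"
/ip firewall filter add chain=input in-interface-list=WAN protocol=tcp dst-port=5060-5061 action=drop comment="drop unsolicited SIP"
```

Remote extensions only work with this layout if their public addresses (or a country-based list, as Kev's Geo IP suggestion implies) are added to sip-allowed; a phone behind an address that is not listed will hit rule 6 and never see the UCM, which is the intended failure mode. Check the dst-nat rule counters with `/ip firewall nat print stats` while a phone registers: a rule that never counts up usually means the source address is missing from the list.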


#14

Is the UCM in Sw, Route or Dual mode?


#15