General • WireGuard Tunnel: VTO+VTH (SIP Dahua)

I'm not in the habit of asking for help on the forums, but I've hit a wall and need a push in the right direction; help from anyone who has a minute would be appreciated.
There is a call panel, Dahua DHI-VTO6221E-P; it acts as the SIP server (VTO).
There is an indoor intercom, Dahua VTH2611L; in this case it is the SIP client (VTH).
Everything works when they are in the same subnet, but the task is to separate these two devices geographically.
There is no static IP at the call panel's connection point, nor at the intercom's connection point.
There is no fine-tuning on the proprietary devices, only IP addresses and SIP passwords.
My solution:
Two MikroTik RB941s: one for the outdoor panel (VTO), subnet 192.168.100.0/24 (100.2 for the SIP server), with its own WAN.
For the indoor intercom (VTH), 192.168.200.0/24 (200.2 is the host for the SIP client), also with its own WAN.
Both bring up a WireGuard tunnel towards my working CHR on a static address. The WireGuard addresses are CHR - 172.22.0.1, RB941 "SIP" - 172.22.0.2, RB941 "CLIENT" - 172.22.0.3.
Packets go through in both directions!
On RB941 "SIP", on RB941 "CLIENT" and on CHR there is NAT masquerade into the WireGuard tunnel for outgoing hosts in 172.22.0.0/24, like this:
Code:
add action=masquerade chain=srcnat out-interface=to_alcr-lnt-wg-voip-tun src-address=172.22.0.0/24
On both routers, the route 172.22.0.0/24 comes up dynamically via the WireGuard tunnel.
On the SIP server's router, these rules also work:
Code:
add action=netmap chain=dstnat disabled=yes dst-port=554 in-interface=to_alcr-lnt-wg-voip-tun protocol=tcp to-addresses=192.168.100.2 to-ports=554
add action=netmap chain=dstnat disabled=yes dst-port=5060 in-interface=to_alcr-lnt-wg-voip-tun protocol=udp to-addresses=192.168.100.2 to-ports=5060
add action=netmap chain=dstnat disabled=yes dst-port=5000 in-interface=to_alcr-lnt-wg-voip-tun protocol=tcp to-addresses=192.168.100.2 to-ports=5000
In general, this is a well-established scheme that works for me in many cases, except for SIP! The intercom gets the incoming call (port 5000) and the RTSP video (port 554), but there is no voice in either direction (port 5060), because the return address in the SIP headers needs to be substituted (but where: SIP? CLIENT? CHR?), and I don't know how. And in general I've read the global recommendation about SIP: either enable DIRECT MEDIA on the SIP server (but Dahua provides no such setting) or avoid NAT altogether.
In the indoor intercom's settings, the remote SIP server is set as 172.22.0.2, although (for its router) it has the IP 192.168.100.2, and even though NAT sneaks the packets through, this is where the whole problem of the SIP protocol lies.
By the way, all three components of the tunnel have this NAT setting:
Code:
set sip disabled=yes ports=5060 sip-direct-media=no
(turning it on doesn't help)

1) Is there any way I can put the WireGuard tunnel into a bridge so that the devices see each other on the same subnet (avoiding NAT)?
2) Maybe I should give up WireGuard in favor of an OpenVPN implementation, but as I understand it that is either TCP or UDP, and when calling from the intercom both protocols are used.
3) Learn how to inject headers into SIP packets by some rule on MikroTik?

Max, thx!

Statistics: Posted by Maksheri — Sun Feb 11, 2024 8:24 pm
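The post's option 1 (let the VTO and VTH reach each other without NAT) does not need a bridge: the two LANs can be routed across the existing hub-and-spoke tunnel so that no masquerade touches the SIP traffic and the headers the devices generate stay reachable. The configuration below is an added example, not the poster's config; it reuses the interface name and addresses from the post and assumes ether1 is each RB941's WAN, while the public keys, the CHR's public address and the listen port 13231 are placeholders.

```routeros
# Added example, not from the post: route 192.168.100.0/24 <-> 192.168.200.0/24
# over the WireGuard tunnel with no srcnat into the tunnel.
# Placeholders: <...-PUBLIC-KEY>, <CHR-PUBLIC-IP>, port 13231.

# --- on CHR (172.22.0.1): each spoke's LAN is allowed behind its peer,
#     and the CHR input chain must accept udp/13231 from the two spokes
/interface wireguard peers
add interface=to_alcr-lnt-wg-voip-tun public-key="<SIP-ROUTER-PUBLIC-KEY>" \
    allowed-address=172.22.0.2/32,192.168.100.0/24 comment="RB941 SIP (VTO)"
add interface=to_alcr-lnt-wg-voip-tun public-key="<CLIENT-ROUTER-PUBLIC-KEY>" \
    allowed-address=172.22.0.3/32,192.168.200.0/24 comment="RB941 CLIENT (VTH)"
/ip route
add dst-address=192.168.100.0/24 gateway=to_alcr-lnt-wg-voip-tun
add dst-address=192.168.200.0/24 gateway=to_alcr-lnt-wg-voip-tun

# --- on RB941 "SIP" (172.22.0.2): the remote LAN goes via the hub
/interface wireguard peers
add interface=to_alcr-lnt-wg-voip-tun public-key="<CHR-PUBLIC-KEY>" \
    endpoint-address=<CHR-PUBLIC-IP> endpoint-port=13231 persistent-keepalive=25s \
    allowed-address=172.22.0.0/24,192.168.200.0/24
/ip route
add dst-address=192.168.200.0/24 gateway=to_alcr-lnt-wg-voip-tun
# masquerade only towards the Internet, never into the tunnel
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
# the dstnat/netmap rules for 554, 5060 and 5000 are not needed any more:
# the VTH talks to 192.168.100.2 directly

# --- on RB941 "CLIENT" (172.22.0.3): mirror of the above
/interface wireguard peers
add interface=to_alcr-lnt-wg-voip-tun public-key="<CHR-PUBLIC-KEY>" \
    endpoint-address=<CHR-PUBLIC-IP> endpoint-port=13231 persistent-keepalive=25s \
    allowed-address=172.22.0.0/24,192.168.100.0/24
/ip route
add dst-address=192.168.100.0/24 gateway=to_alcr-lnt-wg-voip-tun
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
# in the VTH's settings the SIP server is then 192.168.100.2, not 172.22.0.2
```

Because RouterOS does not create routes from allowed-address on its own, the explicit /ip route entries are required on all three routers, and a peer whose allowed-address does not include the remote LAN silently drops those packets.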