Comware


Outbound SIP calls failing with MSR2004 router and nat

  • 1.  Outbound SIP calls failing with MSR2004 router and nat

    Posted May 28, 2018 02:18 PM

    Hi,

    I set up an MSR 2004 router for one of my customers. Generally speaking, I'm super happy with the router. However, I can't get the outbound telephony to work. When I dial a number on one of the SIP phones, the call usually just times out without being created at all. Inbound calls are working, so I think it might be a problem with NAT not translating the UDP ports properly. But I have no idea how to fix it. I already tried to enable NAT ALG for SIP without success. I need to fix this ASAP, so any suggestion would be much appreciated.


    #SIP
    #NAT
    #ms2004
    #outbound


  • 2.  RE: Outbound SIP calls failing with MSR2004 router and nat

    Posted May 31, 2018 02:36 PM

    I tested another router with which everything works fine. So now I'm sure that the MSR2004 is to blame.

    I did some more digging and it looks like UDP packets in general are somehow mistreated by the NAT. Is there any additional option I need to configure to mimic 'stateful' routing/NATing of my UDP packets?

    Here is the sanitized config that's currently active:

    #
         version 7.1.064, Release 0605P20
        #
         sysname gw-1
        #
         ip icmp source 192.168.100.1
        #
        nat address-group 0
         address xxx.91.227.170 xxx.91.227.170
        #
         nat mapping-behavior endpoint-independent
        #
         dhcp enable
        #
         dns proxy enable
         dns server 8.8.8.8
         dns server 8.8.4.4
        #
         password-recovery enable
        #
        vlan 1
        #
        vlan 10
         name Management VLAN
        #
        vlan 11
         name Internal VLAN
        #
        vlan 12
         name Guest Wifi VLAN
        #
        vlan 20
         name Sublet 1 VLAN
        #
        qos map-table dscp-lp
         import 6 export 6
        #
        traffic classifier highprio operator and
         if-match acl name sip
        #
        traffic behavior communication
        #
        traffic behavior highprio
         remark local-precedence 7
        #
        qos policy communication
         classifier highprio behavior highprio
        #
         stp mode rstp
         stp global enable
        #
        dhcp server ip-pool guest
         gateway-list 192.168.210.1
         network 192.168.210.0 mask 255.255.255.0
         address range 192.168.210.10 192.168.210.200
         dns-list 192.168.210.1
         expired day 0 hour 4
        #
        dhcp server ip-pool internal
         gateway-list 192.168.200.1
         network 192.168.200.0 mask 255.255.254.0
         address range 192.168.200.10 192.168.201.200
         dns-list 192.168.200.1
         expired day 0 hour 8
        #
        controller Cellular0/0
        #
        interface Aux0
        #
        interface NULL0
        #
        interface Vlan-interface10
         ip address 192.168.100.1 255.255.255.0
        #
        interface Vlan-interface11
         ip address 192.168.200.1 255.255.254.0
         packet-filter 3000 inbound
         qos apply policy communication inbound
        #
        interface Vlan-interface12
         ip address 192.168.210.1 255.255.255.0
         packet-filter 3000 inbound
         packet-filter 3001 inbound
         qos apply policy communication inbound
        #
        interface Vlan-interface20
         packet-filter 3000 inbound
        #
        interface GigabitEthernet0/0
         port link-mode route
         ip address xxx.91.227.170 255.255.255.248
         tcp mss 1460
         packet-filter name external inbound
         nat outbound address-group 0 port-preserved
        #
        interface GigabitEthernet0/1
         port link-mode route
        #
        interface GigabitEthernet0/2
         port link-mode route
        #
        interface GigabitEthernet0/27
         port link-mode route
        #
        interface GigabitEthernet0/3
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 12 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/4
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 12 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/5
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 12 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/6
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 12 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/7
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 12 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/8
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 12 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/9
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 12 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/10
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 12 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/11
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 11 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/12
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 11 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/13
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 11 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/14
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 11 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/15
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 11 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/16
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 11 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/17
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 11 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/18
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 11 tagged
         port hybrid vlan 1 untagged
         port hybrid pvid vlan 10
        #
        interface GigabitEthernet0/19
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 11 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/20
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 12 tagged
         port hybrid vlan 1 untagged
         port hybrid pvid vlan 10
        #
        interface GigabitEthernet0/21
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 11 tagged
         port hybrid vlan 1 untagged
         port hybrid pvid vlan 10
        #
        interface GigabitEthernet0/22
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 11 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/23
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 11 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/24
         port link-mode bridge
         port link-type hybrid
         port hybrid vlan 10 to 11 tagged
         port hybrid vlan 1 untagged
        #
        interface GigabitEthernet0/25
         port link-mode bridge
         port access vlan 11
        #
        interface GigabitEthernet0/26
         port link-mode bridge
         port access vlan 10
        #
         scheduler logfile size 16
        #
        line class aux
         user-role network-admin
        #
        line class tty
         user-role network-operator
        #
        line class vty
         user-role network-operator
        #
        line aux 0
         user-role network-admin
        #
        line vty 0
         user-role network-operator
        #
        line vty 1
         authentication-mode scheme
         user-role network-operator
        #
        line vty 2 63
         user-role network-operator
        #
         ip route-static 0.0.0.0 0 xxx.91.227.169
        #
         ssh server enable
         ssh user admin service-type all authentication-type password
        #
         ssh2 algorithm cipher aes256-cbc
        #
         ntp-service unicast-server ptbtime1.ptb.de
        #
        acl advanced 3000
         rule 0 deny tcp destination 192.168.100.0 0.0.0.255
         rule 1 deny udp destination 192.168.100.0 0.0.0.255
        #
        acl advanced 3001
         rule 0 deny ip destination 192.168.100.0 0.0.0.255
         rule 1 deny ip destination 192.168.200.0 0.0.0.255
        #
        acl advanced name external
         rule 0 permit icmp
         rule 5 permit tcp established
         rule 15 permit udp source-port eq dns
         rule 20 permit udp destination-port gt 1024
         rule 21 permit udp
         rule 25 permit 115
         rule 9999 deny ip
        #
        acl advanced name sip
         rule 0 permit tcp destination-port range 5060 5061
         rule 5 permit udp destination-port range 5060 5061
        #
        domain system
        #
         domain default enable system
        #
        role name level-0
         description Predefined level-0 role
        #
        role name level-1
         description Predefined level-1 role
        #
        role name level-2
         description Predefined level-2 role
        #
        role name level-3
         description Predefined level-3 role
        #
        role name level-4
         description Predefined level-4 role
        #
        role name level-5
         description Predefined level-5 role
        #
        role name level-6
         description Predefined level-6 role
        #
        role name level-7
         description Predefined level-7 role
        #
        role name level-8
         description Predefined level-8 role
        #
        role name level-9
         description Predefined level-9 role
        #
        role name level-10
         description Predefined level-10 role
        #
        role name level-11
         description Predefined level-11 role
        #
        role name level-12
         description Predefined level-12 role
        #
        role name level-13
         description Predefined level-13 role
        #
        role name level-14
         description Predefined level-14 role
        #
        user-group system
        #
        local-user admin class manage
         password hash xxx
         service-type ssh telnet terminal http
         authorization-attribute user-role network-admin
         authorization-attribute user-role network-operator
        #
        cwmp
         cwmp enable
        #
        return
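
Added example, not part of the original post: a first-match evaluator for two of the ACLs in the config above, for checking what the `external` packet filter actually lets through on UDP and whether ACL 3001 covers the whole 192.168.200.0/23 internal network. Function names and the packet dictionaries are hypothetical, ascending rule-ID match order is assumed, and `established` is simplified to "ACK flag set".

```python
import ipaddress

# Rules copied from the posted config; first match wins in ascending rule-ID
# order (Comware's default "config" match order, assumed here).
ACLS = {
    "external": """rule 0 permit icmp
rule 5 permit tcp established
rule 15 permit udp source-port eq dns
rule 20 permit udp destination-port gt 1024
rule 21 permit udp
rule 25 permit 115
rule 9999 deny ip""",
    "3001": """rule 0 deny ip destination 192.168.100.0 0.0.0.255
rule 1 deny ip destination 192.168.200.0 0.0.0.255""",
}
PORTS = {"dns": 53}

def wildcard_match(addr, base, wildcard):
    # Wildcard mask: bits set to 1 are ignored when comparing addresses.
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

def rule_matches(tokens, pkt):
    proto, opts = tokens[0], tokens[1:]
    if proto not in ("ip", pkt["proto"]):
        return False
    i = 0
    while i < len(opts):
        key = opts[i]
        if key == "established":          # simplified: ACK flag set
            ok, i = pkt.get("ack", False), i + 1
        elif key in ("source-port", "destination-port"):  # only eq/gt occur here
            port = pkt["sport" if key == "source-port" else "dport"]
            val = int(PORTS.get(opts[i + 2], opts[i + 2]))
            ok, i = (port == val if opts[i + 1] == "eq" else port > val), i + 3
        elif key == "destination":
            ok, i = wildcard_match(pkt["dst"], opts[i + 1], opts[i + 2]), i + 3
        else:
            raise ValueError(f"unsupported keyword: {key}")
        if not ok:
            return False
    return True

def first_match(acl, pkt):
    """Return (rule_id, action) of the first matching rule, or None."""
    for line in ACLS[acl].splitlines():
        _, rid, action, *tokens = line.split()
        if rule_matches(tokens, pkt):
            return int(rid), action
    return None
```

With a constructed packet such as `{"proto": "udp", "sport": 40000, "dport": 161}`, `first_match("external", ...)` returns rule 21 permit, so this filter passes all inbound UDP and rule 9999 never applies to it. A constructed guest packet to 192.168.201.50 returns no match on ACL 3001, because the 0.0.0.255 wildcard covers only 192.168.200.x while the internal pool runs to 192.168.201.200.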

     



  • 3.  RE: Outbound SIP calls failing with MSR2004 router and nat

    Posted Mar 16, 2020 04:20 AM

    Well, this looks like a huge issue and I don't really know how to fix this. But I have a friend who works at an Internet provider company and, as far as I know, he was always telling me that if I have issues with my router or with the internet connection, I should search for the answer on the internet first, before calling the provider, as many of the issues can be solved very easily. Also, my friend told me that everybody should read this article about high-speed internet connections if they want to understand how an internet connection works. Maybe you will find a solution for your problem after reading this article. I will be honest with you, this is the greatest article I ever read and I found out a lot of new features and tips that are very useful on a day-to-day basis.