• Outbound SIP traffic: How to


    It was necessary to force the trunks to use a static SIP server port. The phones can be dynamic but the trunks need to be static.

    Then I just used an alias for the provider's IP blocks - they have 10 C-blocks - and an alias for VoIP port ranges (5060 and 10000-20000).

    Then set up symmetric NAT, meaning equivalent inbound and outbound mapping rules, except the outbound is 5060 only, whereas the inbound uses the alias.

    A lot of the problem was actually the provider. They replied to the dynamic port during call setup, but for tear down they were sending the BYE to 5060.

  • Testing NAT issues with For Honor

    KOM

    Check out the Gaming forum where they have quite a bit of information about NAT and various games.

  • 1:1 NAT block rules

    KOM

    What's the up-side?

    Isolation from your LAN.  If you have a proper DMZ and someone cracks one of your forwarded servers, they will have a very hard time making the jump to your LAN systems.  A 1:1 NAT to LAN is not a DMZ.

  • NAT 1:1 not working on third WAN interface


    OK,
    Now the third interface is working partly. I can reach the server by SSH, but not by DNS or ping. Besides the 1:1 NAT I also made a port forwarding rule for udp/53 and now DNS is also reachable  :P
    Maybe the different subnets are a problem. The firewall has IPs on these subnets: 185.110.174.x (2 IPs, of which one is the WAN interface), 185.110.174.x, 213.187.240.x, 185.110.172.x, 185.110.175.x and of course 192.168.0/24

    Can these subnets be a problem?

    Thanks,
    Roger

  • Is double NAT bad?

    JKnott

    "If you don't need NAT, how do the devices talk?"

    NAT is a hack to allow sharing a single address or, in some cases, for combining networks that happen to have the same address range.

    I have IPv6 available with a /56 prefix.  That means I have 2^72 addresses available in 256 blocks of 2^64 addresses.  The main purpose of NAT was to stretch the IPv4 address space, breaking a few specs in the process.  All my IPv6 capable devices have their own global IPv6 address, with no need for NAT to share a single address.

    How do my devices talk?  Every one, that's IPv6 capable, including all computers, tablet & smart phone have their own IPv6 address that's reachable from outside my network, as I allow with my firewall configuration.

    NAT is a hack, which is used to get around the IPv4 address shortage.  Even with it, there are simply not enough IPv4 addresses to go around.  Those 2^72 IPv6 addresses I have are  2^40 times the entire IPv4 address space.  That's about a million, million addresses, so there's no need to use hacks like NAT to extend the life of the IPv4 address space.

    As I said, NAT is a hack and it breaks some things.  Using it has blinded people to how the 'net is supposed to work.

  • Port forwarding failing on the return loop

    Derelict

    UDP (72 bytes) from 207.136.236.70:45347 to 172.17.19.54:53 on eth1
      UDP (72 bytes) from 172.17.19.54:53 to 207.136.236.70:45347 on eth1

    Look at the source MAC addresses of the inbound traffic and the dest MAC address of the reply traffic there.

    I would create a transit network between the two routers instead of putting the other router on LAN.

  • NAT Reflection


    Hello,

    Thanks for your answer. I'll be sticking with Split DNS then. It works, so no worries. The only issue is that I need to make multiple A records on my Dynamic DNS service and I can only create 2 for freeDNS.

  • NAT 1:1 to PBX


    What PBX software are you using?  They are not all the same.

  • I can't access my forwarded ports in LAN


    https://doc.pfsense.org/index.php/Why_can%27t_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

    Getting 5 threads about the same thing per day gets rather annoying.

  • No firewalls rules after power failure

    chpalmer

    And now they learn.

    Still- no support here for outdated versions.  You can lead with that.

    ;)

  • Usage and maximum number of NAT entries in GUI?

    jimp

    I can't find it in the pf docs at the moment but IIRC it uses the source and destination when checking overloaded ports on outbound NAT so it can use the same source port more than once so long as the destination is different so it can discern where to send replies. Using a pool is better as it reduces contention but it's not as critical as it could be. It also makes the kind of statistic you're interested in very hard to calculate.

  • IP rewritten passing from WAN to DMZ interface?


    Ah, I figured it out. It's the stupid ISP modem.

    Packets coming in from a port forwarding rule are stamped with the WAN IP of the modem as the client.

    Packets returning from a request initiated from within the network are as they should be. The real client IP is visible as the source.

    So it's the way the ISP router performs port forwarding (Inteno FG500, if anyone is interested).

  • NAT gaming… not working

    KOM

    Is there a solution to this?

    UPnP?

  • Port forwarding failed due to different GW configured

    johnpoz

    Source NAT would be done on pfSense.

  • Trouble with pfSense 2.2.6 + external transparent proxy


    Were you able to figure out another solution than the "three proxy layers?"

    I am in a similar situation. I have pfSense 2.3.3 nano on a Firebox x1250. I have Squid 3.5 and SARG 2.3.10 running on Ubuntu Server 16.04. I tried to create a NAT rule to forward all traffic on the LAN requesting port 80 to the internal Ubuntu server running Squid on the default port of 3128. I want to set it up as a transparent proxy but am not having any luck.

    I've added this to the /etc/squid/squid.conf file:

    http_port 3128 transparent
    http_port 80 vhost

    Instead of the older method (which I've read stopped working after Squid 2.6):
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on

    Thanks for any help or advice on what you did to get this to work!

    Anthony

  • Web: Problem with conflict of two NAT rules


    And https://github.com/PiBa-NL/pfsense-haproxy-package-doc/wiki

  • View site from within the lan

    KOM

    https://doc.pfsense.org/index.php/Why_can't_I_access_forwarded_ports_on_my_WAN_IP_from_my_LAN/OPTx_networks

    Configure your internal DNS to resolve the FQDNs to LAN IPs instead of WAN IP.  If that isn't possible, enable NAT Reflection and try that.

  • Port forwarding

    KOM

    You need a cablemodem in bridge mode and then pfSense after that.  If your modem is also acting as a firewall router then you're going to have problems.

  • NAT Reflection Controversy

    johnpoz

    " If thats the case then anything from my working LAN that needs to see the server is going through the router anyways (multiple subnets.) "

    But not through the NAT engine.. For it to work the source has to be NATted to the external IP.  So when 192.168.1.100 wants to talk to 192.168.2.100, he is using the public IP of pfSense to get there, let's call it 1.2.3.4.. So now to send the traffic to 192.168.2.100 pfSense has to NAT that source IP to 1.2.3.4 so that it can be returned through the same path..  If not you have an asymmetrical path, and that part of it is even stated in the RFC cited.

    a) A NAT's hairpinning behavior MUST be of type "External source IP address and port".

    What if your 2 segments are on a downstream router..  Now you have to traverse all the way up to the edge just to come back down..

    It's always the same common theme with these threads asking about NAT reflection - they don't understand how to resolve the IP they want to get to as its local IP vs its public IP..  I agree if there is NO way for you to use the local IP.. Like a hard-coded public IP in the application.  Or the system uses some method of finding the other system it wants to talk to via some outside 3rd-party method that can only return the public IP..  Then you don't really have any choice.

    But I have not seen that case ever brought up in all my years here that I can recall.  So it seems it comes down to laziness..  I don't want to take the time to resolve to the local IP and not have to NAT if on another segment, or just talk to the guy next to me..  So I am just going to use the public IP and make the firewall do extra work, and/or even hairpin my traffic through its interface..

    This is clearly not an optimal configuration - so it blows my freaking mind why anyone that actually finds, or is told, there is another way would continue to do such a thing.

    dcol's setup is clearly a boondoggle of massive proportions..  EV certs provide no extra security..  It might make business sense if your site is hit by the masses..  But from what I can make of it it's some sort of file sharing system for doctors.  And is non-profit so he can only get 1???  But the lawyers and doctors want them??  But can not spend the few extra bucks for more??  Come on, give me a break. Why would you spend $ on something like that..  So this forces him to use only 1 FQDN???  That has to talk to multiple IPs which are really on the same box - so now he is running different parts of this application on different ports - and they need to talk to each other it seems?  So if I read that right and they are using the public IP..  This server has to use NAT reflection to talk to itself even??  How in the hell could that be optimal..

    If you don't read that thread of his and think it's a borked config – you shouldn't be in networking, that is for damn freaking sure!!  Or even IT of any fashion at all - shouldn't even be handling the support contracts ;)

    Normally how it should go when talking between networking engineers..

    eng1: Hey look I have this setup xyz, here is the drawing here are the details.. What do you think??
    eng2: WTF dude - that is borked beyond anything I have ever seen..
    eng1: Really - how would you do it..
    eng2: Well you could do ABC, here draw it up for you - what do you think.
    eng1: But how does Z work in that setup..
    eng2: Like this - see the packets route here..  And now are not natted.
    eng1: Hmmm so all I have to do is X and then it doesn't do all that extra..
    eng2: Yeah
    eng1:  Well F me.. Thanks dude..

  • NAT Pain (Multiple PfSense, Virtual And Physical Networks)

    KOM

    There should be no NAT config required.  This should just work with basic routing, assuming your firewall rules are good.  Post both firewall rules for the WAN & LAN interfaces, then blow away any weird NATs you may have created and start fresh.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.