Netgate Discussion Forum
SIP and NAT Reflection

pkwong, Feb 24, 2008, 4:19 PM (edited 4:51 PM)

    Hi,

    I can't seem to get a definitive answer from the documentation or from random googling (for at least 5 hours) with regards to SIP and NAT Reflection. I'm currently running pfSense 1.2 RC4.

    I have the following set up:

    Also, it's not 1:1 NAT. I have one IP address on the WAN and it's a static IP.

    1. General / Advanced Options / Disable NAT Reflection box (unchecked)
    2. I have ports forwarded properly to my Asterisk server (using Port Forwarding) (ports 5060 / 10001-2000)
    3. The RTP ports are 10000-20000 and I know NAT Reflection won't work with >500 ports, so I created a port alias with the ports broken up into 499-port blocks and put them all under the same alias. I then created a rule that port forwards the alias (port range) to the proper machine.

    My NAT Rules are as follows:

    IF    Proto     Ext. Port Range   NAT IP          Int. Port Range   Description
    WAN   TCP/UDP   5060-5070         192.168.1.250                     SIP
    WAN   TCP/UDP   VOIP_RTP_RANGE    192.168.1.250   VOIP_RTP_RANGE    SIP RTP
    WAN   TCP/UDP   6                 192.168.1.250   80 (HTTP)         Web Server

    I know reflection is working, as I am able to access my pfSense box from the public IP address. (I'd like to think it's working... maybe it's not.)

    I can't, however, reach the web server or the PBX box from inside the network using the external address. I'm assuming I've done something wrong or NAT Reflection isn't working, but for the life of me, I'm stuck. I've RTFM'd a few dozen times and don't know what I'm doing wrong. Can anyone help shed some light on the situation?

    Thanks In Advance.

    When all else fails, don't blame the machine.  Blame your architecture.

GruensFroeschli, Feb 24, 2008, 4:58 PM

      AFAIK there is an additional limit of 1000 ports that can be reflected.

      Do you have a domain name on your WAN IP?
      If yes:
      Do your clients use the pfSense as DNS?
      You could make an entry in the DNS Forwarder config that overrides your domain name to the IP of your local server.

      This way, when your clients resolve the server's name, they get the server's IP directly and not the IP on the WAN.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

pkwong, Feb 24, 2008, 5:04 PM

        Ahh, yes, I was thinking about that. I figured it was the "active ports" count, not what was specified. Heh. I do have the clients using pfSense as the DNS (that's how I'm currently resolving the problem), but in the long run, if I wanted to test whether something worked, I'd need to go outside, look for a wireless access point and go back and forth in the troubleshooting. This could prove tedious and, in general, a royal pain in the ass.

        I have the DNS Forwarder fix going on right now, but "port reflection" is something I'm really hoping to get working. Heh.

        The 1000-port hard limit is based on the actual number defined in the rule and not the active number of ports being reflected, huh? Well, that could be my problem.

        I'll give it a try!

        When all else fails, don't blame the machine.  Blame your architecture.

hoba, Feb 24, 2008, 6:39 PM
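As an added example (not code from the thread or from pfSense), here is a small Python model of the two limits discussed in the posts above: the 500-port-per-range limit pkwong worked around with 499-port alias blocks, and the 1000-port total reflection limit GruensFroeschli mentions. It splits an RTP range into alias blocks the way pkwong did and then checks the alias against both limits, which makes the point in pkwong's last post concrete: splitting 10000-20000 into blocks keeps every block under 500 ports, but the alias still defines 10001 ports, far over the 1000-port total. The limit values and the `lo:hi` alias syntax are taken from the thread or assumed, not verified against the pfSense 1.2 source.

```python
"""Model of pfSense 1.2-era NAT reflection port limits (added example).

Assumptions (not verified against pfSense source):
  - a single reflected port range may cover at most 500 ports (per the thread)
  - all reflected ports together may total at most 1000 (per the thread)
  - a port alias expresses a range as "lo:hi"
"""

PER_RANGE_LIMIT = 500        # per port range, as stated by pkwong
TOTAL_REFLECTION_LIMIT = 1000  # total reflected ports, as stated by GruensFroeschli


def split_range(start, end, block_size=499):
    """Split the inclusive port range start..end into consecutive blocks of
    at most block_size ports, as pkwong did for his 10000-20000 RTP alias."""
    if not (1 <= start <= end <= 65535):
        raise ValueError("invalid port range %r-%r" % (start, end))
    if block_size < 1:
        raise ValueError("block_size must be positive")
    blocks = []
    lo = start
    while lo <= end:
        hi = min(lo + block_size - 1, end)
        blocks.append((lo, hi))
        lo = hi + 1
    return blocks


def alias_entries(blocks):
    """Render blocks in the assumed alias syntax, e.g. '10000:10498'."""
    return ["%d:%d" % (lo, hi) for lo, hi in blocks]


def port_count(blocks):
    """Total number of ports the alias defines (inclusive ranges)."""
    return sum(hi - lo + 1 for lo, hi in blocks)


def reflection_check(blocks):
    """Evaluate an alias against both limits.

    per_range_ok: every block fits under PER_RANGE_LIMIT (what the 499-port
                  split achieves).
    total_ok:     the ports *defined* across all blocks fit under
                  TOTAL_REFLECTION_LIMIT; this is the limit that counts the
                  rule's definition, not active sessions, so splitting a large
                  range does not help.
    """
    total = port_count(blocks)
    return {
        "blocks": len(blocks),
        "total_ports": total,
        "per_range_ok": all(hi - lo + 1 <= PER_RANGE_LIMIT for lo, hi in blocks),
        "total_ok": total <= TOTAL_REFLECTION_LIMIT,
    }


if __name__ == "__main__":
    # The RTP alias from the thread: 10000-20000 split into 499-port blocks.
    rtp = split_range(10000, 20000)
    print("RTP alias entries:", alias_entries(rtp)[:3], "...", alias_entries(rtp)[-1])
    print("RTP alias check:", reflection_check(rtp))
    # The SIP signalling range 5060-5070 fits comfortably under both limits.
    print("SIP range check:", reflection_check(split_range(5060, 5070)))
```

Running the script shows the RTP alias passing the per-range check while failing the total check, which is consistent with reflection for SIP signalling on 5060-5070 working and reflection for the full RTP range not working regardless of how the alias is chunked.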

          I doubt that NAT reflection (or at least the way pfSense does it currently) will work for a crappy protocol like SIP.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.