Forwarding RTP ports 20000-20011 not working
-
I am having a problem getting VoIP working. This VoIP provider allows you to send RTP packets to any port, but they only send RTP packets back to ports 20000-20011. I set up a NAT, which created an automatic firewall rule for this; however, it doesn't work. I have a traffic capture below. I am not showing any drops if I look at the real-time filter logs.
My external IP: 216.58.19.208
ISP's SIP server: 209.197.191.40
My VoIP adapter: 192.168.1.102
I set up the following NAT rule:
If Proto Ext. port range NAT IP Int. port range Description
OPT1 TCP/UDP 20000 - 20011 192.168.1.102
It has the following firewall rule:
Proto Source Port Destination Port Gateway Schedule Description
TCP/UDP * * 192.168.1.102 20000 - 20011
tcpdump -i fxp1 net 209.197.191.40/32 (this is my outside interface)
12:29:25.151991 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
12:29:25.163855 IP 216.58.19.208.5656 > 209.197.191.40.12992: UDP, length 172
12:29:25.174259 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
12:29:25.184090 IP 216.58.19.208.5656 > 209.197.191.40.12992: UDP, length 172
12:29:25.192346 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
12:29:25.203235 IP 216.58.19.208.5656 > 209.197.191.40.12992: UDP, length 172
12:29:25.209521 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
12:29:25.223461 IP 216.58.19.208.5656 > 209.197.191.40.12992: UDP, length 172
12:29:25.233807 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
12:29:25.243673 IP 216.58.19.208.5656 > 209.197.191.40.12992: UDP, length 172
12:29:25.249459 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
- You can see 2-way traffic here.
tcpdump -i em0 net 192.168.1.102/32 (inside interface)
12:29:25.143454 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
12:29:25.163814 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
12:29:25.184049 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
12:29:25.203167 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
12:29:25.223394 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
12:29:25.243630 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
12:29:25.263864 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
12:29:25.282975 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
12:29:25.303209 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
12:29:25.323445 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
- Here you only see one-way traffic.
The result of this is that I can talk to people over VoIP but I cannot hear them. Very annoying. Any ideas how I can get this inbound traffic onto my network?
-
As a workaround I have a 1:1 NAT set up for my external IP to the SIP box IP.
I say this is a workaround because I don't need all ports open on the SIP box, and it's a dynamic IP address, so if my IP changes, my VoIP will stop working until I change this setting.
-
Could it be that your provider also expects that outbound connections originate from 20000-20011 as well?
Have you tried to enable static ports for your VoIP device?
http://doc.pfsense.org/index.php/Static_Port
-
Give us screenshots of your NAT and rules, please.
There is no traffic coming from OPT1 to LAN; that is why you cannot hear them.
-
Sounds like static ports will resolve this. The problem was that the ports were getting rewritten; 1:1 NAT resolved this.
If static ports didn't require enabling advanced outbound NAT, I'd do it. It's too bad I can't have both automatic NAT and advanced NAT at the same time.
UPDATE:
I've removed the 1:1 NAT and set up static port. RTP works perfectly. The problem of course was that the port number was being changed in the NAT process and my VoIP provider didn't like this.
Advanced outbound NAT is incredibly simple. If I knew how easy it was to set up, I would have done this on day 1.
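-
The source-port rewrite identified in this thread can be read directly off the two captures by comparing the adapter's source port on the LAN side with the source port the provider sees on the WAN side. The script below is an added example, not part of any post in the thread; the function names `flows` and `diagnose` are hypothetical, and the sample lines are copied from the captures posted above.

```python
import re
from collections import Counter

# tcpdump one-line UDP format, as it appears in the thread's captures
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): UDP")

# A few lines copied from the captures posted in the thread
WAN_CAPTURE = """\
12:29:25.151991 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
12:29:25.163855 IP 216.58.19.208.5656 > 209.197.191.40.12992: UDP, length 172
12:29:25.174259 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
12:29:25.184090 IP 216.58.19.208.5656 > 209.197.191.40.12992: UDP, length 172
"""
LAN_CAPTURE = """\
12:29:25.143454 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
12:29:25.163814 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
12:29:25.184049 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
"""

def flows(capture):
    """Count packets per (src_ip, src_port, dst_ip, dst_port)."""
    counts = Counter()
    for src, sport, dst, dport in LINE.findall(capture):
        counts[(src, int(sport), dst, int(dport))] += 1
    return counts

def diagnose(wan_capture, lan_capture, wan_ip, lan_host, peer):
    """Compare the WAN-side and LAN-side view of one RTP stream."""
    wan, lan = flows(wan_capture), flows(lan_capture)
    # Source ports the adapter uses vs. source ports the peer actually sees
    lan_src = {sp for s, sp, d, _ in lan if s == lan_host and d == peer}
    wan_src = {sp for s, sp, d, _ in wan if s == wan_ip and d == peer}
    return {
        "lan_src_ports": sorted(lan_src),
        "wan_src_ports": sorted(wan_src),
        # True when outbound NAT replaced the adapter's source port
        "rewritten": bool(lan_src and wan_src) and lan_src != wan_src,
        # Ports the peer targets on the WAN address
        "peer_dst_ports": sorted({dp for s, _, d, dp in wan if s == peer and d == wan_ip}),
        # Did any of the peer's packets reach the adapter on the LAN side?
        "inbound_delivered": any(s == peer and d == lan_host for s, _, d, _ in lan),
    }

if __name__ == "__main__":
    report = diagnose(WAN_CAPTURE, LAN_CAPTURE,
                      "216.58.19.208", "192.168.1.102", "209.197.191.40")
    for key, value in report.items():
        print(f"{key}: {value}")
```

With static port enabled, as the final post reports, a fresh pair of captures should show the same source port on both sides and `rewritten` as False.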