NAT Port Forwarding to Internal host UDP port 5060 not working as expected

inflamer

Gofast,

have you verified that the response is coming back to the same port as the original request was sent out from?

If the involved SIP UA's do not support the 'rport' SIP extension then the responses would be sent back to the port specified in the topmost via header, which would normally not be the same port as the NAT'ed port the original request was sent out with.

• Andreas

gofast

The source and dest port were 5060 from the asterisk box for the packet on the LAN being sent to the internet(WAN).
The source port got changed via the outgoing NAT to the WAN. The return packet from the internet had source and dest ports of 5060. The port forward should forward this regardless because it met the rule - destination port 5060 on wan forward to an ip on the LAN. I firewall added rules to allow all on all interfaces and it doesn't help. It appears to just get dropped for an unknown reason (unknown to me). Why does the port forward get ignored? What came before shouldn't matter as UDP is stateless. Am I missing something?

inflamer

Gofast,

can you post screenshots of the NAT PFW rule and the associated firewall rule?

gofast

I can post tomorrow as I don't have access right now. The 2.01 seem to have a bug that changing the fwd rule from tcp to udp didn't update the auto created filter to udp (and you couldn't edit it). This didn't seem to occur in 2.1. Ether way with the rules+filter created correctly I couldn't make it work.

It was created with the following settings
protocol udp
destination port 5060 - 5060
target ip - lan ip of voip box i.e. 10.x.x.x
target port 5060
everything else was default i.e. Interface - wan, destination - wan address, create associated rule, no source options selected.

Diagnostics / packet capture showed packets sending & receiving on wan but only packets destined for internet on lan. tcpdump on voip box also confirmed this. The wan is a pppoe to modem in bridge mode.

I also tried manual outgoing nat, adding rues to allow everything on all interfaces, advanced options - Bypass firewall rules for traffic, Disable the PF scrubbing option,  Reflection on/off

gofast

I can't get port forwards on UDP port 5060. I can get a mail server, pptp server, terminal server, web server all working (TCP and TCP + GRE for PPTP), but not VOIP on UDP.
Here are the packet captures from the interfaces.

10.X.X.X is my VOIP box address on the LAN
122.X.X.X is the WAN address
213.X.X.X is the VOIP providers address

Packet captures on the voip box on the LAN - I can only see packets being sent to the VOIP provider…
20:00:37.425557 IP 10.X.X.X.5060 > 213.X.X.X.5060: SIP, length: 648
20:00:38.425626 IP 10.X.X.X.5060 > 213.X.X.X.5060: SIP, length: 648
20:00:40.425756 IP 10.X.X.X.5060 > 213.X.X.X.5060: SIP, length: 648
20:00:44.426029 IP 10.X.X.X.5060 > 213.X.X.X.5060: SIP, length: 648

packet captures on the pfsense on the WAN if - I can see packets being sent to the VOIP provider...and responses back.
20:22:14.587253 IP 122.X.X.X.56607 > 213.X.X.X.5060: UDP, length 514
20:22:14.634733 IP 213.X.X.X.5060 > 122.X.X.X.5060: UDP, length 455
20:22:14.816183 IP 122.X.X.X.56607 > 213.X.X.X.5060: UDP, length 514
20:22:14.863381 IP 213.X.X.X.5060 > 122.X.X.X.5060: UDP, length 455

packet captures on the pfsense on the LAN again only show packets being sent to the VOIP provider.
20:24:21.581862 IP 10.X.X.X.5060 > 213.X.X.X.5060: UDP, length 514
20:24:21.808852 IP 10.X.X.X.5060 > 213.X.X.X.5060: UDP, length 514
20:24:24.543081 IP 10.X.X.X.5060 > 213.X.X.X.5060: UDP, length 648
20:24:28.543369 IP 10.X.X.X.5060 > 213.X.X.X.5060: UDP, length 648

I've attached a screenshots of the NAT rule. I've used the auto created firewall rule. I've tried the latest build, allowing everything from anywhere to anywhere of any type on everything, manual nat with static port, nothing helps. Nothing in the logs either. The responses appear to be just dropped for no apparent reason. Anyone have any idea what I should try next? Oh and it works on my Cisco 877.

inflamer

gofast, perhaps you could try changing the NAT rule to have a 'Dest.addr' of 'WAN address' instead of the manually input 122.x.x.x IP address?

If you have a static WAN IP it shouldn't make any difference I guess, but if your WAN is using DHCP, it would be safer to have 'Dest.addr' set to 'WAN address' since that alias would always be your current WAN IP address.

gofast

Hi,

It is a static ip address so yes it shouldn't make any difference. The wan connection is pppoe to a modem in bridge mode. Anyway you can see from the packet capture that the packets are arriving back with the correct address. All other tcp connections nat just fine. How do I log a bug for this? I'm thinking of setting up a virtual environment to replicate the problem for the developers. What vitalisation technology should I use for this? Virtual box? I suspect this is the same issue I get with pptp connections sometimes not working. Perhaps the same problem with udp packets is affecting gre packets? (also stateless packets). Also how can I access the full nat table (not just the summary)?
I've spent many hours on this and am sure it is a bug. I've reset to defaults, upgraded to latest release, etc. etc. etc. If the rule says nat the packet and it matches the rule and is not being filtered, Why isn't it working  ???

Regards,
Tony

launch3

Hey guys saw this is a recent thread and I am having the exact same issue. I tried upgrading to 2.1 but still having the issue. I've tried port forwarding, ive tried static outgoing nat, set the firewall to conservative, still no dice. I am having an issue with the FreeSWITCH pbx behind the firewall where incoming calls drop after exactly 32 seconds. Doing packet caps, I traced it to the firewall not forwarding SIP 'ACK' packets along to the pbx. I've attached the flow of 3 packet caps - one on the pfsense lan, one on wan, and one on the pbx. I have phones registered directly to the ip trunk carrier now as a workaround since my pbx is not fully functional due to this issue. In the packet caps the phones all ring for about a half second then the PBX auto-answers and routes to the IVR menu so the phones stop ringing after half a ring. You can see in the packet caps that the phones receive the incoming ACK packets fine, and note that the phones are using random ports, while the PBX is always using 5080. Maybe this has something to do with it?
Please note that the LAN capture and WAN capture were done for different calls, as I did not know how to do both at once with pfSense. The PBX capture was done at the same time as the pfSense WAN capture IIRC.

Edit: Removed the images as they are not really relevant to this thread. We somewhat solved our issue as you can see below, but I plan to do some more testing with the static nat options and such to see if my install exhibits the same behavior as the OP's.

launch3

Just to let everyone know, we resolved our issue. Here is a summary of what we are working with:
pfSense 2.1 box on a Verizon FIOS connection
FreeSWITCH PBX on internal LAN, using SIP registration. All endpoints (phones) are on the internal lan as well.

To fix this issue, we needed to modify the way our PBX behind the NAT formed its SIP packets. It was formatting the Contact field in the SIP headers with the external WAN IP and the PBX external port. When the UDP packets passed out from the pbx and through pfSense, pfSense was randomizing the source port. The voice carrier's systems seem to work in a way where if the IP in the contact field matches the source IP of the packet, it chooses to use that return IP along with the port shown in the contact field. Since the port was set as the PBX's external port, and pfSense was randomizing the port, the return traffic from the voice provider was addressed to that pbx port, not the pfsense port, and the traffic was dropped. When we modified the PBX configuration to use its local LAN ip in the contact field, the voice provider's systems chose to disregard the contact field, and would return the udp packets to the source port that pfSense set, and everything would work ok.

So I will try to document how this stuff works so anyone out there struggling with the same issue can understand how the symmetric NAT works with SIP and VOIP. Now there are two main elements to VOIP:
SIP Signalling (controls the flow of the call, can contain DTMF signalling and controls the beginning, ending, routing etc of the call)
RTP Voice Stream (voice and possibly video stream, also contains DTMF signalling in some cases - inband or oob)

The signalling is a separate channel from the rtp data. The rtp data is always UDP. The SIP signalling can be either UDP OR TCP, depending on how your solution is configured.

RFC 4961, section 4 states:

There are two specific instances where symmetric RTP and symmetric
  RTCP are REQUIRED:

The first instance is NATs that lack integrated Application Layer
  Gateway (ALG) functionality.  Such NATs require that endpoints use
  symmetric UDP ports to establish bidirectional traffic.  This
  requirement exists for all types of NATs described in Section 4 of
  [RFC4787].  ALGs are defined in Section 4.4 of [RFC3022].

Other UDP-based protocols can also benefit from common local transmit
  and receive ports.

There are no known cases where symmetric RTP or symmetric RTCP are
  harmful.

For these reasons, it is RECOMMENDED that symmetric RTP and symmetric
  RTCP always be used for bidirectional RTP media streams.

I have observed pfSense using the same port internally as it does externally for RTP streams. However, it does not use the same port as the remote server does.

As for SIP signalling over TCP and UDP, so far I have used purely UDP, although I plan to experiment with TCP. With non-rtp UDP traffic, I don't believe RFC says anything about ports needing to stay the same. In my experience, pfSense uses a random external port with non-rtp udp traffic. I believe this is normal functionality. According to a tech at our voice provider, with SIP signalling the ports on both ends SHOULD BE be the same for proper functionality. I am not sure whether the issue we had is common to all ip voip trunking providers, I would have to see if there is a spec saying anything about the contact field in the sip header. But it seems we worked around the issue of ports not being the same by setting an internal ip for the contact field so that the remote server uses the originating ip/port to return signalling traffic to. So from what I understand, it is good practice to keep the port that the PBX behind the firewall is using for signalling exactly the same on the outside of the firewall. I believe this is known as 'port preservation' in a NAT system.

Now for TCP SIP signalling, I have not had a chance to experiment, but I am assuming that the same functionality will be exhibited with a random port being used on the WAN interface.

Now I am going to attempt to figure out the best way to keep the ports symmetric in pfSense and I will post back. The outgoing static nat settings in pfSense may be the answer, but when I previously tested it, the ports seemed to still be asymmetric. But I now realize that I may need to clear the state table before the change will take effect, so I will try that next.

To work with a NAT device, a voip device on the LAN needs to either:
A. Set the SIP header contact field to its LOCAL LAN IP & PORT
B. Set the SIP header contact field to the EXTERNAL WAN IP & PORT

Now there is a big caveat with B - the VOIP device MUST KNOW ITS EXTERNAL PORT. With a symmetric nat, this becomes tricky as the external port will be randomized. In this case, it is best to set the contact field to the internal lan ip and port, because some voip providers will mistakenly try to use the info from the contact field if the external IP matches but the port is not correct because of symmetric nat. In my case, I had the voip device set to use auto-nat. Some devices also use STUN servers to discover their external ip. It seems that these methods discovered the external IP, but did NOT discover the external port properly or at all (it was still using the internal port in the contact field). Even if the external server did discover the external port, the symmetric nat would use a different random port for two different connections so it may not work properly.

Seems like the moral of the story is that VOIP is pretty tricky sometimes.
Anyone else that has info, please chime in. I am not an expert, still learning this stuff.

inflamer

@launch3:

…

Now this is all fine and dandy, but in the case of pfSense, some clearing of the air is needed. I read somewhere (unsure of the accuracy of this statement), that pfSense did NOT contain any ALG functionality. However, according to a tech at the voice provider, with SIP the ports on both ends MUST be the same.

...

This leads me to believe that pfSense does indeed have ALG functionality.

I'd like to add a few comments here. What you are describing here, where pfSense randomizes the source port on outbound traffic, is not ALG functionality. ALG, in this case SIP ALG, means manipulating the SIP payload. That would for example mean manipulating the IP address and/port number in the contact header, or manipulating IP addresses and/or port numbers within the SDP of a SIP INVITE request.

You describe that your SIP provider will send return traffic to the port specified in the contact header if the IP address in the contact header matches the IP address for which the SIP request was received from. This is, as far as my knowledge goes, not a behavior which is specified in RFC3261 or other SIP standards, but rather a "proprietary" behavior.

From what you describe about how you managed to get this working, it may seem as your SIP provider supports rport (http://www.ietf.org/rfc/rfc3581.txt).

I believe that if you use manual outbound NAT in pfSense, so that pfSense does not randomize the outgoing source port, but rather uses a port specified by you (Normally 5060), that this would also work since the response from your SIP provider would then come back to a port which you have pre-defined.

Also, when you are quoting RFC 4961, that applies to RTP and RTCP, which is the actual audio/video media packets, which is not related to SIP signaling itself, which was the issue here.

Just my $0.02.

• Andreas

launch3

@inflamer:

@launch3:

…

Now this is all fine and dandy, but in the case of pfSense, some clearing of the air is needed. I read somewhere (unsure of the accuracy of this statement), that pfSense did NOT contain any ALG functionality. However, according to a tech at the voice provider, with SIP the ports on both ends MUST be the same.

...

This leads me to believe that pfSense does indeed have ALG functionality.

I'd like to add a few comments here. What you are describing here, where pfSense randomizes the source port on outbound traffic, is not ALG functionality. ALG, in this case SIP ALG, means manipulating the SIP payload. That would for example mean manipulating the IP address and/port number in the contact header, or manipulating IP addresses and/or port numbers within the SDP of a SIP INVITE request.

You describe that your SIP provider will send return traffic to the port specified in the contact header if the IP address in the contact header matches the IP address for which the SIP request was received from. This is, as far as my knowledge goes, not a behavior which is specified in RFC3261 or other SIP standards, but rather a "proprietary" behavior.

From what you describe about how you managed to get this working, it may seem as your SIP provider supports rport (http://www.ietf.org/rfc/rfc3581.txt).

I believe that if you use manual outbound NAT in pfSense, so that pfSense does not randomize the outgoing source port, but rather uses a port specified by you (Normally 5060), that this would also work since the response from your SIP provider would then come back to a port which you have pre-defined.

Also, when you are quoting RFC 4961, that applies to RTP and RTCP, which is the actual audio/video media packets, which is not related to SIP signaling itself, which was the issue here.

Just my $0.02.

• Andreas

Andreas, thanks for your input. Regarding the misinterpretation of the RFC, I realized my mistake and was in the middle of editing my post when you posted. Please see my revised post. As for the manual outbound NAT, my testing did not work, BUT i feel that may be because the state table needed to be cleared after that change. It seemed that the port that was set in the state table was still being used the whole time. I also checked out the spec for RPORT that you linked - there is no RPORT appearing in the sip headers that I captured.

Here someone basically sums up what I have experienced:
http://qutecom.org/ticket/27

It's easy: some providers (as Ekiga) don't allow private address in Contact, this means that the provider doesn't help when the client is behind NAT. This meants that the provider doesn't fix the signalling (by using received public address instead of private "Contact") but that the provider doesn't offer a RTP tunnel (proxy RTP).
In this case the only solution is in the client side which could be:
a) STUN support: If the client is behind a non symmetric NAT router and supports STUN, it can solve by itlsef the signalling and media (by setting public addresses in "Contact" and SDP (retrieved using STUN).
b) Manual port forwarding in the router and setting these values manually in the signalling and SDP sent by the client.

In my case, setting the contact field to the private address disqualified it in the providers system, whereas with a publically routable address, the provider attemped to route the return packets to it. It may not be 'if the ip in the contact field matches the source ip' as I stated earlier, and they may just be looking for a private or public ip in there, since IIRC there are certain ip ranges that are always reserved for private network addressing.

I am realizing more and more that this is not really pfSense specific, it's more of a snafu when dealing with SIP and symmetric NAT.

gofast

Hi All,

I'm definitely getting replies from my voip service provider (type udp, dest =  my wan ip:5060) they just aren't getting forwarded by my simple port forward rule (posted previously). I can't see a reason why the pfSense is dropping them. The packet trace (also posted previously) clearly shows the arriving packets on wan but nothing forwarded to lan. Can someone tell me what possible reasons a port forward wouldn't work? I've put firewall rules in place to allow everything on every interface. It looks to me like the forward rule is being ignored for some reason but the packet matches it.

Regards,
Tony

quiethorn

Having the same problem as the OP. Decided to try upgrading 1.2.3 to 2.0.1. Outbound calls through pfSense work fine, inbound fails with 5060 forwarded to FreePBX server. No point wasting any time. Went back to 1.2.3 as soon as I found this thread.

hm

Just to confirm that I was seeing a similar issue with 2.0.1 not forwarding UDP packets on port 5060 to  my pbx, but I was only having problem with outbound calls whereby far end can never hangup the call properly (call still connected on my pbx leg until it times out).  My provider correctly sends 200 OK for the call to the randomised port, but sends the BYE to port 5060, and pfsense just seems to ignore the latter, so pbx never saw the BYE.

If I were to go to diagnostic>states, and manually delete the firewall state entry  (UDP) for an ongoing call, I found that disconnecting the call from far-end then worked fine, so this seems like port forwarding doesn't work if the firewall already have an existing state/connection for the same internal host ip/port.

As pointed out by the OP, creating a static manual outbound rule to 5060 for just my PBX seems to workaround this problem.

.

3vian

I'm having the same issue, with 2.01 and 2.03. Would be great if this bug could be fixed in the next release.

kejianshi

I don't think that the way SIP port is handled in pfsense is considered a bug by the developers.  I think they consider it a security feature.
I could be wrong on that but I think they consider "static" port "Bad".  Perhaps a button click on the outbound NAT menu to enable "static" on any outbound port 5060, 5061 and 500 without actually having to set up Manual Outbound NAT would be a nice happy middle ground?

jimp

@kejianshi:

I don't think that the way SIP port is handled in pfsense is considered a bug by the developers.

It isn't.

@kejianshi:

I think they consider it a security feature.

Not really. More of a "breaks more than it helps" setup. Most phones these days do not need static 5060 on the way out to a remote PBX, only PBXs need that to trunks, and those can break in a lot more ways than just 5060, you really need manual outbound NAT to do static port for all UDP from the local PBX, or 1:1 NAT if you can.

@kejianshi:

I could be wrong on that but I think they consider "static" port "Bad".

It isn't bad, it just breaks more setups than it helps now. On 1.2.3 it was the other way because the majority needed it back then.

@kejianshi:

Perhaps a button click on the outbound NAT menu to enable "static" on any outbound port 5060, 5061 and 500 without actually having to set up Manual Outbound NAT would be a nice happy middle ground?

A better compromise is on my todo list for 2.2: http://redmine.pfsense.org/issues/2416

kejianshi

That is really nice, and it sounds like it was exactly what he was wanting.

reh1151

Most weird. I'm using pfSense 2.03 since I'm in a production environment and 2.1 is a RC0 version. For me, the port forwarding for SIP & RTP inbound through my VoIP interface has always worked perfectly. The VoIP interface is configured with my public IP & Gateway to my SIP provider. My issue is the exact opposite: no one can make outbound calls. Launch3's posts may hold the key to what's wrong here. Using his two scenarios, my setup would be the one he refers to as "B".

kejianshi

Hmmmm…

For me, This is the way I see it.

For all devices inside the LAN that the Asterisk server is on, they don't need to know anything at all about the state of the connection further than the Asterisk server they are connected to.  So, they get DNS inside the LAN and they get the LAN (private) IP of the Asterisk server and nothing more.

The Asterisk server needs to know its Behind NAT and it needs to know its private IP as well as its public IP. 
Totally different than what the SIP phones need to know.

So, on my Asterisk server here at home,  it gets:

NAT - YES  (This one is behind NAT with a dynamic IP)
Dynamic Host - mydynamicdns.domain.com    (If you have purchased a static IP put it here)
Local Networks:
192.168.32.0  / 255.255.255.0      (network the asterisk server is on)
10.159.29.0 / 255.255.255.0
10.159.30.0 / 255.255.255.0
10.159.31.0 / 255.255.255.0        Long list of other local subnets behind my pfsense
10.159.32.0 / 255.255.255.0        Including any VPN subnets I want phones to work from
10.159.33.0 / 255.255.255.0
10.159.34.0 / 255.255.255.0

No re-invite
No Jitter Buffers

The only thing I tell the SIP devices is the private IP address of the LAN side of the SIP server, username and password and that includes clients connecting in through VPNs.

Works for incoming and outgoing calls.  Has for years.

P.S.  Since RTP will always get broken when two layers of NAT are involved anyway, the only port I forward is 5060.  Thats all.
I don't bother forwarding 10000 RTP ports hoping that a sip device outside my network will somehow magically work through NAT. 
The Reason this works at all is because my SIP server is REGISTERED to a NON-NATed Trunk.
That doesn't work in reverse.  If a SIP phone outside my network registers to my server without using VPN audio will be broken.
(I can't wait for IPV6!  Can't get here soon enough for me so we can stop worrying all this NAT crap.)

I wonder how many "network professionals" internet that just works will un-employ?