Netgate Discussion Forum

    NAT Ports to VLANS

    • J
      Jamerson
      last edited by

      Hi guys.
      We need to NAT a group of ports on the WAN to specific VLANs.
      Is this possible on pfSense?

      Like we want to NAT port 5060 to VLAN 20 over the WAN.

      Thank you

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense

        https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • J
          Jamerson
          last edited by

          Thank you for your answer.
          I have forwarded the ports to the VLAN as described; however, when I check for open ports using this link http://www.yougetsignal.com/tools/open-ports/ it shows that the ports are still closed.
          Please see attached screenshots of the forwarded rules.

          • DerelictD
            Derelict LAYER 8 Netgate
            last edited by

            No screenshots.

            The list of things to check is here:

            https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

            • J
              Jamerson
              last edited by

              Please see screenshot, thank you.

              ![Port Forward.png](/public/imported_attachments/1/Port Forward.png)
              • DerelictD
                Derelict LAYER 8 Netgate
                last edited by

                Great, where is the screenshot of the port forward?

                You cannot just NAT WAN address:5060 to the LAN. You either need 1:1 NAT, which requires an outside IP address for every inside address, or port forward WAN address:5060 to a specific Inside Address:5060.

                • J
                  Jamerson
                  last edited by

                  @Derelict:

                  > Great, where is the screenshot of the port forward?
                  >
                  > You cannot just NAT WAN address:5060 to the LAN. You either need 1:1 NAT, which requires an outside IP address for every inside address, or port forward WAN address:5060 to a specific Inside Address:5060.

                  On the VLAN we have like 10 phones.
                  Does it mean I have to NAT each phone IP?
                  Please see the rules on the WAN side (screenshot is attached).

                  ![Screen Shot 2017-05-17 at 23.36.14.png](/public/imported_attachments/1/Screen Shot 2017-05-17 at 23.36.14.png)
                  • DerelictD
                    Derelict LAYER 8 Netgate
                    last edited by

                    With one outside IP address you can forward port 5060 inbound to exactly one place, not like 10.

                    Describe your VoIP environment completely? Where are the phones, where is the PBX, and where are the SIP trunks (if any).

                    Who is the provider and what is their port forward/NAT guidance?

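An added illustration of the point in the post above (not part of the thread and not pfSense code): a small Python check that flags port forwards where the same WAN address, protocol and port are claimed by more than one inside host. The addresses and the `Forward`, `overlap` and `find_conflicts` names are constructed for the example; the port numbers are the ones mentioned in this thread.

```python
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Forward:
    wan_ip: str    # outside (WAN) address the forward listens on
    proto: str     # "tcp" or "udp"
    ports: tuple   # inclusive (first, last) outside port range
    target: str    # the single inside address that receives the traffic


def overlap(a, b):
    """Return the inclusive port range shared by two ranges, or None."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def find_conflicts(rules):
    """Return (wan_ip, proto, shared_ports, targets) for every pair of
    forwards that send the same outside address/protocol/port to
    different inside hosts."""
    conflicts = []
    for r1, r2 in combinations(rules, 2):
        if (r1.wan_ip, r1.proto) != (r2.wan_ip, r2.proto):
            continue  # different outside address or protocol: no clash
        shared = overlap(r1.ports, r2.ports)
        if shared and r1.target != r2.target:
            conflicts.append((r1.wan_ip, r1.proto, shared,
                              (r1.target, r2.target)))
    return conflicts


# Constructed sample rule set (documentation and private addresses).
RULES = [
    Forward("203.0.113.10", "udp", (5060, 5060), "10.0.20.11"),
    Forward("203.0.113.10", "udp", (5060, 5060), "10.0.20.12"),    # clashes with rule 1
    Forward("203.0.113.10", "tcp", (5061, 5061), "10.0.20.11"),
    Forward("203.0.113.10", "udp", (10000, 15000), "10.0.20.11"),
    Forward("203.0.113.10", "udp", (12000, 12100), "10.0.20.12"),  # overlaps RTP range
    Forward("203.0.113.11", "udp", (5060, 5060), "10.0.20.12"),    # second outside IP: fine
]

if __name__ == "__main__":
    for wan_ip, proto, ports, targets in find_conflicts(RULES):
        print(f"{wan_ip} {proto}/{ports[0]}-{ports[1]} forwarded to both "
              f"{targets[0]} and {targets[1]}")
```

The last rule does not conflict because it uses a second outside address, which is the 1:1 NAT case described earlier in the thread.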
                    • J
                      Jamerson
                      last edited by

                      @Derelict:

                      > With one outside IP address you can forward port 5060 inbound to exactly one place, not like 10.
                      >
                      > Describe your VoIP environment completely? Where are the phones, where is the PBX, and where are the SIP trunks (if any).
                      >
                      > Who is the provider and what is their port forward/NAT guidance?

                      Thank you for your answer.
                      The PBX is hosted outside the office in a Google datacentre, which needs incoming ports.
                      According to the manual we need those ports to be open.

                      Remote provisioning of devices
                      Incoming:
                      443 TCP (default) or another external secure port (SIP-RTP page);
                      5060 UDP – 5061 TCP for SIP registration
                      RTP: from 10000 to 15000 (SIP-RTP page)

                      Outgoing has any-to-any rules applied.

                      Edit:
                      When we call out, stuff works fine; however, when people call us the quality is poor.
                      I've changed the outgoing NAT rules from Automatically to Manually; however, the issue still exists.

                      Can someone please advise?

                      • DerelictD
                        Derelict LAYER 8 Netgate
                        last edited by

                        If all calls are completing reliably to/from multiple phones and you have two-way audio it is probably not NAT.

                        > when people call us the quality is poor.

                        Usually voice quality in one direction is the issue and that is generally you speaking to them because your upload is asymmetric compared to your download.

                        You probably need to better-describe what you are seeing.

                        • J
                          Jamerson
                          last edited by

                          @Derelict:

                          > If all calls are completing reliably to/from multiple phones and you have two-way audio it is probably not NAT.
                          >
                          > > when people call us the quality is poor.
                          >
                          > Usually voice quality in one direction is the issue and that is generally you speaking to them because your upload is asymmetric compared to your download.
                          >
                          > You probably need to better-describe what you are seeing.

                          We managed to fix the issue.
                          When we use ISP 1 as default WAN, the problem with the voice comes back.
                          When we use ISP 2 as default WAN, the problem disappears and the phone quality is fine.

                          The phones are running on VLAN30 and the computers on VLAN1.

                          We are using load balancing with one Tier 1 and Packet Loss or High Latency. When I check whatismyip, sometimes I get the ISP 1 IP and other times I get the ISP 2 IP.
                          I want to use ISP 2 as default WAN and gateway, and ISP 1 only when ISP 2 is totally down.
                          Do I have to change the Trigger Level to Member Down?

                          Thank you

                          ![Screen Shot 2017-05-19 at 01.19.41.png](/public/imported_attachments/1/Screen Shot 2017-05-19 at 01.19.41.png)
                          • DerelictD
                            Derelict LAYER 8 Netgate
                            last edited by

                            I can imagine load balancing with VoIP would be unsatisfactory.

                            I would create a failover gateway group and policy route the VoIP traffic to that instead of the load balance group. Both can coexist and you can have different outbound connections use different gateway groups.
