Netgate Discussion Forum
    Automatic "outbound" nat from LAN to OPT interfaces?

Numbski

      I've got some oddball behavior going on Beta1, and granted, it is a hack, but I'm just trying to understand how it's happened.

      I have OPT2, which is a manually created OpenVPN tunnel.  I hacked get_interface_list() to allow tun interfaces, and made tun0 OPT2.

      This has worked well for over a month.  Yesterday I deployed a little SIP-based phone device to connect to my asterisk server on the opposite end of the tunnel.  So you can see what's up:

      
      [phone]192.168.0.111 |-----------|192.168.0.100[pfSense]10.0.1.3|---------<openvpn>---------|10.0.1.2[WRT54G]172.16.30.1-----------172.16.30.2[asterisk]
      

      (For some reason the above refuses to render correctly.  Asterisk is at 172.16.30.2.)  Asterisk requires that you define whether sip is coming across a nat or not.  If it is, and it's "dynamic" (dhcp), you have to let asterisk know.  So I set it up the way I thought was correct, and in fact worked prior to going to pfSense (freebsd firewall with openvpn), which was this:

      host=dynamic
      nat=no

      When I do this, the registration either gets rejected over and over again, or if I force it to be allowed, and I do "sip show peers", it shows that the phone is registered, and can be reached at 10.0.1.3.  Well, that's not right.  So I tried this:

      host=192.168.0.111
      nat=no

      Again, registration works, but when a call is placed, audio only goes one way, ie, I can hear him, but he can't hear me, and vice versa.

      Just for grins, I tried this:

      host=dynamic
      nat=yes

      Registration works, kinda.  Not consistently.  When it does, despite registration I cannot place calls, as it is trying to send the traffic to 10.0.1.3.  Simply doesn't work.

      So I'm wondering, is traffic nat'ed by default?  I'm looking at the SIP traffic headers and they clearly show that the traffic comes from 10.0.1.3, so Asterisk isn't nuts, and I know the phone isn't the problem, as it has been used in several environments, and so far as it is concerned, traffic is routed.  SIP is awful across a NAT, thus the OpenVPN.

      So is there a way to disable this behavior, is it intentional, and did my hack of an OPT interface cause it?

      Numbski

        Erm…this is what I get for speaking up before looking at the "source".  Straight from rules.debug:

        nat on tun0 from 192.168.0.0/24 to any -> (tun0)

        So what causes this?

        hoba

          At Firewall > NAT, Outbound tab, enable advanced outbound NAT and check the rules that are generated at the bottom of the page. Make sure only the NAT mappings you need are listed (it will generate one for your LAN by default) and delete unneeded ones or add what you need. Btw, why are you still running Beta1? Move on to Beta2 ;-)

          Numbski
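As an added example (not code from this thread or from pfSense itself), the following Python reproduces the check hoba describes against the NAT section of rules.debug: it parses the automatically generated `nat on ... -> (iface)` lines, flags mappings on anything that is not a real WAN, and models what source address the far end of the tunnel sees before and after the tun0 mapping is removed. The interface name `em0`, its address `203.0.113.5` and the sample rules text are constructed assumptions; the tun0 line is the one quoted above.

```python
"""Audit pfSense-generated outbound NAT rules and model the source
address a peer across an OPT/tunnel interface will see.
Added example; not code from the thread or from pfSense."""
import ipaddress
import re

# Shape of the rule pfSense's automatic outbound NAT writes into rules.debug:
#   nat on tun0 from 192.168.0.0/24 to any -> (tun0)
# In pf, "(tun0)" means "whatever address tun0 currently has".
NAT_RULE = re.compile(
    r"^nat on (?P<iface>\S+) from (?P<src>\S+) to (?P<dst>\S+) -> \((?P<natif>[^)]+)\)"
)

# Constructed sample NAT section. The tun0 line is the one quoted in the
# thread; "em0" as the real WAN is an assumption for the example.
SAMPLE_RULES = """\
# Outbound NAT rules
nat on em0 from 192.168.0.0/24 to any -> (em0)
nat on tun0 from 192.168.0.0/24 to any -> (tun0)
"""

# Assumed interface addresses, following the topology in the first post
# (the WAN address is a constructed documentation-range value).
IFACE_ADDRS = {"em0": "203.0.113.5", "tun0": "10.0.1.3"}


def parse_nat_rules(text):
    """Return the nat rules in text as dicts with iface/src/dst/natif.
    Lines that do not match the simple generated shape are ignored."""
    rules = []
    for line in text.splitlines():
        m = NAT_RULE.match(line.strip())
        if m:
            rules.append(m.groupdict())
    return rules


def _matches(spec, ip):
    """pf address spec against one IP: 'any' or a host/network."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def unwanted_nat(text, wan_ifaces):
    """NAT mappings on interfaces that are not a real WAN: these are the
    lines to delete once advanced outbound NAT is enabled."""
    return [r for r in parse_nat_rules(text) if r["iface"] not in wan_ifaces]


def source_seen_by_peer(text, out_iface, src_ip, dst_ip, addrs=IFACE_ADDRS):
    """Source address the far end sees for src_ip -> dst_ip leaving
    out_iface. pf translation rules are first-match, so stop at the first
    nat rule that applies; with none, the packet is plainly routed."""
    for r in parse_nat_rules(text):
        if r["iface"] != out_iface:
            continue
        if _matches(r["src"], src_ip) and _matches(r["dst"], dst_ip):
            return addrs[r["natif"]]
    return src_ip


def without_nat_on(text, iface):
    """Model the ruleset after deleting the mapping for iface in the GUI."""
    keep = []
    for line in text.splitlines():
        m = NAT_RULE.match(line.strip())
        if m and m["iface"] == iface:
            continue
        keep.append(line)
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    for r in unwanted_nat(SAMPLE_RULES, {"em0"}):
        print("unexpected NAT on", r["iface"], "for", r["src"])
    print("before:", source_seen_by_peer(SAMPLE_RULES, "tun0", "192.168.0.111", "172.16.30.2"))
    fixed = without_nat_on(SAMPLE_RULES, "tun0")
    print("after: ", source_seen_by_peer(fixed, "tun0", "192.168.0.111", "172.16.30.2"))
```

With the tun0 mapping present, a SIP packet from the phone at 192.168.0.111 to Asterisk at 172.16.30.2 leaves the tunnel with source 10.0.1.3, which is exactly what the first post saw in the SIP headers; with it removed, the phone's real address is preserved. Two caveats: the regex only covers the plain generated form (pfSense can also emit `port` or `static-port` options, which this example does not parse), and once NAT is removed the Asterisk side must have a route back to 192.168.0.0/24 through the tunnel or replies will not return.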

            Can't.  I'm doing the utmost evil and running a beta release at a production site 3 hours away.  I can't upgrade until I go down there, not because it won't work, but because I sleep better at night knowing that I'd be there "just in case".

            Don't worry, I'm going down on Friday.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.