Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Outbound rule not working?

    Scheduled Pinned Locked Moved NAT
    12 Posts 4 Posters 1.5k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • E Offline
      exico
      last edited by exico

      Yeah, its very old.
      I forgot to tell that i tried both manual and hybrid.
      Anyway now its in hybrid as i have another similar configuration in another location and works.

      By the way my 3cx server have 192.168.7.2 as ip

      3cxfail3.jpg

      EDIT: i tried also to change the server IP (and any rule related to it) . Got the same result..

      1 Reply Last reply Reply Quote 0
      • DerelictD Offline
        Derelict LAYER 8 Netgate
        last edited by

        I would verify that those connections are actually being made from 192.168.7.2 and that connections are not actually going out 4GTIM instead. That static port rule looks correct.

        Packet captures are your friend when debugging voip.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        1 Reply Last reply Reply Quote 0
        • E Offline
          exico
          last edited by exico

          Ok, i did some digging using the packet capture in pfsense. Bear with me, i never used it.

          First i did some testing with only one interface enabled (VDSLTIM) and disabled 4GTIM just to be sure that there is just one way out and surprise. Did not change anything.

          I used the packet capture while starting the test in 3CX and i do not understand it fully:
          From VDSLTIM Interface:

          15:31:50.086973 IP (tos 0x0, ttl 128, id 17106, offset 0, flags [none], proto UDP (17), length 56)
    192.168.11.2.5090 > 151.80.125.93.3478: [udp sum ok] UDP, length 28
15:31:50.115801 IP (tos 0x0, ttl 50, id 16544, offset 0, flags [DF], proto UDP (17), length 116)
    151.80.125.93.3478 > 192.168.11.2.5090: [udp sum ok] UDP, length 88

          From VLAN INTERFACE:

          15:33:45.450024 IP (tos 0x0, ttl 128, id 17827, offset 0, flags [none], proto UDP (17), length 56)
    192.168.7.2.5090 > 151.80.125.93.3478: [udp sum ok] UDP, length 28
15:33:45.478829 IP (tos 0x0, ttl 49, id 30856, offset 0, flags [DF], proto UDP (17), length 116)
    151.80.125.93.3478 > 192.168.7.2.5090: [udp sum ok] UDP, length 88

          Lets take this part as example, the corrisponding part in 3cx test is this one:
          2019_05_11_15_32_32_3CX_Phone_System_Management_Console.jpg

          For context:
          The network for this part is as follows: 192.168.7.x (voip vlan and 192.168.7.2 is the voip server) -> 192.168.7.1 (pfsense gateway for the vlan) -> 192.168.11.2 (pfsense client) -> 192.168.11.1 (ISP router) -> Internet
          Its a double NAT (yeah its ugly, im looking into transforming it in a bridge) and on the ISP router pfsense is set in DMZ
          I believe that 151.80.125.93 is the 3CX test server

          From what i understand the port is mapped correctly but the tool reports that the mapping its wrong. Correct?
          I also cant find the port 64201 on the log captured

          EDIT: 3CX is not at version 15.5 and its available the v16. I will try to upgrade and see if its just a bug in the tool

          1 Reply Last reply Reply Quote 0
          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator
            last edited by

            @exico said in Outbound rule not working?:

            Its a double NAT

            Well does that nat in front of pfsense also do static ports? if its some soho router I doubt it.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • DerelictD Offline
              Derelict LAYER 8 Netgate
              last edited by Derelict

              Your VDSLTIM address looks to be RFC1918 (192.168.11.2) so something upstream must also be performing NAT. It will ALSO need to do the correct thing with the ports.

              You can plainly see that pfSense is not translating the port there as instructed.

              Connection comes from 3CX sourced from 192.168.7.2.5090
              Connection is address translated out VDSLTIM but the source port is static: 192.168.11.2.5090

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              • johnpozJ Offline
                johnpoz LAYER 8 Global Moderator
                last edited by

                Think you meant to say pfsense "is" doing it correctly since the source is 5090.

                His error is saying its 64201 which clearly points to another nat happening upstream of pfsense.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • DerelictD Offline
                  Derelict LAYER 8 Netgate
                  last edited by

                  Right - not translating the port as instructed

                  Yeah that's worded funny. "It is not translating the port. The port is static. pfSense is doing what it has been instructed to do."

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  1 Reply Last reply Reply Quote 0
                  • E Offline
                    exico
                    last edited by

                    Im not so knowledgeable in networking so maybe i worded it bad.
                    The traffic from internet goes this way:

                    Internet(public IP) ->router(192.168.11.1)->DMZ to 192.168.11.2(pfsense)->192.168.7.1(pfsense)->192.168.7.2(3CX)

                    If i setup a DMZ between pfsense and the stupid ISP router isnt it sufficient? It would redirect everything as it is to the DMZ

                    In my previous post seems that the port is translating correctly (5090) but in 3CX Firewall check i get a "mapping error" reporting that another port is mapped but i cannot find anything related to this port in the packet logs.

                    It bothers me because i have the same setup in another location with router, DMZ, pfsense and 3CX and everything works with no problems and the check tool doesnt report wrong mappings.

                    I will try to set the router in bridge mode (if its even possible) in the first occasion and report back

                    1 Reply Last reply Reply Quote 0
                    • DerelictD Offline
                      Derelict LAYER 8 Netgate
                      last edited by

                      Your upstream device is performing the source port translation. There is nothing pfSense can do to stop that.

                      Chattanooga, Tennessee, USA
                      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                      Do Not Chat For Help! NO_WAN_EGRESS(TM)

                      1 Reply Last reply Reply Quote 0
                      • E Offline
                        exico
                        last edited by

                        OK. The stupid modem/router wasnt translating correctly. In bridge it works flawlessy.
                        The only difference from this and my other location is the router. Here i have a tg789vac from Technicolor and branded TIM (the ISP); the other one is a Dlink DVA-5592, is not branded and the ISP is Wind. (Italian ISPs).
                        Guess that the dlink with only DMZ set up does also the static port and the Technicolor not. Good to know.

                        Thank you for your help. Much appreciated.

                        1 Reply Last reply Reply Quote 1
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.