• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Source port rewriting

Scheduled Pinned Locked Moved NAT
6 Posts 3 Posters 2.8k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • R
    RyujinJakka
    last edited by Sep 19, 2016, 10:11 AM

    I am trying to troubleshoot some issues I am having with SIP trunks connecting to a PABX behind a pfSense router. I am aware of the articles in the knowledge base regarding getting SIP traffic to work properly behind a pfSense firewall but that's not the issue I am facing here.

    I am trying to find out if the SIP session is ever being dropped in the NAT (or state) table on the pfSense router. The way I have tried to do this is by looking at what the new port number is (on the WAN side) after NAT. This port is a random port due to the source port rewriting that pfSense does in its default configuration.

    What I don't know is if the router (pfSense) has some kind of logic that would change that port on some kind of timer? I also can't seem to find the default timer for UDP sessions to be closed down?

    1 Reply Last reply Reply Quote 0
    • R
      RyujinJakka
      last edited by Sep 22, 2016, 11:47 AM

      I am not sure if this has been fully answered but it would seem that the source port won't change when the firewall optimisation is set to conservative.

      I am not sure if this is due to the UDP timeout being increased or if it changes other things too. Maybe someone could shed some light on this?

      1 Reply Last reply Reply Quote 0
      • K
        kpa
        last edited by Sep 23, 2016, 2:50 PM Sep 23, 2016, 2:43 PM

        Yes, as long as the state stays alive the source port reserved for the state on the external interface will stay fixed. As soon as the state goes stale the subsequent traffic that is part of the same "connection" will create a new state with a new random source port.

        Ideally the NAT engine would remember the expired states (or at least certain number of the most recent ones) and try to re-use the same source port if possible for traffic that matches an expired state exactly but this is not implemented in PF unfortunately.

        1 Reply Last reply Reply Quote 0
        • D
          Derelict LAYER 8 Netgate
          last edited by Sep 24, 2016, 5:43 AM

          In some circumstances it is possible to use a static source port in outbound NAT.

          https://doc.pfsense.org/index.php/Static_Port

          pfctl -st

          Firewall mode: Normal

          udp.first                    60s
          udp.single                  30s
          udp.multiple                60s

          Firewall mode: Conservative

          udp.first                  300s
          udp.single                  150s
          udp.multiple                900s

          Either way, there will need to be some sort of keepalive traffic generated either by the SIP provider or the PBX to keep the states open during idle periods.

          Chattanooga, Tennessee, USA
          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
          Do Not Chat For Help! NO_WAN_EGRESS(TM)

          1 Reply Last reply Reply Quote 0
          • R
            RyujinJakka
            last edited by Sep 24, 2016, 10:41 PM

            Thank you for the replies.

            I have been using the source port rewrite to prove if the SIP connection state has ever dropped. The issue we were having was originally masked by keeping the source port static and changing all the timers. I just needed to be sure that there was no logic that changed it periodically.

            As best practice I would think that creating a static port for SIP connections isn't a bad idea.

            1 Reply Last reply Reply Quote 0
            • D
              Derelict LAYER 8 Netgate
              last edited by Sep 24, 2016, 10:55 PM

              A static source port will not help keep a session for an expired state alive. If this is an inside PBX to an outside SIP trunk provider, this problem is generally handled by reregistering with the SIP provider every 45 seconds or so.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

              1 Reply Last reply Reply Quote 0
              6 out of 6
              • First post
                6/6
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                This community forum collects and processes your personal information.
                consent.not_received