Netgate Discussion Forum

PFSense RTSP UDP not working with Static Port Force Rewrite

  • O
    overpf
    last edited by overpf May 29, 2018, 2:59 PM May 29, 2018, 2:56 PM

    Hi,

    I have an RTSP server at LAN 10.0.10.20 (port 554). I could connect with TCP fine from WAN using port 20554 (NAT), but when using UDP, the client does not get a video stream back. I have set static port to force pfsense not to rewrite the source port, as described here.

    http://www.selectedintelligence.com/post/46429611973/pfsense-rtsp-and-rtp

    When I looked at the firewall states, the TCP connection is established fine but the outgoing UDP is not. When I do a packet capture, it seems the outgoing port to the client is not correct.

    • O
      overpf
      last edited by May 31, 2018, 11:44 AM

      I found a similar issue, so it looks like pfsense can't handle it?

      https://news.ycombinator.com/item?id=13617009

      • S
        stephenw10 Netgate Administrator
        last edited by stephenw10 May 31, 2018, 12:14 PM May 31, 2018, 12:13 PM

        You have set static ports on all traffic from your LAN, which is not what you want to do. There's a high chance of some conflicts. You should set outbound NAT to hybrid mode and just add one additional rule to static NAT just traffic from the required source, and maybe just UDP since TCP seems to be working fine.

        The states there seem to show the UDP traffic is not being NAT'd at all for some reason.
        Which interface was that packet capture run on?

        Steve

        • O
          overpf
          last edited by overpf May 31, 2018, 5:17 PM May 31, 2018, 12:59 PM

          Thanks Steve, I should be capturing on LAN.

          Actually I did want to disable source port rewrite for all, as my subnets are all for RTSP server machines only. I will give the specific IP a try.

          • O
            overpf
            last edited by May 31, 2018, 5:14 PM

            Ok, I changed to the single server IP.

            Captured the packets on WAN again and I noticed something really strange.

            The yellow is WAN (at DC), green is my home IP (client connecting) so the TCP packets are sent back to me correctly. The (blue) UDP packets are returning to a wrong IP, and that IP is my office static IP!!

            This does not make any sense. I previously set up this pfsense in my office and used it as a WAN to test, and a week ago I moved it to a DC. There is no hardcoding in pfsense (I checked) that has my office IP.

            The only place I used to set my office IP is when creating VPN certs in another PFSense instance (for management). I used a dynamic DNS hostname for that to test, and I have already switched the dynamic DNS IP to the DC IP; this was more than a week ago.

            So why is pfsense still remembering my office IP somewhere? I have rebooted multiple times already. I have downloaded the backup config to check, and the only place with my office IP is in the firewall entries updated by username admin@MYOFFICEIP while I was in the office setting it up.

            • O
              overpf
              last edited by overpf Jun 9, 2018, 8:26 AM Jun 9, 2018, 8:26 AM

              I worked with another experienced pfsense admin, and confirmed it's a bug.

              When I switch to old 2.3, it works fine.

              https://forum.netgate.com/topic/131765/nat-problem-with-rtcp-server

              • S
                stephenw10 Netgate Administrator
                last edited by Jun 11, 2018, 3:06 PM

                It seems very likely that your client is sending the office external IP as the destination for the stream.

                I cannot imagine any other reason it would open a connection to that otherwise.

                Steve

                • O
                  overpf
                  last edited by Jun 12, 2018, 1:16 AM

                  No idea about that, I did a reset and setup everything again, found the above bug, and using the old version now fine.

                  • S
                    stephenw10 Netgate Administrator
                    last edited by Jun 12, 2018, 2:15 PM

                    That bug seems to be unrelated, at least to the packet capture above. It's not failing to NAT traffic there, just opening a stream to the wrong location. The only place it could have got that from (unless it's hard coded into the server) is from the client.

                    Steve
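
The explanation in the reply above can be checked from a capture: with RTSP over UDP, the client's SETUP request carries a `Transport` header whose `client_port` and optional `destination` parameters tell the server where to send RTP. The following is an added example, not code from the thread or from pfSense; the sample requests and all addresses are constructed (only port 20554 comes from the thread), and `parse_transport` and `rtp_target` are hypothetical helper names.

```python
# Added example: read where an RTSP SETUP request asks the server to send RTP.
HOME_IP = "198.51.100.7"     # constructed: source address the SETUP arrived from
OFFICE_IP = "203.0.113.50"   # constructed: stale address configured in the client

# Constructed sample requests (192.0.2.1 stands in for the WAN address).
SETUP_OK = ("SETUP rtsp://192.0.2.1:20554/stream/track1 RTSP/1.0\r\n"
            "CSeq: 3\r\n"
            "Transport: RTP/AVP;unicast;client_port=50000-50001\r\n\r\n")
SETUP_STALE = SETUP_OK.replace("unicast;", f"unicast;destination={OFFICE_IP};")
SETUP_TCP = SETUP_OK.replace("RTP/AVP;unicast;client_port=50000-50001",
                             "RTP/AVP/TCP;unicast;interleaved=0-1")

def parse_transport(request: str) -> dict:
    """Return profile and parameters of the first Transport spec, or {}."""
    head = request.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:              # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "transport":
            # Alternative specs are comma separated; only the first is examined.
            fields = [f.strip() for f in value.split(",")[0].split(";")]
            params = {"profile": fields[0].upper()}
            for field in fields[1:]:
                key, _, val = field.partition("=")
                params[key.lower()] = val
            return params
    return {}

def rtp_target(request: str, observed_src_ip: str) -> dict:
    """Compare the requested media target with the packet's source address."""
    p = parse_transport(request)
    if not p:
        return {"mode": "no-transport"}
    if p["profile"].endswith("/TCP") or "interleaved" in p:
        return {"mode": "tcp-interleaved"}         # media rides the RTSP TCP session
    dest = p.get("destination") or observed_src_ip
    return {"mode": "udp", "send_to": dest,
            "client_port": p.get("client_port", ""),
            "mismatch": dest != observed_src_ip}

if __name__ == "__main__":
    for label, req in (("ok", SETUP_OK), ("stale", SETUP_STALE), ("tcp", SETUP_TCP)):
        print(label, rtp_target(req, HOME_IP))
```

A `mismatch` of `True` on a request captured at the server side means the stream target was supplied by the client rather than produced by NAT on the firewall.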
