NAT protocol; any way to set something other than in dropdown?
-
I really need to support SCTP through a NAT rule. I can build a firewall rule on this protocol, but I need the network translation support in order to port forward to an internal IP address. Is there any way to set the protocol to either override the dropdown (is there a commandline override?), or to allow any or all protocols on a particular port to be forwarded?
-
@macncheeseb said in NAT protocol; any way to set something other than in dropdown?:
SCTP
can you not just tunnel it over UDP port?
https://tools.ietf.org/html/rfc6951
UDP Encapsulation of Stream Control Transmission Protocol (SCTP) Packets for End-Host to End-Host Communication
-
@johnpoz Thanks for the response. I will look at that document to see if there is something I can use. My first thought is I have tried workarounds like this before, but run into issues with NAT'ing. If there is any hiding of addresses within other protocols, the NAT only goes one level deep. But I'll look.
-
@johnpoz So looking at that RFC and doing some searching shows that UDP encapsulation is not something that is native to most OSs, including Linux (which I am using). There are some third-party SW implementations that promise to do that for anybody needing it, but most are still immature or no longer supported from what I can see. So I don't think that is really a feasible solution. Is there no way to manually set the protocol number to filter on in pfSense?
-
@jimp would prob be the best guy to answer such a question. I really have almost zero experience with sctp.. To be honest, other than reading some info on it, I have never really seen it in production.
Let's see if jim notices his page and joins us.. I think it's a bit more complicated than just adding the protocol number to the dropdown list ;)
If the underlying stuff is there then sure, they could add that to the dropdown list.
-
You'd have to edit the source code to add the protocol, or set up 1:1 NAT so everything gets forwarded.
-
@jimp Thanks for the response. So no real way to support anything other than what is in the dropdown generically. I don't really like the 1:1 option, but I will explore that and see if it gets me what I need.
-
1:1 NAT always forwards all protocols. Perhaps you didn't allow it with firewall rules? 1:1 NAT doesn't add firewall rules automatically like port forwards do.
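As an added illustration (not from the thread or from pfSense's generated config), this is what the two halves of jimp's point look like in raw pf syntax, which is what pfSense drives underneath: the 1:1 mapping translates every IP protocol, and a separate pass rule is still required because the mapping itself admits no traffic. The interface name and addresses are assumptions.

```pf
# Added example, not taken from the thread. Interface and addresses are assumed:
# a spare WAN address is mapped 1:1 onto an internal SCTP server.
ext_if    = "em0"
public_ip = "203.0.113.10"    # spare WAN address used for the 1:1 mapping
sctp_host = "192.168.1.50"    # internal host running the SCTP service

# 1:1 NAT: bidirectional translation of every protocol, so SCTP (IP protocol
# 132) is covered even though it is absent from the port-forward dropdown.
binat on $ext_if from $sctp_host to any -> $public_ip

# The mapping alone passes nothing. Unlike a port forward, pfSense generates
# no firewall rule for 1:1 NAT, so an explicit pass rule is needed. Filtering
# happens after translation, so the destination is the internal address.
# Restrict it to SCTP rather than "any" so the 1:1 host is not exposed wholesale.
pass in quick on $ext_if inet proto sctp from any to $sctp_host
```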
-
@jimp That was it. Had to allow the traffic through the firewall. Thanks for the help, I think this will get me what I need for now.