NAT 1:1 Polycom VSX 7000


  • LAYER 8 Netgate

    If they are routed to you, sure.

    If they are on the WAN subnet, you'll have to go to other lengths like make a silly WAN bridge.

    I would do everything I outlined above and make sure what the problem actually is first.

    You could do all that and the issue isn't NAT at all.

    You really need to understand what your VoIP system requires in order to deploy it successfully instead of guessing.



  • I think the problem is with NAT.
    Already configured the WAN subnet direct in polycom, without going through my pfsense, worked successfully.

    Best regards,
    Wesley Santos


  • Netgate Administrator

    I would use an IPAlias rather than a ProxyARP VIP though it probably doesn't make any difference.

    By far the most likely cause is that the Polycom device is sending its internal IP in the contact packets for other devices to connect back to, which will obviously fail. When you use a public IP on it directly it sends that, so everything works.

    If that is the case you need to set the Polycom to send its external IP when it's behind NAT. Almost all VoIP devices have a setting for that. There's nothing we can do in pfSense to correct it.

    A packet capture would likely prove that to be the problem.

    Steve



  • Hi Steve, how are you?
    Thanks for your return.
    According to your suggestion of using IPAlias, I already set it up, but it was not successful, the same problem occurs when configured with ProxyARP.
    Regarding the configuration of sending NAT to Polycom, it is also already configured, but there were problems sending and receiving calls.
    My Polycom dials external, but with black video, it also receives an external call, but does not automatically connect as it should.

    Best regards,
    Wesley Santos


  • Netgate Administrator

    Ok well really you would need to get a packet capture of the SIP packets to check that it really is sending the external IP in the SIP connection to open replies to.
    There is probably something similar there for the other services but we may not be able to see it.

    Steve



  • Hi Steve,
    I performed a packet capture on WAN-ip, using filter on client remote address "140.242.250.200", my polycom is configured NAT for WAN-IP "189.20.108.XX", you can try to help me based on captured logs.


    Best regards,
    Wesley Santos


  • LAYER 8 Netgate

    You need to look into the SIP protocol and see what it's doing.


  • Netgate Administrator

    Yes, you would need to filter additionally by port 5060 and then download and check the actual SIP packets to see what is being sent. You probably don't want to post that publicly though.

    Steve



  • What would the tcpdump command syntax look like, just to filter everything to my wan-ip port 189.20.108.XX port 5060?


  • Netgate Administrator



  • @stephenw10

    Hi Steve, how are you?
    I monitored a connection made by my videoconferencing system, using "pftop" CLI my polycom connects with the target, but "NO_TRAFFIC: SINGLE" communication errors occur.

    PR        DIR SRC                                           DEST                                                   STATE                AGE       EXP     PKTS    BYTES
    rsvp      In  192.168.40.251:0                              140.242.250.200:0                              NO_TRAFFIC:SINGLE       00:15:15  00:00:19        0        0
    tcp       In  192.168.40.251:3233                           140.242.250.200:1720                          ESTABLISHED:ESTABLISHED  00:07:57  23:58:04       15     1096
    tcp       Out 189.20.108.XX:3233                            140.242.250.200:1720                          ESTABLISHED:ESTABLISHED  00:07:57  23:58:04       15     1096
    tcp       In  192.168.40.251:3234                           140.242.250.200:3242                          ESTABLISHED:ESTABLISHED  00:07:57  23:59:35      181    10480
    tcp       Out 189.20.108.XX:3234                            140.242.250.200:3242                          ESTABLISHED:ESTABLISHED  00:07:57  23:59:35      181    10480
    udp       In  192.168.40.251:3232                           140.242.250.200:3262                           NO_TRAFFIC:SINGLE       00:07:56  00:00:30    19850 13004860
    udp       Out 189.20.108.XX:3232                            140.242.250.200:3262                               SINGLE:NO_TRAFFIC   00:07:56  00:00:30    19850 13004860
    udp       In  192.168.40.251:3231                           140.242.250.200:3261                           NO_TRAFFIC:SINGLE       00:07:51  00:00:29       95     7220
    udp       Out 189.20.108.XX:3231                            140.242.250.200:3261                               SINGLE:NO_TRAFFIC   00:07:51  00:00:29       95     7220
    udp       In  192.168.40.251:3233                           140.242.250.200:3263                           NO_TRAFFIC:SINGLE       00:07:51  00:00:29       95     9120
    udp       Out 189.20.108.XX:3233                            140.242.250.200:3263                               SINGLE:NO_TRAFFIC   00:07:51  00:00:29       95     9120
    udp       In  192.168.40.251:3235                           140.242.250.200:3265                           NO_TRAFFIC:SINGLE       00:07:51  00:00:29       95     7220
    udp       Out 189.20.108.XX:3235                            140.242.250.200:3265                               SINGLE:NO_TRAFFIC   00:07:51  00:00:29       95     7220
    udp       In  192.168.40.251:3237                           140.242.250.200:3267                           NO_TRAFFIC:SINGLE       00:07:51  00:00:29       95     7240
    udp       Out 189.20.108.XX:3237                            140.242.250.200:3267                               SINGLE:NO_TRAFFIC   00:07:51  00:00:29       95     7240
    
    

    Best regards,
    Wesley Santos


  • Netgate Administrator

    That's not necessarily an error but you would expect more traffic when it connects correctly.

    I would bet it's sending its internal private IP still; we've seen that many, many times. Including numerous times when a VoIP provider told us it definitely wasn't and we had to prove it was using packet captures.

    We would need to see the SIP packets to be sure.

    PM them to me if you prefer. I'll take a look when I have time.

    Steve



  • Can I send you a .pcap packet capture for you to help analyze?


  • Netgate Administrator

    Yes, start a chat and attach it there.



  • Not allowed, your chat is restricted to people you follow only.


  • LAYER 8 Netgate

    Post whatever it is you think is telling you that. If that is the case it should not be. People chat me all the time without following.



  • ERROR
    This user has restricted their chat messages. They must follow you before you can talk to them


  • Netgate Administrator

    Hmm, must have changed the default at a forum update or something. I've changed that setting now, try again.

    Steve



  • Your chat is now released.



  • Dear, I made the capture available on Google Drive


  • Netgate Administrator

    Great I have that.

    There are no SIP packets in there so I can't check that directly, but it looks like it's still sending its internal IP as the address to connect back to, which can never work. For example:

    Selection_677.png

    And:

    Selection_678.png

    I won't claim to be any sort of expert in those protocols but from your description of the behaviour and the fact we see only outgoing RTP traffic in the pcap I think it is not configured to send the external IP.

    You need to set that correctly in the Polycom device before it can work behind NAT.

    Steve



  • Hi, thanks for your effort to help solve my case.
    Please can you explain if I used the filter correctly, I intended to monitor only LAN-ip traffic, using a filter for polycom IP address "192.168.40.251", when NAT requests occur, they should be caught in tcpdump using the command filter below?

    tcpdump -nvxi re0 -w capture.pcap host 192.168.40.251
    

    I captured packets from the WAN-ip interface, using a filter for WAN-ip and LAN-ip addresses, but when analyzing wireshark did not find NAT requests, I will forward the link of this packet in your chat.
    I used the command below.

    tcpdump -nvxi sk1 -w new.pcap "(host 189.20.108.XX or host 192.168.40.251)"
    

    Best regards,
    Wesley Santos


  • LAYER 8 Netgate

    It has nothing to do with the filter.

    The PBX is telling the far side to connect back to 192.168.40.251 on port 3230 for RTP.

    Obviously the far side cannot do that because that is your inside, non-routable, RFC1918 address.

    You need to tell the PBX to send your outside WAN address there instead.

    It is embedded in the SIP protocol. NAT can't translate it and there is no SIP ALG in pfSense to do it for you either.
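
The diagnosis in the post above can be checked against a capture by searching the signalling payloads for the private address. This is an added example, not part of the original thread: it flags RFC 1918 addresses in text signalling (SIP/SDP) and, going beyond the SIP case to the H.323 traffic on port 1720 seen in this thread, searches binary payloads for the packed address followed by a 2-byte port. That binary layout, the function names, the stand-in public address 203.0.113.10 and both sample payloads are assumptions constructed for illustration.

```python
import ipaddress
import re
import struct
from typing import List, Optional, Tuple

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Dotted quad that is not glued to other digits or dots ("1.2.3.4.5" is skipped).
_IPV4_TEXT = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def is_rfc1918(text: str) -> bool:
    """True if text is a valid IPv4 address inside a private RFC 1918 range."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:          # e.g. "999.1.1.1"
        return False
    return any(addr in net for net in RFC1918)


def find_text_leaks(payload: bytes) -> List[Tuple[str, str]]:
    """Scan text signalling (SIP headers, SDP body) line by line.

    Returns (field, address) for every private address found, where field is
    the header or SDP key the address appeared in (Via, Contact, c, o, ...).
    """
    leaks = []
    for raw_line in payload.splitlines():
        line = raw_line.decode("ascii", "replace")
        for match in _IPV4_TEXT.finditer(line):
            if is_rfc1918(match.group(1)):
                field = re.split(r"[:=]", line, maxsplit=1)[0].strip()
                leaks.append((field, match.group(1)))
    return leaks


def find_binary_leaks(payload: bytes,
                      internal_ip: str) -> List[Tuple[int, Optional[int]]]:
    """Scan a binary signalling payload for the endpoint's internal address.

    Assumption: the transport address is carried as 4 raw octets followed by
    a 2-byte big-endian port. Returns (offset, port) per hit; port is None
    when fewer than 2 bytes follow the address.
    """
    needle = ipaddress.IPv4Address(internal_ip).packed
    hits = []
    pos = payload.find(needle)
    while pos != -1:
        port = None
        if pos + 6 <= len(payload):
            port = struct.unpack_from("!H", payload, pos + 4)[0]
        hits.append((pos, port))
        pos = payload.find(needle, pos + 1)
    return hits


# Constructed sample: a SIP INVITE as an endpoint behind NAT would send it
# when it has not been told its external address.
SAMPLE_SIP_LEAKY = (
    b"INVITE sip:room@203.0.113.10 SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.168.40.251:5060;branch=z9hG4bKconstructed\r\n"
    b"Contact: <sip:vsx@192.168.40.251:5060>\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\n"
    b"o=- 1 1 IN IP4 192.168.40.251\r\n"
    b"c=IN IP4 192.168.40.251\r\n"
    b"m=audio 3230 RTP/AVP 0\r\n"
)

# Same message after the endpoint is configured to advertise its public address.
SAMPLE_SIP_FIXED = SAMPLE_SIP_LEAKY.replace(b"192.168.40.251", b"203.0.113.10")

# Constructed blob (not a valid H.245 PDU): filler bytes, then the internal
# address and RTP port 3230 in the assumed 4+2 byte layout, then filler.
SAMPLE_H323_BLOB = (
    b"\x03\x00\x00\x10\x40"
    + ipaddress.IPv4Address("192.168.40.251").packed
    + struct.pack("!H", 3230)
    + b"\x00\x80"
)

if __name__ == "__main__":
    for field, addr in find_text_leaks(SAMPLE_SIP_LEAKY):
        print(f"text signalling advertises private address {addr} in {field}")
    for offset, port in find_binary_leaks(SAMPLE_H323_BLOB, "192.168.40.251"):
        print(f"binary payload carries internal address at offset {offset}, port {port}")
    print("leaks after fix:", find_text_leaks(SAMPLE_SIP_FIXED))
```

Any hit on a payload taken from the WAN side means the far end is being told to connect back to an address it cannot route to, which matches the outgoing-only RTP seen in the capture.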



  • Hey man, how you doing?
    I reviewed all NAT settings applied to "Polycom VSX 7000", also restored the applied settings and configured them again. I can not understand what I am configuring wrong with NAT inside the pfsense firewall, the polycom NAT settings are very simple, below are some pictures of the polycom NAT settings.

    LAN properties.
    Captura de tela de 2019-08-15 17-18-34.png

    Polycom NAT Settings.
    Captura de tela de 2019-08-15 17-18-12.png

    Captura de tela de 2019-08-15 17-17-06.png
    Best regards,
    Wesley Santos


  • LAYER 8 Netgate

    Sorry. I don't read Portuguese.


  • LAYER 8 Netgate



  • Sorry, I replaced the images using English.



  • Hello, I have this same problem reported by this person.
    I performed all the steps and was only able to connect with the other end by clearing the "NAT is H.323 compliant" check box, but only audio is transmitted between both ends, when I leave this option selected, I can't connect audio / video.

    1565900638171-captura-de-tela-de-2019-08-15-17-18-12.png

    In fact, I have come to the conclusion that my firewall is blocking requests on the H323 protocol, do you suggest some maneuver to free all traffic coming under the H323 protocol?

    Best regards,
    Wesley Santos


  • Netgate Administrator

    It's very unlikely to be blocking it unless you have added rules. Do you see blocked traffic?

    If you uncheck that and incoming audio streams then work then clearly the device is then sending the correct address for external clients to connect to.

    The lack of video could be related or it could be a missing firewall rule for whatever port that is using.

    Try getting a pcap with the audio functioning and see what other traffic is there on the WAN.

    Steve



  • Hi @stephenw10, how are you?
    I cleared the "H.323 NAT Compatible" checkbox, performed a new capture, traffic seems to occur between both ends, but only audio traffic occurs, video traffic requires Polycom-enabled H323 protocol.
    In your chat I sent a packet capture.

    Best regards,
    Wesley Santos


  • Netgate Administrator

    Hmm, not seeing anything obviously wrong in the pcap. It is now sending correct IP address for incoming connections in the packets I checked which is why RTP traffic is now coming back from the remote IP.

    I won't claim to be any sort of expert here, there could be something on there indicating why video is failing. I can't see why it wouldn't work though given the audio is sending.

    Do you see any errors reported in the Polycom? Or whatever you're connecting to?

    Did you try enabling h.460?

    Steve



  • Hi Steve, how are you?
    Seeing no problem during Polycom calls, I noticed that by selecting the "NAT is H.323 compliant:" checkbox does not connect to final destination, I will clear the H323 checkbox and select the H460 "Enable" checkbox. H. 460 "-Firewall" as shown in the image below.

    Captura de tela de 2019-08-19 16-30-25.png

    Best regards,
    Wesley Santos

