NAT 1:1 Polycom VSX 7000

  • Netgate Administrator

    That's not necessarily an error but you would expect more traffic when it connects correctly.

    I would bet it's sending it's internal private IP still we've seen that many many times. Including numerous times when a VoIP provider told us it definitely wasn't and we had to prove it was using packet captures.

    We would need to see the SIP packets to be sure.

    PM them to me if you prefer. I'll take a look when I have time.


  • can i send you a .pcap packet capture for you to help analyze?

  • Netgate Administrator

    Yes, start a chat and attach it there.

  • not allowed, your chat is restricted to people you follow only

  • LAYER 8 Netgate

    Post whatever it is you think is telling you that. If that is the case it should not be. People chat me all the time without following.

    This user has restricted their chat messages. They must follow you before you can talk to them

  • Netgate Administrator

    Hmm, must have changed the default at a forum update or something. I've changed that setting now, try again.


  • Your chat is now released.

  • Dear, I made the capture available on Google Drive

  • Netgate Administrator

    Great I have that.

    There are no SIP packets in there so I can't check that directly but it looks like it's still sending it's internal IP as the address to connect back to which can never work. For example:




    I won't to be any sort of expert in those protocols but from your description of the behaviour and the fact we see only outgoing RTP traffic in the pcap I think it is not configured to send the external IP.

    You need to set that correctly in the Polycom device before it can work behind NAT.


  • Hi, thanks for your effort to help solve my case.
    Please can you explain if I used the filter correctly, I intended to monitor only LAN-ip traffic, using a filter for polycom IP address "", when NAT requests occur, they should be caught in tcpdump using the command filter below?

    tcpdump -nvxi re0 -w capture.pcap host

    I captured packets from the WAN-ip interface, using a filter for WAN-ip and LAN-ip addresses, but when analyzing wireshark did not find NAT requests, I will forward the link of this packet in your chat.
    I used the command below.

    tcpdump -nvxi sk1 -w new.pcap "(host 189.20.108.XX or host"

    Best regards,
    Wesley Santos

  • LAYER 8 Netgate

    It has nothing to do with the filter.

    The PBX is telling the far side to connect back to on port 3230 for RTP.

    Obviously the far side cannot do that because that is your inside, non-routable, RFC1918 address.

    You need to tell the PBX to send your outside WAN address there instead.

    It is embedded in the SIP protocol. NAT can't translate it and there is no SIP ALG in pfSense to do it for you either.

  • Hey man, how you doing?
    I reviewed all NAT settings applied to "Polycom VSX 7000", also restored the applied settings and configured them again. I can not understand what I am configuring wrong with NAT inside the pfsense firewall, the polycom NAT settings are very simple, below are some pictures of the polycom NAT settings.

    LAN properties.
    Captura de tela de 2019-08-15 17-18-34.png

    Polycom NAT Settings.
    Captura de tela de 2019-08-15 17-18-12.png

    Captura de tela de 2019-08-15 17-17-06.png
    Best regards,
    Wesley Santos

  • LAYER 8 Netgate

    Sorry. I don't read Portuguese.

  • LAYER 8 Netgate

  • Sorry, I replaced the images using English.

  • Hello, I have this same problem reported by this person.
    I performed all the steps and was only able to connect with the other end by clearing the "NAT is H.323 compliant" check box, but only audio is transmitted between both ends, when I leave this option selected, I can't connect audio / video.


    In fact, I have come to the conclusion that my firewall is blocking requests on the H323 protocol, do you suggest some maneuver to free all traffic coming under the H323 protocol?

    Best regards,
    Wesley Santos

  • Netgate Administrator

    It's very unlikely to be blocking it unless you have added rules. Do you see blocked traffic?

    If you uncheck that and incoming audio streams then work then clearly the device is then sending the correct address for external clients to connect to.

    The lack of video could be related or it could be a missing firewall rule for whatever port that is using.

    Try getting a pcap with the audio functioning and see what other traffic is there on the WAN.


  • Hi @stephenw10, how are you?
    I cleared the "H.323 NAT Compatible" checkbox, performed a new capture, traffic seems to occur between both ends, but only audio traffic occurs, video traffic requires Polycom-enabled H323 protocol.
    In your chat I sent a packet capture.

    Best regards,
    Wesley Santos

  • Netgate Administrator

    Hmm, not seeing anything obviously wrong in the pcap. It is now sending correct IP address for incoming connections in the packets I checked which is why RTP traffic is now coming back from the remote IP.

    I won't claim to be any sort of expert here, there could be something on there indicating why video is failing. I can't see why it wouldn't work though given the audio is sending.

    Do you see any errors reported in the Polycom? Or whatever you're connecting to?

    Did you try enabling h.460?


  • Hi Steve, how are you?
    Seeing no problem during Polycom calls, I noticed that by selecting the "NAT is H.323 compliant:" checkbox does not connect to final destination, I will clear the H323 checkbox and select the H460 "Enable" checkbox. H. 460 "-Firewall" as shown in the image below.

    Captura de tela de 2019-08-19 16-30-25.png

    Best regards,
    Wesley Santos

Log in to reply