Strange case of nat not working depending on source port (sip trunk)
-
I have a pfsense firewall with 3 Wans (two of them ppoe with the same gateway but different monitoring ip), a LAN and a DMZ.
In the DMZ I have a freepbx vm that connects to a sip trunk using udp port 5070 (both source and destination).
I have a rule to send this traffic to a specific wan (don't be fooled by the name, this is the first wan in pfsense).
I also have a backup firewall (in case the main one fails and/or to test new versions/configurations).
Yesterday I upgraded both firewalls from 2.4.4p3 to 2.4.5p1 then to 2.5.1 but, due to this issue I had to go back to 2.4.5p1 (on both firewalls).
Everything seemed to be working but later I found the sip trunk wasn't.
Capturing the traffic I saw that- it was going out on a different wan (with the same gw but different monitoring ip)
- it was not natted (i.e. it was going out with the internal ip of the freepbx box)
The first issue I solved by disconnecting the other wan and connecting it again (???), but no matter what I tried I could not solve the second one, so today I decided to revert to the same version I started with (2.4.4.p3) on the backup firewall but that didn't solve anything
After some more test I discovered that if the source port was 5070 the address was not natted, while it was with a different port, so I just changed the source port and problem solved. Note that I have an incoming nat rule on port 5070, but disabling it had no effect
Ok, so I switched back to the main firewall (on 2.4.5p1) and, again, the sip trunk wasn't working (outgoing address not natted), but I switched back the source port to 5070 and it worked again
Note that both firewall had the same exact configuration (apart from the interfaces' names since the hardware is different, I just take the xml from the main one, edit the interfaces name and restore it to the backup).
I couldn't find port 5070 anywhere in the xml backup of the configuration apart from the DMZ outgoing rule and the NAT incoming rule so I don't understand why it wasn't natted and then it was.
I'm considering putting the freepbx box either directly on the internet or with a 1:1 nat to a dedicated wan, but I'd really like to know what happened.
-
Nobody has any suggestion?