Netgate Discussion Forum
    Strange case of nat not working depending on source port (sip trunk)

    Category: NAT
    2 Posts, 1 Poster, 344 Views
    olivluca:

      I have a pfSense firewall with 3 WANs (two of them PPPoE with the same gateway but different monitoring IPs), a LAN and a DMZ.
      In the DMZ I have a FreePBX VM that connects to a SIP trunk using UDP port 5070 (both source and destination).
      I have a rule to send this traffic to a specific WAN (don't be fooled by the name, this is the first WAN in pfSense).

      [screenshot]
      I also have a backup firewall (in case the main one fails and/or to test new versions/configurations).
      Yesterday I upgraded both firewalls from 2.4.4p3 to 2.4.5p1 and then to 2.5.1 but, due to this issue, I had to go back to 2.4.5p1 (on both firewalls).
      Everything seemed to be working, but later I found the SIP trunk wasn't.
      Capturing the traffic, I saw that

      • it was going out on a different WAN (with the same gateway but a different monitoring IP)
      • it was not NATted (i.e. it was going out with the internal IP of the FreePBX box)

      The first issue I solved by disconnecting the other WAN and connecting it again (???), but no matter what I tried I could not solve the second one, so today I decided to revert to the same version I started with (2.4.4p3) on the backup firewall, but that didn't solve anything 😕

      After some more tests I discovered that if the source port was 5070 the address was not NATted, while it was with a different port, so I just changed the source port and the problem was solved. Note that I have an incoming NAT rule on port 5070, but disabling it had no effect.

      [screenshot]

      OK, so I switched back to the main firewall (on 2.4.5p1) and, again, the SIP trunk wasn't working (outgoing address not NATted), but I switched the source port back to 5070 and it worked again 👻

      Note that both firewalls had exactly the same configuration (apart from the interfaces' names, since the hardware is different; I just take the XML from the main one, edit the interface names and restore it to the backup).

      I couldn't find port 5070 anywhere in the XML backup of the configuration apart from the DMZ outgoing rule and the NAT incoming rule, so I don't understand why it wasn't NATted and then it was.

      I'm considering putting the FreePBX box either directly on the internet or with a 1:1 NAT to a dedicated WAN, but I'd really like to know what happened.

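The symptom described in the post (a DMZ host's private address leaving a WAN untranslated, and only for one source port) is quickest to confirm from the pf state table rather than from a packet capture alone: `pfctl -ss` on the pfSense shell prints each state as `iface proto src (orig) -> dst state`, where the parenthesised `(orig)` is the pre-NAT source and is absent when no translation was applied. The script below is an added example, not part of the post or of pfSense; it parses that line format (assumed to be the `->` outbound form, IPv4 only), flags states on operator-listed WAN interfaces whose on-wire source is still an RFC 1918 address, and groups what it saw by internal source port so a port-dependent NAT failure like the one above stands out. The interface names and the sample state lines are constructed for the example. A private source address escaping a WAN is an address-disclosure problem as well as a broken trunk, which is why it is worth checking routinely and not only when SIP stops working.

```python
"""Scan `pfctl -ss` output for flows leaving a WAN interface without NAT.

Added example (not from the forum post). Assumes pf's outbound state
line format `iface proto src:port (origsrc:origport) -> dst:port STATE`,
IPv4 only; lines in any other shape are ignored.
"""
import ipaddress
import re
import sys
from collections import defaultdict

# Assumed WAN interface names; on a real box take them from `ifconfig`.
WAN_IFACES = {"pppoe0", "pppoe1", "em0"}

STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>udp|tcp|icmp)\s+"
    r"(?P<src>[0-9.]+):(?P<sport>\d+)"                    # on-wire source
    r"(?:\s+\((?P<osrc>[0-9.]+):(?P<osport>\d+)\))?"      # pre-NAT source, if any
    r"\s+->\s+(?P<dst>[0-9.]+):(?P<dport>\d+)\s+(?P<state>\S+)\s*$"
)

# Constructed sample resembling the situation in the post: the 5070 flow
# leaves pppoe1 untranslated, a 5071 flow from the same host is NATted.
SAMPLE = """\
pppoe1 udp 192.168.2.10:5070 -> 198.51.100.20:5070       MULTIPLE:MULTIPLE
pppoe0 udp 203.0.113.5:5071 (192.168.2.10:5071) -> 198.51.100.20:5070       MULTIPLE:MULTIPLE
em1 udp 192.168.2.10:5070 -> 198.51.100.20:5070       MULTIPLE:MULTIPLE
pppoe0 tcp 203.0.113.5:52011 (192.168.1.50:52011) -> 198.51.100.30:443       ESTABLISHED:ESTABLISHED
"""


def parse_state(line):
    """Return a dict for one outbound state line, or None if it does not match."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    st = m.groupdict()
    st["sport"] = int(st["sport"])
    st["dport"] = int(st["dport"])
    st["translated"] = st["osrc"] is not None
    # Internal (pre-NAT) source port: the original one if translated.
    st["int_sport"] = int(st["osport"]) if st["translated"] else st["sport"]
    return st


def find_untranslated(lines, wan_ifaces=WAN_IFACES):
    """States on a WAN interface whose on-wire source is still a private address."""
    hits = []
    for line in lines:
        st = parse_state(line)
        if st is None or st["iface"] not in wan_ifaces or st["translated"]:
            continue
        if ipaddress.ip_address(st["src"]).is_private:
            hits.append((st["iface"], st["proto"], st["src"], st["sport"],
                         st["dst"], st["dport"]))
    return hits


def nat_by_source_port(lines, wan_ifaces=WAN_IFACES):
    """Map internal source port -> set of 'nat' / 'nonat' observed on WAN states."""
    seen = defaultdict(set)
    for line in lines:
        st = parse_state(line)
        if st is None or st["iface"] not in wan_ifaces:
            continue
        seen[st["int_sport"]].add("nat" if st["translated"] else "nonat")
    return dict(seen)


if __name__ == "__main__":
    # Usage on the firewall: pfctl -ss | python3 natcheck.py
    lines = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for hit in find_untranslated(lines):
        print("UNTRANSLATED on %s: %s %s:%d -> %s:%d" % hit)
    for port, kinds in sorted(nat_by_source_port(lines).items()):
        print("internal source port %d: %s" % (port, ", ".join(sorted(kinds))))
```

Run it against the live state table with `pfctl -ss | python3 natcheck.py` (script name assumed); pair it with `pfctl -sn` to see which `nat` rules pf actually loaded, since that is what the packet is matched against, not the XML.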
      olivluca:

        Nobody has any suggestion?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.