Outbound NAT for VOIP: switch from Manual to Hybrid?
-
At a customer they run a Netgate SG-1100 with pfSense 2.4.5-p1: yes, the upgrade is waiting, because they are ~600 km away from me, and we all hesitate ;-)
But the current question is:
they got a new VoIP appliance (unify.com), and it is placed in the subnet "TK" (separate interface/VLAN) with 2 IPs (= 2 boxes), 192.168.99.10 and .11.
These go out and talk to some upstream servers, as far as I understand, SIP trunks.
Normally I would expect them to be allowed by some allow rule on the TK interface.
It turns out I see packets blocked on the LAN interface, but with a source IP from the TK subnet! Why is that?
I found the outbound NAT rules running in "Manual Outbound NAT" mode, with some outdated rules in there. I cleaned up some, but I'm not yet fully happy. I currently allow that strange source IP out, but that doesn't seem correct to me.
Now I found a PDF from a pfSense hangout which recommends using "Hybrid Outbound NAT" mode. I'd like to follow that, but I don't want to break things ...
Is toggling that dangerous in any way ...? Is there a possibility of losing admin access remotely? There is no competent admin there, so I have to be sure about my next steps here.
Here is the current state:
LAN is 192.168.100.0/24, 192.168.80.0/24 is a GUEST LAN, and 192.168.99.0/24 is the net for the VoIP appliances.
I'd appreciate any guidance here. Thanks.
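The symptom in the post (a block logged on LAN whose source address belongs to the TK subnet) is the kind of thing worth pulling out of the firewall log systematically before touching the outbound NAT mode, because it tells you which host is really sending from which interface. The script below is an added example, not code from the original post or from Netgate: it parses pfSense filterlog lines in the 2.4-era CSV layout (rule-number, sub-rule, anchor, tracker, real-interface, reason, action, direction, ip-version, then the IPv4 fields tos, ecn, ttl, id, offset, flags, protocol-id, protocol-text, length, source, destination, then the TCP/UDP ports) and reports every block whose source IP is not inside the subnet assigned to the interface that received it. The interface-to-subnet map uses the three networks from the post; the real interface names (mvneta0.409x) and the log lines themselves are constructed for the example and are assumptions.

```python
import ipaddress

# Assumed mapping of real interface name -> (pfSense interface name, its subnet).
# The subnets are the three from the post; the mvneta0.* names are made up for the example.
IFACE_SUBNETS = {
    "mvneta0.4091": ("LAN", ipaddress.ip_network("192.168.100.0/24")),
    "mvneta0.4092": ("GUEST", ipaddress.ip_network("192.168.80.0/24")),
    "mvneta0.4093": ("TK", ipaddress.ip_network("192.168.99.0/24")),
}

# Constructed sample filterlog lines (pfSense 2.4 CSV layout, IPv4 + UDP/TCP fields).
SAMPLE_LOG = """\
5,,,1000000103,mvneta0.4091,match,block,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.99.10,203.0.113.5,5060,5060,40
5,,,1000000103,mvneta0.4091,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,192.168.100.50,198.51.100.7,51234,445,0,S,,,65535,,mss
7,,,1000000110,mvneta0.4093,match,pass,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.99.11,203.0.113.5,5060,5060,40
"""


def parse_filterlog(line):
    """Return a dict for one IPv4 filterlog line, or None if it is not IPv4 / too short."""
    f = line.strip().split(",")
    # Need at least the fixed prefix (9 fields), the IPv4 block (11 fields) and two ports.
    if len(f) < 22 or f[8] != "4":
        return None
    return {
        "real_iface": f[4],
        "action": f[6],
        "direction": f[7],
        "proto": f[16],
        "src": ipaddress.ip_address(f[18]),
        "dst": ipaddress.ip_address(f[19]),
        "sport": f[20],
        "dport": f[21],
    }


def find_off_subnet_blocks(log_text, iface_subnets=IFACE_SUBNETS):
    """Blocked inbound packets whose source IP does not belong to the receiving interface's subnet.

    Each hit says which pfSense interface saw the packet, what the source was and which
    subnet it actually belongs to (if any), so the misrouted/misattached host can be found.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if rec is None or rec["action"] != "block" or rec["direction"] != "in":
            continue
        name, own_net = iface_subnets.get(rec["real_iface"], (rec["real_iface"], None))
        if own_net is not None and rec["src"] in own_net:
            continue  # normal block: host is where it should be
        # Work out which of our subnets the source really belongs to, if any.
        home = next((n for n, net in iface_subnets.values() if rec["src"] in net), None)
        hits.append({
            "iface": name,
            "src": str(rec["src"]),
            "dst": str(rec["dst"]),
            "proto": rec["proto"],
            "dport": rec["dport"],
            "src_belongs_to": home,
        })
    return hits


if __name__ == "__main__":
    for h in find_off_subnet_blocks(SAMPLE_LOG):
        print(f"{h['iface']}: block from {h['src']} (belongs to {h['src_belongs_to']}) "
              f"-> {h['dst']} {h['proto']}/{h['dport']}")
```

On a live box the input would be the output of clog /var/log/filter.log piped through the filterlog-line extractor, rather than the constructed SAMPLE_LOG; the field indices assume the 2.4 layout, so check one real line against them before trusting the result. A hit like "LAN: block from 192.168.99.10 (belongs to TK)" means the packet physically entered on the LAN port with a TK address, which points at a cabling/VLAN-tagging problem or a second NIC on the appliance, not at outbound NAT, and is worth resolving before switching NAT modes.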