Forwarding RTP ports 20000-20011 not working



  • I am having a problem getting VoIP working. This VoIP provider allows you to send RTP packets to any port, but they only send RTP packets back to ports 20000-20011. I set up a NAT which created an automatic firewall rule for this; however, it doesn't work. I have a traffic capture below. I am not showing any drops if I look at the real-time filter logs.

    my external ip: 216.58.19.208
    isp's sip server: 209.197.191.40
    my voip adapter: 192.168.1.102

    I set up the following NAT rule:
    If  Proto  Ext. port range  NAT IP  Int. port range  Description 
    OPT1 TCP/UDP 20000 - 20011 192.168.1.102

    It has the following firewall rule:
    Proto  Source  Port  Destination  Port  Gateway  Schedule  Description 
    TCP/UDP * * 192.168.1.102 20000 - 20011

    tcpdump -i fxp1 net 209.197.191.40/32 (this is my outside interface)
    12:29:25.151991 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
    12:29:25.163855 IP 216.58.19.208.5656 > 209.197.191.40.12992: UDP, length 172
    12:29:25.174259 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
    12:29:25.184090 IP 216.58.19.208.5656 > 209.197.191.40.12992: UDP, length 172
    12:29:25.192346 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
    12:29:25.203235 IP 216.58.19.208.5656 > 209.197.191.40.12992: UDP, length 172
    12:29:25.209521 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
    12:29:25.223461 IP 216.58.19.208.5656 > 209.197.191.40.12992: UDP, length 172
    12:29:25.233807 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
    12:29:25.243673 IP 216.58.19.208.5656 > 209.197.191.40.12992: UDP, length 172
    12:29:25.249459 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172

    • You can see two-way traffic here.

    tcpdump -i em0 net 192.168.1.102/32 (inside interface)
    12:29:25.143454 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
    12:29:25.163814 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
    12:29:25.184049 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
    12:29:25.203167 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
    12:29:25.223394 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
    12:29:25.243630 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
    12:29:25.263864 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
    12:29:25.282975 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
    12:29:25.303209 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
    12:29:25.323445 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172

    • Here you only see one-way traffic.

    The result of this is that I can talk to people over VoIP but I cannot hear them. Very annoying. Any ideas how I can get this inbound traffic onto my network?



  • As a workaround I have a 1:1 NAT set up for my external IP to the SIP box IP.

    I say this is a workaround because I don't need all ports open on the SIP box, and it's a dynamic IP address, so if my IP changes, my VoIP will stop working until I change this setting.



  • Could it be that your provider also expects that outbound connections originate from 20000-20011 as well?
    Have you tried to enable static ports for your VoIP device?
    http://doc.pfsense.org/index.php/Static_Port



  • Give us screenshots of your NAT and rules please.
    There is no traffic coming from OPT1 to LAN; that is why you cannot hear them.



  • Sounds like static ports will resolve this. The problem was that the ports were getting rewritten; 1:1 NAT resolved this.

    If static ports didn't require enabling advanced outbound NAT, I'd do it. It's too bad I can't have both automatic NAT and advanced NAT at the same time.

    UPDATE:

    I've removed the 1:1 NAT and set up static port. RTP works perfectly. The problem of course was that the port number was being changed in the NAT process and my VoIP provider didn't like this.

    Advanced outbound NAT is incredibly simple. If I knew how easy it was to set up, I would have done this on day 1.
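    The diagnosis reached in this thread (the inside capture shows the adapter sending from 20010, the outside capture shows the firewall sending from 5656, and nothing ever comes back through to the LAN) can be checked mechanically by pairing the two tcpdump captures. The script below is an added example, not code from the thread or from pfSense; it uses a few lines quoted from the captures above as constructed sample input, and the host addresses are the ones the poster gave.

```python
import re

# Sample input constructed from the thread's tcpdump output: a few lines from
# the outside interface (fxp1) and a few from the inside interface (em0).
OUTSIDE_CAPTURE = """
12:29:25.151991 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
12:29:25.163855 IP 216.58.19.208.5656 > 209.197.191.40.12992: UDP, length 172
12:29:25.174259 IP 209.197.191.40.12992 > 216.58.19.208.20010: UDP, length 172
"""
INSIDE_CAPTURE = """
12:29:25.143454 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
12:29:25.163814 IP 192.168.1.102.20010 > 209.197.191.40.12992: UDP, length 172
"""

# tcpdump prints "host.port > host.port" for UDP; the last dot separates the port.
PACKET = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length (\d+)$")


def parse_capture(text):
    """Return (src, sport, dst, dport) for every UDP line in a tcpdump capture."""
    packets = []
    for line in text.strip().splitlines():
        m = PACKET.match(line.strip())
        if m:
            src, sport, dst, dport, _ = m.groups()
            packets.append((src, int(sport), dst, int(dport)))
    return packets


def source_port_rewrites(inside, outside, lan_host, wan_ip):
    """Match each LAN outbound flow to its WAN twin by (remote host, remote port)
    and report (lan_sport, wan_sport, remote) wherever outbound NAT changed the port."""
    lan_ports = {}
    for src, sport, dst, dport in parse_capture(inside):
        if src == lan_host:
            lan_ports.setdefault((dst, dport), set()).add(sport)
    rewrites = set()
    for src, sport, dst, dport in parse_capture(outside):
        if src == wan_ip:
            for lan_sport in lan_ports.get((dst, dport), ()):
                if lan_sport != sport:
                    rewrites.add((lan_sport, sport, f"{dst}:{dport}"))
    return sorted(rewrites)


def inbound_reaches_lan(inside, lan_host):
    """True only if some packet on the inside interface is addressed to the VoIP device."""
    return any(dst == lan_host for _, _, dst, _ in parse_capture(inside))
```

    A non-empty result from source_port_rewrites together with inbound_reaches_lan returning False is the one-way-audio signature described above; static port on the outbound NAT rule for the adapter removes the rewrite.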

