Netgate Discussion Forum
    Voip not working due to nat persistence

    General pfSense Questions
    11 Posts 3 Posters 1.1k Views
    mgiammarco2:

      Hi,
      I have a network managed by pfSense.
      My customer has a cloud PBX and many internal soft SIP clients.
      It seems that pfSense terminates NAT on valid TCP connections.
      I have set firewall optimization to "conservative".
      I have manually increased the state timeouts and TCP state timeouts to 10x.
      I am embarrassed because the problem persists and:

      • I have no more things to try
      • I cannot check if it is really a firewall problem because I cannot log NAT states changes

      What can I do?
      Thanks,
      Mario

      stephenw10 (Netgate Administrator) @mgiammarco2:

        @mgiammarco2 said in Voip not working due to nat persistence:

        It seems that PFSense terminates NAT on valid tcp connections.

        What exactly are you seeing?

        The NAT applied by the firewall is part of the firewall state. It should remain active until the state closes.

        You have SIP clients behind pfSense and an external PBX? No special config would usually be required for that.

        Steve

        mgiammarco2 @stephenw10:

          @stephenw10
          I can assure you that there is a real problem that impacts the customer's phone calls.
          The PBX provider has sent me evidence that pfSense closes NAT on valid TCP connections or on UDP flows that receive a ping every minute.
          I have changed firewall optimization to conservative to increase timeouts but it is not enough.
          Now I need a way to log sessions closed by pfSense to see why it is happening.

          SteveITS @mgiammarco2:

            @mgiammarco2 What PBX? We are 3CX partners and have not had any issues using pfSense at client offices.


            mgiammarco2 @SteveITS:

              @steveits Kalliope PBX

              mgiammarco2 @stephenw10:

                @stephenw10 I confirm that there are a lot of blocked incoming UDP packets from the PBX IP to the firewall IP.
                That suggests that the NAT has timed out and now the firewall refuses the packets.
                I need to log NAT state changes. Is it possible?

                stephenw10 (Netgate Administrator):

                  NAT states are part of the firewall states, they are not separately created or removed.
                  For example:

                  all icmp 172.21.16.22:50232 (192.168.22.1:5392) -> 8.8.8.8:50232       0:0
                     age 00:00:02, expires in 00:00:10, 3:3 pkts, 252:252 bytes, rule 82
                  

                  You cannot log state removals directly. You can log state creations by enabling logging on the pass rules that created them.

                  You can dump the current state table at the command line:

                  pfctl -vss
                  

                  A single v there will show you the states as in my example above.

                  What rule is shown as blocking that traffic from the PBX?

                  Is this a single firewall, not an HA pair with state sync?

                  Steve

                  mgiammarco2 @stephenw10:
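Since pf does not log state removals, the practical substitute is to snapshot the state table on a short interval and diff consecutive snapshots, which tells you when a given state for the PBX disappeared. The script below is an added example, not code from the thread or from Netgate: it works on the one-line-per-state output of `pfctl -ss` (without `-v`, so there is no second age/expires line to skip), ignores changes to the trailing state-flags field so a state that merely went from SINGLE to MULTIPLE is not reported, and filters on the PBX address. The PBX address 203.0.113.10 and the two snapshots are constructed for the example; `watch_pbx_states` is the loop you would run on the firewall itself and is not invoked here.

```shell
#!/bin/sh
# Added example (not from the thread): detect pf state removals by diffing
# snapshots of `pfctl -ss`. Constructed data; the PBX IP is an assumption.
export LC_ALL=C

PBX_IP="203.0.113.10"   # assumed cloud PBX address (constructed for the example)

# Reduce a pfctl -ss snapshot to sorted, unique "if proto src (orig) -> dst"
# tuples: the trailing state-flags field is dropped so a flags change alone
# does not look like a removal.
state_tuples() {
    awk '{ $NF = ""; sub(/[ \t]+$/, ""); print }' "$1" | sort -u
}

# vanished_states OLD NEW IP: print tuples present in OLD but not in NEW
# that involve IP. comm -23 keeps lines unique to the first (older) file.
vanished_states() {
    old="$1"; new="$2"; ip="$3"
    tmp="${TMPDIR:-/tmp}/pfdiff.$$"
    state_tuples "$old" > "$tmp.old"
    state_tuples "$new" > "$tmp.new"
    comm -23 "$tmp.old" "$tmp.new" | awk -v ip="$ip" 'index($0, ip)'
    rm -f "$tmp.old" "$tmp.new"
}

# On a pfSense node: snapshot every INTERVAL seconds and print a timestamped
# line for every PBX state that vanished since the previous snapshot.
# Not called in this example because pfctl is only present on the firewall.
watch_pbx_states() {
    interval="${1:-30}"
    prev="${TMPDIR:-/tmp}/pfstates.prev"; cur="${TMPDIR:-/tmp}/pfstates.cur"
    pfctl -ss > "$prev"
    while sleep "$interval"; do
        pfctl -ss > "$cur"
        vanished_states "$prev" "$cur" "$PBX_IP" |
            sed "s/^/$(date '+%Y-%m-%dT%H:%M:%S') state gone: /"
        mv "$cur" "$prev"
    done
}

# Constructed snapshot 1: SIP registration, an RTP flow and a TLS session to
# the PBX, plus an unrelated DNS state.
write_sample_old() {
    cat > "$1" <<'EOF'
all udp 198.51.100.2:5060 (192.168.1.50:5060) -> 203.0.113.10:5060       MULTIPLE:MULTIPLE
all udp 198.51.100.2:10002 (192.168.1.50:10002) -> 203.0.113.10:18000       MULTIPLE:MULTIPLE
all tcp 198.51.100.2:44120 (192.168.1.51:44120) -> 203.0.113.10:5061       ESTABLISHED:ESTABLISHED
all udp 198.51.100.2:53011 (192.168.1.20:53011) -> 8.8.8.8:53       SINGLE:MULTIPLE
EOF
}

# Constructed snapshot 2: the SIP state is gone (the PBX's keepalives will now
# hit the default deny rule), the RTP state only changed flags, and the DNS
# state expired but is not the PBX's problem.
write_sample_new() {
    cat > "$1" <<'EOF'
all udp 198.51.100.2:10002 (192.168.1.50:10002) -> 203.0.113.10:18000       MULTIPLE:SINGLE
all tcp 198.51.100.2:44120 (192.168.1.51:44120) -> 203.0.113.10:5061       ESTABLISHED:ESTABLISHED
EOF
}

# Run the diff over the constructed snapshots; prints only the lost SIP state.
demo() {
    d="${TMPDIR:-/tmp}/pbxdemo.$$"
    mkdir -p "$d"
    write_sample_old "$d/old"; write_sample_new "$d/new"
    vanished_states "$d/old" "$d/new" "$PBX_IP"
    rm -rf "$d"
}

demo
```

Run this on both nodes of an HA pair at the same interval: if a PBX state vanishes on the secondary at the same moment it vanishes on the primary, that is consistent with the closure being synced across, which is what the rest of the thread turns on.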

                    @stephenw10
                    The rule is "Default deny rule IPv4".
                    The firewall is an HA pair, active/passive with multi-WAN. Does it matter?

                    stephenw10 (Netgate Administrator) @mgiammarco2:

                      @mgiammarco2 said in Voip not working due to nat persistence:

                      The firewall is an HA pair active passive with multi wan, does it matter?

                      Yes. In an HA pair the firewall states are synced between the nodes so that when they fail over traffic continues to flow. They are synced both ways so that the nodes can fail over and fail back. That means that if the secondary node sees the states as timing out or being closed for some reason, it will sync that state closure back to the primary.
                      The most common cause of that is mismatched interfaces between the nodes, so that states are not valid on both.

                      So the first thing I would do there is disable state sync on the secondary and see if that stops the connections being dropped.
                      Be aware that means failing back after a failover event would not be seamless whilst it's disabled.

                      Steve

                      mgiammarco2 @stephenw10:

                        @stephenw10
                        Hi,
                        it seems that powering down the slave firewall has solved the problem.
                        But now I am worried.
                        The two firewalls are working correctly, all interfaces of the slave were always in backup state.
                        The two firewalls are connected to a cisco router that provides internet connection and it supports multicast.
                        How can I detect and solve this problem? What exactly is the mismatch you were talking about?
                        Thanks,
                        Mario

                        stephenw10 (Netgate Administrator):

                          Backup the config files from each node and compare the interfaces section.

                          This sort of issue is almost always because the interfaces are not identically defined.

                          They must be configured in the same order with the same internal names.

                          Steve

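The comparison Steve describes can be mechanised. The script below is an added example, not Netgate's tooling: it pulls the top-level `<interfaces>` section out of two pfSense config.xml backups, lists each interface entry in the order it appears together with its internal name (wan, lan, opt1, ...) and physical `<if>`, and reports a mismatch if the two lists differ in any position. The two config fragments are constructed for the example and use the pfSense layout of one element per line; the secondary has lan and opt1 swapped, which is exactly the kind of difference that leaves states valid on one node only.

```shell
#!/bin/sh
# Added example (not from the thread): compare the <interfaces> section of two
# pfSense config.xml backups, in order, by internal name and physical device.
# The sample configs below are constructed.

# interface_order FILE: print "N name device" for each entry of the first
# <interfaces> section, in document order.
interface_order() {
    awk '
        /<interfaces>/   { inside = 1; next }
        /<\/interfaces>/ { exit }
        !inside          { next }
        # An interface entry opens with a bare tag on its own line: <wan>, <opt1>
        cur == "" && match($0, /^[ \t]*<[a-z0-9_]+>[ \t]*$/) {
            cur = $0; gsub(/[ \t<>]/, "", cur); phys = "?"; next
        }
        # <if>vtnet0</if> inside the entry gives the physical device
        cur != "" && match($0, /<if>[^<]*<\/if>/) {
            phys = substr($0, RSTART + 4, RLENGTH - 9); next
        }
        cur != "" && index($0, "</" cur ">") {
            printf "%d %s %s\n", ++n, cur, phys; cur = ""
        }
    ' "$1"
}

# compare_interfaces PRIMARY SECONDARY: exit 0 if the ordered lists match,
# otherwise print both lists and exit 1.
compare_interfaces() {
    a=$(interface_order "$1"); b=$(interface_order "$2")
    if [ "$a" = "$b" ]; then
        echo "interfaces match"
        return 0
    fi
    echo "interface mismatch between nodes:"
    echo "$a" | sed 's/^/  primary:   /'
    echo "$b" | sed 's/^/  secondary: /'
    return 1
}

# Constructed primary config: wan, lan, opt1 in that order.
write_primary_cfg() {
    cat > "$1" <<'EOF'
<pfsense>
	<interfaces>
		<wan>
			<enable></enable>
			<if>vtnet0</if>
			<descr><![CDATA[WAN]]></descr>
		</wan>
		<lan>
			<enable></enable>
			<if>vtnet1</if>
			<descr><![CDATA[LAN]]></descr>
		</lan>
		<opt1>
			<enable></enable>
			<if>vtnet2</if>
			<descr><![CDATA[VOICE]]></descr>
		</opt1>
	</interfaces>
</pfsense>
EOF
}

# Constructed secondary config: same devices, but lan and opt1 are swapped.
write_secondary_cfg() {
    cat > "$1" <<'EOF'
<pfsense>
	<interfaces>
		<wan>
			<enable></enable>
			<if>vtnet0</if>
			<descr><![CDATA[WAN]]></descr>
		</wan>
		<opt1>
			<enable></enable>
			<if>vtnet2</if>
			<descr><![CDATA[VOICE]]></descr>
		</opt1>
		<lan>
			<enable></enable>
			<if>vtnet1</if>
			<descr><![CDATA[LAN]]></descr>
		</lan>
	</interfaces>
</pfsense>
EOF
}

demo() {
    d="${TMPDIR:-/tmp}/hacmp.$$"
    mkdir -p "$d"
    write_primary_cfg "$d/primary.xml"; write_secondary_cfg "$d/secondary.xml"
    compare_interfaces "$d/primary.xml" "$d/secondary.xml" || true
    rm -rf "$d"
}

demo
```

On real backups run `compare_interfaces primary.xml secondary.xml`; a clean result means the entries are in the same order with the same internal names and devices, which is the condition the previous post sets out.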
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.