VoIP not working due to NAT persistence
-
Hi,
I have a network managed by pfSense.
My customer has a cloud pbx and many internal soft sip clients.
It seems that pfSense terminates NAT on valid TCP connections.
I have set firewall optimization to "conservative".
I have manually increased state timeouts and TCP states to 10x.
I am embarrassed because the problem persists and:
- I have nothing more to try
- I cannot check if it is really a firewall problem because I cannot log NAT state changes
What can I do?
Thanks,
Mario -
@mgiammarco2 said in VoIP not working due to NAT persistence:
It seems that pfSense terminates NAT on valid TCP connections.
What exactly are you seeing?
The NAT applied by the firewall is part of the firewall state. It should remain active until the state closes.
You have SIP clients behind pfSense and an external PBX? No special config would usually be required for that.
Steve
-
@stephenw10
I can assure you that there is a real problem that impacts the customer's phone calls.
The PBX provider has sent me evidence that pfSense closes NAT on valid TCP connections or on UDP flows that receive a ping every minute.
I have changed the firewall optimization to conservative to increase the timeouts, but it is not enough.
Now I need a way to log sessions closed by pfSense to see why it is happening.
-
@mgiammarco2 What PBX? We are 3CX partners and have not had any issues using pfSense at client offices.
-
@steveits Kalliope PBX
-
@stephenw10 I confirm that there are a lot of blocked incoming UDP packets from the PBX IP to the firewall IP.
That suggests that the NAT has timed out and now the firewall refuses the packets.
I need to log NAT state changes. Is it possible?
-
NAT states are part of the firewall states, they are not separately created or removed.
For example:
all icmp 172.21.16.22:50232 (192.168.22.1:5392) -> 8.8.8.8:50232       0:0
   age 00:00:02, expires in 00:00:10, 3:3 pkts, 252:252 bytes, rule 82
You cannot log state removals directly. You can log state creations by enabling logging on the pass rules that created them.
You can dump the current state table at the command line:
pfctl -vss
A single "v" there will show you the states as in my example above.
What rule is shown as blocking that traffic from the PBX?
Is this a single firewall, not an HA pair with state sync?
Steve
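Since state removals cannot be logged directly, the practical substitute is to capture the state table twice and diff the snapshots: a state that disappears while its "expires in" counter still had time left was not removed by a timeout. The script below is an added example written for this thread, not code from the original posts or from pfSense. It parses the `pfctl -vss` layout shown above (both the two-line form pfctl prints and the collapsed one-line form in the post), and the two dumps it contains are constructed, with 198.51.100.7 standing in for the cloud PBX and 203.0.113.10 for the firewall's WAN address.

```python
"""Snapshot-diff of `pfctl -vss` output to catch states that vanish before
their timeout. Added example, not from the original thread; both dumps are
constructed (198.51.100.7 = PBX, 203.0.113.10 = firewall WAN)."""
import re
from typing import Dict, List, Tuple

# Head line: "<iface> <proto> <src> [(<nat-addr>)] -> <dst> <state>"
# (inbound states print "<-" instead of "->").
ENTRY_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+"
    r"(?:\((?P<nat>\S+)\)\s+)?(?P<dir><-|->)\s+(?P<dst>\S+)\s+(?P<state>\S+)$"
)
# Detail line. pfctl prints it indented under the head line; the forum post
# collapsed both onto one line, so the parser accepts either layout.
DETAIL_RE = re.compile(
    r"age (?P<age>\d+:\d+:\d+), expires in (?P<expires>\d+:\d+:\d+), "
    r"(?P<pi>\d+):(?P<po>\d+) pkts, (?P<bi>\d+):(?P<bo>\d+) bytes, rule (?P<rule>\d+)"
)

# Constructed first capture.
SNAPSHOT_1 = """\
all udp 10.0.0.25:5060 (203.0.113.10:5060) -> 198.51.100.7:5060       MULTIPLE:MULTIPLE
   age 00:42:10, expires in 00:00:55, 2520:2519 pkts, 1234560:1230000 bytes, rule 12
all tcp 10.0.0.26:49222 (203.0.113.10:49222) -> 198.51.100.7:5061       ESTABLISHED:ESTABLISHED
   age 01:12:03, expires in 23:58:40, 910:905 pkts, 412300:398770 bytes, rule 12
all icmp 172.21.16.22:50232 (192.168.22.1:5392) -> 8.8.8.8:50232       0:0
   age 00:00:02, expires in 00:00:10, 3:3 pkts, 252:252 bytes, rule 82
"""
# Constructed capture 30 s later: the UDP state was refreshed by the keepalive,
# the ICMP state aged out as expected, and the TCP state is simply gone.
SNAPSHOT_2 = """\
all udp 10.0.0.25:5060 (203.0.113.10:5060) -> 198.51.100.7:5060       MULTIPLE:MULTIPLE
   age 00:42:40, expires in 00:00:50, 2521:2520 pkts, 1235050:1230490 bytes, rule 12
"""


def _seconds(hms: str) -> int:
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def parse_states(dump: str) -> List[Dict]:
    """Turn a `pfctl -vss` dump into one dict per state."""
    states: List[Dict] = []
    current = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        detail = DETAIL_RE.search(line)
        head = line[:detail.start()].rstrip() if detail else line
        entry = ENTRY_RE.match(head) if head else None
        if entry:
            current = entry.groupdict()
            states.append(current)
        if detail and current is not None:
            d = detail.groupdict()
            current.update(
                age=_seconds(d["age"]), expires=_seconds(d["expires"]),
                pkts=(int(d["pi"]), int(d["po"])), bytes=(int(d["bi"]), int(d["bo"])),
                rule=int(d["rule"]),
            )
    return states


def state_key(s: Dict) -> Tuple[str, str, str, str]:
    """Identity of a state across snapshots: protocol plus the three endpoints."""
    return (s["proto"], s["src"], s["nat"] or "", s["dst"])


def _host(endpoint: str) -> str:
    return endpoint.rsplit(":", 1)[0].strip("[]")  # "[2001:db8::1]:5060" -> "2001:db8::1"


def states_for_host(states: List[Dict], ip: str) -> List[Dict]:
    return [s for s in states if ip in {_host(s["src"]), _host(s["dst"]), _host(s["nat"] or "")}]


def vanished_early(before: List[Dict], after: List[Dict], interval_s: int) -> List[Dict]:
    """States in `before` with more than `interval_s` seconds left that are
    missing from `after`. A plain timeout cannot explain these; on an HA pair,
    a state close synced from the other node can."""
    still_there = {state_key(s) for s in after}
    return [s for s in before if state_key(s) not in still_there and s.get("expires", 0) > interval_s]


def report(before_dump: str, after_dump: str, pbx_ip: str, interval_s: int) -> List[str]:
    before, after = parse_states(before_dump), parse_states(after_dump)
    lines = [f"{len(states_for_host(before, pbx_ip))} state(s) involving {pbx_ip} in first snapshot"]
    for s in vanished_early(before, after, interval_s):
        lines.append(f"GONE EARLY: {s['proto']} {s['src']} ({s['nat']}) {s['dir']} {s['dst']} "
                     f"had {s['expires']}s left, rule {s['rule']}")
    return lines


if __name__ == "__main__":
    # On the firewall, replace the constructed dumps with two real
    # `pfctl -vss` captures taken interval_s seconds apart.
    for line in report(SNAPSHOT_1, SNAPSHOT_2, "198.51.100.7", interval_s=30):
        print(line)
```

Run it with two captures taken a known interval apart (for instance `pfctl -vss > snap1.txt`, wait, `pfctl -vss > snap2.txt`); anything it reports as "GONE EARLY" is a state that left the table for a reason other than its own timeout, which is exactly the evidence the logs cannot give you.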
-
@stephenw10
The rule is "Default deny rule IPv4".
The firewall is an HA pair, active/passive with multi-WAN. Does it matter?
-
@mgiammarco2 said in VoIP not working due to NAT persistence:
The firewall is an HA pair, active/passive with multi-WAN. Does it matter?
Yes. In an HA pair the firewall states are synced between the nodes so that when they fail over, traffic continues to flow. They are synced both ways so that the nodes can fail over and fail back. That means that if the secondary node sees the states as timing out or being closed for some reason, it will sync that state closure back to the primary.
The most common cause of that is mismatched interfaces between the nodes, so that states are not valid on both.
So the first thing I would do there is disable state sync on the secondary and see if that stops the connections being dropped.
Be aware that means failing back after a failover event would not be seamless whilst it's disabled.
Steve
-
@stephenw10
HI,
It seems that powering down the slave firewall has solved the problem.
But now I am worried.
The two firewalls are working correctly; all interfaces of the slave were always in backup state.
The two firewalls are connected to a Cisco router that provides the internet connection, and it supports multicast.
How can I detect and solve this problem? What exactly is the mismatch you were talking about?
Thanks,
Mario -
Backup the config files from each node and compare the interfaces section.
This sort of issue is almost always because the interfaces are not identically defined.
They must be configured in the same order with the same internal names.
Steve
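To make that comparison mechanical rather than eyeballing two XML files, here is an added example (written for this thread, not code from the original posts or from pfSense) that reads the `<interfaces>` section of two config.xml backups and reports where they disagree. The tag names it relies on (`<pfsense>`, `<interfaces>`, `<wan>`, `<lan>`, `<optN>`, `<if>`, `<descr>`) are the real config.xml layout; the two sample configs embedded in it are constructed, and the secondary deliberately has opt1/opt2 defined in the opposite order and opt1 on a different port.

```python
"""Compare the <interfaces> sections of two pfSense config.xml backups.
Added example, not from the original thread; both configs are constructed."""
import sys
import xml.etree.ElementTree as ET
from typing import List, Tuple

PRIMARY_XML = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt1><if>igb2</if><descr>WAN2</descr></opt1>
    <opt2><if>igb3</if><descr>SYNC</descr></opt2>
  </interfaces>
</pfsense>
"""
# Constructed secondary: same four interfaces, but opt1/opt2 were created in
# the opposite order and opt1 sits on a different port.
SECONDARY_XML = """<?xml version="1.0"?>
<pfsense>
  <interfaces>
    <wan><if>igb0</if><descr>WAN</descr></wan>
    <lan><if>igb1</if><descr>LAN</descr></lan>
    <opt2><if>igb3</if><descr>SYNC</descr></opt2>
    <opt1><if>igb4</if><descr>WAN2</descr></opt1>
  </interfaces>
</pfsense>
"""

Row = Tuple[str, str, str]  # (internal name, physical port, description)


def interface_table(config_xml: str) -> List[Row]:
    """Interfaces in the order config.xml lists them. That order and the
    internal names (wan, lan, opt1, ...) are what must match between HA nodes."""
    section = ET.fromstring(config_xml).find("interfaces")
    if section is None:
        raise ValueError("config has no <interfaces> section")
    return [(node.tag, node.findtext("if", default=""), node.findtext("descr", default=""))
            for node in section]


def compare_interfaces(primary_xml: str, secondary_xml: str) -> List[str]:
    """Human-readable list of mismatches; empty when the sections agree."""
    a, b = interface_table(primary_xml), interface_table(secondary_xml)
    names_a, names_b = [r[0] for r in a], [r[0] for r in b]
    problems: List[str] = []
    if set(names_a) != set(names_b):
        problems.append(f"interface sets differ: primary {names_a} vs secondary {names_b}")
    elif names_a != names_b:
        problems.append(f"interface order differs: primary {names_a} vs secondary {names_b}")
    by_name_b = {name: (port, descr) for name, port, descr in b}
    for name, port, descr in a:
        if name not in by_name_b:
            continue
        other_port, other_descr = by_name_b[name]
        if port != other_port:
            problems.append(f"{name}: port {port} on primary vs {other_port} on secondary")
        if descr != other_descr:
            problems.append(f"{name}: description {descr!r} on primary vs {other_descr!r} on secondary")
    return problems


if __name__ == "__main__":
    # Usage: python3 compare_interfaces.py primary-config.xml secondary-config.xml
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as f1, open(sys.argv[2], encoding="utf-8") as f2:
            findings = compare_interfaces(f1.read(), f2.read())
    else:
        findings = compare_interfaces(PRIMARY_XML, SECONDARY_XML)
    print("\n".join(findings) or "interfaces sections match")
```

Point it at the two files downloaded from Diagnostics > Backup & Restore on each node. Differences in name set or order are the ones the advice above is about; a differing `<if>` can be legitimate on dissimilar hardware but is still worth confirming on purpose, and description differences are cosmetic.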