Port forward ranges
-
Hi, I am having trouble with port forwarding on the WAN interface. I need to allow RTP to an internal SIP phone system, and it looks like the NAT rule using a range between 6000:40000 takes the external RTP port, e.g. 7762, and maps it to 6000 on the internal device 192.168.11.151.
I need to map the port range from 6000:40000 to the same port number internally. So if it comes in on 7762, it forwards to 7762 internally on 192.168.11.151.
Any help greatly appreciated.
-
I get no outbound audio when I call in from the outside, e.g. remotely I can't hear them, but they can hear me.
The log below shows it going to the wrong port.
-
@frog 25318 is the source port, not the destination port.
-
@frog Most commonly, the source port on a connection is a random port and should be "any."
-
@frog so, for an example: here I created a port range forward of ports 6000-7000. I then used an online tool to send a UDP packet to a specific port; I used https://www.ipvoid.com/udp-port-scan/ to send UDP on port 6500, which is in the range I am forwarding.
So I did 2 captures, so the source ports changed. But you can see that when I send traffic to port 6500 and it hits my WAN, then when it sends it on to where I forwarded it, in this case my 192.168.9.100 box, the destination port is whatever port hit my WAN. It's not changed.
While you can change the port that is sent, so X could hit your WAN and you could forward to Y on your internal, when you do a range and the range on the WAN matches up with the range you're sending to, it should send to the same port.
And as @SteveITS mentioned, it is rare that you would set the source port on your forward. This is almost always left at any, because you normally do not know what source port the traffic will come from.
Edit: here I ran a sniff at the same exact time, one on my WAN, the other on my LAN. Notice the traffic comes in from source port 50163, which doesn't change; traffic hit my WAN on port 6700 and was forwarded to my 192.168.9.100 box on port 6700 from the same source port 50163.
-
Still no joy.
And I have tried with the source as any rather than locking it down to specific IPs.
-
@frog not sure why you think the source port being X and your destination being Y is your problem.
If they sent you traffic on port 6000 from a source port of 20930, that is what pfSense is going to send to the client.
-
@johnpoz Just that I have no audio outbound when an external call is made to the phone system.
-
@frog and your pfSense WAN is a public IP, right? It's not some RFC 1918 IP address behind your ISP device.
-
@johnpoz I don't believe anything odd is happening re the public IP. It's a leased line, but with only 2 usable IPs, so a .252 subnet.
-
@frog but the IP is on the pfSense WAN itself. I have seen issues when you're behind a double NAT.
I am not a VoIP guy, but what you're highlighting is not the problem. The source port is almost always different than the destination port.
You highlight your source port and destination port with a red line like this is the problem. pfSense is not going to change those, as I showed you in my screenshots above.
There are way better people around here for VoIP stuff. I have seen issues with the ALG helper on the router/firewall, or the base port being wrong on where you're sending the forward.
Sometimes, if it's one-way audio, it could be that your outbound NAT needs to be set to static outbound. When a device behind pfSense creates a connection to some IP on the internet, normal NAPT will change the source port. So you have 192.168.1.100:X wanting to talk to 1.2.3.4:7777, for example. When pfSense changes the source IP to its public IP, say 4.5.6.7, it will change that source port X to some other port, say Z. This can be problematic with VoIP.
But again, I am not a VoIP guy.
-
@frog your linked rule shows traffic/states, the numbers on the left.
Did you look at
https://docs.netgate.com/pfsense/en/latest/troubleshooting/nat-port-forwards.html
And the VoIP pages at
https://docs.netgate.com/pfsense/en/latest/recipes/index.html#firewall-nat
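As an added illustration of the two mechanics discussed in this thread (the port-range forward that keeps each port's offset, as johnpoz's captures show, and the static-port outbound NAT he mentions for one-way audio), here is a small Python model. It is not pfSense code; the rule mirrors the 6000:40000 forward to 192.168.11.151 from the first post, and the WAN/remote addresses are constructed RFC 5737 documentation values.

```python
from dataclasses import dataclass
from typing import Optional
import random


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class PortForward:
    """A pfSense-style port forward: WAN destination range -> internal host."""
    ext_low: int          # first port of the "Destination port range"
    ext_high: int         # last port of the range
    internal_ip: str      # "Redirect target IP"
    internal_port: int    # "Redirect target port" (start of the internal range)


def apply_port_forward(rule: PortForward, pkt: Packet) -> Optional[Packet]:
    """Translate an inbound WAN packet, or return None when the rule does not match.

    A range forward keeps each port's offset into the range: ext_low maps to
    internal_port, ext_low+1 to internal_port+1, and so on. With internal_port
    equal to ext_low (6000 -> 6000 here) the destination port is unchanged.
    The source port is never rewritten by a port forward, only the destination."""
    if not rule.ext_low <= pkt.dst_port <= rule.ext_high:
        return None
    offset = pkt.dst_port - rule.ext_low
    return Packet(pkt.src_ip, pkt.src_port, rule.internal_ip, rule.internal_port + offset)


def outbound_nat(pkt: Packet, wan_ip: str, static_port: bool) -> Packet:
    """Model outbound NAT for a LAN host calling out. With static_port the source
    port survives (what the "Static Port" outbound NAT option gives RTP); otherwise
    it is rewritten to an arbitrary high port, which some VoIP peers cannot follow."""
    src_port = pkt.src_port if static_port else random.randint(1024, 65535)
    return Packet(wan_ip, src_port, pkt.dst_ip, pkt.dst_port)


# Constructed sample values: WAN and remote IPs are documentation addresses.
RTP_FORWARD = PortForward(6000, 40000, "192.168.11.151", 6000)
WAN_IP = "198.51.100.7"


def demo():
    inbound = Packet("203.0.113.5", 25318, WAN_IP, 7762)          # RTP hitting the WAN
    forwarded = apply_port_forward(RTP_FORWARD, inbound)           # -> 192.168.11.151:7762
    reply = Packet("192.168.11.151", 7762, "203.0.113.5", 25318)   # phone system answering
    return forwarded, outbound_nat(reply, WAN_IP, True), outbound_nat(reply, WAN_IP, False)
```

Running `demo()` shows the inbound packet landing on the same port internally, and the reply keeping source port 7762 only when static port is on.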