Pfsense + NAT/Portforward + H.323
So I ended up setting up a 1.2.3 release box last week because the current firewall solution (Linksys RV042) could not be configured properly for our PolyCom teleconference system. The issue I am having seems to be with H.323 passing through the Pfsense box from the internet. Here is a break down of connection:
Pfsense WAN = 75.X.X.X
Pfsens LAN = 192.X.X.1
Core Switch = VLAN 192.X.X.2 Core Switch IP 10.X.X.1
PolyCom = 10.X.X.15
So the Pfsense has a static route to send all traffic for 10.X.X.X to 192.X.X.2 which is a VLAN on the Core Switch allowing all hosts on the 10.X.X.X subnet to be seen by Pfsense. The Core Switch has a default route to send all traffic to 192.X.X.1 which is the LAN interface of Pfsense. The PolyCom resides on the 10 subnet so my port forwards forward connections from the WAN interface to the Polycom on the 10 subnet and the static route tells pfsense where to find it.
Since I installed the Pfsense box it seems all my port forwards work but now we have intermittent one way audio and video. Also my Polycom cannot register with the gateway server and they tell me they see the Polycom sending the H.323 packet to the gateway server and then a request is sent back to the Polycom from the gateway server, but the logs show PolyCom did not receive a response therefore does not register.
Ive added specific pass rules from the gateway server to Pfsense and have even set up an allow all to the Polycom. But it still seems the H.323 packet does not get through. I did not have this issue with the Linksys RV042 and I really have a hard time believing that POS can do something Pfsense cannot. Any ideas? I know the network logic is kinda odd, it was inherited and although a restructure is needed I need to try and find a solution asap. Thanks in advance for any help you can provide.
Unfortunately I have had to remove Pfsense, but here is a little information.
When running a packet capture on the LAN interface you will see the registration packet sent via UDP from the Polycom system hit the LAN. Running a capture on the WAN you will see the same packet hitting the WAN and then being sent to its destination. The Gateway server will then pass back an ACK packet using h.323 protocol. The packet is received by the WAN just fine. But you will never see it hit the LAN, as if Pfsense just doesnt know what to do with it.
With Pfsense in play, I have had successful audio/video connections but it was very intermittent and the error rate was high. I was unable to find out if anything like this was addressed in a future release, but Id love to bring Pfsense back to the head of my network instead of a standalone vpn server if a new release addresses this issue.
You might try steps 2 and 4 here. 3 would not apply to non-sip applications, and I'm pretty sure 1 wouldn't either.