Netgate Discussion Forum

    Inconsistent routing and NAT HELP!

mizunoer

We are seeing that when a device on the outside of the firewall, but inside our LAN configuration, initiates a connection we do not have a problem, but when the device on the inside of the firewall initiates the connection the pfSense device sometimes incorrectly NATs the outgoing traffic. This is on a phone system and we maintain logical connectivity but the audio channel drops. Here is what we are seeing from the packet capture:
      LAN interface:
      Working:
      IP 192.168.13.190.6000 > 10.10.10.251.6000: UDP, length 14
      IP 10.10.10.251.6000 > 192.168.13.190.6000: UDP, length 16
      IP 10.10.10.252.30028 > 192.168.13.190.9000: UDP, length 172
      IP 192.168.13.190.9000 > 10.10.10.252.30028: UDP, length 172

      Not Working:
      IP 192.168.13.190.6000 > 10.10.10.251.6000: UDP, length 20
      IP 10.10.10.251.6000 > 192.168.13.190.6000: UDP, length 16
      IP 10.10.10.252.30028 > 192.168.13.190.9000: UDP, length 172
      IP 10.10.10.252.30028 > 192.168.13.190.9000: UDP, length 172

WAN interface:
      Working:
      IP 10.10.10.251.6000 > 192.168.13.190.6000: UDP, length 16
      IP 192.168.13.190.6000 > 10.10.10.251.6000: UDP, length 14
      IP 192.168.13.190.9000 > 10.10.10.252.30028: UDP, length 172
      IP 10.10.10.252.30028 > 192.168.13.190.9000: UDP, length 172

      Not Working:
      IP 10.10.10.251.6000 > 192.168.13.190.6000: UDP, length 16
      IP 192.168.13.190.6000 > 10.10.10.251.6000: UDP, length 14
      IP 192.168.13.190.9000 > 10.10.10.252.30028: UDP, length 172
      IP xx.xx.xx.xx.59168 > 192.168.13.190.9000: UDP, length 172

As you can see, when the item isn't working we see the packets hitting the LAN interface with the destination 192.168.13.190 are being NATed to xx.xx.xx.xx (my public IP). When this happens we lose our audio channel. We have tried many different rules to state that we don't want outbound traffic from .152 to another local address to be NATed, but it is happening anyway.

We are using a Samsung IP telephone system. The system operates off of two different private IP addresses, 10.10.10.251 and 10.10.10.252. We have the pfSense firewall installed at our central location where the phone system is. Our central subnet is 10.10.10.0. Our remote subnets are 192.168.10.0, 192.168.11.0, 192.168.12.0, 192.168.13.0. Each site has a bonding appliance and firewall that allow the subnets to communicate.

When the pfSense firewall is removed everything works perfectly.

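Added example (not from the poster or from pfSense): a small Python check that parses tcpdump lines like those above and flags packets whose destination is an RFC 1918 address but whose source is not, which is exactly the symptom in the "Not Working" WAN capture, then pairs each flagged packet with the internal peer it most likely came from. The sample capture is constructed, and 203.0.113.5 is a documentation-range placeholder for the redacted public IP.

```python
import re
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: traffic between two of these should never be source-NATed
# by a firewall sitting between internal sites.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# tcpdump-style line: "IP src.port > dst.port: UDP, length N"
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"UDP, length (?P<length>\d+)"
)

# Constructed sample modelled on the "Not Working" WAN capture in the post;
# 203.0.113.5 is a placeholder (assumption) for the redacted xx.xx.xx.xx.
SAMPLE_CAPTURE = """\
IP 10.10.10.251.6000 > 192.168.13.190.6000: UDP, length 16
IP 192.168.13.190.6000 > 10.10.10.251.6000: UDP, length 14
IP 192.168.13.190.9000 > 10.10.10.252.30028: UDP, length 172
IP 203.0.113.5.59168 > 192.168.13.190.9000: UDP, length 172
"""

def is_rfc1918(addr):
    ip = ip_address(addr)
    return any(ip in net for net in RFC1918)

def parse_capture(text):
    """Parse each tcpdump line into a dict of src/sport/dst/dport/length."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            p = m.groupdict()
            for key in ("sport", "dport", "length"):
                p[key] = int(p[key])
            packets.append(p)
    return packets

def find_unexpected_nat(packets):
    """Return (packet, probable original source) pairs for packets with an
    RFC 1918 destination but a non-RFC 1918 source. The probable origin is
    the private peer the destination host was already talking to on the
    same port, if such a packet appears in the capture."""
    findings = []
    for p in packets:
        if is_rfc1918(p["dst"]) and not is_rfc1918(p["src"]):
            origin = None
            for q in packets:
                if q["src"] == p["dst"] and q["sport"] == p["dport"] and is_rfc1918(q["dst"]):
                    origin = f'{q["dst"]}:{q["dport"]}'
                    break
            findings.append((p, origin))
    return findings
```

Run over the sample it reports 203.0.113.5:59168 -> 192.168.13.190:9000 as rewritten private-to-private traffic, most likely from 10.10.10.252:30028, which is the flow to compare against the outbound NAT rules on the WAN interface.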
podilarius

        Could you post a screen shot of your manual outbound rules?

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.