Inconsistent routing and NAT HELP!
-
We are seeing that when a device on the outside of the firewall, but inside our LAN configuration, initiates a connection we do not have a problem but when the device on the inside of the firewall initiates the connection the pfsense device sometimes incorrectly NATs the outgoing traffic. This is on a phone system and we maintain logical connectivity but the audio channel drops. Here is what we are seeing from the packet capture:
LAN interface:
Working:
IP 192.168.13.190.6000 > 10.10.10.251.6000: UDP, length 14
IP 10.10.10.251.6000 > 192.168.13.190.6000: UDP, length 16
IP 10.10.10.252.30028 > 192.168.13.190.9000: UDP, length 172
IP 192.168.13.190.9000 > 10.10.10.252.30028: UDP, length 172Not Working:
IP 192.168.13.190.6000 > 10.10.10.251.6000: UDP, length 20
IP 10.10.10.251.6000 > 192.168.13.190.6000: UDP, length 16
IP 10.10.10.252.30028 > 192.168.13.190.9000: UDP, length 172
IP 10.10.10.252.30028 > 192.168.13.190.9000: UDP, length 172Wan Interface:
Working:
IP 10.10.10.251.6000 > 192.168.13.190.6000: UDP, length 16
IP 192.168.13.190.6000 > 10.10.10.251.6000: UDP, length 14
IP 192.168.13.190.9000 > 10.10.10.252.30028: UDP, length 172
IP 10.10.10.252.30028 > 192.168.13.190.9000: UDP, length 172Not Working:
IP 10.10.10.251.6000 > 192.168.13.190.6000: UDP, length 16
IP 192.168.13.190.6000 > 10.10.10.251.6000: UDP, length 14
IP 192.168.13.190.9000 > 10.10.10.252.30028: UDP, length 172
IP xx.xx.xx.xx.59168 > 192.168.13.190.9000: UDP, length 172As you can see when the item isn't working we see the the packets hitting the LAN interface with the destination 192.168.13.190 are being natted to xx.xx.xx.xx(my public IP). When this happens we lose our audio channel. We have tried many different rules to state that we don't want outbound traffic from .152 to another local address be natted but it is happening anyway.
We are using a samsung IP telephone system. The system operates off of two different private IP addresses, 10.10.10.251 and 10.10.10.252. We have the pfsense firewall installed at our central location where the phone system is. Our central subnet is 10.10.10.0. Our remote subnets are 192.168.10.0, 192.168.11.0, 192.168.12.0, 192.168.13.0. Each site has a bonding appliance and firewall that allow the subnets to communicate.
When the pfsense firewall is removed everything works perfectly.
-
Could you post a screen shot of your manual outbound rules?