Outbound NAT state disappears after a few hours



  • I'm experiencing a weird issue relating to PFsense NAT states, within an Asterisk based SIP environment. I have a number of SIP phones connected on my LAN, behind my PFsense. My Asterisk system is in a data center, thus connected directly in the cloud.

    Let's assume that a.b.c.d is my Asterisk's public IP address, while Asterisk is listening for SIP control packets on port 5070 (instead of the default 5060).
    Let's also assume that w.x.y.z is my PFsense's WAN public IP.

    In normal conditions there are two states in my PFsense for each and every phone on my LAN. Let's consider one of these phones, with private IP 192.168.16.191. The two states for this phone are:

    UDP    a.b.c.d:5070 <- 192.168.16.191:5062                      MULTIPLE:MULTIPLE
    UDP    192.168.16.191 -> w.x.y.z:49277 -> a.b.c.d:5070    MULTIPLE:MULTIPLE

    The latter shows the NAT translation towards the Internet, using PFsense's WAN IP.

    After a while (could be anything between a few hours to a few days), the NAT state disappears in such a way that these two states become the following:

    UDP    a.b.c.d:5070 <- 192.168.16.191:5062      MULTIPLE:MULTIPLE
    UDP    192.168.16.191 -> a.b.c.d:5070              SINGLE:NO_TRAFFIC

    At that point in time, it becomes impossible to receive or make calls to/from this phone - for obvious reasons - until I delete these two states. After deletion, my phone gets registered again once its SIP register timer expires. Then everything comes back to normal conditions… until the issue surfaces again.

    The issue applies randomly to pretty much all my phones (10 of them).

    My environment looks as following:

    HW: Alix board - 500MHz CPU - 256MB RAM
    PFsense release: 2.0.1 (problem did exist with 2.0 as well)
    State table size: 250 / 23000 (roughly)
    Firewall Optimization Options: Conservative
    Sip expiration timer configured on the phone: 150 sec

    Please help, as I can't figure out any longer where the problem lies :-(
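As an added illustration (not code from the thread or from pfSense), the following script parses state-table rows in the layout quoted above and flags LAN hosts whose outbound state to the Asterisk server has lost its NAT translation or dropped to SINGLE:NO_TRAFFIC, so the condition can be detected before users report failed calls. The sample rows are constructed from the two conditions in the post, placeholders included.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples in the layout of pfSense's state table, reproducing the
# healthy and the broken condition described in the post (placeholders kept).
HEALTHY = """\
UDP    a.b.c.d:5070 <- 192.168.16.191:5062                      MULTIPLE:MULTIPLE
UDP    192.168.16.191 -> w.x.y.z:49277 -> a.b.c.d:5070    MULTIPLE:MULTIPLE
"""
BROKEN = """\
UDP    a.b.c.d:5070 <- 192.168.16.191:5062      MULTIPLE:MULTIPLE
UDP    192.168.16.191 -> a.b.c.d:5070              SINGLE:NO_TRAFFIC
"""

@dataclass
class State:
    proto: str
    src: str             # LAN endpoint as written (port may be absent in the GUI view)
    nat: Optional[str]   # translated WAN endpoint, None when no translation is shown
    dst: str             # remote endpoint, e.g. "a.b.c.d:5070"
    status: str          # e.g. "MULTIPLE:MULTIPLE" or "SINGLE:NO_TRAFFIC"
    outbound: bool       # True for "->" rows (LAN towards the Internet)

# proto, endpoint, arrow, endpoint, optional "arrow endpoint" NAT hop, status
_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(->|<-)\s+(\S+)(?:\s+(?:->|<-)\s+(\S+))?\s+(\S+)\s*$")

def parse_state(line: str) -> Optional[State]:
    """Parse one state-table row; three endpoints mean a NAT hop in the middle."""
    m = _ROW.match(line)
    if not m:
        return None
    proto, a, arrow, b, c, status = m.groups()
    if arrow == "->":                       # src -> [nat ->] dst
        return State(proto, a, b if c else None, c or b, status, True)
    return State(proto, c or b, b if c else None, a, status, False)  # dst <- [nat <-] src

def stale_outbound(table: str, server: str) -> List[str]:
    """LAN hosts whose outbound state to `server` lost its translation or is no
    longer MULTIPLE:MULTIPLE, the condition that blocks calls in the post above."""
    bad = []
    for row in table.splitlines():
        st = parse_state(row)
        if st is None or not st.outbound or st.dst != server:
            continue
        if st.nat is None or st.status != "MULTIPLE:MULTIPLE":
            bad.append(st.src.split(":")[0])
    return bad

if __name__ == "__main__":
    print("healthy:", stale_outbound(HEALTHY, "a.b.c.d:5070"))  # []
    print("broken: ", stale_outbound(BROKEN, "a.b.c.d:5070"))   # ['192.168.16.191']
```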



  • Did you try the siproxd package?

    This may handle multi-client SIP connections better.



  • Switch your state keeping to conservative under System>Advanced, or increase the keepalive time on your phones. I would not recommend using siproxd in your scenario.



  • Thanks for your comments. In the description of my environment I have stated that I did set "firewall optimization options" to "conservative" already. Moreover, the SIP expire timeout is set to 150 sec in each phone  :-\

    Although I'm considering siproxd for other purposes, I didn't try it yet. However, I have other sites running an identical PFsense (same HW, same release, same phones on their LAN) where the issue doesn't show up … In any case, regardless of whether or not I have SIPROXD, I don't understand the reason why some states suddenly look corrupted (i.e. no longer NATed), and that's what I would like to understand. Sounds like some kind of misbehavior to me  ???



  • I would not recommend using siproxd in your scenario.

    Chris - I'm curious why?  I thought siproxd was meant just for this…    ???

    jhaye - If you do try siproxd, be aware that I was unable to get any other server port than 5060 to work. I've not seen anyone else report this however...  Client side 5070 should be fine...

    Your firewall hardware might be a little anemic to be running this package, however...  Maybe CMB's concern...

    Good Luck!  :)



  • I wouldn't run siproxd unless you have a requirement for it - specifically, having to rewrite the IP within the SIP from private to public. In most circumstances that's not needed and hence I wouldn't add the overhead (though minimal) and potential complications of pushing the traffic through siproxd.



  • Multiple SIP clients registered to the same provider + RTP ports behind a firewall isn't a NAT trouble?

    I always had problems this way. :(



  • @marcelloc:

    Multiple SIP clients registered to the same provider + RTP ports behind a firewall isn't a NAT trouble?

    Not as long as you're rewriting the source port on port 5060, as 2.0 and newer do by default.



  • That's good news. I'll do some tests.

    Thanks Chris  :)



  • @cmb:

    @marcelloc:

    Multiple SIP clients registered to the same provider + RTP ports behind a firewall isn't a NAT trouble?

    Not as long as you're rewriting the source port on port 5060, as 2.0 and newer do by default.

    Is it possible to get a walk-through on this? Or can I find any documentation on how to set this up? I'm not that good on firewalls, so a setup guide would be handy.
    In my case I use an external provider and seven Cisco phones on the LAN running through siproxd, and there are constant troubles with the setup; if I can drop siproxd I think it would be great.

    Cheers!

