[HELP] Problem with NAT.



  • Dear all,
    I have had a pfSense box running for quite a while now and honestly it works wonderfully.
    Now I have run into a problem.
    I have a network card connected to a WAN, and I have a NAT rule for SIP and RTP. That works wonderfully, but now I have run into a problem.
    My WAN network is a class A network, 10.0.0.0. My WAN IP is static and is the following: 10.2.76.231.
    All VoIP traffic (5060, 10000-20000) from the WAN to the LAN works fine, except for the WAN IPs in my WAN subnet (10.2.76.0/8).

    For example:
    If the packet comes from IP 10.5.69.2, it passes without problems.
    If the packet comes from IP 10.2.76.169, it does not pass.

    Here is a packet capture so you can see when it rejects the packets:

    
    12:16:19.625614 00:e0:4c:0a:6b:b2 > 00:15:65:25:9a:b8, ethertype IPv4 (0x0800), length 214: (tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
    12:16:19.626638 00:15:65:25:9a:b8 > 00:e0:4c:0a:6b:b2, ethertype IPv4 (0x0800), length 242: (tos 0xd8, ttl 64, id 53614, offset 0, flags [none], proto ICMP (1), length 228)
        10.2.76.169 > 10.2.76.231: ICMP 10.2.76.169 udp port 10008 unreachable, length 208
    	(tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
    12:16:19.643184 00:e0:4c:0a:6b:b2 > 00:15:65:25:9a:b8, ethertype IPv4 (0x0800), length 214: (tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
    12:16:19.644022 00:15:65:25:9a:b8 > 00:e0:4c:0a:6b:b2, ethertype IPv4 (0x0800), length 242: (tos 0xd8, ttl 64, id 53615, offset 0, flags [none], proto ICMP (1), length 228)
        10.2.76.169 > 10.2.76.231: ICMP 10.2.76.169 udp port 10008 unreachable, length 208
    	(tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
    12:16:19.663561 00:e0:4c:0a:6b:b2 > 00:15:65:25:9a:b8, ethertype IPv4 (0x0800), length 214: (tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
    12:16:19.664460 00:15:65:25:9a:b8 > 00:e0:4c:0a:6b:b2, ethertype IPv4 (0x0800), length 242: (tos 0xd8, ttl 64, id 53616, offset 0, flags [none], proto ICMP (1), length 228)
        10.2.76.169 > 10.2.76.231: ICMP 10.2.76.169 udp port 10008 unreachable, length 208
    	(tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
    12:16:19.683607 00:e0:4c:0a:6b:b2 > 00:15:65:25:9a:b8, ethertype IPv4 (0x0800), length 214: (tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
    12:16:19.684385 00:15:65:25:9a:b8 > 00:e0:4c:0a:6b:b2, ethertype IPv4 (0x0800), length 242: (tos 0xd8, ttl 64, id 53617, offset 0, flags [none], proto ICMP (1), length 228)
        10.2.76.169 > 10.2.76.231: ICMP 10.2.76.169 udp port 10008 unreachable, length 208
    	(tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
    12:16:19.703584 00:e0:4c:0a:6b:b2 > 00:15:65:25:9a:b8, ethertype IPv4 (0x0800), length 214: (tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
    12:16:19.704297 00:15:65:25:9a:b8 > 00:e0:4c:0a:6b:b2, ethertype IPv4 (0x0800), length 242: (tos 0xd8, ttl 64, id 53618, offset 0, flags [none], proto ICMP (1), length 228)
        10.2.76.169 > 10.2.76.231: ICMP 10.2.76.169 udp port 10008 unreachable, length 208
    	(tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
    12:16:19.723723 00:e0:4c:0a:6b:b2 > 00:15:65:25:9a:b8, ethertype IPv4 (0x0800), length 214: (tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
    12:16:19.724530 00:15:65:25:9a:b8 > 00:e0:4c:0a:6b:b2, ethertype IPv4 (0x0800), length 242: (tos 0xd8, ttl 64, id 53619, offset 0, flags [none], proto ICMP (1), length 228)
        10.2.76.169 > 10.2.76.231: ICMP 10.2.76.169 udp port 10008 unreachable, length 208
    	(tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
    12:16:19.785782 00:15:65:25:9a:b8 > 00:e0:4c:0a:6b:b2, ethertype IPv4 (0x0800), length 214: (tos 0xb8, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.169.10008 > 10.2.76.231.10332: [udp sum ok] UDP, length 172
    12:16:19.800977 00:15:65:25:9a:b8 > 00:e0:4c:0a:6b:b2, ethertype IPv4 (0x0800), length 214: (tos 0xb8, ttl 64, id 1, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.169.10008 > 10.2.76.231.10332: [udp sum ok] UDP, length 172
    12:16:19.820957 00:15:65:25:9a:b8 > 00:e0:4c:0a:6b:b2, ethertype IPv4 (0x0800), length 214: (tos 0xb8, ttl 64, id 2, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.169.10008 > 10.2.76.231.10332: [udp sum ok] UDP, length 172
    12:16:19.841020 00:15:65:25:9a:b8 > 00:e0:4c:0a:6b:b2, ethertype IPv4 (0x0800), length 214: (tos 0xb8, ttl 64, id 3, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.169.10008 > 10.2.76.231.10332: [udp sum ok] UDP, length 172
    12:16:19.861109 00:15:65:25:9a:b8 > 00:e0:4c:0a:6b:b2, ethertype IPv4 (0x0800), length 214: (tos 0xb8, ttl 64, id 4, offset 0, flags [DF], proto UDP (17), length 200)
        10.2.76.169.10008 > 10.2.76.231.10332: [udp sum ok] UDP, length 172
    
    


  • You probably have Block private networks checked under Interfaces - WAN.

    Apart from that, you will have to allow this traffic under Firewall - Rules - WAN.
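
One way to read a capture like the one in the first post, as an added example that is not part of the thread: this Python script pairs each ICMP port-unreachable with the UDP datagram it quotes, then reports which host emitted the error and which ports that host uses in the reverse direction. The function names are hypothetical; the sample lines are copied from the capture above.

```python
import re
from collections import Counter

# Three packets copied from the tcpdump capture in the first post.
CAPTURE = """\
12:16:19.625614 00:e0:4c:0a:6b:b2 > 00:15:65:25:9a:b8, ethertype IPv4 (0x0800), length 214: (tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
    10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
12:16:19.626638 00:15:65:25:9a:b8 > 00:e0:4c:0a:6b:b2, ethertype IPv4 (0x0800), length 242: (tos 0xd8, ttl 64, id 53614, offset 0, flags [none], proto ICMP (1), length 228)
    10.2.76.169 > 10.2.76.231: ICMP 10.2.76.169 udp port 10008 unreachable, length 208
\t(tos 0xb8, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 200)
    10.2.76.231.21202 > 10.2.76.169.10008: [udp sum ok] UDP, length 172
12:16:19.785782 00:15:65:25:9a:b8 > 00:e0:4c:0a:6b:b2, ethertype IPv4 (0x0800), length 214: (tos 0xb8, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 200)
    10.2.76.169.10008 > 10.2.76.231.10332: [udp sum ok] UDP, length 172
"""

IP = r"(\d+(?:\.\d+){3})"
UDP_RE = re.compile(rf"^\s+{IP}\.(\d+) > {IP}\.(\d+): .*\bUDP\b")
ICMP_RE = re.compile(rf"^\s+{IP} > {IP}: ICMP \S+ udp port (\d+) unreachable")

def summarize(capture):
    # Count UDP datagrams per flow and the ICMP errors that quote each flow.
    sent, rejected, rejecter = Counter(), Counter(), {}
    icmp_src = None  # set while the next UDP line is the datagram quoted in an ICMP error
    for line in capture.splitlines():
        icmp, udp = ICMP_RE.match(line), UDP_RE.match(line)
        if icmp:
            icmp_src = icmp.group(1)
        elif udp:
            flow = (udp.group(1), int(udp.group(2)), udp.group(3), int(udp.group(4)))
            if icmp_src is not None:  # quoted original, not a new packet on the wire
                rejected[flow] += 1
                rejecter[flow] = icmp_src
                icmp_src = None
            else:
                sent[flow] += 1
    return sent, rejected, rejecter

def report(capture):
    sent, rejected, rejecter = summarize(capture)
    rows = []
    for flow, n in rejected.items():
        src, sport, dst, dport = flow
        # Ports the rejecting side targets when it sends back to the original sender.
        back = sorted({f[3] for f in sent if f[:3] == (dst, dport, src)})
        rows.append({"flow": f"{src}:{sport} > {dst}:{dport}", "unreachable": n,
                     "icmp_from": rejecter[flow], "return_ports": back})
    return rows

print(report(CAPTURE))
```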

