NAT not translating ports?



  • Trying to forward SIP/UDP coming in on 5060 to an internal server listening on 5080.  pfSense passes traffic when I map 5060 to 5060, but not when I map 5060 to 5080.

    Works:
    WAN UDP 5060  192.168.X.24
    (ext.: 70.57.X.X) 5060  SIP UDP

    Does not work:
    WAN UDP 5060  192.168.X.24
    (ext.: 70.57.X.X) 5080  SIP UDP

    I have firewall rules allowing both ports:
    UDP 66.241.X.Y * 192.168.X.24 5080 *
    UDP 66.241.X.Y * 192.168.X.24 5060 *

    Both rules are set to log traffic, but when I configure the NAT as 5060:5060, the incoming SIP packet gets logged and sent on to the internal host.  When I configure the NAT as 5060:5080, the incoming packet (same source IP, same test case) is not logged and does not make it to the internal host.

    Any pointers?

    –thanks



  • If I remember correctly, if you have both rules active, it is only going to match the first rule. If you are changing rules and both are not active at the same time, reset the states and try again.



  • I'll give that a shot (again.)

    During my initial testing I deleted and re-created both the NAT mapping and the firewall rule, allowing the NAT "create rule" script to do its job.



  • Actually did get this working earlier today, but then found out that sipxbridge will not properly anchor calls if it receives invites through PAT.  So I had the carrier reconfigure invites to port 5080 and modified the NAT:

    WAN UDP 5080  192.168.X.24 (ext.: 70.57.X.X) 5080  SIP

    When they send invites, pfSense logs claim to be forwarding the packets:

    Jul 20 16:26:36 NG0 66.241.X.X:5060 192.168.X.24:5080 UDP
    Jul 20 16:26:34 NG0 66.241.X.X:5060 192.168.X.24:5080 UDP
    Jul 20 16:26:33 NG0 66.241.X.X:5060 192.168.X.24:5080 UDP
    Jul 20 16:26:32 NG0 66.241.X.X:5060 192.168.X.24:5080 UDP

    but the sipx box does not receive the packets (at all.)  Both tcpdump and application logging show no packets coming from the ITSP gateway address (tcpdump does show keepalives we are sending to them every 20 seconds.)  I can ping the sipx box from pfsense, and I can send UDP/5080 packets with netcat which get picked up by the sipx logs and by tcpdump.

    I've restarted pfSense and the sipx server, deleted and re-created both the NAT mapping and the firewall rules more than once.

    Any pointers?  I'm stumped…



  • What type of NICs are in the pfsense firewall?



  • @podilarius:

    What type of NICs are in the pfsense firewall?

    Via VT6105M (on an alix 2d3)



  • Check a tcpdump on the pfsense FW on WAN then LAN to see if the packets are traversing correctly.
    Can you screen shot your rules, inbound NAT, and outbound NAT?
    If you have an old machine lying around and some intel NICs, put a test FW together and see if it works with that.

    I have not really heard of NAT not working correctly. What version of pfSense are you using?



  • Still running 1.2.3 here (better luck with VoIP traffic shaping than with 2.x so far.)

    This problem went away for a couple of weeks and then re-appeared today.  Nothing changed in pfSense config other than some dnsmasq static mappings (which regularly move about for testing.)  Running tcpdump on both the NAT target and on pfSense looking for the remote host IP shows the internal host sending keepalives to the ITSP, but nothing coming from them.  pfSense firewall rule logs packets that tcpdump does not report on either host:

    Act Time If Source Destination Proto
    Aug 2 13:37:32 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
    Aug 2 13:37:30 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
    Aug 2 13:37:29 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
    Aug 2 13:37:28 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
    Aug 2 13:37:21 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
    Aug 2 13:37:19 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
    Aug 2 13:37:18 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP

    pfsense:~#  tcpdump host 66.241.X.Y
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on vr0, link-type EN10MB (Ethernet), capture size 96 bytes
    13:36:19.710032 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    13:36:39.717413 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    13:36:59.723839 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    13:37:19.731218 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    13:37:39.737579 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    13:37:59.744985 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    13:38:19.751407 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    13:38:39.758748 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
    13:38:59.765230 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4

    [root@sipx sipxpbx]# tcpdump host 66.241.X.Y
    tcpdump: WARNING: arptype 65535 not supported by libpcap - falling back to cooked socket
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
    13:36:19.756734 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    13:36:39.757210 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    13:36:59.756742 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    13:37:19.757247 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    13:37:39.756711 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    13:37:59.757228 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    13:38:19.756763 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    13:38:39.757203 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
    13:38:59.756787 IP sipx.domain.com.5080 > 66.241.X.Y.sip: SIP, length: 4
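Correlating the two sources the post above compares, as an added example that is not part of this thread: a small Python script that parses pfSense firewall-log rows and tcpdump lines in the formats shown above (constructed sample lines, reusing the post's masked addresses) and lists packets the firewall logged as passed to 192.168.X.24:5080 that never appear in the capture as coming from the remote host. It assumes the clocks of the two boxes agree to within the chosen window.

```python
import re
from datetime import datetime

# Constructed sample lines in the two formats shown in the thread (not the poster's full logs).
FW_LOG = """Aug 2 13:37:32 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
Aug 2 13:37:30 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP
Aug 2 13:37:21 NG0 66.241.X.Y:5060 192.168.X.24:5080 UDP"""

CAPTURE = """13:37:19.731218 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4
13:37:30.102334 IP 66.241.X.Y.5060 > sipx.domain.com.5080: SIP, length: 812
13:37:39.737579 IP sipx.domain.com.5080 > 66.241.X.Y.5060: SIP, length: 4"""

# pfSense log row: "Mon D HH:MM:SS IF src:port dst:port PROTO"
FW_RE = re.compile(r"^\w{3}\s+\d+ (\d\d:\d\d:\d\d) \S+ (\S+):(\d+) (\S+):(\d+) (\w+)$")
# tcpdump line: "HH:MM:SS.usec IP src.port > dst.port: ..."
CAP_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ IP (\S+)\.(\w+) > (\S+)\.(\w+):")
PORT_NAMES = {"sip": 5060}  # tcpdump prints well-known ports by name unless run with -n

def hms(s):
    return datetime.strptime(s, "%H:%M:%S")

def port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok)

def parse_fw(text):
    rows = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            t, src, sp, dst, dp, proto = m.groups()
            rows.append((hms(t), src, int(sp), dst, int(dp), proto))
    return rows

def parse_capture(text):
    pkts = []
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if m:
            t, src, sp, dst, dp = m.groups()
            pkts.append((hms(t), src, port(sp), dst, port(dp)))
    return pkts

def unmatched_inbound(fw_text, cap_text, remote, window=1):
    """Firewall-log rows from `remote` with no captured packet from the same source host
    and port within `window` seconds: logged as passed, but never seen on the wire."""
    caps = parse_capture(cap_text)
    missing = []
    for t, src, sp, dst, dp, _proto in parse_fw(fw_text):
        if src != remote:
            continue
        seen = any(c[1] == src and c[2] == sp and abs((c[0] - t).total_seconds()) <= window
                   for c in caps)
        if not seen:
            missing.append((t.strftime("%H:%M:%S"), src, sp, dst, dp))
    return missing

if __name__ == "__main__":
    for row in unmatched_inbound(FW_LOG, CAPTURE, "66.241.X.Y"):
        print("logged by pf but absent from capture:", row)
```

Run it against the real firewall-log export and a `tcpdump host 66.241.X.Y` capture taken over the same interval; every row it prints is a packet the filter claims to have passed that the capture never saw.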

