Automatic "outbound" nat from LAN to OPT interfaces?

  • I've got some oddball behavior going on Beta1, and granted, it is a hack, but I'm just trying to understand how it's happened.

    I have OPT2, which is a manually created OpenVPN tunnel.  I hacked get_interface_list() to allow tun interfaces, and made tun0 OPT2.

    This has worked well for over a month.  Yesterday I deployed a little SIP-based phone device to connect to my asterisk server on the opposite end of the tunnel.  So you can see what's up:

    [phone] |-----------|[pfSense]|---------<openvpn>---------|[WRT54G][asterisk]</openvpn> 

    (For some reason the above refuses to render correctly.  Asterisk is at  Asterisk requires that you define whether sip is coming across a nat or not.  If it is, and it's "dynamic" (dhcp), you have to let asterisk know.  So I set it up the way I thought was correct, and in fact worked prior to going to pfSense (freebsd firewall with openvpn), which was this:


    When I do this, the registration either gets rejected over and over again, or if I force it to be allowed, and I do "sip show peers", it shows that the phone is registered, and can be reached at  Well, that's not right.  So I tried this:


    Again, registration works, but when a call is placed, audio only goes one way, ie, I can hear him, but he can't hear me, and vice versa.

    Just for grins, I tried this:


    Registration works, kinda.  Not consistently.  When it does, despite registration I cannot place calls, as it is trying to send the traffic to  Simply doesn't work.

    So I'm wondering, is traffic nat'ed by default?  I'm looking at the sip traffic headers and they clearly show that the traffic comes from, so asterisk isn't nuts, and I know the phone isn't the problem, as it has been used in several environments, and so far as it is concerned, traffic is routed.  SIP is aweful across a nat, thus the openvpn.

    So is there a way to disable this behavior, is it intentional, and did my hack of an OPT interface cause it?

  • Erm…this is what I get for speaking up before looking at the "source".  Straight from rules.debug:

    nat on tun0 from to any -> (tun0)

    So what causes this?

  • At firewall>nat, outbound tab enable advanced outbound nat and check the rules that are generated at the bottom of the page. Make sure there are only NAT mappings listed you need (it will generate one for your LAN by default) and deletete unneeded ones or add what you need. Btw, why are you still running Beta1? Move on to Beta2 ;-)

  • Can't.  I'm doing the utmost evil and running a beta release at a production site 3 hours away.  I can't upgrade until I go down there, not because it won't work, but because my sleep better at night knowing that I'd be there "just in case".

    Don't worry, I'm going down on friday.