Manual Outbound NAT vs. Port Randomization

  • TL;DR:

    We have Manual Outbound NAT running and have some rules that are set as "Static Port"s.

    Are these ports reserved/excluded from the pool that gets used for randomization on outbound NAT'ed traffic?
    If not, will open sockets be "stolen" when pfSense tries to forward traffic matching a rule with "Static Port" ticked?

    Long Version:

    Client of ours has got an on-site PBX behind a pfSense. We were asked to set up manual outbound NAT rules with static ports for 5060 etc.

    Included in those was a rather large range of high level ports, let's say 8000-10000 for example (read: LOTS).

    My colleague chimed in and said "don't you dare assign all those as static ports. If you do, other NAT-using devices will get their sockets stolen every time someone makes a phone call" (deliberate exaggeration on his part).

    I've had a brief read up on how NAT works with pf and FreeBSD but couldn't find any info on this circumstance. My colleague may well be correct... he often is.

    (virtually) any input would be gratefully received.


  • Rebel Alliance Developer Netgate

    If you over-use static port, pf won't allow one to "steal" the other's connection, but will deny the new connection (can't create a conflicting state).

    It would only be denied iff it tries to re-use the same static source port going to the same destination:

    Connection #1:
    a.a.a.a:xxxx NAT to b.b.b.b:xxxx destination c.c.c.c:yyyy

    Connection #2 -- Denied:
    a.a.a.q:xxxx NAT to b.b.b.b:xxxx destination c.c.c.c:yyyy

    Connection #3 -- OK:
    a.a.a.q:xxxx NAT to b.b.b.b:xxxx destination d.d.d.d:zzzz

    Limiting use of static port to things that require static port (e.g. a PBX) is the best way to avoid problems. Generally speaking, the only time someone would really hit scenario #3 above is if you have two local PBX units attempting to connect to the same remote PBX. In that case you'd need to NAT one of them out a different IP address (1:1 NAT or outbound NAT to a different IP address).
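The state-conflict rule described in the reply above, as an added toy model (not pf's code and not part of the original thread): states are keyed on the translated 4-tuple, so a second host demanding the same static source port is denied only when it also targets the same destination, while a randomized source port simply picks another free key. All addresses are constructed RFC 5737 documentation values.

```python
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OutboundNat:
    """Toy outbound NAT state table. Keys are the *translated* tuple
    (proto, WAN ip, WAN port, dst ip, dst port); a duplicate key is denied."""

    def __init__(self, wan_ip, static_ports=(), rng=None):
        self.wan_ip = wan_ip
        self.static_ports = frozenset(static_ports)   # "Static Port" rules
        self.rng = rng or random.Random(0)             # deterministic for the demo
        self.states = {}                               # translated key -> original flow

    def translate(self, flow):
        """Return the translated Flow, or None where pf would deny the state."""
        if flow.src_port in self.static_ports:
            candidates = [flow.src_port]                          # no choice: keep the port
        else:
            candidates = (self.rng.randrange(1024, 65536) for _ in range(64))  # randomized
        for nat_port in candidates:
            key = (flow.proto, self.wan_ip, nat_port, flow.dst_ip, flow.dst_port)
            if key not in self.states:
                self.states[key] = flow
                return Flow(flow.proto, self.wan_ip, nat_port, flow.dst_ip, flow.dst_port)
        return None


def thread_scenarios():
    """Replays connections #1-#3 from the reply plus one non-static-port host."""
    nat = OutboundNat("198.51.100.1", static_ports={5060})
    pbx1 = Flow("udp", "192.0.2.10", 5060, "203.0.113.5", 5060)         # connection #1
    pbx2 = Flow("udp", "192.0.2.11", 5060, "203.0.113.5", 5060)         # #2: same destination
    pbx2_other = Flow("udp", "192.0.2.11", 5060, "203.0.113.99", 5060)  # #3: other destination
    pc = Flow("udp", "192.0.2.11", 40000, "203.0.113.5", 5060)          # randomized port
    return {
        "conn1": nat.translate(pbx1),
        "conn2_denied": nat.translate(pbx2),
        "conn3": nat.translate(pbx2_other),
        "randomized": nat.translate(pc),
    }
```

The second PBX is only refused while it shares both the static port and the destination; the host without a static-port rule is never affected because its source port is free to move.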
