Netgate Discussion Forum
    Manual Outbound NAT vs. Port Randomization

    pyyg

      TL;DR:

      We have Manual Outbound NAT running and have some rules that are set as "Static Port".

      Are these ports reserved/excluded from the pool that gets used for randomization on outbound NAT'ed traffic?
      If not, will open sockets be "stolen" when pfSense tries to forward traffic matching a rule with "Static Port" ticked?

      Long Version:

      Client of ours has got an on-site PBX behind a pfSense. We were asked to set up manual outbound NAT rules with static ports for 5060 etc.

      Included in those was a rather large range of high-level ports, let's say 8000-10000 for example (read: LOTS).

      My colleague chimed in and said "don't you dare assign all those as static ports. If you do, other NAT-using devices will get their sockets stolen every time someone makes a phone call" (deliberate exaggeration on his part).

      I've had a brief read up on how NAT works with pf and FreeBSD but couldn't find any info on this circumstance. My colleague may well be correct... he often is.

      (virtually) any input would be gratefully received.

      Pyyg

      jimp (Rebel Alliance Developer, Netgate)

        If you over-use static port, pf won't allow one to "steal" the other's connection, but will deny the new connection (can't create a conflicting state).

        It would only be denied iff it tries to re-use the same static source port going to the same destination:

        Connection #1:
        a.a.a.a:xxxx NAT to b.b.b.b:xxxx destination c.c.c.c:yyyy

        Connection #2 – Denied:
        a.a.a.q:xxxx NAT to b.b.b.b:xxxx destination c.c.c.c:yyyy

        Connection #3 -- OK:
        a.a.a.q:xxxx NAT to b.b.b.b:xxxx destination d.d.d.d:zzzz

        Limiting use of static port to things that require static port (e.g. a PBX) is the best way to avoid problems. Generally speaking, the only time someone would really hit scenario #3 above is if you have two local PBX units attempting to connect to the same remote PBX. In that case you'd need to NAT one of them out a different IP address (1:1 NAT or outbound NAT to a different IP address).


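To make the conflict rule in the answer above concrete, here is a small model of the state-table check, added as an illustration; it is not pf or pfSense code. It assumes a state is keyed by (protocol, translated source IP:port, destination IP:port), that a "Static Port" rule keeps the original source port, and that a normal rule draws a free source port from a high range (the range 50001-65535 and all addresses below are constructed for the example). It replays connections #1 to #3 from the answer and adds a fourth, non-static-port host to show that its connection is unaffected and that the denied attempt does not touch the existing state.

```python
"""Toy model of pf's state-conflict check for outbound NAT.

Added example, not pf/pfSense source. Assumptions: a state is keyed by
(proto, translated src ip, translated src port, dst ip, dst port); a
static-port rule keeps the original source port; a normal rule picks a
free port from an assumed pool of 50001-65535. Addresses are RFC 5737
test addresses chosen for the demo.
"""
import random


class NatStateTable:
    def __init__(self, wan_ip, port_range=(50001, 65535), seed=0):
        self.wan_ip = wan_ip
        self.lo, self.hi = port_range
        self.rng = random.Random(seed)  # seeded so the demo is repeatable
        # state key -> (original src ip, original src port)
        self.states = {}

    def _key(self, proto, nat_port, dst_ip, dst_port):
        return (proto, self.wan_ip, nat_port, dst_ip, dst_port)

    def translate(self, proto, src_ip, src_port, dst_ip, dst_port,
                  static_port=False):
        """Return the translated source port, or None when the new
        connection would need a state that already exists (denied)."""
        if static_port:
            key = self._key(proto, src_port, dst_ip, dst_port)
            if key in self.states:
                # Conflicting state: the new flow is refused; the existing
                # state keeps its owner, nothing is "stolen".
                return None
            self.states[key] = (src_ip, src_port)
            return src_port
        # Port randomization: keep drawing until the key is free.
        for _ in range(self.hi - self.lo + 1):
            candidate = self.rng.randint(self.lo, self.hi)
            key = self._key(proto, candidate, dst_ip, dst_port)
            if key not in self.states:
                self.states[key] = (src_ip, src_port)
                return candidate
        return None  # pool exhausted for this destination


def demo():
    """Replay connections #1-#3 from the answer plus a randomized host."""
    pf = NatStateTable("198.51.100.1")           # constructed WAN address
    pbx1, pbx2 = "10.0.0.10", "10.0.0.11"        # constructed LAN PBX units
    sip1, sip2 = "203.0.113.5", "203.0.113.6"    # constructed remote peers
    # #1: static port, OK
    r1 = pf.translate("udp", pbx1, 5060, sip1, 5060, static_port=True)
    # #2: same translated port, same destination -> denied
    r2 = pf.translate("udp", pbx2, 5060, sip1, 5060, static_port=True)
    # #3: same translated port, different destination -> OK
    r3 = pf.translate("udp", pbx2, 5060, sip2, 5060, static_port=True)
    # a host without static port reaching the same peer gets a free port
    r4 = pf.translate("udp", "10.0.0.50", 5060, sip1, 5060)
    # the state created by #1 still belongs to pbx1 after #2 was denied
    owner = pf.states[("udp", "198.51.100.1", 5060, sip1, 5060)]
    return r1, r2, r3, r4, owner


if __name__ == "__main__":
    print(demo())
```

Running the block prints the four translation results and the owner of the contested state; the second attempt comes back as None while the first state still maps to the original PBX, which is the "denied, not stolen" behaviour the answer describes.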
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.