Voxalot / SIP Broker Support Forums

Voxalot / SIP Broker Support Forums (http://forum.sipbroker.com/index.php)
-   Voxalot Support (http://forum.sipbroker.com/forumdisplay.php?f=4)
-   -   pfSense and Symmetric NAT (http://forum.sipbroker.com/showthread.php?t=4458)

ctylor 10-11-2009 06:03 PM

pfSense and Symmetric NAT
 
My D-Link router was continually losing its connection to the Internet, so I decided to convert a 10 year old computer I had lying around into a full-time router using the pfSense router operating system, and using a separate 10/100 Mbps 4-port switch to distribute the IP addresses to each device.

This really solved my loss-of-connection issues but introduced another one: my SIP devices were unable to register and stopped working. They had all been set up with STUN. But STUN does not work with symmetric NAT firewalls, which is what pfSense is configured to be by default. So after searching around the internet for 20 to 30 minutes I discovered the most elegant solution is the one found here:
By default, pfSense rewrites the source port on all outgoing packets. Many OSes do a poor job of source port randomization, if they do it at all. This makes IP spoofing easier, and makes it possible to fingerprint hosts behind your firewall from their outbound traffic. Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities.

But, this breaks some applications. There are built-in rules when Advanced Outbound NAT is disabled that don't do this for UDP 500 (IKE for VPN traffic) and 5060 (SIP) because these types of traffic will almost always be broken by rewriting the source port. Though a small minority of VoIP systems are actually broken by not rewriting the source port, in which case you will not want to use static port.

You may use other protocols, like some games amongst other things, that do not work properly when the source port gets rewritten. To disable this functionality, you need to use the static port option. Click Firewall -> NAT, and the Outbound tab. Click "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))" and click Save. You will then see a rule at the bottom of the page labeled "Auto created rule for LAN". Click the "e" button to the right of that rule to edit it. Check the "static port" box on that page, and click Save. Apply changes and this behavior will be disabled.
Following this change, my pfSense router changed from being a symmetric NAT to a port-restricted cone NAT, STUN was working again, and my IP phone was working just fine once again.

Note: Under the "Normal" firewall optimization found under "Advanced" settings, I found my NAT keep-alive interval should be 59 seconds. I didn't test it thoroughly to know the exact limit, but I know that setting it to 159 seconds caused inbound calls to no longer be sent to my IP phone. Hence, pfSense is less forgiving than most commercial home routers in terms of keeping STUN/NAT states alive under 'normal' settings.
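The effect described in this thread, as an added toy model (not code from the poster or from pfSense): a NAT that rewrites the source port per flow gives each destination a different external port, so the endpoint a STUN server reports is not the one the SIP registrar sees, and the Contact address the phone registers is unreachable; with the static port option every destination sees the same endpoint and the STUN result is valid. All IP addresses and ports are constructed sample values.

```python
"""Toy model: pfSense default source-port rewriting (symmetric NAT) vs the
'static port' option (port-restricted cone NAT), and what STUN/SIP see.
Constructed sample values only; not a real NAT implementation."""
import random
from dataclasses import dataclass, field

Endpoint = tuple[str, int]   # (ip, port)


@dataclass
class Nat:
    external_ip: str
    static_port: bool        # False = rewrite source port per flow (pfSense default)
    rng: random.Random = field(default_factory=lambda: random.Random(1))
    table: dict = field(default_factory=dict)

    def translate(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Return the external (ip, port) that `dst` sees for a packet from `src`."""
        # Symmetric NAT keys the mapping on the whole flow, so each destination
        # gets its own randomised external port. Static port keys on the source
        # only and keeps the internal port, so every destination sees the same
        # external endpoint (port-restricted cone behaviour).
        key = src if self.static_port else (src, dst)
        if key not in self.table:
            if self.static_port:
                port = src[1]
            else:
                used = {p for _, p in self.table.values()}
                port = self.rng.choice([p for p in range(1024, 65536) if p not in used])
            self.table[key] = (self.external_ip, port)
        return self.table[key]


def stun_probe(nat: Nat, client: Endpoint, stun_server: Endpoint) -> Endpoint:
    """STUN binding request: the server reports the address it saw (reflexive endpoint)."""
    return nat.translate(client, stun_server)


def classify(nat: Nat, client: Endpoint, servers: list) -> str:
    """Probe two STUN servers; identical reflexive endpoints mean cone-type NAT."""
    seen = {stun_probe(nat, client, s) for s in servers}
    return "cone" if len(seen) == 1 else "symmetric"


def registration_works(nat: Nat, client: Endpoint, stun_server: Endpoint,
                       registrar: Endpoint) -> bool:
    """The phone puts its STUN-learned endpoint in the SIP Contact header.
    Inbound calls only arrive if the registrar actually reaches that mapping."""
    advertised = stun_probe(nat, client, stun_server)
    return advertised == nat.translate(client, registrar)
```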


