Click Here To Visit SIP Broker  

Go Back   Voxalot / SIP Broker Support Forums > Voxalot Forums > Voxalot Support

Voxalot Support Support for the Voxalot service.

 
 
Reply
Thread Tools Display Modes
Unread 10-11-2009, 06:03 PM   #1
ctylor
 
ctylor's Avatar
 
Join Date: Apr 2006
Location: Vancouver, BC
Posts: 296
Thanks: 94
Thanked 53 Times in 27 Posts
ctylor will become famous soon enough
Default pfSense and Symmetric NAT

My D-Link router was continually losing its connection to the Internet, so I decided to convert a 10 year old computer I had laying around into a full-time router using the pfSense router operating system, and using a separate 10/100 Mbps 4-port switch to distribute the IP addresses to each device.

This really solved my loss-of-connection issues but introduced another one, my SIP devices were unable to register and stopped working. They had all been set up with STUN. But STUN does not work with symmetric NAT firewalls, which is what by default pfSense is configured to be. So after searching around the internet for 20 to 30 minutes I discovered the most elegant solution is the one found here:
By default, pfSense rewrites the source port on all outgoing packets. Many OS's do a poor job of source port randomization, if they do it at all. This makes IP spoofing easier, and makes it possible to fingerprint hosts behind your firewall from their outbound traffic. Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities.

But, this breaks some applications. There are built in rules when Advanced Outbound NAT is disabled that don't do this for UDP 500 (IKE for VPN traffic) and 5060 (SIP) because these types of traffic will almost always be broken by rewriting the source port. Though a small minority of VoIP systems are actually broken by not rewriting the source port, in which cases you will not want to use static port.

You may use other protocols, like some games amongst other things, that do not work properly when the source port gets rewritten. To disable this functionality, you need to use the static port option. Click Firewall -> NAT, and the Outbound tab. Click "Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))" and click Save. You will then see a rule at the bottom of the page labeled "Auto created rule for LAN". Click the "e" button to the right of that rule to edit it. Check the "static port" box on that page, and click Save. Apply changes and this behavior will be disabled.
Following this change, my pfSense router changed from being a symmetric NAT to a port restricted cone NAT and STUN was working again, and my IP phone was working just fine once again.

Note: Under the "Normal" firewall optimization found under "Advanced" settings, I found my NAT keep alive interval should be 59 seconds. I didn't test is thoroughly to know the exact limit, but I know that setting it to 159 seconds caused inbound calls to no longer be sent to my IP phone. Hence, pfSense is less forgiving than most commercial home routers in terms of keeping STUN/NAT states alive under 'normal' settings.

Last edited by ctylor; 12-31-2009 at 06:24 PM.
ctylor is offline   Reply With Quote
Reply

Tags
cone, firewall, m0n0wall, nat, pfsense, router, static port, stun, symmetric

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 03:16 AM.


Powered by vBulletin® Version 3.7.2
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.