10-11-2009, 06:03 PM
pfSense and Symmetric NAT
My D-Link router was continually losing its connection to the Internet, so I decided to convert a 10 year old computer I had lying around into a full-time router using the pfSense router operating system, and using a separate 10/100 Mbps 4-port switch to distribute the IP addresses to each device.
This really solved my loss-of-connection issues but introduced another one: my SIP devices were unable to register and stopped working. They had all been set up with STUN. But STUN does not work with symmetric NAT firewalls, which is what pfSense is configured to be by default. So after searching around the internet for 20 to 30 minutes I discovered the most elegant solution is the one found here:

"By default, pfSense rewrites the source port on all outgoing packets. Many OSes do a poor job of source port randomization, if they do it at all. This makes IP spoofing easier, and makes it possible to fingerprint hosts behind your firewall from their outbound traffic. Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities."

Following this change, my pfSense router changed from being a symmetric NAT to a port restricted cone NAT, STUN was working again, and my IP phone was working just fine once again.

Note: Under the "Normal" firewall optimization found under "Advanced" settings, I found my NAT keep-alive interval should be 59 seconds. I didn't test it thoroughly to know the exact limit, but I know that setting it to 159 seconds caused inbound calls to no longer be sent to my IP phone. Hence, pfSense is less forgiving than most commercial home routers in terms of keeping STUN/NAT states alive under "normal" settings.

Last edited by ctylor; 12-31-2009 at 06:24 PM.
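The post describes why STUN stops working when pfSense rewrites source ports and starts working again with static port. The following simulation, an added example that is not code from the post or from the pfSense project, models the two NAT mapping behaviours and a STUN-then-REGISTER exchange; all IP addresses, ports and the Nat/STUN/REGISTRAR names are constructed for the example.

```python
"""Model of the NAT trade-off described in the post (added example, not code
from the post or from pfSense). A NAT that rewrites the source port keys its
mapping on the destination too (endpoint-dependent mapping, i.e. symmetric
NAT); with 'static port' the mapping depends only on the internal endpoint
(port restricted cone). A STUN probe followed by a SIP REGISTER shows why only
the second case leaves the phone reachable for an inbound INVITE.
All addresses below are constructed (RFC 5737 documentation ranges)."""
import random

PHONE = ("192.168.1.20", 5060)        # constructed internal SIP phone
STUN = ("198.51.100.1", 3478)         # constructed STUN server
STUN2 = ("198.51.100.3", 3478)        # second constructed STUN server
REGISTRAR = ("198.51.100.2", 5060)    # constructed SIP registrar / proxy


class Nat:
    def __init__(self, rewrite_source_port, public_ip="203.0.113.7"):
        self.rewrite = rewrite_source_port
        self.public_ip = public_ip
        self.table = {}                 # mapping key -> external port
        self.flows = set()              # (internal, peer) pairs seen outbound
        # Pre-randomised pool of high ports, like source-port rewriting does.
        self.ports = random.Random(1).sample(range(49152, 65536), 1000)

    def outbound(self, src, dst):
        """Allocate (or reuse) the external port for a packet src -> dst."""
        self.flows.add((src, dst))
        key = (src, dst) if self.rewrite else src
        if key not in self.table:
            self.table[key] = self.ports.pop() if self.rewrite else src[1]
        return (self.public_ip, self.table[key])

    def inbound(self, ext_port, peer):
        """Port-restricted delivery: the internal host must already have sent
        to this peer, and the packet must hit that flow's external port."""
        for src, dst in self.flows:
            if dst == peer and self.outbound(src, dst)[1] == ext_port:
                return src
        return None


def nat_type(nat):
    """Classify like a STUN client: same reflexive port for two servers?"""
    a, b = nat.outbound(PHONE, STUN), nat.outbound(PHONE, STUN2)
    return "port restricted cone" if a == b else "symmetric"


def register_and_call(nat):
    """Phone learns its reflexive address via STUN, advertises it in the
    REGISTER Contact, then the registrar sends an INVITE to that address."""
    reflexive = nat.outbound(PHONE, STUN)     # what the STUN server reports
    nat.outbound(PHONE, REGISTRAR)            # REGISTER with Contact=reflexive
    return nat.inbound(reflexive[1], REGISTRAR) == PHONE
```

With `rewrite_source_port=True` (the pfSense default) the registrar's INVITE targets the port allocated for the STUN flow, not the one allocated for the registrar flow, so it is dropped; with static port both flows share the phone's own port and the call gets through.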