From: Volker
Date: Wed, 16 May 2007 14:39:57 +0200
To: Henry
Cc: freebsd-pf@freebsd.org
Subject: Re: Trouble getting IP Phone to work
Message-ID: <464AFB9D.7080101@vwsoft.com>

On 12/23/-58 20:59, Henry wrote:
> I'm running PF.
> - I have an IP Phone here that uses the 3com NBX phone system.
> - Residential cable broadband connection with dynamic IP.
>
> When I use binat, the phone works 100%.
>
> When I use NAT with redirects to forward, the phone works partially.
> Some features don't work at all, and the others work sometimes.
>
> To further test, I had NAT on, redirect all traffic to the $phone and
> passed all traffic and it still doesn't work 100%.
>
> Example:
> ----------------------
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> rdr on $ext_if proto {tcp udp icmp} from any to ($ext_if) -> $phone
> block log all
> pass log all keep state
> ----------------------
>
> I see nothing being blocked, everything is passing and all incoming
> traffic should be going to the phone. So I'm kind of stumped. Any
> ideas?

Henry,

sounds like a routing problem. How's the default gateway (router) being
set on the phone? If it's correct, is variable $phone being set right?

Do you see something in the pf logs? Does pf modify the destination
address as you expect it (to be the one of the phone)?

Anyway, I really hope the ruleset shown is not your production ruleset.
It's a damned wide open firewall... ;)

Are we talking about a SIP phone or what does the protocol look like? If
it's SIP, I can provide configuration examples, as I've finished hacking
pf rules for a snom 300 SIP phone, redirect connections from the public
outside to it and it's working fine for some weeks now.

Volker
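
The quoted test ruleset beside a narrower variant, as an added example that is not part of either message or of any configuration the posters used. Interface names, the phone address and the UDP port list are assumptions: the thread does not say which ports the 3com NBX phone needs, so the list is a placeholder.

```pf
# Added example, not from the thread. Interface names, addresses and
# ports below are assumptions/placeholders.
ext_if = "em0"                  # assumed external interface
int_if = "em1"                  # assumed internal interface
phone  = "192.168.1.50"         # assumed phone address
# Placeholder port list: 5060/udp is SIP signalling (relevant only if the
# phone speaks SIP); 10000:10010 is a constructed media range.
phone_udp = "{ 5060, 10000:10010 }"

set skip on lo0

# --- As posted (wide open): every inbound tcp/udp/icmp packet is
# --- redirected to the phone and "pass log all" admits everything.
# nat on $ext_if from !($ext_if) -> ($ext_if:0)
# rdr on $ext_if proto {tcp udp icmp} from any to ($ext_if) -> $phone
# block log all
# pass log all keep state

# --- Narrower variant ---
nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr on $ext_if proto udp from any to ($ext_if) port $phone_udp -> $phone

block log all

# rdr is applied before filtering, so the inbound rule has to match the
# rewritten destination ($phone), not the external address.
pass in  log on $ext_if proto udp from any to $phone port $phone_udp keep state
# Redirected packets also have to be allowed out on the internal interface.
pass out log on $int_if proto udp from any to $phone port $phone_udp keep state

# LAN hosts (including the phone) may initiate outbound connections.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if from any to any keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `tcpdump -n -e -ttt -i pflog0` shows which rule each logged packet matched.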