Date: Wed, 7 Dec 2005 20:45:48 +0200
From: "Gee Jay" <geejay@inbox.lv>
To: "Constant, Benjamin" <bconstant@be.tiauto.com>
Cc: freebsd-pf@freebsd.org
Subject: RE: Can PF do Cone NAT ?
Message-ID: <CPEBJFBCDCKKIHJAODHCIEPJCBAA.geejay@inbox.lv>
In-Reply-To: <B6D948D84090A54ABCD88AA391DAAC8C021F7D8D@tiasbel00ex00.be.eu.tiauto.com>

Benjamin Constant wrote:

> I'm maybe wrong but did you try with the static-port option on your nat
> rules?

Thanks, I overlooked that option. I conclude from the IP state table that
PFSense firewall did not use that option.

As far as I understand, the static-port option would cause problems for
other machines behind the NAT who run the same services. So there would
have to be different NAT options for different port-ranges, if one wanted
to follow this path.

Another solution I see is to put our Asterisk (VOIP) server on a 1:1 NAT
and give it an extra external IP on the firewall.

Thanks again for your suggestion.

GeeJay

TI Automotive

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org
> [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Gee Jay
> Sent: Tuesday 6 December 2005 21:09
> To: freebsd-pf@freebsd.org
> Subject: Can PF do Cone NAT ?
>
> Dear Gentlemen,
>
> I am struggling to set up NAT / Port redirection on a PFSense
> firewall (which uses PF) for the SIP Protocol or rather its
> RTP media streams.
>
> By all appearances the NAT in PF seems to work as a symmetric
> NAT which causes SIP in certain cases to fail.
>
> The VOIP provider in question uses on his side several media
> boxes with their own IPs to stream the RTP Media via UDP. My
> understanding of the problem is that the NAT in PF uses a
> different NAT port for each public destination IP so that the
> media boxes talk back to "dead" ports on the NAT.
> Whereas in the cone NAT only one port irrespectively of the
> external IP addressed.
>
> For further explanations regarding the problem see here:
> http://corp.deltathree.com/technology/nattraversalinsip.pdf
> or here
> http://list.sipfoundry.org/archive/ietf-behave/pdf00000.pdf
> http://en.wikipedia.org/wiki/Restricted_cone_NAT
>
> My basic question is: Can PF do a cone NAT ? And if so, how ?
> The PF documentation didn't help me unfortunately.
>
> Thanks for your help in the matter.
>
> GeeJay
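
The port-mapping behaviour discussed in this thread, as an added example that is not part of the original messages and is not PF code: a toy Python model of how a NAT chooses the external source port in symmetric, cone and static-port style. All addresses, ports and names (`Nat`, `external_ports`, `static_port_collision`) are constructed for illustration, and the model covers only port selection, not PF's state table or filtering.

```python
"""Toy model of NAT source-port selection (constructed example, not PF code)."""
import itertools

ASTERISK = ("192.168.1.10", 10000)                        # constructed internal RTP endpoint
MEDIA_BOXES = [("198.51.100.1", 20000), ("198.51.100.2", 20000)]  # constructed provider media boxes


class Nat:
    def __init__(self, mode, first_port=50000):
        self.mode = mode                  # "symmetric", "cone" or "static-port"
        self.ports = itertools.count(first_port)
        self.table = {}                   # mapping key -> external port
        self.owner = {}                   # external port -> internal (ip, port)

    def outbound(self, src, dst):
        """Return the external source port used for a packet src -> dst."""
        # A symmetric NAT keys the mapping on the destination as well;
        # cone and static-port mappings depend on the internal endpoint only.
        key = (src, dst) if self.mode == "symmetric" else src
        if key not in self.table:
            # static-port keeps the internal source port unchanged.
            port = src[1] if self.mode == "static-port" else next(self.ports)
            if self.owner.get(port, src) != src:
                raise RuntimeError(f"port {port} already mapped to {self.owner[port]}")
            self.table[key] = port
            self.owner[port] = src
        return self.table[key]


def external_ports(mode, src, destinations):
    """Set of external ports one internal endpoint appears as across destinations."""
    nat = Nat(mode)
    return {nat.outbound(src, dst) for dst in destinations}


def static_port_collision():
    """Two internal hosts using the same source port cannot both keep it."""
    nat = Nat("static-port")
    nat.outbound(("192.168.1.10", 5060), MEDIA_BOXES[0])
    try:
        nat.outbound(("192.168.1.11", 5060), MEDIA_BOXES[0])
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for mode in ("symmetric", "cone", "static-port"):
        print(mode, sorted(external_ports(mode, ASTERISK, MEDIA_BOXES)))
    print("static-port collision:", static_port_collision())
```

In the symmetric case the same RTP socket appears under a different external port for each media box, so a port learned through one destination is not the one another box reaches; the collision function shows the conflict raised in the reply about several machines behind the NAT running the same service.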