I just discovered a strange issue with my current PF NAT setup.
The Scenario:
I'm operating a SIP phone behind my FreeBSD 10.2 gateway, which uses PF for firewalling/NAT and gets a dynamically assigned external IP address from my ISP that changes every couple of days. The SIP phone has the internal IP address 10.6.6.64, uses STUN to discover the external IP address and registers to two different external SIP providers. PF is set up to use static ports for SIP and RTP from the IP phone to the outside world. Relevant sections from my /etc/pf.conf:
Code:
ExtIF = "tun0"
PHONE = "10.6.6.64"
RTP = "5004:5020"
set state-policy if-bound
scrub all random-id reassemble tcp fragment reassemble
scrub out on $ExtIF inet proto udp from port sip set-tos 0x60
scrub out on $ExtIF inet proto udp from port $RTP set-tos 0xB8
nat on $ExtIF inet proto udp from $PHONE port {sip, $RTP} -> ($ExtIF) static-port
nat on $ExtIF from ! ($ExtIF) to any -> ($ExtIF) port 39000:65535
pass out quick on $ExtIF inet proto udp from port sip keep state (udp.first 90, udp.single 120, udp.multiple 400) queue voip
pass out quick on $ExtIF inet proto udp from port $RTP queue voip
The Problem:
Using tcpdump on the external interface tun0, I just discovered that SIP registrations going out to one SIP provider are sent using the correct external IP address, whereas SIP registrations going out to the second SIP provider are sent out using an old IP address that I had like two days ago. I'm talking about the source IP address here with which packets are sent out over the external interface. The external IP address within the SIP packets is the correct one in both cases.
As it turned out, the problem was a state that PF had recorded for the old external IP address (new one was: 77.6.131.232):
Code:
tun0 udp 77.12.28.177:5060 (10.6.6.64:5060) -> 148.251.246.101:5060 MULTIPLE:MULTIPLE
What I don't see is why this should happen at all, and why only for one SIP provider, not the other one. The only difference between the two SIP providers is that the SIP phone sends SIP keepalive messages to one SIP provider (the faulty one) in 20 second intervals, whereas it uses 360 sec intervals for the other. This is because the interval cannot be configured for one provider, only for the other.
Any ideas as to why this is happening and how it could be solved? I could kill states using the old IP address from a script when the PPPoE link goes down, but I'd rather consider this a workaround than a solution.
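The kill-on-link-change script mentioned in the post, written out as an added example (not the poster's own script; the script path and ppp.linkup hook line are assumptions). The stale state survives because `nat ... -> ($ExtIF)` only affects newly created states, and the 20 s keepalive refreshes the existing one well inside the 400 s udp.multiple timeout, so the script reads `pfctl -ss`, finds outbound NAT states on the external interface whose translated source is not the interface's current address, and kills them.

```shell
#!/bin/sh
# Added example: flush PF NAT states that still carry a previous external
# address after a PPPoE re-dial. Meant to run from a ppp.linkup hook such as
# "MYADDR: !bg /usr/local/sbin/pf-flush-stale.sh tun0" (script name assumed).

# Address currently configured on the external interface (IPv4 only).
current_addr() {
    ifconfig "$1" inet | awk '/inet /{ print $2; exit }'
}

# Read `pfctl -ss` output on stdin and print every wire-side source address
# of an outbound NAT state on interface $1 that differs from address $2.
# An outbound NAT state is printed as
#   tun0 udp 77.12.28.177:5060 (10.6.6.64:5060) -> 148.251.246.101:5060 MULTIPLE:MULTIPLE
# i.e. field 3 = translated source, field 4 = "(internal source)", field 5 = "->".
stale_nat_sources() {
    awk -v ifn="$1" -v cur="$2" '
        $1 == ifn && $5 == "->" && $4 ~ /^\(/ && $3 ~ /^[0-9.]+:[0-9]+$/ {
            split($3, a, ":")
            if (a[1] != cur) seen[a[1]] = 1
        }
        END { for (ip in seen) print ip }
    ' | sort
}

# Kill every state whose translated source is a stale external address.
# Assumption: "pfctl -k <host>" matches an outbound NAT state on its
# wire-side (translated) source, so the stale 77.12.28.177 state dies here.
flush_stale_states() {
    extif=$1
    cur=$(current_addr "$extif")
    [ -n "$cur" ] || { echo "no inet address on $extif" >&2; return 1; }
    pfctl -ss | stale_nat_sources "$extif" "$cur" | while read -r ip; do
        logger -t pf-flush "killing states with stale source $ip on $extif"
        pfctl -k "$ip"
    done
}

# Constructed sample of `pfctl -ss` output for checking the parser offline:
# the first line is the state from the post, the others are made up.
SAMPLE_STATES='tun0 udp 77.12.28.177:5060 (10.6.6.64:5060) -> 148.251.246.101:5060 MULTIPLE:MULTIPLE
tun0 udp 77.6.131.232:5060 (10.6.6.64:5060) -> 203.0.113.10:5060 MULTIPLE:MULTIPLE
tun0 tcp 77.6.131.232:39017 (10.6.6.7:51234) -> 198.51.100.5:443 ESTABLISHED:ESTABLISHED
tun0 udp 10.6.6.64:5060 -> 192.0.2.9:5060 SINGLE:NO_TRAFFIC'

# Run the hook only when given an interface argument (e.g. from ppp.linkup).
if [ $# -ge 1 ]; then
    flush_stale_states "$1"
fi
```

Killing only states with the stale translated source leaves the phone's current registrations (and every other connection on the new address) untouched, unlike a blanket `pfctl -F states`.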