Feature #1225


static port range and outbound rules source port range (only to be tested and integrated, already coded)

Added by Martin Dupont over 13 years ago. Updated about 13 years ago.

Rules / NAT
Target version:
Start date:
Due date:
% Done:


Estimated time:
Plus Target Version:
Release Notes:


When you go to NAT Outbound, you can create rules to make 1 port static, or to force the source port (for example, force that traffic with source port 5111 from host will be NATed to WAN_IP:51110).
This is nice, of course, but not quite helpful when it comes to SIP, since you have a range of RTP port to make static.

Based on the built "built on Sun Jan 23 06:46:02 EST 2011", I've patched the GUI so that it can now handle ranges of static ports with a single rule, as pf supports it. This is a very simple patch requiring to change only 3 files (Outbound NAT rules edition, Outbound NAT rules listing, and pf rules file generation).

I'm willing to contribute those small changes, and have been told to way it in forum, thus, if a developer of pfSense is interested, I'd be glad if pfSense would contain a few lines of code from me Wink

(btw, the few lines are ONLY copy-paste-edit)

I'm attaching an archive with the files in their original state, and after changes.

Files (69.8 KB) Original and patched files Martin Dupont, 01/23/2011 11:08 AM
Actions #1

Updated by Chris Buechler over 13 years ago

  • Target version deleted (2.0)
  • Affected Version deleted (2.0)

I've never seen RTP have to be static, though a worthwhile feature to have post-2.0.

Actions #2

Updated by Martin Dupont over 13 years ago

When a SIP peer starts the dialog, it sends thru SDP the port on which it is expecting the RTP stream.
There are of course various ways to survive without static ports, but they make it easier.

Actions #3

Updated by Tony Graziano over 13 years ago

We use a sip server which handles both trunking and remote users. We typically use static port NAT for both functions. While we know what IP address internally would be requiring static port NAT, we also know what ports it will be using, because we can define them. Static port NAT is not unusual to see when the sip server is behind NAT and handles trunking and remote users unless it is using a robust SBC which also manipulates the headers and uses STUN support to get around a firewall which rewrites the source port.

When a firewall rewrites the source port it usually means the audio is going to be broken, hence the firewall using static port NAT to ensure the firewall is more or less "uninvolved" and the sip server or client sees the media return to the expected port(s).

Actions #4

Updated by Martin Dupont over 13 years ago

Mistake in the patch files.
In firewall_nat_out_edit.php, you should add after lin 223:
$natent['sourceportend'] = ($protocol_uses_ports) ? $_POST['sourceportend'] : "";

Actions #5

Updated by Martin Dupont about 13 years ago

This is rendered useless by support of port alias. No need to implement this anymore.

Actions #6

Updated by Martin Dupont about 13 years ago

I can't find how to close the task myself, so if someone could tell me how to (if I can!) or could close it...

Actions #7

Updated by Jim Pingle about 13 years ago

  • Status changed from New to Closed

Also available in: Atom PDF