Feature #1225: static port range and outbound rules source port range (only to be tested and integrated, already coded)
Status: closed, 50% done
Description
When you go to NAT Outbound, you can create rules to make 1 port static, or to force the source port (for example, force that traffic with source port 5111 from host 192.168.0.1 will be NATed to WAN_IP:51110).
This is nice, of course, but not quite helpful when it comes to SIP, since you have a range of RTP port to make static.
Based on the build "built on Sun Jan 23 06:46:02 EST 2011", I've patched the GUI so that it can now handle ranges of static ports with a single rule, as pf supports it. This is a very simple patch requiring changes to only 3 files (Outbound NAT rules edition, Outbound NAT rules listing, and pf rules file generation).
I'm willing to contribute those small changes, and have been told to raise it in the forum, thus, if a developer of pfSense is interested, I'd be glad if pfSense would contain a few lines of code from me ;)
(btw, the few lines are ONLY copy-paste-edit)
I'm attaching an archive with the files in their original state, and after changes.
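As an added illustration (not from the attached patch or pfSense's own rule generator), here are the pf.conf outbound NAT rules the three cases above correspond to; the interface em0, the LAN subnet and the RTP range 10000:20000 are assumptions:

```pf
# Added illustration; em0, the LAN subnet and the port numbers are assumptions.
ext_if   = "em0"
sip_host = "192.168.0.1"

# Case 1 (existing GUI): keep the original source port for one port only.
nat on $ext_if proto udp from $sip_host port 5060 to any -> ($ext_if) static-port

# Case 2 (existing GUI): force traffic from source port 5111 to leave as WAN_IP:51110.
nat on $ext_if proto udp from $sip_host port 5111 to any -> ($ext_if) port 51110

# Case 3 (this feature): one rule for the whole RTP range, source ports preserved.
# Without static-port, pf rewrites each RTP source port to a random high port, so the
# media the far end sends back (to the port announced in SDP) lands on the wrong port.
nat on $ext_if proto udp from $sip_host port 10000:20000 to any -> ($ext_if) static-port

# pf nat rules are first-match, so the narrow static-port rules above must precede
# the catch-all; static-port stays limited to the SIP host and its RTP range only.
nat on $ext_if from 192.168.0.0/24 to any -> ($ext_if)
```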
Updated by Chris Buechler almost 14 years ago
- Target version deleted (2.0)
- Affected Version deleted (2.0)
I've never seen RTP have to be static, though a worthwhile feature to have post-2.0.
Updated by Martin Dupont almost 14 years ago
When a SIP peer starts the dialog, it sends through SDP the port on which it is expecting the RTP stream.
There are of course various ways to survive without static ports, but they make it easier.
Updated by Tony Graziano almost 14 years ago
We use a SIP server which handles both trunking and remote users. We typically use static port NAT for both functions. While we know what IP address internally would be requiring static port NAT, we also know what ports it will be using, because we can define them. Static port NAT is not unusual to see when the SIP server is behind NAT and handles trunking and remote users, unless it is using a robust SBC which also manipulates the headers and uses STUN support to get around a firewall which rewrites the source port.
When a firewall rewrites the source port it usually means the audio is going to be broken, hence the firewall using static port NAT to ensure the firewall is more or less "uninvolved" and the SIP server or client sees the media return to the expected port(s).
Updated by Martin Dupont almost 14 years ago
Mistake in the patch files.
In firewall_nat_out_edit.php, you should add after line 223:
$natent['sourceportend'] = ($protocol_uses_ports) ? $_POST['sourceportend'] : "";
Updated by Martin Dupont almost 14 years ago
This is rendered useless by support of port alias. No need to implement this anymore.
Updated by Martin Dupont almost 14 years ago
I can't find how to close the task myself, so if someone could tell me how to (if I can!) or could close it...