OPNsense Forum

Archive => 18.7 Legacy Series => Topic started by: deviantintegral on November 23, 2018, 07:27:30 pm

Title: Stale WAN IP used for SIP NAT mapping (Dynamic state reset)
Post by: deviantintegral on November 23, 2018, 07:27:30 pm

OPNSense is connected via DSL / pppoe for it's WAN connection. I have an OBiHAI SIP bridge for VoIP access. If the WAN IP changes, the old NAT mapping are still used, causing packets to be sent with the wrong source IP address. This breaks WAN connectivity until the states are killed.

• In the firewall states dump, I filter on port 5060 to see the inbound and outbound mappings.
• Note your current WAN IP, and click "reload" at the WAN interface in the overview to force a new connection.
• After the IP has renewed, reload the states dump and note the outbound IP address is the old IP address and not the new one.
• Killing the states restores WAN connectivity to the SIP bridge.

I've verified the wrong source IP is being sent from a packet capture of the pppoe interface. What's surprising to me is that nothing else other than this one mapping appears to be affected by this.

In the firewall advanced options, I found "Dynamic state reset" which was not enabled. Turning that on fixed the stale mappings. Is there any reason why that option shouldn't be on by default?

This could be related to switching ISPs from one that used DHCP to DSL and PPPoE. Is this a setting normally set during the setup wizard, which would be missed if you manually changed WAN settings after the initial install?