Topics - wizdude

#1
greetings,

i have a public class C which will be facing my OPNsense box. i have configured a one-to-one NAT rule to map a public IP through to my phone system. i believe i have all of the appropriate firewall rules to permit inbound RTP and so forth.

one of the things i'm always careful with when implementing a new firewall is to ensure that there is no NAT ALG or similar on the box, as this always causes problems with SIP registrations with the voice provider.

i understand this is not in OPNsense unless i went out of my way to install the os-siproxd plugin, but I did see some notes online (perhaps quite old) that made reference to the source port being modified under certain circumstances.

on an outbound (SNAT) NAT rule i can see there is an option for "static-port" but this does not exist with a one-to-one NAT rule.

the way my phone system works: it assumes nothing is going to change the port numbers when it talks out, and it stamps the outbound packets with the external WAN IP address that I have assigned it. this is the same WAN IP i am using in my one-to-one NAT rule.

are there any problems i should be looking out for with this?

many thanks in advance,

cheers, Wiz!!
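One way to answer the question above empirically rather than from documentation is to let the registrar tell you what it saw. With RFC 3581, a client that puts `;rport` in its Via gets back `received=` and `rport=` parameters carrying the source address and port the server actually observed, so comparing them with the sent-by host and port the phone system stamped shows directly whether the firewall rewrote either. The script below is an added example, not code from the post, from OPNsense or from any phone system; the two SIP responses are constructed with documentation addresses, and any real check would parse the registrar's actual reply.

```python
import re

# Constructed samples: a Via stamped with the external WAN address, as echoed
# back by the registrar after it added RFC 3581 received/rport parameters.
# 203.0.113.10 is a documentation address; Call-IDs are made up.
RESPONSE_UNCHANGED = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds"
    ";received=203.0.113.10;rport=5060\r\n"
    "Call-ID: constructed-1\r\n\r\n"
)
RESPONSE_PORT_REWRITTEN = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776asdhds"
    ";received=203.0.113.10;rport=41234\r\n"
    "Call-ID: constructed-2\r\n\r\n"
)

# Topmost Via: "Via: SIP/2.0/<transport> <host>[:port](;param[=value])*"
_VIA_RE = re.compile(
    r"^(?:Via|v):\s*SIP/2\.0/(?P<transport>[A-Z]+)\s+"
    r"(?P<host>\[[^\]]+\]|[^:;\s,]+)(?::(?P<port>\d+))?"
    r"(?P<params>(?:\s*;[^;\r\n,]*)*)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_top_via(message: str) -> dict:
    """Return transport, sent-by host/port and parameters of the topmost Via."""
    m = _VIA_RE.search(message)
    if m is None:
        raise ValueError("no Via header found")
    params = {}
    for raw in m.group("params").split(";"):
        raw = raw.strip()
        if not raw:
            continue
        key, _, value = raw.partition("=")
        params[key.lower()] = value
    return {
        "transport": m.group("transport").upper(),
        "host": m.group("host"),
        "port": int(m.group("port") or 5060),  # 5060 is the SIP default
        "params": params,
    }


def nat_rewrite_report(message: str) -> dict:
    """Compare what the client stamped (sent-by) with what the registrar saw.

    received/rport are only present if the server supports RFC 3581 and the
    request carried ';rport'; when absent, no conclusion is drawn (False).
    """
    via = parse_top_via(message)
    received = via["params"].get("received")
    rport = via["params"].get("rport")
    seen_port = int(rport) if rport else None
    return {
        "stamped": (via["host"], via["port"]),
        "seen_by_registrar": (received, seen_port),
        "address_rewritten": received is not None and received != via["host"],
        "port_rewritten": seen_port is not None and seen_port != via["port"],
    }


if __name__ == "__main__":
    for name, resp in (("unchanged", RESPONSE_UNCHANGED),
                       ("rewritten", RESPONSE_PORT_REWRITTEN)):
        print(name, nat_rewrite_report(resp))
```

If `port_rewritten` comes back true for a REGISTER sent through the one-to-one mapping, the firewall (or something between it and the provider) is changing the source port and the phone system's assumption does not hold; if both flags stay false across several registrations, the mapping is behaving as address-only translation.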
#2
23.1 Legacy Series / Q in Q but not 802.1ad
June 28, 2023, 11:34:37 AM
greetings,

i need to run multiple VLANS to my ISP and originally i thought they wanted Q-in-Q 802.1ad so I tested this up in my lab and provided some packet dumps to confirm all was ok.

it turns out what they are after is "classic" Q-in-Q with both packets tagged with 0x8100 (802.1q).

i have been advised that my carriage service provider will drop packets tagged with 0x88a8 (802.1ad).

is there a way to configure this up? i need to have two VLANs encapsulated inside another VLAN with all packets tagged as 802.1q.

many thanks in advance,

cheers, Wiz!!

edit: i can see this original change was discussed here:
https://github.com/opnsense/core/issues/5893
double-tagged VLANs used to be both set to 802.1q, but this is not standard and 802.1ad is the preference.

the commit here:
https://github.com/opnsense/core/commit/021f656fd6adc93d55a72221252eb6289711a6d7
changes behaviour so that once a VLAN is created with an upstream VLAN as a parent, the parent is changed from 802.1q to 802.1ad.

in general this makes good sense. in my case it would be great to see this as an option which could be turned on and off for each interface. probably a small change, but i don't have a suitable build environment to even test this.

in any case, what i'm asking for is if there is some config way or otherwise i can work around this.
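Since the post mentions confirming the behaviour from packet dumps, the difference between the two framings is worth seeing at the byte level: a "classic" double-tagged frame carries TPID 0x8100 in both tag headers, while the 802.1ad form the carrier drops has 0x88a8 in the outer (S-tag) header and 0x8100 in the inner one. The script below is an added example, not code from the post or from OPNsense; it builds both frame shapes from constructed MAC addresses and VIDs, walks the tag stack of any frame, and classifies it so a capture can be checked before it is sent to the provider. Feeding it real frames from a capture file is left to the caller (a pcap reader is assumed, not included).

```python
import struct

TPID_8021Q = 0x8100   # "classic" C-tag; what the carrier in the post accepts
TPID_8021AD = 0x88A8  # S-tag (802.1ad); what the carrier in the post drops


def build_frame(dst_mac: str, src_mac: str, tags, ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame with a stack of (tpid, vid) tags, outermost first."""
    frame = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    for tpid, vid in tags:
        if not 0 <= vid <= 4094:
            raise ValueError(f"invalid VID {vid}")
        # TCI = PCP(3) | DEI(1) | VID(12); PCP and DEI left at 0 here
        frame += struct.pack("!HH", tpid, vid & 0x0FFF)
    return frame + struct.pack("!H", ethertype) + payload


def parse_tag_stack(frame: bytes):
    """Walk the tags after the MAC addresses; return ([(tpid, vid), ...], inner_ethertype)."""
    offset = 12  # 6-byte destination + 6-byte source MAC
    tags = []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        (tpid,) = struct.unpack_from("!H", frame, offset)
        if tpid not in (TPID_8021Q, TPID_8021AD):
            return tags, tpid  # first non-tag EtherType ends the stack
        if offset + 4 > len(frame):
            raise ValueError("truncated VLAN tag")
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((tpid, tci & 0x0FFF))
        offset += 4


def classify(frame: bytes) -> str:
    """Name the tag arrangement in terms of the two Q-in-Q styles discussed."""
    tags, _ = parse_tag_stack(frame)
    if not tags:
        return "untagged"
    if len(tags) == 1:
        return "single 802.1q tag" if tags[0][0] == TPID_8021Q else "single 802.1ad tag"
    tpids = [tpid for tpid, _ in tags]
    if all(t == TPID_8021Q for t in tpids):
        return "classic q-in-q (all tags 0x8100)"
    if tpids[0] == TPID_8021AD:
        return "802.1ad q-in-q (outer tag 0x88a8, carrier would drop)"
    return "mixed tag stack"


# Constructed frames: locally administered MACs, outer VID 100, inner VID 10,
# an IPv4 EtherType and a dummy payload.
_DST, _SRC = "02:00:00:00:00:01", "02:00:00:00:00:02"
CLASSIC_QINQ = build_frame(_DST, _SRC, [(TPID_8021Q, 100), (TPID_8021Q, 10)], 0x0800, b"\x00" * 20)
STANDARD_QINQ = build_frame(_DST, _SRC, [(TPID_8021AD, 100), (TPID_8021Q, 10)], 0x0800, b"\x00" * 20)


if __name__ == "__main__":
    for label, frame in (("classic", CLASSIC_QINQ), ("802.1ad", STANDARD_QINQ)):
        tags, inner = parse_tag_stack(frame)
        print(label, [(hex(t), v) for t, v in tags], hex(inner), "->", classify(frame))
```

Run against frames taken from the lab capture, the classifier makes it obvious which of the two encodings the box is emitting, which is exactly the distinction the carrier is drawing.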