23.1 Legacy Series / does one-to-one modify the source port number?
« on: June 30, 2023, 12:51:43 pm »
greetings,
i have a public class C which will be facing my OPNsense box. i have configured a one-to-one NAT rule to map a public IP through to my phone system. i believe i have all of the appropriate firewall rules to permit inbound RTP and so forth.
one of the things i'm always careful with when implementing a new firewall is to ensure that there is no NAT ALG or similar on the box, as this always causes problems with SIP registrations with the voice provider.
i understand this is not in OPNsense unless i went out of my way to install the os-siproxd plugin, but I did see some notes online (perhaps quite old) that made reference to the source port being modified under certain circumstances.
on an outbound (SNAT) NAT rule i can see there is an option for "static-port" but this does not exist with a one-to-one NAT rule.
the way my phone system works: it assumes nothing is going to change the port number when it talks out, and it stamps the outbound packets with the external WAN IP address that I have assigned it. this is the same WAN IP i am using in my one-to-one NAT rule.
are there any problems i should be looking out for with this?
many thanks in advance,
cheers, Wiz!!
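The question above is really "does anything in the path rewrite my source port?", and that is something you can measure rather than guess. The following is an added example, not code from the forum post or from the OPNsense project: a tiny UDP reflector that reports the source IP:port it observed, and a probe that binds a fixed local port (the way a SIP phone binds 5060) and compares that with what the reflector saw. Run `serve_reflector` on a host outside the NAT and `probe` from the phone's subnet; the host names, ports and JSON reply format are assumptions chosen for illustration. `self_test` runs both ends on loopback, where no translation happens, so the port must come back unchanged.

```python
"""UDP source-port preservation check (added example, not from the original post)."""
import json
import socket
import threading


def serve_reflector(sock: socket.socket, count: int = 1) -> None:
    """Answer `count` datagrams; each reply carries the source address the server observed.

    On a real deployment bind `sock` on a host outside the NAT and run this in a loop.
    """
    for _ in range(count):
        data, addr = sock.recvfrom(2048)
        reply = {
            "echo": data.decode(errors="replace"),
            "observed_ip": addr[0],      # what the outside world sees after NAT
            "observed_port": addr[1],
        }
        sock.sendto(json.dumps(reply).encode(), addr)


def probe(reflector_host: str, reflector_port: int,
          local_port: int = 0, timeout: float = 3.0) -> dict:
    """Send one datagram from a fixed local port and report what the reflector saw.

    local_port=0 lets the OS pick a port; a SIP phone would use something like 5060.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("0.0.0.0", local_port))
        bound_port = s.getsockname()[1]          # the source port actually used
        s.sendto(b"port-check", (reflector_host, reflector_port))
        data, _ = s.recvfrom(2048)
    seen = json.loads(data.decode())
    return {
        "local_port": bound_port,
        "observed_port": seen["observed_port"],
        "observed_ip": seen["observed_ip"],
        # True means the NAT (if any) left the source port alone.
        "port_preserved": seen["observed_port"] == bound_port,
    }


def self_test(local_port: int = 0) -> dict:
    """Run reflector and probe on loopback; with no NAT in the path the port is preserved."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    host, port = srv.getsockname()
    t = threading.Thread(target=serve_reflector, args=(srv, 1), daemon=True)
    t.start()
    try:
        return probe(host, port, local_port)
    finally:
        t.join(timeout=3)
        srv.close()


if __name__ == "__main__":
    # Loopback sanity run using a fixed, SIP-like port (constructed value).
    print(self_test(45060))
```

When run from behind the firewall against a reflector on the outside, `observed_ip` should be the one-to-one NAT address and `port_preserved` should be `True`; a `False` result, or a changing `observed_port` across runs, is the symptom that breaks SIP registration and RTP, and it points at a translation rule rather than at the phone system.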