Need help with outbound NAT and port 4569

Started by highness, February 10, 2025, 04:46:45 AM

Hello all,

Been searching the interwebs most of the day for a solution to a problem I'm having with getting port 4569 opened.

I've got the port forwarding working (cloned it from another port forwarding rule that I know is working), but unable to connect to that port from the outside.  When I run a port scan against port 4569 it says that the port is not open.

I've seen one thread that said I need to create a static port on outbound NAT; so I created one, but not quite sure if I've done it right.

For outbound NAT - I'm using Hybrid outbound NAT rule generation (automatically generated rules are applied after manual rules) and my rule looks like this:

https://imgur.com/a/qq7UrSh



Thanks for *ANY* help you can give me on this!



The outbound rule in your screenshot looks very wrong. Before getting into what it maybe should look like, let's find out if it's even needed at all...

Maybe describe what it is that you're trying to accomplish? You have an Asterisk server on your LAN, and you're trying to make it accessible from the internet? Or...?

What have you tried to do? What did you expect to happen? What actually happened?

Note that a port scan will only "work" if it's UDP-based, and something actually responds to a UDP request on that port (Asterisk may not, if it doesn't like the content of the UDP request).

The basic misunderstanding is that you tried to use an outbound NAT rule (AKA SNAT) instead of the appropriate port-forwarding (AKA DNAT) rule for incoming traffic on port 4569.

Or, to put it that way: "Wrong direction, Sir!"
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 770 up, Bufferbloat A

No; they tried a port forward, and decided it wasn't working, so then they Googled and found a forum post that looks similar and said that they need to add an outbound NAT rule with static port, so they're trying to do that, but they don't really know what they're doing. Before trying to explain how to do the outbound rule properly, I'm trying to establish whether or not it's even needed.

Quote from: dseven on February 10, 2025, 10:53:46 AM

The outbound rule in your screenshot looks very wrong. Before getting into what it maybe should look like, let's find out if it's even needed at all...

Maybe describe what it is that you're trying to accomplish? You have an Asterisk server on your LAN, and you're trying to make it accessible from the internet? Or...?

What have you tried to do? What did you expect to happen? What actually happened?

Note that a port scan will only "work" if it's UDP-based, and something actually responds to a UDP request on that port (Asterisk may not, if it doesn't like the content of the UDP request).

My apologies for not describing what I'm trying to do...  I do have an Asterisk server sitting on my LAN - (it's for a ham radio project, but it's still an Asterisk server).

I'm trying to allow other ham radio operators to connect to my "node" via the Internet. Currently, I'm able to connect to some of them, but not the other way around.

The steps I've taken prior to this have been to create a rule to allow 4569 (cloned it from a working rule). I've had others try to connect to me, but no one has been able to do that.

Quote from: dseven on February 10, 2025, 12:27:01 PM

No; they tried a port forward, and decided it wasn't working, so then they Googled and found a forum post that looks similar and said that they need to add an outbound NAT rule with static port, so they're trying to do that, but they don't really know what they're doing. Before trying to explain how to do the outbound rule properly, I'm trying to establish whether or not it's even needed.

You would be 100% correct on all points (found the forum post that looked similar) and really don't know what I am doing.

Probably AllStar Link, then? I used to have a node, but that was 5+ years ago, and I wasn't running OPNsense back then ;)

According to https://wiki.allstarlink.org/wiki/Troubleshooting , source port preservation is an issue, so that outbound rule probably is actually needed. Try these parameters for your outbound NAT rule (leave everything other than these at defaults):

Interface: WAN
Protocol: UDP

Source address: Single host or Network / your node's internal IP address / /32 for the netmask
Source port: 4569

Static-port: CHECKED

Description: NAT IAX2 with static-port


If that doesn't work, maybe try "any" for the source port.
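Added example, not code from this thread or from OPNsense: a small Python model of why the port forward alone can leave the node unreachable and what the static-port outbound rule changes. It assumes (as the linked AllStar troubleshooting note about source-port preservation implies) that the registration server records the source IP:port it sees on the node's outbound registration and that other nodes dial that recorded address; the addresses and the 50001-65535 rewrite range are constructed to mirror pf's default nat behaviour.

```python
"""Hypothetical model of IAX2 (UDP 4569) behind source NAT, with and without static-port."""
import random

IAX2_PORT = 4569
EXT_IP = "203.0.113.10"   # constructed public address of the firewall
NODE_IP = "192.168.1.50"  # constructed LAN address of the Asterisk node


class OutboundNat:
    """Source NAT. Without static_port the source port is rewritten to an
    ephemeral high port, as pf's nat rules do by default (assumed 50001-65535)."""

    def __init__(self, static_port: bool, seed: int = 1):
        self.static_port = static_port
        self.rng = random.Random(seed)
        self.states = {}  # ext_port -> (lan_ip, lan_port), only matched by the original peer

    def translate(self, src_ip: str, src_port: int) -> tuple[str, int]:
        ext_port = src_port if self.static_port else self.rng.randint(50001, 65535)
        self.states[ext_port] = (src_ip, src_port)
        return EXT_IP, ext_port


class Firewall:
    def __init__(self, static_port: bool):
        self.nat = OutboundNat(static_port)
        # The inbound port forward the original poster already has in place.
        self.port_forwards = {IAX2_PORT: (NODE_IP, IAX2_PORT)}

    def register(self) -> tuple[str, int]:
        """Node registers with the directory; return the address the directory records."""
        return self.nat.translate(NODE_IP, IAX2_PORT)

    def inbound_from_new_peer(self, dst_port: int):
        """An unsolicited UDP packet from a different host matches no NAT state,
        so only a port forward can deliver it to the LAN."""
        return self.port_forwards.get(dst_port)


def peer_can_reach_node(static_port: bool) -> bool:
    """Simulate: node registers, then a new peer dials the address the directory handed out."""
    fw = Firewall(static_port)
    _ext_ip, registered_port = fw.register()
    return fw.inbound_from_new_peer(registered_port) == (NODE_IP, IAX2_PORT)


if __name__ == "__main__":
    print("reachable without static-port:", peer_can_reach_node(False))  # False
    print("reachable with static-port:   ", peer_can_reach_node(True))   # True
```

The rewritten source port is never 4569, so the directory hands out an address that the port forward does not cover; with static-port the registered port and the forwarded port coincide.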

Quote from: dseven on February 10, 2025, 03:52:47 PM

Probably AllStar Link, then? I used to have a node, but that was 5+ years ago, and I wasn't running OPNsense back then ;)

You are absolutely right - it is an AllStar link.  Great info!  THANK YOU!

Quote from: dseven on February 10, 2025, 03:52:47 PM

Probably AllStar Link, then? I used to have a node, but that was 5+ years ago, and I wasn't running OPNsense back then ;)

According to https://wiki.allstarlink.org/wiki/Troubleshooting , source port preservation is an issue, so that outbound rule probably is actually needed. Try these parameters for your outbound NAT rule (leave everything other than these at defaults):

Interface: WAN
Protocol: UDP

Source address: Single host or Network / your node's internal IP address / /32 for the netmask
Source port: 4569

Static-port: CHECKED

Description: NAT IAX2 with static-port


If that doesn't work, maybe try "any" for the source port.

Tried both scenarios - still no joy.

https://imgur.com/a/yII35TM


Hmm. You're going to have to dig a bit deeper to figure out what's going on. I don't remember how much visibility you get on an AllStar node. Can you see if it's attempting to register and failing? Maybe do a packet capture on your WAN interface for port 4569 and see what you see. Maybe the AllStar team can help you troubleshoot, and if it turns out to be OPNsense still doing something they don't like, we can look into that further...

Quote from: dseven on February 10, 2025, 08:24:54 PM

Hmm. You're going to have to dig a bit deeper to figure out what's going on. I don't remember how much visibility you get on an AllStar node. Can you see if it's attempting to register and failing? Maybe do a packet capture on your WAN interface for port 4569 and see what you see. Maybe the AllStar team can help you troubleshoot, and if it turns out to be OPNsense still doing something they don't like, we can look into that further...

Absolutely - I'll work with them and get this figured out. I *absolutely* appreciate your help on this!