NAT for some internal IPs is not working

Started by Beleggrodion, December 05, 2022, 11:52:48 AM

December 05, 2022, 11:52:48 AM Last Edit: December 05, 2022, 02:02:56 PM by Beleggrodion
Hi,

I have the problem on some OPNsense firewalls that when the firewall is restarted, some Yealink phones can't connect anymore to the PBX on the WAN side.

The provider told me that three phones can't connect (I don't have access to the phones). When I now check on the firewall and do a tcpdump, I see that the affected phones try to connect to the PBX. "SIP: REGISTER" is visible on the LAN and also on the WAN side. The only thing that I see is that the three IPs are visible with their internal IPs in the tcpdump on the pppoe0 interface. Shouldn't that be the public IP of the firewall, as for the other phones?

I also had the same issue at another customer with an internal PBX which connects to the SIP provider directly.

I use the default NAT settings. The firewall version is 22.7.9 commit b0c31af1a.

Update/Edit:

After some searching I deleted the entries of the affected internal IP in the "Firewall: Diagnostics: States" view and then NAT worked again. But why does this happen and how can we prevent it?
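One way to spot the symptom described above (a phone's internal address leaving pppoe0 untranslated) from the state table itself instead of from a tcpdump. This is an added example, not code from this thread or from OPNsense. It assumes the `pfctl -ss` line layout `iface proto src [(orig-src)] -> dst state`, with the pre-NAT address in parentheses; the sample state lines use documentation addresses and are constructed, and the WAN interface name is taken from the post.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed line layout of `pfctl -ss` on OPNsense/FreeBSD (IPv4 only here):
#   <iface> <proto> <src>[ (<orig-src>)] <-|-> <dst>   <state>
# The address in parentheses is assumed to be the pre-NAT (original) endpoint.
_EP = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
STATE_RE = re.compile(
    rf"^(\S+)\s+(\S+)\s+{_EP}(?:\s+\({_EP}\))?\s+(<-|->)\s+{_EP}\s+(\S+)\s*$"
)

# RFC 1918 ranges: the "internal IPs" that must never leave the WAN side
# untranslated while outbound NAT is in effect.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class State:
    iface: str
    proto: str
    src: str                 # source as seen on the wire (post-NAT for outbound)
    orig_src: Optional[str]  # pre-NAT source when the state was translated, else None
    direction: str           # "->" outbound, "<-" inbound
    dst: str
    state: str


def parse_state(line: str) -> Optional[State]:
    """Parse one pfctl -ss line; returns None for lines in another layout."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    g = m.groups()
    orig = f"{g[4]}:{g[5]}" if g[4] else None
    return State(g[0], g[1], f"{g[2]}:{g[3]}", orig, g[6], f"{g[7]}:{g[8]}", g[9])


def host(hostport: str) -> str:
    return hostport.rsplit(":", 1)[0]


def is_rfc1918(hostport: str) -> bool:
    addr = ipaddress.ip_address(host(hostport))
    return any(addr in net for net in RFC1918)


def leaked_states(lines: List[str], wan_if: str) -> List[State]:
    """Outbound states on the WAN (or floating, 'all') whose source is an
    RFC 1918 address that was never translated towards a non-private peer.
    LAN-side states are skipped: there the private source is expected."""
    found = []
    for line in lines:
        s = parse_state(line)
        if s is None or s.iface not in (wan_if, "all"):
            continue
        if (s.direction == "->" and s.orig_src is None
                and is_rfc1918(s.src) and not is_rfc1918(s.dst)):
            found.append(s)
    return found


def kill_commands(states: List[State]) -> List[str]:
    """CLI equivalent of deleting the entry in Firewall: Diagnostics: States.
    Commands are returned, not executed, so an operator can review them first."""
    return [f"pfctl -k {host(s.src)} -k {host(s.dst)}" for s in states]


# Constructed sample output (documentation addresses), not captured from a real box.
SAMPLE_STATES = [
    # healthy: SIP REGISTER leaving translated, original phone address in parentheses
    "all udp 203.0.113.5:13331 (10.132.0.17:13231) -> 198.51.100.9:5060       MULTIPLE:MULTIPLE",
    # the symptom from this thread: a phone's private address on the WAN side, untranslated
    "pppoe0 udp 10.132.0.18:13231 -> 198.51.100.9:5060       NO_TRAFFIC:SINGLE",
    # inbound state towards the firewall, not an outbound leak
    "all udp 198.51.100.9:5060 <- 10.132.0.17:13231       MULTIPLE:MULTIPLE",
    # LAN-side half of a connection: a private source is normal here
    "lan udp 10.132.0.19:13231 -> 198.51.100.9:5060       MULTIPLE:MULTIPLE",
]

if __name__ == "__main__":
    leaks = leaked_states(SAMPLE_STATES, "pppoe0")
    for s, cmd in zip(leaks, kill_commands(leaks)):
        print(f"untranslated on {s.iface}: {s.src} -> {s.dst} ({s.state})  fix: {cmd}")
```

On a real box the list would come from `pfctl -ss` output piped into the script; the check deliberately uses explicit RFC 1918 ranges rather than `is_private`, because Python also counts the documentation and benchmark ranges as private and would hide a leak towards such a peer.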

I'm having a very similar issue.

UDP port forward rule mapping some external WAN port to an internal LAN address.
In sessions: instead of using the established connection, the router tries to send the packet directly out the WAN interface, bypassing the outbound NAT and not using the already established session.

I did the thing you suggested and it fixed it temporarily. But when the session dies I have the same issue again.

Something with connection tracking in OPNsense seems not to be working correctly.

Hi there,

are your WAN interfaces directly connected to the internet or are they on a private network?

Rgds

From my side, the public IP is directly on the firewall, via PPPoE. The modem is bridged, and no other IP is configured on the WAN side. As julian232 described, it looks like only UDP sessions are affected.

Hello,

because I have a similar problem, but with a fixed PPPoE line and IP where sometimes a resync happens between modem. And randomly the connected DECT phones don't want to re-register until I restart the N670 master base station.
I looked through the firewall settings and...
There is a config setting in Firewall -> Settings called "Dynamic state reset" and it will flush the entire state table on IPv4 address changes. Sounds like a solution, hopefully also for scenarios like mine where the IP changes to the same one as before the reconnection.

When I go to Firewall => States, I see the following:

int pro source nat dest State Rule
all udp 123.123.123.123:13331 10.132.0.17:13231 MULTIPLE:MULTIPLE let out anything from firewall host itself
all udp 123.123.123.123:13331 123.123.123.123:13231 10.132.0.17:13231 NO_TRAFFIC:SINGLE

One thing I can do to make a particular connection work is to delete the state and hope for it to work.

This issue has become a problem and we are probably replacing the OPNsense Firewall Router with another Router.