> On 06.02.2019, at 11:15, Sebastian Reitenbach <[email protected]> wrote:
>
> On Wednesday, February 06, 2019 10:57 CET, [email protected] wrote:
>
>> Hello,
>> I have a Cisco SPA112 VoIP adapter to connect my analog phone to my provider's SIP
>> system. Recently I replaced my Linux based firewall (Fritzbox) with an OpenBSD 6.4
>> firewall. The firewall is connected to a vDSL modem and performs NAT for
>> outgoing IPv4 connections. The connection from the SPA112 to the SIP server
>> is IPv4 with NAT via UDP port 5060. The connection works and I can see the
>> NAT in the state table. I have configured NAT-Keepalive on the SPA112 to
>> keep the state open. After 24 hours my provider terminates my connection and,
>> after a new connection is established, the firewall has a new public IPv4
>> address.
>> After this change the SPA112 can no longer communicate with the SIP server
>> because it is still using the old state with the old public IPv4 address. If
>> I delete the state manually on the firewall to force the SPA112 to
>> register again, it works. The SPA112 also has an automatism to re-register
>> after 60 minutes. But without deleting the state the SPA112 will again use
>> the old state/connection.
>> From my point of view the SPA112 should use a new connection for the
>> re-register, or at least a new connection if it detects the loss of the
>> previous registration. But this problem doesn't exist with the old Linux
>> based firewall. I can also see a lot of other NAT entries in the state table
>> with the old public IPv4 address. Is there a feature of pf to delete all NAT
>> entries with the no longer existing public IPv4 on an address change?
>> Best Regards, Patrick
>
> Some lines of pf.conf would be helpful. Do you have parentheses around your
> interface name in the nat-to rule, like nat-to ($ext_if)?
> That should update the rules when addresses change, but I don't think that
> will touch active states.
>
> However, SIP and UDP might be problematic, since states are consulted first,
> before the rules are traversed. Since UDP is stateless, PF only sees
> sending/receiving IP and port, but with SIP the sending port might always be
> 5060 as well, so it may match the existing state, even if the external IP
> changed.
>
> Sebastian
>
Hi Sebastian,

Thanks for your quick reply. My nat rule uses the parentheses and all other devices behind the firewall work fine. I think it's more a specific issue with the SPA112. I have also set the ruleset optimization to conservative, but in this case the generated state just has a longer time to live. This isn't the problem, because the SPA112 sends regular keep-alive packets which reset the counter for the state.

Here are the related rules:

    pass out quick on egress inet from (vether0:network) nat-to (egress) modulate state
    pass in on egress inet proto udp from <sipprovider> to (egress) port 5060

As I'm just reading my rules again: is the modulate state the problem? Or will pf use keep state for UDP packets as the default?

Best Regards,
Patrick
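The behaviour Sebastian describes (state lookup before rule evaluation, so a stale UDP state keeps its old translation after the egress address changes) can be shown with a small model. This is an added, deliberately simplified model written for this thread, not pf's code; the addresses, the fixed source port (real nat-to picks a random source port unless static-port is given) and the state-killing helper are constructed assumptions.

```python
from dataclasses import dataclass

SIP_PORT = 5060

@dataclass
class State:
    # Simplified pf state: one key on the LAN ("stack") side, one on the WAN ("wire") side.
    proto: str
    stack_key: tuple   # (lan_src, lan_sport, dst, dport)
    wire_key: tuple    # (public_src, public_sport, dst, dport)

class PfModel:
    """Toy model of pf's outbound NAT path (constructed for illustration, not pf code)."""
    def __init__(self, egress_addr):
        self.egress_addr = egress_addr   # what "(egress)" currently evaluates to
        self.states = []

    def set_egress_addr(self, new_addr):
        # Interface address change: the rule now sees the new address, states are untouched.
        self.egress_addr = new_addr

    def send(self, proto, lan_src, sport, dst, dport):
        """Return the public (src, sport) the packet leaves with."""
        key = (lan_src, sport, dst, dport)
        # 1. State lookup comes first: an existing state wins regardless of the rules.
        for st in self.states:
            if st.proto == proto and st.stack_key == key:
                return st.wire_key[:2]
        # 2. No state: evaluate "pass out ... nat-to (egress) modulate state".
        #    For UDP, modulate state behaves like keep state (modulation only affects TCP).
        #    Source port kept fixed here; real nat-to randomises it unless static-port is set.
        wire = (self.egress_addr, sport, dst, dport)
        self.states.append(State(proto, key, wire))
        return wire[:2]

    def kill_states_with_wire_addr(self, addr):
        """Drop states whose public side uses a stale address; returns how many were removed."""
        before = len(self.states)
        self.states = [s for s in self.states if s.wire_key[0] != addr]
        return before - len(self.states)

def stale_state_demo():
    pf = PfModel("198.51.100.10")              # constructed old public address
    spa, sip = "192.168.1.20", "203.0.113.5"   # constructed SPA112 and SIP server addresses
    first = pf.send("udp", spa, SIP_PORT, sip, SIP_PORT)          # initial REGISTER
    pf.set_egress_addr("198.51.100.77")                            # provider reconnect
    after_change = pf.send("udp", spa, SIP_PORT, sip, SIP_PORT)   # keepalive / re-register
    killed = pf.kill_states_with_wire_addr("198.51.100.10")       # operator flushes stale states
    after_kill = pf.send("udp", spa, SIP_PORT, sip, SIP_PORT)     # next re-register
    return first[0], after_change[0], killed, after_kill[0]
```

The second send still leaves with the old public address even though the rule already resolves `(egress)` to the new one; only after the stale state is removed does the next re-register pick up the new address.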

