Synopsis: <Natted keep-alive UDP connections not killed on PPPoE address change>
Category: <system>
Environment:
System : OpenBSD 5.5
Details : OpenBSD 5.5 (GENERIC) #271: Wed Mar 5 09:31:16 MST 2014
[email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
Architecture: OpenBSD.amd64
Machine : amd64
Description:
Hello! I've encountered this issue while trying to get a SIP phone to
work behind an OpenBSD router. The SIP phone is in its own network, and
is natted.
I have configured the SIP phone to use UDP and to register with the SIP
server every 50 seconds. My understanding is this establishes a
permanent bidirectional UDP connection with the SIP server (UDP hole
punching; please correct me if I'm wrong).
This is the pf directive I use to allow the phone to communicate with
the sip server:
pass out quick on pppoe0 from em1:network to any nat-to (pppoe0)
And this is the corresponding connection I find in my state table:
all udp 78.55.192.3:63740 (192.168.2.2:5060) -> 217.10.79.9:5060 MULTIPLE:MULTIPLE
The problem happens when pppoe0 gets a new IP address. Even with the ()
around pppoe0, it doesn't look like this connection gets killed. Several
hours after the IP change on pppoe, I will still see this UDP connection
alive, and still natted to the old IP address.
While this connection is kept alive, the phone will not be able to
register again and will therefore be non-working.
How-To-Repeat:
Set up a persistent, natted UDP connection over an interface with a
dynamic IP address. Change IP address on this interface, observe
connection in state table still natted to old IP address.
Workaround:
Flushing the state table whenever an IP changes.
Thanks!
Yann Hamon
Attaching full /etc/pf.conf:
#
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
block drop all
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
# Bridge and SIP phone are both natted
pass out quick on pppoe0 from em1:network to any nat-to (pppoe0)
pass out quick on pppoe0 from vether0:network to any nat-to (pppoe0)
pass out on pppoe0
# SSH port on router is 2208
pass in quick on pppoe0 proto tcp to port 2208
# Forwarding SIP and RTP ports
pass in quick on pppoe0 proto udp from any to any port 5004:5020 rdr-to 192.168.2.2
pass in quick on pppoe0 proto udp from any to any port 5060 rdr-to 192.168.2.2
pass in quick on em1 from em1:network
pass out quick on em1 from em1:network to em1:network
# Allow connecting to admin interface from Sip phone
pass out quick on em1 proto tcp from vether0:network to em1:network port www
pass in quick on em2
pass out quick on em2
pass in quick on em3
pass out quick on em3
pass in quick on vether0 from vether0:network
pass out quick on vether0 to vether0:network
# DHCP
pass quick on vether0 inet proto tcp from any port 67:68 to any port 67:68
pass quick on vether0 inet proto udp from any port 67:68 to any port 67:68
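The workaround in the report flushes the whole state table on every address change. A narrower check, added here as an example and not part of the report or of OpenBSD, reads `pfctl -ss` lines in the layout shown above, picks out translated states whose public address is no longer the current pppoe0 address, and prints the pfctl -k commands that would remove only those. It assumes IPv4 addresses and that pf matches an outbound NAT state on its pre-translation (internal) source address; verify both on your system.

```shell
#!/bin/sh
# Added example, not from the original report: find pf NAT states whose
# translated (public) address no longer matches the current pppoe0 address
# and emit the pfctl -k commands that would remove them.
# Input lines use the `pfctl -ss` layout seen in the report, e.g.
#   all udp 78.55.192.3:63740 (192.168.2.2:5060) -> 217.10.79.9:5060 MULTIPLE:MULTIPLE
# Only translated states (those with a parenthesised original address) qualify.
# Addresses are split on ':', so this handles IPv4 states only.

# stale_nat_states CURRENT_ADDR  (state lines on stdin)
# Prints "<nat-addr> <internal-addr> <peer-addr>" for each stale translated state.
stale_nat_states() {
    awk -v cur="$1" '
        # $1=if $2=proto $3=nat:port $4=(internal:port) $5="->" $6=peer:port
        $4 ~ /^\(/ && $5 == "->" {
            split($3, nat, ":")
            gsub(/[()]/, "", $4)
            split($4, orig, ":")
            split($6, peer, ":")
            if (nat[1] != cur) print nat[1], orig[1], peer[1]
        }'
}

# kill_commands CURRENT_ADDR  (state lines on stdin)
# One "pfctl -k <internal> -k <peer>" per stale state. Assumption: pf matches
# an outbound NAT state on its pre-translation (internal) source address, so
# the internal host, not the old public address, is the right first -k.
kill_commands() {
    stale_nat_states "$1" | while read -r nat orig peer; do
        printf 'pfctl -k %s -k %s\n' "$orig" "$peer"
    done
}

# Constructed sample: one stale SIP state (old address 78.55.192.3), one
# state already on the new address, and one untranslated inbound state.
SAMPLE_STATES='all udp 78.55.192.3:63740 (192.168.2.2:5060) -> 217.10.79.9:5060 MULTIPLE:MULTIPLE
all udp 78.55.200.17:50123 (192.168.2.2:5062) -> 217.10.79.9:5060 MULTIPLE:MULTIPLE
all tcp 203.0.113.5:41000 -> 78.55.200.17:2208 ESTABLISHED:ESTABLISHED'

# sample_stale_count CURRENT_ADDR -> number of stale states in the sample
sample_stale_count() {
    printf '%s\n' "$SAMPLE_STATES" | stale_nat_states "$1" | wc -l | tr -d ' '
}

# On a live router, feed `pfctl -ss` instead of the sample and take the
# current address from `ifconfig pppoe0`.
printf '%s\n' "$SAMPLE_STATES" | kill_commands 78.55.200.17
```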