Yes, this is a common problem I run into when multiple NAT clients
connect to the same IPSEC VPN server. Only the first one is allowed to
connect, because the IPSEC server is refusing the other connections
because they have the same external IP.
Other firewalls get around this by using a pool of public IP addresses, and
each NAT client gets its own 1:1 mapping from the pool. Some firewalls
give you the option of choosing a 1:1 NAT IP or a PAT IP from the
captive portal screen, others just do it automatically. Granted this
doesn't help much if you don't have the public IPs, but I would like to
see this feature added in the future.
Adam
Lee J. Imber wrote:
Hi All,
I am stuck and hoping someone here can help.
Here is the situation.
I have 10 SIP phones (Polycom IP320s) on an internal 10.0.0.x net. These
phones get DHCP from the pfSense 1.2-RELEASE box, then go out a
cable modem to the phone provider.
The Problem.
I can only get one phone to work. The first phone that boots works,
the remaining phones don't. When I say they don't work: they boot
fine and get IP information, but I get no dial tone and I cannot make
inbound or outbound calls. The phone that boots first works perfectly.
I have tried all the various NAT tweaks I can think of like enabling
static port and AON, nothing works same issue.
I read:
"SIP Limitation - By default, all TCP and UDP traffic other than SIP
and IPsec gets the source port rewritten. More information on this can
be found in the static port documentation. Because this source port
rewriting is how pf tracks which internal IP made the connection to
the given external server, and most all SIP traffic uses the same
source port, only one SIP device can connect simultaneously to a
single server on the Internet. Unless your SIP devices can operate
with source port rewriting (most can't), you cannot use multiple
phones with a single outside server without using a dedicated public
IP per device. The sipproxd package will provide a work around for
this issue, and is currently under development."
OK, forget playing with rules/nat.
I have installed siproxd and been digging through that documentation
and testing with no luck.
This is where I am, anyone have a working siproxd.conf that would be
similar to my topology?
Any pointers?
Thanks,
Lee
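Added illustration of the mechanism the quoted pfSense note describes; this is not code from the thread, pfSense or siproxd. It is a toy model of a PAT state table with constructed addresses (phones 10.0.0.11/.12, a public IP of 198.51.100.7, a provider at 203.0.113.5:5060): with source-port rewriting the provider answers to the port named in the phone's Via header (RFC 3261 sent-by) and the reply misses the NAT state; with static port the second phone collides with the first phone's state; a proxy that rewrites Via/Contact to the reachable public address and port (the part of siproxd's job modelled here, as an assumption) lets every phone register. Real siproxd is a separate listening process on the firewall rather than a header rewriter inside pf; the model only shows why the rewrite matters.

```python
"""Toy model of SIP through PAT: static port vs. port rewriting vs. a rewriting proxy.
All addresses are constructed sample values."""
import re
from dataclasses import dataclass

PHONES = ["10.0.0.11", "10.0.0.12"]          # constructed internal phones
PROVIDER = ("203.0.113.5", 5060)             # constructed SIP provider
PUBLIC_IP = "198.51.100.7"                   # constructed WAN address


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatTable:
    """Minimal NAT state table: outbound flows get an external source port,
    and replies are matched on (external port, remote ip, remote port)."""

    def __init__(self, public_ip, static_port):
        self.public_ip = public_ip
        self.static_port = static_port   # True = keep the internal source port
        self.next_port = 50000           # first port handed out when rewriting
        self.outbound = {}               # Flow -> external source port
        self.inbound = {}                # (ext_port, dst_ip, dst_port) -> Flow

    def translate(self, flow):
        if flow in self.outbound:
            return self.outbound[flow]
        ext_port = flow.src_port if self.static_port else self.next_port
        if not self.static_port:
            self.next_port += 1
        key = (ext_port, flow.dst_ip, flow.dst_port)
        if key in self.inbound and self.inbound[key] != flow:
            # Two internal hosts cannot share one external tuple to the same peer.
            raise RuntimeError(f"state collision on {key}")
        self.outbound[flow] = ext_port
        self.inbound[key] = flow
        return ext_port

    def reply_target(self, ext_port, from_ip, from_port):
        """Which internal flow (if any) a packet to ext_port from the peer reaches."""
        return self.inbound.get((ext_port, from_ip, from_port))


def make_register(phone_ip, port=5060):
    # Constructed minimal REGISTER; only the headers that matter here.
    return ("REGISTER sip:provider.example SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {phone_ip}:{port}\r\n"
            f"Contact: <sip:{phone_ip}:{port}>\r\n\r\n")


def via_port(msg):
    """Port the server will answer to: the sent-by port in the top Via (no rport)."""
    for line in msg.split("\r\n"):
        if line.startswith("Via:"):
            return int(line.rsplit(":", 1)[1])
    raise ValueError("no Via header")


def rewrite_headers(msg, public_ip, ext_port):
    """Hypothetical proxy step: replace the private ip:port in Via/Contact with
    the address and port the provider can actually reach through the NAT."""
    out = []
    for line in msg.split("\r\n"):
        if line.startswith(("Via:", "Contact:")):
            line = re.sub(r"\d+\.\d+\.\d+\.\d+:\d+", f"{public_ip}:{ext_port}", line)
        out.append(line)
    return "\r\n".join(out)


def simulate(static_port, proxy):
    """Return {phone_ip: bool} telling whether the provider's reply reaches each phone."""
    nat = NatTable(PUBLIC_IP, static_port)
    reached = {}
    for ip in PHONES:
        msg = make_register(ip)
        flow = Flow(ip, 5060, *PROVIDER)
        try:
            ext_port = nat.translate(flow)
        except RuntimeError:
            reached[ip] = False            # second phone loses with static port
            continue
        if proxy:
            msg = rewrite_headers(msg, nat.public_ip, ext_port)
        # Provider sends its response to the port named in the Via header.
        reached[ip] = nat.reply_target(via_port(msg), *PROVIDER) == flow
    return reached


if __name__ == "__main__":
    print("static port, no proxy :", simulate(static_port=True, proxy=False))
    print("port rewrite, no proxy:", simulate(static_port=False, proxy=False))
    print("port rewrite + proxy  :", simulate(static_port=False, proxy=True))
```

Running it prints one working phone for static port, none for plain port rewriting, and all phones once the headers are rewritten, which is the ordering of outcomes the quoted note and Lee's symptoms describe.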