Hi All,

I am having some trouble with asterisk behind a NAT via pf. The trouble I am having is that sometimes inbound RTP would fail with some SIP connections. The problem was sporadic, but I think I've nailed it down.

The firewall was reporting state clashes (state failure errors, I believe).

What seems to be happening is that when the connection uses symmetric RTP, the server (asterisk) sends UDP traffic to the server and makes a state entry for the NAT that is taking place. Then when the client tries to talk back on the same set of ports, the redirect clashes with the state entry.

I can see two things that would rectify the situation (unless I'm way off base):

- Somehow ask pf to NAT the outbound UDP but don't make the state entry. I have rdr's anyway so it'd still work.
- Somehow ask the rdr to rdr only if there isn't a state already :)

Am I making sense?

Thanks in advance,
Tim

-----
This is how I have my SIP setup:

# Enable static-port on outbound SIP requests

nat on $ext_if from $asterisk port 5060 to any port 5060 -> $ext_if static-port
#nat on $ext_if from $asterisk port 10000<>20000 to any -> $ext_if static-port

# Redirect SIP and RTP traffic to asterisk server

rdr on $ext_if proto udp from any to $ext_if port 5060 -> $asterisk port 5060
rdr on $ext_if proto udp from any to $ext_if port 10000:20000 -> $asterisk
