Sorry to keep pestering, but this is kind of a show stopper for me. Does
anyone have any ideas?
Thanks,
Tim
Tim Pushor wrote:
Hi All,
I am having some trouble with asterisk behind a NAT via pf. The
trouble I am having is that sometimes inbound RTP would fail with some
SIP connections. The problem was sporadic, but I think I've nailed it
down.
The firewall was reporting state clashes (state failure errors, I
believe).
What seems to be happening is that when the connection uses symmetric
RTP, the server (asterisk) sends UDP traffic to the server and makes a
state entry for the NAT that is taking place. Then when the client
tries to talk back on the same set of ports, the redirect clashes with
the state entry.
I can see two things that would rectify the situation (unless I'm way
off base): Somehow ask pf to NAT the outbound UDP but don't make the
state entry. I have rdr's anyway so it'd still work. Somehow ask the
rdr to rdr only if there isn't a state already :)
Am I making sense?
Thanks in advance,
Tim
-----
This is how I have my SIP setup:
# Enable static-port on outbound SIP requests
nat on $ext_if from $asterisk port 5060 to any port 5060 -> $ext_if static-port
#nat on $ext_if from $asterisk port 10000<>20000 to any -> $ext_if static-port
# Redirect SIP and RTP traffic to asterisk server
rdr on $ext_if proto udp from any to $ext_if port 5060 -> $asterisk port 5060
rdr on $ext_if proto udp from any to $ext_if port 10000:20000 -> $asterisk