Hello misc. I have a PBX, a Samsung OfficeServ 7400 with a VoIP module. The SIP provider gives out a small private /29 network to connect to their SIP server directly. So I need to include my OBSD box in this network to translate IP phones from my own private /24 network. All works fine with only one IP phone; any other phones can't establish connections with the PBX, because the "static-port" directive is used in the NAT rules. Without the "static-port" directive only one side can be heard in a call. Please help me resolve this problem.
#####################pf.conf#############################
int_if = "fxp0"
ipsec_if = "fxp1"
phone_if = "fxp2"
waterpas_if = "rl0"

table <khaer> { 192.168.16.0/24 }
table <baza> { 192.168.15.0/24 }
table <phone> { 172.20.252.0/29 }
table <ipsec1> { 192.168.10.1 }
table <ipsec2> { 192.168.10.2 }

set skip on { lo0, enc0 }
set loginterface fxp0
set block-policy drop

block log all

#nat
match out on $phone_if inet proto udp from 192.168.16.13 to any nat-to $phone_if static-port
match out on $phone_if inet proto udp from 192.168.16.14 to any nat-to $phone_if static-port

#in
pass in on $int_if inet proto udp from 192.168.16.13 to fxp2:network route-to $phone_if
pass in on $int_if inet proto udp from 192.168.16.14 to fxp2:network route-to $phone_if

#out
pass out on { $phone_if, $waterpas_if } inet proto { tcp, udp }
pass out on $int_if inet proto { tcp, udp } from 192.168.16.6 to any
pass out on $int_if inet proto icmp from 192.168.16.6 to any
###############################################################

"route-to" is used for policy-based routing, because I have four networks on this box.

Here are the states:

# pfctl -s state | grep .13
all udp 172.20.252.34:6000 <- 192.168.16.13:6000       MULTIPLE:MULTIPLE
all udp 172.20.252.36:6000 (192.168.16.13:6000) -> 172.20.252.34:6000       MULTIPLE:MULTIPLE
all udp 172.20.252.34:9000 <- 192.168.16.13:9000       NO_TRAFFIC:SINGLE
all udp 172.20.252.36:9000 (192.168.16.13:9000) -> 172.20.252.34:9000       SINGLE:NO_TRAFFIC
all udp 172.20.252.35:30012 <- 192.168.16.13:9000       MULTIPLE:MULTIPLE
all udp 172.20.252.36:9000 (192.168.16.13:9000) -> 172.20.252.35:30012       MULTIPLE:MULTIPLE
all udp 172.20.252.35:30013 <- 192.168.16.13:9001       MULTIPLE:MULTIPLE
all udp 172.20.252.36:9001 (192.168.16.13:9001) -> 172.20.252.35:30013       MULTIPLE:MULTIPLE

# pfctl -s state | grep .14
all udp 172.20.252.34:6000 <- 192.168.16.14:6000       NO_TRAFFIC:SINGLE

192.168.16.13 is ringing and talking, but 192.168.16.14 can't.
I read this: http://www.bastard.net/~kos/pf-voip.html and directly copy-pasted the setup for my case, but with tagging again only one phone works. Possibly I don't understand how NAT works and PF can't translate 192.168.16.14 with the same port that is in use at this moment.

Here the translation works:

all udp 172.20.252.34:6000 <- 192.168.16.13:6000       MULTIPLE:MULTIPLE
all udp 172.20.252.36:6000 (192.168.16.13:6000) -> 172.20.252.34:6000       MULTIPLE:MULTIPLE

but here it does not work:

all udp 172.20.252.34:6000 <- 192.168.16.14:6000       NO_TRAFFIC:SINGLE

because port 6000 is already taken up by the previous state.
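Added illustration (not from the mails above and not PF code): a small Python model of a NAT state table, keyed the way pf keys a translated flow (external address, external port, peer address, peer port), which reproduces the three situations described in these mails: two phones sharing local port 6000 behind one external address with static-port (the second mapping collides, modelled here as a rejected state), each phone mapped to its own external address with static-port (both keep their port), and dynamic port allocation without static-port (the state exists, but a peer that sends RTP back to the port it learnt from the SDP body hits no state, which is the usual cause of one-way audio). The second external address 172.20.252.37 is an assumed free address in the provider-assigned range; the dynamic allocator picks the lowest free port for determinism, whereas pf picks randomly.

```python
"""Toy model of a pf-like NAT state table (constructed illustration, not PF code).

A translated flow is keyed by (external ip, external port, peer ip, peer port),
i.e. exactly the tuple a packet coming back from the peer carries, so two inside
hosts can never own the same tuple at the same time.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PBX = ("172.20.252.34", 6000)      # PBX address/port as seen in the pfctl states above
EXT_A = "172.20.252.36"            # the OpenBSD box's address on $phone_if
EXT_B = "172.20.252.37"            # ASSUMED: a second, unused address from the provider range
PHONE_A = ("192.168.16.13", 6000)
PHONE_B = ("192.168.16.14", 6000)  # same local port as PHONE_A, as in the mails


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Key = Tuple[str, int, str, int]
Mapping = Optional[Tuple[str, int]]


class NatTable:
    """One outbound state per translated tuple, like pf's state table."""

    def __init__(self, dyn_ports: Tuple[int, int] = (50001, 65535)) -> None:
        self.states: Dict[Key, Flow] = {}
        self.dyn_ports = dyn_ports

    def translate(self, flow: Flow, ext_ip: str, static_port: bool) -> Mapping:
        """Create the outbound state; return (ext_ip, ext_port), or None on collision."""
        if static_port:
            key: Key = (ext_ip, flow.src_port, flow.dst_ip, flow.dst_port)
            owner = self.states.get(key)
            if owner is not None and owner != flow:
                return None  # tuple already owned by another inside host
            self.states[key] = flow
            return ext_ip, flow.src_port
        lo, hi = self.dyn_ports
        for port in range(lo, hi + 1):  # lowest free port; pf would pick randomly
            key = (ext_ip, port, flow.dst_ip, flow.dst_port)
            if key not in self.states:
                self.states[key] = flow
                return ext_ip, port
        return None  # port range exhausted

    def inbound(self, ext_ip: str, ext_port: int, peer_ip: str, peer_port: int) -> Optional[Flow]:
        """Reverse lookup for a packet arriving from the peer; None means no state, dropped."""
        return self.states.get((ext_ip, ext_port, peer_ip, peer_port))


def phone_flow(phone: Tuple[str, int]) -> Flow:
    return Flow(phone[0], phone[1], PBX[0], PBX[1])


def one_address_static_port() -> Tuple[Mapping, Mapping]:
    """Both phones NAT'd to EXT_A with static-port: the second one collides."""
    nat = NatTable()
    a = nat.translate(phone_flow(PHONE_A), EXT_A, static_port=True)
    b = nat.translate(phone_flow(PHONE_B), EXT_A, static_port=True)
    return a, b


def per_phone_address_static_port() -> Tuple[Mapping, Mapping]:
    """Each phone gets its own external address: ports survive, no collision."""
    nat = NatTable()
    a = nat.translate(phone_flow(PHONE_A), EXT_A, static_port=True)
    b = nat.translate(phone_flow(PHONE_B), EXT_B, static_port=True)
    return a, b


def dynamic_port_one_way_audio() -> Tuple[int, bool, bool]:
    """Without static-port the state is created, but RTP sent back to the port the
    peer learnt from SDP (the inside port 6000) matches no state: one-way audio."""
    nat = NatTable()
    mapping = nat.translate(phone_flow(PHONE_A), EXT_A, static_port=False)
    assert mapping is not None
    ext_ip, ext_port = mapping
    to_rewritten_port = nat.inbound(ext_ip, ext_port, PBX[0], PBX[1])      # matches
    to_sdp_port = nat.inbound(ext_ip, PHONE_A[1], PBX[0], PBX[1])          # no state
    return ext_port, to_rewritten_port is not None, to_sdp_port is None


if __name__ == "__main__":
    print("one address, static-port      :", one_address_static_port())
    print("one address per phone, static :", per_phone_address_static_port())
    print("dynamic port (port, fwd ok, sdp-port dropped):", dynamic_port_one_way_audio())
```

The model only captures the state-table key; it does not model SIP ALGs, SDP rewriting or the IP address inside the SDP body, which is a separate reason NAT and SIP interact badly.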