Can PF do Cone NAT?

Gee Jay geejay at inbox.lv
Tue Dec 6 13:12:12 PST 2005


Dear Gentlemen,

I am struggling to set up NAT / port redirection on a pfSense firewall
(which uses PF) for the SIP protocol, or rather its RTP media streams.

By all appearances the NAT in PF seems to work as a symmetric NAT which
causes SIP in certain cases to fail.

The VoIP provider in question uses on its side several media boxes with
their own IPs to stream the RTP media via UDP. My understanding of the
problem is that the NAT in PF uses a different NAT port for each public
destination IP, so that the media boxes talk back to "dead" ports on the NAT,
whereas in the cone NAT only one port is used, irrespective of the external IP
addressed.


For further explanations regarding the problem see here:
http://corp.deltathree.com/technology/nattraversalinsip.pdf
or here
http://list.sipfoundry.org/archive/ietf-behave/pdf00000.pdf
http://en.wikipedia.org/wiki/Restricted_cone_NAT

My basic question is: Can PF do a cone NAT? And if so, how? The PF
documentation didn't help me, unfortunately.

Thanks for your help in the matter.

GeeJay
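
The mapping difference described in the message above, as an added example that is not part of the original post and is not PF's implementation: a small model of a NAT table in symmetric mode (one public port per internal socket and destination) and in address-restricted cone mode (one public port per internal socket). All addresses, ports and the `Nat` class are constructed for illustration, and it assumes the phone's public RTP port is learned through a host other than the media box.

```python
import itertools

class Nat:
    """Toy UDP NAT table; symmetric=True keys mappings on the destination too."""
    def __init__(self, public_ip, symmetric):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.ports = itertools.count(50000)  # constructed public port pool
        self.out = {}    # mapping key -> public port
        self.back = {}   # public port -> (internal socket, remote IPs contacted)

    def outbound(self, src, dst):
        """Translate an outgoing packet; return the public endpoint the peer sees."""
        # Symmetric: a new port for every (internal socket, destination) pair.
        # Cone: the same port is reused whatever the destination is.
        key = (src, dst) if self.symmetric else src
        if key not in self.out:
            port = next(self.ports)
            self.out[key] = port
            self.back[port] = (src, set())
        port = self.out[key]
        self.back[port][1].add(dst[0])  # remember which remote IP this port talked to
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Return the internal socket a packet is delivered to, or None if dropped."""
        entry = self.back.get(public_port)
        if entry is None or remote[0] not in entry[1]:
            return None  # the "dead" port case: no mapping for this sender
        return entry[0]

def rtp_reaches_phone(symmetric):
    nat = Nat("203.0.113.1", symmetric)
    phone = ("192.168.1.10", 16384)        # constructed internal RTP socket
    learner = ("198.51.100.5", 3478)       # constructed host that observes the public port
    media_box = ("198.51.100.77", 20000)   # constructed media box with its own IP
    advertised = nat.outbound(phone, learner)    # public port the provider is told about
    nat.outbound(phone, media_box)               # phone starts sending RTP to the media box
    # The media box sends its RTP to the advertised port.
    return nat.inbound(media_box, advertised[1]) == phone

if __name__ == "__main__":
    print("cone NAT, media delivered:     ", rtp_reaches_phone(symmetric=False))
    print("symmetric NAT, media delivered:", rtp_reaches_phone(symmetric=True))
```
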


