
Author Topic: Traffic blocked despite allow rule - how to dig deeper?  (Read 1070 times)


torontob (Sr. Member, Posts: 479)
Traffic blocked despite allow rule - how to dig deeper?
« on: August 04, 2012, 04:51:48 pm »
Hi Everyone,

I have a problem with NAT/Firewall which blocks an IP that it shouldn't. I have set the rules to ALLOW as follows through NAT/Firewall:

NAT:
-------------------------------

Code:
If   Proto  Src. addr        Src. ports     Dest. addr   Dest. ports  NAT IP       NAT Ports   Description
WAN  UDP    209.209.209.209  *              22.22.22.22  5060 (SIP)   192.168.0.5  5060 (SIP)  SIP-Server-SIP
WAN  UDP    209.209.209.209  10000 - 20000  22.22.22.22  5060 (SIP)   192.168.0.5  10000       SIP-Server-RTP

Firewall:
-------------------------------

Code:
Proto  Source           Port           Destination  Port        Gateway  Queue  Description
UDP    209.209.209.209  *              192.168.0.5  5060 (SIP)  *        none   NAT SIP-Server-SIP
UDP    209.209.209.209  10000 - 20000  192.168.0.5  10000       *        none   NAT SIP-Server-RTP


System Logs > Firewall Logs:
-------------------------------

Code:
Time            If   Source                 Destination        Proto
Aug 4 17:34:22  WAN  209.209.209.209:10648  22.22.22.22:12706  UDP
Aug 4 17:34:22  WAN  209.209.209.209:15418  22.22.22.22:11802  UDP


Why is that happening? As you can see above, I have allowed SIP UDP 5060 and the RTP UDP port range 10000-20000 to be NATed to 192.168.0.5, and the firewall rule shows it open as well. But then the firewall log shows ports 12706 and 11802 blocked. Those fall within 10000-20000. Why are they blocked? How can I dig deeper?


Legend:
SIP-Server LAN IP = 192.168.0.5
SIP-Server Public IP Address (Set as Virtual IP in pfSense): 22.22.22.22
VoIP Service Provider Public IP: 209.209.209.209


Much appreciated,

torontob (Sr. Member, Posts: 479)
Re: Traffic blocked despite allow rule - how to dig deeper?
« Reply #1 on: August 04, 2012, 07:48:40 pm »
My issue was in the NAT of the port range:

Code:
If   Proto  Src. addr        Src. ports     Dest. addr    Dest. ports    NAT IP       NAT Ports      Description
WAN  UDP    209.209.209.209  10000 - 20000  22.222.22.22  10000 - 20000  192.168.0.5  10000 - 20000  SIP-Server-RTP

Lesson learned: don't rely on the "from" port only. Add both "from" and "to".
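As an added illustration of the lesson in this thread (example code written for this page, not code from the thread or from pfSense): a simplified first-match model of the port-forward table, run over the two firewall-log lines from the first post. It shows that the RTP rule as originally posted (range under source ports, destination port still 5060) never matches a packet arriving on 12706 or 11802, while the corrected rule from reply #1 does. Column semantics follow the NAT table shown above; interface, state and the rest of pf evaluation are left out.

```python
import re
from collections import namedtuple

# One row of the pfSense NAT port-forward table (simplified model, not pfSense code).
# src_ports / dst_ports are (low, high) tuples or None for '*'. dst_ports is what the
# *arriving* packet's destination port is checked against; src_ports only constrains
# the sender's (usually ephemeral) port, which is why it cannot open a listening range.
PortForward = namedtuple("PortForward", "proto src_addr src_ports dst_addr dst_ports nat_ip description")

def in_range(rng, port):
    return rng is None or rng[0] <= port <= rng[1]

def first_match(rules, proto, src_ip, src_port, dst_ip, dst_port):
    """First rule the packet satisfies; None means it falls through to the default block."""
    for r in rules:
        if (r.proto == proto and r.src_addr == src_ip and in_range(r.src_ports, src_port)
                and r.dst_addr == dst_ip and in_range(r.dst_ports, dst_port)):
            return r
    return None

# Rules as posted: the RTP rule has 10000-20000 under source ports but still 5060 as destination port.
POSTED = [
    PortForward("UDP", "209.209.209.209", None, "22.22.22.22", (5060, 5060), "192.168.0.5", "SIP-Server-SIP"),
    PortForward("UDP", "209.209.209.209", (10000, 20000), "22.22.22.22", (5060, 5060), "192.168.0.5", "SIP-Server-RTP"),
]
# Corrected RTP rule from reply #1: destination ports 10000-20000 as well.
FIXED = [POSTED[0], PortForward("UDP", "209.209.209.209", (10000, 20000), "22.22.22.22",
                                (10000, 20000), "192.168.0.5", "SIP-Server-RTP")]

LOG_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)$")

def parse_log(line):
    """'System Logs > Firewall' line -> (proto, src_ip, src_port, dst_ip, dst_port)."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    src_ip, src_port, dst_ip, dst_port, proto = m.groups()
    return proto, src_ip, int(src_port), dst_ip, int(dst_port)

def explain(rules, log_lines):
    """Destination port of each logged packet -> description of the rule it hits (None = still blocked)."""
    result = {}
    for line in log_lines:
        pkt = parse_log(line)
        hit = first_match(rules, *pkt)
        result[pkt[4]] = hit.description if hit else None
    return result

BLOCKED = [  # the two firewall-log lines from the original post
    "Aug 4 17:34:22 WAN    209.209.209.209:10648    22.22.22.22:12706 UDP",
    "Aug 4 17:34:22 WAN    209.209.209.209:15418    22.22.22.22:11802 UDP",
]
```

`explain(POSTED, BLOCKED)` reports both logged destination ports as unmatched, whereas `explain(FIXED, BLOCKED)` attributes both to SIP-Server-RTP; the same check can be pointed at any other blocked line before changing the rule set.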