
Author Topic: NAT Ports to VLANS  (Read 162 times)


Offline Jamerson

  • Sr. Member
  • ****
  • Posts: 365
  • Karma: +4/-0
    • View Profile
NAT Ports to VLANS
« on: May 17, 2017, 11:33:07 am »
Hi guys,
We need to NAT a group of ports on the WAN to specific VLANs.
Is this possible on pfSense?

For example, we want to NAT port 5060 to VLAN 20 over the WAN.

Thank you

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 7665
  • Karma: +904/-223
    • View Profile
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help!

Offline Jamerson

Re: NAT Ports to VLANS
« Reply #2 on: May 17, 2017, 12:20:14 pm »
Thank you for your answer.
I have forwarded the ports to the VLAN as described; however, when I check for open ports using this link http://www.yougetsignal.com/tools/open-ports/ it shows that the ports are still closed.
Please see the attached screenshots of the forwarded rules.

Offline Derelict

Re: NAT Ports to VLANS
« Reply #3 on: May 17, 2017, 12:22:16 pm »
No screenshots.

The list of things to check is here:

https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Offline Jamerson

Re: NAT Ports to VLANS
« Reply #4 on: May 17, 2017, 12:40:30 pm »
Please see the screenshot. Thank you.

Offline Derelict

Re: NAT Ports to VLANS
« Reply #5 on: May 17, 2017, 03:18:18 pm »
Great, where is the screenshot of the port forward?

You cannot just NAT WAN address:5060 to the LAN. You either need 1:1 NAT, which requires an outside IP address for every inside address, or port forward WAN address:5060 to a specific Inside Address:5060.

Offline Jamerson

Re: NAT Ports to VLANS
« Reply #6 on: May 17, 2017, 04:35:07 pm »
On the VLAN we have like 10 phones.
Does that mean I have to NAT each phone IP?
Please see the rules on the WAN side (screenshots are attached).


Offline Derelict

Re: NAT Ports to VLANS
« Reply #7 on: May 17, 2017, 06:03:22 pm »
With one outside IP address you can forward port 5060 inbound to exactly one place, not like 10.

Describe your VoIP environment completely. Where are the phones, where is the PBX, and where are the SIP trunks (if any)?

Who is the provider and what is their port forward/NAT guidance?
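
An added example, not part of the original thread: a check for the constraint described in the reply above (one outside address, protocol and port can be forwarded to only one inside host), run over a constructed list of port forwards. The addresses (203.0.113.x outside, 10.0.20.x inside) and the names `Forward` and `conflicts` are assumptions made for illustration, not pfSense objects.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Forward:
    wan_ip: str   # outside address the forward listens on
    proto: str    # "udp" or "tcp"
    first: int    # first outside port
    last: int     # last outside port (same as first for a single port)
    target: str   # inside address the traffic is redirected to

def overlaps(a, b):
    """True when both forwards claim at least one identical
    (outside address, protocol, port) tuple."""
    return (ip_address(a.wan_ip) == ip_address(b.wan_ip)
            and a.proto == b.proto
            and a.first <= b.last and b.first <= a.last)

def conflicts(rules):
    """Return (earlier_target, later_target, proto, (lo, hi)) for every pair
    of forwards that claim the same outside tuple but point at different
    inside hosts. Only one of the two hosts can receive that traffic."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if overlaps(earlier, later) and earlier.target != later.target:
                lo = max(earlier.first, later.first)
                hi = min(earlier.last, later.last)
                found.append((earlier.target, later.target, later.proto, (lo, hi)))
    return found

# Constructed rule set (sample data, not taken from the thread's screenshots).
RULES = [
    Forward("203.0.113.10", "udp", 5060, 5060, "10.0.20.11"),
    Forward("203.0.113.10", "udp", 5060, 5060, "10.0.20.12"),  # second phone, same tuple
    Forward("203.0.113.10", "tcp", 5061, 5061, "10.0.20.11"),  # other protocol and port: fine
    Forward("203.0.113.10", "udp", 5000, 5100, "10.0.20.13"),  # range that includes 5060
    Forward("203.0.113.11", "udp", 5060, 5060, "10.0.20.12"),  # second outside IP: fine
]

if __name__ == "__main__":
    for a, b, proto, (lo, hi) in conflicts(RULES):
        print(f"conflict: {a} and {b} both claim {proto} {lo}-{hi}")
```

The forward on the second outside address produces no conflict, which is the 1:1 NAT case from the earlier reply: each additional inside host that needs the same port needs its own outside address.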

Offline Jamerson

Re: NAT Ports to VLANS
« Reply #8 on: May 18, 2017, 06:48:35 am »
Thank you for your answer.
The PBX is hosted outside the office in a Google datacentre, which needs incoming ports.
According to the manual, we need these ports to be open:

Remote provisioning of devices
Incoming:
443 TCP (default) or another external secure port (SIP-RTP page);
5060 UDP 5061 TCP for SIP registration
RTP: from 10000 to 15000 (SIP-RTP page)


Outgoing: any-to-any rules are applied.


Edit:
When we call out, stuff works fine; however, when people call us the quality is poor.
I've changed the outgoing NAT rules from Automatic to Manual; however, the issue still exists.

Can someone please advise!
« Last Edit: May 18, 2017, 10:45:48 am by Jamerson »

Offline Derelict

Re: NAT Ports to VLANS
« Reply #9 on: May 18, 2017, 12:20:37 pm »
If all calls are completing reliably to/from multiple phones and you have two-way audio it is probably not NAT.

Quote
when people calls us the quality is poor.

Usually voice quality in one direction is the issue and that is generally you speaking to them because your upload is asymmetric compared to your download.

You probably need to better describe what you are seeing.

Offline Jamerson

Re: NAT Ports to VLANS
« Reply #10 on: May 18, 2017, 12:32:44 pm »

We managed to fix the issue.
When we use ISP 1 as the default WAN, the problem with the voice comes back.
When we use ISP 2 as the default WAN, the problem disappears and the phone quality is fine.

The phones are running on VLAN30 and the computers on VLAN1.

We are using load balancing with one Tier 1 and packet loss or high latency. When I check whatismyip, sometimes I get the ISP1 IP and other times I get the ISP2 IP.
I want to use ISP2 as the default WAN and gateway, and ISP 1 only when ISP 2 is totally down.
Do I have to change the Trigger Level to Member Down?


Thank you
« Last Edit: May 18, 2017, 06:25:31 pm by Jamerson »

Offline Derelict

Re: NAT Ports to VLANS
« Reply #11 on: May 19, 2017, 12:29:30 pm »
I can imagine load balancing with VoIP would be unsatisfactory.

I would create a failover gateway group and policy route the VoIP traffic to that instead of the load balance group. Both can coexist and you can have different outbound connections use different gateway groups.