From: "Gee Jay" <geejay@inbox.lv>
To: freebsd-pf@freebsd.org
Date: Tue, 6 Dec 2005 22:09:23 +0200
Subject: Can PF do Cone NAT ?
List-Id: "Technical discussion and general questions about packet filter (pf)"

Dear Gentlemen,

I am struggling to set up NAT / port redirection on a pfSense firewall (which uses PF) for the SIP protocol, or rather its RTP media streams. By all appearances the NAT in PF seems to work as a symmetric NAT, which causes SIP in certain cases to fail.
The VoIP provider in question uses on its side several media boxes with their own IPs to stream the RTP media via UDP. My understanding of the problem is that the NAT in PF uses a different NAT port for each public destination IP, so that the media boxes talk back to "dead" ports on the NAT, whereas a cone NAT uses only one port, irrespective of the external IP addressed.

For further explanations regarding the problem see here:
http://corp.deltathree.com/technology/nattraversalinsip.pdf
or here:
http://list.sipfoundry.org/archive/ietf-behave/pdf00000.pdf
http://en.wikipedia.org/wiki/Restricted_cone_NAT

My basic question is: Can PF do a cone NAT? And if so, how? The PF documentation didn't help me, unfortunately.

Thanks for your help in the matter.

GeeJay
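As an added example, not from the original post or any reply on the list, here is how the two behaviours look in pf.conf on a FreeBSD or pfSense box. Interface, network and host names, and the RTP port range, are assumptions for illustration. The commented-out rule is the ordinary outbound NAT, which lets PF pick a fresh random source port for every new state (the symmetric-style mapping described above); the replacement uses PF's `static-port` option, which keeps the LAN host's source port on the outside so every media box sees the same external port.

```pf
ext_if  = "em0"              # WAN interface (assumed name)
lan_net = "192.168.1.0/24"   # LAN behind the firewall (assumed)
pbx     = "192.168.1.10"     # SIP phone/PBX sending RTP (assumed)

# --- Before: default outbound NAT ----------------------------------------
# PF picks a random external source port for every new state, so RTP sent
# from the same internal port to two media-box IPs shows up on two different
# external ports. Only the box whose stream created the state hits a live port.
# nat on $ext_if from $lan_net to any -> ($ext_if)

# --- After: port-preserving NAT for the SIP host --------------------------
# 'static-port' tells PF not to rewrite the source port, so the port the
# phone announces in SDP is the same external port for every media box.
# The first matching nat rule wins, so the specific rule goes first.
nat on $ext_if from $pbx     to any -> ($ext_if) static-port
nat on $ext_if from $lan_net to any -> ($ext_if)

# A media box the phone has not yet sent a packet to still cannot get in,
# because PF only passes replies that match an existing state. A static
# redirect for the phone's RTP range covers that case (range is assumed).
# Translation happens before filtering, so the pass rule sees $pbx.
rdr  on $ext_if proto udp from any to ($ext_if) port 10000:20000 -> $pbx
pass in on $ext_if proto udp from any to $pbx port 10000:20000 keep state
```

Two caveats worth checking before relying on this. With `static-port` PF no longer randomises source ports, so two LAN hosts using the same source port toward the same destination would collide; scoping the rule to the SIP device rather than the whole LAN avoids that. And the `rdr` line is a fixed mapping, not a dynamically learned cone, so it is only as good as the RTP port range configured on the phone. On pfSense the same `static-port` option is exposed as the "Static Port" checkbox on a manual outbound NAT mapping, and `pfctl -sr` / `pfctl -sn` on the box will show whether the option actually made it into the loaded rule set.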