<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">Brian,<div><br></div><div>I am not sure.</div><div>Dave said his device cannot register anymore.</div><div>In your doc, it says the INVITE won't work because of the port mismatch with the REGISTER.</div><div><br></div><div>BTW, what kind of crappy firewall does that...</div><div>A firewall is supposed to keep the same source port during the lifetime of the translation, which can be a very long time if you send regular keepalives.</div><div>To change it between a REGISTER and an INVITE, a firewall would need to have some kind of SIP ALG, and that's dodgy.</div><div><br></div><div><div apple-content-edited="true"> <span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><span class="Apple-style-span" style="border-collapse: separate; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 14px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; "><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; 
"><div><font class="Apple-style-span" face="'Helvetica Neue'"><font class="Apple-style-span" color="#1C00FF">David Ponzone &nbsp;</font><font class="Apple-style-span" color="#000000" size="3"><span class="Apple-style-span" style="font-size: 12px; ">Direction Technique</span></font></font></div><div><font class="Apple-style-span" face="'Helvetica Neue'"><font class="Apple-style-span" size="3"><span class="Apple-style-span" style="font-size: 13px; ">email: <a href="mailto:david.ponzone@ipeva.fr">david.ponzone@ipeva.fr</a></span></font></font></div><div><font class="Apple-style-span" face="'Helvetica Neue'"><font class="Apple-style-span" size="3"><span class="Apple-style-span" style="font-size: 13px; ">tel: &nbsp; &nbsp; &nbsp;01 74 03 18 97</span></font></font></div><div><font class="Apple-style-span" face="'Helvetica Neue'"><font class="Apple-style-span" size="3"><span class="Apple-style-span" style="font-size: 13px; ">gsm: &nbsp; 06 66 98 76 34</span></font></font></div><div><font class="Apple-style-span" face="'Helvetica Neue'"><br></font></div><div><font class="Apple-style-span" color="#1C00FF" face="'Helvetica Neue'">Service Client<span class="Apple-converted-space">&nbsp;</span></font><font class="Apple-style-span" face="'Helvetica Neue'"><font class="Apple-style-span" color="#FF0000">IP</font></font><font class="Apple-style-span" color="#1C00FF" face="'Helvetica Neue'">eva</font></div><div><font class="Apple-style-span" color="#1C00FF" face="'Helvetica Neue'"><span class="Apple-style-span" style="color: rgb(0, 0, 0); font-family: Helvetica; "><div><font class="Apple-style-span" face="'Helvetica Neue'"><font class="Apple-style-span" size="3"><span class="Apple-style-span" style="font-size: 13px; ">tel: &nbsp; &nbsp; &nbsp;0811 46 26 26</span></font></font></div><div><font class="Apple-style-span" face="'Helvetica Neue'" size="3"><span class="Apple-style-span" style="font-size: 13px; "><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; 
margin-left: 0px; font: normal normal normal 10px/normal Arial; color: rgb(0, 34, 243); "><span style="text-decoration: underline; "><a href="BLOCKED::http://www.ipeva.fr/">www.ipeva.fr</a></span><span style="color: rgb(101, 104, 149); ">&nbsp; -&nbsp; &nbsp;<span style="color: rgb(0, 34, 243); text-decoration: underline; "><a href="BLOCKED::http://www.ipeva-studio.com/">www.ipeva-studio.com</a></span></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 10px/normal Arial; color: rgb(0, 34, 243); "><span class="Apple-style-span" style="text-decoration: underline; "><br></span></div><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; font: normal normal normal 10px/normal Arial; color: rgb(0, 34, 243); "><span class="Apple-style-span"><div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; text-align: justify; font: normal normal normal 10px/normal Arial; color: rgb(192, 192, 192); "><i>This message and all attachments are confidential and intended solely for its addressees. Any unauthorized use or dissemination is prohibited. Any electronic message is susceptible to alteration.&nbsp;</i><b><i>IPeva</i></b><i>&nbsp;declines all responsibility for this message if it has been altered, distorted or falsified. 
If you are not the intended recipient of this message, please destroy it immediately and notify the sender.</i></div><div style="text-decoration: underline; text-align: justify; "><font class="Apple-style-span" color="#C0C0C0"><i><br></i></font></div></span></div></span></font></div></span></font></div></div></span><br class="Apple-interchange-newline"></div></span><br class="Apple-interchange-newline"> </div><br><div><div>On 29/08/2010 at 11:29, broken dash wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div>I came across this sipx troubleshooting faq talking about how<br>pfsense's port randomization jacks things up and they go on to describe<br>how you solved your problem. It seems almost certain that it's the<br>cause, but surely the linux port randomization would be equally as<br>problematic as the bsd version...<br><br> &nbsp;&nbsp;&nbsp;&nbsp;<a href="http://sipx-wiki.calivia.com/index.php/SipXbridge_Overview_and_Configuration">http://sipx-wiki.calivia.com/index.php/SipXbridge_Overview_and_Configuration</a><br><br>I wonder if you installed the freeswitch package on your pfsense<br>firewall and configured it to be a B2BUA if that would react in the same<br>way...<br><br><br><br>Cheers,<br>Brian<br><br><br>On Sun, Aug 29, 2010 at 3:15 AM, David Ponzone &lt;<a href="mailto:davtod.ponzone@ipeva.fr">davtod.ponzone@ipeva.fr</a>&gt; wrote:<br><blockquote type="cite">Dave,<br></blockquote><blockquote type="cite">quite quickly, it's obvious your FreeSWITCH is no longer able to detect that<br></blockquote><blockquote type="cite">your HT-287 is behind NAT.<br></blockquote><blockquote type="cite">One possibility is that the rport is missing from the REGISTER.<br></blockquote><blockquote type="cite">Perhaps your pfsense is messing with it?<br></blockquote><blockquote type="cite">So to start, I would recommend you take a trace when the packet enters<br></blockquote><blockquote type="cite">pfsense and when it goes out to your proxy, and compare them 
to see any<br></blockquote><blockquote type="cite">differences.<br></blockquote><blockquote type="cite">David Ponzone &nbsp;Direction Technique<br></blockquote><blockquote type="cite">email: <a href="mailto:david.ponzone@ipeva.fr">david.ponzone@ipeva.fr</a><br></blockquote><blockquote type="cite">tel: &nbsp; &nbsp; &nbsp;01 74 03 18 97<br></blockquote><blockquote type="cite">gsm: &nbsp; 06 66 98 76 34<br></blockquote><blockquote type="cite">Service Client&nbsp;IPeva<br></blockquote><blockquote type="cite">tel: &nbsp; &nbsp; &nbsp;0811 46 26 26<br></blockquote><blockquote type="cite">www.ipeva.fr&nbsp; -&nbsp; &nbsp;<a href="http://www.ipeva-studio.com">www.ipeva-studio.com</a><br></blockquote><blockquote type="cite">This message and all attachments are confidential and intended solely<br></blockquote><blockquote type="cite">for its addressees. Any unauthorized use or dissemination<br></blockquote><blockquote type="cite">is prohibited. Any electronic message is susceptible<br></blockquote><blockquote type="cite">to alteration.&nbsp;IPeva&nbsp;declines all responsibility for this message if it<br></blockquote><blockquote type="cite">has been altered, distorted or falsified. 
If you are not the intended recipient of this<br></blockquote><blockquote type="cite">message, please destroy it immediately and notify the sender.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">On 29/08/2010 at 09:01, Dave Redmore wrote:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Hello All,<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I ran into an issue today that has burned up most of my day<br></blockquote><blockquote type="cite">troubleshooting.&nbsp; I have resolved the problem, but would really like to<br></blockquote><blockquote type="cite">understand what caused it, or some of the internal Freeswitch plumbing that<br></blockquote><blockquote type="cite">is at play so that I can learn something from all of this time I have<br></blockquote><blockquote type="cite">invested.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">I have a Freeswitch server running that acts as a proxy to an account with<br></blockquote><blockquote type="cite">an ITSP for doing T38 faxing.&nbsp; The Freeswitch server has a public IP address<br></blockquote><blockquote type="cite">- there are four "users" who register simple FXS ATAs to my server and it<br></blockquote><blockquote type="cite">then proxies to the ITSP using the "proxy_media" functionality.&nbsp; It has been<br></blockquote><blockquote type="cite">working very well for the last 6 months or so.&nbsp; I have never had to deal<br></blockquote><blockquote type="cite">with any NAT traversal issues - I just point the ATA to the IP to register<br></blockquote><blockquote type="cite">and everything is great.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Here is what the four users "looked" like -<br></blockquote><blockquote type="cite"><br></blockquote><blockquote 
type="cite">User1 :&nbsp; Grandstream HT-287 -&gt; DD-WRT Router (NAT) -&gt; Internet -&gt; Freeswitch<br></blockquote><blockquote type="cite">Proxy<br></blockquote><blockquote type="cite">User2 :&nbsp; Grandstream HT-503 -&gt; DD-WRT Router (NAT) -&gt; Internet -&gt; Freeswitch<br></blockquote><blockquote type="cite">Proxy<br></blockquote><blockquote type="cite">User3 :&nbsp; Grandstream HT-502 -&gt; Comcast/SMC Router (NAT) -&gt; Internet -&gt;<br></blockquote><blockquote type="cite">Freeswitch Proxy<br></blockquote><blockquote type="cite">User4 :&nbsp; Grandstream HT-287 -&gt; IPCOP 1.4.11 (NAT) -&gt; Comcast Gateway -&gt;<br></blockquote><blockquote type="cite">Freeswitch Proxy<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">(User4 is my office, so the IPCOP firewall and the Freeswitch Proxy sit on<br></blockquote><blockquote type="cite">the same Comcast Gateway)<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">As I said, this all worked perfectly without any need to "fiddle" with<br></blockquote><blockquote type="cite">anything on any firewalls - worked right out of the box.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">So, today I changed out my IPCOP firewall for a pfsense firewall - and my<br></blockquote><blockquote type="cite">HT-287 would no longer register.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">After much head-scratching, packet captures, etc. 
I found that I needed to<br></blockquote><blockquote type="cite">set up a Static Port NAT for the port the HT-287 was using (5062) in order<br></blockquote><blockquote type="cite">to get this to work.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">So, I see WHAT is happening, but I really want to know WHY it is happening.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Here are the gory details:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">The sofia status of the profile looks like this - when I have the Static<br></blockquote><blockquote type="cite">Port NAT in place (details changed for security):<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">_______________________________________________________________<br></blockquote><blockquote type="cite">Call-ID:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="mailto:0e551b3c694a793c@192.168.1.137">0e551b3c694a793c@192.168.1.137</a><br></blockquote><blockquote type="cite">User:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="mailto:8885554525@173.11.22.111">8885554525@173.11.22.111</a><br></blockquote><blockquote type="cite">Contact:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "user"<br></blockquote><blockquote type="cite">&lt;<a href="sip:8885554525@192.168.1.137;fs_nat=yes;fs_path=sip%3A8885554525%40173.22.22.55%3A5060">sip:8885554525@192.168.1.137;fs_nat=yes;fs_path=sip%3A8885554525%40173.22.22.55%3A5060</a>&gt;<br></blockquote><blockquote type="cite">Agent:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Grandstream HT287 1.1.0.45 DevId 000b821203c5<br></blockquote><blockquote type="cite">Status:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Registered(UDP-NAT)(unknown) EXP(2010-08-29 01:17:03)<br></blockquote><blockquote type="cite">Host:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 
173-11-22-111-illinois.hfc.comcastbusiness.net<br></blockquote><blockquote type="cite">IP:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 173.22.22.55<br></blockquote><blockquote type="cite">Port:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5060<br></blockquote><blockquote type="cite">Auth-User:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8885554525<br></blockquote><blockquote type="cite">Auth-Realm:&nbsp;&nbsp;&nbsp;&nbsp; 173.11.22.111<br></blockquote><blockquote type="cite">MWI-Account:&nbsp;&nbsp;&nbsp;&nbsp;<a href="mailto:8885554525@173.11.22.111">8885554525@173.11.22.111</a><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Call-ID:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="mailto:1716488819-5062-1@192.168.7.150">1716488819-5062-1@192.168.7.150</a><br></blockquote><blockquote type="cite">User:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="mailto:8885554544@173.11.22.111">8885554544@173.11.22.111</a><br></blockquote><blockquote type="cite">Contact:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "user"<br></blockquote><blockquote type="cite">&lt;<a href="sip:8885554544@192.168.7.150:5062;user=phone;fs_nat=yes">sip:8885554544@192.168.7.150:5062;user=phone;fs_nat=yes</a>;<br></blockquote><blockquote type="cite">fs_path=sip%3A8885554544%4098.255.0.11%3A5062%3Buser%3Dphone&gt;<br></blockquote><blockquote type="cite">Agent:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Grandstream HT-502&nbsp; V1.1B 1.0.1.63<br></blockquote><blockquote type="cite">Status:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Registered(UDP-NAT)(unknown) EXP(2010-08-29 01:48:35)<br></blockquote><blockquote type="cite">Host:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 173-11-22-111-illinois.hfc.comcastbusiness.net<br></blockquote><blockquote type="cite">IP:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 98.255.0.11<br></blockquote><blockquote 
type="cite">Port:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5062<br></blockquote><blockquote type="cite">Auth-User:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8885554544<br></blockquote><blockquote type="cite">Auth-Realm:&nbsp;&nbsp;&nbsp;&nbsp; 173.11.22.111<br></blockquote><blockquote type="cite">MWI-Account:&nbsp;&nbsp;&nbsp;&nbsp;<a href="mailto:8885554544@173.11.22.111">8885554544@173.11.22.111</a><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Call-ID:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="mailto:090ee80e1a0ec9ed@10.8.11.149">090ee80e1a0ec9ed@10.8.11.149</a><br></blockquote><blockquote type="cite">User:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="mailto:8885554549@173.11.22.111">8885554549@173.11.22.111</a><br></blockquote><blockquote type="cite">Contact:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "user" &lt;<a href="sip:8885554549@10.8.11.149:5062">sip:8885554549@10.8.11.149:5062</a>&gt;<br></blockquote><blockquote type="cite">Agent:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Grandstream HT287 1.1.0.45 DevId 000b82127390<br></blockquote><blockquote type="cite">Status:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Registered(UDP)(unknown) EXP(2010-08-29 02:00:42)<br></blockquote><blockquote type="cite">Host:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 173-11-22-111-illinois.hfc.comcastbusiness.net<br></blockquote><blockquote type="cite">IP:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 173.11.22.99<br></blockquote><blockquote type="cite">Port:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5062<br></blockquote><blockquote type="cite">Auth-User:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8885554549<br></blockquote><blockquote type="cite">Auth-Realm:&nbsp;&nbsp;&nbsp;&nbsp; 173.11.22.111<br></blockquote><blockquote type="cite">MWI-Account:&nbsp;&nbsp;&nbsp;&nbsp;<a 
href="mailto:8885554549@173.11.22.111">8885554549@173.11.22.111</a><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Call-ID:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="mailto:1035241259-5060-1@10.1.10.150">1035241259-5060-1@10.1.10.150</a><br></blockquote><blockquote type="cite">User:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="mailto:8885554547@173.11.22.111">8885554547@173.11.22.111</a><br></blockquote><blockquote type="cite">Contact:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "user"<br></blockquote><blockquote type="cite">&lt;<a href="sip:8885554547@10.1.10.150:5060;user=phone;fs_nat=yes;fs">sip:8885554547@10.1.10.150:5060;user=phone;fs_nat=yes;fs</a><br></blockquote><blockquote type="cite">_path=sip%3A8885554547%4098.222.55.100%3A5060%3Buser%3Dphone&gt;<br></blockquote><blockquote type="cite">Agent:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Grandstream HT-503&nbsp; V1.1B 1.0.1.63<br></blockquote><blockquote type="cite">Status:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Registered(UDP-NAT)(unknown) EXP(2010-08-29 00:15:09)<br></blockquote><blockquote type="cite">Host:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 173-11-22-111-illinois.hfc.comcastbusiness.net<br></blockquote><blockquote type="cite">IP:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 98.222.55.100<br></blockquote><blockquote type="cite">Port:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 5060<br></blockquote><blockquote type="cite">Auth-User:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 8885554547<br></blockquote><blockquote type="cite">Auth-Realm:&nbsp;&nbsp;&nbsp;&nbsp; 173.11.22.111<br></blockquote><blockquote type="cite">MWI-Account:&nbsp;&nbsp;&nbsp;&nbsp;<a href="mailto:8885554547@173.11.22.111">8885554547@173.11.22.111</a><br></blockquote><blockquote type="cite">___________________________________________________________<br></blockquote><blockquote 
type="cite"><br></blockquote><blockquote type="cite">The "User4" account is in red.&nbsp; The "Contact" field is substantially<br></blockquote><blockquote type="cite">different and the "Status" indicates "Registered (UDP)", rather than<br></blockquote><blockquote type="cite">"Registered (UDP-NAT)" as the others.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">When I do a packet capture on the external NIC interface (eth0) - I see the<br></blockquote><blockquote type="cite">following when the HT-287 tries to register and the Static Port NAT is NOT<br></blockquote><blockquote type="cite">in place:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">___________________________________________________________________<br></blockquote><blockquote type="cite">Internet Protocol, Src: 173.11.22.99 (173.11.22.99), Dst: 173.11.22.111<br></blockquote><blockquote type="cite">(173.11.22.111)<br></blockquote><blockquote type="cite">User Datagram Protocol, Src Port: 11521 (11521), Dst Port: 5090 (5090)<br></blockquote><blockquote type="cite">Session Initiation Protocol<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp; Request-Line: REGISTER&nbsp;<a href="sip:173.11.22.111:5090">sip:173.11.22.111:5090</a>&nbsp;SIP/2.0<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Method: REGISTER<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Request-URI:&nbsp;<a href="sip:173.11.22.111:5090">sip:173.11.22.111:5090</a><br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Request-URI Host Part: 173.11.22.111<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Request-URI Host Port: 5090<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp; Message Header<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Via: 
SIP/2.0/UDP 10.8.11.149:5062;branch=z9hG4bKda48f838c8689e41<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Transport: UDP<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Sent-by Address: 10.8.11.149<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Sent-by port: 5062<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Branch: z9hG4bKda48f838c8689e41<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; From: &lt;<a href="sip:8885554549@173.11.22.111:5090">sip:8885554549@173.11.22.111:5090</a>&gt;;tag=c8a0d452edc5ac4b<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SIP from address:&nbsp;<a href="sip:8885554549@173.11.22.111:5090">sip:8885554549@173.11.22.111:5090</a><br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SIP tag: c8a0d452edc5ac4b<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To: &lt;<a href="sip:8885554549@173.11.22.111:5090">sip:8885554549@173.11.22.111:5090</a>&gt;<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Contact: &lt;<a href="sip:88855564549@10.8.11.149:5062">sip:88855564549@10.8.11.149:5062</a>&gt;<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Contact Binding: &lt;<a href="sip:8885554549@10.8.11.149:5062">sip:8885554549@10.8.11.149:5062</a>&gt;<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Supported: replaces, timer<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Call-ID:&nbsp;<a 
href="mailto:aa77d777bae71be6@10.8.11.149">aa77d777bae71be6@10.8.11.149</a><br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CSeq: 100 REGISTER<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Sequence Number: 100<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Method: REGISTER<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Expires: 3600<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; User-Agent: Grandstream HT287 1.1.0.45 DevId 000b82127390<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Max-Forwards: 70<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Allow:<br></blockquote><blockquote type="cite">INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Content-Length: 0<br></blockquote><blockquote type="cite">_______________________________________________________________<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">When Freeswitch replies back with a "401 Unauthorized" - asking for further<br></blockquote><blockquote type="cite">Auth - it replies back to port 5062 - so the packet never comes back<br></blockquote><blockquote type="cite">(pfsense is looking for a packet back on port 11521 in this case).<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">If I put the Static Port NAT in place - all is well, because the "Source"<br></blockquote><blockquote type="cite">port shows as "5062" - the rest of the packet looks pretty much the same.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Now, here is a packet coming from one of the other Users - this one comes<br></blockquote><blockquote 
type="cite">through a DD-WRT router - here we see that the Source Port is 5060 :<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">_________________________________________________________________<br></blockquote><blockquote type="cite">Internet Protocol, Src: 173.22.22.55 (173.22.22.55), Dst: 173.11.22.111<br></blockquote><blockquote type="cite">(173.11.22.111)<br></blockquote><blockquote type="cite">User Datagram Protocol, Src Port: sip (5060), Dst Port: 5090 (5090)<br></blockquote><blockquote type="cite">Session Initiation Protocol<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp; Request-Line: REGISTER&nbsp;<a href="sip:173.11.22.111:5090">sip:173.11.22.111:5090</a>&nbsp;SIP/2.0<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Method: REGISTER<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Request-URI:&nbsp;<a href="sip:173.11.22.111:5090">sip:173.11.22.111:5090</a><br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [Resent Packet: False]<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp; Message Header<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Via: SIP/2.0/UDP 192.168.1.137;branch=z9hG4bK665bc67a1c64292b<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Transport: UDP<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Sent-by Address: 192.168.1.137<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Branch: z9hG4bK665bc67a1c64292b<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; From: "fax" &lt;<a href="sip:8885554525@173.11.22.111:5090">sip:8885554525@173.11.22.111:5090</a>&gt;;tag=8dc68b35111c4261<br></blockquote><blockquote 
type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To: &lt;<a href="sip:8156564525@173.15.28.101:5090">sip:8156564525@173.15.28.101:5090</a>&gt;<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Contact: &lt;<a href="sip:8885554525@192.168.1.137">sip:8885554525@192.168.1.137</a>&gt;<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Contact Binding: &lt;<a href="sip:8885554525@192.168.1.137">sip:8885554525@192.168.1.137</a>&gt;<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Call-ID:&nbsp;<a href="mailto:0e551b3c694a793c@192.168.1.137">0e551b3c694a793c@192.168.1.137</a><br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CSeq: 503 REGISTER<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Sequence Number: 503<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Method: REGISTER<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Expires: 3600<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; User-Agent: Grandstream HT287 1.1.0.45 DevId 000b821203c5<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Max-Forwards: 70<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Allow:<br></blockquote><blockquote type="cite">INVITE,ACK,CANCEL,BYE,NOTIFY,REFER,OPTIONS,INFO,SUBSCRIBE,UPDATE<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Content-Length: 0<br></blockquote><blockquote type="cite">______________________________________________________________________<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Here is one more packet coming from a Comcast/SMC Router - again, the source<br></blockquote><blockquote 
type="cite">port is correct:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">______________________________________________________________________<br></blockquote><blockquote type="cite">&nbsp;Internet Protocol, Src: 98.244.55.100 (98.244.55.100), Dst: 173.11.22.111<br></blockquote><blockquote type="cite">(173.11.22.111)<br></blockquote><blockquote type="cite">User Datagram Protocol, Src Port: sip (5060), Dst Port: 5090 (5090)<br></blockquote><blockquote type="cite">Session Initiation Protocol<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp; Request-Line: REGISTER&nbsp;<a href="sip:173.11.22.111:5090">sip:173.11.22.111:5090</a>&nbsp;SIP/2.0<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp; Message Header<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Via: SIP/2.0/UDP 10.1.10.150:5060;branch=z9hG4bK58981045;rport<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Transport: UDP<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Sent-by Address: 10.1.10.150<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Sent-by port: 5060<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Branch: z9hG4bK58981045<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; RPort: rport<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; From: &lt;<a href="sip:8885554547@173.11.22.111:5090;user=phone">sip:8885554547@173.11.22.111:5090;user=phone</a>&gt;;tag=138706651<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; To: &lt;<a href="sip:8885554547@173.11.22.111:5090;user=phone">sip:8885554547@173.11.22.111:5090;user=phone</a>&gt;<br></blockquote><blockquote 
type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Call-ID:&nbsp;<a href="mailto:1035241259-5060-1@10.1.10.150">1035241259-5060-1@10.1.10.150</a><br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; CSeq: 79875 REGISTER<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Sequence Number: 79875<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Method: REGISTER<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Contact:<br></blockquote><blockquote type="cite">&lt;<a href="sip:8885554547@10.1.10.150:5060;user=phone">sip:8885554547@10.1.10.150:5060;user=phone</a>&gt;;reg-id=1;+sip.instance="&lt;<a href="urn:uuid:00000000-0000-1000-8000-000B821F9A84">urn:uuid:00000000-0000-1000-8000-000B821F9A84</a>&gt;"<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Contact Binding:<br></blockquote><blockquote type="cite">&lt;<a href="sip:8885554547@10.1.10.150:5060;user=phone">sip:8885554547@10.1.10.150:5060;user=phone</a>&gt;;reg-id=1;+sip.instance="&lt;<a href="urn:uuid:00000000-0000-1000-8000-000B821F9A84">urn:uuid:00000000-0000-1000-8000-000B821F9A84</a>&gt;"<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Max-Forwards: 70<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; User-Agent: Grandstream HT-503&nbsp; V1.1B 1.0.1.63<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Supported: path<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Expires: 300<br></blockquote><blockquote type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO,<br></blockquote><blockquote type="cite">REFER, UPDATE<br></blockquote><blockquote 
type="cite">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Content-Length: 0<br></blockquote><blockquote type="cite">___________________________________________________________<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">So, here are my questions:<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">- Why is the Sofia Status so much different for the registration coming<br></blockquote><blockquote type="cite">through the pfSense firewall?&nbsp; It looks like it doesn't get tagged as being<br></blockquote><blockquote type="cite">NAT'd and the "Contact" info is much less.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">- Do most modern routers automatically Static Port NAT any SIP traffic?<br></blockquote><blockquote type="cite">Both DD-WRT and SMC routers appear to be doing this - and not just on a<br></blockquote><blockquote type="cite">simple Port basis (UDP 5060 only), because one of these examples is on<br></blockquote><blockquote type="cite">5062.&nbsp; Are these "SIP aware" firewalls that are doing this automatically,<br></blockquote><blockquote type="cite">as the IPCOP did before?<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">- Is the extra "Contact" data in the last packet example different because<br></blockquote><blockquote type="cite">it is a different UA (HT-503 rather than an HT-287)?<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">- Is Freeswitch not flagging the registration from my office (User4) as<br></blockquote><blockquote type="cite">being NAT'd because it is coming in on the same subnet as the interface<br></blockquote><blockquote type="cite">Freeswitch received the packet on (Freeswitch is at 173.11.22.111 and<br></blockquote><blockquote type="cite">pfSense is at 173.11.22.99)?<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Sorry for this 
terribly long posting - I'm just very curious to understand<br></blockquote><blockquote type="cite">what is going on here, now that I have collected all this information.<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Thanks,<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">Dave<br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite">_______________________________________________<br></blockquote><blockquote type="cite">FreeSWITCH-users mailing list<br></blockquote><blockquote type="cite"><a href="mailto:FreeSWITCH-users@lists.freeswitch.org">FreeSWITCH-users@lists.freeswitch.org</a><br></blockquote><blockquote type="cite"><a href="http://lists.freeswitch.org/mailman/listinfo/freeswitch-users">http://lists.freeswitch.org/mailman/listinfo/freeswitch-users</a><br></blockquote><blockquote type="cite">UNSUBSCRIBE:<a href="http://lists.freeswitch.org/mailman/options/freeswitch-users">http://lists.freeswitch.org/mailman/options/freeswitch-users</a><br></blockquote><blockquote type="cite"><a href="http://www.freeswitch.org">http://www.freeswitch.org</a><br></blockquote><blockquote type="cite"><br></blockquote><blockquote type="cite"><br></blockquote><br></div></blockquote></div><br></div></body></html>