On Wednesday, February 06, 2019 10:57 CET, jum...@yahoo.de wrote:

> Hello,
> I have a Cisco SPA112 VoIP adapter to connect my analog phone to my provider's SIP 
> system. Recently I replaced my Linux-based firewall (Fritzbox) with an OpenBSD 6.4 
> firewall. The firewall is connected to a vDSL modem and performs NAT for 
> outgoing IPv4 connections. The connection to the SIP server from the SPA112 is 
> an IPv4 connection with NAT via UDP port 5060. The connection works and I can see the NAT 
> in the state table. I have configured NAT keepalive on the SPA112 to keep the 
> state open. After 24 hours my provider terminates my connection, and after 
> it has established a new connection the firewall has a new public IPv4 address. 
> After this change the SPA112 can no longer communicate with the SIP server 
> because it's still using the old state with the old public IPv4 address. If I 
> delete the state manually on the firewall to force the SPA112 to register 
> again, it works. The SPA112 also has an automatism to re-register after 60 
> minutes. But without deleting the state the SPA112 will use the old 
> state/connection again.
> From my point of view the SPA112 should use a new connection for the 
> re-registration, or at least a new connection if it detects the loss of the 
> previous registration. But this problem didn't exist with the old Linux-based 
> firewall. I can also see a lot of other NAT entries in the state table 
> with the old public IPv4 address. Is there a feature of pf to delete all NAT 
> entries with the no longer existing public IPv4 on an address change? 
> Best Regards, Patrick

Some lines of pf.conf would be helpful. Do you have parentheses around your 
interface name in the nat-to rule, like nat-to ($ext_if)?
That should update the rules when addresses change, but I don't think that will 
touch active states.
However, SIP and UDP might be problematic, since states are consulted first, 
before the rules are traversed. Since UDP is stateless, PF only sees 
sending/receiving IP and port, but with SIP the sending port might always be 
5060 as well, so it may match the existing state, even if the external IP 
changed.

Sebastian
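The following is an added example and not code from either poster in this thread. It illustrates the two points above: the difference between `nat-to $ext_if` and `nat-to ($ext_if)` in pf.conf, and how to find the states in `pfctl -ss` output that are still translated to an old public address so they can be removed and the phone forced to re-register. The state-table sample is constructed, and the assumed line layout for translated states (`all <proto> <src> -> <nat-addr> -> <dst> <state>`), the interface name `pppoe0` and the use of `pfctl -k` against the internal host are assumptions, not something the thread confirms.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the pfctl -ss layout
# "all <proto> <src> -> <nat-addr> -> <dst> <state>" for translated states.

# pf.conf contrast (interface name pppoe0 is assumed). Without parentheses the
# address is resolved once when the ruleset is loaded; with parentheses the
# rule follows the interface's current address. Neither variant changes
# states that already exist.
#   ext_if = "pppoe0"
#   match out on $ext_if inet from !($ext_if:network) nat-to $ext_if    # frozen at load
#   match out on $ext_if inet from !($ext_if:network) nat-to ($ext_if)  # tracks changes

# Constructed sample of pfctl -ss output: two UDP states (SIP signalling and
# RTP) still translated to the old public address 203.0.113.5, one TCP state
# already using the new address 203.0.113.9, and one untranslated state.
SAMPLE_STATES='all udp 192.168.1.20:5060 -> 203.0.113.5:5060 -> 198.51.100.10:5060       MULTIPLE:MULTIPLE
all udp 192.168.1.20:16384 -> 203.0.113.5:16384 -> 198.51.100.10:16384       MULTIPLE:MULTIPLE
all tcp 192.168.1.30:51422 -> 203.0.113.9:51422 -> 198.51.100.40:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.1:53 -> 192.168.1.20:49152       MULTIPLE:SINGLE'

# Print the state lines whose translated address (the field between the two
# arrows) is the given old public address. Reads state lines on stdin.
stale_states() {
    awk -v ip="$1" '
        # Fields 4 and 6 are both "->" only for translated states.
        $4 == "->" && $6 == "->" {
            split($5, nat, ":")
            if (nat[1] == ip) print
        }'
}

# Number of states still bound to the old address.
count_stale_states() {
    stale_states "$1" | wc -l | tr -d ' '
}

# Internal hosts that still own a state translated to the old address.
# Killing by internal host avoids depending on whether pfctl -k matches the
# translated side of an outbound state (assumption: -k matches the
# untranslated source address of outbound states).
stale_internal_hosts() {
    stale_states "$1" | awk '{ split($3, src, ":"); print src[1] }' | sort -u
}

OLD_IP=203.0.113.5
printf '%s\n' "$SAMPLE_STATES" | stale_states "$OLD_IP"
echo "stale states: $(printf '%s\n' "$SAMPLE_STATES" | count_stale_states "$OLD_IP")"
echo "internal hosts to flush: $(printf '%s\n' "$SAMPLE_STATES" | stale_internal_hosts "$OLD_IP" | tr '\n' ' ')"
# On the firewall one would feed live output instead and then drop those
# states so the SPA112 re-registers through a fresh translation:
#   pfctl -ss | stale_internal_hosts "$OLD_IP" | while read -r h; do pfctl -k "$h"; done
```

Run on the firewall after a reconnect, this lists the states that still carry the previous public address; the commented `pfctl -k` loop at the end removes them per internal host, which is the manual step described in the question.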
