On 2019-02-06, Patrick <jum...@yahoo.de> wrote:
> My nat rule uses the parentheses and all other devices behind the
> firewall work fine. I think it’s more a specific issue with the SPA112.
> I have also set the ruleset optimization to conservative but in this
> case the generated state has just a longer time to live. This isn’t the
> problem because the SPA112 sends regular keep alive packets which reset
> the counter for the state.

Setting to 'conservative' (i.e. hanging on to states for longer) can't
help with this. Using parentheses won't help either, that means "do a
lookup at state creation time", but you aren't getting a new state
created because the old one hasn't expired.

> Here the related rules:
> pass out quick on egress inet from (vether0:network) nat-to (egress) modulate state
> pass in on egress inet proto udp from <sipprovider> to (egress) port 5060
>
> As I’m just reading again my rules. Is the modulate state the problem?
> Or will pf use keep state for UDP packets as the default?

PF uses "keep state" by default, and "keep state" is required for NAT.

I think your main options are:

- use a *shorter* timeout for this rule (this can be set per-rule and
  overrides the default from "set optimization") and have a port forward
  rule so that incoming packets still work even when the state has timed out

- arrange a way to flush these states when the IP changes

The first of these is probably easiest if you can do it ..
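
The first option above, sketched as a pf.conf fragment. This is an added example, not part of the original message or the poster's ruleset. The SPA112 address and the timeout values are constructed assumptions, and the <sipprovider> table is assumed to be defined elsewhere as in the quoted rules.

```conf
# Constructed values: the SPA112 address and the timeout seconds below are
# assumptions for illustration, not taken from the thread.
spa112 = "192.168.1.50"

# SIP traffic from the SPA112: NAT with short per-rule UDP timeouts. These
# override the defaults chosen by "set optimization", but only for states
# created by this rule. It sits before the general NAT rule because both
# rules use "quick" and the first match wins.
pass out quick on egress inet proto udp from $spa112 to <sipprovider> port 5060 \
    nat-to (egress) keep state (udp.first 20, udp.single 10, udp.multiple 20)

# General NAT rule from the quoted ruleset, unchanged.
pass out quick on egress inet from (vether0:network) nat-to (egress) modulate state

# Port forward: packets from the provider still reach the SPA112 when the
# outbound state has timed out and no state matches them.
pass in on egress inet proto udp from <sipprovider> to (egress) port 5060 \
    rdr-to $spa112
```

For the second option, `pfctl -k 192.168.1.50` kills the states originating from that host; what triggers it when the address changes is left open here.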