Hosting a VoIP server behind OpenBSD with the following pf.conf file
led to some surprising behaviour:
voice_if = em0
data_if = vr0
ext_if = vr3
PBX = "192.168.234.200"
voip_ports = "10000:40000"
table <remote_phones> persist { .... }
match out on $ext_if from { $voice_if:network, $data_if:network } \
    to any nat-to $ext_if static-port
pass out allow-opts flags S/SA modulate state
# "on" must precede "proto" for pfctl to parse the rule
pass in on $ext_if proto udp from <remote_phones> \
    port { sip, $voip_ports } rdr-to $PBX
Notice the last rule does NOT include a "to" clause, as seen in the
pools FAQ http://www.openbsd.org/faq/pf/pools.html.
The surprise was when UDP traffic on ports 10000:40000 was not coming
through and tcpdump on $ext_if showed "ICMP port unreachable" being
sent back. Adding "to $ext_if" to the last rule fixed it immediately:
pass in on $ext_if proto udp from <remote_phones> \
    to $ext_if port { sip, $voip_ports } rdr-to $PBX
If this is by design, please explain!
If the "to" clause is always required with rdr-to, then the man page
should be updated, and the parse code throw an error, and perhaps the
pools FAQ updated (possibly by me).
--Ryan Slack
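An added example, not part of Ryan's message, showing the two rules side by side with the side of the connection each "port" list is parsed on. In the pf.conf(5) grammar, "from <src> port ..." filters the source port and "to <dst> port ..." filters the destination port, so a rule with no "to" clause is implicitly "to any" with no destination port filter. The macros are Ryan's; the table contents (an RFC 5737 documentation address) are constructed for the example.

```conf
# Added example (not from the original message). Macros as in Ryan's pf.conf;
# the <remote_phones> entry is a constructed placeholder.
voice_if = em0
data_if = vr0
ext_if = vr3
PBX = "192.168.234.200"
voip_ports = "10000:40000"
table <remote_phones> persist { 203.0.113.10 }

match out on $ext_if from { $voice_if:network, $data_if:network } \
    to any nat-to $ext_if static-port
pass out allow-opts flags S/SA modulate state

# As originally written. With no "to" clause the port list binds to the
# "from" side, i.e. the SOURCE port. Only datagrams whose source port is
# 5060 or in 10000-40000 are redirected, to whatever destination port they
# carry. A datagram from a phone using any other source port, aimed at
# $ext_if:10000-40000, does not match this rule, is delivered to the
# firewall itself, and is answered with ICMP port unreachable.
#pass in on $ext_if proto udp from <remote_phones> \
#    port { sip, $voip_ports } rdr-to $PBX
#
# The same rule with the implicit destination spelled out:
#pass in on $ext_if proto udp from <remote_phones> \
#    port { sip, $voip_ports } to any rdr-to $PBX

# Intended rule: the port list belongs to the DESTINATION, so it has to
# follow a "to" clause. The "to" clause is not required by rdr-to itself;
# it is required to attach the port filter to the destination side.
pass in on $ext_if proto udp from <remote_phones> \
    to $ext_if port { sip, $voip_ports } rdr-to $PBX
```

`pfctl -nf /etc/pf.conf` only checks syntax and will accept both forms. After loading, `pfctl -sr` prints each rule in canonical form with the port list on the side it was parsed on ("from <remote_phones> port ..." versus "to ... port ..."), which makes this kind of mismatch visible without sending test traffic.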