Because of this "Remember that static-port means you can't have two machines behind the same NAT using the same source port and destination.", you should instead probably use "binat-to" as a good practice.
This will help force you to not be able to accidentally reuse the same public IP for another internal server. SIP uses a lot of ports, and so it really does need its own public IP with a one to one mapping to the private IP.

If you have remote SIP phone clients that need to run over the gateway too (not just a SIP trunk), the following helped us keep client registrations alive;

    set timeout { udp.first 1200, udp.single 600, udp.multiple 1800 }

Cheers, Andy.

On Thu, Jun 9, 2016 at 11:40 PM, Stuart Henderson <s...@spacehopper.org> wrote:

> On 2016-06-09, Markus Wernig <liste...@wernig.net> wrote:
> > On 06/09/2016 08:03 PM, Bryan Vyhmeister wrote:
> >> On Thu, Jun 9, 2016, at 10:48 AM, Markus Wernig wrote:
> >>> Short question:
> >>> How do I prevent pf from changing the source port of outgoing natted udp
> >>> packets?
> >>
> >> Did you look at static-port in pf.conf(5)?
> >
> > Argh! I had overlooked that. Shame. Works now.
>
> Remember that static-port means you can't have two machines behind
> the same NAT using the same source port and destination.
>
> If it's OK to change the source port as long as it ends up within
> a certain port range, you can do something like 'nat-to $address port
> 8000:9000'.
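The three options discussed in this thread, side by side in one pf.conf fragment. This is an added example and not part of the original messages; the interface name, macro names and all addresses (RFC 5737 documentation ranges) are assumptions.

```pf
# Added example, not from the thread. All names and addresses are assumed.
ext_if  = "em0"              # assumed external interface
lan_net = "192.0.2.0/24"     # assumed internal network
pbx_int = "192.0.2.10"       # assumed private address of the SIP server
pbx_ext = "198.51.100.10"    # assumed public address reserved for the SIP server
nat_ext = "198.51.100.1"     # assumed shared public address for all other hosts

# UDP state timeouts as quoted in the message above, so that idle
# registrations from remote SIP phones do not lose their state.
set timeout { udp.first 1200, udp.single 600, udp.multiple 1800 }

# General outbound NAT for the LAN. pf may rewrite the source port here.
pass out on $ext_if inet from $lan_net to any nat-to $nat_ext

# Option A (binat-to): one-to-one mapping between $pbx_int and $pbx_ext.
# Ports are left untouched, and because $pbx_ext is used by no other rule,
# no second internal host can collide with it. The last matching rule wins,
# so this rule must come after the general NAT rule above.
# This fragment covers translation only: binat-to also maps inbound traffic
# for $pbx_ext to $pbx_int, so restrict inbound ports in the filter rules.
pass on $ext_if from $pbx_int to any binat-to $pbx_ext

# Option B (static-port): keep the source port on a shared address.
# Two internal hosts using the same source port toward the same
# destination cannot both hold a state on $nat_ext.
# pass out on $ext_if inet proto udp from $pbx_int to any \
#     nat-to $nat_ext static-port

# Option C (port range): allow the source port to change, but only
# within a fixed range, as in 'nat-to $address port 8000:9000'.
# pass out on $ext_if inet proto udp from $pbx_int to any \
#     nat-to $nat_ext port 8000:9000
```

Parse the file with `pfctl -nf` before loading it, and use only one of the three options for a given host.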