SPA112 VoIP with pf and NAT - States keeps open on address change

SPA112 VoIP with pf and NAT - States keeps open on address change

jummo4
Hello,
I have a Cisco SPA112 VoIP adapter to connect my analog phone to my provider's SIP system. Recently I replaced my Linux-based firewall (Fritzbox) with an OpenBSD 6.4 firewall. The firewall is connected to a vDSL modem and performs NAT for outgoing IPv4 connections. The connection from the SPA112 to the SIP server is IPv4 with NAT via UDP port 5060. The connection works and I can see the NAT in the state table. I have configured NAT keepalive on the SPA112 to keep the state open. After 24 hours my provider terminates my connection, and after a new connection is established the firewall has a new public IPv4 address.
After this change the SPA112 can no longer communicate with the SIP server because it is still using the old state with the old public IPv4 address. If I delete the state manually on the firewall to force the SPA112 to register again, it works. The SPA112 also has an automatism to re-register after 60 minutes. But without deleting the state the SPA112 will again use the old state/connection.
From my point of view the SPA112 should use a new connection for the re-register, or at least a new connection if it detects the loss of the previous registration. But this problem didn't exist with the old Linux-based firewall. I can also see a lot of other NAT entries in the state table with the old public IPv4 address. Is there a feature of pf to delete all NAT entries with the no longer existing public IPv4 on an address change?
Best Regards,
Patrick
Re: SPA112 VoIP with pf and NAT - States keeps open on address change

Sebastian Reitenbach
On Wednesday, February 06, 2019 10:57 CET, [hidden email] wrote:

> Hello,
> I have a Cisco SPA112 VoIP adapter to connect my analog phone to my provider's SIP system. Recently I replaced my Linux-based firewall (Fritzbox) with an OpenBSD 6.4 firewall. The firewall is connected to a vDSL modem and performs NAT for outgoing IPv4 connections. The connection from the SPA112 to the SIP server is IPv4 with NAT via UDP port 5060. The connection works and I can see the NAT in the state table. I have configured NAT keepalive on the SPA112 to keep the state open. After 24 hours my provider terminates my connection, and after a new connection is established the firewall has a new public IPv4 address.
> After this change the SPA112 can no longer communicate with the SIP server because it is still using the old state with the old public IPv4 address. If I delete the state manually on the firewall to force the SPA112 to register again, it works. The SPA112 also has an automatism to re-register after 60 minutes. But without deleting the state the SPA112 will again use the old state/connection.
> From my point of view the SPA112 should use a new connection for the re-register, or at least a new connection if it detects the loss of the previous registration. But this problem didn't exist with the old Linux-based firewall. I can also see a lot of other NAT entries in the state table with the old public IPv4 address. Is there a feature of pf to delete all NAT entries with the no longer existing public IPv4 on an address change?
> Best Regards,
> Patrick

Some lines of pf.conf would be helpful. Do you have parentheses around your interface name in the nat-to rule, like nat-to ($ext_if)?
That should update the rules when addresses change, but I don't think that will touch active states.
However, SIP and UDP might be problematic, since states are consulted first, before the rules are traversed. Since UDP is stateless, PF only sees sending/receiving IP and port, but with SIP the sending port might always be 5060 as well, so it may match the existing state even if the external IP changed.

Sebastian

Re: SPA112 VoIP with pf and NAT - States keeps open on address change

Mihai Popescu-3
In reply to this post by jummo4
I think you need to show your pf rules.
Did you make your firewall aware that your ISP is changing address ?

Re: SPA112 VoIP with pf and NAT - States keeps open on address change

jummo4
In reply to this post by Sebastian Reitenbach

> On 06.02.2019, at 11:15, Sebastian Reitenbach <[hidden email]> wrote:
>
> On Wednesday, February 06, 2019 10:57 CET, [hidden email] wrote:
>
>> Hello,
>> I have a Cisco SPA112 VoIP adapter to connect my analog phone to my provider's SIP system. Recently I replaced my Linux-based firewall (Fritzbox) with an OpenBSD 6.4 firewall. The firewall is connected to a vDSL modem and performs NAT for outgoing IPv4 connections. The connection from the SPA112 to the SIP server is IPv4 with NAT via UDP port 5060. The connection works and I can see the NAT in the state table. I have configured NAT keepalive on the SPA112 to keep the state open. After 24 hours my provider terminates my connection, and after a new connection is established the firewall has a new public IPv4 address.
>> After this change the SPA112 can no longer communicate with the SIP server because it is still using the old state with the old public IPv4 address. If I delete the state manually on the firewall to force the SPA112 to register again, it works. The SPA112 also has an automatism to re-register after 60 minutes. But without deleting the state the SPA112 will again use the old state/connection.
>> From my point of view the SPA112 should use a new connection for the re-register, or at least a new connection if it detects the loss of the previous registration. But this problem didn't exist with the old Linux-based firewall. I can also see a lot of other NAT entries in the state table with the old public IPv4 address. Is there a feature of pf to delete all NAT entries with the no longer existing public IPv4 on an address change?
>> Best Regards,
>> Patrick
>
> Some lines of pf.conf would be helpful. Do you have parentheses around your interface name in the nat-to rule, like nat-to ($ext_if)?
> That should update the rules when addresses change, but I don't think that will touch active states.
> However, SIP and UDP might be problematic, since states are consulted first, before the rules are traversed. Since UDP is stateless, PF only sees sending/receiving IP and port, but with SIP the sending port might always be 5060 as well, so it may match the existing state even if the external IP changed.
>
> Sebastian
>

Hi Sebastian,

Thanks for your quick reply.

My nat rule uses the parentheses and all other devices behind the firewall work fine. I think it’s more a specific issue with the SPA112. I have also set the ruleset optimization to conservative, but in this case the generated state just has a longer time to live. This isn’t the problem because the SPA112 sends regular keepalive packets which reset the counter for the state.

Here are the related rules:
pass out quick on egress inet from (vether0:network) nat-to (egress) modulate state
pass in on egress inet proto udp from <sipprovider> to (egress) port 5060

As I’m just reading my rules again: is the modulate state the problem? Or will pf use keep state for UDP packets by default?

Best Regards,
Patrick

Re: SPA112 VoIP with pf and NAT - States keeps open on address change

Stuart Henderson
On 2019-02-06, Patrick <[hidden email]> wrote:
> My nat rule uses the parentheses and all other devices behind the
> firewall work fine. I think it’s more a specific issue with the SPA112.
> I have also set the ruleset optimization to conservative, but in this
> case the generated state just has a longer time to live. This isn’t the
> problem because the SPA112 sends regular keepalive packets which reset
> the counter for the state.

Setting to 'conservative' (i.e. hanging on to states for longer) can't
help with this.

Using parentheses won't help either, that means "do a lookup at state
creation time", but you aren't getting a new state created because the
old one hasn't expired.

>
> Here are the related rules:
> pass out quick on egress inet from (vether0:network) nat-to (egress) modulate state
> pass in on egress inet proto udp from <sipprovider> to (egress) port 5060
>
> As I’m just reading my rules again: is the modulate state the problem?
> Or will pf use keep state for UDP packets by default?

PF uses "keep state" by default, and "keep state" is required for NAT.

I think your main options are:

- use a *shorter* timeout for this rule (this can be set per-rule
and overrides the default from "set optimization") and have a port
forward rule so that incoming packets still work even when the
state has timed out

- arrange a way to flush these states when the IP changes

The first of these is probably easiest if you can do it ..


Re: SPA112 VoIP with pf and NAT - States keeps open on address change

jummo4

> On 07.02.2019, at 14:21, Stuart Henderson <[hidden email]> wrote:
>
> On 2019-02-06, Patrick <[hidden email]> wrote:
>> My nat rule uses the parentheses and all other devices behind the
>> firewall work fine. I think it’s more a specific issue with the SPA112.
>> I have also set the ruleset optimization to conservative, but in this
>> case the generated state just has a longer time to live. This isn’t the
>> problem because the SPA112 sends regular keepalive packets which reset
>> the counter for the state.
>
> Setting to 'conservative' (i.e. hanging on to states for longer) can't
> help with this.
>
> Using parentheses won't help either, that means "do a lookup at state
> creation time", but you aren't getting a new state created because the
> old one hasn't expired.
>
>>
>> Here are the related rules:
>> pass out quick on egress inet from (vether0:network) nat-to (egress) modulate state
>> pass in on egress inet proto udp from <sipprovider> to (egress) port 5060
>>
>> As I’m just reading my rules again: is the modulate state the problem?
>> Or will pf use keep state for UDP packets by default?
>
> PF uses "keep state" by default, and "keep state" is required for NAT.
>
> I think your main options are:
>
> - use a *shorter* timeout for this rule (this can be set per-rule
> and overrides the default from "set optimization") and have a port
> forward rule so that incoming packets still work even when the
> state has timed out
>
> - arrange a way to flush these states when the IP changes
>
> The first of these is probably easiest if you can do it ..
>
>

Thanks for the suggestions. I tried to change the timeouts, but every time the state gets deleted the SIP server refuses the new connection, I think because of the change of source port. Maybe it would work with the static-port option. I chose option two and have created a cron job to reconnect my VDSL connection and flush the state table at 2am at night. This moved the forced termination after 24 hours to the night. I remember that the old firewall had a similar option and probably also deleted the state table at the same time. I didn’t notice the disconnection of my SPA112 in the middle of the night. To recover more quickly from a termination during the day, I have set the re-register timeout to 30 minutes and also run a script every five minutes on the firewall that checks the current public IPv4 address against the one in the state table for the SPA112 and, if they don't match, deletes the state.

Best Regards,
Patrick
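As an added example (not code from this thread, from OpenBSD, or from Cisco), the script below puts both of Stuart's options and the five-minute check Patrick describes into one place. sip_rules_option1 prints a pf.conf fragment for the first option: a short per-rule UDP timeout so the adapter's state dies soon after an address change, plus an rdr-to port forward so inbound SIP still reaches the adapter when no state exists; static-port is added on top because Patrick reports the provider refusing re-registrations from a new source port. stale_spa112_states is the second option / Patrick's cron check: it reads pfctl -ss output, picks the adapter's SIP state, and reports its translated public address when that differs from what egress currently carries. Everything concrete here is an assumption: the adapter at 192.168.1.20, SIP on UDP 5060, the <sipprovider> table name from the thread, the RFC 5737 addresses in SAMPLE_STATES (constructed, not captured), and the "src -> translated src -> dst" layout of pfctl -ss lines for nat-to states, which you should compare with your own output before trusting the awk fields.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values: the SPA112 sits at
# 192.168.1.20 on the LAN, SIP is UDP 5060, <sipprovider> is the table named
# in the thread. Addresses in SAMPLE_STATES are constructed (RFC 5737 ranges).

SPA112="192.168.1.20"
SIP_PORT="5060"

# Stuart's option 1 as a pf.conf fragment. Put these before the general
# "pass out quick ... nat-to (egress)" rule so the adapter's SIP traffic hits
# them first. Timeouts are per-rule and override "set optimization".
sip_rules_option1() {
    cat <<EOF
# Short-lived registration state: 60 s after the first packet, 120 s once both
# sides have talked. Keepalives still refresh it, so a state left behind by an
# address change expires within about two minutes instead of living on.
pass out quick on egress inet proto udp from $SPA112 to <sipprovider> port $SIP_PORT \\
    nat-to (egress) static-port keep state (udp.first 60, udp.single 60, udp.multiple 120)
# Inbound SIP from the provider still reaches the adapter with no state present.
pass in quick on egress inet proto udp from <sipprovider> to (egress) port $SIP_PORT \\
    rdr-to $SPA112 port $SIP_PORT
EOF
}

# Constructed pfctl -ss output (assumed layout: "src -> translated src -> dst").
# The adapter's SIP state still carries the old public address 203.0.113.10;
# the RTP state and another host's TCP state must be ignored by the filter.
SAMPLE_STATES='all udp 192.168.1.20:5060 -> 203.0.113.10:5060 -> 198.51.100.5:5060       MULTIPLE:MULTIPLE
all udp 192.168.1.20:16384 -> 203.0.113.10:16384 -> 198.51.100.7:30000       MULTIPLE:MULTIPLE
all tcp 192.168.1.30:51000 -> 203.0.113.10:51000 -> 198.51.100.99:443       ESTABLISHED:ESTABLISHED'

# Translated (public) address of every UDP state from the adapter to port
# SIP_PORT, read from pfctl -ss output on stdin. "$SPA112:" (with the colon)
# keeps 192.168.1.200 from matching 192.168.1.20.
spa112_nat_addrs() {
    awk -v spa="$SPA112:" -v port="$SIP_PORT" '
        $2 == "udp" && index($3, spa) == 1 && $7 ~ (":" port "$") {
            split($5, a, ":"); print a[1]
        }' | sort -u
}

# $1 = address currently on egress, pfctl -ss output on stdin. Prints each
# translated address that differs from $1; prints nothing when the state is
# still valid, so the caller can treat empty output as "nothing to do".
stale_spa112_states() {
    spa112_nat_addrs | awk -v cur="$1" '$1 != cur'
}

# Live variant for cron (every five minutes, as in the thread). pfctl -k with a
# single host kills every state whose source is that host, so the adapter's
# RTP states on the old address go with the registration state.
check_and_kill() {
    cur=$(ifconfig egress | awk '$1 == "inet" { print $2; exit }')
    stale=$(pfctl -ss | stale_spa112_states "$cur")
    [ -n "$stale" ] || return 0
    logger -t spa112-check "egress is $cur but SPA112 state uses $stale, killing it"
    pfctl -k "$SPA112"
}

# Offline demonstration on the constructed sample: egress now has 203.0.113.99,
# the state still says 203.0.113.10, so that address is reported as stale.
demo() {
    printf '%s\n' "$SAMPLE_STATES" | stale_spa112_states "203.0.113.99"
}

if [ "${1:-}" = "--live" ]; then
    check_and_kill
else
    sip_rules_option1
    echo "stale translated address(es): $(demo)"
fi
```

Run it without arguments to print the rule fragment and the offline check; `sh script.sh --live` from cron does the real comparison and kill. Syntax-check the fragment before merging it into pf.conf (for example by feeding it to `pfctl -nf`). The reason the check has to exist at all is the ordering Sebastian pointed out: pf consults the state table before the rules, so as long as the adapter keeps sending from port 5060 to the same server its keepalives match the old state, and neither `(egress)` in the rule nor a reload creates a new one.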