
NAT state not deleted after IP change (DHCP)



Hi,

My ISP upgraded the cable modem to the DOCSIS-Standard. Since then, the IP changes every 4 hours. Before, I received the same IP for more than a year (the box is always running).

The setup is a Soekris box attached to the cable modem on the first interface, and on the second interface (NAT'ed) is a switch, connected to my private network.

First, I had to surround various interface definitions with a brace, so the rules get updated if the IP changes. But one problem remains: the SIP-Phone in my private network. If the IP changes, the connection to the SIP-Proxy gets lost. I analyzed the firewall and found the following behaviour:

# pfctl -ss
self tcp 192.168.0.11:49319 -> 217.194.49.118:52765 -> 17.250.248.64:143 ESTABLISHED:ESTABLISHED
self tcp 192.168.0.11:49306 -> 217.194.49.118:59771 -> 17.250.248.64:143 ESTABLISHED:ESTABLISHED
self tcp 192.168.0.11:49299 -> 217.194.49.118:25625 -> 64.12.28.132:5190 ESTABLISHED:ESTABLISHED
self udp 217.194.49.118:47863 -> 193.120.10.3:123 MULTIPLE:SINGLE
self udp 217.194.49.118:29491 -> 62.94.26.10:123 MULTIPLE:SINGLE
self udp 192.168.0.30:5060 -> 217.194.49.202:53754 -> 212.55.198.140:5060 MULTIPLE:MULTIPLE


The state of the SIP-Connection remains active in the state table after changing the IP, why?
If I then delete the state, the SIP-Phone registers immediately with the SIP-Proxy.


# pfctl -F state

# pfctl -ss
self udp 217.194.49.118:5504 -> 208.201.242.2:123 MULTIPLE:SINGLE
self udp 192.168.0.30:5060 -> 217.194.49.118:63057 -> 212.55.198.140:5060 MULTIPLE:MULTIPLE


The following are the relevant parts from my pf.conf:

# Allow traffic back into the network
pass out on $ext_if from any to any flags S/SA modulate state

nat on $ext_if from <internetenabledhosts> to any -> ($ext_if) port 10000:65535


Thanks,


Cyrill


A general question: Am I right that I will always lose a SIP-Session if the IP changes (because the state will be deleted)?
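
Added example, not part of the original post: a small shell filter that reads `pfctl -ss` output in the layout shown above and reports NAT states whose translated address differs from the current external address, which is how the SIP entry (translated to 217.194.49.202) stands out in the first listing. The function names and the IPv4-only parsing are assumptions made for this illustration.

```shell
#!/bin/sh
# Hypothetical helper: report NAT states that still use an old external IP.
# Assumes the state layout shown in the post:
#   self PROTO internal -> translated -> destination STATE
# and IPv4 addresses (address and port are split on ":").

# stale_nat_states CURRENT_EXT_IP
# Reads `pfctl -ss` output on stdin and prints one line per stale NAT state:
#   PROTO internal translated destination
stale_nat_states() {
    awk -v cur="$1" '
        # Only NAT entries have three endpoints, i.e. 8 fields with two arrows.
        NF == 8 && $4 == "->" && $6 == "->" {
            split($5, nat, ":")          # nat[1] = translated address
            if (nat[1] != cur)
                print $2, $3, $5, $7
        }'
}

# State lines copied from the first listing in the post, used as sample input.
sample_states() {
    cat <<'EOF'
self tcp 192.168.0.11:49319 -> 217.194.49.118:52765 -> 17.250.248.64:143 ESTABLISHED:ESTABLISHED
self tcp 192.168.0.11:49306 -> 217.194.49.118:59771 -> 17.250.248.64:143 ESTABLISHED:ESTABLISHED
self tcp 192.168.0.11:49299 -> 217.194.49.118:25625 -> 64.12.28.132:5190 ESTABLISHED:ESTABLISHED
self udp 217.194.49.118:47863 -> 193.120.10.3:123 MULTIPLE:SINGLE
self udp 217.194.49.118:29491 -> 62.94.26.10:123 MULTIPLE:SINGLE
self udp 192.168.0.30:5060 -> 217.194.49.202:53754 -> 212.55.198.140:5060 MULTIPLE:MULTIPLE
EOF
}

# With 217.194.49.118 as the current address, only the SIP state is reported.
sample_states | stale_nat_states 217.194.49.118
```

On the firewall itself the input would come from `pfctl -ss` instead of `sample_states`; `pfctl -k host` removes the states originating from a single host without flushing the whole table.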