Can PF do Cone NAT ?

Gee Jay geejay at
Wed Dec 7 11:48:39 PST 2005

Benjamin Constant wrote:

> I'm maybe wrong but did you try with the static-port option on your nat
> rules?

Thanks, I overlooked that option. I conclude from the IP state table that
the PFSense firewall did not use that option. As far as I understand, the
static-port option would cause problems for other machines behind the NAT
who run the same services. So there would have to be different NAT options
for different port-ranges, if one wanted to follow this path.

Another solution I see is to put our Asterisk (VOIP) server on a 1:1 NAT and
give it an extra external IP on the firewall.

Thanks again for your suggestion.


TI Automotive
> -----Original Message-----
> From: owner-freebsd-pf at [mailto:owner-freebsd-pf at] On Behalf Of Gee Jay
> Sent: mardi 6 décembre 2005 21:09
> To: freebsd-pf at
> Subject: Can PF do Cone NAT ?
>
> Dear Gentlemen,
>
> I am struggling to set up NAT / Port redirection on a PFSense firewall
> (which uses PF) for the SIP Protocol or rather its RTP media streams.
>
> By all appearances the NAT in PF seems to work as a symmetric NAT
> which causes SIP in certain cases to fail.
>
> The VOIP provider in question uses on his side several media boxes
> with their own IPs to stream the RTP Media via UDP. My understanding of
> the problem is that the NAT in PF uses a different NAT port for each
> public destination IP so that the media boxes talk back to "dead" ports on
> the NAT.
> Whereas in the cone NAT only one port irrespectively of the external IP
>
> For further explanations regarding the problem see here:
> or here
>
> My basic question is: Can PF do a cone NAT ? And if so, how ? The PF
> documentation didn't help me unfortunately.
>
> Thanks for your help in the matter.
>
> GeeJay
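The two approaches raised in this thread (static-port limited to one host, and a 1:1 NAT on an extra external IP), sketched as a pf.conf fragment. This is an added example, not configuration posted by anyone in the thread; the interface name, the addresses and the macro names are assumptions.

```pf
# Added example, not from the thread. Every name and address below is a
# placeholder chosen for illustration.
ext_if   = "em0"              # assumed external interface
lan_net  = "192.168.1.0/24"   # assumed internal network
asterisk = "192.168.1.10"     # assumed address of the Asterisk server
ext_ip2  = "198.51.100.11"    # assumed extra public address (documentation range)

# Option A: static-port for the Asterisk server only.
# pf leaves the UDP source port unchanged, so every external media box
# sees the same public port for a given RTP socket.
# Translation rules are first-match: this rule must come before the
# general nat rule, or it never applies.
nat on $ext_if inet proto udp from $asterisk to any -> ($ext_if) static-port

# All other hosts keep the default behaviour: pf picks the source port
# itself. Keeping static-port off here avoids the problem mentioned in
# the reply, where two internal machines running the same service would
# claim the same public port.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Option B (use instead of Option A): 1:1 NAT on the extra public address.
# Ports are not rewritten in either direction.
# binat on $ext_if inet from $asterisk to any -> $ext_ip2

# Caveats for both options:
#  - Translation only rewrites addresses; the filter rules still decide
#    what is admitted. pf states are created per remote address and port,
#    so a media box the server has not yet sent to is passed only if a
#    pass rule allows it.
#  - With binat, restrict inbound traffic to the SIP and RTP ports the
#    server needs; the 1:1 mapping otherwise exposes every service on it
#    that the ruleset lets through.
```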