Re: SIP with NAT traversal and STUN using NPF

To: Edgar Fuß <ef%math.uni-bonn.de@localhost>
Subject: Re: SIP with NAT traversal and STUN using NPF
From: Martin Husemann <martin%duskware.de@localhost>
Date: Sun, 14 Jun 2026 18:22:49 +0200

On Sun, Jun 14, 2026 at 05:00:26PM +0200, Edgar Fuß wrote:
> Possibly dumb question: does NPF support stateful UDP?

There ain't no dumb question, and better to double check anyway!

The answer depends on what you define as "stable". The various UDP messages
from my VoIP device to the server are all mapped with a stable source
port translation.

But: the same dest port is not translated back 1:1 when a UDP packet is
received from the server with a different source port.

Example (traced on my outside interface):

12:58:34.326026 PPPoE  [ses 0x10d] IP (tos 0x0, ttl 63, id 62136, offset 0, flags [DF], proto UDP (17), length 210)
    ${MY_IP}.16797 > ${REMOTE_IP}.32536: [udp sum ok] UDP, length 182
12:58:34.334538 PPPoE  [ses 0x10d] IP (tos 0xb8, ttl 59, id 0, offset 0, flags [DF], proto UDP (17), length 210)
    ${REMOTE_IP}.32536 > ${MY_IP}.29564: [no cksum] UDP, length 182
12:58:34.346054 PPPoE  [ses 0x10d] IP (tos 0x0, ttl 63, id 62142, offset 0, flags [DF], proto UDP (17), length 210)
    ${MY_IP}.16797 > ${REMOTE_IP}.32536: [udp sum ok] UDP, length 182
12:58:34.354267 PPPoE  [ses 0x10d] IP (tos 0xb8, ttl 59, id 0, offset 0, flags [DF], proto UDP (17), length 210)
    ${REMOTE_IP}.32536 > ${MY_IP}.29564: [no cksum] UDP, length 182

Where ${MY_IP} is my public IPv4 and ${REMOTE_IP} is the server of
my provider.

I need UDP port 29564 incoming mapped to the VoIP device original source
port while this call is active. I suppose if UPnP would be available
the Fritz!Box would arrange for this via that.

Can I make NPF map this automatically? I tried a 

	map $ext_if dynamic no-ports proto udp $voip_ip <-> $ext_v4

rule, assuming the no-ports option (that disables port mapping) and
the <-> for both in and out would give me the desired behaviour, but
this did not work. Maybe with a bit of NPF debugging it could be made
to work for this case - or I am doing something stupid.

I would really prefer a NPF only solution over anything involving
UPnP, NAT-PMP or PCP. Besides, contrary to documentation claims, I see
no PCP activity from the device at all. It tries to find a UPnP server
though.

Martin

Follow-Ups:
- Re: SIP with NAT traversal and STUN using NPF
  - From: Greg Troxel

References:
- Re: SIP with NAT traversal and STUN using NPF
  - From: Martin Husemann
- Re: SIP with NAT traversal and STUN using NPF
  - From: Edgar Fuß

Prev by Date: Re: SIP with NAT traversal and STUN using NPF
Next by Date: Re: SIP with NAT traversal and STUN using NPF
Previous by Thread: Re: SIP with NAT traversal and STUN using NPF
Next by Thread: Re: SIP with NAT traversal and STUN using NPF
Indexes:

Home | Main Index | Thread Index | Old Index