Static Port

From PFSenseDocs

By default, pfSense rewrites the source port on all outgoing packets. Many operating systems do a poor job of source port randomization, if they do it at all. This makes IP spoofing easier, and makes it possible to fingerprint hosts behind the firewall from their outbound traffic. Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities.

However, this breaks some applications. When Advanced Outbound NAT is disabled, built-in rules skip source port rewriting for UDP 500 (ISAKMP for IPsec VPN traffic), because this traffic will almost always be broken by rewriting the source port.

Note that 1.2.3 and older releases do not rewrite the source port on SIP (UDP 5060) traffic by default, though 2.0 and newer do. If problems with handsets are encountered on an older release, upgrade to a current version of pfSense or manually adjust the outbound NAT rules.

Other protocols, such as those used by some games, may not work properly when the source port is rewritten. To disable this functionality, the static port option must be used on outbound NAT rules.

  • Navigate to Firewall > NAT, Outbound tab
  • Select Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))
  • Click Save
  • Find the rule at the bottom of the page labeled "Auto created rule for LAN".
  • Click + at the end of that row to copy the rule.
  • Edit the rule so it only covers the source IP of the device that needs static port, and any other required settings.
  • Check the Static Port box on that page
  • Click Save
  • Move the rule to the top of the list
  • Click Apply Changes
  • Navigate to Diagnostics > States
  • Enter the IP address of the device in the Filter box
  • Click Filter
  • Click Kill

Now connections from that device will have their source port retained.
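
A check for the result of the procedure above, as an added example that is not part of the original pfSense documentation: it reads `pfctl -ss` state listings and reports whether each NAT state for a device kept its source port. It assumes the state format in which pf prints the pre-NAT source in parentheses after the translated address; the interface names, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not pfSense project code.
# Constructed sample of `pfctl -ss` output (assumed format; documentation addresses).
# 192.168.1.50 has a static port rule, 192.168.1.60 does not.
sample_states() {
cat <<'EOF'
em0 udp 203.0.113.5:5060 (192.168.1.50:5060) -> 198.51.100.7:5060       MULTIPLE:MULTIPLE
em0 udp 203.0.113.5:3074 (192.168.1.50:3074) -> 198.51.100.9:3074       MULTIPLE:MULTIPLE
em0 tcp 203.0.113.5:44721 (192.168.1.60:50211) -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED
em1 udp 192.168.1.50:5060 -> 198.51.100.7:5060       MULTIPLE:MULTIPLE
EOF
}

# check_static_port DEVICE_IP
# Reads state lines on stdin and prints one line per NAT state whose pre-NAT
# source is DEVICE_IP (IPv4 only). Returns 0 only when at least one such state
# exists and every one of them kept its source port.
check_static_port() {
    awk -v ip="$1" '
    {
        for (i = 2; i <= NF; i++) {
            # NAT states carry the pre-NAT source as "(ip:port)"
            if ($i !~ /^\(.*\)$/) continue
            inner = substr($i, 2, length($i) - 2)
            n = split(inner, a, ":")
            if (n != 2 || a[1] != ip) continue
            # The field just before it is the translated (post-NAT) source
            m = split($(i - 1), b, ":")
            seen++
            if (b[m] == a[2]) {
                print "retained", inner, "->", $(i - 1)
            } else {
                rewritten++
                print "rewritten", inner, "->", $(i - 1)
            }
        }
    }
    END { exit ((seen > 0 && rewritten == 0) ? 0 : 1) }
    '
}

# Demonstration on the constructed sample
for dev in 192.168.1.50 192.168.1.60; do
    if sample_states | check_static_port "$dev"; then
        echo "$dev: source port retained on all NAT states"
    else
        echo "$dev: source port rewritten (or no NAT states found)"
    fi
done
```

On the firewall, feed it live data with `pfctl -ss | check_static_port <device IP>` after killing the old states, since states created before the rule change keep their rewritten ports.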