# [PF] Using same ports outbound



## ProServ (Oct 1, 2013)

Hi, wondering if anyone could possibly show me how to get the same port outbound. For example, there are several SIP devices behind the PF firewall and the desired effect is to have those devices go out to servers using 5060-5063.

In pf.conf current rules for SIP ports:


```
pass out on $ext_if inet proto udp from any port 5060 to any port 5060 keep state tag Voip queue voip_out
pass out on $ext_if inet proto udp from any port 5061 to any port 5061 keep state tag Voip queue voip_out
pass out on $ext_if inet proto udp from any port 5062 to any port 5062 keep state tag Voip queue voip_out
```

But looking at the server, it shows the SIP device is not using any of the above ports; rather it's using 56540.

Thank you for your help.


----------



## J65nko (Oct 1, 2013)

What is the output of `# pfctl -vvs rules` for those three rules?


----------



## ProServ (Oct 1, 2013)

*[solved]*

Hi, thank you for replying so quickly. I found the answer and here it is:


```
nat on $ext_if from !($ext_if) to any -> ($ext_if) static-port
```

It's the *static-port* in the above line which seems to ensure the outbound port is the same as the port configured on the ATA or SIP phone. 

Now the SIP Server records the phones/fax as 506* as shown:


```
260/260      xx.xxx.xx.xx    D   N          A  5062     OK (34 ms)

sip:xx.xxx.xx.xx:5061 	2013-10-01 07:10:08 	Linksys/SPA2102-5.2.13(004)
```
Thanks!


----------



## kpa (Oct 1, 2013)

There's a problem with static-port if you use it like that, and it is when multiple client machines behind the NAT point use the same source port on outbound connections. There will be a collision and PF does not automatically solve it as far as I know. I would limit the use of static-port to UDP only because it does not make any sense with TCP. Something like this:



```
nat on $ext_if inet proto udp from !($ext_if) to any -> ($ext_if) static-port
nat on $ext_if from !($ext_if) to any -> ($ext_if) port 1024:65535
```

The second line guarantees that the other NAT'ed connections, which are all TCP client connections, originate from random unprivileged ports.


----------
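The following is an added example, not code from the thread or from pf itself. It is a toy model of the NAT source-port choice discussed in ProServ's solved post and in kpa's reply: with static-port the translated source port equals the inside port, so the external tuple (proto, external IP, port, destination IP, destination port) is only unique while every inside host uses a different source port; with the `port 1024:65535` form the translator picks a free port instead. The addresses, the round-robin allocator and the "drop on collision" behaviour are assumptions made for the model (pf's real allocator is random and its collision handling is not described on this page).

```python
"""
Toy model of outbound NAT source-port selection (added example, not pf's code).

Models the two rule styles from the thread:
  - static-port: translated source port == inside source port
  - port 1024:65535: translated source port chosen from a range
and shows the collision kpa warns about when two inside hosts reuse a port.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

EXT_IP = "203.0.113.10"   # assumed external address ($ext_if); RFC 5737 documentation range


@dataclass(frozen=True)
class Flow:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# External-side key that return traffic is matched on.
Key = Tuple[str, str, int, str, int]   # (proto, ext_ip, ext_port, dst_ip, dst_port)


class Nat:
    def __init__(self, static_port_protos=(), port_range=(1024, 65535)):
        self.static_port_protos = set(static_port_protos)
        self.low, self.high = port_range
        self.states: Dict[Key, Flow] = {}
        self.next_port = self.low   # simple round-robin allocator (assumption; pf picks randomly)

    def _key(self, flow: Flow, ext_port: int) -> Key:
        return (flow.proto, EXT_IP, ext_port, flow.dst_ip, flow.dst_port)

    def translate(self, flow: Flow) -> Optional[int]:
        """Return the external source port used for flow, or None if no state can be created."""
        # An existing state for this exact inside flow keeps its port.
        for key, owner in self.states.items():
            if owner == flow:
                return key[2]
        if flow.proto in self.static_port_protos:
            key = self._key(flow, flow.src_port)
            if key in self.states:
                return None   # collision: another inside host already owns this external tuple
            self.states[key] = flow
            return flow.src_port
        # Dynamic allocation: take the first free port in the configured range.
        for _ in range(self.high - self.low + 1):
            port = self.next_port
            self.next_port = self.low if port == self.high else port + 1
            key = self._key(flow, port)
            if key not in self.states:
                self.states[key] = flow
                return port
        return None   # range exhausted


def demo() -> Dict[str, Optional[int]]:
    """Constructed sample flows (RFC 1918 / RFC 5737 addresses) through kpa's two-rule setup."""
    nat = Nat(static_port_protos={"udp"})   # first rule: static-port for UDP only
    sip_server = "198.51.100.5"
    flows = {
        "ata_a_udp_5060": Flow("udp", "192.168.1.20", 5060, sip_server, 5060),
        "ata_b_udp_5061": Flow("udp", "192.168.1.21", 5061, sip_server, 5060),
        "ata_c_udp_5060": Flow("udp", "192.168.1.22", 5060, sip_server, 5060),  # reuses A's port
        "host_a_tcp": Flow("tcp", "192.168.1.20", 5060, sip_server, 80),       # second rule
        "host_c_tcp": Flow("tcp", "192.168.1.22", 5060, sip_server, 80),
    }
    return {name: nat.translate(flow) for name, flow in flows.items()}


if __name__ == "__main__":
    for name, port in demo().items():
        print(f"{name:16} -> {'dropped (port collision)' if port is None else port}")
```

The two ATAs on distinct ports (5060 and 5061) keep their ports on the outside, which is what the SIP server in ProServ's output records; the third ATA, reusing 5060, collides with the first and gets no state, while the TCP flows from the same two hosts with the same inside port are simply given 1024 and 1025. That is why the original setup works at all: the devices were already configured on distinct ports 5060-5063. On a live box, `pfctl -ss` lists the current states with their translated addresses and ports, which is the quickest way to confirm which rule a given phone's traffic matched.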

