Video Conferencing: 1:1 NAT (and more!)
Introduction

OK - so "NAT:Port Forward" was easy.  Steel yourself.  The world of 1:1 NAT is murky.  Some serious research went into this and nowhere on the internet was particularly helpful.  Various individuals put forward ideas and what is below is an amalgam of what was discovered.  This works - it is proven and has been the spur for other schools to decide to make a switch to what Mt Aspiring College is doing.

This 1:1 NAT was tested with both a Polycom Viewstation 128 and a Polycom HDX6000 codec using H.323.  It should work with any H.323-compliant codec.


Configure pfSense - Virtual IPs

This process is identical to that covered in "Firewall: pfSense" under the "Inbound Firewall: NAT" section.  We used IP addresses from our /29 public IP range.  

To use addresses from the /29 range we first have to define them to pfSense as "Virtual IP Addresses" (look on the "Firewall" menu):


The relevant virtual IP detail for the "VC.100" rule is:


You can call the rule whatever you want - a descriptive name just makes it easier to follow things.


Configure pfSense - 1:1 NAT

Hold on to your steak and cheese ... follow what we did, substituting your IP addresses as required.

Use the "Firewall", "NAT" menu and choose the "1:1" tab:


The detail of this rule is:


Use the "Firewall", "NAT" menu and choose the "Outbound" tab:


The first rule above is the critical one.  Make sure the VC rule (or rules, if you have more than one VC unit) is at the top by manually moving it there after you have created it.  The detail of the VC.100 rule is:


Next make a firewall rule on the "FIBRE" (or "WAN") interface.  "Firewall", "Rules" then the "FIBRE" (or "WAN") tab:


The rule detail for VC.100 is:


Finally, you need a rule on the LAN interface to allow outbound traffic.  Use "Firewall", "Rules" and choose the "LAN" tab.  Again, position this rule at the top.


The VC.100 rule detail is:



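Why the VC rules on the "Outbound" and "LAN" tabs have to sit at the top: pfSense evaluates these lists from the top and the first match wins, so a broader rule placed above a host-specific one hides it. The sketch below is an added example, not part of the original write-up or of pfSense; the addresses are constructed documentation ranges, the function names are hypothetical, and it assumes the VC.100 outbound rule translates the codec's LAN address to its virtual IP.

```python
import ipaddress

# Constructed sample rules (documentation address ranges, not the college's).
# Each rule: (description, source network, translated address).
LAN_RULE = ("LAN default", "192.0.2.0/24", "198.51.100.1")
VC_RULE = ("VC.100", "192.0.2.100/32", "198.51.100.2")


def first_match(rules, src_ip):
    """Return the rule that translates src_ip: the first match from the top."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in ipaddress.ip_network(rule[1]):
            return rule
    return None


def shadowed_rules(rules):
    """Return (shadowed, shadowing) description pairs.

    A rule is shadowed when an earlier rule's source network contains its
    whole source network, so the later rule can never match any packet.
    """
    findings = []
    for i, later in enumerate(rules):
        later_net = ipaddress.ip_network(later[1])
        for earlier in rules[:i]:
            if later_net.subnet_of(ipaddress.ip_network(earlier[1])):
                findings.append((later[0], earlier[0]))
                break
    return findings


if __name__ == "__main__":
    for label, order in (("VC rule last", [LAN_RULE, VC_RULE]),
                         ("VC rule first", [VC_RULE, LAN_RULE])):
        hit = first_match(order, "192.0.2.100")
        print(f"{label}: codec leaves as {hit[2]} via '{hit[0]}'; "
              f"shadowed: {shadowed_rules(order)}")
```

With the VC rule last, the codec's traffic is translated by the general LAN rule and the VC.100 rule is reported as shadowed; with it first, only the codec uses the virtual IP and every other LAN host still falls through to the general rule.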

Configure the Video Conference unit - LAN and Firewall

The last steps in the setup process are to define the IP address, subnet mask, gateway and firewall settings on the local video conferencing unit.  Details of our setup are shown in the two images below.




Test it all - your call!

Just to prove it all works: here is a screen capture of the statistics during an actual call between the VC at Mt Aspiring College and another site: