I read the Rulz, I've created a DNAT blackhole rule, and I'm still getting the same IP hitting the voip server on my LAN.

Is the blackhole DNAT before your regular rule?
Maybe show us an edit of your rule.

Best regards 
Alex

Hi,

Thank you for the reply.   The Blackhole DNAT is at the top of my NAT rules, and the blackhole route to the nonexistent IP (blackhole2 in the rule) is my only static route.

Your protected host is published via DNAT too, correct?
Is that address in Going to your external WAN IP? And maybe it’s better to use an IP of a not existing host instead of a multicast IP.
But nevertheless the DNAT should work with that IP too. Sorry other things I don’t see at the moment.

Best regards 

Alex 

Alex,

My protected host (PBX9) is not published via DNAT.  It's defined under VOIP settings , and I have a firewall rule allowing SIP protocol out from PBX9.

The 224 address was suggested in another post, maybe I misunderstood.  I changed it to another unused IP and will see if anything changes.

Thank you again

Kevin

Hi Kevin,

thanks for clarification. Probably that’s why the blackhole DNAT rule is not working.
https://community.sophos.com/cfs-file/__key/communityserver-discussions-components-files/51/iptables-sequence.JPG

Sorry no better idea for that.

Best regards 

Alex 

I'm sorry Alex - do you mean it's probably not working because of the VOIP configuration, or because of the (now changed) multicast blackhole IP?

No, maybe that DNAT blackhole is processed after the connection is handled by the voip (helper / proxy). That’s be caused by the structure of the UTM.
Sorry my knowledge of the VoIP helper is bad. So I am not sure, but that’s my best guess.

BR

No, maybe that DNAT blackhole is processed after the connection is handled by the voip (helper / proxy). That’s be caused by the structure of the UTM.
Sorry my knowledge of the VoIP helper is bad. So I am not sure, but that’s my best guess.

BR