No luck with or with out the interface nor using source port, which thankfully is static in this case. The WAN and LAN IP are one and the same, it's a routed public internet address. Using the destination address instead of the source along with the afore mentioned combinations also does not work.
tcpdump running directly on the XXX.200 machine verified what torch shows:
# tcpdump -i eth1 -n -nn -N -s 0 src XXX.XXX.XXX.200 and udp dst port 5060
15:04:45.286216 IP XXX.XXX.XXX.200.5060 > XXX.XXX.XXX.27.5060: SIP, length: 424
15:04:46.444211 IP XXX.XXX.XXX.200.5060 > XXX.XXX.XXX.44.5060: SIP, length: 436
15:04:47.075953 IP XXX.XXX.XXX.200.5060 > XXX.XXX.XXX.44.5060: SIP, length: 467
15:04:48.926155 IP XXX.XXX.XXX.200.5060 > XXX.XXX.XXX.44.5060: SIP, length: 467
15:04:50.907552 IP XXX.XXX.XXX.200.5060 > XXX.XXX.XXX.44.5060: SIP, length: 803
15:04:53.230850 IP XXX.XXX.XXX.200.5060 > XXX.XXX.XXX.44.5060: SIP, length: 803
15:04:55.991327 IP XXX.XXX.XXX.200.5060 > XXX.XXX.XXX.44.5060: SIP, length: 436
15:04:59.211580 IP XXX.XXX.XXX.200.5060 > XXX.XXX.XXX.44.5060: SIP, length: 467
15:05:05.039716 IP XXX.XXX.XXX.200.5060 > XXX.XXX.XXX.44.5060: SIP, length: 803
I'm at a loss as to why the MT fw isn't catching it. Over the past several days since my initial post, several thousand packets have hit the rule, but it's definitely not all of them. Only 3 have hit it over the past hour, when it should be 1 every could seconds.
