Regardless of what I do, following all the steps mentioned here:
UPnP does not seem to allow the packets; you can see the packet answers are always blocked in the system logs :-(
I use 2.0-RC2 (i386) built on Sun May 15 20:43:07 EDT 2011
Now I defined NAT by hand and it works…
But why not UPnP?
I used the following UPnP rule: allow 1-65535 xxx.xxx.xxx.xxx/32 1-65535
Anyone any ideas?
I even created a pass rule for the UPnP ports from LAN network to LAN address as stated in http://forum.pfsense.org/index.php/topic,33024.0.html
But it still does not work; there are simply no mappings in the UPnP status...
You're going to have a hard time behind a double NAT maintaining static ports..
NAPT by its nature changes the source port when you make an outbound connection. This can be overcome by setting static port in your outbound NAT on pfSense. But your router in front of pfSense would also have to maintain this static port..
Many services in these console games (for some unknown reason) like to see static ports, i.e. a connection coming from a specific port.. So let's for example say you create a connection to publicIP:80 from privateIP:2000
Normally with NAT (NAPT) you have this:
privateIP:2000 ---> publicIP:80 (pfsense) YourPublicIP:RandomPort ----> publicIP:80
To get some of these applications/games to work you have to set up outbound NAT to be static so you get this:
privateIP:2000 ---> publicIP:80 (pfsense) YourPublicIP:2000---> publicIP:80
If you put a NAT device in front you normally get this:
privateIP:2000 ---> publicIP:80 (pfsense) otherprivateIP:RandomPort ----> publicIP:80 (nat router) YourpublicIP:SomeOtherRandomPort ----> publicIP:80
What you might need to happen is this:
privateIP:2000 ---> publicIP:80 (pfsense) otherprivateIP:2000 ----> publicIP:80 (nat router) YourpublicIP:2000 ----> publicIP:80
This is just an example of a problem you can have with double NAT and such services that for whatever reason want to see some specific source port.
So is pfSense the only thing doing NAT? What does your outbound mapping look like?
What I did was to create an alias for each game/game service, with all their port numbers, for the firewall, then created a rule using each, to keep things tidy and easy to change per service if they change ports. I tested with that only, no snort or squid or anything else. Once all was working correctly, I then added squid and squidguard. Once that was tuned, I added snort and tuned that up. If I had put all three in there at once I would never have been able to figure out just what was doing what if something wasn't working. So I would disable Suricata or set the default allow-all out the firewall lan interface, and test. If it works, at least you have narrowed it down to what you had disabled, firewall rules or Suricata.
Try to separate your alias xboxgroup (do an alias for each one).
Disable your rule prioritizing.
Create ACL for UPnP
It works for me with 2 Xbox One, except for the Warframe game.
Test with this configuration (copy/paste from another post)
I have many issues with Warframe on 2 Xbox on the same ISP (only 1 public IP address).
In Warframe, I can't invite a friend to join me.
At best, only 1 Xbox can see the other player and launch an invite, but an error message says "The player is offline".
All the network tests on Xbox are OK (Internet, Multiplayer and NAT Open).
I tried with other games (Rocket League and Warhammer Vermintide) without problems.
I use PFsense 2.4.3-RELEASE (amd64)
Firewall / NAT / Outbound
Mode : Manual Outbound NAT
Interface : WAN
Source : Xbox1 (alias for 192.168.0.16)
Port Source : any
Destination : any
Port Destination : any
NAT Address : WAN
NAT Port : any
Static Port : YES
Interface : WAN
Source : Xbox2 (alias for 192.168.0.17)
Port Source : any
Destination : any
Port Destination : any
NAT Address : WAN
NAT Port : any
Static Port : YES
Services / UPnP & NAT-PMP
Enable UPnP & NAT-PMP
Allow UPnP Port Mapping
Allow NAT-PMP Port Mapping
External Interface : WAN
Interface : LAN + loopback
ACL Entries : allow 1-65535 192.168.0.16 1-65535
ACL Entries : allow 1-65535 192.168.0.17 1-65535
System / Advanced / Firewall & NAT
NAT Reflection mode for port forwards : Pure NAT
Enable NAT Reflection for 1:1 NAT
Enable automatic outbound NAT for Reflection
Firewall / NAT / Port Forward
Nothing, because I activated UPnP
Actually, I must use the bad ISP-box only for Warframe ;-)
The part that is missing is the outbound NAT. The Factorio server is a client to the Factorio pingpong servers that are used for NAT punching(1). The source ports when talking to these pingpong servers must not be mangled, so an outbound NAT rule is needed to prevent this (pfSense mangles ports by default). Just got all this working today.
Outbound NAT Mode: Hybrid Outbound
Add this mapping:
Source: <internal address of your server>
Source Port: udp/34197
Destination Port: udp/*
NAT Port: *
Static Port: YES
I haven't had a chance to test it with many other games. But I've been playing Ark a lot lately and noticed that I keep getting time outs. I'll run a continuous ping check and time it. Every 2 hours on the dot I get a row of 4 packet losses in a row and my Ark client times out.
I have troubleshot local hardware, including switch and NIC etc… I left the continuous ping running all day long and came back to a 0% packet loss. It seems to only happen when I'm playing Ark.
I have a feeling it might have to do with how packets are handled. I'm trying to set my NAT from auto to manual and see if that makes a difference. But while I'm testing that... anyone else have any recommendations?
And yes. I have the game ports forwarded.
By any chance does your DHCP lease reset every two hours? It shouldn't be disconnecting you but something to consider.
I have made it work; I'll publish my rules if somebody is interested in them …
Works for the servers you are playing on, I see many using ports not in your rules.
20167, 19777, 47200, just to name a few. Again BF4 Server port can be anything.
Perhaps not the exact answer any of you are looking for but this works and works well and is relatively easy to get going:
I've tested it with:
Blizzard (Including Destiny 2)
League of Legends
ArenaNet (Guild Wars 2)
Frontier (Elite Dangerous)
Microsoft (Windows Updates)
Simply set up an Ubuntu Server 16.xx without the LAMP option (you'll need to disable Apache if you do, it will intercept port 80). I suggest choosing the OpenSSH server; it is easier to paste commands from another PC with PuTTY etc.
Once the server is installed simply follow the setup instructions here https://github.com/RyanEwen/lan-cache-docker/wiki/Setup-instructions.
Set the IP of this new lan-cache server as your DNS server instead of using pfSense for DNS.
Trying to shoehorn nginx, sniproxy and the way dnsmasq is used for hijacking the various Game CDN names into pfSense is well beyond my abilities.
Ignoring that you are running a fairly old version of pfsense.
The rule you have setup for your game has several problems:
1. It is limited to UDP and TCP traffic, but the game updater might use ping requests to check if a host exists; pinging uses the ICMP protocol (but that would also take place on another port, so it would still not pass by this rule).
2. The rule only passes for a single port? Are you sure the game updater only uses that one port? If not, the traffic is split between your WANs, which is usually a problem since the host server expects traffic to come from the same source IP, not from different ones.
Basically, I have no reason to think that your current setup should work at all.
This is totally a DenverCoder9 xkcd 979 reference.. I had same problem. You never posted back what solved yours!
A CISCO switch with 'UDP Relay/IP Helper' option to forward port 27036
Bridge the two networks
only use 1 subnet in first place
I ended up bridging the two… Don't need the security.
If the game uses Xbox Live for everything on the network side, then I would think it would work.
If the game uses its own servers, a different port number that you can't change (to make each console use a unique port), or requires UPnP, then obviously my solution would not work.
Bones, I know it's been a few months but were you able to get port forwarding for COD sorted out?
If so how?
I'm currently beating my head against the wall trying to get an "Open NAT" in Black Ops 3. I have tried everything in the pfSense help pages but still no joy.
I have been having this same issue on and off again since the release of xbox ones. I tried having another crack at this over the weekend since I now have the latest dashboards on every xbox and can select which port to use instead of 3074.
The issue is the same, I have NAT Open on every box using all forms of NAT Reflection mode for port forwards, disabled, pure NAT and NAT + Proxy and have had Automatic create outbound NAT rules checked and unchecked. The issue is it works for most games but then there are a few that just refuse to multiplayer up. They can party and chat and play majority of the games.
Games like Warframe that don't connect with NAT Open just require you to set a manual outbound NAT with sticky port disabled. This will set the second xbox to NAT Strict and you will be able to play together. Once you switch games you can leave it and xbox 1 sticky and xbox 2 random port but this might affect matchmaking in other games if you don't switch back to sticky on both when not partied together.
Also as an update to what has been attempted, I've now changed my ACL entries to have one Xbox be allowed 3074, the next 3075, the final 3076, then 2 rules for all of them to be allowed to grab 53-3073 and 3077-65535, as it seems from another forum that this was Activision's suggestion. Still no dice.
You can't do that.. Xboxes try 3074, then a random port (40k+) for Teredo; you MUST allow Xboxes to grab ANY port they want, the ONLY one you can deny is 3074, nothing else.
You can not force an Xbox to use certain ports by restricting what UPnP will allow; the Xbox will just give up since UPnP doesn't tell it "you can only use these". The Xbox asks UPnP "can I use this", UPnP says nope, Xbox then asks "can I use this", UPnP says nope, Xbox gives up.
The ONLY UPNP rule you should have is.
deny 3074 192.168.1.0/24 3074 <<---- Replace 192.168.1.0/24 with your LAN subnet
This forces the Xboxes to pick a different port for "Teredo", this also allows all games on all Xboxes to UPNP themselves another port if they need it.
As far as UPNP goes, every Xbox MUST be allowed to use every port except 3074.
In my setup, I have no Xbox Dedicated Inbound or Outbound NAT Rules, the only thing Xbox Related is a deny ACL for 3074.
For Outbound NAT my whole LAN has Static Port; making a separate rule is not very helpful, and forcing random ports for LAN devices hurts worse than it helps anyway, not that it hurts much, the point is it offers practically 0 benefit.
I have UPNP only Blocking the use of 3074 "deny 3074 10.0.1.0/24 3074".
Then for "NAT Loopback" or "NAT Reflection" I have
Goto System -> Advanced -> Firewall & NAT
NAT Reflection mode for port forwards: Pure NAT
Enable automatic outbound NAT for Reflection: Check/Enabled
That is it, Xboxes have full open NAT, any Games can UPNP more ports if they need, and they can talk to each other via the WAN IP.
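An added example, not code from this thread or from pfSense/miniupnpd, that evaluates UPnP ACL entries in the form the pfSense GUI lists them: the per-Xbox "allow 1-65535 <ip> 1-65535" entries from the Services / UPnP configuration above and the single "deny 3074 <subnet> 3074" entry. It assumes miniupnpd's rule semantics (entries checked in order, first match wins, an unmatched request is allowed unless a closing deny-all entry exists) and models a constructed console that asks for 3074 first and then retries on another port when refused.

```python
import ipaddress
import re

# Entry syntax (as shown in pfSense): <allow|deny> <ext-port[-port]> <ip[/mask]> <int-port[-port]>
ACL_RE = re.compile(r"^(allow|deny)\s+(\d+)(?:-(\d+))?\s+(\S+)\s+(\d+)(?:-(\d+))?$")

# Constructed ACL sets mirroring the two approaches discussed in the thread.
PER_HOST_ALLOW = """
allow 1-65535 192.168.0.16 1-65535
allow 1-65535 192.168.0.17 1-65535
deny 0-65535 0.0.0.0/0 0-65535   # closing deny-all (pfSense "Default deny")
"""
DENY_3074_ONLY = "deny 3074 192.168.1.0/24 3074"


def parse_acl(text):
    """Parse ACL text into (allow, ext_range, network, int_range) tuples, in order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = ACL_RE.match(line)
        if not m:
            raise ValueError("bad ACL entry: %r" % raw)
        action, e1, e2, net, i1, i2 = m.groups()
        rules.append((action == "allow",
                      (int(e1), int(e2 or e1)),
                      ipaddress.ip_network(net, strict=False),  # bare IP becomes /32
                      (int(i1), int(i2 or i1))))
    return rules


def is_allowed(rules, ext_port, client_ip, int_port):
    """First matching entry decides; assumed miniupnpd default when nothing matches is allow."""
    addr = ipaddress.ip_address(client_ip)
    for allow, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and addr in net and ilo <= int_port <= ihi:
            return allow
    return True


def simulate_console(rules, client_ip, wanted=3074, fallbacks=(40001,)):
    """Hypothetical console: request the preferred port, then each fallback;
    return the first port granted, or None if every request is refused."""
    for port in (wanted,) + tuple(fallbacks):
        if is_allowed(rules, port, client_ip, port):
            return port
    return None
```

With the deny-3074 entry a console on the LAN is refused 3074 and settles on its fallback port; with the per-host allow list plus the closing deny-all, an unlisted host is refused every port and gives up.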
As others have mentioned, if the game is not coded properly to use UPnP you are not going to have much luck (i.e. if it only requests 1 port, and that port is the same on all your different consoles, you cannot do so). The only fix for that type of issue is to have a public IP address for every game console you own. Most ISPs charge extra for additional IP addresses.
Also, as the other thread is locked, and I could not find the upnp restart script mentioned in that thread, I figured out a way to restart upnp for me every morning.
Here's the php script
Then install the cron package, and set it to execute. Here's what mine looks like.
/usr/bin/nice -n20 /usr/local/bin/php /root/restart_upnp.php
Obviously I placed the above script code into /root/restart_upnp.php
As far as 'all home routers do this fine' I would highly disagree with that. If you have good luck with default settings on home routers then your upnp should be fine in pfsense.
My only issue was that after a day or two (using 2 PS4s and playing Bloodborne, Dark Souls, etc. co-op) it will eventually run out of mappings as they do not age out. Hence the script to restart UPnP every morning.
Another thing to mention is that the PS4s/Xboxes don't remember their UPnP settings between boots. If your games don't work, I would suggest closing the games on all consoles, restarting UPnP on the pfSense, and then launching all the apps again. This has fixed our issues 99.9% of the time.
Hey all, super sorry to necro an old thread but it has pertinent information and screenshots.
I was able to get For Honor working with the static outbound rules, however I am running into an issue where I have 2 roommates who also play, and while the NAT rule works for the first PC in the rule list, the other 2 never get the traffic. I tried adding an alias with the hosts specified, but this doesn't seem to work.
I come from cisco where we could forward nat traffic to a range of hosts, or even a subnet. How would I accomplish the same thing with PFsense?
It looks like I got it… The post I mentioned earlier helped but it was missing one crucial step that immediately fixed my issue. I stumbled upon another page that suggested moving the rule to the top of the list. Once I did that, my issue was fixed. I even removed the ACL entry and tested with positive results.
Pretty sure I figured this out with Cisco switches and the NAT Issue on xbox. I did some research on Cisco's forums and discovered that most of the xbox's traffic is multicast for some reason (also has a TTL of 1 /boggle). I also found an article that talks about needing to have multicast turned on the switches with all the new home theatre gear, so I figured this makes sense. I added the following option to my Cisco switch and now I always have an open NAT, on both my Xbox and PS4.
ip igmp snooping
If you're using L3 interfaces you need to turn on PIM multicast mode on each interface so it passes multicast traffic too..
If you are referring to Steam streaming from one box to another or from your gaming PC to a Steam Link, then pfSense has absolutely nothing to do with it since Steam streaming only works for devices on the same subnet. No streaming traffic crosses pfSense.