To block WoW, you could block connections on your LAN with destination port 3724.  I don't know whether it is TCP or UDP, though.  This will block attempts to log in from the game client.

For just a single player with online gaming, and not much other traffic from your LAN at the same time, the SMC gateway that Comcast ships with their biz installs is actually quite a powerful little gateway.  The advantages of PFSense with its QoS will not come into play.  There are certain setups to setup your own router from behind the SMC so your own router gets the next static IP in your block, effectively bypassing the router/NAT features of the SMC, and if you use PFSense and you have quite a bit of other LAN traffic, the QoS/traffic shaping abilities that PFSense has will help out your online gaming quite a bit.

Since you have 1:1 mappings, you try to access the external public IP from the inside.
Meaning a request comes from the LAN, goes to the WAN and should go back into the LAN.
This is not possible. (Due to the way NAT works).
Also 1:1 NAT does not work with NAT reflection.

Why do you use 1:1 NAT?
Is upnp not working for you to forward the ports dynamically?

If you could use dynamically created normal NAT mappings, you could try to enable NAT reflection.

Can you post screenshots of your firewall, nat, aon rules?
From where do you connect?
How is your network set up? (ASCII art?)
if someone connects from external side, what is the error they get?
Any entries in the firewall log?
Any entries in the server log?
What does a TCP dump on the WAN show?

Would device polling be a detriment here?

I wonder because Im in the exact same situation as the OP.

Try this:
http://forum.pfsense.org/index.php/topic,13887.msg94807.html#msg94807

I had to track this down when getting PvPGN to work with external SC players for my LAN. The problem is that Starcraft encapsulates it's source TCP/IP port within the data itself, so simple port forwarding fails often.

Well, what you have to do is:

1. Alter the PCs in question to use different source ports from default. This is a registry edit on Windows, and a ResEdit on Mac.
  a. use regedit to edit/create:
    HKLM\Software\Battle.net\Configuration REG_DWORD "Game Data Port"
    (choose a unique so far unused port for each client, value should be in hex)
2. Then on your router forward each of those ports to the correct client computer
3. Enable Manual Outbound NAT, and setup each port you chose as an outbound source port (so that it isn't translated to another port # on the WAN side, this is waht borks up Bnet a lot, since SC encodes the port # within the data, etc..)
One of my entries looks like:
WAN  192.168.0.0/24 6113 * * * * YES

An easy way to do it is to duplicate a rule for one of the services you know has higher priority. Then edit the new rule to any port numbers, but with a specific source IP address.

Just for the record. I tried to host regular multipleyer sessions and it work no problem. For some reason only the coop mode is giving me problems.

I recently made some headway on this issue.  It appears that the uPnP port mappings are getting FUBAR'd (by other Xbox 360s on the network).  I disabled static ports and it seems to solve the connection issue.  However now I will occasionally get warnings about not having OPEN NAT on some Xbox 360s, but it's not such a big deal.

Anyway to investigate the problem I first upgraded to 1.2.3 RC1.  Then I did some packet captures targeting the consoles that were unable to connect.  The packets appear to be sent by the Xbox 360 to Xbox Live(XBL) but a reply is never received.  All the while the other Xbox 360s are connected and playing fine.  This leads me to believe it's a port forwarding issue.    I think the replies were being sent to the wrong IP but there's no way I can see to distinguish that reply from all the other traffic in the packet capture since whoever the reply is being sent to is also receiving it's own packets from XBL.  Once I turned off static ports, they have all been signing on OK not to mention sign on time is faster and no disconnects have occurred that I know of since then.  Everyone is playing online and they're very happy… and if they're happy, I'm happy.

I checked and the uPnP port mappings are still being made, even without static ports.  I'm sure uPnP wasn't developed with this in mind but I'm going to keep trying!

Thank you for your help.

@chrisboy99:

people cant connect. even not find the server on steam- server list
only local computers can Join it

This sounds like a missconfiguration of the server.
Did you actually set it up to register on the master list?

If you could post the output of the serverlog here someone (me?) might be able to help you.
Although this is more a question for one of the countless Half Life 2 modding scene forums and less for the pfSense forum.

(Also it would help if you answer my previous questions)

Did you enable static ports (as in the sticky above)? Does the server show a client connecting in the log? If you connect with a client what error do you get? Does TCPdump show any packets destined for the server? Does your serverlog show anything like this:

Console initialized.
….
Adding master server 207.173.177.11:27011
Adding master server 68.142.72.250:27011
Connection to Steam servers successful.
VAC secure mode is activated.

Did you actually forward all the ports the srcds requires?

UDP 1200
UDP 27000 to 27015 inclusive
TCP 27030 to 27039 inclusive

further inspection ….......

the subnets were all wrong also so the DHCP wasnt able to assign IP's to OPT1 was on another network instead of just another subnet, I modified it to....

network 192.168.1.0/25
LAN 192.168.1.1/25 subnet host
OPT1 192.168.1.128/25 subnet host
subnet mask: 255.255.255.128

which mean they are on different subnets but same network now.

tested xbox live and everything is brill!!!  ;D

thank again for the input without it I wouldn't have been looking in the right areas ;)

I think the answer to your question is no, although i'm not sure i understood what you want to ask
^^"

I whited out the private IP addresses, "they'' say its bad practice to post your network addresses although hiding private addresses is being very paranoid but I do as others better educated than I tell me.

Pic 1:
I wrote rules to allow UPnP only on my gaming console IPs so that other devices on that interface cant use UPnP.  You could set up one rule for your entire subnet if you like but that wasnt what I wanted.

Pic 2:
I wrote rules to use static ports on the XBOX, PS3, Wii, and BluRay which are all on my DMZ interface so those look duplicated but each IP is different.  The rest of the DMZ network has a rule to not use static ports as well as the LAN and OVPN.

I pasted those numbers on the pics in this post so you normally wouldnt see a space between the IP addresses and the mask for example 10.99.99.0/28, 10.99.99.2/32, etc.


Thanks for the quick reply!

Well I should clarify that I have a static mapping set in the DHCP server.  It was my understanding from the other guides that you need to do that to set outbound static mapping. However I did make it outside the DHCP pool. (so for example I use a 10.10.10/24 I allow .5 - .240 for the actual Pool).  If that isn't correct, I can change it easily, however it does work for my xbox360

I have hit clear to try and restart to see if that helps, but it doesn't.  Any thoughts?

Well, I have found out what the problem might be.

http://forums.srcds.com/viewtopic/9380

The error I am getting (sv_lan is 0…) could be due to a bug. If I could get another person to test this out that would make me feel better.

Edit: Also, make sure that you have your sv_region set to anything but -1, or the server will not show up on the master list!

Are you really certain, that the server was actually running on 27017.
I think i remember something that if you misswrite something in the config file, the server jsut starts with the default value (which would be in this case 27015).

I will check it out, thanks

The main reason I would like to do this is as i said old games that do not support IP
Most new Lan based games will not let you play as a lan setup if your ip address is on a differant range then the server.
Most old Lan based games do not even have support for IP
and in my experance most VPNs do not allow all ethernet traffic

To give you an example other then gaming
With a vpn if you connect to a network with a shared drive in windows the vpn client can not see what computer has the shard drive under the network list becouse that data is not passed.

Here is the router Package i used
http://www.mikrotik.com/testdocs/ros/2.9/interface/eoip.php

Ok, to answer my own question.

Using static ports with AON causes the rejects.  Setup AON without static ports and I get regular Blocks.

UPnP says its allowing in on port 3074 like Stu/d stated above but its not making it through the firewall for some odd reason, although states shows me a bunch of connections on port 3074.

Setting up a port forward for 3074 resolves all this but then whats the point of UPnP then?

I still need to test the "port forward" method a bit more.

I'll update my post ASAP.

I wonder if that could that have something to do with the Static Ports option in the NAT?

You should probably keep static ports on.

Anyway I'm glad everything worked out OK for you! ;D

It sounds like the packets are not being properly sent to the XBox Live server (as it doesn't respond); since the problem doesn't appear to be the destination port, there must be some kind of interruption between the jump from LAN to WAN.  Does that logic sound right to you?

I suppose it doesn't matter now but…
I think what was happening is that the Xbox Live server was responding to requests by Xbox 2, only the packets were being directed to Xbox 1 since it was assigned port 3074 by uPnP/pfsense.

Solved

Steps:

1. NAT >>AON  manually created  entries for all networks. ie  WAN 192.168.X.X /24 source   Static Port (Unchecked)   
2. The entry for Xbox I selected  static port. The other entries were left unchecked
3.  Nat >> Port Forward the standard set
     A. WAN UDP External Port 88     NAT IP (192.168.X.X)  Local Port  88
     B. Wan TCP/UDp External Port 3074    NAT IP (192.168.X.X) Local Port 3074
4. UPnP is off

Results:

XboxLive connection went from Strict to Open.

@n1ko:

I have nintendo wii and mario kart and it worked out-of-the-box. No firewall rules has been made and everything works. Updates,virtual console, mario kart channel etc etc.

hi!

which version do you use?

i'm using 1.2 - Release.
my Wii can connect to the Inet, but i can't play online with Mario Kart. i see my friends, but when i will connect to their channel, it doesn't work.no error message or sth. when i connect to the WFC und will play, i see the message "searching for players" but nothing more for 10 minutes.

greets tpf

I dont think it's enough to just block the ports BitTorrent uses, because almost every client randomizes it's ports.

Why dont ou try to configure the traffic-shaper?
Since you only want to avoid that everything gets slowed down when something torrents, and not block it alltogether this might be the solution.

Also i think it wont be enough just to allow the ports 3074 and 88 for Xbox live.
After the first client connected these ports are used and the next client will use different ports.

Maybe you could google/tcpdump and look what the second/third client uses.

Ahh ok, i wasen't aware that the rules are catched in that way.

thank you

bi-nat? iv got my traffic shaper switched off because it makes ventrilo lag, but i still have the problem with starcraft

update
i stopped the lag with the static NAT option but i still cant create games.

As far as I know it, UPnP won't do the static port on outbound connections so you still have to set up that on AoN page.

Holy crap, i got it!!! finally.
When i realized the IRC port was the problem, i also realized that i had imspector proxying IRC.
I disabled just the IRC portion for imspector, restarted the service, and viola.
It now works just fine, even after i turned off advanced outbound nat and all port forwards.

So, lesson learned. CNC3 uses frickin IRC. wireshark is my best friend.

No one has replied to this thread, but i figured i would post the solution just in case anyone else has the same problem.

Found the problem, Xbox Live is down today as they roll out the new updated dashboard etc

Status:

As we gear up to bring you the New Xbox Experience, Xbox LIVE and the Xbox LIVE page on Xbox.com will be down for 24 hours, beginning on September 29, 2008 from 12:01 AM PST until 11:59 PM PST. During this time you will not be able to access Xbox LIVE.

i play counter-strike and TF2 without any port forwards or anything without ANY problems whatsoever, im just having trouble hosting a server.

no they CAN connect thru my public IP… for some reason my server on my LAN shows up as offline when i look up the public ip to ME, but when anyone tries to connect to it who is not on my LAN, they can see adn connect just fine.  if i try connecting via my public WAN ip, it doesn't go, but if anyone else does, it does. people who are and are not on campus with me.

I had the same problems in the past yer , but i resolve with a new configuration system.
I change the network cards in to a gigabyte "intel" 1000 full duplex and the ram "512 ddr333 to 1024 ddr 400
I have better connection and lag then i play alone with single pc without any firewall

ex : ping 5-10 metro loss=0  choke=0 "  ping 20-30 europe loss=1-3  choke=max5'  ping 30-50 usa loss= 2-8
choke= max 20

ps: u have to change this