For just a single player with online gaming, and not much other traffic from your LAN at the same time, the SMC gateway that Comcast ships with their business installs is actually quite a powerful little gateway. The advantages of pfSense with its QoS will not come into play. There are certain setups to set up your own router behind the SMC so your own router gets the next static IP in your block, effectively bypassing the router/NAT features of the SMC, and if you use pfSense and you have quite a bit of other LAN traffic, the QoS/traffic shaping abilities that pfSense has will help out your online gaming quite a bit.
Since you have 1:1 mappings, you try to access the external public IP from the inside.
Meaning a request comes from the LAN, goes to the WAN and should go back into the LAN.
This is not possible. (Due to the way NAT works).
Also 1:1 NAT does not work with NAT reflection.
Why do you use 1:1 NAT?
Is UPnP not working for you to forward the ports dynamically?
If you could use dynamically created normal NAT mappings, you could try to enable NAT reflection.
Can you post screenshots of your firewall, NAT, AON rules?
From where do you connect?
How is your network set up? (ASCII art?)
If someone connects from the external side, what is the error they get?
Any entries in the firewall log?
Any entries in the server log?
What does a TCP dump on the WAN show?
I had to track this down when getting PvPGN to work with external SC players for my LAN. The problem is that Starcraft encapsulates its source TCP/IP port within the data itself, so simple port forwarding often fails.
Well, what you have to do is:
1. Alter the PCs in question to use different source ports from the default. This is a registry edit on Windows, and a ResEdit on Mac.
a. use regedit to edit/create:
HKLM\Software\Battle.net\Configuration REG_DWORD "Game Data Port"
(choose a unique, so far unused port for each client; the value should be in hex)
2. Then on your router, forward each of those ports to the correct client computer.
3. Enable Manual Outbound NAT, and set up each port you chose as an outbound source port (so that it isn't translated to another port number on the WAN side; this is what borks up Bnet a lot, since SC encodes the port number within the data, etc.).
One of my entries looks like:
WAN 192.168.0.0/24 6113 * * * * YES
I recently made some headway on this issue. It appears that the uPnP port mappings are getting FUBAR'd (by other Xbox 360s on the network). I disabled static ports and it seems to solve the connection issue. However now I will occasionally get warnings about not having OPEN NAT on some Xbox 360s, but it's not such a big deal.
Anyway, to investigate the problem I first upgraded to 1.2.3 RC1. Then I did some packet captures targeting the consoles that were unable to connect. The packets appear to be sent by the Xbox 360 to Xbox Live (XBL) but a reply is never received. All the while the other Xbox 360s are connected and playing fine. This leads me to believe it's a port forwarding issue. I think the replies were being sent to the wrong IP, but there's no way I can see to distinguish that reply from all the other traffic in the packet capture, since whoever the reply is being sent to is also receiving its own packets from XBL. Once I turned off static ports, they have all been signing on OK, not to mention sign-on time is faster and no disconnects have occurred that I know of since then. Everyone is playing online and they're very happy… and if they're happy, I'm happy.
I checked and the uPnP port mappings are still being made, even without static ports. I'm sure uPnP wasn't developed with this in mind but I'm going to keep trying!
People can't connect. They can't even find the server in the Steam server list.
Only local computers can join it.
This sounds like a misconfiguration of the server.
Did you actually set it up to register on the master list?
If you could post the output of the server log here, someone (me?) might be able to help you.
Although this is more a question for one of the countless Half Life 2 modding scene forums and less for the pfSense forum.
(Also it would help if you answer my previous questions)
Did you enable static ports (as in the sticky above)?
Does the server show a client connecting in the log?
If you connect with a client what error do you get?
Does tcpdump show any packets destined for the server?
Does your server log show anything like this:
Adding master server 188.8.131.52:27011
Adding master server 184.108.40.206:27011
Connection to Steam servers successful.
VAC secure mode is activated.
Did you actually forward all the ports the srcds requires?
UDP 27000 to 27015 inclusive
TCP 27030 to 27039 inclusive
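The checklist above boils down to "is every port srcds needs actually forwarded, and to exactly one host?" The following is an added example (not from the post, and not pfSense code) that takes the two ranges the post lists, UDP 27000-27015 and TCP 27030-27039, and checks a set of port-forward rules against them. The one-line rule notation and the sample rules are constructed for this example; the 192.168.1.x addresses are placeholders.

```python
"""Check a set of port-forward rules against the ports the post above lists
for a Source dedicated server (srcds): UDP 27000-27015 and TCP 27030-27039.
Added example, not from the post; the one-line rule notation is constructed."""
from collections import defaultdict

# Port ranges as listed in the post above: (protocol, first, last), inclusive.
SRCDS_REQUIRED = [
    ("udp", 27000, 27015),
    ("tcp", 27030, 27039),
]


def parse_forward(line):
    """Parse 'PROTO ext_lo[-ext_hi] -> lan_ip:local_port' into a dict.
    Constructed notation for this example, not pfSense's own export format."""
    try:
        proto, ext, arrow, target = line.split()
        if arrow != "->":
            raise ValueError
        lo, _, hi = ext.partition("-")
        lan_ip, _, local = target.partition(":")
        rule = {"proto": proto.lower(), "lo": int(lo), "hi": int(hi or lo),
                "target": lan_ip, "local": int(local)}
    except ValueError:
        raise ValueError(f"cannot parse port forward: {line!r}") from None
    if rule["lo"] > rule["hi"]:
        raise ValueError(f"inverted range in {line!r}")
    return rule


def expand(ranges):
    """(proto, lo, hi) ranges -> set of individual (proto, port) pairs."""
    return {(proto.lower(), p) for proto, lo, hi in ranges for p in range(lo, hi + 1)}


def missing_ports(required, forwards):
    """Required (proto, port) pairs that no forward covers, sorted."""
    covered = expand((r["proto"], r["lo"], r["hi"]) for r in forwards)
    return sorted(expand(required) - covered)


def conflicting_ports(forwards):
    """(proto, port) pairs that two rules send to different LAN hosts: only
    one rule can match first, so the other host silently gets nothing."""
    targets = defaultdict(set)
    for r in forwards:
        for key in expand([(r["proto"], r["lo"], r["hi"])]):
            targets[key].add(r["target"])
    return sorted(k for k, hosts in targets.items() if len(hosts) > 1)


# Constructed sample rules: the classic "I only forwarded 27015" mistake,
# plus a second host fighting over the same port.
SAMPLE_FORWARDS = [parse_forward(line) for line in (
    "UDP 27015 -> 192.168.1.50:27015",
    "TCP 27030-27039 -> 192.168.1.50:27030",
    "UDP 27005 -> 192.168.1.60:27005",
    "UDP 27015 -> 192.168.1.60:27015",
)]

if __name__ == "__main__":
    for proto, port in missing_ports(SRCDS_REQUIRED, SAMPLE_FORWARDS):
        print(f"not forwarded: {proto} {port}")
    for proto, port in conflicting_ports(SAMPLE_FORWARDS):
        print(f"two hosts claim: {proto} {port}")
```

Run against the sample rules it reports fourteen UDP ports that are not forwarded and one port (UDP 27015) that two rules send to different hosts; the conflict check is the one worth keeping around, because pf matches the first rule and the second host never sees a single packet or a log entry.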
I whited out the private IP addresses. "They" say it's bad practice to post your network addresses; although hiding private addresses is being very paranoid, I do as others better educated than I tell me.
I wrote rules to allow UPnP only on my gaming console IPs so that other devices on that interface can't use UPnP. You could set up one rule for your entire subnet if you like, but that wasn't what I wanted.
I wrote rules to use static ports on the XBOX, PS3, Wii, and BluRay, which are all on my DMZ interface, so those look duplicated, but each IP is different. The rest of the DMZ network has a rule to not use static ports, as do the LAN and OVPN.
I pasted those numbers on the pics in this post, so you normally wouldn't see a space between the IP addresses and the mask, for example 10.99.99.0/28, 10.99.99.2/32, etc.
Well, I should clarify that I have a static mapping set in the DHCP server. It was my understanding from the other guides that you need to do that to set an outbound static mapping. However, I did make it outside the DHCP pool (so for example I use 10.10.10.0/24 and allow .5 - .240 for the actual pool). If that isn't correct, I can change it easily; however, it does work for my Xbox 360.
I have hit clear to try and restart to see if that helps, but it doesn't. Any thoughts?
Are you really certain that the server was actually running on 27017?
I think I remember something that if you miswrite something in the config file, the server just starts with the default value (which would be 27015 in this case).
The main reason I would like to do this is, as I said, old games that do not support IP.
Most new LAN-based games will not let you play as a LAN setup if your IP address is on a different range than the server.
Most old LAN-based games do not even have support for IP,
and in my experience most VPNs do not allow all Ethernet traffic.
To give you an example other than gaming:
with a VPN, if you connect to a network with a shared drive in Windows, the VPN client cannot see which computer has the shared drive under the network list, because that data is not passed.
Here is the router Package i used
I wonder if that could that have something to do with the Static Ports option in the NAT?
You should probably keep static ports on.
Anyway I'm glad everything worked out OK for you! ;D
It sounds like the packets are not being properly sent to the XBox Live server (as it doesn't respond); since the problem doesn't appear to be the destination port, there must be some kind of interruption between the jump from LAN to WAN. Does that logic sound right to you?
I suppose it doesn't matter now but…
I think what was happening is that the Xbox Live server was responding to requests by Xbox 2, only the packets were being directed to Xbox 1 since it was assigned port 3074 by uPnP/pfsense.
1. NAT >> AON: manually created entries for all networks, i.e. WAN 192.168.X.X/24 source, Static Port (unchecked)
2. For the Xbox entry I selected Static Port. The other entries were left unchecked.
3. NAT >> Port Forward: the standard set
A. WAN UDP External Port 88 NAT IP (192.168.X.X) Local Port 88
B. WAN TCP/UDP External Port 3074 NAT IP (192.168.X.X) Local Port 3074
4. UPnP is off
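The two static-port stories in this thread (the Starcraft post, where the game writes its own port into the payload, and the Xbox post above, where two consoles both using source port 3074 fought over one port forward) come down to the same mechanism in outbound NAT. The following is an added example, not code from any post here and not pfSense's own code: a toy model of pf-style outbound NAT with per-host "static port", a state table, and port forwards. It ignores protocol, timeouts and pf's real port-allocation rules; the addresses are RFC 5737 documentation ranges and the hosts are constructed.

```python
"""Toy model of pf-style outbound NAT with per-host 'static port', plus port
forwards. Added example; it is not pfSense code and ignores protocol, timeouts
and pf's real port-allocation rules. Addresses are RFC 5737 documentation ranges."""
from itertools import count


class Nat:
    def __init__(self, wan_ip, static_port_hosts=(), first_port=50000):
        self.wan_ip = wan_ip
        self.static_hosts = set(static_port_hosts)  # hosts with 'static port' checked
        self.out_states = {}   # (lan_ip, lan_port, dst_ip, dst_port) -> wan_port
        self.in_states = {}    # (wan_port, dst_ip, dst_port) -> (lan_ip, lan_port)
        self.forwards = {}     # wan_port -> (lan_ip, lan_port)   (NAT > Port Forward)
        self.free_ports = count(first_port)

    def forward(self, wan_port, lan_ip, lan_port):
        self.forwards[wan_port] = (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """Translate a LAN-originated flow. Returns the WAN source port, or None
        when the WAN-side tuple is already owned by another LAN host."""
        key = (lan_ip, lan_port, dst_ip, dst_port)
        if key in self.out_states:
            return self.out_states[key]
        wan_port = lan_port if lan_ip in self.static_hosts else next(self.free_ports)
        wan_key = (wan_port, dst_ip, dst_port)
        if self.in_states.get(wan_key, (lan_ip, lan_port)) != (lan_ip, lan_port):
            return None  # collision: two static-port hosts, same source port, same peer
        self.out_states[key] = wan_port
        self.in_states[wan_key] = (lan_ip, lan_port)
        return wan_port

    def inbound(self, src_ip, src_port, wan_port):
        """Deliver a packet arriving at wan_ip:wan_port. A matching state wins,
        then a port forward, otherwise the packet is dropped (None)."""
        state = self.in_states.get((wan_port, src_ip, src_port))
        return state if state else self.forwards.get(wan_port)


WAN = "203.0.113.10"
XBL = ("198.51.100.9", 3074)     # constructed stand-in for an Xbox Live host
PEER = ("198.51.100.77", 3074)   # constructed stand-in for another player's console
XBOX1, XBOX2 = "192.168.0.20", "192.168.0.21"


def battlenet_check(static_port):
    """Battle.net-style client that puts its own port (6112) in the payload:
    peers use the port from the payload, so it only works when that port is
    the one the WAN actually shows. Returns (wan_port, ports_match)."""
    nat = Nat(WAN, {"192.168.0.10"} if static_port else ())
    advertised = 6112
    wan_port = nat.outbound("192.168.0.10", advertised, "198.51.100.5", 6112)
    return wan_port, wan_port == advertised


def two_xboxes(static_hosts):
    """Two consoles, both using source port 3074, with the post's single port
    forward (3074 -> Xbox 1). For each one: the WAN port it got, where Xbox
    Live's reply lands, and where an unsolicited peer's packet lands (a peer
    reaching the console is what 'Open NAT' needs)."""
    nat = Nat(WAN, static_hosts)
    nat.forward(3074, XBOX1, 3074)
    result = {}
    for name, ip in (("xbox1", XBOX1), ("xbox2", XBOX2)):
        wan_port = nat.outbound(ip, 3074, *XBL)
        reply = nat.inbound(*XBL, wan_port) if wan_port is not None else None
        peer = nat.inbound(*PEER, wan_port) if wan_port is not None else None
        result[name] = {"wan_port": wan_port, "reply_to": reply, "peer_to": peer}
    return result


if __name__ == "__main__":
    print("static port on both consoles:", two_xboxes({XBOX1, XBOX2}))
    print("static port on Xbox 1 only:  ", two_xboxes({XBOX1}))
    print("Bnet without/with static port:", battlenet_check(False), battlenet_check(True))
```

With static port on both consoles the second one cannot even create a state (its WAN tuple is already taken) and everything arriving on 3074 goes to the console that owns the forward, which is the symptom the earlier post described from its packet captures. With static port on one console only, the other gets a translated port, its own replies come back fine, but an unsolicited peer cannot reach it, which is the "not Open NAT" warning rather than a sign-in failure.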
I have a Nintendo Wii and Mario Kart and it worked out of the box. No firewall rules have been made and everything works: updates, Virtual Console, Mario Kart channel, etc.
which version do you use?
I'm using 1.2 - Release.
My Wii can connect to the Internet, but I can't play online with Mario Kart. I see my friends, but when I try to connect to their channel, it doesn't work. No error message or anything. When I connect to the WFC and try to play, I see the message "searching for players" but nothing more for 10 minutes.
Holy crap, I got it!!! Finally.
When I realized the IRC port was the problem, I also realized that I had IMSpector proxying IRC.
I disabled just the IRC portion of IMSpector, restarted the service, and voilà.
It now works just fine, even after I turned off advanced outbound NAT and all port forwards.
So, lesson learned: CNC3 uses frickin' IRC. Wireshark is my best friend.
No one has replied to this thread, but I figured I would post the solution just in case anyone else has the same problem.
Found the problem, Xbox Live is down today as they roll out the new updated dashboard etc
As we gear up to bring you the New Xbox Experience, Xbox LIVE and the Xbox LIVE page on Xbox.com will be down for 24 hours, beginning on September 29, 2008 from 12:01 AM PST until 11:59 PM PST. During this time you will not be able to access Xbox LIVE.
No, they CAN connect through my public IP… for some reason my server on my LAN shows up as offline when I look up the public IP myself, but when anyone tries to connect to it who is not on my LAN, they can see and connect just fine. If I try connecting via my public WAN IP, it doesn't go, but if anyone else does, it does; people who are and are not on campus with me.
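The symptom in the post above (outsiders reach the server through the public IP, the LAN cannot) is the hairpin case that the earlier reply in this thread pointed at NAT reflection for. The following is an added example, not from any post here and not pfSense code: a simplified model of how a pf-style port forward (rdr) bound to the WAN interface treats a connection depending on the interface it arrives on, with and without reflection. It models pfSense's "pure NAT" reflection mode and its "automatic outbound NAT for reflection" option, as this editor understands them; the addresses are RFC 5737 documentation ranges and the hosts are constructed.

```python
"""Why a server that outsiders reach fine cannot be reached from its own LAN
through the public IP, and what NAT reflection changes. Added example: a
simplified model of pf-style rdr (port forward) and outbound NAT decisions,
not pfSense code. Addresses are RFC 5737 documentation ranges; hosts are
constructed."""

WAN_IP, LAN_IP = "203.0.113.10", "192.168.1.1"   # the firewall's own addresses
LAN_NET = "192.168.1."
SERVER, CLIENT = "192.168.1.50", "192.168.1.20"  # constructed LAN hosts
OUTSIDER = "198.51.100.5"                        # constructed Internet host
PORT = 27015

# The single port forward as entered in NAT > Port Forward: WAN interface only.
RDR = {"iface": "WAN", "dst": WAN_IP, "port": PORT, "to": SERVER}


def trace(src, dst, port, reflection=False, reflect_outbound_nat=False):
    """Follow one connection attempt and return (works, steps)."""
    steps = []
    iface_in = "LAN" if src.startswith(LAN_NET) else "WAN"
    steps.append(f"{src} -> {dst}:{port} arrives on {iface_in}")

    if dst != WAN_IP:
        steps.append("destination is not the firewall: forwarded as-is")
        return True, steps

    # Does the rdr rule apply on the interface the packet came in on?
    rdr_ifaces = {RDR["iface"]} | ({"LAN"} if reflection else set())
    if iface_in not in rdr_ifaces or port != RDR["port"]:
        steps.append("no rdr matches on this interface: the packet is for the "
                     "firewall itself, which is not running the game server")
        return False, steps

    steps.append(f"rdr rewrites destination to {RDR['to']}:{port}")
    if iface_in == "WAN":
        steps.append(f"{SERVER}'s reply routes back via the firewall, which "
                     f"restores the {WAN_IP} source and the state matches")
        return True, steps

    # Hairpin case: client and server share a subnet.
    if reflect_outbound_nat:
        steps.append(f"outbound NAT on LAN rewrites source to {LAN_IP}, so "
                     f"{SERVER} answers the firewall and the reply is un-NATed")
        return True, steps
    steps.append(f"{SERVER} answers {src} directly from {SERVER}, but {src} "
                 f"expects a reply from {WAN_IP}: asymmetric, connection fails")
    return False, steps


if __name__ == "__main__":
    for args in ((OUTSIDER, WAN_IP, PORT),
                 (CLIENT, WAN_IP, PORT),
                 (CLIENT, WAN_IP, PORT, True),
                 (CLIENT, WAN_IP, PORT, True, True),
                 (CLIENT, SERVER, PORT)):
        works, steps = trace(*args)
        print("OK  " if works else "FAIL", " | ".join(steps))
```

The cheapest fix is still the one the model's last case shows: from inside the LAN, connect to the server's LAN address (or put a DNS override for the server name in the resolver) instead of hairpinning through the public IP. A tcpdump on the LAN interface tells the two failure cases apart: with no reflection the SYN goes to the firewall and nothing comes back; with reflection but no outbound NAT you see the server's SYN-ACK leave from its own LAN address, which the client will not accept.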
I had the same problems in the past year, but I resolved them with a new configuration.
I changed the network cards to a gigabit "Intel" 1000 full duplex and the RAM from 512 DDR333 to 1024 DDR400.
I have a better connection and lag than when I play alone with a single PC without any firewall.
e.g.: ping 5-10 metro, loss=0, choke=0; ping 20-30 Europe, loss=1-3, choke=max 5; ping 30-50 USA, loss=2-8, choke=max 20