@johnpoz

@johnpoz said in UPNP Issues:

why are you not on p2 would be my first question.

Turns out I am... My bad.. I keep my pfsense's updated pretty religiously, I forgot about the last update.

Is the video linked by brians showing the right way to open NAT?

i know this is old... but...

@autotalon

i would love to see this screenshot you are talking about :D

So my current workaround is to have a static port mapping set for the consoles, but have a specific non-static port mapping set for 3074 for the GamingConsoles Alias. Now I wanted to try and setup a static port mapping preference for at least one of the consoles, but as the previous post show's UPNP attempts to make a static port mapping for the first console. So I imagine in this scenerio if the singled out console, setup with static port mapping were to open the port after any of the other consoles it would have that unable to connect issue mentioned in the parent post.

Again this is also going under the assumption that PS4's and Black Ops 4 require 3074 as the internal port.

0_1542125186333_AnswerSortOf.JPG

Tried the following on both interfaces
tcpdump -nnvvXS -i eth0 port 7777 or 7778 or 27015 -c 1500

Where is your pfSense in relation to this TPLink router? Before it? After it?

Ok

Thank you for your help and time.
I will set up a test station an talk with our it facility.

Kind regards
Justmilas

@fern88 said in Connections to game servers help:

I was wondering if there is a way and where to create firewall rules to allow incoming and outgoing traffic to and from game servers.

Traffic from your console is already allowed out and reply traffic is allowed in, assuming you added a default allow all to any rule like LAN has. Unsolicited inbound traffic must be allowed via a NAT - port forward. YOu would only need to worry about this if you were hosting a game server on your LAN and wanted external players to be able to connect to your game server.

My goal is to create better performance directly to the game servers to attempt better connectivity.

If it's working, it's working. You won't get it any better except streamlining your QoS.

For instance the recommended ports from the game and console websites have all been added to outbound nat rules. But I noticed through ntopng that I connect using different ports to the game's servers and thought instead of adding each individual port i could generally just add rules to allow all connections from the actual game servers to and from my wan and opt1(ps4).

Source ports and dest ports are two different things entirely. When a game server says 'talk to me on port 3456", that doesn't mean that both client and server use 3456. The client (your PS4) chooses a random port >1024 <65535 and talks to 3456 on the server. I suspect you're creating unnecessary NAT rules and you're trying to fix an issue that doesn't really exist.

Glad to hear you got it working.

I found my problem as well. Turns out the forum doesn't seem to like gif's for an image format so I changed them to png's and now I can see them. Even though you fixed your issue, I went ahead and fixed the screenshots so that they might help someone else.

??? All Internet services rely on IP only per se (with exceptions). DNS is a convenience for us humans. Anyway if NAT reflection works for you then good.

Resolved the issue by enabling the tick box "Enable automatic outbound NAT for Reflection" in System > Advanced > Firewall & NAT. It even says in the description that this needs to be enabled for NAT Refection to work properly, just wish it had prompted me to enable it when i set Pure NAT mode in the rules i setup.

I think you are trying to do too many things at once. I'd break it down and try to figure out a thing at a time and get it working.

If you remove the VPN from the picture, are you able to get the XBox to open? NordVPN does not forward ports so you'll never get an open NAT using them. There are a few providers from my searching that do support port forwarding. I personally use TorGuard as they support port forwarding and seemed a fair price point.

To get a single IP to go through the VPN, I made an alias for my traffic group and set a rule so it goes through my VPN gateway.

0_1534595846071_8c4ea14a-5ca8-4970-a491-fbefd01f71c7-image.png

Here is an example of what my rules look like.

Vlan ;)

Your going to have a hard time behind a double nat maintaining static ports..

Napt by its nature changes the source port when you make an outbound connection. This can be overcome with with setting static port in your oubound nat on pfsense. But your router in front of pfsense would also have to maintain this static port..

Many services in these console games (for some unknown reason like to see static ports) ie connection coming from specific port.. So lets for example say you create an connection to publicIP:80 from privateIP:2000

Normally with nat (napt) you have this

privateIP:2000 ---> publicIP:80 (pfsense) YourPublicIP:RandomPort ----> publicIP:80

To get some of these applications/games to work you have to setup outbound nat to be static so you get this.

privateIP:2000 ---> publicIP:80 (pfsense) YourPublicIP:2000---> publicIP:80

If you put a nat device in front you normally get this.

privateIP:2000 ---> publicIP:80 (pfsense) otherprivateIP:RandomPort ----> publicIP:80 (nat router) YourpublicIP:SomeOtherRandomPort ----> publicIP:80

What you mignt need to happen is this.

privateIP:2000 ---> publicIP:80 (pfsense) otherprivateIP:2000 ----> publicIP:80 (nat router) YourpublicIP:2000 ----> publicIP:80

This is just an example of problem you can have with double nat and such services that for whatever reason want to see some specific sourceport.

So is pfsense the only thing doing nat? What is your outbound mapping look like?

Each Xbox have a different hostname.

What I did was to create an alias for each game/game service, with all their port numbers, for the firewall, then created a rule using each, to keep things tidy and easy to change per service if they change ports.  I tested with that only, no snort or squid or anything else.  Once all was working correctly, I then added squid and squidguard.  Once that was tuned, I added snort and tuned that up.  If I had put all three in there at once I would never have been able to figure out just what was doing what if something wasn't working.  So I would disable Suricata or set the default allow-all out the firewall lan interface, and test.  If it works, at least you have narrowed it down to what you had disabled, firewall rules or Suricata.

Hello,

Try to separate your alias xboxgroup (do a alias for each one).
Disable your rule prioritizing.
Create ACL for UPnP

It's works for me with 2 Xbox One, except for Warframe game.
Test with this configuration (copy/paste from an other post)

I have manies issues with Warframe on 2 Xbox on the same ISP (only 1 public IP address).
In Warframe, I can't invite a friend to join me.
At the best, only 1 Xbox can see the other player, launch a invit but an error message tell "The player is offline).

All the network test on Xbox is OK : (Internet, Multiplayer and NAT Open)
I try with other game (Rocket League and Warhammer Vermintide) without problem.

I use PFsense 2.4.3-RELEASE (amd64)

Firewall / NAT / Outbound

Mode : Manual Outbound NAT

Interface : WAN
Source : Xbox1 (alias for 192.168.0.16)
Port Source : any
Destination : any
Port Destination : anay
NAT Address : WAN
NAT Port : any
Static Port : YES

Interface : WAN
Source : Xbox2 (alias for 192.168.0.17)
Port Source : any
Destination : any
Port Destination : anay
NAT Address : WAN
NAT Port : any
Static Port : YES

Services / UPnP & NAT-PMP

Enable UPnP & NAT-PMP

Allow UPnP Port Mapping

Allow NAT-PMP Port Mapping

External Interface : WAN

Interface : LAN + loopback

ACL Entries : allow 1-65535 192.168.0.16 1-65535

ACL Entries : allow 1-65535 192.168.0.17 1-65535

System / Advanced / Firewall & NAT NAT Reflection mode for port forwards : Pure NAT Enable NAT Reflection for 1:1 NAT Enable automatic outbound NAT for Reflection Firewall / NAT / Port Forward

Nothing, because I activate UPnP

Actually, I must use the bad ISP-box only for Warframe ;-)

Regards,

Aym