Netgate Discussion Forum
    New COD MWII Blocked By pfSense

      EmJeezy @johnpoz

      @johnpoz

      Ok, my pfsense is resolving it successfully. My fault for having that '.' in there on the domain ->

      71e15e2f-ed4b-4fa2-a78e-5728d1aadcf0-image.png

        EmJeezy

        So check this out. Hit the firewall log to check for blocks (status>system logs>firewall). First cleared the firewall so I could start with a fresh empty log. Fired up COD and started banging at the 'retry' connection/login button ->

        eb874b3b-6c68-4de6-8d39-00edb13c4e2c-image.png

        Refreshed firewall log. Right away I can see some unexpected related blocks on 3075 ->

        0ad90603-9cd9-4ce5-9600-ac57856bc6d8-image.png

        Despite 3075 being open on my firewall, NAT and firewall rule (both udp and tcp) ->

        33f0dfa5-0bcc-4c4f-9f18-92cd97f3774b-image.png

        Albeit 3075 is not a listed port Activision mentioned to open; however, if you look at the connection baseline I took while successfully connected to COD over my hotspot, you'll notice an IP that, if I'm not mistaken, lives in the same subnet as the COD IP shown in my successful connection. That 185 address should be a COD IP is what I'm saying. This is everything COD was connected to when the connection was successful ->

        d10edcce-2918-440c-b454-c45445a46b79-image.png

        This makes me feel like something still may be blocking on the firewall side..

          EmJeezy

          Also does it strike anyone else as odd, looking at the successful connection baseline, the connected ports are none of what activision has advised to open for COD...

            johnpoz LAYER 8 Global Moderator @EmJeezy

            @emjeezy again, going to say this.. You have zero need of a port forward for this to work.

            You understand most of the planet does not allow unsolicited inbound traffic. You have any idea how many people are on cgnat, and or UPnP isn't on... You think billy at 13 years old, mom will let him adjust the internet router they got from the isp to allow for port forwarding?

            You say it works on your vpn - there is no way that is allowing inbound traffic...

            What you're showing in your firewall log is the source port btw, not the destination port. The source port is meaningless with your port forward.

            So let's start again - after you remove all your port forwards.. With a full sniff showing the complete connection attempts and actual answers to your dns queries from the client..

            Also why do you have 8.8.8.8 and quad9 as dns.. Out of the box pfsense resolves, it doesn't forward.. Why do you have those setup as dns? So you're forwarding?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

              EmJeezy @johnpoz

              @johnpoz

              presuming this is indeed a DNS related problem, statically assigning a DNS to the client computer should eliminate the firewall from the 'dns equation' straight away and solve the problem at least temporarily right?

              Will try another pcap..

                EmJeezy @johnpoz

                @johnpoz said in New COD MWII Blocked By pfSense:

                Also why do you have 8.8.8.8 and quad9 as dns.. Out of the box pfsense resolves, it doesn't forward.. Why do you have those setup as dns? So your forwarding?

                Those are simply my preferred upstream dns servers. I am not doing dns query forwarding.

                  johnpoz LAYER 8 Global Moderator @EmJeezy

                  @emjeezy said in New COD MWII Blocked By pfSense:

                  am not doing dns query forwarding.

                  Then what is the point of setting them.. Any client asking pfsense for dns isn't going to use them.

                  Sure if you set your client to use say 8.8.8.8 that would eliminate any issues with pfsense dns, but still need to see a sniff and the dns queries and their answers, and then connection attempts to those. In your other sniff we saw a query for something that clearly from its name was some sort of login server, with no answer. And no other attempts etc. to something that was failing, etc.

                  I would make sure you do this test with min other traffic, for example your rdp traffic.. You can not exclude such stuff in the gui, but you can with just using tcpdump on pfsense to do the capture.

                  Here is the thing, pfsense doesn't block anything unless you set it up to do that.. There is no freaking way any sort of unsolicited inbound traffic is needed to "login". If there was - it sure wouldn't work via a vpn that is for sure.

                  For all we know the server is sending you a RST, maybe he doesn't like your IP? Or maybe he just isn't answering - if that was the case we would see a SYN go out, but no SYN, ACK - and then a bunch of attempts at retrans, etc. Or maybe you're just not getting any answer at all because your isp has a peering problem getting to that IP, etc.

                  You can not even test if you can get there, because that IP I get back for that login fqdn isn't answering pings.

                    EmJeezy @johnpoz

                    @johnpoz We know that my pfsense dns is resolving successfully and that COD works fine behind the pfsense firewall over a vpn and also works fine over a hot spot, all from the same computer. Humm..yah the more this adds up, it is feeling like issue is on the ISP end..

                      EmJeezy

                      Thought of a good game plan while driving, that may just skip us over the complexities of a pcap and that is the good ol ‘process of elimination’. I plan to bypass my pfsense firewall and hardline directly to my bridge mode isp modem. From there, I will test COD. If it works then I plan to backup my pfsense config and then factory reset it, throw a generic config on there, plug my pc back into pfsense and test again…

                      I’ll keep you posted.

                        johnpoz LAYER 8 Global Moderator @EmJeezy

                        @emjeezy said in New COD MWII Blocked By pfSense:

                        I plan to bypass my pfsense firewall and hardline directly to my bridge mode isp modem.

                        While that is a plan, it doesn't always work out - the one thing that people forget is that your IP will change. So while it is a good plan.. Just because it works with IP X, doesn't mean that the ISP or the peering doesn't have a problem when you have IP Y..

                        So unless you're going to make sure you use the same mac, and get the same IP when you change devices - it's "still" possible to be upstream issue, or the destination blocking your specific IP.

                        But I agree it's a good test.. Anything that provides more info leads us to what the actual root cause is.

                          EmJeezy @johnpoz

                          @johnpoz right I hear you. It would be just for test purpose, basically to see if COD connects if I go straight through the isp equipment. Unfortunately that test got cut short because I plugged direct to isp modem and I get a 169..grrr.. don’t know why. Must have set the isp modem/router to bridge mode at some point, I factory reset it and still giving me a 169.

                          Usually I don’t even use the isp router/modem, rather, in my current config I literally just have the frontier moca Ethernet adapter plugged straight into my firewall (no isp router/modem) and this supplied my firewall with my public ip on my wan interface.

                          Next test though, I have a spare sg1100 laying around that I forgot about, gonna default the config on it, hook her up and test that out…

                            rcoleman-netgate Netgate @EmJeezy

                            @emjeezy reboot the cable modem. It's MAC-locked to the 1100. When you're done you will need to do it again to get the 1100 back online

                            Ryan
                            Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                            Requesting firmware for your Netgate device? https://go.netgate.com
                            Switching: Mikrotik, Netgear, Extreme
                            Wireless: Aruba, Ubiquiti

                              EmJeezy @rcoleman-netgate

                              @rcoleman-netgate

                              Well shucks, now my chances of my ip changing really just went up since I don't pay for static ip. Was trying to avoid that lol. Fair enough...will give it a go. Want to get to the bottom of this. Sure appreciate @johnpoz and @rcoleman-netgate tips and assistance.

                                rcoleman-netgate Netgate @EmJeezy

                                @emjeezy Configure and enable Dynamic DNS. https://docs.netgate.com/pfsense/en/latest/services/dyndns/check-services.html

                                  EmJeezy @rcoleman-netgate

                                  @rcoleman-netgate welp, when you said it's MAC-locked, you said a mouthful. I cannot get this ISP modem/router to budge. I finally got it to give me a valid internal IP but then it can't DNS/has no route...

                                  Soon as I pop back in my pfsense and connect to the ISP MoCA ethernet adapter, internet comes right back up. It's like it's stuck to my pfsense firewall/router which is a good thing and I'm becoming hesitant to keep fluxing with it from this perspective because then I'm gonna end up locked back to the ISP equipment and not be able to plug up my pfsense..

                                  I am working on swapping my firewall out for one with a default config..we'll see how that plays..

                                    EmJeezy

                                    Alright, so here I am behind my defaulted config firewall. Literally just defaulted the config and next through the initial setup. Very vanilla, default config and still cannot log into COD. New error though ->

                                    54e6230e-6a16-4132-8592-45642ed5e713-image.png

                                      EmJeezy

                                      Note - still works fine over my PIA vpn though..

                                        EmJeezy

                                        Has to be something on my ISP and or Activision side right? They don't like me or my isp or my ip I suppose...

                                          EmJeezy

                                          05860174-fcb5-4659-8f69-4e5cb8c58ab3-image.png

                                          Detrick Lester? Travis Rilea? Yeah..presuming these are probably just COD dev names and mean nothing aside from indicating a general connection failure error.

                                          Well, I do have my PIA vpn, which is fast and a useable workaround to game with COD but still...such a unique issue makes me curious. All the evidence so far points to an upstream issue and the options I think are to further explore some pcaps and or follow up with my ISP (Frontier), perhaps partner with Activision...

                                          sigh...

                                            EmJeezy

                                            Hi guys, so I think I nailed this down. Revisited my successful connection baseline - This connection baseline shows everything connected to COD from my machine while successfully logged into the new COD MWII using my VPN and this IP stood out to me ->

                                            a8840e3b-e58f-4914-887f-01e85269089a-image.png

                                            Why? Because after further analyzing my failed cod connection attempt pcaps, whattayah know - this 185.34.106.18 is throwing RST, ACK's at my public ip & dropping the connection (for whatever reason). Seeing lots of TCP Retransmissions as well as RST, ACKS from their end to my public IP.

                                            1c8cd8b6-7244-4277-9ec5-0255f3428f8b-image.png

                                            I believe successful connection to this 184.34.106.18 is required for successful login to cod online services.

                                            Just for good measure, I enabled DNS forwarding on my firewall and used google, same issue persisted.

                                            Thinking this rules out a DNS problem. I'd conclude the issue is upstream between my ISP and COD/activision servers unfortunately.

                                            Any further thoughts?

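The outcomes johnpoz lists earlier in the thread (a SYN with no SYN, ACK followed by retransmissions, or an RST from the server) and the RST, ACKs reported in the post above can be told apart mechanically from a capture. The following is an added example, not code from any poster or from pfSense: a Python sketch that reads `tcpdump -n` text output and labels each client-opened TCP flow. The sample lines and addresses are constructed, and the function and outcome names are assumptions made for illustration.

```python
import re

# TCP lines as printed by `tcpdump -n` (IPv4 only in this sketch).
LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Constructed sample capture (documentation addresses, not taken from the thread).
SAMPLE = """\
12:00:01.000000 IP 192.0.2.10.51000 > 198.51.100.20.443: Flags [S], seq 100, win 64240, length 0
12:00:01.030000 IP 198.51.100.20.443 > 192.0.2.10.51000: Flags [S.], seq 900, ack 101, win 65535, length 0
12:00:01.031000 IP 192.0.2.10.51000 > 198.51.100.20.443: Flags [.], ack 901, win 64240, length 0
12:00:02.000000 IP 192.0.2.10.51001 > 203.0.113.18.3074: Flags [S], seq 200, win 64240, length 0
12:00:02.040000 IP 203.0.113.18.3074 > 192.0.2.10.51001: Flags [R.], seq 0, ack 201, win 0, length 0
12:00:03.000000 IP 192.0.2.10.51002 > 203.0.113.99.3074: Flags [S], seq 300, win 64240, length 0
12:00:04.000000 IP 192.0.2.10.51002 > 203.0.113.99.3074: Flags [S], seq 300, win 64240, length 0
12:00:06.000000 IP 192.0.2.10.51002 > 203.0.113.99.3074: Flags [S], seq 300, win 64240, length 0
""".splitlines()

def classify(lines):
    """Map (client, client_port, server, server_port) -> (outcome, SYN retransmits).
    client_port is the ephemeral source port; server_port is the destination port."""
    flows = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        src, dst = (m["src"], int(m["sport"])), (m["dst"], int(m["dport"]))
        if m["flags"] == "S":  # bare SYN: the client opens (or retries) a flow
            st = flows.setdefault(src + dst, {"syns": 0, "synack": False, "rst": False})
            st["syns"] += 1
        elif dst + src in flows:  # packet coming back from the server side
            if m["flags"] == "S.":
                flows[dst + src]["synack"] = True
            elif "R" in m["flags"]:
                flows[dst + src]["rst"] = True
    result = {}
    for key, st in flows.items():
        if st["rst"]:
            outcome = "reset_after_handshake" if st["synack"] else "reset_without_handshake"
        elif st["synack"]:
            outcome = "handshake_answered"
        else:
            outcome = "no_answer"
        result[key] = (outcome, st["syns"] - 1)
    return result

if __name__ == "__main__":
    print(classify(SAMPLE))
```

A flow labelled `no_answer` with retransmits points at filtering or a routing problem somewhere on the path, while either reset outcome means the far end (or a device in front of it) actively refused the connection.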
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.