Netgate Discussion Forum

    Downside of Static Port for All Traffic from One Device?

    beremonavabi

      One of my wife's games was giving her "Strict NAT" warnings and refusing to run.  To get it working, I had to add an outbound NAT firewall rule making all traffic from her machine static.  I used the following somewhat vague article as the basis:

      https://doc.pfsense.org/index.php/Static_Port

      That article says to specify the particular ports that need to be open, but that doesn't work.  My guess is the Ubisoft/Uplay/Uno people have listed incorrect port information here:

      https://support.ubi.com/en-US/Faqs/000025273/Connectivity-Issues-PC-UNO

      So, until I can figure out which ports the game actually needs to be statically mapped, what's the downside of making all traffic from her computer static?  Is it just a slight hit to security?

      By default, pfSense rewrites the source port on all outgoing packets. Many operating systems do a poor job of source port randomization, if they do it at all. This makes IP spoofing easier, and makes it possible to fingerprint hosts behind the firewall from their outbound traffic. Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities.

      SG-4860, pfSense 2.4.5-RELEASE-p1 (amd64)

    johnpoz (LAYER 8, Global Moderator)

        Not really a hit to security. But it can cause a problem with actual NAT. You have multiple devices behind your NAPT (network address port translation). What if some other device was NATed to use port X as its source port to your internet connection, and now the device you want to use as static is using the same port? There is no way for pfSense to then make that a static port.

        There is no possible way for pfSense to reserve ALL the ports for use only by your specific device. So while there are really no security issues with what you're doing, it is a borked config when you have more than one device behind a NAPT. Sooner or later you're going to run into a conflict that prevents a connection, when multiple devices try to use the same port, since you have locked your one device into using static. The more devices you have behind your NAPT, the more likely you are to run into the conflict.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        beremonavabi
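The collision johnpoz describes, and the doc's advice from the first post to restrict static port to the game's destination ports, as an added example that is not part of the original thread or of pfSense/pf code: a small Python model of an outbound NAPT state table. The model assumes what pf does in practice, one state per (proto, WAN IP, external port, destination IP, destination port), with a flow that cannot get a free key being refused. Addresses, ports and host roles are constructed for the illustration.

```python
"""
Constructed model (added example, not pfSense or pf code) of outbound NAPT
with pfSense-style "static port" rules. Assumption: one state per
(proto, wan_ip, ext_port, dst_ip, dst_port); a flow whose only acceptable
key is already taken gets no state, so that connection never starts.
All addresses and ports are made up.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Napt:
    """Single WAN address. Hosts without a matching static rule get a random
    high source port (pfSense's default rewrite); hosts with one keep theirs."""

    def __init__(self, wan_ip, ephemeral=(50001, 65535), seed=1):
        self.wan_ip = wan_ip
        self.ephemeral = ephemeral
        self.rng = random.Random(seed)
        self.static_rules = {}   # src_ip -> frozenset of dst ports, or None = all
        self.states = {}         # external key -> Flow
        self.flow_port = {}      # Flow -> external port it was given
        self.failed = []         # flows refused because of a key collision

    def add_static_port_rule(self, src_ip, dst_ports=None):
        self.static_rules[src_ip] = None if dst_ports is None else frozenset(dst_ports)

    def _is_static(self, f):
        if f.src_ip not in self.static_rules:
            return False
        ports = self.static_rules[f.src_ip]
        return ports is None or f.dst_port in ports

    def _key(self, f, ext_port):
        return (f.proto, self.wan_ip, ext_port, f.dst_ip, f.dst_port)

    def translate(self, f):
        """External source port chosen for f, or None if no state could be made."""
        if f in self.flow_port:
            return self.flow_port[f]
        if self._is_static(f):
            candidates = [f.src_port]          # the only acceptable answer
        else:
            lo, hi = self.ephemeral
            candidates = self.rng.sample(range(lo, hi + 1), 32)  # rewrite attempts
        for p in candidates:
            k = self._key(f, p)
            if k not in self.states:
                self.states[k] = f
                self.flow_port[f] = p
                return p
        self.failed.append(f)
        return None


WAN = "198.51.100.7"
SERVER = ("203.0.113.5", 3074)   # constructed game server
PC = "192.168.1.10"              # the host with the static-port rule
NEIGHBOUR = "192.168.1.20"       # any other device on the same LAN


def scenario_static_all():
    """Static port for ALL traffic from PC, as in the thread. Returns
    (neighbour_port, pc_port); pc_port is None when PC's flow needs the
    external port the neighbour's translation already occupies."""
    nat = Napt(WAN)
    nat.add_static_port_rule(PC)                      # no dst port restriction
    n_port = nat.translate(Flow("udp", NEIGHBOUR, 40000, *SERVER))
    # "Sooner or later": PC opens a flow to the same server whose source port
    # equals the port the neighbour was rewritten to. Static means no way out.
    return n_port, nat.translate(Flow("udp", PC, n_port, *SERVER))


def scenario_static_game_ports_only():
    """Static port only for the game's destination port (the doc's advice).
    The same trap on a non-game port is escaped because that flow is rewritten."""
    nat = Napt(WAN)
    nat.add_static_port_rule(PC, dst_ports={3074})
    n_port = nat.translate(Flow("tcp", NEIGHBOUR, 40000, SERVER[0], 443))
    return n_port, nat.translate(Flow("tcp", PC, n_port, SERVER[0], 443))


def scenario_no_static():
    """Default behaviour: both hosts use 3074 locally, both get distinct
    rewritten ports, nothing collides."""
    nat = Napt(WAN)
    a = nat.translate(Flow("udp", PC, 3074, *SERVER))
    b = nat.translate(Flow("udp", NEIGHBOUR, 3074, *SERVER))
    return a, b


if __name__ == "__main__":
    print("static for all traffic     :", scenario_static_all())
    print("static for game ports only :", scenario_static_game_ports_only())
    print("no static port             :", scenario_no_static())
```

The first scenario is the failure mode from the reply: with static port on every destination, the moment PC's own source port matches an external port some other host's translation already holds for the same destination, the PC's flow gets no state. Narrowing the rule to the game's destination ports keeps that exposure limited to the game's flows; every other port from that host is still rewritten and can always find a free port.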

          Ouch (and thanks).  I've written Ubisoft to see if they'll provide a correct list of ports the game needs.  Hopefully, they'll answer.

          SG-4860, pfSense 2.4.5-RELEASE-p1 (amd64)

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.