NATting with Hybrid Outbound Sometimes Working
-
I use https://canyouseeme.org/ to just tell me if my port is open from outside my network. What I want to open is UDP, but I've been opening both TCP/UDP just to test.
I have a webserver using 443 and don't have any issues with it. I had opened that port a few years back.
Unless my understanding is wrong, I should be able to open a port forward in pfSense and it should be able to be seen from outside my network as open.
I tried on Linux and Windows systems and still says closed.
Regarding the Hybrid, I'm talking about Firewall/NAT/Outbound, the Outbound NAT Mode is set to Hybrid. I don't remember the reasoning behind it, but the mini PC I have pfSense on has 4 ports, 1 I have set for WAN and the other 3 are internal. I have 1 for my LAN which is all of my systems. At one point I had a Guest Network on one of them, but nothing is connected any more, so it is just mapping. I just changed it back to automatic.
-
@kaysersosa said in NATting with Hybrid Outbound Sometimes Working:
I use https://canyouseeme.org/ to just tell me if my port is open from outside my network. What I want to open is UDP, but I've been opening both TCP/UDP just to test.
My point is, you can't always trust the result from port testing sites...
What type of server is it you are trying to open the port towards?
Best way to test is to actually have the server up and running and try accessing it from the internet. Use a VPN or a laptop tethered to your phone...
Or, if you set Pure NAT and Automatic NAT reflection under System > Advanced > Firewall & NAT, you can test from any device on your LAN using your external IP.
-
Check the firewall settings under GoogleFiber router?
-
I am trying to setup a game server. I have had the server up and running on a couple different Windows systems. I'm building a Ubuntu server to test on as well. I have hosted game servers (not this one) in the past without issues, but having problems now.
The game server calls for UDP ports, but I'm opening TCP and UDP, mainly so I can see if the ports are visible using something like https://canyouseeme.org/. I've never had an issue with this site in the past.
From the game I can access the server only if I'm running on the same system I'm playing the game from. If I host the server on another internal system, I then can't see it. This is throwing possible Windows firewall issues.
I have confirmed that I have Windows Defender firewalls open for inbound TCP & UDP to the program on the needed ports. Nmap comes back stating closed for TCP and UDP.
nmap -Pn -p<portnum> -sS -sV <ip address> -- TCP closed
nmap -Pn -p<portnum> -sU -sV <ip address> -- UDP closed
nmap -Pn -p<portnum> -sT -sV <ip address> -- TCP filtered sw-orion
I found this site that will tell you if your game server is up, and mine has never shown up in it.
https://gamemonitoring.net/. I have also had a friend outside my home tell me they don't see the server.
My NAT Reflection mode is set to Pure NAT -- under System > Advanced > Firewall & NAT
I am honestly at a loss and have no clue what and where the block is. I figured I would at least start with the NAT in pfSense and go from there.
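An added example, not part of any post in this thread: a minimal UDP probe that separates the three outcomes behind the nmap results quoted above (a reply, an ICMP port unreachable, or silence), plus a stand-in listener to bind the port in place of the game server. The names `probe_udp`, `run_listener` and `demo` are hypothetical, and the loopback cases in `demo` are constructed.

```python
import socket
import threading


def probe_udp(host, port, payload=b"probe", timeout=1.0):
    """Send one datagram and classify the port the way `nmap -sU` reports it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))  # connected socket, so ICMP errors reach us
        try:
            s.send(payload)
            s.recv(2048)
            return "open"  # something answered
        except (ConnectionRefusedError, ConnectionResetError):
            return "closed"  # ICMP port unreachable: host reached, no listener
        except socket.timeout:
            return "open|filtered"  # silence: dropped, or listener ignored us


def run_listener(bind_ip="127.0.0.1", port=0, reply=True):
    """Stand-in for the game server: bind a UDP port, optionally echo."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))

    def loop():
        while True:
            data, peer = sock.recvfrom(2048)
            if reply:
                sock.sendto(data, peer)

    threading.Thread(target=loop, daemon=True).start()
    return sock


def demo():
    """Constructed loopback cases: echoing, silent and unbound ports."""
    echo = run_listener()
    silent = run_listener(reply=False)
    tmp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tmp.bind(("127.0.0.1", 0))
    unbound = tmp.getsockname()[1]  # a port with no listener once tmp closes
    tmp.close()
    return {name: probe_udp("127.0.0.1", p) for name, p in (
        ("echo", echo.getsockname()[1]),
        ("silent", silent.getsockname()[1]),
        ("unbound", unbound))}


if __name__ == "__main__":
    print(demo())
```

A "closed" result means the datagram reached a host that has nothing bound to the port, while "open|filtered" cannot tell a firewall drop from a service that ignores an unrecognised payload, so the echoing listener is the unambiguous test between two LAN machines.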
-
@kaysersosa Get a public IP from your ISP
-
@kaysersosa said in NATting with Hybrid Outbound Sometimes Working:
From the game I can access the server only if I'm running on the same system I'm playing the game from. If I host the server on another internal system, I then can't see it. This is throwing possible Windows firewall issues.
So just so I understand... if you run the server on PC A, and try to access it from PC B, both on your LAN, you can't?
It only works if you host it on A and try to access it from A ??
@kaysersosa said in NATting with Hybrid Outbound Sometimes Working:
My NAT Reflection mode is set to Pure NAT -- under System > Advanced > Firewall & NAT
And what about Automatic NAT reflection, is that on?
-
@Strike1asd
There isn't a GoogleFiber router and GoogleFiber doesn't block any ports from what I've researched.
My pfSense is connected directly into the Fiber to Ethernet connector.
-
@Gblenn
Correct on the PC setup.
Enable automatic outbound NAT for Reflection is not checked.
Enable NAT Reflection for 1:1 NAT is not checked.
-
@kaysersosa said in NATting with Hybrid Outbound Sometimes Working:
@Gblenn
Correct on the PC setup.
Ok, but that means that the problem is at the PC running the server, not with pfsense... At least to start with.
Since any communication between PC A and B on the same LAN, doesn't involve pfsense at all...
So perhaps the game server is either not broadcasting its existence at all, or something is blocking it from doing so. And it might be windows firewall which you also mentioned earlier.
Once you get that sorted, so that PC B can access the server on PC A, you should be good to go if you forward the correct ports on pfsense.
If you set "NAT Reflection mode for port forwards" to Pure, and check the box for "Enable automatic outbound NAT for Reflection", you will then be able to access the game server using your external IP. pfsense will recognize the request and figure out that it should go to the IP of the game server (provided the port forward works).
-
@kaysersosa said in NATting with Hybrid Outbound Sometimes Working:
My setup is Google Fiber -> pfSense ->
What device are you using in front of pfsense? What is the make and model of this device?
Did you setup pfsense wan IP in the dmz of your google fiber device?
https://support.google.com/fiber/answer/4643957?hl=en
As to hybrid outbound - you really wouldn't need that unless you were wanting to nat something to a different interface/ip - say if you had a vpn connection or something and you wanted to policy route some traffic out the vpn, or you had a vip on your wan you wanted to nat some specific traffic to.
Normally you would just have automatic with no need for hybrid outbound nat.
-
@Gblenn I realize this forum is for pfSense, but any help you can provide regarding the Windows Firewall or testing I can do. Tools I can run and provide information. If not, I understand.
-
@johnpoz said in NATting with Hybrid Outbound Sometimes Working:
What device are you using in front of pfsense? What is the make and model of this device?
There isn't a router in front of my pfsense. It is just the fiber to ethernet connection into my house.
I have changed the Hybrid back to Automatic, still no change. I do have OpenVPN setup and working. Was starting to tinker with VLANs but none of that is setup or used.
-
@kaysersosa said in NATting with Hybrid Outbound Sometimes Working:
@Gblenn I realize this forum is for pfSense, but any help you can provide regarding the Windows Firewall or testing I can do. Tools I can run and provide information. If not, I understand.
Well the simplest test you can do is to turn off Windows defender (if that is what you use) on the PC where you run the game server. Restart the game server and see if you now can both find it and then connect to it from the other PC.
Which game is it you are trying to host btw?
-
I will give that a try when I have a moment. I think I've done it without luck before, but I'll do it and let you know the results.
The game is Icarus. I have tried using both of the following methods without luck.
https://github.com/RocketWerkz/IcarusDedicatedServer/wiki/Server-Setup
https://makeyourownserver.com/easiest-way-to-host-your-own-icarus-dedicated-server/
-
@kaysersosa said in NATting with Hybrid Outbound Sometimes Working:
The game is Icarus. I have tried using both of the following methods without luck.
Ok looks like only two ports need to be forwarded 17777 and 21015. Doesn't say which protocol so I'd select TCP/UDP for both.
What does your NAT rule look like? Can you paste a picture?