Quake 4 or game servers behind pfSense

MuDvAyNe · Sep 26, 2006, 7:38 PM

On occasion, I run a Quake 4 server off of one of my servers behind my firewall. When I was
running Brazil Firewall, I just opend the games UDP port and fired up the server no problems, it
was also listed in the Quake 4 ingame server browser.
Since I switched to PFSense, I can run my game server but it will not show up in the ingame
browser list. I have the UDP port opened as I did with the Brazil FW is there something I am
missing?
The reason I am asking this is because it appears that when a machine behind a pfSense firewall
needs to send outbound UDP connections, you need set up the Firewall>NAT>Outbound to allow
it otherwise it won't work. I experienced this trying to use Hamachi and Emule's KAD connection.
Both use outbound UDP and both required further setup whereas when using Brazil Firewal or even
IPCOP, I did not need to set this up.
It says in the documentation for Quake 4 that all game traffic is UDP, and when starting a server,
it displays:

Sending heartbeat to 192.246.40.28:27650
Sending heartbeat to 192.246.40.28:27650
Sending heartbeat to 192.246.40.28:27650

Which is ID's masterserver. I thought I would be proactive and setup a rule to allow UDP traffic
from my server machine to ANY destination on UDP port 27650 but it didn't seem to work. :(
I have successfully worked through the Hamachi configuration problem which I thought was going to
drive me to drink, and the Kad problem which was pretty much identical to Hamachi, but just different
ports, what am I doing wrong with this game server? Any insight as to how to run a game behind pfSense
would be greatly appreciated.

hoba · Sep 26, 2006, 7:46 PM

You usually don't need to set up additional outbound NATs. This only is needed for special protocols/applications. I guess you need a static port option for this game to work.

Btw, shifting ports outgoing through a NAT is a securityfeature that the firewalls that you list simply don't have. If you want to make pfSense act like these enable a static port option for your complete subnet and not only single ports. Also make sure your advanced outbound NAT rules order is correct. It's matched top down. First rule that applies wins.

MuDvAyNe · Sep 26, 2006, 10:39 PM

What threw me for a loop was normally with IPCOP or Brazil FW, I would fire up my server
and within a few mins, see it listed in the game browser. This afternoon, I checked for my
game server from an outside PC with Qtracker and my it was listed, so it appears as though pfSense
is letting the UDP communication out properly after all. It is just that I am used to
being able to check it from within my LAN to make sure it is listed.
What is weird is I have the NAT reflection turned on, so I can connect to FTP and Web
servers using their external domain names and I just thought I would be able to do
the same thing with the Quake 4 server. Could it be that the NAT reflection is only
"reflecting" TCP and not UDP? Not that I would want to connect to my external Quake 4
server address, I can easily connect to the LAN IP. The only reason I ask this, is because
programs like Qtracker and Server Watch, which allow you to admin game servers, are
very useful in monitoring and admining game servers and when they can be set up to
monitor using the internet address, it is a quick way to tell if things are working properly.
Yeah, I can set them to use the LAN address, but how to I know if my server is actually
being published for other players to find?

As a side note…
I am not looking to setup pfSense to be exactly like the other two, otherwise
I would just use them. Just a newbie trying to get things configured with a new firewall.
I just mentioned the other firewalls just because that is what I was used to. I had used IPCOP
and Coyote/BrazilFW for a couple of years off and on and never even heard of pfSense. I
discovered pfSense off the BrazilFW messageboard where someone had mentioned it so I checked
it out. The reason I have switched, is because pfSense is giving me the best performance
overall compared to the other two firewalls. For some reason, after the other Firewalls were
running for a couple of hours, their performance would start to decline. I was loosing 1000-1500 kbps
downstream bandwidth after about 6hours with BrazilFW, and IPCOP was even more than
that. So far, using the exact same equipment (P2 450Mhz, 256MB Mem, 3 3comNICS, installed to hardDisk)
pfSense is solid and getting consistant results when I do a speed test. The interface is nice
and there is a nice forum to help you with things. I think I will be sticking with pfSense. ;D

sullrich · Sep 26, 2006, 11:02 PM

We fixed a number of udp reflection bugs recently.

Make sure you are on http://www.pfsense.com/~sullrich/1.0-SNAPSHOT-09-26-06/

MuDvAyNe · Sep 27, 2006, 3:29 AM

I updated to this latest snapshot and then tried to monitor my server via Server Watch
and Qtracker and it still can't connect to it. It appears as though it is still not reflecting
the UDP correctly at least for Quake 4.