NAT Loopback for Opensim
-
What do you mean by 'server side'? I looked at that trace and there are no TCP packets at all. The client side trace was useless because it just shows the 3-way handshake. Remember that the reflector process on pfsense talks to the VNC server on a different port. Look at the /tmp/rules.debug and see what the reflected port is (something around 19000 or so I think?)
-
I'm sorry, I'm trying to be as much help as possible. What I meant by server side is I ran the packet capture on the server PC itself. I'm simply choosing Start capture in Wireshark and then saving the captured packets.
I'm getting pretty confused right now as you talk about reflected ports. I included my rules.debug file for you to look at since now I don't know what I'm looking for.
I feel like we're real close now.
Thanks again so much for your help.
-Mike
-
Sorry, I mixed this thread with another NAT reflection thread. In a nutshell: NAT reflection works by having a process started on the firewall which accepts input on 127.0.0.1:P2 where P2 is a specially chosen port. A rdr rule is put in which redirects access to port P on the WAN to the localhost on P2. The process then opens a connection to the real LAN host on port P. This is all necessary because you can't redirect a packet back out the same interface with the same port number :( So, that all said, this is the line from rules.debug which we care about:
rdr on $lan proto tcp from any to 24.21.73.53 port { 9000 } -> 127.0.0.1 port 19016
this means the reflector process is splicing together 127.0.0.1:19016 to the real LAN IP, port 9000. What that means is: run wireshark on port 19016 :)
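As an added illustration (not from the thread or from pfSense itself), a small Python parser for rdr lines in rules.debug that picks out the NAT-reflection entries (the ones targeting 127.0.0.1) and reports which loopback port to capture on for a given public port; the sample text is constructed around the rule quoted above, with a made-up VNC entry and a plain port forward added.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed rules.debug excerpt: line 1 is the rule quoted in the thread, the rest are made up.
SAMPLE_RULES_DEBUG = """
rdr on $lan proto tcp from any to 24.21.73.53 port { 9000 } -> 127.0.0.1 port 19016
rdr on $lan proto tcp from any to 24.21.73.53 port { 5900 } -> 127.0.0.1 port 19017
rdr on $wan proto tcp from any to 24.21.73.53 port 9000 -> 192.168.2.157 port 9000
"""

class Reflection(NamedTuple):
    iface: str
    proto: str
    wan_ip: str
    public_port: int      # P: the port clients connect to on the WAN address
    reflector_port: int   # P2: the loopback port the reflector process listens on

# Matches both "port { 9000 }" and "port 9000" forms of an rdr rule.
RDR_RE = re.compile(
    r"^rdr on (?P<iface>\S+) proto (?P<proto>\w+) from \S+ to (?P<dst>\S+) "
    r"port (?:\{\s*(?P<plist>[^}]+?)\s*\}|(?P<psingle>\d+)) "
    r"-> (?P<target>\S+) port (?P<tport>\d+)\s*$"
)

def parse_reflections(text: str) -> List[Reflection]:
    """Return only the rdr rules whose target is 127.0.0.1 (NAT reflection)."""
    found = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m or m.group("target") != "127.0.0.1":
            continue
        ports = m.group("plist") or m.group("psingle")
        for p in re.split(r"[,\s]+", ports.strip()):
            if p:
                found.append(Reflection(m.group("iface"), m.group("proto"),
                                        m.group("dst"), int(p), int(m.group("tport"))))
    return found

def reflector_port_for(text: str, public_port: int) -> Optional[int]:
    """Loopback port (P2) that carries traffic for the given public port (P)."""
    for r in parse_reflections(text):
        if r.public_port == public_port:
            return r.reflector_port
    return None

def capture_filter(text: str, public_port: int) -> Optional[str]:
    """Wireshark/tcpdump capture filter for the reflected leg of a public port."""
    p2 = reflector_port_for(text, public_port)
    return None if p2 is None else f"host 127.0.0.1 and tcp port {p2}"
```

Feeding the real rules.debug to capture_filter(text, 9000) gives the filter to use on the firewall, which is where the reflected leg is visible; a capture on the server only ever sees the second leg from the pfSense LAN address.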
-
Well, now I'm at a complete loss again. Just as I thought I was closing in, it works. I have no idea why. Why is this a problem? Because it works with VNC but not with opensim which is the original problem. So now that it's working and opensim isn't I don't know where to go next.
What I do know is that it's the router. Anyone else that has this problem solves it either by enabling loopback or buying a router that supports it. Like a D-Link gaming router. So I'm back at square one and don't know what to try next except give up on pfSense. It's too bad because I liked having a VPN option.
Maybe you have another thing for me to look at, I don't know. I'm still willing to try if you are.
-Mike
-
Best bet I can think of: the opensim server is not happy seeing the connection coming from the pfsense LAN IP. Question: is there a reason you have to use the WAN IP? Why can't you connect on the LAN IP? You could have a name opensim.yourdomain.com (or whatever) with your external DNS provider that points to the pfsense WAN IP, and a name opensim.yourdomain.com on the pfsense (under DNS forwarder, I believe). That way, your client can reference the name and it works wherever you are. This is called split DNS and is preferable to reflection.
-
I have tried to do what you're saying about a split DNS, but I'm not sure I have implemented it correctly.
I do have a dynDNS of sixteentrees.homeip.net that points to my WAN and I have the DNS forwarder enabled for sixteentrees.homeip.net -> 192.168.2.157 (opensim server).
My DHCP server sets 192.168.2.1 as the DNS server so my clients should start there. My general setup has the DNS servers of 208.67.222.222 & 208.67.222.220. I guess, from my understanding, if my client wants sixteentrees.homeip.net, the router should provide 192.168.2.157 as the IP instead of the WAN.
For shits & giggles, I've attached my current config file. This time I'll send the whole file instead of editing out what I thought was irrelevant. In the process of editing the file to hide names and pswds, I saw that the DNS forwarder was using my other dynDNS. I changed it, tried it, and it still didn't work. I may try restarting the router.
-
I tried the reboot and it didn't fix it. I forgot to answer your question about why I can't use the local IP of the server.
Best I can tell, I have no control over that. With the opensim simulator, I log into a grid that hosts users and their inventory. One can run a server and connect it to the grid for anyone to access that is on the grid. So when I connect to the grid and then teleport to my sim, my client and the grid don't know that the server is mine and on the same side of the router as my client. I believe it is the client accessing the grid and the grid then accessing my server, but since both are behind the same router, the router is not handling it properly.
I don't fully understand this communication protocol, but only from what I've gotten from the opensim forums. They have a set of recommended routers that properly handle the loopback needed. They are listed on this page "http://opensimulator.org/wiki/NAT_Loopback_Routers" and they are "gaming" routers. I believe what they mean by "gaming" is that gamers have the exact situation I have with opensim. A user accesses a group server and may serve their own region as well to the group. Therefore, for them to access their own region, they need the same NAT loopback.
I hope I'm making some sense and not either or both confused or confusing due to my lack of a full understanding of what's really going on.
-
It sounds like a real mess (and a badly designed system, IMO, not your fault.) And another reason to get rid of NAT and go to IPv6. Yeah, I know some NAT implementations work, but… Sounds like you are screwed, since the client seems to get the IP from the server, ugh :(
-
Now that I think about it, if the server can hand out a name (as opposed to an IP), this can still be made to work - you do the split DNS approach I mentioned before.
-
Problem solved! I moved away from pfSense and got a linksys router running DD-WRT and it works wonderfully. Maybe someday this will work in pfSense since I like the sw so much better, but DD-WRT has VPN and NAT loopback operates great.
-Mike