A few newbie questions.
-
i've finally altered a dl320 in a manner that i can keep it in my closet running without it sounding like a 747. so, i just yesterday loaded pfsense up on it and removed my wndr4000 from my very small network.
network laid out as follows
modem -> pfsense box -> network switch -> wireless ap and ethernet connected pc
honestly i'm still trying to wrap my head around what a nat is and how it relates/differs from the firewall rules. i'm a nerd, but only at an upper novice level when it comes to networking. all i've dealt with is off the shelf routers, such as the wndr4000, and of course to open a port it was a simple matter of going to the "port forward" tab and punching in a bit of info. thus far in pfsense i've managed to open a few ports via the nat port forward, but i'm still trying to learn.
i guess what i'd like to know is a bit more about the purpose of the firewall rules and how they relate to nat, perhaps more info on nat as well.
how do i know where to assign the firewall rule… wan, lan or both?
i also would like to know more about how pfsense works regarding the opening of ports. for instance i thought i would have to open all sorts of ports to play bf3. but bf3 played fine without me doing a single thing....... why?
i'm curious about traffic shaping as that is really one of the biggest reasons i wanted to try pfsense. i want to be able to play bf3 and be completely unaffected by my wife streaming something or a usenet download that will completely saturate my available bandwidth from my isp.
i've tried reading some of the how to's and whatnot on the forums and wiki but much of it seems pretty technical and i grasp bits and pieces. if anyone has a good, dumbed down source that would explain some of this stuff that would be great too. i currently have a networking for dummies book that i've been looking through trying to further my understanding of networking in general.
hopefully someone can help point me in the right direction. other questions will come, but this is what i can think of right now.
thanks in advance, hope i'm making sense.
-
NAT is Network Address Translation. It's a technology that allows 1 IP address to be used by multiple hosts "simultaneously."
It works something like this:
Host A has an ip address of 192.168.1.2
Host B has an ip address of 192.168.1.3
The NAT host has 2 ips, "internal" 192.168.1.1 and external 172.15.24.1
Host A makes a connection to dilbert.com. (Let's assume the DNS is already taken care of.) He opens a connection to 185.106.169.31 with a source port of 12345 and a destination port of 80.
The NAT host sees a connection to 185.106.169.31 from 192.168.1.2 from a source port of 12345. It makes a note of that number and makes the connection to 185.106.169.31 using 172.15.24.1 source port 12345 and destination port 80. It then stores the source port 12345 in its state table; it "knows" that port 12345 to port 80 belongs to Host A.
Host B wants to check out Dilbert too, so it opens a connection to 185.106.169.31 with a source port of 4561 and a destination port of 80.
The NAT does the same as above, storing port 4561 to port 80 as belonging to Host B.
Now. When dilbert.com talks back to the NAT host, it will answer back using the source port that was sent to it, either 12345 or 4561. The NAT uses this information to send the data to the right place. It does this by looking at its state table.
The practical upshot of this is that NAT is a natural firewall. Any connection that wasn't made from a host on the internal network will be rejected.
NAT port forwarding is basically a shortcut of the above. It tells the NAT, "If you see traffic incoming to this port, send it to this host, it will deal with it."
pfSense exists as both a NAT and a firewall. The two functions are similar, but separate. This means if you create a NAT port forward, you need to open a firewall rule to let traffic through. You assign the rule at where it applies. Usually, NAT is done on the WAN port, so you would want a firewall rule there. You will almost never have to adjust your default LAN rules in a home situation.
As for why bf3 works fine? The short answer is: "It depends on what's going on."
Some multi-player games are very clever at handling NAT. If you don't act as a server, NAT will probably never be an issue. Remember, NAT only rejects traffic that isn't solicited, think of it like a one way valve.
Traffic shaping requires a fairly intimate knowledge of how computers communicate. It's well beyond me to explain it, honestly, I'm still learning it myself. I've toyed with it, but never beyond using the wizard to set up a few defaults.
I hope my very brief explanation of NAT was helpful in some way. If you want to learn more about networking, you are on the right track, I would recommend going to the library and picking up a study guide for Network+ certification. Even if you aren't chasing the cert, it will do a wonderful job giving you a basic understanding on how computer networks work.
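A small runnable model of the behaviour described above, added here as an illustration (it is not pfSense code, and pf on FreeBSD does this with a real state table and rule set). It uses the addresses from the post, a constructed outside address 203.0.113.9, and VNC's well-known port 5900 for the port-forward case, and keeps the NAT table and the WAN firewall rules separate so you can see why a port forward on its own lets nothing in:

```python
"""Toy model of the NAT and stateful-firewall behaviour described in the
reply above.  Added illustration, not pfSense code: pf on FreeBSD keeps a
real state table, but the lookup logic is the same in spirit.  Addresses
are the ones from the post plus one constructed outside host."""
from dataclasses import dataclass

NAT_EXTERNAL = "172.15.24.1"            # from the post
HOST_A, HOST_B = "192.168.1.2", "192.168.1.3"
DILBERT = "185.106.169.31"              # from the post
STRANGER = "203.0.113.9"                # constructed (documentation range)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatFirewall:
    """Separate NAT table and WAN firewall rules, as in pfSense."""

    def __init__(self, external_ip):
        self.external_ip = external_ip
        # State table: (external port, remote ip, remote port) -> (lan ip, lan port).
        self.states = {}
        # NAT port forwards: external port -> (lan ip, lan port).
        self.forwards = {}
        # WAN firewall rules: external ports explicitly allowed in.
        self.wan_allow = set()

    def add_port_forward(self, external_port, lan_ip, lan_port):
        self.forwards[external_port] = (lan_ip, lan_port)

    def allow_on_wan(self, external_port):
        self.wan_allow.add(external_port)

    def outbound(self, pkt):
        """LAN -> WAN: rewrite the source, remember the flow in the state table."""
        ext_port = pkt.src_port
        key = (ext_port, pkt.dst_ip, pkt.dst_port)
        # The post's example keeps the host's source port; if two LAN hosts
        # happen to pick the same port towards the same peer, pick another.
        while key in self.states and self.states[key] != (pkt.src_ip, pkt.src_port):
            ext_port = 49152 if ext_port >= 65535 else ext_port + 1
            key = (ext_port, pkt.dst_ip, pkt.dst_port)
        self.states[key] = (pkt.src_ip, pkt.src_port)
        return Packet(self.external_ip, ext_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """WAN -> LAN: deliver a reply to an existing state, or a forwarded
        port that a firewall rule also allows; anything else is dropped (None)."""
        state = self.states.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if state is not None:
            lan_ip, lan_port = state
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        if pkt.dst_port in self.forwards and pkt.dst_port in self.wan_allow:
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        return None


def walkthrough():
    """Replays the post's two Dilbert connections, then an unsolicited packet
    and a VNC port forward (5900 is VNC's well-known port)."""
    box = NatFirewall(NAT_EXTERNAL)
    a_out = box.outbound(Packet(HOST_A, 12345, DILBERT, 80))
    b_out = box.outbound(Packet(HOST_B, 4561, DILBERT, 80))
    # Replies come back addressed to the NAT's external IP and the remembered port.
    reply_a = box.inbound(Packet(DILBERT, 80, NAT_EXTERNAL, 12345))
    reply_b = box.inbound(Packet(DILBERT, 80, NAT_EXTERNAL, 4561))
    # Nobody on the LAN asked for this one, so there is no state: dropped.
    unsolicited = box.inbound(Packet(STRANGER, 3074, NAT_EXTERNAL, 3074))
    # A port forward alone is not enough in pfSense; the WAN rule must exist too.
    box.add_port_forward(5900, HOST_A, 5900)
    forward_no_rule = box.inbound(Packet(STRANGER, 40000, NAT_EXTERNAL, 5900))
    box.allow_on_wan(5900)
    forward_with_rule = box.inbound(Packet(STRANGER, 40000, NAT_EXTERNAL, 5900))
    return {
        "a_out": a_out, "b_out": b_out,
        "reply_a": reply_a, "reply_b": reply_b,
        "unsolicited": unsolicited,
        "forward_no_rule": forward_no_rule,
        "forward_with_rule": forward_with_rule,
    }


if __name__ == "__main__":
    for name, pkt in walkthrough().items():
        print(f"{name:18} {pkt}")
```

Running it shows both replies landing on the right host, the unsolicited packet and the forward-without-rule case returning `None`, and the forward only working once the WAN rule exists. The state key is (external port, remote address, remote port), which is why a packet from a different remote host to port 12345 would not match Host A's state either.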
-
yeah, that helps some. thanks for taking the time to reply. so what determines the port used on the source side? are they randomly chosen or application specific?
as for bf3 working fine….. (if i'm understanding this somewhat) it works because my pc sent packets out, which the nat saw and then allows the replying packets back through. if for whatever reason a bf3 server just tried to randomly send a packet to my pc, the nat would reject it because my pc had made no such request..... correct?
i'll have to play with the traffic shaper, but do i need to know the ports of bf3, sabnzbd, vnc, and whatever other apps i use in order to effectively set up the shaper? furthermore do i have to set up port forwards for apps, even if they are working fine without an existing port forward rule in order to use the shaper?
-
so what determines the port used on the source side? are they randomly chosen or application specific?
The source port is randomly chosen and usually a high number, >1024. Curiosity had me Googling this and it seems that this is not well defined but is almost always the case. You could write an application that always used the same source port for example, it would be a terrible idea though!
as for bf3 working fine….. (if i'm understanding this somewhat) it works because my pc sent packets out, which the nat saw and then allows the replying packets back through. if for whatever reason a bf3 server just tried to randomly send a packet to my pc, the nat would reject it because my pc had made no such request..... correct?
Yes.
Your machine opens a connection to the bf3 server. pfSense will allow replies to that connection and forwards them back to your internal machine.
It's worth noting that NAT in itself is not intended to be any sort of security. It does hide your internal network from the outside but that would not stop an external machine opening a connection to your internal machines if they already know the internal address. It is the stateful packet inspection that does the security and prevents this.
i'll have to play with the traffic shaper, but do i need to know the ports of bf3, sabnzbd, vnc, and whatever other apps i use in order to effectively set up the shaper? furthermore do i have to set up port forwards for apps, even if they are working fine without an existing port forward rule in order to use the shaper?
You can traffic shape based on ports or IP address or other things. I'm no expert at that though so perhaps someone else can give you more details.
Steve
-
The source port is called an ephemeral port. It is picked at random. The actual ports used vary by operating system.
Bang on for your bf3 question. If the server tried to connect to your computer without having your computer connect first, it will be rejected, because the NAT has no idea where the data is supposed to go, enter port forwarding.
Like I said, I don't know too much about traffic shaping to be of any real use setting it up. To be a blind man describing an elephant; as I understand it, you need to set up the application as a queue and set a priority. Any un-specified traffic not picked up by a queue is dumped to an "everything" queue; a default priority. You can shape traffic by protocol, ip, ports used, even OS, there's room for very fine granularity. I'd check out the traffic shaping sub forum to learn more, that's about as much as I know about it. I don't have any real need for traffic shaping at my house.
Generally, you don't have to set up port forwarding for applications, unless they were acting as a server of some sort and you want the service to face the internet.
There are protocols available for automatically setting up opening ports as needed, also known as Automatic NAT-Traversal. They are NAT-PMP and UPnP. You can set them up as a service in pfSense. I would recommend making sure you knew exactly what you were doing if you want to implement them though. Misbehaving programs can abuse automatic NAT-Traversal and cause you security problems. Make sure there is a real need for it before you turn it on.
Edit: Steve beat me to everything. =D
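To make the queue-and-priority idea above concrete, here is a small model added as an illustration; it is not pfSense's shaper (ALTQ on FreeBSD, which the wizard configures for you) and it ignores bandwidth limits entirely, only showing classification and priority scheduling. Port 3074 stands in as a hypothetical game port, 563 is NNTP over TLS (the usual usenet port), and the packets are constructed:

```python
"""Toy model of the queue-and-priority shaping described in the reply
above: rules classify traffic into named queues, unmatched traffic lands in
a default queue, and the scheduler always serves the highest-priority
non-empty queue first.  Added illustration only; pfSense's shaper (ALTQ on
FreeBSD) is far richer and also enforces bandwidth per queue.
Port 3074 is a hypothetical game port; 563 is NNTP over TLS (usenet)."""
from collections import deque


class Shaper:
    def __init__(self, default_queue="default", default_priority=3):
        self.default = default_queue
        self.priority = {default_queue: default_priority}
        self.queues = {default_queue: deque()}
        self.rules = []  # (queue name, match criteria) checked in order

    def add_queue(self, name, priority):
        self.priority[name] = priority
        self.queues[name] = deque()

    def add_rule(self, queue, **criteria):
        """Match on any packet field, e.g. proto="udp", port=3074, src_ip=..."""
        self.rules.append((queue, criteria))

    def classify(self, pkt):
        """First matching rule wins; anything unmatched goes to the default queue."""
        for queue, criteria in self.rules:
            if all(pkt.get(field) == value for field, value in criteria.items()):
                return queue
        return self.default

    def enqueue(self, pkt):
        queue = self.classify(pkt)
        self.queues[queue].append(pkt)
        return queue

    def dequeue(self):
        """Serve the highest-priority queue that has something waiting (FIFO within a queue)."""
        for name in sorted(self.queues, key=lambda q: -self.priority[q]):
            if self.queues[name]:
                return name, self.queues[name].popleft()
        return None


def demo():
    """A usenet burst and a video stream arrive before one game packet;
    the game packet is still served first.  Returns the service order."""
    s = Shaper()
    s.add_queue("game", priority=7)
    s.add_queue("bulk", priority=1)
    s.add_rule("game", proto="udp", port=3074)   # hypothetical game port
    s.add_rule("bulk", proto="tcp", port=563)    # NNTPS download
    arrivals = [  # constructed packets; "port" is the remote-side port
        {"proto": "tcp", "port": 563, "src_ip": "192.168.1.2"},
        {"proto": "tcp", "port": 563, "src_ip": "192.168.1.2"},
        {"proto": "tcp", "port": 443, "src_ip": "192.168.1.3"},   # stream, no rule -> default
        {"proto": "udp", "port": 3074, "src_ip": "192.168.1.2"},  # game
    ]
    for pkt in arrivals:
        s.enqueue(pkt)
    order = []
    while (item := s.dequeue()) is not None:
        order.append(item[0])
    return order


if __name__ == "__main__":
    print(demo())
```

The service order comes out as game, default, bulk, bulk: the download traffic that arrived first is held back behind the game packet because it sits in a lower-priority queue. This also answers the earlier question about port forwards: the classifier only looks at packet fields, so nothing needs to be forwarded for the shaper to see it, but you do need to know (or match on) enough about each application's traffic to write its rule.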
-
thanks again for the replies. i'm going to play around with this for the next few days and see what i can make heads and tails of. i'll have more questions for sure. either way…... i see my wndr4000 to likely be hitting the f.s. section of the computer forums i frequent.