Netgate Discussion Forum

    Only one device on LAN able to create state for port X

    Category: NAT
    • birarda

      Hi there!

      We run pfSense 2.2.3 (still need to update once I get a window where people aren't working) here in our office.

      We develop a server piece of software that wants to listen on UDP 40102 by default, and use UDP hole punching to connect clients from outside the network.

      It seems that it is only possible for the firewall to handle one client on the LAN listening on 40102 and communicating externally. This is easily detectable by running one instance of the server on machine A, seeing that it communicates with our STUN server successfully (and gets the right public IP), and then running a second instance of the server on machine B and seeing that it is unable to communicate with the STUN server.

      If I stop the server on machine A, machine B can't grab the port at the NAT level until the firewall state from machine A's session is cleared.

      Is there some way to make the pfSense automatically choose a port at the WAN level that will map to 40102 for each of the machines?

      • doktornotor

        Yeah, indeed it seems only possible for ANY firewall there to port-forward a single port to a single machine. Would suggest rewriting your broken software.

        • birarda

          Thanks for your helpful message! Obviously the server software can run on a custom or randomized port. I'm trying to solve the default case.

          I suspect this may be because we need the "Static-port" option for outbound NAT, since otherwise it behaves like a symmetric NAT and that is not conducive to UDP hole punching.

          • birarda

            Seems that the issue is that without the "Static-port" option pfSense is a symmetric NAT (which is no good for hole punching), but with that option it refuses to do any remapping of source ports at all, allowing only one client to use the given source port at a time.

            jimp explains that here:
            https://forum.pfsense.org/index.php?topic=63424.msg343571#msg343571

            • johnpoz (Global Moderator)
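The two behaviours described in this thread (one LAN host at a time on UDP 40102 with Static-port, versus a symmetric mapping without it) are easy to see in a small model of pf-style outbound NAT. The block below is an added example written for this page, not code from the thread or from pfSense; the WAN address 192.0.2.2, LAN hosts 192.168.1.10/11, STUN server 198.51.100.1:3478 and external peer 203.0.113.7 are constructed, and the randomised-port branch simplifies pf's real port selection (it never reuses a WAN port held by any live state, whereas pf checks per destination tuple).

```python
"""Model of pf-style outbound NAT: Static-port vs. randomised source ports.
Added illustration for the thread above; addresses and ports are constructed."""
import random
from dataclasses import dataclass


class NatConflict(Exception):
    """A static-port translation would duplicate a WAN tuple held by a live state."""


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class OutboundNat:
    """One WAN address; states are keyed on the full LAN 4-tuple, as in pf."""

    def __init__(self, wan_ip, static_port=False, seed=1):
        self.wan_ip = wan_ip
        self.static_port = static_port
        self.rng = random.Random(seed)
        self.states = {}     # Flow -> WAN source port chosen for that state
        self.in_use = set()  # (wan_port, dst_ip, dst_port) held by a live state

    def translate(self, flow):
        """Return the WAN source port for this flow, creating state if needed."""
        if flow in self.states:
            return self.states[flow]
        tail = (flow.dst_ip, flow.dst_port)
        if self.static_port:
            # Static-port: the source port is never rewritten, so a second LAN
            # host using the same source port towards the same destination
            # cannot get a state while the first one's state exists.
            wan_port = flow.src_port
            if (wan_port, *tail) in self.in_use:
                raise NatConflict(f"{self.wan_ip}:{wan_port} -> {flow.dst_ip}:"
                                  f"{flow.dst_port} is held by another LAN host")
        else:
            # Default: a fresh random port per state. Every new destination is
            # a new state, so each peer sees the same LAN socket on a different
            # WAN port (symmetric NAT). Simplification: never reuse a WAN port
            # held by any live state; real pf checks freeness per destination.
            live = {port for port, _, _ in self.in_use}
            wan_port = self.rng.choice(
                [p for p in range(49152, 65536) if p not in live])
        self.states[flow] = wan_port
        self.in_use.add((wan_port, *tail))
        return wan_port

    def release(self, flow):
        """Drop a state: the firewall state timing out or being killed."""
        wan_port = self.states.pop(flow)
        self.in_use.discard((wan_port, flow.dst_ip, flow.dst_port))


WAN = "192.0.2.2"                 # constructed WAN address of the firewall
STUN = ("198.51.100.1", 3478)     # constructed STUN server
PEER = ("203.0.113.7", 40102)     # constructed external client
HOST_A, HOST_B = "192.168.1.10", "192.168.1.11"
SERVER_PORT = 40102


def demo_static_port():
    """Static-port: hole punching works, but the WAN port is single-occupancy."""
    nat = OutboundNat(WAN, static_port=True)
    a_stun = Flow(HOST_A, SERVER_PORT, *STUN)
    a_peer = Flow(HOST_A, SERVER_PORT, *PEER)
    b_stun = Flow(HOST_B, SERVER_PORT, *STUN)
    result = {"a_seen_by_stun": nat.translate(a_stun)}
    # The peer sees the same WAN port STUN reported, so the punch can work.
    result["a_consistent"] = nat.translate(a_peer) == result["a_seen_by_stun"]
    try:
        nat.translate(b_stun)
        result["b_blocked"] = False
    except NatConflict:
        result["b_blocked"] = True      # machine B cannot reach STUN at all
    nat.release(a_stun)                 # machine A's state is cleared ...
    result["b_after_release"] = nat.translate(b_stun)  # ... now B gets the port
    return result


def demo_random_port():
    """Default outbound NAT: both hosts get states, but the mapping is symmetric."""
    nat = OutboundNat(WAN, static_port=False)
    a_stun = Flow(HOST_A, SERVER_PORT, *STUN)
    a_peer = Flow(HOST_A, SERVER_PORT, *PEER)
    b_stun = Flow(HOST_B, SERVER_PORT, *STUN)
    a_seen, b_seen = nat.translate(a_stun), nat.translate(b_stun)
    return {
        "both_hosts_online": a_seen != b_seen,
        # The port STUN reported for A is not the port the peer will see.
        "a_consistent": nat.translate(a_peer) == a_seen,
    }


if __name__ == "__main__":
    print("static-port :", demo_static_port())
    print("random port :", demo_random_port())
```

On the real firewall the equivalent of `release()` is the state expiring or being killed: `pfctl -ss | grep 40102` shows which states currently hold the port, and `pfctl -k 192.168.1.10` clears the states sourced from that host so the next machine can create its own. Static-port is set per outbound NAT rule in pfSense, so it can be limited to the hosts and source port that need it instead of removing source-port randomisation for the whole LAN.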

              "Is there some way to make the pfSense automatically choose a port at the WAN level that will map to 40102 for each of the machines?"

              Yeah, UPnP would be one solution. You're wanting to forward publicIP:X to ipA:40102 and publicIP:Y to ipB:40102, correct? And you want pfSense to auto-pick X and Y based upon ports that are open.


              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.