Want To Disable "Source Port Rewriting On Outbound Packets"
-
@Grimson said in Want To Disable "Source Port Rewriting On Outbound Packets":
@solidservo said in Want To Disable "Source Port Rewriting On Outbound Packets":
Which means that I would like to completely disable the "Source Port Rewriting On Outbound Packets", as that appears to be the culprit here.
Sadly I have not found any information on how this can be done, everything points back to creating that NAT rule with strict ports which is not what I want.
RTFM: https://docs.netgate.com/pfsense/en/latest/nat/static-port.html#setting-static-port-using-hybrid-outbound-nat if you want to completely disable "Source Port Rewriting On Outbound Packets" then leave the source, destination and port settings as "any".
Also there is a dedicated gaming section: https://forum.netgate.com/category/36/gaming
Funny how you used "RTFM", but obviously chose to not read my post....
Not only did I link to the exact same page as you did (right below the image),
I also explained that this workaround is insufficient as it fails as soon as you have more than one person playing the same game, at the same time (like playing it together you know).So what I am talking about/asking for here is an option to disable the source port rewriting feature entirely.
-
@solidservo said in Want To Disable "Source Port Rewriting On Outbound Packets":
I also explained that this workaround is insufficient as it fails as soon as you have more than one person playing the same game.
You can't use the same source port for two different machines, that's how NAT and networking works. The second player has to use a different source port.
I am talking about disabling the entire source port rewriting feature.
And I pointed you at the way this is done, this is it.
For further information read up on the posts in the gaming section, this has been discussed a lot.
-
@Grimson said in Want To Disable "Source Port Rewriting On Outbound Packets":
@solidservo said in Want To Disable "Source Port Rewriting On Outbound Packets":
I also explained that this workaround is insufficient as it fails as soon as you have more than one person playing the same game.
You can't use the same source port for two different machines
You can't port forward the same port to 2 different PC's, that is correct.
However I have been told that UPnP and NAT-PMP get around this issue by incrementing the client connecting port on the external WAN side.As I also explained in my initial post, I never encountered this issue until I installed PfSense.
When you use an EdgeRouter from UBNT - like the EdgeRouter X that I have here - then you just have to SSH into the router and enable upnp2 and nat-pmp. Thats all you have to do to get multiple instances of Warframe to work in the same LAN without changing ports inside the game client.I literally just pluged in the ERX again to play a few rounds with my son - both gameclients work just fine using the same ports.
And I pointed you at the way this is done, this is it.
If PfSense can't provide that "Plug&Play" functionality that I get from other routers, like the EdgeRouter's, then this sadly disqualifies it for my environment. Which is a pity because I do like other aspects of it quite a lot.
-
@solidservo said in Want To Disable "Source Port Rewriting On Outbound Packets":
However I have been told that UPnP and NAT-PMP get around this issue by incrementing the client connecting port on the external WAN side.
UPnP/NAT-PMP does not create outbound NAT rules. They allow an application/host to request inbound port forwards and will then create them. So if an application is requesting port X to open and it is already in use the UPnP/NAT-PMP daemon will inform the client that the port is taken, the client can then choose a different port. Maybe the EdgeRouter is then also creating a matching outbound NAT rule. pfSense doesn't do that, but you can create static outbound port rules for your gaming hosts and you already know how to do it. Again this has been discussed a few times in the gaming forum, so read up on it.
If PfSense can't provide that "Plug&Play" functionality that I get from other routers, like the EdgeRouter's, then this sadly disqualifies it for my environment. Which is a pity because I do like other aspects of it quite a lot.
Use whatever Firewall/Router/Gateway works best for you, no one here is forcing you to use pfSense. pfSense is also intended for enterprise usage, you don't want too much plug&play there, enterprise usage is all about full control of every aspect.
-
@Grimson said in Want To Disable "Source Port Rewriting On Outbound Packets":
@solidservo said in Want To Disable "Source Port Rewriting On Outbound Packets":
However I have been told that UPnP and NAT-PMP get around this issue by incrementing the client connecting port on the external WAN side.
Maybe the EdgeRouter is then also creating a matching outbound NAT rule.
EdgeOS uses miniupnpd - not sure what PfSense's UPnP is build upon?
Thats what UPnP rules look like in EdgeOS
ubnt@ER-X8a:~$ show upnp2 rules Firewall pin holes pkts bytes target prot opt in out source destination 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 2 udp dpt:9308 1022 249K ACCEPT udp -- * * 0.0.0.0/0 192.168.1.17 3 udp dpt:4965 157 11513 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.17 3 udp dpt:4960 149 9678 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.16 5 udp dpt:4965 159 10532 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.16 5 udp dpt:4960 NAT port forwards pkts bytes target prot opt in out source destination 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9308 to:192.168.1.192:9308 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4965 to:192.168.1.173:4965 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4960 to:192.168.1.173:4960 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4966 to:192.168.1.165:4965 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4961 to:192.168.1.165:4960 pkts bytes target prot opt in out source destination 13 728 MASQUERADE udp -- * * 192.168.1.165 0.0.0.0/0 udp spt:4965 masq ports: 4966 13 728 MASQUERADE udp -- * * 192.168.1.165 0.0.0.0/0 udp spt:4960 masq ports: 4961 ubnt@ER-X8a:~$
Just to prove that what I am saying is true.
side by side, 2 gameclients on the same LAN using the same ports - on an ERX.
no special rules, just enabled upnp2 & nat-pmphttps://youtu.be/n2gfi1lsA9A
pfSense doesn't do that, but you can create static outbound port rules for your gaming hosts and you already know how to do it.
Sure, but that workaround comes with the massive downside that I have to take care of the ports used by the application, instead of having the router deal with that.
The big issue is that in most cases, the port used by the application is outside of my control. So I can't ensure that each instance uses a different port.
Use whatever Firewall/Router/Gateway works best for you, no one here is forcing you to use pfSense.
I was looking into PfSense again because of TrafficShaping and AES-NI support.
As good as the EdgeRouter's are, they are a bit handicapped when it comes to their processing power. Especially if you intend to use FQ_CoDel on connections with > 200Mbps.When it comes to these points then PfSense would be a great upgrade. :)
pfSense is also intended for enterprise usage, you don't want too much plug&play there, enterprise usage is all about full control of every aspect.
Fair point.
The thing that I am wondering about however, which you might be able to shed some light on, is: "what is the UPnP / NAT-PMP in PfSense intended to be used for?"
When it is enabled, the NAT status stays "strict" on PlayStation, XBox and online games in general - (which usually is fixed by enabling UPnP on any other router).
And it also does not help in situations where multiple instances of the same application use a fixed port.So I hope you can see why I am a "bit" confused when it comes to the UPnP support in PfSense, coming from EdgeOs. :)
-
@solidservo said in Want To Disable "Source Port Rewriting On Outbound Packets":
Sure, but that workaround comes with the massive downside that I have to take care of the ports used by the application, instead of having the router deal with that.
You don't have to make a rule for every port of every game, you can allow static port for the hosts you use for gaming.
The thing that I am wondering about however, which you might be able to shed some light on, is: "what is the UPnP / NAT-PMP in PfSense intended to be used for?"
Read https://docs.netgate.com/pfsense/en/latest/book/services/upnp-and-nat-pmp.html as I have written above, it allows clients to create port forwards.
Port forwards and outbound NAT rules are two entirely different things. Port forwards decide where (and if) connections initiated from WAN will be redirected. Outbound NAT rules decide how connections initiated from LAN are translated to the outgoing/public interface address.
-
@Grimson said in Want To Disable "Source Port Rewriting On Outbound Packets":
@solidservo said in Want To Disable "Source Port Rewriting On Outbound Packets":
Sure, but that workaround comes with the massive downside that I have to take care of the ports used by the application, instead of having the router deal with that.
You don't have to make a rule for every port of every game, you can allow static port for the hosts you use for gaming.
You misunderstood.
Look at Warframe as example. Its gameclient uses the the same ports on every install.
This is why that "NAT static ports" workaround in PfSense only works as long as you have just 1 person in your LAN playing Warframe.
Once a 2nd player starts the game, that player gets a warning inside the game that UPnP is malfunctioning and the required ports are blocked.As I showed, this usecase is not an issue for an EdgeRouter, but to get this usecase to work in PfSense I must manually change the ports used by the 2nd gameclient to something else than what the first uses.
The issue is that Warframe is pretty much the only game I know where you can change the ports inside the options menu.
In other games you might have a chance to change the ports inside a cfg file or the windows registry. But generally speaking, games do not allow you to change which ports they use.When it comes to consoles, then changing ports is simply impossible.
That is really what this topic is all about.
PfSense appears to have no solution for the usecase, where you need UPnP AND have 2 clients run the same application at the same time, where both instances use the same ports
Furthermore consoles maintain a "Strict" NAT status even when UPnP is enabled (which again, is a first on any UPnP capable router I ever tested/used)
-
The described problem makes it hard to use pfSnese for example on bigger game events. So maybe it would be good to make a community effort to find the solution for this situation.
But first it is important to understand the real cause - I'm not able to point one, but it should be possible because both pfSense and EdgeRouter use miniupnpd. And pfSense team prepared port of miniupnpd for pfSense (written here - http://miniupnp.free.fr/).
But there are some questions I don't know answers of:
- could it be caused by not using the newest version of miniupnpd in pfSense
- is it caused by the way how miniupnpd is ported to the pfSense or everything is OK with miniupnpd implementation but we should look on firewall/NAT configuration and/or it defaults
- there is something else involved, but I'm not able to point it correctly
I believe if we find out what is really happening, then sooner or later fix will be prepared. Probably by the community because I don't believe UPnP has a high priority on a busy schedule of pfSense team. And I believe that having better configuration (and similar to other good firewalls) will make pfSense even greater.
... or maybe all other firewalls/routers are doing it wrong and only pfSense is right? ;)
-
UPnP is for inbound port forwarding only.
The problem most people have is with needing static port on outbound NAT, which isn't governed at all by UPnP/NAT-PMP.
You can't use the same static source port going to the same destination (address:port) for two different clients.
Maybe if miniupnpd gets PCP-PEER support on FreeBSD+PF and the clients support that, it might help in the future. At the moment I believe that's Linux-only.
-
ubnt@ER-X8a:~$ show upnp2 rules Firewall pin holes pkts bytes target prot opt in out source destination 0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.19 2 udp dpt:9308 1022 249K ACCEPT udp -- * * 0.0.0.0/0 192.168.1.17 3 udp dpt:4965 157 11513 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.17 3 udp dpt:4960 149 9678 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.16 5 udp dpt:4965 159 10532 ACCEPT udp -- * * 0.0.0.0/0 192.168.1.16 5 udp dpt:4960 NAT port forwards pkts bytes target prot opt in out source destination 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9308 to:192.168.1.192:9308 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4965 to:192.168.1.173:4965 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4960 to:192.168.1.173:4960 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4966 to:192.168.1.165:4965 0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4961 to:192.168.1.165:4960 pkts bytes target prot opt in out source destination 13 728 MASQUERADE udp -- * * 192.168.1.165 0.0.0.0/0 udp spt:4965 masq ports: 4966 13 728 MASQUERADE udp -- * * 192.168.1.165 0.0.0.0/0 udp spt:4960 masq ports: 4961 ubnt@ER-X8a:~$
So the ERX uses the Masquerade ports it auto-generated as the destination port in its port forwarding rules for the clients. Pretty cool.