Question about NAT static ports



  • I have a question about NAT rules/port forwarding. Recently I was trying to play some 3DS games online; however, I was getting connection problems. I have the proper ports forwarded to the internal static address, however I was still getting connection errors. After some checking it turned out the issue was that I needed to set up an outgoing NAT rule to allow for static ports.

    From how I understand NATs, when a message gets sent externally the NAT will change the external port that gets sent to the server. When the server replies it will reply to the external port, and the NAT will use its internal tables to translate that port back into the internal one as well as the address.

    My question is what is the static port NAT rule for if the NAT will do a translation between the external and internal ports? Or is it needed because the game server will only accept packets from a specific port, and because the NAT will choose its own external port the server would reject the packets?

    Also, does anyone have some good reading material that I can use to learn more about NATs?



  • NAT with static port means that the source port of packets is NOT translated when they are sent out to WAN. So the source port of a packet is the same as it comes from the game console.



  • If the source is 19bit with NAT address is 24bit and the translation pool option is Source Hash with static port, will it be possible to have duplicate outgoing entries (same NAT address and port number) for multiple source hosts? If so, how to prevent this from happening, assuming the static port is required? Many thanks.



  • @harleyip:

    If the source is 19bit with NAT address is 24bit and the translation pool option is Source Hash with static port, will it be possible to have duplicate outgoing entries (same NAT address and port number) for multiple source hosts? If so, how to prevent this from happening, assuming the static port is required? Many thanks.

    The 19-bit vs. 24-bit part of your question makes no sense at all. A /19 IP address is just one IP address with 65536 different ports (different sets for TCP and UDP though) just like a /24 IP address is. The CIDR part (or netmask in the older way of expressing the same thing) only denotes what kind of subnet (maximum number of hosts in other words) is used in the directly connected network segment.

    For example, if you have a host on the LAN that uses UDP port 12345 for sending data and you use static port, pfSense would allocate UDP port 12345 on the WAN interface for the connection. Any other LAN host trying to use UDP 12345 with static port would collide with the first host, so no, it wouldn't work. The PF packet filter and address rewriting engine doesn't have an option to first allocate a source port dynamically but then keep it static for subsequent connections from the same LAN host, which would solve this problem nicely if it were available.
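The following is an added toy model (not code from this thread or from pfSense/PF) of the outbound NAT table the answers describe: with static port the WAN source port equals the LAN source port and a second LAN host using the same port collides, whereas with dynamic allocation each host gets its own WAN port and replies are mapped back through the table. The LAN and WAN addresses and the ephemeral port range are constructed values.

```python
"""Toy outbound NAT table: static port vs. dynamic source-port allocation."""
from dataclasses import dataclass, field

WAN_IP = "203.0.113.5"  # constructed WAN address (documentation range)


@dataclass
class NatTable:
    """Maps (lan_ip, lan_port) -> wan_port and back, like a NAT state table."""
    next_dynamic: int = 49152                      # start of a constructed ephemeral range
    out: dict = field(default_factory=dict)        # (lan_ip, lan_port) -> wan_port
    back: dict = field(default_factory=dict)       # wan_port -> (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, static_port=False):
        """Return the WAN source port the server will see, or None on a collision."""
        key = (lan_ip, lan_port)
        if key in self.out:                        # existing state: reuse the mapping
            return self.out[key]
        if static_port:
            # Static port: keep the LAN source port unchanged on the WAN side.
            if lan_port in self.back:              # another LAN host already owns it
                return None
            wan_port = lan_port
        else:
            # Dynamic: pick the next free WAN port, so two hosts never collide.
            while self.next_dynamic in self.back:
                self.next_dynamic += 1
            wan_port = self.next_dynamic
            self.next_dynamic += 1
        self.out[key] = wan_port
        self.back[wan_port] = key
        return wan_port

    def inbound(self, wan_port):
        """Server reply arrives at WAN_IP:wan_port; translate back to the LAN host."""
        return self.back.get(wan_port)


def demo(static_port):
    """Two LAN hosts both send from UDP 12345; returns (wan_port_a, wan_port_b, reply_a)."""
    nat = NatTable()
    a = nat.outbound("192.168.1.10", 12345, static_port)   # constructed LAN hosts
    b = nat.outbound("192.168.1.11", 12345, static_port)
    return a, b, nat.inbound(a) if a is not None else None
```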