Allowing additional UDP ports after initial connection
I have an SG-2440 in front of a gaming server running a program called Parsec (https://www.parsec.tv). Basically this software should allow a connection between a client and server to stream games. I am trying to connect to the server from a remote network.
The issue I'm running into is that there are additional UDP port requests made after the initial connection, and they get blocked by the firewall since there is no explicit rule to allow them.
I have a NAT rule that looks like this:
(Interface / Protocol / Source address / Source ports / Dest. address / Dest. ports / NAT IP / NAT ports / Description)
WAN / UDP / * / * / WAN address / 8000 - 8005 / <game server> / 8000 - 8005 / Parsec UDP 8000-8005
According to Parsec support, this is all that's needed to get the connection between the two machines going. When I initiate the connection though, it fails at the last step. I checked my firewall logs and noticed the following:
Jun 16 15:21:12 WAN <client WAN>:63383 <server WAN>:33836 UDP
Jun 16 15:21:12 WAN <client WAN>:63384 <server WAN>:54692 UDP
Jun 16 15:21:12 WAN <client WAN>:63382 <server WAN>:16519 UDP
Jun 16 15:21:12 WAN <client WAN>:63381 <server WAN>:29189 UDP
Jun 16 15:21:12 WAN 54.211.104.40:41284 <server WAN>:8632 UDP
Jun 16 15:21:12 WAN 54.211.104.40:41284 <server WAN>:2906 UDP
Jun 16 15:21:12 WAN 54.211.104.40:41284 <server WAN>:16864 UDP
I checked the block reason, and they're all getting caught by the "Default deny rule IPv4." Additionally, every time I attempt the connection and check the logs, a different set of random ports is used.
I know that I need to create a rule to allow these connections, but I'm unsure of a few things:
- I think I need to allow a range of ports, but how? They are randomized and seem to go from UDP 2900-55000. Should I just allow UDP 1024-65535?
- If I end up needing to allow that range, what sort of security compromises am I making?
I've also tried using only UPnP, and while I am able to see the server successfully map its ports on startup, the actual connection is still blocked by the firewall's default deny IPv4 rule.
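As an added example (not part of the original post, and not Parsec's or pfSense's own code), the following Python script parses filter log lines of the shape quoted above and summarises, per source address, how many blocked UDP hits there were, the spread of destination ports, how many fall outside the explicit 8000-8005 forward, and which destination ports a proposed rule range would still leave uncovered. The sample log lines are constructed; the client and server WAN addresses are stand-ins from the RFC 5737 documentation ranges, and the regex assumes the exact field order shown in the post.

```python
import re
from collections import defaultdict

# Field order assumed from the log excerpt in the post:
# "<Mon> <day> <HH:MM:SS> <iface> <src>:<sport> <dst>:<dport> <proto>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<iface>\S+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>\S+)$"
)

# Constructed sample: 203.0.113.10 stands in for the client WAN address,
# 198.51.100.20 for the server WAN address (both RFC 5737 documentation space).
SAMPLE_LOG = """\
Jun 16 15:21:12 WAN 203.0.113.10:63383 198.51.100.20:33836 UDP
Jun 16 15:21:12 WAN 203.0.113.10:63384 198.51.100.20:54692 UDP
Jun 16 15:21:12 WAN 203.0.113.10:63382 198.51.100.20:16519 UDP
Jun 16 15:21:12 WAN 203.0.113.10:63381 198.51.100.20:29189 UDP
Jun 16 15:21:12 WAN 54.211.104.40:41284 198.51.100.20:8632 UDP
Jun 16 15:21:12 WAN 54.211.104.40:41284 198.51.100.20:2906 UDP
Jun 16 15:21:12 WAN 54.211.104.40:41284 198.51.100.20:16864 UDP
"""

# The explicit port forward from the post.
ALLOWED_RANGE = (8000, 8005)


def parse_log(text):
    """Parse matching lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["sport"] = int(e["sport"])
        e["dport"] = int(e["dport"])
        entries.append(e)
    return entries


def summarize_blocked(entries, proto="UDP", allowed=ALLOWED_RANGE):
    """Per source address: hit count, destination-port spread, hits outside
    the allowed range, and whether the source port stayed fixed (a hint that
    one remote socket is probing several destination ports)."""
    by_src = defaultdict(list)
    for e in entries:
        if e["proto"] == proto:
            by_src[e["src"]].append(e)
    lo, hi = allowed
    summary = {}
    for src, es in by_src.items():
        dports = [e["dport"] for e in es]
        summary[src] = {
            "count": len(es),
            "dport_min": min(dports),
            "dport_max": max(dports),
            "outside_allowed": sum(1 for p in dports if not lo <= p <= hi),
            "fixed_source_port": len({e["sport"] for e in es}) == 1,
        }
    return summary


def ports_not_covered(entries, proposed_range):
    """Sorted destination ports that a proposed allow rule would still block.
    Useful for seeing how wide a rule has to be before every logged hit passes."""
    lo, hi = proposed_range
    return sorted({e["dport"] for e in entries if not lo <= e["dport"] <= hi})


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for src, s in summarize_blocked(entries).items():
        print(f"{src}: {s['count']} blocked UDP hits, dst ports "
              f"{s['dport_min']}-{s['dport_max']}, "
              f"{s['outside_allowed']} outside {ALLOWED_RANGE}, "
              f"fixed source port: {s['fixed_source_port']}")
    print("still blocked by 8000-8005:", ports_not_covered(entries, (8000, 8005)))
    print("still blocked by 1024-65535:", ports_not_covered(entries, (1024, 65535)))
```

Running it over the sample shows why the 8000-8005 forward alone does not cover the session: every logged hit lands outside it, and only a rule spanning most of the high port range leaves nothing blocked. The spread reported per source is the number to weigh against the second question in the post: the wider the range a rule opens to any source, the larger the set of listening UDP services on the server that become reachable from the Internet, so the range should be pinned to the narrowest span the application actually uses and, where possible, restricted by source address.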