Windows Defender and pfSense
This post is deleted!
@nthly Keep both. They are complementary.
On the other hand, not understanding the functionality of an enterprise grade firewall and using it is certainly a security problem.
@netblues True that. Sadly somewhere i may wish to start. Cost is a factor too. Thanks for the advice though.
So, here is a good start
@netblues Thx, I've read the portion about port forwarding, and followed it. No luck, the NAT type stays strict. I assigned a static IP to my desktop as well. Yet NAT is still strict.
Would any solution other than pfSense be more suitable to start learning the how-to?
@nthly Sorry, you can't just read nat and jump over everything else. Start from the start.
Cutting corners won't cut it.
And what exactly is strict nat? Work on the terminology to begin with.
According to https://www.cainetworks.com/support/how-to-NAT-strict-open.html, Microsoft defined three categories of NAT: open, moderate, and strict. Devices that perform strict or moderate NAT can limit the ability of gamers to find each other, participate in multiplayer sessions, or hear each other on Xbox Live.
Thx again for the suggestion.
Essentially, i believe, being behind a firewall would determine whether an NAT is of each given type. Generally the solution to it is port forwarding.
Similarly some wireless routers may determine the status of NAT type as per the above definition to be of a determined type up to until the port forwarding as modified.
I am also using an Xbox, and the only solution i could find is to dedicate an Ethernet card over a DMZ network, disabled all firewall rules, at which point the NAT type is open.
I donot wish to do so with my PC.
Grimson last edited by
https://www.netgate.com/docs/pfsense/nat/port-forward-troubleshooting.html port forwarding issues are usually PEBCAK, so follow the guide carefully and you will find where the problem is located and/or what you did wrong.
Thank you. I will read and follow the guide as much as am capable of. Sometimes i find myself completely out of my element. Perhaps netblues has a point. I may be trying to use a too complicated of a software given my knowledge. LOL
KOM last edited by
Not sure what the actual problem is. Windows Defender has nothing to do with NAT. Updates come via Windows Update which works perfectly with pfSense out of the box.
Grimson last edited by
You do have Internet access, so you can research and learn anything you need to know. It's quite simple, if you want to do something right you need to put work into it.
And if only Microsoft would NOT come up with network definitions of its own..
In any case you haven't described any problem, so essentially there is no solution.
@grimson I agree.
LOL, Each one has their own definition, unfortunately.
I assume you are not a gamer, but correct me if i'm wrong.
As i understand it, the problem comes in while trying to match make for online gaming session. Being the NAT type strict or moderate prevents successful matchmaking, preventing party with friends, and considerably extending the time it may take to successfully ending in a match.
@kom The issue is that having a strict NAT Type according to the above definition can prevent (and or severely limit) joining online multiplayer gaming sessions.
netblues last edited by netblues
Start with the fact that windows defender has nothing to do with windows firewall features.
You need to research what ports are needed.
the following are the ports used by the game.
TCP: 3074, 27014-27050
UDP: 3478, 4379-4380, 27000-27031, 27036
I similarly created rules for the other ports, accordingly to the protocol type, however the NAT type is displayed as strict.
TCP: 3074, 27014-27050
UDP: 3478, 4379-4380, 27000-27031, 27036
And is there anything in front of pfsense? Does pfsense have public IP on its wan? Did you validate that all those ports actually get to pfsense.. Simple enough to do from out on the internet create traffic on those ports... Do they hit pfsense, do they get forwarded to where pfsense was told to send them.. If so then any issues your having has nothing to do with pfsense.
Here is one thing I know for SURE... The documentation given by game makers for what ports are required for their games is very LACKING to put it nicely.. They almost never clearly state what ports are need to be allowed outbound and what are needed to be forwarded. I see for example 53 and 80 stated all the time.. You sure and the F are not going to be forwarding 53 inbound to your PC or console.. And 80 inbound is blocked by many a ISP so good luck getting your game to work if that is needed inbound..
Does your NAT come up OK if you enable UPnP? If so look to see what ports are being opened..
Part of the problems with many of these games is they need the source to match the dest port. So for example in your 3074 example the game might create a connection to 3074 outbound, from source port 3074... Out of the box pfsense when it does outbound nat will change that source port to something esle.. That is how NAPT works... Unless you tell pfsense to do its outbound nat static.. And not change that source port..
This is where the game makers really need to step up their game on documentation of how their games actually function through a firewall..
Allowing UPnP to be used - should show you what the game is wanting to do.. So you can do it with manual forwarding. And manipulation of your outbound nats (if needed).
@ johnpoz. I do not believe being anything wrong with pfSense. I am just unable to understand what am i doing wrong.
I see, I believe you have a good point. Game makers are all secretive, sloppy maybe? About what the requirements are. Nothing is really documented. I believe the assumption is, "You Wire your PC to the Modem. Period".
While that may be useful for gaming, it may be kinda problematic for everything else. But again the former is certainly a possibility.
I'm now asking myself, should i buy a switch and plug in my PC into om DMZ dedicated Ethernet card and plug it back to my switch every time i want to play, ir can i do something else that may allow my pc to move to an un-firewalled ares for the time i wish to play?
I can almost promise you some of those ports need to use specific source port.. Which NAPT breaks by its very nature..
Takes all of 2 minutes to enable UPnP validate your game gives the correct NAT you want, and then look to see what ports and if static or not were opened.. Then create those in port forwards and outbound nat configurations.
KOM last edited by
@nthly Yes, but what does that have to do with Windows Defender and pfSense, the title of this post??? Granted I can't really tell what the original post was about due to it being deleted.
my bad, here is the copy of it.
Nthly about 2 hours ago
i am running pfSense before my desktop which runs windows 10. Windows 10 has defender that does some fire-walling. My question is, what should I do with Defender, keep it, disable it, or customize either pfSense or Defender so not to run into issues, and what issues may i expect from this combo?"
Thank you. I will try to see if i can do as you described.
Nothing in front of pfSense, it is running and i use some of my devices with it, including Xbox over a dedicated NIC and LANDMZ with UPnP enabled and firewall disabled completely. That is the only way i was able to have an open NAT with it.
The rest is a bit hard for me as first i have to become familiar on a few things, before being able to understand how to do it. The ISP said they are not filtering any ports.
I did it, I now have an open NAT.
What i did is the following.
Assign a static Mapping to the PC. (I had already done this). Added static ports.
Firewall > Aliases > Create an Alias for my gaming pc.
Firewall > NAT > Outbound > add PC there > add pc to ACL.
Port Forwarding was already created for the specific game.
Tested the game and it has now open NAT.
I thank everyone for pointing me in the right direction. I have another question. Is what i have done correct or would it expose me to some atrocious threats?
You did what? You set everything from that PC to be static outbound? Yeah that is NOT the right way to do it.. Unless that PC is the only device on your network behind the napt..
What I said to do was look to see which ports the game used that were static, and then set those up as static outbound.. Not EVERY connection from the PC..
Your going to run into issues with such a setup.. What happens when device A used port X as source.. And then your PC wants to use X as source as well.. Now what happens? The more devices you have the more sessions they create the more likely you going to conflict with the source ports the PC wants to use.
You need to find the ports the game uses that require static source ports. Not set every port your pc ever uses on every connection as static.
i may have to do some more digging then.
Sadly, I believe my whole setup is well, how to put it, just ... meh.
Does anyone know of a good and easy book that would help me with the basic of networking so that i may be better equipped (and use it as a reference) to better follow advice on this forum and/or the available manual?
Have you read the pfsense book?
Linked too in my sig..
Or you looking for something more basic to tcp?
I am reading the pfSense book here and there, meaning as needed. Yeah, i definitely need something more basic, to fill in some knowledge the pfSense book assumes.
Have you checked out
@johnpoz Thank you very much. I will work a bit with it. Whenever i need to lknow what the pfSense book is talking about i can fall back on the TCP/IP guide.
What does it mean to validate my game? How can i do so? Where do i look for what ports are open and if static or not?
When you enable UPnP - you can look in the interface of UPnP and see what ports got opened and if static or not, etc.
I reversed the modifications i previously had done.
I restored pfSense to a previous configuration.
I enabled UPnP on my LAN as well. Nothing shows up under StatusUPnP & NAT-PMP. It is completely empty.
As far as firewall logs go, nothing from my PC tries to connect to any of the ports listed by the game provider. Yet i keep having that strict NAT.
in the states all i can see is this:
LAN udp .192.168.xxx.xxx:3074 -> 184.108.40.206:3074 MULTIPLE:MULTIPLE 117 / 2 6 KiB / 86 B
LAN tcp .192.168.xxx.xxx:65145 -> 220.127.116.11:3074 ESTABLISHED:ESTABLISHED 296 / 287 63 KiB / 151 KiB
LAN tcp .192.168.xxx.xxx:49240 -> 18.104.22.168:3074 CLOSED:SYN_SENT 2 / 0 104 B / 0 B
LAN tcp .192.168.xxx.xxx:49241 -> 22.214.171.124:3074 CLOSED:SYN_SENT 3 / 0 156 B / 0 B
LAN tcp .192.168.xxx.xxx:49242 -> 126.96.36.199:3074 CLOSED:SYN_SENT 1 / 0 52 B / 0 B
LAN tcp .192.168.xxx.xxx:49244 -> 188.8.131.52:3074 CLOSED:SYN_SENT 3 / 0 156 B / 0 B
LAN udp .192.168.xxx.xxx:3074 -> 184.108.40.206:30380 MULTIPLE:MULTIPLE 46 / 43 6 KiB / 32 KiB
Is this the right way to do what I am trying to do?
Is the person in the video showing "the right way"?
States can show you sure.. But just look in the UPnP interface.. It shows you what was requested and what was opened.
@johnpoz When I start the game on my pc nothing happens there with UPnP enabled. On the other hand it does show activity from my xbox.
What do you think of this method instead? is from the video i linked.
- Status > DHCP Leases > add a Static Mapping for the gaming platform(s)
- In static mapping fill in Client Identifier, give an IP address, Hostname, and Description > Save > Apply Changes.
- Repeat steps 1 and 2 above for each gaming platform, if needed.
- Firewall > Aliases > Add . Fill in the fields Name, Description, IP or FQDN and the description field next to it. If needed add mutiple Hosts, based on how many Gaming Platforms are needed. > Save > Apply Changes.
- Firewall > NAT > Outbound > Select Hybrid Outbound Mode > Save > Apply.
- in Firewall > NAT > Outbound, add a New Mapping. Interface: WAN, Protocol: Any, Source: Network for the Outbound Mapping: type in your Alias. and select 32 after the forward slash, "/". Scroll down to the section titled Translation and check Static Ports. In the bottom section named Misc, add a description. > Save > Apply.
Services > UpnP > check Enable UPnP & NAT-PNP > check Allow UPnP Port Mapping > check Allow NAT-PNP Poirt Mapping. Keep External Interfaces selection to WAN. Interfaces: slect the interface(s) used by your gaming platform(s). Check Default Deny at the bottom of the settings section.
make an ACL entry with the following format. allow 53-65535 "your gaming console Ip"/32 53-65535. Add other entries if needed. Save.
For Multiple gaming platforms NAT Reflection is needed. To Enable NAT Reflection do the following.
- System > Advanced > Firewall & NAT > Scroll down to Network Address Translation section > set Network Default Mode for Port Forwards to Pure NAT. > check Enable Automatic Outbound NAT for Reflection. > Save.
- Reboot your gaming Platforms.
- Diagnostics > States > Reset States > check Reset the Firewall States Table > click Reset.
What if at step 8, "make an ACL entry with the following format. allow 53-65535 "your gaming console Ip"/32 53-65535. Add other entries if needed. Save." instead of opening all those ports i would only open 3074 for instance, but just tailored to the ports specified by the game provider. Would that help. I guess i would still need Reflection with multiple gaming platforms. Am I correct?
Would using IPV6 help solve the issue?