[SOLVED] Public IPs - Ports Available?
Hi all, please excuse if this is posted in the wrong area as I am not sure if this is a routing or firewall or port forwarding issue... or just possibly how it should work anyway. I'm an IT professional but networking is definitely not my forte... I know enough to be dangerous.
I have a static IP from my ISP x.x.x.80/30 which is split out for the private LAN and also a routed public block x.x.x.104/29 on a separate interface, pretty much the same as posted here https://docs.netgate.com/pfsense/en/latest/book/routing/routing-public-ip-addresses.html except I've allowed all traffic out on the public interface, unlike the guide which limits some traffic.
The sole reason for doing this was to put one of the PS4s in the household on a public IP so as to avoid any NAT, which has worked for the most part except that one PS4 has moderate NAT. Initially I only had UPnP enabled for the LAN but I enabled it for the PS4 on the public IP and I noticed that the PS4 which has moderate NAT has port 3074 remapped to another port. If I change which PS4 I power on first... it's always the secondary PS4, the one that has port 3074 remapped, that has moderate NAT.
I thought that by giving the PS4 a public IP and disabling NAT it would have the full port range 1-65535 available to it from the WAN, but that doesn't look to be the case. Does anyone know if this is expected and if there is a way around it so port 3074 can be statically mapped for both?
I think maybe what you're looking for is 1:1 NAT? Where a secondary public IP is NATted to a private IP. https://docs.netgate.com/pfsense/en/latest/book/nat/1-1-nat.html
That way the PS4 would keep a private IP on the LAN, and the WAN only needs one public IP subnet. Or at least, that's another way to do it with one less subnet.
In your picture the public ports are 3186 and 3074 so since they are going to different IPs (devices) the internal port being the same doesn't matter.
Do you have firewall rules allowing traffic from * (world) to the public IP on the PS4?
Thanks teamits, I'll have a look into the 1:1 NAT, which sounds like I'll need to set up another private subnet just like the LAN.
The 3074 port remapping to 3186 is the problem because that is what gives it moderate NAT within the games. It's like it's seeing that 3074 is already mapped so assigns it to 3186, but since it has its own public IP I thought it wouldn't need to re-map it. I know in the picture the device with the private IP has the 3074 port remapped, but it's the opposite if the other PS4 is powered on first.
1:1 doesn't need a separate subnet unless you're trying to keep that PS4 isolated from other LAN devices. It basically says "external IP 22.214.171.124 gets forwarded to 192.168.1.2" or whatever. I would probably set up firewall rules to allow only port 3074 though.
I disable UPnP everywhere so can't really help much, but it sounds like it is mixing the two as you describe.
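To make the two cases discussed above concrete, here is a small Python model, added as an illustration for this thread and not pfSense code or anything posted by its participants. It shows how a single shared WAN address can only hand external port 3074 to one internal host (the second requester is remapped, which is what the consoles report as moderate NAT), how 1:1 NAT gives each host its own public address so both keep 3074, and a first-match WAN rule check contrasting an allow-all rule with the single-port rule suggested in the reply. The addresses (203.0.113.x and 192.168.1.x), the names `NatTable`, `wan_allows`, `Rule` and `Mapping`, and the port+1 remap are all constructed assumptions; a real UPnP daemon picks some other free port (the thread saw 3186).

```python
"""Toy model of port mapping behind one WAN IP versus 1:1 NAT, plus a
first-match WAN rule check. Added illustration; not pfSense code.
All addresses are constructed (TEST-NET-3 and RFC 1918)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Mapping:
    public_ip: str
    public_port: int
    private_ip: str
    private_port: int

    @property
    def is_open(self) -> bool:
        # A console only gets the "open" result when the port it asked
        # for is the port the outside world actually reaches it on.
        return self.public_port == self.private_port


class NatTable:
    """Tracks which (public_ip, public_port) pairs are already claimed."""

    def __init__(self, shared_wan_ip: str):
        self.shared_wan_ip = shared_wan_ip
        self.one_to_one: dict[str, str] = {}          # private_ip -> public_ip
        self.claimed: dict[tuple[str, int], Mapping] = {}

    def add_one_to_one(self, public_ip: str, private_ip: str) -> None:
        # 1:1 NAT: the whole public address belongs to one private host.
        self.one_to_one[private_ip] = public_ip

    def request_port(self, private_ip: str, port: int) -> Mapping:
        # Emulates a UPnP request: "make my port reachable from outside".
        public_ip = self.one_to_one.get(private_ip, self.shared_wan_ip)
        external = port
        while (public_ip, external) in self.claimed:
            # Port already taken on that public IP by another host: remap.
            # Simplification: real daemons pick from a pool, not port+1.
            external += 1
        m = Mapping(public_ip, external, private_ip, port)
        self.claimed[(public_ip, external)] = m
        return m


@dataclass(frozen=True)
class Rule:
    action: str               # "pass" or "block"
    dst_ip: str               # specific address or "*" for any
    dst_port: Optional[int]   # None means any port


def wan_allows(rules: list[Rule], dst_ip: str, dst_port: int) -> bool:
    """First-match evaluation with implicit default deny, like a WAN ruleset."""
    for r in rules:
        if r.dst_ip in ("*", dst_ip) and r.dst_port in (None, dst_port):
            return r.action == "pass"
    return False


# Constructed addresses: one shared WAN IP, two routed public IPs, two consoles.
WAN_IP = "203.0.113.80"
PUBLIC_BLOCK = ["203.0.113.105", "203.0.113.106"]
PS4_A, PS4_B = "192.168.1.10", "192.168.1.11"
GAME_PORT = 3074


def scenario_shared_wan() -> tuple[Mapping, Mapping]:
    """Both consoles behind the one WAN IP ask for 3074; second one is remapped."""
    nat = NatTable(WAN_IP)
    return nat.request_port(PS4_A, GAME_PORT), nat.request_port(PS4_B, GAME_PORT)


def scenario_one_to_one() -> tuple[Mapping, Mapping]:
    """Each console owns a public IP via 1:1 NAT; both keep 3074."""
    nat = NatTable(WAN_IP)
    nat.add_one_to_one(PUBLIC_BLOCK[0], PS4_A)
    nat.add_one_to_one(PUBLIC_BLOCK[1], PS4_B)
    return nat.request_port(PS4_A, GAME_PORT), nat.request_port(PS4_B, GAME_PORT)


# The rule the thread ends up with versus the narrower one suggested in reply.
ALLOW_ALL = [Rule("pass", "*", None)]
ALLOW_GAME_ONLY = [Rule("pass", PUBLIC_BLOCK[0], GAME_PORT)]

if __name__ == "__main__":
    for name, fn in (("shared WAN", scenario_shared_wan), ("1:1 NAT", scenario_one_to_one)):
        for m in fn():
            print(f"{name}: {m.private_ip}:{m.private_port} -> "
                  f"{m.public_ip}:{m.public_port} open={m.is_open}")
    for port in (GAME_PORT, 22):
        print(f"port {port}: allow-all={wan_allows(ALLOW_ALL, PUBLIC_BLOCK[0], port)} "
              f"game-only={wan_allows(ALLOW_GAME_ONLY, PUBLIC_BLOCK[0], port)}")
```

The point of the rule comparison is the one raised in the reply: with 1:1 NAT the whole public address is exposed, so a pass-any rule on the WAN opens every port on the console (which is why ShieldsUp reports them as closed rather than stealth), while a rule limited to 3074 keeps the same game behaviour with a much smaller exposed surface.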
OK so I added one of the public IPs as a Virtual IP and did 1:1 NAT to one of the PS4s, which worked as expected: the PS4 has a private IP and checking its external IP shows the public IP. I only managed to test quickly (very awkward to test all the way through as it involves joining lobbies within the game on both PS4s) but it showed NAT Type 2 when I did the quick test so I assume it will still be moderate.
I need to do some further testing and make sure what I've implemented is correct and I've removed anything that isn't needed, but I will be coming back to this thread until completion.
Thanks again for your time teamits (won't misspell your name again either :) )
All sorted now thanks teamits :)
I've now set each PS to have a public IP with 1:1 NAT for each virtual IP and allowed all traffic from the WAN to each PS as per below:
Tested this worked by visiting ShieldsUp from the PS and all ports are showing closed instead of stealth... as expected, and it shows the public IP expected from the 1:1 NAT.
No matter what I did, if one PS had one of the public IPs and the other was just normally NAT'd then one PS would always have moderate NAT. They seem happy to both have a public IP so I'll go with that, and I'll look to disable the allow-all rule later this evening when gaming has ceased to see if it makes a difference :)
Thanks again for your time teamits, owe you a glass/jar/mug of a beverage of your choice.
What’s a “teamits”?
I suppose I could have called him Steve :)