pfSense multiple PCs, open NAT: a solution, and a grievance
-
@Rod-It said in pfSense multiple PCs, open NAT: a solution, and a grievance:
Have you seen the thread about 2.5?
https://forum.netgate.com/topic/154153/test-request-upnp-fix-for-multiple-consoles-playing-the-same-game-static-port-outbound-nat
Yeah, it looks promising.
The real problem with Pfsense is multiple xboxes playing the same game. I don't really understand why it is such a problem.
-
I will agree that i don't understand it either, but Pfsense is an enterprise grade firewall where this type of configuration would typically not be needed, consumer routers are aimed at this type of setup and generally aimed at flat networks.
Consumer routers cater for what a user at home may do and may have at home, such as consoles, an enterprise firewall is aimed at a different market and while this can be changed via code, plugs etc, you'll have to bear with it.
V3 also has an interesting setup
I hope you find a solution that is suitable until then
-
@redfox said in pfSense multiple PCs, open NAT: a solution, and a grievance:
At least you got yours to work.
I had pfsense up for like 2 days before I had to go back to an edgerouter. Currently trying Untangle, which works well for gaming, but has other issues.
I desperately want to get PFsense to work. It is a great product, if I had a small biz I wouldn't even consider anything else.
Very frustrating.
Are you still using Untangle? Ive been dealing with this issue with PFsense and OPNsense but recently tried Untangle but the other PC is still moderate. Are you able to open them for multiple PC's?
-
@redfox said in pfSense multiple PCs, open NAT: a solution, and a grievance:
The real problem with Pfsense is multiple xboxes playing the same game. I don't really understand why it is such a problem.
@thunderman said in pfSense multiple PCs, open NAT: a solution, and a grievance:
If check static NAT for the 2 Xbox One, it's appear open NAT in Xbox One interface but can't play together.
Seriously I see threads like these popping up every now and then and always ask myself what in <deity>'s name the big problem is. Perhaps I don't get it, perhaps I don't play games, that suffer from bad network design, perhaps I'm just lucky but I freakin' don't get it.
I have multiple PCs in the house. Playing together nicely. I have multiple consoles in the house from kids, wife and myself. We never ever had one gaming title we had problems connecting besides the bullshit-network-problem-release of Snowrunners on Consoles. That was a nice NAT-level fuckup on their side. But besides that? We played Division, Division 2, WoW, Destiny & Destiny 2, WD1 & 2, Minecraft, whatever floats your boat and never ever had problems playing that together. So perhaps it's the same old damn shooters with their BS-peer2peer networking, I don't know. But every title that seriously uses real servers/lobbies we never had a problem with.
-
I updated to 2.5.0 a few days ago, hoping the changes to UPnP would solve some of these issues. However, COD MW3 still won't work using UPnP. I guess it comes down to the way the game and perhaps the Demonware servers uses the ports, so port forwarding is still a must.
Playing with only one PC in the house, I can get along with just port forwarding 3074 to that PC. But for two PC's using MW3, the solution suggested in this thread (with remapping to 3075 for one PC) is the one that works for me.
However, I do have Default deny enabled for UPnP, with the gaming PCs listed as ACL entries.The PC having 3074 forwarded gets Open NAT, and the other one gets Moderate. I have tried adding a third PC using port 3076 in the same manner but that results in Strict NAT on that PC (which can be ok provided that player connects with others on Open NAT).
-
I'm running into this same issue currently, something odd I'm running into when trying this is that making the mapping, in Source type I only have ANY, FIREWALL, NETWORK, so picking network and putting in the ip address of the computer it just changes it to the full network address (example, it changes to 192.168.0.0 instead of my entered pc address of 192.168.0.9.
Anyone know why this would be? would love to get it working.
The only issue I've ran into this issue on is call of duty mw2, it really is odd no other games have this issue. Dang buggy game lol
-
You guys are doing it wrong.
It works. No issues wse.
-
@permachill Not sure exactly what you mean, but might it be so that you are trying to set a Port Forward rule for your PC (port 3074)?
You should select "Single host or alias", instead of network, which will let you input a single IP. -
@permachill A couple thoughts...since this is a 3 year old thread, since then there was a patch added to the System Patches package:
Add UPnP NAT Anchors to fix outbound NAT for multiple consoles. (Redmine #7727, Forum Thread)
That fix is already in 22.05 and will be in 2.7.
When adding an Outbound NAT "Single host" is not an option but you can choose Network and use a /32 mask. I have one using an alias with a /32 mask.
-
@steveits Thank you so much! This is exactly what I needed.
Fixed the issue right up, without any other entries I had.
-
@permachill welp, worked for a moment, then stopped again :( so frustrating
-
@permachill Could you be more specific, what exactly is not working now? Is it the game not getting Open NAT or something with the port mapping?
I have had a working setup for a long time, using static port 3074 as mentioned above (nearly 2 years ago). The issue for me has all the time been with COD MW3... To some extent also MW2 (2009 version) but as long as MW3 is "happy" = Open NAT, all other games have worked fine and I have not bothered to look any further.
With you raising the issue again, I decided to test the fix mentioned here by SteveITS:
System Patches package: Add UPnP NAT Anchors to fix outbound NAT for multiple consoles.
That fix is already in 22.05 and will be in 2.7.But, it didn't make a difference so I decided to move over to Plus (22.05)...
Made some initial tests with a clean install on VM "on the side" which didn't really work as I was stuck with double NAT. But then last night I finally got a window to switch over completely and I'm now running my house on 22.05...And now it seems like it's actually working as advertised...
One caveat though... Although reboot was clearly part of the process, all I did was to remove the 3074 port mapping and switch from Hybrid mode to Automatic. I also cleared the UPnP mappings and rebooted the Gaming PC, twice. But you never know with these things... perhaps a reboot of pfsense should be part of the process but that will have to wait.None of this worked before, even when I applied the patch (or thought I did)...
One clearly visible difference this time is that port 3074 for my PC is showing up under Status -> UPnP & NAT-PNP. That never happened before, with the same settings applied.
-
@gblenn Working ok for me at home too.
I also switched from the manual port forward/mapping method documented here in old threads and elsewhere on the internet to using UPnP with the UPnP patch (on 2.6.0) and it works great on both our Xboxes (including at the same time) as well as my PC.
The only thing non-default I've done is added allow ACL entries in UPnP so that only our two Xboxes and the one PC in the house set up for gaming are allowed to use UPnP, other devices especially internet of things cannot.
Allowing all devices on your network to make use of UPnP essentially turns your firewall into swiss cheese if any of these numerous devices gets compromised, so best to limit it to only those devices that absolutely need it.
By the way one thing that might be causing confusion and inconsistent results when people make changes to settings and then test it is state persistence in the pf firewall.
Unlike the majority of firewalls which apply rules immediately even to currently active connections (usually breaking them in the process when the rules are flushed) PFSense allows any existing states to continue to apply until they naturally terminate or time out.
This is good because it means you are not breaking all the active connections people are using every time you save a firewall rule change, but confusing in the sense that a change you make might not seem to apply for a while.
For example if you start a PC pinging a device that is blocked by a firewall rule and add a rule to allow it, it will start responding to pings immediately, however if you remove the rule and save the changes the ping will continue indefinitely... if you don't understand why this can be very confusing. (In this case if you stop pinging for 20 seconds the state times out and then it will no longer allow those pings through)
In Diagnostics -> States you can delete states related to a certain IP address or all IP addresses to immediately force them to be gone. If you're testing on a home network and there is nobody you're going to bother by doing so the nuclear option "Reset states" will remove ALL states and force everything to apply to the newly defined rules, and can be useful when testing changes like these without rebooting...
As well as the state persistence in pf, I've noticed Xboxes are a bit "slow" to figure out when the network has changed, especially in relation to UPnP or which ports have been forwarded. After making changes on PFSense and refreshing the states as necessary I would recommend going into the network settings on the XBox and forcing it to run through all the network tests, especially the one that tells you which network type you have. (Open etc)
This quickly "wakes it up" to the changes that have happened to its internet connectivity if you have changed UPnP settings etc.
-
@dbmandrake Good point wrt ACL, which I'm also using to limit UPnP to the few gaming PC's in the house.
I'm absolutely with you on the states issue here. One day things seem to work and the next they don't, which may be what @permachill is experiencing.
Really good point on filtering out the test PC (no Xbox in the house) rather than nuking everything, or worse, rebooting.. Not very popular with the rest of the family...
I just noticed something else...
First of all, starting MW3 and immediately clicking Play, brings me to the "Open NAT page" much quicker now (nearly instant vs minimum 6-7 seconds before).
Looking into states I find 4 listings for my PC. Two of which relate to port 3074 only (state:MULTIPLE:MULTIPLE).
And then there are two where port 3075 is involve, looking like this:
WAN udp 185.34.107.129:3075 -> 192.168.1.91:3074 (MYWANADDRESS:3074) NO_TRAFFIC:SINGLE
LAN udp 185.34.107.129:3075 -> 192.168.1.91:3074 SINGLE:NO_TRAFFICIf I keep hitting the filter button I see packets increasing for the two first one's, and these two disappear after a minute or so. Never looked at this before so I can't tell if there is a difference from earlier. I'm guessing there is something related to 3075 which I never had mapped. Possibly it's part of the setup process which now goes much faster...
-
Well what's not working was being able to have 2 people open the game at the same time, the second person gets a network error that they can't connect to mw2 servers.
But I decided to switch to the 2.7.0-DEVELOPMENT of pfsense as I believe this fix is built into that version, after switching and rebooting it seems to be working again as in both computers can connect and play, just 1 user gets a strict nat, but hey at least it works.
-
@permachill said in pfSense multiple PCs, open NAT: a solution, and a grievance:
Well what's not working was being able to have 2 people open the game at the same time, the second person gets a network error that they can't connect to mw2 servers.
Weird. Haven't tried that game but we have had two Xboxes joining the same Roblox server instance and playing together without problems since configuring UPnP with the patch...
-
@dbmandrake said in pfSense multiple PCs, open NAT: a solution, and a grievance:
@permachill said in pfSense multiple PCs, open NAT: a solution, and a grievance:
Well what's not working was being able to have 2 people open the game at the same time, the second person gets a network error that they can't connect to mw2 servers.
Weird. Haven't tried that game but we have had two Xboxes joining the same Roblox server instance and playing together without problems since configuring UPnP with the patch...
That is wierd...
@permachill, which version of MW2 are you referring to?The 2009 version doesn't use port 3074. Testing just now, I see ports 28960-28962 showing up as external ports and 28960 as internal (remapping as it seems?)
The 2022 version is asking for port 3074 and perhaps 3075 etc if that is not available. Interestingly it seems to ask for the port being closed when you leave the game, as 3074 disappears from the list immediately.