Netgate Discussion Forum

    UDP Hole Punching

    Firewalling
    9 Posts 3 Posters 1.7k Views
    mobydick426 (last edited by mobydick426)

      Hi all,

      (I'm using the latest version of pfSense)

      I have a private server with a 1:1 NAT, but without any incoming rules enabled in pfSense.

      To access this private server from any remote computer, there is a client which can connect using port 443 or UDP hole punching.

      During our tests, we realized that connections are successful without any rules enabled/created because of UDP hole punching.

      Can you help me understand why this is possible?

      I thought that rules are in front of any traffic between external computers/servers and our private servers.

      But it seems that some traffic is possible even when no rules are defined!

      How can I force UDP hole punching to work only if a specific UDP rule is created?

      Thanks for your help/explanation

      Regards,

      kiokoman LAYER 8 (last edited by kiokoman)

        @mobydick426 said in UDP Hole Punching:

        During our tests, we realized that connections are successful without any rules enabled/created

        pfSense is a stateful firewall, which means it remembers information about connections flowing through the firewall; the data is retained in the State Table.
        Resetting the state table is the only way to make sure all connections respect the new ruleset.
        Did you kill/reset the state table after editing the rules?

        https://docs.netgate.com/pfsense/en/latest/firewall/fundamentals.html#stateful-filtering
        https://docs.netgate.com/pfsense/en/latest/monitoring/status/firewall-states-reset.html#reset-state-table-source-tracking-table

        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
        Please do not use chat/PM to ask for help
        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

        Gertjan (last edited by)
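        To make the stateful-filtering point above concrete, here is an added toy model (not pfSense code, and not from anyone in this thread) of a pf-style state table. It shows why a UDP hole punch succeeds with no WAN pass rule: the private server's own outbound packet creates a state, and the peer's inbound packet is matched against that state before the ruleset is ever consulted. The addresses are constructed (RFC 5737 ranges); the ports are the ones from kiokoman's log below; the 1:1 address translation itself is left out, since it does not change the state logic.

```python
from dataclasses import dataclass

# Constructed addresses for this example only; not the thread's hosts.
PRIVATE_SERVER = "10.0.0.10"     # host behind the 1:1 NAT
PEER = "198.51.100.7"            # remote peer / rendezvous host


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    iface: str   # "LAN" = leaving the private server, "WAN" = arriving from outside


class StatefulFirewall:
    """Toy model of pf-style stateful filtering: a packet that matches an
    existing state passes without consulting the rules at all."""

    def __init__(self, lan_outbound_allowed, wan_pass_rules):
        self.lan_outbound_allowed = lan_outbound_allowed  # default LAN "allow any" rule
        self.wan_pass_rules = set(wan_pass_rules)         # (proto, dport) pass rules on WAN
        self.states = set()                               # 5-tuples of flows seen

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.states or reverse in self.states:
            return "pass (state)"          # reply direction of a known flow
        if pkt.iface == "LAN":
            if self.lan_outbound_allowed:
                self.states.add(key)       # outbound pass rule creates the state
                return "pass (rule, state created)"
            return "block"
        if (pkt.proto, pkt.dport) in self.wan_pass_rules:
            self.states.add(key)
            return "pass (rule, state created)"
        return "block"                     # unsolicited inbound, like the log entries


def hole_punch(fw):
    """Private server sends first; peer answers to the same port pair."""
    out = Packet("UDP", PRIVATE_SERVER, 48570, PEER, 36738, "LAN")
    back = Packet("UDP", PEER, 36738, PRIVATE_SERVER, 48570, "WAN")
    return fw.filter(out), fw.filter(back)


if __name__ == "__main__":
    print(hole_punch(StatefulFirewall(True, [])))    # no WAN rule, still passes
    print(hole_punch(StatefulFirewall(False, [])))   # no outbound state, blocked
```

        With the default LAN allow-all rule the inbound packet rides on the outbound state; restricting outbound UDP on LAN (or only passing it with a specific rule) is what makes the punch depend on a rule, which is the behaviour the original question asks for.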

          @kiokoman: even when they are not

          @mobydick426 said in UDP Hole Punching:

          created

          Not created means to me: no states could exist.
          Or maybe a (now gone) WAN firewall rule was hiding another WAN firewall rule - they overlapped?

          1:1 NAT: looks scary to me. Everything is NATted to a device, but WAN firewall rules still apply?
          A couple of classic NAT rules look better to me.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            mobydick426 @kiokoman (last edited by)

            @kiokoman: thanks for your reply. The tests were made some months ago. But the rules were disabled (or deleted) and the firewall has been restarted many times for different reasons.
            So I don't think that any states are or were available on pfSense.

              mobydick426 @Gertjan (last edited by)

              @Gertjan: thanks for your reply. We use 1:1 NAT on many firewalls and servers without any problem. What do you mean by "looks scary for me"?
              Your question is interesting, but no, no other existing rules can explain this.
              We use 1:1 so as not to have identical rules for many servers (no global rules).

                kiokoman LAYER 8 (last edited by)

                Even with 1:1 NAT you need firewall rules to permit traffic; you only need to be more careful with the rules. But other than that there shouldn't be any problems.


                  Gertjan @mobydick426 (last edited by)

                  @mobydick426 said in UDP Hole Punching:

                  What do you mean by "looks scary for me"?

                  You're right to ask for clarification.
                  I never used 1:1 NAT. That's all.


                    mobydick426 @kiokoman (last edited by)

                    @kiokoman Thanks for your reply, and sorry for my late reply.

                    That's the reason for this topic.

                    We never had any allow rules, only 1:1 NAT defined.

                    And we have noted that traffic was accepted by pfSense!!

                    So why, and how do I impose rules on all traffic?

                    Regards,

                      kiokoman LAYER 8 @mobydick426 (last edited by kiokoman)

                      @mobydick426
                      Uhm, I've made some tests and nothing is passing without a firewall rule.
                      The TCP client is blocked, UDP also:

                      Dec 7 15:23:17	WAN	USER_RULE (1559836757)	  93.36.17.251:36738	  217.133.xx.xxx:48570	UDP
                      Dec 7 15:23:14	WAN	USER_RULE (1559836757)	  93.xx.xx.251:36738	  217.133.xx.xxx:48570	UDP
                      Dec 7 15:23:02	WAN	USER_RULE (1559836757)	  93.xx.xx.251:36738	  217.133.xx.xxx:48570	UDP
                      Dec 7 15:14:31	WAN	USER_RULE (1559836757)	  93.xx.xx.251:36228	  217.133.xx.xxx:48569	TCP:S
                      Dec 7 15:14:28	WAN	USER_RULE (1559836757)	  93.xx.xx.251:36162	  217.133.xx.xxx:48569	TCP:S
                      



                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.