Firewall rules, NAT and other stuff that escapes me
-
I am not a networking guy. I never was, I wanted to, but it will never happen. So basically, speak idiot to me.
I set up pfSense on a virtualized home server with much trial and error and outside help about two years ago, and every single time I need to change something, I basically have to figure everything out from scratch again, because I simply forgot everything I knew.
This time around I will make some basic notes to make the process easier though.
ANYWAY.
After spending two days dealing with a coop mode in a game not working properly, I realized I had no idea what the difference between the various options under the Firewall tab was. I need some very basic explanation of what to use when. I have managed to learn that port forwarding really is incoming traffic, and outbound is obviously outgoing. BUT what's up with the WAN rules? What is that good for and how do I use it?
It gets even worse when I get into specifics. The port I use for qbittorrent won't appear open until I add a port forward and a WAN rule BOTH, whereas the game I mentioned works fine with a port forward and an outbound rule.
If I understand correctly, pfSense allows all outgoing traffic by default, so why is it that coop in the game in question doesn't work unless I add rules to the outbound section? (The game complained about NAT being either symmetrical or strict, whatever that means.) I thought the point of the WAN rules was to add rules for traffic on non-standard ports, otherwise the relevant programs wouldn't work, but that's not the case it seems: the game I mentioned uses some TCP/UDP ports somewhere in the 10000 and 40000 range for coop purposes, and all it took was rules in the outbound section (primarily, to get rid of the NAT error message) and the port forwarding section without the need for WAN rules, so what the heck is going on here?
So the TL;DR question is: what's the relationship between WAN rules and the other two options, and how do I use them? Especially the WAN rules.
-
@octopuss Some of those games are special cases because they want you to be a server, but don't tell you exactly what the requirements are. And it can get really messy if there is more than one device in your space playing the same game at the same time.
Portforwards by default create a corresponding WAN-rule (see Filter rule association), so this shouldn't be much of a problem in general. Again, those pesky games are special.
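The two points raised in this thread so far (a port forward needs a matching WAN pass rule, which pfSense adds for you through "Filter rule association", and a game reporting strict/symmetric NAT until outbound NAT is adjusted) are easy to see in a small model. The Python below is an added example, not code from pfSense or from anyone in this thread; it is a simplified model of the packet path, with constructed addresses, ports and rule names (the qbittorrent port 6881, the LAN host 192.168.1.50 and the WAN address 203.0.113.7 are all made-up sample values).

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample values for the model; nothing here is pfSense's own code.
LAN_IP = "192.168.1.50"   # the PC running the game / qbittorrent
WAN_IP = "203.0.113.7"    # the router's public address (TEST-NET-3 range)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class PortForward:
    """NAT 'rdr' entry: traffic to WAN_IP:wan_port is rewritten to target_ip:target_port."""
    proto: str
    wan_port: int
    target_ip: str
    target_port: int

    def associated_wan_rule(self) -> WanRule:
        # What pfSense's default "Add associated filter rule" creates for you:
        # a pass rule on WAN matching the *translated* (internal) destination.
        return WanRule("pass", self.proto, self.target_ip, self.target_port)


@dataclass
class WanRule:
    """Filter rule on the WAN interface. Evaluated after NAT, so it must match the post-NAT destination."""
    action: str
    proto: str
    dst_ip: str
    dst_port: int

    def matches(self, pkt: Packet) -> bool:
        return self.proto == pkt.proto and self.dst_ip == pkt.dst_ip and self.dst_port == pkt.dst_port


def inbound_wan(pkt: Packet, forwards: list[PortForward], wan_rules: list[WanRule]) -> tuple[str, Packet]:
    """Unsolicited packet arriving on WAN: port forwards first, then WAN rules, default deny."""
    for fwd in forwards:
        if fwd.proto == pkt.proto and pkt.dst_ip == WAN_IP and pkt.dst_port == fwd.wan_port:
            pkt = Packet(pkt.proto, pkt.src_ip, pkt.src_port, fwd.target_ip, fwd.target_port)
            break
    for rule in wan_rules:
        if rule.matches(pkt):
            return rule.action, pkt
    return "block", pkt   # no WAN rule matched the translated packet: dropped


class OutboundNat:
    """Source NAT for LAN -> Internet.

    static_port=False models the default behaviour (source port rewritten per connection);
    static_port=True models the 'Static Port' option in Outbound NAT (internal source port kept).
    """

    def __init__(self, static_port: bool):
        self.static_port = static_port
        self._next_port = 50000                 # deterministic stand-in for random port choice
        self._mappings: dict[tuple, int] = {}

    def translate(self, pkt: Packet) -> Packet:
        if self.static_port:
            ext_port = pkt.src_port
        else:
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            if key not in self._mappings:     # every new connection gets its own external port
                self._mappings[key] = self._next_port
                self._next_port += 1
            ext_port = self._mappings[key]
        return Packet(pkt.proto, WAN_IP, ext_port, pkt.dst_ip, pkt.dst_port)


def nat_type_seen_by_game(nat: OutboundNat) -> str:
    """Mimic a game's NAT check: one internal socket talks to two peers.
    If the peers see different external ports, the game reports strict/symmetric NAT."""
    a = nat.translate(Packet("udp", LAN_IP, 27015, "198.51.100.10", 27015))
    b = nat.translate(Packet("udp", LAN_IP, 27015, "198.51.100.20", 27015))
    return "open" if a.src_port == b.src_port == 27015 else "strict"


if __name__ == "__main__":
    fwd = PortForward("tcp", 6881, LAN_IP, 6881)
    probe = Packet("tcp", "198.51.100.5", 40000, WAN_IP, 6881)
    print("forward only:     ", inbound_wan(probe, [fwd], [])[0])
    print("forward + WAN rule:", inbound_wan(probe, [fwd], [fwd.associated_wan_rule()])[0])
    print("default outbound NAT:", nat_type_seen_by_game(OutboundNat(static_port=False)))
    print("static port:         ", nat_type_seen_by_game(OutboundNat(static_port=True)))
```

Running it shows the port forward alone ending in "block" and the forward plus its associated WAN rule ending in "pass", which is why a port that is forwarded without the associated rule never shows as open; the outbound half shows "strict" with per-connection source ports and "open" once the internal port is preserved, which is the effect the Static Port option has on a game's NAT check.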
-
@bob-dig said in Firewall rules, NAT and other stuff that escapes me:
Portforwards by default create a corresponding WAN-rule
OH!!!
I had no idea it worked like this! That explains a lot.
The interface could be a little more explanatory I guess. Yes I'm aware this is an advanced software not meant for people like me, but still.
The same goes for port forwarding actually meaning incoming connections. Pretty confusing. What do you mean by filter rule association? It's been months since I logged in to the router to do any changes and it will take a while before I get used to the terminology and whatnot again.
-
@octopuss said in Firewall rules, NAT and other stuff that escapes me:
filter rule association?
https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html
Did you click the little ? mark up on the top of the port forward page? It goes over port forwarding..
And clearly goes over the association drop down box.
If you are new to pfsense, I would highly suggest you at least breeze over the topics in the documentation that you're unfamiliar with or need refreshing on or want to know how pfsense might handle that specific thing, etc.
https://docs.netgate.com/pfsense/en/latest/preface/index.html
And pretty much every page of the gui, along with notes on many of the checkboxes and forms and dropdowns, has hints/notes on it. But the ? mark in the top right would link to the documentation for that section of the gui, etc.
-
Ah I see. I had the help opened for each of the pages but the amount of information is so overwhelming I got lost.
I am technically speaking not new to pfSense, I've been running it on a server I built and mostly set up myself (with lots of frustration and cursing and outside help), but since this is not something I do on a daily basis (the exact opposite) despite being somewhat of an IT person, I simply forget most if not all of it soon afterwards.
-
@octopuss said in Firewall rules, NAT and other stuff that escapes me:
the amount of information is so overwhelming I got lost.
Well there are a lot of moving parts, and there are lots of lots of features.. So yeah there is going to be a lot of information in the docs ;)
You got your model-t little engine, and then you have current day fuel-injection computer controlled engines.. A bit of information required to understand the differences ;)
-
One related question.
I guess plenty of people play games and are familiar with Steam.
They have a page with ports the client requires for various tasks https://support.steampowered.com/kb_article.php?ref=8571-GLVN-8711
Some of the ports are listed as local and some as remote. Can anyone make a guess (or know for a fact) which ones are for incoming connections, meaning which ones I likely want to add to port forwards? I could just blindly throw the entire ranges in and call it a day, but I'd like to do it "more properly".
-
@octopuss I hear you - see it all the time on games not just steam where they list ports that need to be open but do not state in what direction..
For example I see 53 listed quite often - this sure and the F is not an inbound unsolicited requirement..
It's not all that difficult to list, outbound and inbound on the required ports.. But they rarely do
To log into Steam and download content: HTTP (TCP remote port 80) and HTTPS (443)
Those sure and the hell are not needed "inbound" for you to log into steam and download content ;)
I have played some steam games - and ZERO ports were required to be forwarded for it to work.
From looking at that for 10 seconds, I would say that local means inbound (port forward)..
-
I know, most of those ports are irrelevant (like the streaming and whatever features I don't use), but some of them are used for - I presume - multiplayer, and those are of interest to me in all this mess.
-
@octopuss if they were going to do it correctly.. They would clearly state you need to port forward or allow unsolicited inbound to your device. And they should list any specific IPs they could.. For example if coming from their network(s) - list those.. If need to be from any, say servers your hosting or whatever that other players would need to be able to connect, state that, etc.