NAT help with SRCDS

  • I've been trying to get a steam server working and haven't had much luck.
    Setup looks like this:

    Internet -> pfSense -> LAN.
    There are 3 interfaces on the WAN side, I just need it working on one of them.
    I have the server running on port 27020.

    I have NAT port forward enabled for that interface and port -> LAN server
    Firewall rules have been created (I've also checked logs to make sure nothing is getting blocked).
    NAT reflection is enabled.
    I've tried with and without AON on port 27020.

    I have two scenarios, both are broken.

    1. People connecting externally:
      I see packets getting through, but either the responses aren't getting all the way back or they get messed up along the way. In any case, the connection doesn't get made.

    2. Connecting from the LAN side to the external IP:
      Also seeing packets make it to the server and a reply made in this case, but the reply doesn't seem to make it back. Packet capture looks like this (actual IPs replaced):

    15:02:47.187594 IP client_lan_ip.27005 > wan_ip.27020: UDP, length 23
    15:02:47.189857 IP pfsense_lan_ip.10982 > server_lan_ip.27020: UDP, length 23
    15:02:47.220092 IP server_lan_ip.27020 > pfsense_lan_ip.10982: UDP, length 58
    15:02:53.236720 IP client_lan_ip.27005 > wan_ip.27020: UDP, length 23
    15:02:53.238447 IP pfsense_lan_ip.34989 > server_lan_ip.27020: UDP, length 23
    15:02:53.266504 IP server_lan_ip.27020 > pfsense_lan_ip.34989: UDP, length 58

    My best guess is that pfsense sees the first request, does a forward back into the lan server, but then doesn't forward the reply back to the client.

    Not really sure what else I can try.

  • Chances are good that your NAT rules are messed up.  A judicious use of tcpdump will show you exactly what's happening with your packet traffic.  If the packets aren't getting back to your LAN from the server then the problem exists with your server configuration.  If, on the other hand, packets get to your LAN but don't get sent out the proper external interface, then your NAT configuration is probably borked.  Incidentally, there are limitations on what ports NAT reflection will work with.  Off the top of my head, I forget where it stops, but if this is an issue for you and you're using the DNS forwarder, you can override DNS responses for that device to your LAN clients negating the need for NAT reflection (which is ugly anyhow).

  • I'll focus on the second case for now, since it's easier to explain.
    It's definitely some issue on the pfSense box, whether it be a bug or config problem. I'll try to clarify a bit:

    Basically, I have a machine (A) on the LAN making a request to another machine (B) on the LAN using an external IP that has NAT reflection enabled. When the UDP packet goes out on A, it hits the router (R), which from what I can tell, copies the packet and sends to machine B with R as the source. Machine B then correctly replies to the packet back to R, but then it seems to be dropped and never gets forwarded back to A.

    The packet capture from before shows exactly that. I've confirmed the same results using Wireshark on both machines (essentially tcpdump on Windows).

    Edit: I should also add that I can't use the split DNS option. Since this uses the steam service, they refer to all servers by IP afaik.
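    An added diagnostic (not code from the thread): a small Python script that parses tcpdump lines in the format posted above and reports, for each client request to the WAN address, the last stage of the reflected round-trip that is visible in the capture (forwarded to the server, answered by the server, or translated back to the client). The host names and port are the thread's placeholders; the sample capture is constructed from the lines posted.

```python
import re

# Constructed sample capture, reusing the thread's placeholder host names.
CAPTURE = """\
15:02:47.187594 IP client_lan_ip.27005 > wan_ip.27020: UDP, length 23
15:02:47.189857 IP pfsense_lan_ip.10982 > server_lan_ip.27020: UDP, length 23
15:02:47.220092 IP server_lan_ip.27020 > pfsense_lan_ip.10982: UDP, length 58
15:02:53.236720 IP client_lan_ip.27005 > wan_ip.27020: UDP, length 23
15:02:53.238447 IP pfsense_lan_ip.34989 > server_lan_ip.27020: UDP, length 23
15:02:53.266504 IP server_lan_ip.27020 > pfsense_lan_ip.34989: UDP, length 58
"""

# tcpdump default output: "<ts> IP <src>.<sport> > <dst>.<dport>: UDP, length <n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): UDP")

def parse(capture):
    """Return (ts, src, sport, dst, dport) tuples for the UDP lines in a capture."""
    pkts = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            pkts.append((d["ts"], d["src"], int(d["sport"]), d["dst"], int(d["dport"])))
    return pkts

def audit_reflection(capture, client, wan, firewall, server, port):
    """For each client -> WAN request, report the last stage of the reflected
    round-trip seen in the capture: request_seen, forwarded_to_server,
    server_replied or reply_returned."""
    pkts = parse(capture)
    results = []
    for i, (ts, src, sport, dst, dport) in enumerate(pkts):
        if not (src == client and dst == wan and dport == port):
            continue
        later = pkts[i + 1:]
        stage = "request_seen"
        # Stage 1: firewall rewrote the source and forwarded the request to the server.
        fwd = next((p for p in later if p[1] == firewall and p[3] == server and p[4] == port), None)
        if fwd is not None:
            stage = "forwarded_to_server"
            nat_port = fwd[2]
            # Stage 2: server answered the firewall's rewritten source port.
            if any(p[1:5] == (server, port, firewall, nat_port) for p in later):
                stage = "server_replied"
                # Stage 3: reply was translated back to the client's original port.
                if any(p[1:5] == (wan, port, client, sport) for p in later):
                    stage = "reply_returned"
        results.append((ts, stage))
    return results
```

    On the posted capture both requests stop at "server_replied", which places the drop on the firewall's return path rather than on the game server.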
