Can't connect to game server on my network by public IP


  • I have a rather strange issue that is just a major nuisance to me.  I have a game server for the multiplayer game Halo PC on a subnet (172.16.0.0/24) that is separate from the subnet of my home computers (10.0.0.0/24).  The game server is running on port 2001 and the private IP is 172.16.0.10.  Any player on the internet is able to connect to the server by entering my public IP address (or by joining from the server list), except for me.  However, I can join by the server's LAN address.

    This game seems to be the only thing I have an issue with.  I also run a Minecraft server on the same physical box, and I can connect to the server by public IP with no problem.  NAT reflection is enabled for the Halo server, just like with the Minecraft server, so I don’t know where else to troubleshoot this problem.  However, I’m sure this is a NAT reflection issue.  I'm not sure if it has anything to do with Halo being UDP and Minecraft being TCP.

    The reason this is such a big issue for me is because I’m unable to join my own servers from the in-game server list.  With my old cheap SOHO router, I was able to connect to the server by public IP from within my own network, so I’m sure it has to be possible with pfSense and a few tweaks.

    I have some screenshots below of the outbound NAT rule, NAT forwarding rule, and a side-by-side comparison of Halo vs. Minecraft states.  If you need any more info, or even remote access, I'll be glad to provide.

    NAT Outbound:

    NAT Port Forwarding:

    Here’s what happens when someone connects to the Halo server from outside my network:

    And here’s what happens when I try to join from inside my own network:

    And me joining Minecraft from inside my own network:

  • Rebel Alliance Developer Netgate

    Last I knew, NAT reflection did not work (and has never worked) properly for UDP.


  • So, am I pretty much out of luck here?  I read about DNS forwarders helping in similar scenarios, except that won't work here since the server lists work by IP address, not FQDNs.  If there's anything else I can try, please let me know.


  • Try to create a local FQDN and use that internally, if that works.


  • I thought that was essentially the same as the DNS forwarder custom records, which is pointless for my configuration since the server list references each server directly by IP address, not a FQDN.


  • Hey Guys,

    ----NOT SURE HOW THIS WORKS----

    I had a weird kind of idea. Can you try static routing + rules?

    1. Create a new route for that public IP
    1.1 Create a new gateway using an internal NIC
    2. Create a rule: source: gaming client, destination: server's public IP, and advanced option: use new gateway

    ----/NOT SURE HOW THIS WORKS----

    It might get you there, but it can also break your routing anywhere else.


  • I agree with Telex. UDP NAT reflection works on the cheapest router/NAT device. It's a shame it does not work on pfSense.
    Maybe the fault is in us, because there is no ticket for this error.

    If it helps somebody, the packet arrives at the reflected IP/port (the server), but the response does not get back to the client.


  • There seem to be several old threads in this forum about implementing UDP NAT reflection in pfSense, and in fact there is a relevant section in filter.inc (search for 19000).


  • You are right. It seems it's fully implemented. And in fact it's working in one way. The problem is with the reply packets.