Cannot specify source IP when creating manual outbound static NAT



  • Setup:

    2.2.4-RELEASE (i386)
    built on Sat Jul 25 19:56:41 CDT 2015
    FreeBSD name.domain 10.1-RELEASE-p15 FreeBSD 10.1-RELEASE-p15 #0

    Dual core Atom with 2gigs Ram and 120gb ssd

    Packages Installed:

    • Snort
    • pfBlockerNG
    • Cron
    • Squid3
    • Using DNS Forwarding instead of the resolver

    Problem:

    My son plays PS4 and it's reporting NAT3, which doesn't allow him to communicate with friends using in-game voice chat.

    I did some digging and PlayStation Network doesn't appreciate port randomization.

    I found the instructions here https://doc.pfsense.org/index.php/Static_Port for setting up static port outbound NAT.

    When I reached this line in the doc, "Edit the rule so it only covers the source IP of the device that needs static port, and any other required settings.", I noticed the interface does not allow for entry of a single IP address.

    The options I'm given in the copied rule for the SOURCE -> NETWORK dropdown are:  (Screen capture attached)

    • Any
    • This Firewall (self)
    • Network

    Any idea how to specify a single LAN IP in the source portion of the rule? I tried different combinations of interface and protocol thinking it might trigger a change in the dropdown.

    I was tempted to create the rule, move it, then root around in the shell looking for a file I could manually edit.

    Any insight is appreciated.

    ![Screen Shot 2015-08-14 at 3.36.02 PM.png](/public/imported_attachments/1/Screen Shot 2015-08-14 at 3.36.02 PM.png)



  • An IPv4 network address with a netmask of 32 is a single IP, no? Did you try selecting Network, then for the address specify the single IP you want, then in the netmask dropdown, select 32:

    192.168.1.1/32 is a network address of 192.16.1.1 only.

    192.168.1.0/24 is a network address covering 192.168.1.0 to 192.168.1.255.

    Netmask is your friend.



  • That worked!  Thank you so much for the help.
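
The /32 answer above also gives a way to check that a static-port rule stays scoped to one device, so every other host keeps source-port randomization. This is an added example, not code from the thread or from pfSense: the rule lines are constructed, simplified pf-style NAT rules, and the interface name `em0` and the address 192.168.1.50 are assumptions.

```python
import ipaddress
import re

# Constructed sample rules in simplified pf-style syntax (assumption: LAN is
# 192.168.1.0/24 and the console sits at 192.168.1.50; neither is from the thread).
SAMPLE_RULES = """\
nat on em0 inet from 192.168.1.50/32 to any -> (em0) static-port
nat on em0 inet from 192.168.1.0/24 to any -> (em0) static-port
nat on em0 inet from 192.168.1.0/24 to any -> (em0)
nat on em0 inet from any to any -> (em0) static-port
"""

RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+)"
    r" -> (?P<target>\S+)(?P<static>\s+static-port)?$"
)


def audit_static_port(rules_text):
    """Return (line, source, address_count, verdict) for each static-port rule.

    A rule is 'single host' only when its source is exactly one address
    (a /32, or a bare IP); anything wider disables port randomization for
    more devices than the one that needs it.
    """
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        m = RULE_RE.match(line.strip())
        if not m or not m.group("static"):
            continue  # not a NAT rule, or randomization is left on
        src = m.group("src")
        if src == "any":
            findings.append((lineno, "any", None, "too broad"))
            continue
        # strict=False tolerates host bits set in the address (e.g. .50/24)
        net = ipaddress.ip_network(src, strict=False)
        verdict = "single host" if net.num_addresses == 1 else "too broad"
        findings.append((lineno, str(net), net.num_addresses, verdict))
    return findings


if __name__ == "__main__":
    for lineno, src, count, verdict in audit_static_port(SAMPLE_RULES):
        print(f"rule {lineno}: source {src} ({count} addresses) -> {verdict}")
```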