UT2004 Server & PFSense NAT Issues… I know, I know :(

  • I know this has been discussed many times here, and I've read through everything I can on UT-related forums, and PFSense-related stuff, and still have come up with no solution.

    Here is my problem:

    The UT2004 (Unreal Tournament 2004) Server is not accessible from the "Master Server List".  It shows up in the list (showing that it is in fact making the connection), but the ping is N/A and it cannot be joined from the "Master Server List".  However, when a friend tries to join by typing in my IP address manually, it connects fine with no problems, and we can play all day long.  The UT2004 Server is located on an OpenVZ Virtual Machine on my server, and the VM is running Gentoo, without a firewall, on top of CentOS.  CentOS is firewalled, but the VMs pay no attention to it, as they use the single network interface as their own, even though it is shared among the host and the VMs.  I have other ports forwarded from my PFSense box to the host (the server), and they are working correctly.  There are also some other ports forwarded to another VM located on the server, which are functioning great.

    The ports forwarded to the UT2004 server located on one of the VMs appear to be working fine as well, as clients can connect by directly connecting with the IP address.  But as I said, they cannot join from the "Master Server List".

    The configuration of the UT2004 Server is set to inform the server that it is located behind a NAT.  I have tried with that setting both on and off.

    Here's my situation, I'll try to make this as informative and as quick as is possible.

    My PFSense box sits between my ISP and me.

    LAN - Subnet
    DMZ - Subnet

    My server is located on the DMZ interface.

    UT2004 requires that the following ports be forwarded:

    7777  UDP/IP  (Game Port)
    7778  UDP/IP  (Query Port; game port + 1)
    7787  UDP/IP  (GameSpy Query Port; game port + 10)
    28902  TCP/IP  (Allows your Server to Connect to the UT2004 Master Server Browser)

    I have checked, double-checked, and triple-checked again to make sure that these ports are forwarded a. to the correct IP address and b. as the correct protocol (UDP/TCP).

    I have done some reading about the "Static Ports", so I set up Outbound NAT to use "Static Ports" with all traffic originating from my DMZ, and function as it normally would with my LAN.

    It seems as though the "Master Server List" has some issues when it comes to connecting to clients through NAT.

    Here is a quote from a forum on which other UT200X server admins were discussing the issue:

    Inbound UDP from the Master Server would get back to my UT2003 server, but importantly as far as the Master was concerned it was communicating with the source ports used by the NAT router's WAN interface, not the server.
    Clients connecting directly could get through no problem because those packets had destination ports that the router had been told to forward straight to the UT2003 Server.

    So, I assume, by setting up the "Static Ports" on my PFSense for traffic leaving the DMZ, it should solve this problem.  But, apparently it is not.

    Any help would be GREATLY appreciated, as I am all out of ideas.  I've attached some screenshots of my configuration below, if they may help.




    Attaching some output from netstat -a -l on the Gameserver VM.

    gameserver ~ # netstat -a -l
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 *:10000                 *:*                     LISTEN
    tcp        0      0 *:10001                 *:*                     LISTEN
    tcp        0      0 gameserver:59745       ESTABLISHED
    tcp        0      0 *:ssh                   *:*                     LISTEN
    tcp        0    132 gameserver:ssh          ::ffff: ESTABLISHED
    tcp        0      0 gameserver:ssh          ::ffff: ESTABLISHED
    udp        0      0 *:7777                  *:*
    udp        0      0 *:7778                  *:*
    udp        0      0 *:7787                  *:*
    udp        0      0 *:7788                  *:*
    udp        0      0 *:10000                 *:*
    udp        0      0 *:10777                 *:*
    udp        0      0 localhost.localdo:43691 localhost.locald:syslog ESTABLISHED
    Active UNIX domain sockets (servers and established)
    Proto RefCnt Flags       Type       State         I-Node Path

  • The "static port" option in your AoN rule for the Server is still not active.

  • How would I go about activating it besides letting it go through the "reload process", after I click "Save"?

  • Sorry, I don't understand your question.

    Just change the existing rule for your DMZ.

  • Ok, sorry if that was confusing.

    You said:

    The "static port" option in your AoN rule for the Server is still not active.

    Can you explain to me how you know it is not active?

    My server is on the subnet, and under the outbound NAT mappings, it says "Yes" under the Static Port column.

    Is there more I need to do?

  • d'oh.
    I got your ranges mixed up.
    Without a diagram that can happen pretty fast…

    You're writing that the ping says N/A. How does the master server do this "ping"?
    Is it a real ping to your WAN? Because then you could just allow ICMP on the WAN.

  • Pinging works correctly.  The UT2004 communicates with the "Master Server List" via TCP Port 28902.

    If it matters at all, I do have NAT reflection enabled.

    Is there a way (by using netstat or something similar) to test to see if "Static Ports" are actually functioning correctly?

    There was only one other UT2004 thread I found on here…


    By the way,  your help is GREATLY appreciated.  Thanks :).

  • Look in diagnostics -> states.  The source port will match the destination port if static port is working.  Also do not forget to clear your states after making the static port changes.
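
An added example, not part of the thread: the check described in the last reply, run from a shell on the firewall instead of Diagnostics -> States. It assumes the two `pfctl -ss` line layouts noted in the comments and IPv4 addresses; the function names are hypothetical and the sample state table is constructed.

```shell
#!/bin/sh
# Usage on the firewall: pfctl -ss | check_static_port <internal host IP>
# Assumed pfctl -ss layouts for outbound NAT states (IPv4 only):
#   A: all udp WAN:port (INSIDE:port) -> REMOTE:port STATE
#   B: self udp INSIDE:port -> WAN:port -> REMOTE:port STATE   (older pf)
check_static_port() {
    awk -v host="$1" '
    function port(ep,   n, parts) { n = split(ep, parts, ":"); return parts[n] }
    function addr(ep) { sub(/:[0-9]+$/, "", ep); return ep }
    {
        if ($4 ~ /^\(.*\)$/ && $5 == "->") {            # layout A
            outside = $3; inside = substr($4, 2, length($4) - 2)
        } else if ($4 == "->" && $6 == "->") {          # layout B
            inside = $3; outside = $5
        } else {
            next                                        # not an outbound NAT state
        }
        if (addr(inside) != host) next
        verdict = (port(inside) == port(outside)) ? "STATIC" : "REWRITTEN"
        print verdict, $2, port(inside), "->", port(outside)
    }'
}

# Constructed sample state table (documentation addresses, made-up states).
sample_states() {
    cat <<'EOF'
all udp 203.0.113.5:7777 (192.0.2.10:7777) -> 198.51.100.20:40000 MULTIPLE:MULTIPLE
all udp 203.0.113.5:51312 (192.0.2.10:7778) -> 198.51.100.20:40000 SINGLE:NO_TRAFFIC
all tcp 203.0.113.5:61022 (192.0.2.10:41873) -> 198.51.100.20:28902 ESTABLISHED:ESTABLISHED
self udp 192.0.2.10:7787 -> 203.0.113.5:7787 -> 198.51.100.20:40000 MULTIPLE:SINGLE
all tcp 192.0.2.10:22 <- 192.0.2.50:50211 ESTABLISHED:ESTABLISHED
all udp 203.0.113.5:33000 (192.0.2.77:7777) -> 198.51.100.20:40000 SINGLE:NO_TRAFFIC
EOF
}

sample_states | check_static_port 192.0.2.10
```

A `REWRITTEN` line for one of the forwarded UDP ports means either the state was created before the rule change and has not been cleared, or the static-port rule is not matching that traffic.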
