nat HELP
So, I have been running FreeBSD as my router for some time now and like it a lot, but ran into a problem recently.
I've managed to forward ports to PCs across my network without problem until I tried to forward some UDP for a game; it doesn't work.
Code:
nat on $ext1 from !($ext1) -> ($ext1:0)
rdr on $ext1 proto {tcp, udp} from any to any port {1234} -> $pc1
Code:
binat on $ext1 from $pc1 to any -> $ext1
Some people have suggested I get another IP from my ISP and binat one to pc1 and nat the second to the rest of my LAN; this would be fine if my ISP allowed static IPs. I am actually allowed 2 IPs, but they have to be obtained with DHCP and I can only obtain one per interface, so as far as I can tell I would have to set up my network as laid out in the attached image. Seems a little crazy to me to change the network so much (1 new switch, 2 new NICs in the gateway) just to get a game working. I should also note the game worked fine when I forwarded port 1234 when I was using some $20 Linksys POS.
Finally, I had the idea to create a virtual interface on the gateway and bridge it to my modem's interface; this might allow me to set the MAC sent to my ISP's DHCP server, thus getting it to lease me the second IP. No idea how to create virtual interfaces or bridge on FreeBSD though :P (page that gave me this idea: http://ezine.daemonnews.org/200406/netgraph.html)
Thanks in advance to anyone that helps me figure this out!!

You only show a PF rule fragment, so these are just guesses:
Guess #1: redirected traffic is blocked; you lack a pass rule for the redirected traffic.
The pflog(4) facility can be used to determine if blocking is occurring. If your problem is due to your "scrub" rule, you can either change the rule and retest, or examine the packets on $ext1 and compare them with packets on $pc1.

Sounds like a classic case of rdr without a pass.
Code:
rdr on $ext1 inet proto { tcp, udp } from any to any port 1234 -> $pc1
pass in on $ext1 inet proto { tcp, udp } from any to $pc1 port 1234

pf.conf
Code:
ext1="nfe0"
int1="rl0"
pc1="10.0.0.2"
pc2="10.0.0.3"

set skip on lo

# only one of the following 2 lines uncommented at a time!
nat on $ext1 from !($ext1) -> ($ext1:0)
#binat on $ext1 from $pc1 to any -> $ext1

rdr-anchor "miniupnpd"
rdr on $ext1 proto tcp from any to any port 54378 -> $pc1
rdr on $ext1 proto tcp from any to any port 1337 -> $pc1
rdr on $ext1 proto tcp from any to any port 3389 -> $pc1
rdr on $ext1 proto {tcp, udp} from any to any port 39004 -> $pc1
rdr on $ext1 proto {tcp, udp} from any to any port 1234 -> $pc1
rdr on $ext1 proto {tcp, udp} from any to any port 3074 -> $pc2

anchor "miniupnpd"

That's interesting... but did you even read my reply?

Of course I read it; did you even look at my pf.conf? There is no need to pass.

I have no "block in" in pf.conf, so the need to pass has been removed. But you have been humored: I added the pass rule and got the same result, the game does not work.
pf.conf is now
Code:
# macros
ext1="nfe0"
ext2="ngeth0"
int1="rl0"
pc1="10.0.0.2"
pc2="10.0.0.3"

# options
#set block-policy return
#set loginterface $ext_if
set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext1 from !($ext1) -> ($ext1:0)
#binat on $ext1 from $pc1 to any -> $ext1
#nat on $ext2 from !($ext2) -> ($ext2:0)

rdr-anchor "miniupnpd"

# uTorrent
rdr on $ext1 proto tcp from any to any port 45853 -> $pc1
# Apache
rdr on $ext1 proto tcp from any to any port 1337 -> $pc1
# Remote Desktop
rdr on $ext1 proto tcp from any to any port 3389 -> $pc1
# Hamachi
rdr on $ext1 proto {tcp, udp} from any to any port 39004 -> $pc1
# Red Alert 2 / Yuri's Revenge
#rdr on $ext_if proto tcp from any to any port {3840, 4005, 4808, 4810, 4995, 7000, 7001, 7002} -> $comp1
#rdr on $ext_if proto udp from any to any port {1234, 1235, 1236, 1237, 4000, 5400} -> $comp1
# Tiberian Sun
rdr on $ext1 proto {tcp, udp} from any to any port 1234 -> $pc1
# Xbox Live
#rdr on $ext_if proto udp from any to any port 88 -> $comp2
rdr on $ext1 proto {tcp, udp} from any to any port 3074 -> $pc2
#rdr on $ext_if proto {tcp, udp} from any to any port 1:65535 -> $comp1

anchor "miniupnpd"

pass in on $ext1 inet proto { tcp, udp } from any to $pc1 port 1234
Last edited by dextro; 2nd February 2009 at 08:58 AM.

The "alteration" you describe from the PF user's guide was an *intentional* port redirection to a new port number (80 -> 8000). That doesn't apply to your situation. None of your destination port numbers are changed in the rdr rules you've published in this thread.

Packet normalization ("scrub") was not enabled in your original pf.conf in post #4, above. It was one of my guesses as to a possible source of your problem. Now that you have it enabled, per post #8, packet normalization can change packets destined for your private network, according to the PF User's Guide.

To confirm this possibility, you must analyze the packets entering your external interface with a tool such as tcpdump(1), and compare that with the packets being passed to your internal interface. Not only will it show you if your remote game server is sending packets to ports you've not listed, it will show you if the packets are being redirected as you expect.

What should this tcpdump command look like? My tcpdump knowledge is minimal.
I did a tcpdump -vv udp, then played a game and got:
Code:
tcpdump: listening on nfe0, link-type EN10MB (Ethernet), capture size 96 bytes
06:20:36.618694 IP (tos 0x0, ttl 112, id 64720, offset 0, flags [none], proto UDP (17), length 131) 195.189.97.122.57944 > 207.6.123.87.45853: UDP, length 103
06:20:37.435792 IP (tos 0x0, ttl 64, id 1928, offset 0, flags [none], proto UDP (17), length 71) 207.6.123.87.58444 > 75.154.133.68.domain: [udp sum ok] 32387+ PTR? 87.123.6.207.in-addr.arpa. (43)
06:20:37.481066 IP (tos 0x0, ttl 247, id 27864, offset 0, flags [DF], proto UDP (17), length 201) 75.154.133.68.domain > 207.6.123.87.58444: 32387 q: PTR? 87.123.6.207.in-addr.arpa. 1/2/2 87.123.6.207.in-addr.arpa.[|domain]
06:20:38.213907 IP (tos 0x0, ttl 107, id 58831, offset 0, flags [none], proto UDP (17), length 126) 78.131.211.178.27370 > 207.6.123.87.45853: UDP, length 98
06:20:40.509953 IP (tos 0x0, ttl 116, id 59345, offset 0, flags [none], proto UDP (17), length 90) 222.83.215.126.16001 > 207.6.123.87.45853: UDP, length 62
06:20:40.799499 IP (tos 0x0, ttl 114, id 9179, offset 0, flags [none], proto UDP (17), length 126) 210.253.80.120.13899 > 207.6.123.87.45853: UDP, length 98
06:20:41.177728 IP (tos 0x0, ttl 113, id 5882, offset 0, flags [none], proto UDP (17), length 126) 60.53.86.102.26535 > 207.6.123.87.45853: UDP, length 98
06:20:41.317674 IP (tos 0x0, ttl 116, id 59410, offset 0, flags [none], proto UDP (17), length 90) 222.83.215.126.16001 > 207.6.123.87.45853: UDP, length 62
06:20:42.439868 IP (tos 0x0, ttl 64, id 1929, offset 0, flags [none], proto UDP (17), length 71) 207.6.123.87.50541 > 75.154.133.100.domain: [udp sum ok] 32387+ PTR? 87.123.6.207.in-addr.arpa. (43)
06:20:42.498969 IP (tos 0x0, ttl 246, id 45275, offset 0, flags [DF], proto UDP (17), length 201) 75.154.133.100.domain > 207.6.123.87.50541: 32387 q: PTR? 87.123.6.207.in-addr.arpa. 1/2/2 87.123.6.207.in-addr.arpa.[|domain]
06:20:44.442275 IP (tos 0x0, ttl 64, id 1930, offset 0, flags [none], proto UDP (17), length 71) 207.6.123.87.58444 > 75.154.133.68.domain: [udp sum ok] 32387+ PTR? 87.123.6.207.in-addr.arpa. (43)
06:20:44.488482 IP (tos 0x0, ttl 247, id 31714, offset 0, flags [DF], proto UDP (17), length 201) 75.154.133.68.domain > 207.6.123.87.58444: 32387 q: PTR? 87.123.6.207.in-addr.arpa. 1/2/2 87.123.6.207.in-addr.arpa.[|domain]

I just did a local packet sniff with Wireshark while I was playing a game, and the IPs of the users I was in game with sent me UDP packets on port 1234, that's it. PF changes the packet dest addr; that must be what's breaking it.
Also, as I said in my first post, all I did with my old router was forward port 1234 and the game worked fine.

new pf.conf
Code:
ext1="nfe0"
int1="rl0"
pc1="10.0.0.2"
pc2="10.0.0.3"

# options
#set block-policy return
#set loginterface $ext1
set skip on lo

# scrub
#scrub in

# nat/rdr
nat on $ext1 from !($ext1) -> ($ext1:0)
#binat on $ext1 from $pc1 to any -> $ext1

rdr-anchor "miniupnpd"
rdr on $ext1 proto {tcp, udp} from any to any port 1:65535 -> $pc1
anchor "miniupnpd"

pass in on $ext1 inet proto { tcp, udp } from any to $pc1 port 1:65535

Looking at the UDP traffic from tcpdump, you will see an IP address followed by the port number: xx.xx.xx.xx.yy

So, taking the first packet as an example: the source was 195.189.97.122, in the Ukraine, using source port #57944, and the destination was your IP address at Telus in British Columbia, destination port #45853.

Taking the second packet as an example, it was from your IP at Telus to another IP at Telus. The destination port was "domain" -- port #53, used for DNS. I assume this is your local Domain Name Server at your ISP. The third packet was the reply. And so on...

The reason I recommended the "host <remote server>" expression was to reduce your analysis to game traffic, assuming you can determine the address of the game server, or even the netblock it comes from. The host expression can use CIDR notation to capture entire subnets, e.g. "host 192.168.0.0/8" would log only traffic from the entire 192.168.x.x network.

Show me.

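Added example (editor's note, not code from anyone in this thread): a small Python parser for the tcpdump -vv lines pasted above, so the "address.port > address.port" reading explained in the previous post can be done for a whole capture instead of packet by packet. It also reproduces the effect of tcpdump's host filter by keeping only packets to or from one address, and reports which remote addresses hit which destination port on the gateway. The first three sample lines are copied from the capture above; the fourth is constructed (198.51.100.7 is a documentation address, not a real peer) so that a packet to the game port 1234 appears in the data.

```python
import re
import socket
from collections import defaultdict

# Lines 1-3 copied from the tcpdump -vv output posted in this thread; line 4 is
# constructed (198.51.100.7 is a documentation address) to show a packet on port 1234.
SAMPLE_OUTPUT = """\
06:20:36.618694 IP (tos 0x0, ttl 112, id 64720, offset 0, flags [none], proto UDP (17), length 131) 195.189.97.122.57944 > 207.6.123.87.45853: UDP, length 103
06:20:37.435792 IP (tos 0x0, ttl 64, id 1928, offset 0, flags [none], proto UDP (17), length 71) 207.6.123.87.58444 > 75.154.133.68.domain: [udp sum ok] 32387+ PTR? 87.123.6.207.in-addr.arpa. (43)
06:20:38.213907 IP (tos 0x0, ttl 107, id 58831, offset 0, flags [none], proto UDP (17), length 126) 78.131.211.178.27370 > 207.6.123.87.45853: UDP, length 98
06:20:39.000000 IP (tos 0x0, ttl 110, id 1, offset 0, flags [none], proto UDP (17), length 60) 198.51.100.7.1234 > 207.6.123.87.1234: UDP, length 32
"""

# tcpdump prints well-known ports by name unless -n is given; resolve the common ones
# here and fall back to the system services database for anything else.
SERVICE_PORTS = {"domain": 53, "http": 80, "https": 443, "ntp": 123}

# timestamp, the parenthesised IP header (lazy, because it contains "(17)" itself),
# then "src.sport > dst.dport:".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP \((?P<hdr>.*?)\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\S+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[^:]+):"
)


def port_number(token):
    """Turn a port token ('45853' or 'domain') into an int; None if it cannot be resolved."""
    if token.isdigit():
        return int(token)
    if token in SERVICE_PORTS:
        return SERVICE_PORTS[token]
    try:
        return socket.getservbyname(token)
    except OSError:
        return None


def parse_line(line):
    """Parse one tcpdump -vv IP line into a dict; return None for lines that are not packets."""
    m = LINE_RE.match(line)
    if not m:
        return None
    proto = re.search(r"proto (\w+)", m.group("hdr"))
    return {
        "time": m.group("ts"),
        "proto": proto.group(1) if proto else "?",
        "src": m.group("src"),
        "sport": port_number(m.group("sport")),
        "dst": m.group("dst"),
        "dport": port_number(m.group("dport")),
    }


def parse_output(text, host=None):
    """Parse every line; with host set, keep only packets to or from it (tcpdump's 'host' filter)."""
    packets = [p for p in (parse_line(l) for l in text.splitlines()) if p]
    if host:
        packets = [p for p in packets if host in (p["src"], p["dst"])]
    return packets


def senders_by_dport(packets, local_ip):
    """Map each destination port on local_ip to the set of remote addresses that sent to it."""
    result = defaultdict(set)
    for p in packets:
        if p["dst"] == local_ip:
            result[p["dport"]].add(p["src"])
    return dict(result)


if __name__ == "__main__":
    pkts = parse_output(SAMPLE_OUTPUT)
    for port, senders in sorted(senders_by_dport(pkts, "207.6.123.87").items()):
        print(f"port {port}: {len(senders)} remote sender(s): {', '.join(sorted(senders))}")
```

Run it against a saved capture with parse_output(open("capture.txt").read(), host="<game server>") and the per-port summary tells you at once whether the peers are really only using 1234, which is the question the thread is trying to settle.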
Dest addr (IP), not port.

Must be what makes the difference for my game working and not working, eh?

All this time, all I had to do was add static-port to the end of the nat line:
Code:
nat on $ext1 from !($ext1) -> ($ext1:0) static-port
Everything on my LAN now works great!
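Added example (editor's note, not from the thread and not PF's implementation): a toy Python model of why static-port was the fix. Per pf.conf(5), a nat rule rewrites the LAN source address to the external address and, unless static-port is given, also rewrites the UDP/TCP source port to an unused port in 50001-65535; static-port keeps the original source port. The rdr rule only ever governed the inbound direction, which is why the tcpdump and Wireshark checks earlier in the thread looked fine while the game still failed: the peers saw pc1's outbound packets arriving from a random high port instead of 1234. The model also shows the cost of static-port, that two LAN hosts using the same source port toward the same peer cannot both get a state (modelled here as the second packet being dropped) and that the gateway's outbound ports become predictable. The addresses (203.0.113.10 and 198.51.100.7 are documentation addresses), the peer's "source port must equal the advertised port" check, and the class and function names are assumptions made for the example. Note also that the interim rdr ... port 1:65535 -> $pc1 rule from earlier in the thread forwards every port on pc1 to the Internet; the final config keeps the single-port rdr, which is the right shape.

```python
import random

# Constructed addresses: pc1/pc2 match the thread's macros, the rest are documentation ranges.
PC1, PC2 = "10.0.0.2", "10.0.0.3"
EXT, PEER = "203.0.113.10", "198.51.100.7"
GAME_PORT = 1234


class NatGateway:
    """Toy model of a PF 'nat' rule plus an 'rdr' table for UDP. Not PF's real state engine."""

    def __init__(self, ext_ip, static_port=False, rdr=None, seed=1):
        self.ext_ip = ext_ip
        self.static_port = static_port
        self.rdr = rdr or {}            # dport -> LAN host, like 'rdr on $ext1 ... port N -> $pc1'
        self.rng = random.Random(seed)  # stands in for PF's random choice of a free port
        self.out_states = {}            # (lan_ip, lan_port, peer_ip, peer_port) -> ext port
        self.in_states = {}             # (ext_port, peer_ip, peer_port) -> (lan_ip, lan_port)

    def outbound(self, lan_ip, lan_port, peer_ip, peer_port):
        """LAN -> Internet: return (src_ip, src_port) as the peer sees it, or None if dropped."""
        key = (lan_ip, lan_port, peer_ip, peer_port)
        if key in self.out_states:                      # existing state, same translation
            return (self.ext_ip, self.out_states[key])
        if self.static_port:
            ext_port = lan_port                         # static-port: keep the LAN source port
            if (ext_port, peer_ip, peer_port) in self.in_states:
                return None                             # another LAN host already owns this slot
        else:
            ext_port = self.rng.randint(50001, 65535)   # default nat: fresh high source port
            while (ext_port, peer_ip, peer_port) in self.in_states:
                ext_port = self.rng.randint(50001, 65535)
        self.out_states[key] = ext_port
        self.in_states[(ext_port, peer_ip, peer_port)] = (lan_ip, lan_port)
        return (self.ext_ip, ext_port)

    def inbound(self, peer_ip, peer_port, ext_port):
        """Internet -> gateway: an existing state wins, else the rdr table, else the packet is dropped."""
        state = self.in_states.get((ext_port, peer_ip, peer_port))
        if state:
            return state
        if ext_port in self.rdr:
            return (self.rdr[ext_port], ext_port)
        return None


def peer_accepts(seen_src_port, advertised_port=GAME_PORT):
    """Assumed peer behaviour: only talk to the port the other player advertised in-game."""
    return seen_src_port == advertised_port


def game_session(static_port):
    """pc1 sends to the peer; the peer checks the source port and replies to it.
    Returns (peer_accepted, lan_destination_of_reply)."""
    gw = NatGateway(EXT, static_port=static_port, rdr={GAME_PORT: PC1})
    _, src_port = gw.outbound(PC1, GAME_PORT, PEER, GAME_PORT)
    accepted = peer_accepts(src_port)
    reply = gw.inbound(PEER, GAME_PORT, src_port) if accepted else None
    return accepted, reply


def collision_demo():
    """The static-port trade-off: pc1 and pc2 both use source port 1234 toward the same peer."""
    gw = NatGateway(EXT, static_port=True)
    return gw.outbound(PC1, GAME_PORT, PEER, GAME_PORT), gw.outbound(PC2, GAME_PORT, PEER, GAME_PORT)


if __name__ == "__main__":
    print("default nat :", game_session(static_port=False))
    print("static-port :", game_session(static_port=True))
    print("collision   :", collision_demo())
```

With the default nat the peer sees a source port in 50001-65535 and the session never starts; with static-port it sees 1234 and its reply matches the existing state back to pc1. The rdr entry is only consulted when no state exists, which is the inbound-only role it had all along.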