network address translation
I have an xbox and a ps4 that both need static ports (outbound). The following code works fine for just my xbox:
Code:
xbox = "192.168.1.111"
ps4 = "192.168.1.112"

# Perform source-port randomization for all hosts which are not the xbox
match out log on egress from !$xbox to any nat-to ($ext_if:0) port 1024:65535

# Do not perform source-port randomization for the xbox
match out log on egress from $xbox to any nat-to ($ext_if:0) static-port

Code:
xbox = "192.168.1.111"
ps4 = "192.168.1.112"

# Perform source-port randomization for all hosts which are not the xbox
match out log on egress from !$xbox to any nat-to ($ext_if:0) port 1024:65535

# Do not perform source-port randomization for the xbox or ps4
match out log on egress from $xbox to any nat-to ($ext_if:0) static-port
match out log on egress from $ps4 to any nat-to ($ext_if:0) static-port

Code:
match out log on egress from {!$xbox || !$ps4} to any nat-to ($ext_if:0) port 1024:65535

jggimi I've tested numerous match settings to see if I could get static ports for just 2 ip addresses on my network. I've come up with only one solution that is similar to the one I had already posted except with PS4 added. Still doesn't seem like an ideal solution.
I would figure match would act similar to a pass rule and the last rule that matches would be used. Using match with network address translation does not appear to act the same way as a pass rule. Unfortunately I don't have the time to post what code had worked for me but will do so later. By the way your code suggestions didn't work for me. More on this later.

Thanks for the brief report. I'm sorry my suggestions were not successful.
As I noted above, the match rule is not the same as block or pass. Last matching does not apply, every packet is tested. The pf.conf(5) man page says, "...match rules differ from block and pass rules in that parameters are set every time a packet matches the rule, not only on the last matching rule." Using pass rather than match may be more helpful for your use case.

So this is what worked for me. I'm not really sure why it does. Static-port is definitely working for my Xbox but I'm not really sure about the PS4 as I've not set up port forwarding yet to make sure the PS4 NAT is open and not restricted. I can tell when my Xbox static-port isn't working correctly when my Xbox NAT shows restricted instead of open.
This works:
Code:
match out on egress inet from !$XBOX to any nat-to ($WAN:0) port 1024:65535
match out on egress from {$PS4 $XBOX} to any nat-to (egress) static-port

pfctl -vf pf.conf output
-------------------------------
match out on em0 inet from ! 10.200.200.114 to any nat-to (em0:0) port 1024:65535
match out on egress inet from 10.200.200.110 to any nat-to (egress) round-robin static-port
match out on egress inet from 10.200.200.114 to any nat-to (egress) round-robin static-port

Quote from the pf.conf man page referencing a match rule:
Quote:

I wanted to limit static ports to just my gaming consoles for security reasons. Would prefer to have source port randomization for the rest of the network.
For now I've set the entire network to have static ports as a "possible solution". I would suspect that a pass rule with nat-to would always have to match otherwise network address translation for a specific IP wouldn't work. Wouldn't this end up with a pass quick rule with nat-to? I'm really not sure. When I have the time I'll test pass rules with nat-to and report back.

I'm curious as to what is not working, per your original post:
Quote:
Unable to sign-on to PSN? Getting NAT Type 3? Unable to game online? Getting "fragmented packets" message on network check? I have PS4 and Xbox 1 and both are working fine on my OpenBSD 6.0 firewall.

Code:
match out on egress inet from !$XBOX to any nat-to ($WAN:0) port 1024:65535
match out on egress from {$PS4 $XBOX} to any nat-to (egress) static-port

Yes the above match code seems to work fine but I really don't see it as the best solution. I think there has to be a better match rule solution. The match logic doesn't seem right and the PS4 I would suspect would end up with port randomization. The first match rule is setting all other IP addresses on the network with non-static ports except the Xbox. This rule would be sticky at this point and anything afterwards would not override the first match. The second match rule setting the Xbox and PS4 with static ports works with the Xbox. I'm not so sure of the PS4 since the first match applied to everything else including the PS4 but excluded the Xbox.
junkym what do your match rules look like? Are you using a single match rule making all ports static for the entire network? Would you mind providing your pf.conf setup? Thanks.
My goal: Apply static-ports only to the Xbox and PS4. All other IP ports on the network should default to having port randomization.
Last edited by bsdsource; 1st October 2016 at 06:54 PM.

Not sure of your network layout, but my firewall has a 4-port nic:
em0 = WAN
em1 = LAN
em2 = GSN -- Gaming and Streaming Network
em3 = VMN -- Virtual Machines Network
em2 goes to a wireless access point for my gaming consoles/Apple TV/Smart TV etc. Here are my match rules for NAT:
Quote:
This has worked for me for the last couple of years.

junkym thanks for the code snippet. What does $LAN_NET equal? Hmm, looking at your code it would seem I overlooked the obvious. Using match out first for my Xbox and PS4 with static ports and then match out for the rest of the network with source port randomization (default) should work. The third match out shouldn't modify my first 2 match outs since they are sticky. I'll test this out.
Are you able to obtain an open NAT with your Xbox? Are you using IPv4 or IPv6? Just curious.
Edit: Just finished with my testing and now have a working match rule set. It appears a match rule will not override a previous match rule. So the sequence of match rules is essential. Below are my final match rules that work:
Code:
match out on $WAN inet from $PS4 to any nat-to ($WAN:0) static-port
match out on $WAN inet from $XBOX to any nat-to ($WAN:0) static-port
match out on $WAN inet from $LAN:network to any nat-to ($WAN:0) port 1024:65535
Last edited by bsdsource; 1st October 2016 at 10:57 PM.
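To see why the orderings in this thread behave as they do, here is a small Python model added as an example (it is not code from the thread or from pf). It assumes two behaviours: pf expands a curly-brace list into one rule per element, and the first match rule whose nat-to applies to a packet wins, with later match rules not overriding it, which is what bsdsource reports above. It runs the opening post's two rule sets and the final rule set against constructed console and LAN addresses.

```python
# Added example, not code from the thread: a model of how pf handles the
# match rules discussed above. Assumed behaviours: a curly-brace list expands
# into one rule per element (so { !a, !b } becomes two negated rules), and the
# first match rule whose nat-to applies wins, later ones not overriding it.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses for the thread's $XBOX and $PS4 plus another LAN host.
XBOX, PS4, LAPTOP = "192.168.1.111", "192.168.1.112", "192.168.1.50"

@dataclass(frozen=True)
class Rule:
    src: Tuple[str, ...]   # elements of the "from" list; () means any host
    negate: bool           # True for "from !..."
    static_port: bool      # nat-to ... static-port vs. port 1024:65535

def expand(rules: List[Rule]) -> List[Rule]:
    """Expand { a b } lists the way pf does: one rule per element."""
    out: List[Rule] = []
    for r in rules:
        if len(r.src) <= 1:
            out.append(r)
        else:
            out.extend(Rule((s,), r.negate, r.static_port) for s in r.src)
    return out

def matches(rule: Rule, src: str) -> bool:
    hit = not rule.src or src in rule.src
    return hit != rule.negate

def translation(rules: List[Rule], src: str) -> Optional[str]:
    """First matching nat-to wins; later match rules do not re-translate."""
    for r in expand(rules):
        if matches(r, src):
            return "static-port" if r.static_port else "random-port"
    return None  # no nat-to matched: the packet would leave untranslated

# Opening post, second snippet: everyone but the Xbox first, consoles after.
FIRST_ATTEMPT = [Rule((XBOX,), True, False),
                 Rule((XBOX,), False, True), Rule((PS4,), False, True)]
# Opening post, third snippet, read as the pf list { !$xbox, !$ps4 }
# (the "||" written there is not pf syntax), followed by the console rules.
NEGATED_LIST = [Rule((XBOX, PS4), True, False),
                Rule((XBOX, PS4), False, True)]
# Final rule set from later in the thread: consoles first, LAN last.
FINAL = [Rule((PS4,), False, True), Rule((XBOX,), False, True),
         Rule((), False, False)]  # () stands in for $LAN:network
def outcome(rules: List[Rule]) -> Dict[str, Optional[str]]:
    return {h: translation(rules, h) for h in (XBOX, PS4, LAPTOP)}
```

Under these assumptions the PS4 is randomized by the first attempt, the negated list randomizes every host (one of the two expanded negations always matches), and only the final ordering gives both consoles static-port while the laptop keeps randomization.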

$LAN_NET is a macro defined as:
Quote:
I get moderate NAT on my Xbox One and NAT Type 2 on my PS4. I use IPv4 only.

junkym do me a favor and try this rule. Let me know if you end up with an open Xbox One NAT. Took me a while to figure this out with the help of tcpdump. This is the only rule I have for my Xbox One. Just make sure you don't restrict outbound access.
Code:
pass in quick on $WAN proto udp from any port 3544 to ($WAN) port 3074 rdr-to $XB1 port 3074
Get rid of any other 3544 or 3074 port rules you have otherwise they will conflict.
Last edited by bsdsource; 1st October 2016 at 10:59 PM.