From owner-freebsd-net@FreeBSD.ORG Tue May 1 00:44:34 2012
From: Michael MacLeod
Date: Mon, 30 Apr 2012 20:44:13 -0400
To: Darren Pilgrim
Cc: freebsd-net@freebsd.org
Subject: Re: Full Cone NAT In PF
In-Reply-To: <4F9E270F.3070605@gmail.com>
List-Id: Networking and TCP/IP with FreeBSD

Darren and Zaphod,

Thanks for the response.
If I understand full-cone NAT, it's basically like opening a port forward in the firewall, since any packets arriving on the WAN interface for that particular external port from any source address will be forwarded to the internal host. And you are correct that UPnP should enable this type of connectivity as well, by explicitly opening a port in the firewall.

I have both static-port and miniupnpd enabled on my router. According to the Microsoft Internet Evaluation Tool, my NAT Type is symmetrical but UPnP is supported.

I'm currently having a problem with Battlefield 3 co-op play, so I'm using that to test. I can play regular online games fine, and I can play co-op games with friends who have Linux (mostly DD-WRT based) routers. But I configured a FreeBSD firewall at one particular friend's place that uses a largely similar configuration to my own. They get the same results from the MS Eval Tool, but I cannot successfully play a co-op game with any of the people in that house. We can all play regular online games hosted on third-party servers, but cannot play co-op matches.

At the end of the day we could solve it by getting our ISP to route a /29 to their house and using binat (I already have a /29), but it would be nice if there was the option to use 'nat on $wan_if from -> ($wan_if) full-cone' in a ruleset to achieve the correct behaviour.

On Mon, Apr 30, 2012 at 1:45 AM, Darren Pilgrim wrote:
> On 2012-04-29 17:03, Michael MacLeod wrote:
>
>> I understand that cone NAT is a generally terrible and insecure way to do
>> NAT, but game and application developers seem hell-bent on depending on
>> cone NAT behaviour. Is there a way to make it work with PF?
>
> Not directly, no. In most cases where the application/device will not
> work through symmetric NAT, all that is necessary is a port forward, not
> true full-cone NAT.
>
> Have a look at the net/miniupnpd port. It is a UPnP daemon that anchors
> to pf and maintains rdr rules for dynamic port forwarding.
> You can do the same thing on a static basis by maintaining your own nat
> static-port and rdr rules if your SIP devices do not support UPnP.
>
> For those who search mail archives, this is also how you get a FreeBSD
> router to make your PS3 show NAT type 2 instead of type 3 or your Xbox show
> NAT type open instead of strict or moderate.
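As an added illustration of the static alternative Darren describes (outbound nat with static-port plus a hand-written rdr port forward), here is a pf.conf fragment in the nat/rdr syntax FreeBSD's pf used at the time. It is not from the thread or from the miniupnpd project; the interface names, the 192.168.1.0/24 LAN, the 192.168.1.10 host and UDP port 12345 are placeholders to replace with the addresses and the port(s) the application actually documents.

```pf
# Added example, not from the mailing-list thread.
# Placeholders: interfaces, LAN, forwarded host and port.
ext_if    = "em0"
int_if    = "em1"
int_net   = "192.168.1.0/24"
game_host = "192.168.1.10"
game_port = "12345"

# Outbound NAT. static-port keeps the original source port instead of
# rewriting it to a random high port; a rewritten source port is what
# makes NAT-type probes classify the router as symmetric.
nat on $ext_if from $int_net to any -> ($ext_if) static-port

# Inbound port forward. rdr matches on destination port only, so packets
# from any peer address reach the internal host, which is the cone-like
# behaviour the application expects. Restrict it to the protocol and
# port the application needs; forwarding more than that widens exposure.
rdr on $ext_if proto udp from any to ($ext_if) port $game_port \
    -> $game_host port $game_port

# Translation rules (nat/rdr) must precede filter rules. The filter sees
# the already-translated destination, so pass traffic to the internal
# host; the state entry carries the replies back out.
pass in on $ext_if proto udp from any to $game_host port $game_port keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`, and confirm with `pfctl -s nat` that both the nat and rdr rules are present. One caveat worth keeping in mind: an external port can be forwarded to only one internal host, so several hosts behind the same router that each need the same external port either have to use distinct ports or rely on miniupnpd to negotiate per-host mappings.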