From owner-freebsd-ipfw@freebsd.org Sat Nov 28 09:48:07 2015
Date: Sat, 28 Nov 2015 07:47:53 -0200
From: Thomás S. Bregolin
To: Graham Menhennitt
Cc: freebsd-ipfw@freebsd.org
Subject: Re: connecting a PS4 via IPFW
Message-ID: <20151128094753.GA5426@bloo>
References: <5655405C.1060301@menhennitt.com.au> <20151127180317.GA3661@host> <56592B3D.5070800@menhennitt.com.au>
In-Reply-To: <56592B3D.5070800@menhennitt.com.au>
List-Id: IPFW Technical Discussions

Hello,

Besides the redirect_port option, you still need rules allowing traffic in to those ports. Excuse me if you've done that already (I have no way of knowing).

I'd suggest forwarding one or all of those ports to another host, and testing with netcat in order to rule out problems with the PS4 configuration or some other problem upstream in your network. Sniffing with tcpdump might help. There are "port checkers" out there if you don't have another external address to test from (like canyouseeme.org).

To do a proper DMZ, yes, you'd either use more physical interfaces and connections, or VLANs. That could be overkill in your situation, unless you're really keen on having a very secure home network.

Best of luck,
Thomas

Sat, Nov 28, 2015 at 03:19:09PM +1100, Graham Menhennitt:
> On 28/11/2015 05:03, Thomas wrote:
> > Aren't your regular NAT rules in NAT instance 1? That command will
> > overwrite those and leave just the new ones.
> >
> > If that's the case, you can put those rules in a different NAT instance,
> > or add them to the rest of your NAT rules.
> >
> >
> > Wed, Nov 25, 2015 at 04:00:12PM +1100, Graham Menhennitt:
> >> Hello IPFWers,
> >>
> >> I have a box running FreeBSD 10-stable that I use as a
> >> router/firewall/NAT. It runs IPFW and uses kernel NAT. My son is nagging
> >> me about playing multi-player online games on his Sony PS4.
> >>
> >> From what I've read, I could enable UPnP. But I've tried compiling the
> >> net/miniupnpd port but it won't build for IPFW (and I don't want to
> >> convert to PF).
> >>
> >> Giving up on that, I'm now trying to enable port forwarding -
> >> apparently, this will fix it. I've allocated the PS4 a static IP address
> >> on my LAN. I need to port forward TCP ports 80, 443, 1935, 3478-3480,
> >> and UDP ports 3478-3479. I've tried the following command:
> >>
> >> ...
> >> but that completely kills my Internet connection for all other uses (and
> >> the PS4 still doesn't work!).
> >>
> Thanks for responding, Thomas. You're right - that's what's killing my
> Internet connection. I've changed the command to:
>
> ipfw nat 1 config if re1 same_ports \
>     redirect_port tcp ${PS4_LAN_ADDRESS}:80 80 \
>     redirect_port tcp ${PS4_LAN_ADDRESS}:443 443 \
>     redirect_port tcp ${PS4_LAN_ADDRESS}:1935 1935 \
>     redirect_port tcp ${PS4_LAN_ADDRESS}:3478 3478 \
>     redirect_port tcp ${PS4_LAN_ADDRESS}:3479 3479 \
>     redirect_port tcp ${PS4_LAN_ADDRESS}:3480 3480 \
>     redirect_port udp ${PS4_LAN_ADDRESS}:3478 3478 \
>     redirect_port udp ${PS4_LAN_ADDRESS}:3479 3479
>
> At least it doesn't kill anything now. But the PS4 still doesn't work.
> When I do "Test internet connection" on it, it says "NAT: Failed".
>
> For a DMZ, I need a separate network for the PS4 - is that right? That
> means a separate physical connection (i.e. WAP or cable).
>
> Thanks again,
> Graham
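The rule fragment Thomas describes (the redirect_port entries plus explicit rules allowing the forwarded traffic in), together with the netcat check, as an added example that is not part of this thread and not the FreeBSD project's own code. It assumes the WAN interface re1 from Graham's command, a made-up PS4 address 192.168.1.50 in place of ${PS4_LAN_ADDRESS}, NAT instance 1, and that the generated lines are loaded with "ipfw /path/to/file" (each line an ipfw command without the leading "ipfw"). The function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: build an ipfw in-kernel NAT fragment
# that forwards the PS4's ports AND allows them in, then (optionally) load it
# or probe a port from outside. Assumed values, edit for your router:
WAN_IF="${WAN_IF:-re1}"                           # from Graham's command
PS4_LAN_ADDRESS="${PS4_LAN_ADDRESS:-192.168.1.50}" # made-up LAN address
TCP_PORTS="80 443 1935 3478 3479 3480"            # ports from Graham's post
UDP_PORTS="3478 3479"
# The same ports as ipfw port lists for the allow rules.
TCP_LIST="80,443,1935,3478-3480"
UDP_LIST="3478-3479"

# Print the fragment in the syntax 'ipfw /path/to/file' expects.
gen_rules() {
    # 1. (Re)configure NAT instance 1 with every redirect in one command.
    #    'nat 1 config' replaces the whole instance, which is why Graham's
    #    earlier attempt wiped his regular NAT: all redirects go together.
    line="nat 1 config if $WAN_IF same_ports"
    for p in $TCP_PORTS; do
        line="$line redirect_port tcp $PS4_LAN_ADDRESS:$p $p"
    done
    for p in $UDP_PORTS; do
        line="$line redirect_port udp $PS4_LAN_ADDRESS:$p $p"
    done
    echo "$line"
    # 2. Hand every packet crossing the WAN interface to the NAT instance.
    echo "add 100 nat 1 ip from any to any via $WAN_IF"
    # 3. Allow the forwarded traffic in. Inbound packets have already been
    #    translated when they reach these rules, so match the PS4's LAN
    #    address, not the public one. These rules are what lets the packet
    #    through when net.inet.ip.fw.one_pass=0 (processing continues after
    #    the nat rule); with one_pass=1 a successfully translated packet is
    #    accepted at rule 100 and never reaches them.
    echo "add 110 allow tcp from any to $PS4_LAN_ADDRESS $TCP_LIST in via $WAN_IF"
    echo "add 120 allow udp from any to $PS4_LAN_ADDRESS $UDP_LIST in via $WAN_IF"
}

# Load the fragment with ipfw (root on FreeBSD). Nothing is flushed here:
# merge by rule number with the rules you already have.
apply_rules() {
    f=$(mktemp) || return 1
    if gen_rules > "$f" && ipfw -q "$f"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$f"
    return "$rc"
}

# Thomas's netcat test, TCP side: run 'nc -l PORT' on the host you forward
# to, 'tcpdump -ni re1 port PORT' on the router, and this from a host on the
# public side of re1 (exit status 0 means the port answered). For UDP use
# 'nc -u -l PORT' on the target and 'echo ping | nc -u PUBLIC_IP PORT'.
probe_tcp() {  # probe_tcp PUBLIC_IP PORT
    nc -z -w 3 "$1" "$2"
}

case "${1:-}" in
    apply) apply_rules ;;
    probe) probe_tcp "$2" "$3" ;;
    *)     gen_rules ;;          # default: just print the fragment
esac
```

Run it with no arguments to review the generated lines, "apply" to load them, and "probe PUBLIC_IP PORT" from a machine outside your WAN. If "probe" fails while tcpdump on re1 shows the SYN arriving, the problem is the ruleset; if nothing arrives, it is upstream (ISP, modem, or a "port checker" being blocked), which is the distinction Thomas is suggesting you make before blaming the PS4.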