Date:      Sun, 29 Nov 2015 01:53:16 +1100 (EST)
From:      Ian Smith <smithi@nimnet.asn.au>
To:        Graham Menhennitt <graham@menhennitt.com.au>
Cc:        Thomas <thomas5th@gmail.com>, freebsd-ipfw@freebsd.org
Subject:   Re: connecting a PS4 via IPFW
Message-ID:  <20151129003238.F69136@sola.nimnet.asn.au>
In-Reply-To: <56592B3D.5070800@menhennitt.com.au>
References:  <5655405C.1060301@menhennitt.com.au> <20151127180317.GA3661@host> <56592B3D.5070800@menhennitt.com.au>

On Sat, 28 Nov 2015 15:19:09 +1100, Graham Menhennitt wrote:
 > On 28/11/2015 05:03, Thomas wrote:
 > > Aren't your regular NAT rules in NAT instance 1? That command will
 > > overwrite those and leave just the new ones.
 > >
 > > If that's the case, you can put those rules in a different NAT instance,
 > > or add them to the rest of your NAT rules.
 > >
 > >
 > > Wed, Nov 25, 2015 at 04:00:12PM +1100, Graham Menhennitt:
 > >> Hello IPFWers,
 > >>
 > >> I have a box running FreeBSD 10-stable that I use as a
 > >> router/firewall/NAT. It runs IPFW and uses kernel NAT. My son is nagging
 > >> me about playing multi-player online games on his Sony PS4.
 > >>
 > >> From what I've read, I could enable UPnP. But I've tried compiling the
 > >> net/miniupnpd port but it won't build for IPFW (and I don't want to
 > >> convert to PF).
 > >>
 > >> Giving up on that, I'm now trying to enable port forwarding -
 > >> apparently, this will fix it. I've allocated the PS4 a static IP address
 > >> on my LAN. I need to port forward TCP ports 80, 443, 1935, 3478-3480,
 > >> and UDP ports 3478-3479. I've tried the following command:
 > >>
 > >> ...
 > >> but that completely kills my Internet connection for all other uses (and
 > >> the PS4 still doesn't work!).
 > >>
 > Thanks for responding, Thomas. You're right - that's what's killing my
 > Internet connection. I've changed the command to:
 > 
 > ipfw nat 1 config if re1 same_ports \
 >         redirect_port tcp ${PS4_LAN_ADDRESS}:80 80 \
 >         redirect_port tcp ${PS4_LAN_ADDRESS}:443 443 \
 >         redirect_port tcp ${PS4_LAN_ADDRESS}:1935 1935 \
 >         redirect_port tcp ${PS4_LAN_ADDRESS}:3478 3478 \
 >         redirect_port tcp ${PS4_LAN_ADDRESS}:3479 3479 \
 >         redirect_port tcp ${PS4_LAN_ADDRESS}:3480 3480 \
 >         redirect_port udp ${PS4_LAN_ADDRESS}:3478 3478 \
 >         redirect_port udp ${PS4_LAN_ADDRESS}:3479 3479
 > 
 > At least it doesn't kill anything now. But the PS4 still doesn't work.
 > When I do "Test internet connection" on it, it says "NAT: Failed".

To add a little to what Thomas has contributed ..

Not knowing what ipfw rules you're running apart from NAT, it should be 
rewarding adding 'log' to rules that could block access, and/or adding 
'count log' rules to highlight the traffic to/from $PS4_LAN_ADDRESS, 
which should illustrate connection problems, NAT or other ipfw issues. 

Firstly I'd just run tcpdump on both outside and inside interfaces over
some test sessions.  Again, shouldn't take too long to spot the issue/s.

Often these sort of things only want to use port 80 or 443 if they can't 
connect on their more favoured ports and/or protocol, perhaps as a last 
resort behind some corporate firewalls.  Personally I'd only expose 80 
or 443 inbound if running host services on them; too many drive-by bots.

Does the PS4 have any setting for favoured protocol/port/s?  Perhaps you 
can limit it to a smaller range than all the above, fewer being better? 
For safety, you should deny and log accesses from the PS4 to unexpected 
hosts (including yours) and/or ports, rightly concerned about security - 
of which upnp is the antithesis!

 > For a DMZ, I need a separate network for the PS4 - is that right? That
 > means a separate physical connection (i.e. WAP or cable).

Separate network connection, whether physical or virtual.  Testing with 
tcpdump is a lot easier to find out how you can limit port forwarding, 
to see if it's wild enough to make a DMZ advisable for your use case.

And if PS4 usage becomes too heavy, dummynet becomes your best mate :)

cheers, Ian

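The following is an added example that is not part of this thread and not FreeBSD's own tooling: a small POSIX sh function that emits an ipfw(8) rule file implementing the `redirect_port` forwarding from Graham's command together with the `count log` and `deny log` rules Ian suggests. The interface names `re1`/`re0`, the PS4 address `192.168.1.50`, the rule numbers, and the assumption that the PS4 only needs DNS from the router itself are all hypothetical values for illustration; fit them into your own ruleset before loading.

```shell
#!/bin/sh
# Added example (not from the thread): generate an ipfw(8) rule file that
# implements the redirect_port forwarding plus the 'count log' and
# 'deny log' visibility rules.  Interface names, addresses and rule numbers
# are assumptions; adjust them to the existing ruleset on the router.

# Usage: ps4_ruleset WAN_IF LAN_IF PS4_ADDR
ps4_ruleset() {
    wan_if=$1
    lan_if=$2
    ps4=$3

    # Ports from the original post.
    tcp_ports="80 443 1935 3478 3479 3480"
    udp_ports="3478 3479"

    # One NAT instance with every redirect_port on a single 'config' line:
    # running 'nat 1 config' again replaces the instance, so all redirects
    # (and the existing 'if'/'same_ports' options) must be in one command.
    nat="nat 1 config if $wan_if same_ports"
    for p in $tcp_ports; do nat="$nat redirect_port tcp $ps4:$p $p"; done
    for p in $udp_ports; do nat="$nat redirect_port udp $ps4:$p $p"; done
    printf '%s\n' "$nat"

    # Apply NAT to everything crossing the WAN interface.
    printf 'add 100 nat 1 ip from any to any via %s\n' "$wan_if"

    # Count+log rules tied to the LAN-side pass, where the PS4's address is
    # visible in both directions; counters show up in 'ipfw -a list' and
    # the logged packets make failed connections visible without tcpdump.
    printf 'add 200 count log ip from %s to any in via %s\n' "$ps4" "$lan_if"
    printf 'add 201 count log ip from any to %s out via %s\n' "$ps4" "$lan_if"

    # Assumption: the PS4 only needs DNS from the router itself.  Anything
    # else it sends to the router's own addresses is denied and logged.
    printf 'add 300 allow udp from %s to me 53 in via %s\n' "$ps4" "$lan_if"
    printf 'add 301 deny log ip from %s to me in via %s\n' "$ps4" "$lan_if"
}

# Example run with constructed values.  On the router, save the output to a
# file and load it with 'ipfw -q /path/to/file'.
ps4_ruleset re1 re0 192.168.1.50
```

Two caveats when using rules like these on FreeBSD 10: `log` only produces syslog output when `net.inet.ip.fw.verbose` is 1 (and stops after `net.inet.ip.fw.verbose_limit` packets per rule if that limit is non-zero), and with the default `net.inet.ip.fw.one_pass=1` a packet leaves the firewall right after it matches the `nat` rule, which is why the count and deny rules above are bound to the LAN interface pass rather than placed below rule 100 on the WAN side.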


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20151129003238.F69136>