From: Ian Smith <smithi@nimnet.asn.au>
Date: Sun, 29 Nov 2015 01:53:16 +1100 (EST)
To: Graham Menhennitt
cc: Thomas, freebsd-ipfw@freebsd.org
Subject: Re: connecting a PS4 via IPFW
Message-ID: <20151129003238.F69136@sola.nimnet.asn.au>
In-Reply-To: <56592B3D.5070800@menhennitt.com.au>
References: <5655405C.1060301@menhennitt.com.au> <20151127180317.GA3661@host> <56592B3D.5070800@menhennitt.com.au>

On Sat, 28 Nov 2015 15:19:09 +1100, Graham Menhennitt wrote:
> On 28/11/2015 05:03, Thomas wrote:
> > Aren't your regular NAT rules in NAT instance 1? That command will
> > overwrite those and leave just the new ones.
> >
> > If that's the case, you can put those rules in a different NAT instance,
> > or add them to the rest of your NAT rules.
> >
> > Wed, Nov 25, 2015 at 04:00:12PM +1100, Graham Menhennitt:
> >> Hello IPFWers,
> >>
> >> I have a box running FreeBSD 10-stable that I use as a
> >> router/firewall/NAT. It runs IPFW and uses kernel NAT. My son is nagging
> >> me about playing multi-player online games on his Sony PS4.
> >>
> >> From what I've read, I could enable UPnP. But I've tried compiling the
> >> net/miniupnpd port but it won't build for IPFW (and I don't want to
> >> convert to PF).
> >>
> >> Giving up on that, I'm now trying to enable port forwarding -
> >> apparently, this will fix it. I've allocated the PS4 a static IP address
> >> on my LAN. I need to port forward TCP ports 80, 443, 1935, 3478-3480,
> >> and UDP ports 3478-3479. I've tried the following command:
> >>
> >> ...
> >> but that completely kills my Internet connection for all other uses (and
> >> the PS4 still doesn't work!).
> >>
> Thanks for responding, Thomas. You're right - that's what's killing my
> Internet connection. I've changed the command to:
>
> ipfw nat 1 config if re1 same_ports \
> redirect_port tcp ${PS4_LAN_ADDRESS}:80 80 \
> redirect_port tcp ${PS4_LAN_ADDRESS}:443 443 \
> redirect_port tcp ${PS4_LAN_ADDRESS}:1935 1935 \
> redirect_port tcp ${PS4_LAN_ADDRESS}:3478 3478 \
> redirect_port tcp ${PS4_LAN_ADDRESS}:3479 3479 \
> redirect_port tcp ${PS4_LAN_ADDRESS}:3480 3480 \
> redirect_port udp ${PS4_LAN_ADDRESS}:3478 3478 \
> redirect_port udp ${PS4_LAN_ADDRESS}:3479 3479
>
> At least it doesn't kill anything now. But the PS4 still doesn't work.
> When I do "Test internet connection" on it, it says "NAT: Failed".

To add a little to what Thomas has contributed ..

Not knowing what ipfw rules you're running apart from NAT, it should be
rewarding adding 'log' to rules that could block access, and/or adding
'count log' rules to highlight the traffic to/from $PS4_LAN_ADDRESS, which
should illustrate connection problems, NAT or other ipfw issues.
Firstly I'd just run tcpdump on both outside and inside interfaces over
some test sessions. Again, shouldn't take too long to spot the issue/s.

Often these sorts of things only want to use port 80 or 443 if they can't
connect on their more favoured ports and/or protocol, perhaps as a last
resort behind some corporate firewalls. Personally I'd only expose 80 or
443 inbound if running host services on them; too many drive-by bots.

Does the PS4 have any setting for favoured protocol/port/s? Perhaps you
can limit it to a smaller range than all the above, fewer being better?

For safety, you should deny and log accesses from the PS4 to unexpected
hosts (including yours) and/or ports, rightly concerned about security -
of which upnp is the antithesis!

> For a DMZ, I need a separate network for the PS4 - is that right? That
> means a separate physical connection (i.e. WAP or cable).

Separate network connection, whether physical or virtual. Testing with
tcpdump is a lot easier to find out how you can limit port forwarding, to
see if it's wild enough to make a DMZ advisable for your use case.

And if PS4 usage becomes too heavy, dummynet becomes your best mate :)

cheers, Ian
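The following script is an added example for this thread, not something posted by Graham, Thomas or Ian. It generates, in one place, the three things the replies above talk about: the single `ipfw nat 1 config` line that holds all redirect_port entries (Thomas's point that each `ipfw nat N config` replaces instance N), the 'count log' rules that record the console's traffic without changing any verdict, and the 'deny log' rules that fence the console off from the rest of the LAN. The WAN interface re1 and the port list come from the thread; the LAN interface name re0, the addresses 192.168.1.50, 192.168.1.1 and 192.168.1.0/24, the rule numbers and the DNS/DHCP allowance are constructed assumptions and need editing for a real box.

```shell
#!/bin/sh
# Added example, not from the thread: generate the ipfw(8) rules for forwarding
# a fixed set of ports to one LAN host, plus 'count log' and 'deny log' rules
# for watching and fencing that host. Addresses, rule numbers and the LAN
# interface name are constructed placeholders; re1 is the thread's WAN interface.
PS4_LAN_ADDRESS=192.168.1.50     # constructed: the console's static LAN address
ROUTER_LAN_ADDRESS=192.168.1.1   # constructed: the router's own LAN address
LAN_NET=192.168.1.0/24           # constructed: the LAN the console sits on
WAN_IF=re1                       # from the thread
LAN_IF=re0                       # assumption: inside interface name
TCP_PORTS="80 443 1935 3478 3479 3480"   # thread's list; drop 80/443 unless hosting services on them
UDP_PORTS="3478 3479"
DRY_RUN=${DRY_RUN:-1}            # 1 = print the commands, 0 = execute them

# Build the NAT instance configuration as one ipfw command. Every redirect_port
# for instance 1 must appear on this one line, because 'ipfw nat 1 config'
# replaces the whole instance rather than adding to it.
ps4_nat_config() {
    cmd="ipfw nat 1 config if $WAN_IF same_ports"
    for p in $TCP_PORTS; do
        cmd="$cmd redirect_port tcp $PS4_LAN_ADDRESS:$p $p"
    done
    for p in $UDP_PORTS; do
        cmd="$cmd redirect_port udp $PS4_LAN_ADDRESS:$p $p"
    done
    printf '%s\n' "$cmd"
}

# Audit rules: 'count log' never changes the verdict, it only records the
# packet in the ipfw log, so the log shows what the console actually talks to.
# They sit on the LAN interface so both directions carry the untranslated
# console address. Rule numbers are constructed; place them before your own rules.
ps4_audit_rules() {
    printf 'ipfw add 1000 count log ip from %s to any in via %s\n' "$PS4_LAN_ADDRESS" "$LAN_IF"
    printf 'ipfw add 1001 count log ip from any to %s out via %s\n' "$PS4_LAN_ADDRESS" "$LAN_IF"
}

# Fence rules: let the console reach only DNS/DHCP on the router, then deny
# and log anything else it sends to the LAN (router included), so a
# misbehaving or compromised console cannot reach other LAN hosts.
ps4_fence_rules() {
    printf 'ipfw add 1010 allow udp from %s to %s 53,67 in via %s\n' "$PS4_LAN_ADDRESS" "$ROUTER_LAN_ADDRESS" "$LAN_IF"
    printf 'ipfw add 1011 deny log ip from %s to %s in via %s\n' "$PS4_LAN_ADDRESS" "$LAN_NET" "$LAN_IF"
}

# Print (DRY_RUN=1) or execute (DRY_RUN=0) every generated command line.
apply_rules() {
    { ps4_nat_config; ps4_audit_rules; ps4_fence_rules; } | while IFS= read -r line; do
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$line"
        else
            eval "$line"
        fi
    done
}

apply_rules
```

Run it as-is to review the five generated lines, then with `DRY_RUN=0` as root to load them. The rules from the thread that actually pass or NAT the traffic are left to the existing ruleset; the generated rules only add visibility and the fence, and the audit rules are what to read (together with tcpdump on both interfaces) when the console reports "NAT: Failed".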