Date:      Mon, 30 Apr 2012 20:44:13 -0400
From:      Michael MacLeod <mikemacleod@gmail.com>
To:        Darren Pilgrim <darren.pilgrim@gmail.com>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Full Cone NAT In PF
Message-ID:  <CAM-FeoEFA3-thWx31kS8Y9MBfGHZQrEqbNQV%2BqTt073xO1eLUQ@mail.gmail.com>
In-Reply-To: <4F9E270F.3070605@gmail.com>
References:  <CAM-FeoFie0aZJXu0%2BiCo=_myjz1QH89G1WSBDmp8PUZ2NYQkHg@mail.gmail.com> <4F9E270F.3070605@gmail.com>

Darren and Zaphod,

Thanks for the response. If I understand full-cone NAT, it's basically like
opening a port forward in the firewall, since any packets arriving on the
WAN interface for that particular external port from any source address
will be forwarded to the internal host. And you are correct that UPnP
should enable this type of connectivity as well, by explicitly opening a
port in the firewall. I have both static-port and miniupnpd enabled on my
router. According to the Microsoft Internet Evaluation Tool, my NAT Type
is symmetrical but UPnP is supported.

I'm currently having a problem with Battlefield 3 co-op play, so I'm using
that to test. I can play regular online games fine, and I can play co-op
games with friends who have Linux (mostly DD-WRT based) routers. But I
configured a FreeBSD firewall at one particular friend's place that uses a
largely similar configuration to my own. They get the same results from the
MS Eval Tool, but I cannot successfully play a co-op game with any of the
people in that house. We can all play regular online games hosted on third
party servers, but cannot play co-op matches.

At the end of the day we could solve it by getting our ISP to route a /29
to their house and using binat (I already have a /29), but it would be nice
if there was the option to use 'nat on $wan_if from <lan_net> -> ($wan_if)
full-cone' in a ruleset to achieve the correct behaviour.

On Mon, Apr 30, 2012 at 1:45 AM, Darren Pilgrim <darren.pilgrim@gmail.com> wrote:

> On 2012-04-29 17:03, Michael MacLeod wrote:
>
>> I understand that cone NAT is a generally terrible and insecure way to do
>> NAT, but game and application developers seem hell-bent on depending on
>> cone NAT behaviour. Is there a way to make it work with PF?
>>
>
> Not directly, no.  In most cases where the application/device will not
> work through symmetric NAT, all that is necessary is a port forward, not
> true full-cone NAT.
>
> Have a look at the net/miniupnpd port.  It is a UPnP daemon that anchors
> to pf and maintains rdr rules for dynamic port forwarding.  You can do the
> same thing on a static basis by maintaining your own nat static-port and
> rdr rules if your SIP devices do not support UPnP.
>
> For those who search mail archives, this is also how you get a FreeBSD
> router to make your PS3 show NAT type 2 instead of type 3 or your Xbox show
> NAT type open instead of strict or moderate.
>
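As an added example (not the thread's own ruleset, and not from the miniupnpd port), here is a pf.conf fragment in the pre-4.5 syntax FreeBSD used at the time, showing the approach Darren describes: static-port NAT, explicit rdr port forwards for the game host, and the miniupnpd anchors. The interface names, LAN prefix, internal host and port list are assumed placeholders.

```conf
# Added example, not the poster's configuration. Interface names, the LAN
# prefix, the internal host and the port list are constructed placeholders;
# take the real ports from the application's documentation.
wan_if = "em0"
lan_if = "em1"
lan_net = "192.168.1.0/24"
game_host = "192.168.1.50"      # internal machine running the game
game_ports = "{ 5000, 5001 }"   # constructed placeholder UDP ports

# Translation rules. static-port keeps the internal source port on the
# outside, so the external mapping is predictable for peers that learn it
# via STUN or UPnP instead of being rewritten per destination.
nat on $wan_if from $lan_net to any -> ($wan_if) static-port

# miniupnpd inserts its dynamic nat/rdr rules into these anchors.
nat-anchor "miniupnpd"
rdr-anchor "miniupnpd"

# Static forward for the game ports only: this is the "port forward, not
# true full-cone NAT" from the reply, scoped to one host and a known port
# list rather than accepting every inbound packet on a mapped port.
rdr on $wan_if proto udp from any to ($wan_if) port $game_ports -> $game_host

# Filtering: default deny inbound on WAN, let miniupnpd's pass rules through
# its anchor, and only pass the traffic the rdr rule above redirects.
block in on $wan_if
anchor "miniupnpd"
pass in on $wan_if proto udp from any to $game_host port $game_ports keep state
pass out on $wan_if keep state
pass on $lan_if keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -sn` and `pfctl -sa` show the translation rules and the contents of the miniupnpd anchors once the daemon has added mappings.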