PFSense firewall pass rules

W

wavewerx

Limp Gawd
Joined
Oct 8, 2008
Messages
284


Uploaded with ImageShack.us

Firewall System Log and Firewall Rules attached.

All of my rules are disabled except for TCP\UDP *\* - passing through anything to any port. This setup is the only way I can get low pings in games, server lists to appear, and most importantly - SC2 voice chat to work. I'd like to close down all ports except the ones I need - you know, like a firewall is supposed to act.


The only ports that I can get to successfully open are 80-http and 53-DNS. Curiously, both of those ports are 'known' by pfsense and can be selected in a dropdown menu (other 'default' port protocols do not pass FWIW). If the rule is disabled, they're blocked. If it's enabled, they pass. For all my other ports (tests were done with 27015, 3074, 389, and 1119) enabling the specific rule, disabling the specific rule, or enabling/disabling the catch-all */* rule still displays them as unreachable (cantyouseeme.com) except for 80 and 53.

Now - My firewall is letting them through - Green Light entry in the log - but cantyouseeme.com says otherwise.

FWIW I followed this guide top change my NAT from Strict to Moderate (for Crysis 2 Multiplayer Beta). Thats basically the only other work done on my router as I'm just starting to learn on it.

All I know is that I want my network secure and I want to hear my buds on SC2. Right now, I'm sacrificing security for teamwork and a better chance at fixing my w/l ratio!
 
What's under your "NAT" configuration under Firewall? I find configging NAT configs the corresponding firewall rules appropriately. The firewall comments/remarks lead me to believe you didn't configure them via NAT since they usually say things like UDP PORT 53 NAT etc...
 
I actually don't have anything setup under NAT under the assumption that 'NAT isn't something you need to mess with if everything works.' I'll check out NAT this afternoon and see if I can't get any different results.

Any reason why ports 80 / 53 work just fine though?
 
Yes, you need to look at your NAT port forward entries. Also allowing all ports in to everything is bad, if nothing else you need to give your pc a static ip (or a dhcp reservation), and change your rules to forward just your machine.
 
dave99 said:
Yes, you need to look at your NAT port forward entries. Also allowing all ports in to everything is bad, if nothing else you need to give your pc a static ip (or a dhcp reservation), and change your rules to forward just your machine.
Click to expand...

I've added a NAT port forward entry for UDP 1119 and voice chat worked today in SC2. I'll update the rest of my entrys similarly and respond.

Another reason that I didn't setup NAT Port Forwarding was because of 2 things: Source port and destination IP.

I figure source port agnostic would be the way to go. Will you ever run into an instance where the source port is different from the destination port? (I'm talking about game firewall settings, and maybe torrenting?)

Also, the destination IP needs to be 'whoever's requesting it.' I made the router (192.168.1.1) the destination IP because other users behind my firewall need to be able to voice chat and game besides just me. For something like RDP / VNC, I'll make it my computer, but for gaming - it needs to be the network. Comments there?
 
Last edited:
Ah, didn't realize there were other playing on the same network. You almost never need to set source port, only the destination port (destination being on your side), because they are rarely the same.

I'm not sure what your best solution is where you need multiple machines access the same game servers, you can only nat port forward to 1 internal IP.

Posting over at the pfsense board in the game forum might get you more answers. Might also have better luck upgrading to 2.0, I think it has more options available.
 
Quick note - Under NAT Port Forwarding I added an entry for UDP 1119, NOT UDP 1119-1120.

I've just asked this question at pfsense forums. Thanks for the suggestion dave99.

NAT Port Forwarding won't let me NOT declare a source port. Maybe 2.0 does? I don't want to continue adding entries until I can solve or learn more about that issue. SC2 Voice chat's working right now and after a day of work at the office, SC2 working is on high priority for the next few hours :)
 
You're right, 2.0 is different, it allows src prt selection (again, rarely used). On 1.2.3, your external port range & local port should be the same. You are selecting the the port the packets arrive on pfsenses external interface, and what they are translated to on your LAN side, so they should be the same.
 
dave99 said:
You're right, 2.0 is different, it allows src prt selection (again, rarely used). On 1.2.3, your external port range & local port should be the same. You are selecting the the port the packets arrive on pfsenses external interface, and what they are translated to on your LAN side, so they should be the same.
Click to expand...

I read that comment for the past few days over and over again trying to understand it. I thought you had repeated yourself but I finally figured it out!

Thanks for the help Dave99 - I'll be adding all my other rules to NAT now. or rather - originating them within NAT port forwarding. Additionally, the NAT IP address (Enter the internal IP address of the server on which you want to map the port) is mapped to the router.
 
Last edited:
You shouldn't need to have so many openings on the WAN side. I haven't needed to make many NAT port forwards either. Right now I have pretty much allow everything coming in on the LAN port and block everything coming in on the WAN port. There are a few programs I have had to make NAT port forwards for and I'm not familiar with SC2 voice so this may be an exception.

Allowing everything in on the LAN port isn't ideal but egress filtering is hell for P2P.
 
You must log in or register to reply here.
Back
Top