It appears to be working on two boxes I checked using a match out rule. I’m not using a binat-to line.
Michael

On Mon, Jan 22, 2018 at 10:49 AM Martin Hlavatý <[email protected]> wrote:

> Hello everyone,
> in December I upgraded from 5.9 to 6.2 (including 6.0 and
> 6.1) and shortly after that few customers contacted me
> that they are getting nat type 3 on their xbox\playstation.
> When doing some investigation, I noticed that binat-to
> rules have static-port specified, but looking into states
> table, they were actually not mapped statically. Failing
> over to backup box still running 5.9 with identical ruleset,
> ports are actually mapped statically and online gaming
> on consoles works fine.
>
> I tried to do some investigation, but am not aware of any
> change in pf syntax. So wondering if anyone would be
> able to confirm this behavior?
>
> this is in rules:
>
> pass out inet from 10.11.12.13 to any flags S/SA nat-to 5.6.7.8 static-port
> pass in inet from any to 5.6.7.8 flags S/SA rdr-to 10.11.12.13
>
> and example of states:
>
> all udp 5.6.7.8:65350 (10.11.12.13:3074) -> 52.166.52.75:1986 MULTIPLE:MULTIPLE
> all tcp 5.6.7.8:63203 (10.11.12.13:38010) -> 31.13.91.33:443 ESTABLISHED:ESTABLISHED
> all tcp 5.6.7.8:59711 (10.11.12.13:42530) -> 74.125.133.188:5228 ESTABLISHED:ESTABLISHED
>
> Regards,
> Martin
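
A check for the symptom reported in this thread, as an added example that is not part of either poster's message: it reads pf state lines in the layout quoted above and lists outbound NAT states whose translated source port differs from the internal source port. The function names, the constructed fourth sample line and the IPv4-only `addr:port` parsing are assumptions.

```shell
#!/bin/sh
# Added example: flag outbound NAT states where static-port was not honoured,
# i.e. the translated source port differs from the internal source port.
# Assumes IPv4 state lines laid out as in the thread:
#   <if> <proto> <nat_ip:port> (<internal_ip:port>) -> <dst_ip:port> <state>

# check_static_port NAT_ADDR   (state lines on stdin)
# Prints "<proto> <internal_ip:port> -> <translated_port>" per remapped state.
# Returns 1 if any remapped state was found, 0 otherwise.
check_static_port() {
    awk -v nat="$1" '
        $5 == "->" && $4 ~ /^\(.*\)$/ {
            # $3 is the translated (external) source address and port
            if (split($3, ext, ":") != 2 || ext[1] != nat) next
            # $4 is the internal source in parentheses; strip them
            inner = substr($4, 2, length($4) - 2)
            if (split(inner, src, ":") != 2) next
            if (ext[2] != src[2]) {
                printf "%s %s -> %s\n", $2, inner, ext[2]
                bad++
            }
        }
        END { exit (bad > 0) }
    '
}

# Sample input: the three states quoted in the thread, plus one constructed
# line (203.0.113.10 is a documentation address) where the port is preserved.
sample_states() {
    cat <<'EOF'
all udp 5.6.7.8:65350 (10.11.12.13:3074) -> 52.166.52.75:1986 MULTIPLE:MULTIPLE
all tcp 5.6.7.8:63203 (10.11.12.13:38010) -> 31.13.91.33:443 ESTABLISHED:ESTABLISHED
all tcp 5.6.7.8:59711 (10.11.12.13:42530) -> 74.125.133.188:5228 ESTABLISHED:ESTABLISHED
all udp 5.6.7.8:3074 (10.11.12.13:3074) -> 203.0.113.10:3074 MULTIPLE:MULTIPLE
EOF
}

# Demo run on the sample; the message prints when remapped states exist.
sample_states | check_static_port 5.6.7.8 || echo "static-port not honoured"
```

On a live firewall, pipe `pfctl -s states` into `check_static_port` with the NAT address in place of the sample function.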

