I tried both (pass out quick right below nat-to line and also let it go to the end of my rulebase) and it didnt change anything.
Martin On Tue, Jan 23, 2018 at 3:19 PM, Michael Price <[email protected]> wrote: > The lack of a quick keyword on that line makes me wonder if you have a later > rule that is matching. > > Michael > > On Mon, Jan 22, 2018 at 5:34 PM Martin Hlavatý <[email protected]> wrote: >> >> Interesting. I did a few tests now, and here are results. >> >> This doesn't map ports statically on 6.2 but does on 5.9: >> pass out from 10.11.12.13 to any nat-to 1.2.3.4 static-port >> >> This works fine: >> pass out quick from 10.11.12.13 to any nat-to 1.2.3.4 static-port >> >> This works fine too: >> match out from 10.11.12.13 to any nat-to 1.2.3.4 static-port >> >> Martin >> >> >> On Mon, Jan 22, 2018 at 8:23 PM, Michael Price <[email protected]> >> wrote: >> > It appears to be working on two boxes I checked using a match out rule. >> > I’m >> > not using a binat-to line. >> > >> > Michael >> > >> > On Mon, Jan 22, 2018 at 10:49 AM Martin Hlavatý <[email protected]> >> > wrote: >> >> >> >> Hello everyone, >> >> in December I upgraded from 5.9 to 6.2 (including 6.0 and >> >> 6.1) and shortly after that few customers contacted me >> >> that they are getting nat type 3 on their xbox\playstation. >> >> When doing some investigation, I noticed that binat-to >> >> rules have static-port specified, but looking into states >> >> table, they were actually not mapped statically. Failing >> >> over to backup box still running 5.9 with identical ruleset, >> >> ports are actually mapped statically and online gaming >> >> on consoles works fine. >> >> >> >> I tried to do some investigation, but am not aware of any >> >> change in pf syntax. So wondering if anyone would be >> >> able to confirm this behavior? >> >> >> >> this is in rules: >> >> >> >> pass out inet from 10.11.12.13 to any flags S/SA nat-to 5.6.7.8 >> >> static-port >> >> pass in inet from any to 5.6.7.8 flags S/SA rdr-to 10.11.12.13 >> >> >> >> and example of states: >> >> >> >> all udp 5.6.7.8:65350 (10.11.12.13:3074) -> 52.166.52.75:1986 >> >> MULTIPLE:MULTIPLE >> >> all tcp 5.6.7.8:63203 (10.11.12.13:38010) -> 31.13.91.33:443 >> >> ESTABLISHED:ESTABLISHED >> >> all tcp 5.6.7.8:59711 (10.11.12.13:42530) -> 74.125.133.188:5228 >> >> ESTABLISHED:ESTABLISHED >> >> >> >> >> >> >> >> Regards, >> >> Martin >> >> >> >
