Re: [pfSense-discussion] Set an OPT2 interface UDP rule with static-port option
On 1/27/06, Adam Gibson <[EMAIL PROTECTED]> wrote:
> I had to remove the src and dst ports and use src and dst IPs with static-port because a pf error scrolled across the top of the pfsense web admin page saying that static-port does not work with port ranges. Someone probably should find out what really can and can not be used with static-port so that the correct fields can be greyed out so that users can't select things that pf will not work with.
>
> The rule that works...
>
> 192.168.1.140/32
> Attempt to keep quake4 server src port static through NAT
> wan
> 192.246.40.28/32

Please file a ticket at http://cvstrac.pfsense.com/tktnew . Include as much info as possible. Thanks!
Re: [pfSense-discussion] Set an OPT2 interface UDP rule with static-port option
Bill Marquette wrote:
> On 1/27/06, Adam Gibson <[EMAIL PROTECTED]> wrote:
> > Bill Marquette wrote:
> > > On 1/27/06, Adam Gibson <[EMAIL PROTECTED]> wrote:
> > > > Thanks for the direction. I found the static-port setting. Someone has probably already noticed the bug but the NAT listing does not display properly for the rule I just created (the fields are in the wrong spot in the table but editing the rule looks like it is setup correctly). I won't be able to test it until later tonight. This is the xml that was generated. The UDP packets in question that originate from the OPT1 network are src=192.168.1.140 srcport=28004 dst=192.246.40.28 dstport=27650 .
> > >
> > > Odd, I fixed that display issue a while ago, it should be in the latest snapshot :-/
> > >
> > > --Bill
> >
> > Below is a link that shows the problem in case you want to see it. The previous email shows the real Outbound NAT settings for it.
> >
> > http://www.xstatica.com/pfsense-snapshot20060125-outbound-nat-table-problem.png
>
> Bleh, ok, so I didn't fix this right. Thanks for reporting it. As you mention, it's just a display issue.
>
> --Bill

Only appears to be a rule display issue. I had to make some adjustments to the outbound NAT rule to get it to work but it does seem to work.

I had to remove the src and dst ports and use src and dst IPs with static-port because a pf error scrolled across the top of the pfsense web admin page saying that static-port does not work with port ranges. Someone probably should find out what really can and can not be used with static-port so that the correct fields can be greyed out so that users can't select things that pf will not work with.

The rule that works...

192.168.1.140/32 Attempt to keep quake4 server src port static through NAT wan 192.246.40.28/32
Re: [pfSense-discussion] Set an OPT2 interface UDP rule with static-port option
On 1/27/06, Adam Gibson <[EMAIL PROTECTED]> wrote:
> Bill Marquette wrote:
> > On 1/27/06, Adam Gibson <[EMAIL PROTECTED]> wrote:
> >> Thanks for the direction. I found the static-port setting. Someone has probably already noticed the bug but the NAT listing does not display properly for the rule I just created (the fields are in the wrong spot in the table but editing the rule looks like it is setup correctly). I won't be able to test it until later tonight. This is the xml that was generated. The UDP packets in question that originate from the OPT1 network are src=192.168.1.140 srcport=28004 dst=192.246.40.28 dstport=27650 .
> >
> > Odd, I fixed that display issue a while ago, it should be in the latest snapshot :-/
> >
> > --Bill
>
> Below is a link that shows the problem in case you want to see it. The previous email shows the real Outbound NAT settings for it.
>
> http://www.xstatica.com/pfsense-snapshot20060125-outbound-nat-table-problem.png

Bleh, ok, so I didn't fix this right. Thanks for reporting it. As you mention, it's just a display issue.

--Bill
Re: [pfSense-discussion] Set an OPT2 interface UDP rule with static-port option
Bill Marquette wrote:
> On 1/27/06, Adam Gibson <[EMAIL PROTECTED]> wrote:
> > Thanks for the direction. I found the static-port setting. Someone has probably already noticed the bug but the NAT listing does not display properly for the rule I just created (the fields are in the wrong spot in the table but editing the rule looks like it is setup correctly). I won't be able to test it until later tonight. This is the xml that was generated. The UDP packets in question that originate from the OPT1 network are src=192.168.1.140 srcport=28004 dst=192.246.40.28 dstport=27650 .
>
> Odd, I fixed that display issue a while ago, it should be in the latest snapshot :-/
>
> --Bill

Below is a link that shows the problem in case you want to see it. The previous email shows the real Outbound NAT settings for it.

http://www.xstatica.com/pfsense-snapshot20060125-outbound-nat-table-problem.png
Re: [pfSense-discussion] Set an OPT2 interface UDP rule with static-port option
On 1/27/06, Adam Gibson <[EMAIL PROTECTED]> wrote:
> Thanks for the direction. I found the static-port setting. Someone has probably already noticed the bug but the NAT listing does not display properly for the rule I just created (the fields are in the wrong spot in the table but editing the rule looks like it is setup correctly). I won't be able to test it until later tonight. This is the xml that was generated. The UDP packets in question that originate from the OPT1 network are src=192.168.1.140 srcport=28004 dst=192.246.40.28 dstport=27650 .

Odd, I fixed that display issue a while ago, it should be in the latest snapshot :-/

--Bill
Re: [pfSense-discussion] Set an OPT2 interface UDP rule with static-port option
Bill Marquette wrote:
> On 1/27/06, Adam Gibson <[EMAIL PROTECTED]> wrote:
> > I need quake4 UDP master server updates to try and keep the real source port when going through NAT. The master servers use the src port that they receive when listing your server. I noticed that pf does support that capability through the static-port option but I do not see a way of adding that to the pfsense rules.
> >
> > I read somewhere in the pfsense discussions that this might be a 1.0 Beta2 feature addition. I am currently testing the 20060125 snapshot and do not see an obvious feature addition for that. Anyone know if this will be added sometime in the future?
>
> It's in outbound nat. You'll have to create an advanced rule for this.

Thanks for the direction. I found the static-port setting. Someone has probably already noticed the bug but the NAT listing does not display properly for the rule I just created (the fields are in the wrong spot in the table but editing the rule looks like it is setup correctly). I won't be able to test it until later tonight. This is the xml that was generated. The UDP packets in question that originate from the OPT1 network are src=192.168.1.140 srcport=28004 dst=192.246.40.28 dstport=27650 .

192.168.1.140/32 28004 Attempt to keep quake4 server src port on the SVC network static through NAT for q4master updates wan 28004 27650
Re: [pfSense-discussion] Set an OPT2 interface UDP rule with static-port option
On 1/27/06, Adam Gibson <[EMAIL PROTECTED]> wrote:
> I need quake4 UDP master server updates to try and keep the real source port when going through NAT. The master servers use the src port that they receive when listing your server. I noticed that pf does support that capability through the static-port option but I do not see a way of adding that to the pfsense rules.
>
> I read somewhere in the pfsense discussions that this might be a 1.0 Beta2 feature addition. I am currently testing the 20060125 snapshot and do not see an obvious feature addition for that. Anyone know if this will be added sometime in the future?

It's in outbound nat. You'll have to create an advanced rule for this.

> This is one feature that I believe pfsense can have that m0n0wall can't. They use ipfilter which does not seem to have a NAT static-port equivalent.

Actually, I believe ipfilter can do this (at least I know I used to use that feature for IPSec way back when).

--Bill
[pfSense-discussion] Set an OPT2 interface UDP rule with static-port option
I need quake4 UDP master server updates to try and keep the real source port when going through NAT. The master servers use the src port that they receive when listing your server. I noticed that pf does support that capability through the static-port option but I do not see a way of adding that to the pfsense rules.

I read somewhere in the pfsense discussions that this might be a 1.0 Beta2 feature addition. I am currently testing the 20060125 snapshot and do not see an obvious feature addition for that. Anyone know if this will be added sometime in the future?

This is one feature that I believe pfsense can have that m0n0wall can't. They use ipfilter which does not seem to have a NAT static-port equivalent.

Just for those interested... Linux iptables will try to keep outgoing NATed UDP packets with the same source port unless that port is already in use on the firewall or by a previous state. TCP src ports during NAT are changed on Linux iptables.
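
Added example, not part of the original thread and not pf or pfSense code: a simplified Python model of the three UDP source-port behaviours the thread mentions (pf's default NAT, pf with static-port, and the iptables behaviour described in the post above), fed with the packet quoted in the thread. The second host 192.168.1.141, all class and function names, the remap range used for the iptables-like fallback, and the choice to refuse a conflicting flow under static-port are assumptions of the model.

```python
import random

# pf's documented default NAT source-port range; reused for the
# iptables-like fallback as a simplification (assumption).
REMAP_RANGE = (50001, 65535)

class SourceNat:
    """Toy UDP source-NAT table for one external address (hypothetical model)."""

    def __init__(self, policy, seed=0):
        self.policy = policy   # "pf-default" | "pf-static-port" | "iptables-like"
        self.rng = random.Random(seed)
        self.states = {}       # (ext_sport, dst, dport) -> (src, sport)

    def _random_free_port(self, dst, dport):
        while True:
            port = self.rng.randint(*REMAP_RANGE)
            if (port, dst, dport) not in self.states:
                return port

    def translate(self, src, sport, dst, dport):
        """Return the source port the remote host sees, or None if refused."""
        for (ext, d, dp), owner in self.states.items():
            if owner == (src, sport) and (d, dp) == (dst, dport):
                return ext     # existing state: the mapping stays stable
        wanted_free = (sport, dst, dport) not in self.states
        if self.policy == "pf-default":
            ext = self._random_free_port(dst, dport)
        elif wanted_free:
            ext = sport        # original source port preserved
        elif self.policy == "pf-static-port":
            return None        # model assumption: conflicting flow is refused
        else:
            ext = self._random_free_port(dst, dport)
        self.states[(ext, dst, dport)] = (src, sport)
        return ext

def compare_policies():
    """Send the thread's packet, then a constructed second host reusing the port."""
    q4 = ("192.168.1.140", 28004, "192.246.40.28", 27650)      # from the thread
    other = ("192.168.1.141", 28004, "192.246.40.28", 27650)   # constructed
    results = {}
    for policy in ("pf-default", "pf-static-port", "iptables-like"):
        nat = SourceNat(policy)
        results[policy] = (nat.translate(*q4), nat.translate(*other))
    return results

if __name__ == "__main__":
    for policy, seen in compare_policies().items():
        print(f"{policy:15} remote side sees source ports {seen}")
```

Only the static-port and iptables-like policies let the master server see port 28004. The narrow from/to match in the working rule keeps the preserved-port behaviour limited to that one flow, so other outbound traffic still gets rewritten source ports.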