Re: [6.2] pf nat-to ignoring static-port?

2018-01-24 Thread Martin Hlavatý
I tried both (pass out quick right below the nat-to line and also letting it
go to the end of my rulebase) and it didn't change anything.

Martin

On Tue, Jan 23, 2018 at 3:19 PM, Michael Price  wrote:
> The lack of a quick keyword on that line makes me wonder if you have a later
> rule that is matching.
>
> Michael
>
> On Mon, Jan 22, 2018 at 5:34 PM Martin Hlavatý  wrote:
>>
>> Interesting. I did a few tests now, and here are results.
>>
>> This doesn't map ports statically on 6.2 but does on 5.9:
>> pass out from 10.11.12.13 to any nat-to 1.2.3.4 static-port
>>
>> This works fine:
>> pass out quick from 10.11.12.13 to any nat-to 1.2.3.4 static-port
>>
>> This works fine too:
>> match out from 10.11.12.13 to any nat-to 1.2.3.4 static-port
>>
>> Martin
>>
>>
>> On Mon, Jan 22, 2018 at 8:23 PM, Michael Price 
>> wrote:
>> > It appears to be working on two boxes I checked using a match out rule. I’m
>> > not using a binat-to line.
>> >
>> > Michael
>> >
>> > On Mon, Jan 22, 2018 at 10:49 AM Martin Hlavatý 
>> > wrote:
>> >>
>> >> Hello everyone,
>> >> in December I upgraded from 5.9 to 6.2 (including 6.0 and
>> >> 6.1) and shortly after that a few customers contacted me
>> >> that they are getting NAT type 3 on their xbox/playstation.
>> >> When doing some investigation, I noticed that binat-to
>> >> rules have static-port specified, but looking into the states
>> >> table, they were actually not mapped statically. Failing
>> >> over to the backup box still running 5.9 with an identical ruleset,
>> >> ports are actually mapped statically and online gaming
>> >> on consoles works fine.
>> >>
>> >> I tried to do some investigation, but am not aware of any
>> >> change in pf syntax. So I'm wondering if anyone would be
>> >> able to confirm this behavior?
>> >>
>> >> this is in the rules:
>> >>
>> >>   pass out inet from 10.11.12.13 to any flags S/SA nat-to 5.6.7.8 static-port
>> >>   pass in inet from any to 5.6.7.8 flags S/SA rdr-to 10.11.12.13
>> >>
>> >> and an example of states:
>> >>
>> >> all udp 5.6.7.8:65350 (10.11.12.13:3074) -> 52.166.52.75:1986 MULTIPLE:MULTIPLE
>> >> all tcp 5.6.7.8:63203 (10.11.12.13:38010) -> 31.13.91.33:443 ESTABLISHED:ESTABLISHED
>> >> all tcp 5.6.7.8:59711 (10.11.12.13:42530) -> 74.125.133.188:5228 ESTABLISHED:ESTABLISHED
>> >>
>> >>
>> >>
>> >> Regards,
>> >> Martin
>> >>
>> >



Re: [6.2] pf nat-to ignoring static-port?

2018-01-23 Thread Michael Price
The lack of a quick keyword on that line makes me wonder if you have a
later rule that is matching.

Michael

On Mon, Jan 22, 2018 at 5:34 PM Martin Hlavatý  wrote:

> Interesting. I did a few tests now, and here are results.
>
> This doesn't map ports statically on 6.2 but does on 5.9:
> pass out from 10.11.12.13 to any nat-to 1.2.3.4 static-port
>
> This works fine:
> pass out quick from 10.11.12.13 to any nat-to 1.2.3.4 static-port
>
> This works fine too:
> match out from 10.11.12.13 to any nat-to 1.2.3.4 static-port
>
> Martin
>
>
> On Mon, Jan 22, 2018 at 8:23 PM, Michael Price 
> wrote:
> > It appears to be working on two boxes I checked using a match out rule. I’m
> > not using a binat-to line.
> >
> > Michael
> >
> > On Mon, Jan 22, 2018 at 10:49 AM Martin Hlavatý 
> wrote:
> >>
> >> Hello everyone,
> >> in December I upgraded from 5.9 to 6.2 (including 6.0 and
> >> 6.1) and shortly after that a few customers contacted me
> >> that they are getting NAT type 3 on their xbox/playstation.
> >> When doing some investigation, I noticed that binat-to
> >> rules have static-port specified, but looking into the states
> >> table, they were actually not mapped statically. Failing
> >> over to the backup box still running 5.9 with an identical ruleset,
> >> ports are actually mapped statically and online gaming
> >> on consoles works fine.
> >>
> >> I tried to do some investigation, but am not aware of any
> >> change in pf syntax. So I'm wondering if anyone would be
> >> able to confirm this behavior?
> >>
> >> this is in the rules:
> >>
> >>   pass out inet from 10.11.12.13 to any flags S/SA nat-to 5.6.7.8 static-port
> >>   pass in inet from any to 5.6.7.8 flags S/SA rdr-to 10.11.12.13
> >>
> >> and an example of states:
> >>
> >> all udp 5.6.7.8:65350 (10.11.12.13:3074) -> 52.166.52.75:1986 MULTIPLE:MULTIPLE
> >> all tcp 5.6.7.8:63203 (10.11.12.13:38010) -> 31.13.91.33:443 ESTABLISHED:ESTABLISHED
> >> all tcp 5.6.7.8:59711 (10.11.12.13:42530) -> 74.125.133.188:5228 ESTABLISHED:ESTABLISHED
> >>
> >>
> >>
> >> Regards,
> >> Martin
> >>
> >
>


Re: [6.2] pf nat-to ignoring static-port?

2018-01-22 Thread Martin Hlavatý
Interesting. I did a few tests now, and here are results.

This doesn't map ports statically on 6.2 but does on 5.9:
pass out from 10.11.12.13 to any nat-to 1.2.3.4 static-port

This works fine:
pass out quick from 10.11.12.13 to any nat-to 1.2.3.4 static-port

This works fine too:
match out from 10.11.12.13 to any nat-to 1.2.3.4 static-port

Martin


On Mon, Jan 22, 2018 at 8:23 PM, Michael Price  wrote:
> It appears to be working on two boxes I checked using a match out rule. I’m
> not using a binat-to line.
>
> Michael
>
> On Mon, Jan 22, 2018 at 10:49 AM Martin Hlavatý  wrote:
>>
>> Hello everyone,
>> in December I upgraded from 5.9 to 6.2 (including 6.0 and
>> 6.1) and shortly after that a few customers contacted me
>> that they are getting NAT type 3 on their xbox/playstation.
>> When doing some investigation, I noticed that binat-to
>> rules have static-port specified, but looking into the states
>> table, they were actually not mapped statically. Failing
>> over to the backup box still running 5.9 with an identical ruleset,
>> ports are actually mapped statically and online gaming
>> on consoles works fine.
>>
>> I tried to do some investigation, but am not aware of any
>> change in pf syntax. So I'm wondering if anyone would be
>> able to confirm this behavior?
>>
>> this is in the rules:
>>
>>   pass out inet from 10.11.12.13 to any flags S/SA nat-to 5.6.7.8 static-port
>>   pass in inet from any to 5.6.7.8 flags S/SA rdr-to 10.11.12.13
>>
>> and an example of states:
>>
>> all udp 5.6.7.8:65350 (10.11.12.13:3074) -> 52.166.52.75:1986 MULTIPLE:MULTIPLE
>> all tcp 5.6.7.8:63203 (10.11.12.13:38010) -> 31.13.91.33:443 ESTABLISHED:ESTABLISHED
>> all tcp 5.6.7.8:59711 (10.11.12.13:42530) -> 74.125.133.188:5228 ESTABLISHED:ESTABLISHED
>>
>>
>>
>> Regards,
>> Martin
>>
>



Re: [6.2] pf nat-to ignoring static-port?

2018-01-22 Thread Michael Price
It appears to be working on two boxes I checked using a match out rule. I’m
not using a binat-to line.

Michael

On Mon, Jan 22, 2018 at 10:49 AM Martin Hlavatý  wrote:

> Hello everyone,
> in December I upgraded from 5.9 to 6.2 (including 6.0 and
> 6.1) and shortly after that a few customers contacted me
> that they are getting NAT type 3 on their xbox/playstation.
> When doing some investigation, I noticed that binat-to
> rules have static-port specified, but looking into the states
> table, they were actually not mapped statically. Failing
> over to the backup box still running 5.9 with an identical ruleset,
> ports are actually mapped statically and online gaming
> on consoles works fine.
>
> I tried to do some investigation, but am not aware of any
> change in pf syntax. So I'm wondering if anyone would be
> able to confirm this behavior?
>
> this is in the rules:
>
>   pass out inet from 10.11.12.13 to any flags S/SA nat-to 5.6.7.8 static-port
>   pass in inet from any to 5.6.7.8 flags S/SA rdr-to 10.11.12.13
>
> and an example of states:
>
> all udp 5.6.7.8:65350 (10.11.12.13:3074) -> 52.166.52.75:1986 MULTIPLE:MULTIPLE
> all tcp 5.6.7.8:63203 (10.11.12.13:38010) -> 31.13.91.33:443 ESTABLISHED:ESTABLISHED
> all tcp 5.6.7.8:59711 (10.11.12.13:42530) -> 74.125.133.188:5228 ESTABLISHED:ESTABLISHED
>
>
>
> Regards,
> Martin
>
>


Re: [6.2] pf nat-to ignoring static-port?

2018-01-22 Thread Jordan Geoghegan
I too have had issues with static port not working and causing game 
consoles to complain about not having an "open nat". I would love to 
solve this issue as it makes it nearly impossible to "host" for games 
and chat on the consoles.


Jordan


On 01/22/18 07:28, Martin Hlavatý wrote:

Hello everyone,
in December I upgraded from 5.9 to 6.2 (including 6.0 and
6.1) and shortly after that a few customers contacted me
that they are getting NAT type 3 on their xbox/playstation.
When doing some investigation, I noticed that binat-to
rules have static-port specified, but looking into the states
table, they were actually not mapped statically. Failing
over to the backup box still running 5.9 with an identical ruleset,
ports are actually mapped statically and online gaming
on consoles works fine.

I tried to do some investigation, but am not aware of any
change in pf syntax. So I'm wondering if anyone would be
able to confirm this behavior?

this is in the rules:

   pass out inet from 10.11.12.13 to any flags S/SA nat-to 5.6.7.8 static-port
   pass in inet from any to 5.6.7.8 flags S/SA rdr-to 10.11.12.13

and an example of states:

all udp 5.6.7.8:65350 (10.11.12.13:3074) -> 52.166.52.75:1986 MULTIPLE:MULTIPLE
all tcp 5.6.7.8:63203 (10.11.12.13:38010) -> 31.13.91.33:443 ESTABLISHED:ESTABLISHED
all tcp 5.6.7.8:59711 (10.11.12.13:42530) -> 74.125.133.188:5228 ESTABLISHED:ESTABLISHED



Regards,
Martin





[6.2] pf nat-to ignoring static-port?

2018-01-22 Thread Martin Hlavatý
Hello everyone,
in December I upgraded from 5.9 to 6.2 (including 6.0 and
6.1) and shortly after that a few customers contacted me
that they are getting NAT type 3 on their xbox/playstation.
When doing some investigation, I noticed that binat-to
rules have static-port specified, but looking into the states
table, they were actually not mapped statically. Failing
over to the backup box still running 5.9 with an identical ruleset,
ports are actually mapped statically and online gaming
on consoles works fine.

I tried to do some investigation, but am not aware of any
change in pf syntax. So I'm wondering if anyone would be
able to confirm this behavior?

this is in the rules:

  pass out inet from 10.11.12.13 to any flags S/SA nat-to 5.6.7.8 static-port
  pass in inet from any to 5.6.7.8 flags S/SA rdr-to 10.11.12.13

and an example of states:

all udp 5.6.7.8:65350 (10.11.12.13:3074) -> 52.166.52.75:1986 MULTIPLE:MULTIPLE
all tcp 5.6.7.8:63203 (10.11.12.13:38010) -> 31.13.91.33:443 ESTABLISHED:ESTABLISHED
all tcp 5.6.7.8:59711 (10.11.12.13:42530) -> 74.125.133.188:5228 ESTABLISHED:ESTABLISHED



Regards,
Martin
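Whichever rule form ends up in pf.conf (the "pass out quick ... nat-to ... static-port" and "match out ... nat-to ... static-port" variants Martin reports as working, or the plain "pass out ... nat-to ... static-port" that does not), the evidence that static-port actually took effect is the state table. In the lines posted in this thread the outer source port (65350) differs from the original port shown in parentheses (3074), which is exactly the non-static mapping that leaves consoles with a strict NAT type. The script below is an added example, not code from the thread or from OpenBSD: it reads pfctl -ss output on stdin, flags every outbound translated state whose source port was rewritten, and runs here against a constructed sample modelled on the posted state lines. The function names and the sample data are mine, and it assumes IPv4 states (the thread's rules are "inet") in the one-line format pfctl -ss prints.

```shell
#!/bin/sh
# Added example, not code from the thread: tells you whether pf's static-port
# actually held, by comparing each translated state's outer source port with the
# original port that pfctl -ss shows in parentheses.
# Assumes IPv4 states (the thread's rules are "inet") in pfctl -ss line format.

# Constructed sample modelled on the state lines posted in the thread, plus one
# state whose port was preserved and one inbound (rdr) state, which must be
# skipped because the "->" direction marker is absent.
SAMPLE_STATES='all udp 5.6.7.8:65350 (10.11.12.13:3074) -> 52.166.52.75:1986       MULTIPLE:MULTIPLE
all tcp 5.6.7.8:63203 (10.11.12.13:38010) -> 31.13.91.33:443       ESTABLISHED:ESTABLISHED
all udp 5.6.7.8:3074 (10.11.12.13:3074) -> 203.0.113.10:3074       MULTIPLE:MULTIPLE
all tcp 10.11.12.13:80 (5.6.7.8:80) <- 198.51.100.7:51234       ESTABLISHED:ESTABLISHED'

# Reads pfctl -ss style lines on stdin and prints one line per outbound state
# whose source port was rewritten, as "proto original -> translated".
find_rewritten_ports() {
    awk '
        # Only nat-to translated states carry "(orig_ip:orig_port)" in field 4
        # followed by "->"; untranslated and inbound "<-" states are skipped.
        $4 ~ /^\(.*\)$/ && $5 == "->" {
            split($3, xl, ":")                       # translated ip:port
            orig = substr($4, 2, length($4) - 2)     # strip the parentheses
            split(orig, o, ":")                      # original ip:port
            if (xl[2] != o[2])
                printf "%s %s:%s -> %s:%s\n", $2, o[1], o[2], xl[1], xl[2]
        }'
}

# Number of translated states that were not mapped statically; 0 means
# static-port held for every outbound translated state in the input.
count_rewritten_ports() {
    find_rewritten_ports | awk 'END { print NR }'
}

# Stand-alone run against the constructed sample. On a live box use:
#   pfctl -ss | find_rewritten_ports
printf '%s\n' "$SAMPLE_STATES" | find_rewritten_ports
```

Run it after each rule change: an empty result means every outbound translated state kept its source port; any output line names a state that is still being rewritten, so the rule carrying static-port is not the one that ended up applying to that traffic. The 3074 entry in the sample is the console port from the posted states, and the inbound rdr line shows the edge case the direction check exists for.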