PF Is it possible to overcome "Strict-NAT" for 2 simultaneous devices behind PF?

B

BreakArms

The below rules allow a single PC on my network to enjoy an "Open" NAT in Rainbow Six Siege multi-player (and many other games). This makes it possible for me to host games and improves match making speed.

Code: 
        match out log on egress from !$gaming_pc to any nat-to ($ext_if:0) port 1024:65535
        match out log on egress from $gaming_pc to any nat-to ($ext_if:0) static-port
        pass in log on $ext_if inet proto tcp from any to any port $siege_ports_tcp rdr-to $gaming_pc
        pass in log on $ext_if inet proto udp from any to any port $siege_ports_udp rdr-to $gaming_pc
The problem with this setup is that it's limited to a single host at any given time, so my PS4 has to be "strict" while the PC is "open" or vice-versa, and I manually have to update pf.conf if I want to switch which one is open and which is strict. I realize one alternative would be to enable UPnP but I don't want to do that unless I absolutely have to. I asked my ISP for an additional IP address but they don't offer multiple IP addresses for residential, so I don't believe I can take advantage of separate VLAN's.

Is there a way to make this work without UPnP or am I trying to do something impossible with PF alone?
 
Humm are you using OpenBSD? Those rules are using the newer syntax that doesn't work on FreeBSD. To answer your question though it's not possible with PF alone, the NAT engine in PF doesn't know any "medium ground" between static-port and the full source port randomization it does without the static-port option.

If I remember the details correctly what it should do is this:
Code: 
Gaming PC:<udp src port0>  ----- Router:<udp src port1> ------ <dst udp port>Internet host1

Gaming PC:<udp src port0>  ----- Router:<udp src port1> ------ <dst udp port>Internet host2

What it does now is:

Code: 
Gaming PC:<udp src port0>  ----- Router:<udp src port1> ------ <dst udp port>Internet host1

Gaming PC:<udp src port0>  ----- Router:<udp src port2> ------ <dst udp port>Internet host2

This happens only because of the different destination address which makes PF think the connection as completely new.

Edit: All of this applies of course only to UDP traffic, TCP connections are fully stateful and have a direction so they always allocate a new source port on the external interface of the NATing device.
 
You must log in or register to reply here.
Back
Top