
PS4 and PFSense


#1 fusi0n

fusi0n

    The Crazy One

  • Tech Issues Solved: 1
  • Joined: 08-July 04
  • OS: OSX 10.9
  • Phone: iPhone 5S 64GB

Posted 23 November 2013 - 17:38

I am having issues with my PS4 and pfSense Box.. While using pfSense as my gateway, the PS4 is unable to connect to multiplayer games or use the voice chat feature, when using my Cisco Router, it works fine. Xbox Live and PS3, never had any issues.. I snooped around on the pfsense forums, but I didn't really understand what they were talking about to be honest..

 

I have made no special rules,
NAT Outbound is set to, 
Automatic outbound NAT rule generation
          (IPsec passthrough included)
Here is a pic of my upnp setup, 
Untitled.png
 
Some people are talking about making a static port, but, that is where I need help..





#2 GotBored

GotBored

    Brain Trust

  • Tech Issues Solved: 3
  • Joined: 24-June 13
  • OS: Windows 8.1
  • Phone: iPhone 5

Posted 23 November 2013 - 17:44

In user specified permissions 1-4 it looks like it allows you to open/make a static port.

 

Not sure what port the PS4 uses, so refer back to pfsense forums and it might just give you a line of code to copy in the user specified permissions box.



#3 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 23 November 2013 - 20:12

User specified permissions are normally for locking down to specific IPs, ports, etc., if you select the deny default setting.

What do you show under status?
Status: UPnP & NAT-PMP Status

Can you point to forum post there that you do not understand?

#4 OP fusi0n

fusi0n

    The Crazy One

  • Tech Issues Solved: 1
  • Joined: 08-July 04
  • OS: OSX 10.9
  • Phone: iPhone 5S 64GB

Posted 24 November 2013 - 23:18

User specified permissions are normally for locking down to specific IPs, ports, etc., if you select the deny default setting.

What do you show under status?
Status: UPnP & NAT-PMP Status

Can you point to forum post there that you do not understand?

http://forum.pfsense...e533bcb78353348

 

I guess I need to set my PS4 with a static IP and enter in the rules?



#5 The_Decryptor

The_Decryptor

    STEAL THE DECLARATION OF INDEPENDENCE

  • Tech Issues Solved: 4
  • Joined: 28-September 02
  • Location: Sol System
  • OS: iSymbian 9.2 SP24.8 Mars Bar

Posted 24 November 2013 - 23:35

Try with NAT-PMP enabled.

#6 Sikh

Sikh

    Neowin Addict!

  • Tech Issues Solved: 2
  • Joined: 11-March 07
  • Location: localhost
  • OS: Windows 7 / 10.8 / Ubuntu Server
  • Phone: Nexus 5 PA 4.4.2 / iPhone 5

Posted 24 November 2013 - 23:39

The static port setting is under the NAT > outbound. There's a rule that's created and it allows everything and under static port it'll say no. You need to edit that rule switch it to yes and boom done.

I had to do this a long time ago for gaming on my network with multiple PCs and consoles.

#7 Sikh

Sikh

    Neowin Addict!

  • Tech Issues Solved: 2
  • Joined: 11-March 07
  • Location: localhost
  • OS: Windows 7 / 10.8 / Ubuntu Server
  • Phone: Nexus 5 PA 4.4.2 / iPhone 5

Posted 24 November 2013 - 23:40

I'm on mobile or I would post a screenshot. I hope you can find it

#8 Grogi

Grogi

    Neowinian

  • Joined: 31-July 07
  • Location: Serbia

Posted 29 November 2013 - 08:45

PFsense blocks everything unless it is defined in rules. The first thing you should check is the firewall log, to see where it is blocked. Also, on the main page you have "Show states" where you can see requests over wan.

Maybe this will help:

http://pfsensesetup....np-and-nat-pmp/



#9 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 29 November 2013 - 13:46   Best Answer

No it does not - outbound by default is all allowed, if you're thinking of unsolicited inbound traffic. Then yes it does block that just like every other single nat router on the planet.

His issue sounds like he needs static port mapping in his NAPT (Network Address and Port Translation) which is what pretty much every single nat router used in homes uses. It allows the sharing of the single public IP by changing the ports used for traffic. http://en.wikipedia....ort_Translation

What happens in this is say you want to go to neowin on port 80, well there is a source port here something random above 1024

If you look at the state table you can see what is going on
states.png

So you can see private address at .100 is talking to dropbox on 108.160.162.33 via port 80.. But look at the source port connection started at 57481, but then when it leaves my router 24.13.x.x the source is 55937

What seems xbox needs to work with what they want to do is a static outbound nat. So that the port used on the outbound side is the same as what xbox is listening on.

To do this in pfsense you have to switch to manual outbound nat vs automatic, and then create your rules. If you see the 2nd picture the guy posted - this is his outbound nat for port udp 9308.. Seems his problem is that rule was not on the top of the list.. So he prob got some other nat rule doing it and not the static one. When you switch from Automatic to manual you see the rules that are in play in automatic

2ndruleON.png

See that rule under the static one for port 500, that is the nat rule that changes from your lan to your public. Well it's both udp and tcp and ports are not static. So if he put his static nat rule below that it would never be seen. So you need to put any static outbound nat rules you need on the top of the list.. like that 500 rule is above the general nat rule.

As to what ports he needs for whatever he is doing with xbox not sure, but if they need to be static ports then this is done in the outbound nat section and setting up the rules "above" the generic nat everything rule. That is what that thread he linked to is talking about - and as you can see from the guy saying

There we go! -- THANKS!!!!

Put it at the top of the ruleset and it worked.


Once he placed his static rule correctly in the rulesets it worked.
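
The rule-ordering behaviour described in the post above, as an added example that is not part of the original thread and is not pfSense code: a small Python model of first-match outbound NAT with a static-port flag, plus a check for static rules shadowed by an earlier general rule. The LAN subnet 192.168.1.0/24, the full PS4 address 192.168.1.144 and the sample flow's ports are assumptions.

```python
import ipaddress
import random
from dataclasses import dataclass
from typing import Optional

@dataclass
class NatRule:
    name: str
    source: str               # LAN source in CIDR form
    proto: str                # "udp", "tcp" or "any"
    dst_port: Optional[int]   # None means any destination port
    static_port: bool         # True keeps the original source port

    def covers(self, other: "NatRule") -> bool:
        """True if every flow matching `other` also matches this rule."""
        return (ipaddress.ip_network(other.source).subnet_of(ipaddress.ip_network(self.source))
                and self.proto in ("any", other.proto)
                and self.dst_port in (None, other.dst_port))

def translate(rules, src_ip, src_port, proto, dst_port, rng=None):
    """First matching rule wins; returns (rule name, source port after NAT)."""
    rng = rng or random.Random(0)
    flow = NatRule("flow", f"{src_ip}/32", proto, dst_port, False)
    for rule in rules:
        if rule.covers(flow):
            return rule.name, src_port if rule.static_port else rng.randint(1024, 65535)
    return None, src_port  # no NAT rule matched

def shadowed(rules):
    """Rules that can never match because an earlier rule covers them."""
    return [(r.name, e.name) for i, r in enumerate(rules)
            for e in rules[:i] if e.covers(r)]

# Constructed rule sets modelled on the thread (addresses are assumptions).
ISAKMP = NatRule("ISAKMP static", "192.168.1.0/24", "udp", 500, True)
GENERAL = NatRule("LAN general", "192.168.1.0/24", "any", None, False)
PS4 = NatRule("PS4 static", "192.168.1.144/32", "any", None, True)

BROKEN = [ISAKMP, GENERAL, PS4]   # static rule added at the bottom
FIXED = [PS4, ISAKMP, GENERAL]    # static rule moved to the top

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, translate(rules, "192.168.1.144", 9308, "udp", 9308), shadowed(rules))
```

A non-empty result from `shadowed()` is the condition described in the post: a static-port rule sitting below the general rule that never gets evaluated.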

#10 OP fusi0n

fusi0n

    The Crazy One

  • Tech Issues Solved: 1
  • Joined: 08-July 04
  • OS: OSX 10.9
  • Phone: iPhone 5S 64GB

Posted 29 November 2013 - 14:06

I plan on trying that out today, sorry, I've been busy and haven't had time to change it since I have been using my Cisco Router in place of the pfsense box. Thank you everyone for your help



#11 OP fusi0n

fusi0n

    The Crazy One

  • Tech Issues Solved: 1
  • Joined: 08-July 04
  • OS: OSX 10.9
  • Phone: iPhone 5S 64GB

Posted 29 November 2013 - 14:20

<snipped>

I am assuming this is the page I need to be on? Correct? Do I need to change it to manual? If so, what all will that affect?

Untitled.png

Second, I am assuming I am making a rule from this screenshot from the pfsense forums?

Screen Shot 2013-11-17 at 5.47.43 PM (2).png

 

So I need to set my PS4 with a static IP, set to manual, add that rule?

 

Edit:

Add the rule that this?

port.png



#12 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 29 November 2013 - 15:03

Yes that is the correct page.. You need to change to manual.

You're not going to want to set it to ALL ports static from the ps4, just look to see what ports you need and set those. But I guess you could set your ps4 IP to just be static ports for everything.. That makes it simple, but not sure what issues that might bring up if any.. Sure give it a go..

If that 1.144 is the static IP of your ps4 then yeah - you would set the mask to /32 which just means that IP.

#13 The_Decryptor

The_Decryptor

    STEAL THE DECLARATION OF INDEPENDENCE

  • Tech Issues Solved: 4
  • Joined: 28-September 02
  • Location: Sol System
  • OS: iSymbian 9.2 SP24.8 Mars Bar

Posted 30 November 2013 - 01:22

I don't have any experience with the PS4, but I know the Xbox One uses random ports (With Teredo) as a means to break through the NAT (Since only like 25% of devices they encounter support UPnP or NAT-PMP), it wouldn't surprise me if the PS4 was doing something similar.



#14 OP fusi0n

fusi0n

    The Crazy One

  • Tech Issues Solved: 1
  • Joined: 08-July 04
  • OS: OSX 10.9
  • Phone: iPhone 5S 64GB

Posted 01 December 2013 - 19:23

Yes that is the correct page.. You need to change to manual.

You're not going to want to set it to ALL ports static from the ps4, just look to see what ports you need and set those. But I guess you could set your ps4 IP to just be static ports for everything.. That makes it simple, but not sure what issues that might bring up if any.. Sure give it a go..

If that 1.144 is the static IP of your ps4 then yeah - you would set the mask to /32 which just means that IP.

4.png

3.png

Still isn't working.. I am assuming I am missing something?

 

Edit - I finally got it to say "Nat Type 2" instead of failed by moving it to the top of the rules. However, still fails to play online. I can access the store and see my friends.. but can't chat or play with them. 



#15 +BudMan

BudMan

    Neowinian Senior

  • Tech Issues Solved: 85
  • Joined: 04-July 02
  • Location: Schaumburg, IL
  • OS: Win7, Vista, 2k3, 2k8, XP, Linux, FreeBSD, OSX, etc. etc.

Posted 01 December 2013 - 21:56

So here is the thing did you reset your states? It's possible the ports you're trying are high ports, ie above 1024 and already in use, etc. Clear the states.

I really would look into what specific ports you need that need to be static, and do you need any port forwards to play games for unsolicited traffic, nat rules are just going to be in answer to what you opened outbound or possible with UPnP - not sure on that.

But if you want to host games it's better to create the port forwards directly vs hoping UPnP takes care of it for you, etc.


