I am having issues with my PS4 and pfSense box. While using pfSense as my gateway, the PS4 is unable to connect to multiplayer games or use the voice chat feature; when using my Cisco router, it works fine. Xbox Live and PS3 never had any issues. I snooped around on the pfSense forums, but I didn't really understand what they were talking about, to be honest.
Best Answer: BudMan, 29 November 2013 - 13:46
No, it does not; outbound by default is all allowed. If you're thinking of unsolicited inbound traffic, then yes, it does block that, just like every other single NAT router on the planet.
His issue sounds like he needs static port mapping in his NAPT (Network Address and Port Translation), which is what pretty much every single NAT router used in homes uses. It allows the sharing of the single public IP by changing the ports used for traffic. http://en.wikipedia....ort_Translation
What happens in this is, say you want to go to Neowin on port 80; well, there is a source port here, something random above 1024.
If you look at the state table you can see what is going on.
So you can see the private address at .100 is talking to Dropbox on 188.8.131.52 via port 80. But look at the source port: the connection started at 57481, but when it leaves my router, 24.13.x.x, the source is 55937.
What it seems Xbox needs, to work with what they want to do, is a static outbound NAT, so that the port used on the outbound side is the same as what Xbox is listening on.
To do this in pfSense you have to switch to manual outbound NAT vs. automatic, and then create your rules. If you see the 2nd picture the guy posted, this is his outbound NAT for port UDP 9308. Seems his problem is that the rule was not on the top of the list, so he probably got some other NAT rule doing it and not the static one. When you switch from automatic to manual you see the rules that are in play in automatic.
See that rule under the static one for port 500? That is the NAT rule that changes from your LAN to your public. Well, it's both UDP and TCP and ports are not static, so if he put his static NAT rule below that it would never be seen. So you need to put any static outbound NAT rules you need on the top of the list, like that 500 rule is above the general NAT rule.
As to what ports he needs for whatever he is doing with Xbox, not sure, but if they need to be static ports then this is done in the outbound NAT section, setting up the rules "above" the generic NAT-everything rule. That is what the thread he linked to is talking about, and as you can see from the guy saying:
There we go! -- THANKS!!!!
Put it at the top of the ruleset and it worked.
Once he placed his static rule correctly in the ruleset, it worked.
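An added illustration, not from BudMan's post or from pfSense's own code, of the first-match behaviour the answer describes: a small Python model of an outbound NAT table in which a static-port rule for UDP 9308 only preserves the source port when it sits above the generic LAN-to-WAN rule. The 192.168.1.0/24 subnet, the WAN address and the sample connections are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress
import random

WAN_IP = "24.13.0.1"  # constructed stand-in for the poster's 24.13.x.x WAN address


@dataclass
class OutboundNatRule:
    """One row of a pfSense-style outbound NAT table (simplified model)."""
    src_net: str             # source network, e.g. "192.168.1.0/24"
    proto: str               # "udp", "tcp" or "any"
    dst_port: Optional[int]  # None = any destination port
    static_port: bool        # True = keep the original source port

    def matches(self, src_ip: str, proto: str, dst_port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_net)
                and self.proto in ("any", proto)
                and self.dst_port in (None, dst_port))


def translate(rules: List[OutboundNatRule], src_ip: str, src_port: int,
              proto: str, dst_port: int) -> Tuple[str, int, Optional[int]]:
    """Apply the first matching rule, top-down, the way pf evaluates the table.

    Returns (translated source IP, translated source port, index of the matching
    rule); the index is None and nothing is translated when no rule matches.
    """
    rng = random.Random(0)  # deterministic stand-in for the router's ephemeral-port picker
    for index, rule in enumerate(rules):
        if rule.matches(src_ip, proto, dst_port):
            if rule.static_port:
                return WAN_IP, src_port, index                    # static port: unchanged
            return WAN_IP, rng.randint(49152, 65535), index       # NAPT: port rewritten
    return src_ip, src_port, None


# The generic "LAN to WAN, any protocol, any port" rule automatic mode generates.
GENERIC = OutboundNatRule("192.168.1.0/24", "any", None, static_port=False)
# The poster's static-port rule for UDP 9308.
STATIC_9308 = OutboundNatRule("192.168.1.0/24", "udp", 9308, static_port=True)

WRONG_ORDER = [GENERIC, STATIC_9308]  # static rule below the generic one: never reached
RIGHT_ORDER = [STATIC_9308, GENERIC]  # static rule on top: consulted first

if __name__ == "__main__":
    print("static rule below generic:", translate(WRONG_ORDER, "192.168.1.100", 9308, "udp", 9308))
    print("static rule on top:", translate(RIGHT_ORDER, "192.168.1.100", 9308, "udp", 9308))
    print("ordinary web traffic:", translate(RIGHT_ORDER, "192.168.1.100", 57481, "tcp", 80))
```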