I’ve followed the guide in the OpenBSD FAQs for setting up a firewall and doing port forwarding.

https://www.openbsd.org/faq/pf/example1.html
https://www.openbsd.org/faq/pf/rdr.html

The reason I am attempting to do port forwarding is for online gaming. As shown in the examples, the port forward rule should come after the block all rule. However, when I follow this setup, my port forward never triggers. The port I want to forward is consistently blocked and never matches on the last rule.

My rule is

pass in on egress inet proto udp from any to any port 3074:3079 rdr-to $gamepc

But every time I start the game, the connection is blocked on port 3075 and the game considers my NAT to be strict.

Am I missing something?

EDIT: Additional information

Following my block all rule which is currently written as block drop in log on $pubif, I have the following rules:

pass out on { $l1 $l2 $l3 $l4 $l5 } inet keep state

This next rule is repeated for each port $l1 to $l5:

pass out on $pubif inet from $l1:network to any nat-to ($pubif)

Then

# Gaming Port Forward Begins Here
pass in on egress inet proto udp from any to any port 3074:3079 rdr-to $gamepc
pass in on egress inet proto udp from any to any port 3478 rdr-to $gamepc
pass in on egress inet proto udp from any to any port 4379:4380 rdr-to $gamepc
pass in on egress inet proto udp from any to any port 27000:27031 rdr-to $gamepc
pass in on egress inet proto udp from any to any port 27036 rdr-to $gamepc
pass in on egress inet proto tcp from any to any port 3074 rdr-to $gamepc
pass in on egress inet proto tcp from any to any port 27014:27050 rdr-to $gamepc
Zé Loff
  • 2,112
  • Initial thoughts 1) are you attempting to access $gamepc from another LAN client? 2) Where you have pass in on egress **inet** proto **udp** from any to any port 3074:3079 rdr-to $gamepc why are you specifying inet, and are you sure you don't need any tcp rules? – caffeinatedbits Sep 24 '22 at 03:50
  • No, I am not trying to access from another client on the LAN. I specified inet because I did not set up any IPv6 and I read that inet specifies IPv4. That being said, I have tried multiple versions of this rule and one of those versions does not specify inet. I do also need tcp rules which I have but none of the rules match; the one I posted is an example – brokaryote Sep 25 '22 at 02:44

1 Answer


It's hard to tell without seeing the rest of your pf rules, since there might be some precedence issues at play.

Note that your rule only applies to the incoming packets on the egress interface. Do you have a pass out rule that applies to the redirected packets? Sometimes a simple catch-all pass out quick rule makes things much simpler, and then you only need to add rules for incoming traffic either from the internet or from your LAN, which is usually enough for a simple router/firewall.

It is also helpful to add a log directive to your block rule, and then use tcpdump -ei pflog0 to check whether your packets are being blocked. Equally, a log directive on the pass rules might also aid in debugging and/or monitoring things.

Update (after additional info from OP):

Your ruleset seems correct. Are you sure the game connects only over UDP (or tests the connection over UDP)? You have no pass rule for TCP/3075. Does tcpdumping pflog0 or the internal interface offer any clues?

Update 2 (after comments to this answer)

Make sure you have pass rules for incoming traffic from the $gamepc, as well. In summary:

# Some macros to improve readability
gamer_udp = "{ 3074:3079, 3478, 4379:4380, 27000:27031, 27036 }"
gamer_tcp = "{ 3074, 27014:27050 }"

# Block (and log) by default
block log

# Generic outgoing traffic (NAT)
pass out on $pubif inet from $l1:network nat-to ($pubif)

# Incoming traffic (redirection)
pass in on egress inet proto udp to port $gamer_udp rdr-to $gamepc
pass in on egress inet proto tcp to port $gamer_tcp rdr-to $gamepc

# Incoming (redirected) traffic must be allowed to pass out to the LAN
pass out on $l1 inet proto udp to $gamepc port $gamer_udp
pass out on $l1 inet proto tcp to $gamepc port $gamer_tcp

# LAN must be allowed to reach the internet (and me)
pass in on $l1 from $l1:network

Caveat: this obviously hasn't been tested, but I believe it is mostly correct. Please don't copy-paste it blindly, adapt as you see fit and integrate it into your ruleset. You might want to insert some other rules among these. You can also add log directives for debugging purposes (I always log my block rules). This example can also be further simplified by adding a simple pass out rule, right after the block rule, and dropping the two pass out rules on $l1 (note that you need to keep the nat-to rule). Also, changing pf rules via SSH is a tried and tested way to lock yourself out of the machine, so console access is preferred.

Good luck!

Zé Loff
  • 2,112
  • I have amended the original post to contain more information from my config. I have tried many versions of these rules but the NAT in-game is always considered strict. I do have pass out rules and the firewall and routing works perfectly for everything. The only thing I can't seem to get working is port forwarding. To be clear, I am still able to game even with this "strict" NAT but I do wonder if it makes it tougher for me to find games – brokaryote Sep 26 '22 at 23:02
  • The ports that I have opened are directly from the game’s site. I do have tcp ports listed at the end. The block rule blocks UDP on port 3075 when I connect to the game (confirmed by tcpdump) and the game states that my NAT is strict because this port was blocked. This leads me to believe these pass in rules are somehow not capturing these packets. I have added log to them and they never match during play – brokaryote Sep 27 '22 at 11:30
  • Apologies in advance if this is a silly question, but are you allowing for incoming connections from $gamepc on the LAN interface? I assume so, but I am asking since all the pass in rules you show apply to the egress group (which probably only has the internet-facing interface in it)... – Zé Loff Sep 27 '22 at 13:28
  • This very well could be my issue. Would you mind showing me an example of what you mean? I have a limited understanding of the requirements for port forwarding properly so the pass in rules at the end are the extent of what I have tried and I took this syntax from the OpenBSD FAQs – brokaryote Sep 27 '22 at 13:58
  • After trying that, I'm sad to say I still don't have any success getting a connection on port 3075 and my NAT is still strict. I'm baffled. With the new rules logged, I do see outbound connections on port 3076 from my PC but those were already present from an earlier rule in my (pass out on { $l1 $l2 $l3 $l4 $l5 } inet keep state). I tried finding a game with these new rules to see if it would be any different. It wasn't. I'm beginning to believe that it's the game and not my router. Thank you for all the help with this. I'm thinking I'm just going to let it go – brokaryote Sep 29 '22 at 00:22
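The script below is an added example for this thread; it is not code from the question, the answer or the OpenBSD FAQ. It assembles the ruleset the answer converges on (default deny, one catch-all pass out, the nat-to rule, the rdr-to rules, and LAN access) into a single pf.conf, and adds the triage step the answer recommends: reading the blocked packets off pflog0 and mapping them back to a rule number. The interface names em0 (WAN) and em1 (LAN), the address 192.168.1.50 for $gamepc and the sample pflog lines are all made up, a single LAN interface stands in for the asker's $l1 to $l5, and NAT is written as a match rule (which pf supports alongside the pass out nat-to form used in the thread) so that it still applies when the catch-all pass out is marked quick.

```shell
#!/bin/sh
# Added example for this thread, not code from the question, the answer or the
# OpenBSD FAQ. Interface names (em0 WAN, em1 LAN), the LAN host address and the
# sample pflog lines below are made up; one LAN interface stands in for $l1..$l5.

# Emit a complete pf.conf for the router described in the thread: default deny,
# outbound NAT, inbound redirects to the game PC, and a permissive LAN.
gen_pf_conf() {
cat <<'EOF'
pubif  = "em0"
l1     = "em1"
gamepc = "192.168.1.50"
gamer_udp = "{ 3074:3079, 3478, 4379:4380, 27000:27031, 27036 }"
gamer_tcp = "{ 3074, 27014:27050 }"

set skip on lo

# Default deny, and log it so tcpdump on pflog0 shows what was dropped.
block log

# NAT as a match rule: applied to anything the later pass out rule lets through.
match out on $pubif inet from $l1:network to any nat-to ($pubif)

# The catch-all pass out the answer suggests; replies come back via state.
pass out quick inet

# Inbound redirects. "egress" is the automatic group holding the interface
# that carries the default route. The state created here also carries the
# packet out on $l1, so no separate pass out on $l1 is needed.
pass in on egress inet proto udp to (egress) port $gamer_udp rdr-to $gamepc
pass in on egress inet proto tcp to (egress) port $gamer_tcp rdr-to $gamepc

# The LAN may originate anything.
pass in on $l1 inet from $l1:network
EOF
}

# Constructed `tcpdump -n -e -ttt -i pflog0` output (not a real capture).
# With -e, tcpdump prefixes each packet with the pf rule number that matched.
SAMPLE_PFLOG='000000 rule 0/(match) block in on em0: 203.0.113.9.50231 > 198.51.100.20.3075: udp 60
000512 rule 4/(match) pass in on em0: 203.0.113.9.50232 > 198.51.100.20.3074: udp 60
001023 rule 0/(match) block in on em0: 203.0.113.9.50233 > 198.51.100.20.3075: udp 60
002001 rule 2/(match) pass out on em0: 198.51.100.20.61000 > 203.0.113.9.3478: udp 40'

# Count blocked packets per destination port and blocking rule number.
# The rule number is what `pfctl -vvsr` prints as @N, which pins the block
# to a specific line of the loaded ruleset instead of guessing.
blocked_by_port() {
    printf '%s\n' "$1" | awk '$4 == "block" {
        split($3, r, "/")                 # "0/(match)" -> rule number 0
        dst = $10; sub(/:$/, "", dst)     # "198.51.100.20.3075:" -> strip colon
        n = split(dst, p, "[.]")          # last dotted field is the port
        key = "port " p[n] " rule " r[1]
        c[key]++
    } END { for (k in c) print k, c[k] }' | sort
}

# Usage on the router (not run here):
#   gen_pf_conf > /etc/pf.conf && pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
#   tcpdump -n -e -ttt -i pflog0 udp port 3075     # watch while the game probes
#   pfctl -vvsr                                    # map "rule N" to the @N line
#   pfctl -ss | grep 3075                          # was a redirected state created?
blocked_by_port "$SAMPLE_PFLOG"
```

Run on the constructed sample, blocked_by_port reports "port 3075 rule 0 2": two packets to UDP/3075 were dropped by rule @0, the block log rule, which is exactly the symptom in the thread and tells you the rdr-to rule was never reached for them. If pfctl -nf accepts the file and pfctl -vvsr shows the redirect rule after @0 but pflog0 still attributes the drops to @0, compare the logged destination address with what (egress) resolves to and check pfctl -ss for a state with the redirected destination. Separately, if the redirects do match but the game still reports a strict NAT, note that nat-to rewrites the source port of outgoing UDP unless the static-port option is given (pf.conf(5)); whether this particular game's NAT probe cares about that is not something the thread establishes.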