Port forwarding sanity check

I’m trying to open UDP ports for a dedicated game server and it refuses to show online.

I can connect directly to the VM, so I know it's not Windows Firewall etc.

The server lives on a separate VLAN. Do I need to add an accompanying rule in Firewall > Rules > Server VLAN?

When you create a port forward it should automatically create a corresponding firewall rule. If it didn't create one (based on your screenshot it created a corresponding rule named "NAT VRising Server"), you need to create it manually.

By the way, what version is your pfSense?

I’m on version 2.5.2.

It automatically created a firewall rule on the WAN interface called "NAT VRising Server", but not on the server VLAN.

I tried creating a rule there matching that other one and the server still shows offline in the list. Also, a UDP nmap scan shows the port as filtered.

Source: WAN address
Destination: single host 10.0.10.129
Port: same as the other rule on WAN
Protocol: IPv4 UDP

Should I use WAN net instead?

Regarding the creation of the firewall rule, that is expected. Because the expected traffic is coming from the Internet, it only opens ports on WAN. There is no need to open ports on "server" because pfSense is smart enough to know that the traffic is returning traffic.

UDP is a different beast. Unlike TCP, UDP does not have a handshake where it informs the sender that a connection was established, hence why you are getting that "filtered" result. Have you tried using the "-sU" parameter when you ran nmap?

Please refer to this for nmap scanning on UDP:
https://nmap.org/book/scan-methods-udp-scan.html

Yes, I used nmap -sU -p 9876 -v (my external IP).

image

Can you try nmap -sUV?

Same thing unfortunately. I launch the game and can join using 10.0.10.129:9876.

When I attempt to join using external-IP:9876 it results in "connection failed". The port is definitely being blocked.

9876 is for the game server and 9877 is for the steam query. My server shows in the list as offline. I have to be doing something wrong.

I also checked my ISP's list of blocked ports (Internet Ports Blocked or Restricted by Cox) and these aren't listed.

I'm running nmap from a separate computer over a VPN.

I figured it out. NAT reflection wasn't configured properly.

All works fine now.

Hey! Try configuring static outbound NAT for the server. I had this same issue when setting up an Urban Terror server, which uses a UDP connection. Basically, what happens is that without static outbound NAT the pfSense firewall is going to send traffic out on a random UDP port as it leaves your network (this is default behavior and is thought to enhance security). When the 'master server' for the game network receives the traffic, it will assume that your server lives on that random UDP port and try to reply to it via the random port, but when that traffic gets back to your firewall, it's going to drop or reject the traffic because your inbound NAT is set for ports 9876-9877, and not the random port. Then the game's 'master server' is going to assume that your server is down because it isn't responding to the traffic it sent back to your server. Assigning static outbound NAT tells the firewall to send traffic out from the firewall on the same port it was received on from your server.

TL;DR: It's your firewall doing NAT translation. Set up static outbound NAT for the server (or the network the server lives on) within your firewall and the issue should resolve.
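As an added illustration (not posted by anyone in this thread), here is what the configuration described in the reply above looks like in the pf.conf syntax that pfSense 2.x generates from its GUI: the default outbound NAT mapping that randomizes the source port, the Static Port mapping that keeps it, the UDP 9876-9877 port forward, and the associated WAN pass rule. The server address and ports are the ones from the thread; the WAN interface name em0 and the macro names are assumptions, and on a real pfSense box you would make these changes in Firewall > NAT > Outbound (Hybrid or Manual mode, "Static Port" checked on the server's mapping) rather than by editing pf.conf.

```pf
# Added example, not from the original thread or from pfSense itself.
# Assumption: WAN is em0 (yours will differ). Macro names are illustrative.
wan_if     = "em0"
game_srv   = "10.0.10.129"
game_ports = "9876:9877"   # 9876 = game traffic, 9877 = Steam query

# --- Outbound NAT (GUI: Firewall > NAT > Outbound) ---
# Default automatic mapping: the source port of the server's own outbound UDP
# packets is rewritten to a random high port as they leave on WAN. Shown
# commented out for contrast; pf uses the FIRST matching nat rule, so only
# one of these two should be active.
# nat on $wan_if inet proto udp from $game_srv to any -> ($wan_if)

# Static Port mapping: the server's source port (9876/9877) is preserved on the
# WAN side, so the address a master server records for this host matches the
# port forward below. Scoped to the single server IP, not the whole VLAN, so
# other hosts on the VLAN keep randomized source ports.
nat on $wan_if inet proto udp from $game_srv to any -> ($wan_if) static-port

# --- Port forward (GUI: Firewall > NAT > Port Forward) ---
# Inbound UDP to the WAN address on 9876-9877 is redirected to the server.
rdr on $wan_if inet proto udp from any to ($wan_if) port $game_ports -> $game_srv

# --- Associated WAN filter rule (auto-created, e.g. "NAT VRising Server") ---
# rdr rewrites the destination before filtering, so the pass rule matches the
# internal address and port, not the WAN address.
pass in quick on $wan_if inet proto udp from any to $game_srv port $game_ports keep state
```

A UDP nmap scan is not a reliable check for this: nmap reports a silent UDP port as open|filtered whether the forward works or not, because nothing answers an empty probe. Confirm instead by watching Diagnostics > States on the firewall while the server is up; you should see an outbound state from 10.0.10.129:9876 whose WAN-side source port is also 9876 once Static Port is in effect.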