Hello,
Need to port forward to Nintendo Switch for my daughter's game but have never performed this action before. Thought I might test a port forward configuration to a Linux box first. If the config worked then I'd try to extend it to a new rule for the Switch. Don't know how to test port forwarding but gave it a try below. Used a KDE Neon box with VPN off for the test.
Firewall: NAT: Port Forward config
- Interface: WAN
- TCP/IP Version: IPv4
- Protocol: TCP
- Source / Invert: Unchecked
- Source: any
- Source Port Range: any to any
- Destination / Invert: Unchecked
- Destination: WAN address
- Destination Port range: (other) 36000 to (other) 36000
- Redirect target IP: Alias "htpc"
- Redirect target Port: (other) 36000
- Pool Options: Default
- Log: Checked
- NAT reflection: Enable
Port forward check below:
Canyouseeme.org test for forwarded port "36000":
Error: I could not see your service on x.x.x.x on port (36000)
Reason: Connection refused
Firewall: Log Files: Plain View for 10.1.36.80 (KDE Neon test box)
2020-03-29T05:48:13 filterlog: 85,,,0,igb1,match,pass,in,4,0x0,,64,6022,0,DF,6,tcp,60,10.1.36.80,10.1.36.1,58006,443,0,S,4050776014,,64240,,mss;sackOK;TS;nop;wscale
2020-03-29T05:46:30 filterlog: 85,,,0,igb1,match,pass,in,4,0x0,,64,64196,0,DF,6,tcp,60,10.1.36.80,10.1.36.1,58004,443,0,S,4125679719,,64240,,mss;sackOK;TS;nop;wscale
2020-03-29T05:46:05 filterlog: 83,,,0,igb1,match,pass,out,4,0x0,,41,4375,0,DF,6,tcp,60,52.202.215.126,10.1.36.80,39715,36000,0,S,2441912499,,26883,,mss;sackOK;TS;nop;wscale
2020-03-29T05:46:05 filterlog: 91,,,0,pppoe0,match,pass,in,4,0x0,,42,4375,0,DF,6,tcp,60,52.202.215.126,10.1.36.80,39715,36000,0,S,2441912499,,26883,,mss;sackOK;TS;nop;wscale
Canyouseeme.org test for non-forwarded port "36001":
Error: I could not see your service on x.x.x.x on port (36001)
Reason: Connection timed out
Firewall: Log Files: Plain View for 36001
2020-03-29T05:54:17 filterlog: 9,,,0,pppoe0,match,block,in,4,0x0,,42,52835,0,DF,6,tcp,60,52.202.215.126,72.35.119.90,60412,36001,0,S,397295950,,26883,,mss;sackOK;TS;nop;wscale
The forwarded port "36000" gave a "Connection refused" error. This seems better than the "36001" "Connection timed out" error. What should I try next to make sure that port forwarding works correctly and safely on OPNsense?
Thanks,
Kurt
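An added example, not part of the thread, for reading the filterlog lines quoted above: it parses the OPNsense filterlog CSV layout (field order assumed from those lines) and, for a given WAN interface and destination port, reports whether inbound SYNs were blocked or were passed with the destination already rewritten to a private address, which is what a working rdr rule looks like in the log (the "Connection refused" then comes from the host, not the firewall). The sample log is constructed from the lines in the post.

```python
import ipaddress

# Constructed sample: the three WAN-relevant filterlog lines quoted in the post
# (a SYN to the forwarded port 36000 and a SYN to the non-forwarded port 36001).
SAMPLE_LOG = """\
2020-03-29T05:46:05 filterlog: 83,,,0,igb1,match,pass,out,4,0x0,,41,4375,0,DF,6,tcp,60,52.202.215.126,10.1.36.80,39715,36000,0,S,2441912499,,26883,,mss;sackOK;TS;nop;wscale
2020-03-29T05:46:05 filterlog: 91,,,0,pppoe0,match,pass,in,4,0x0,,42,4375,0,DF,6,tcp,60,52.202.215.126,10.1.36.80,39715,36000,0,S,2441912499,,26883,,mss;sackOK;TS;nop;wscale
2020-03-29T05:54:17 filterlog: 9,,,0,pppoe0,match,block,in,4,0x0,,42,52835,0,DF,6,tcp,60,52.202.215.126,72.35.119.90,60412,36001,0,S,397295950,,26883,,mss;sackOK;TS;nop;wscale
"""

# Assumed field layout of an OPNsense filterlog IPv4 entry, as seen in the lines
# above (only the leading fields through dport are named).
FIELDS = ("rule", "subrule", "anchor", "label", "iface", "reason", "action", "dir",
          "ipver", "tos", "ecn", "ttl", "id", "offset", "flags", "protoid", "proto",
          "length", "src", "dst", "sport", "dport")

def parse_filterlog(line):
    """Return the named fields of one IPv4 'filterlog:' line, or None."""
    ts, _, rest = line.partition(" filterlog: ")
    parts = rest.split(",")
    if len(parts) < len(FIELDS) or parts[FIELDS.index("ipver")] != "4":
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"], rec["dport"] = ts, int(rec["dport"])
    return rec

def classify_port_forward(log_text, wan_iface, dport):
    """Classify inbound SYNs to dport logged on wan_iface.
    'forwarded': passed with a private (RFC 1918) destination, i.e. the rdr rule
      rewrote the address before the filter logged it, so a 'Connection refused'
      reported by an external checker comes from the host, not the firewall.
    'blocked': a block entry (no rdr rule matched). 'passed_not_redirected':
      passed but still addressed to the WAN IP. 'no_traffic': nothing logged.
    """
    verdicts = set()
    for line in log_text.splitlines():
        rec = parse_filterlog(line)
        if not rec or rec["iface"] != wan_iface or rec["dir"] != "in" or rec["dport"] != dport:
            continue
        if rec["action"] == "block":
            verdicts.add("blocked")
        elif ipaddress.ip_address(rec["dst"]).is_private:
            verdicts.add("forwarded")
        else:
            verdicts.add("passed_not_redirected")
    for verdict in ("forwarded", "blocked", "passed_not_redirected"):
        if verdict in verdicts:
            return verdict
    return "no_traffic"
```

Run it against a Plain View export filtered to the WAN interface; the igb1 "out" line is ignored on purpose, since only the WAN-side entry shows whether the rdr rule matched.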
Good morning,
I'm about as much of a network guy as McCoy defusing a photon torpedo. So I tend to proceed slowly.
I just ran Qbittorrent with 36000 as the listening port on the Neon box and got positive feedback.
Canyouseeme.org:
Success: I can see your service on X.X.X.X on port (36000)
Your ISP is not blocking port 36000
Thanks to the following two posts for getting the Port Forward config set up for me.
https://forum.opnsense.org/index.php?topic=8783.0
https://homenetworkguy.com/how-to/firewall-rules-cheat-sheet/
The next step then is a port forward for the Switch box for Animal Crossing for my daughter and her college friend. I run what I consider the critical devices on the LAN interface and all of the phones and gaming consoles on a separate WAP on the OPT1 interface. Nintendo support calls for UDP: 1-65535 to be open, although a Reddit post suggests that UDP: 45000-65535 will suffice. Is having this many ports open just something you live with or are there other ways to work this problem?
Thanks,
Kurt
After adding the new port forward rule my daughter tried to connect to her friend's game on the Switch and got 2618-0521 and 2618-0511 "NAT traversal process may have failed" error codes. Then went to Switch System->Internet->Test Connection and received a "D" NAT score (not good).
Found two more Nintendo Switch posts for setting static NAT outbound rule at:
https://forum.opnsense.org/index.php?topic=11801.msg53771#msg53771 and
https://forum.netgate.com/topic/112631/nintendo-switch-needs-static-port-on-its-outbound-nat
After adding the Firewall: NAT: Outbound manual rule I reran the Switch Test Connection routine and received an "A" NAT score. Have two happy young ladies now visiting between Alaska and New Mexico.
Regards,
Kurt
I had the same problem. With the settings at https://forum.opnsense.org/index.php?topic=11801.0 I was able to get NAT A (was NAT D originally).
Specifically the step:
create a manual outbound NAT for my Switch's IP but make sure you check "static port"
This was available at Firewall > NAT > Outbound. Select Hybrid and hit save.
I also removed all of my custom NAT port rules for the Switch that didn't change anything.
Now at least the outgoing connection works to another's island. I will have to have them check the incoming.