Strict flow implementation? (port-forwarding not working as intended)

Started by jamesb2147, October 03, 2019, 10:35:20 PM

Hello,

I've posted about this on Reddit a couple of times:

https://www.reddit.com/r/OPNsenseFirewall/comments/dcbyo8/meraki_concentrator_partially_blocked_digging/
https://www.reddit.com/r/OPNsenseFirewall/comments/d98aii/port_forward_not_working/

Basically, I have a strong suspicion that pf or similar software underpinning OPNsense is allowing only one network "flow" through each port, either forwarded or outbound. I have observed:

  • Port forwards have appeared to work for Plex, but only for a single client at a time
  • Port forwards appeared to work briefly with one of my BitTorrent trackers; it now reports I am "unconnectable"
  • Meraki UDP hole punching used for AutoVPN appears to only be working for one of two sites now that it's behind OPNsense

That last observation is what really pointed me at this being a restriction on the number of allowed flows. It uses the same technology at every site, and OPNsense is actually the first firewall I've found that blocks meshing by default (Meraki's source paper cited a 90%+ success rate for their technique, BTW).

I consider the port forwarding a serious issue because it doesn't behave as one would expect a port forward to behave. However, the behavior of normally restricting users to a single flow per outbound request, while stricter than most firewalls and likely to cause problems with marginal cases (I have a sneaking suspicion this is causing Skype problems for me), is an entirely reasonable choice.

With all that said, I don't really know how to troubleshoot this, much less change it. OpenBSD's packet filter documentation isn't awful, but it is tough to wade through for someone not versed in pf terminology.

Any help in figuring out how to move forward is much appreciated. Have a great day, all!
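One way to test the "one flow per port" hypothesis from the post is to look at pf's state table rather than at client symptoms: `pfctl -ss` lists every active state, and for a forwarded port you can count how many distinct remote peers currently have a state through it. The script below is an added example, not code from the original post or from the OPNsense project; it assumes an inbound redirected state is printed in the shape `<if> <proto> <internal:port> (<external:port>) <- <remote:port> <state>` and works on a constructed sample embedded in the script.

```python
import re
from collections import defaultdict

# Constructed sample in the style of `pfctl -ss` output (not captured from a real firewall).
# Assumed shape of an inbound, redirected (port-forwarded) state:
#   <if> <proto> <internal:port> (<external:port>) <- <remote:port>   <state>
# Outbound states use "->" and are ignored when counting forwarded flows.
SAMPLE_STATES = """\
all tcp 192.168.1.10:32400 (198.51.100.7:32400) <- 203.0.113.5:51234       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.10:32400 (198.51.100.7:32400) <- 203.0.113.88:40001       ESTABLISHED:ESTABLISHED
all udp 192.168.1.30:9350 (198.51.100.7:9350) <- 192.0.2.77:9350       MULTIPLE:MULTIPLE
all tcp 192.168.1.50:55000 (198.51.100.7:55000) -> 93.184.216.34:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.10:32400 (198.51.100.7:32400) <- 203.0.113.5:32400       NO_TRAFFIC:SINGLE
"""

# One regex for both directions; the parenthesised translated endpoint is optional on either side.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp|icmp)\s+"
    r"(?P<left>\S+)(?:\s+\((?P<left_nat>[^)]+)\))?\s+"
    r"(?P<dir><-|->)\s+"
    r"(?P<right>\S+)(?:\s+\((?P<right_nat>[^)]+)\))?\s+"
    r"(?P<state>\S+)\s*$"
)


def parse_states(text):
    """Parse pfctl -ss style lines into dicts; lines that don't match are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if m:
            states.append(m.groupdict())
    return states


def _port(endpoint):
    """Return the port of 'host:port' as an int (splitting on the last ':' keeps IPv6 intact)."""
    return int(endpoint.rsplit(":", 1)[1])


def inbound_peers_per_forward(text):
    """Map (proto, external_port) -> set of remote peers seen on inbound redirected states."""
    peers = defaultdict(set)
    for st in parse_states(text):
        if st["dir"] != "<-" or not st["left_nat"]:
            continue  # not an inbound, translated (port-forwarded) state
        key = (st["proto"], _port(st["left_nat"]))
        peers[key].add(st["right"])
    return dict(peers)


def single_flow_forwards(text):
    """Forwarded ports that currently carry exactly one remote peer.

    A port with several peers listed refutes the one-flow-per-port idea for
    that port; a port stuck at one peer while more clients are trying to
    connect is the case worth investigating further (rule order, reply-to,
    or the client side), rather than the state table itself.
    """
    return sorted(k for k, v in inbound_peers_per_forward(text).items() if len(v) == 1)


if __name__ == "__main__":
    for key, remote in sorted(inbound_peers_per_forward(SAMPLE_STATES).items()):
        print(f"{key[0]}/{key[1]}: {len(remote)} peer(s) -> {sorted(remote)}")
    print("single-flow forwards:", single_flow_forwards(SAMPLE_STATES))
```

On the firewall itself, the same functions can be pointed at live data by replacing `SAMPLE_STATES` with the text of `pfctl -ss` while two clients are connecting; if the forwarded port shows two peers in the state table but the second client still fails, the limitation is not a per-port flow cap in pf and the search should move to the rule that matches (or fails to match) the second connection.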