OpnSense breaking UDP hole punching

Started by PassionLynx, December 28, 2022, 02:20:03 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
December 28, 2022, 02:20:03 PM
Hey guys,

I wondered why p2p in many applications just doesn't seem to work and did some digging.
It turns out that for two connections:

- [InternalPeer] -> [ExternalPeer0]:[dstPort]
- [InternalPeer] -> [ExternalPeer1]:[dstPort]

OpnSense uses different source ports from the NAT outgoing. At least as far as I understand, this breaks the UDP hole punching concept, because you contact a STUN server on a specific dstPort and then the server reports the external port you used to the other peer you want to create a direct connection to.
But when you then contact the peer directly, OpnSense uses a completely different srcPort behind the NAT.
So when the other peer sends something to the srcPort with which you contacted the STUN server, it is simply blocked.

Some NATs use a consecutive numbering in the choice for srcPorts, and p2p applications often also attempt eSrcPort+n, but at least from the logs I looked at, that wasn't the case.

Is there any kind of setting to change this behavior for OpnSense?
December 28, 2022, 02:28:41 PM #1
"static port" in the outbound NAT rule.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
December 28, 2022, 04:29:10 PM #2
Using the "static port" option would mean I had to move from automatically generated outbound NAT rules to manual ones, right?
(I can't create an outbound rule only for the applications in question, because the ports used by p2p applications are most often completely randomized).

And if I understood it correctly, this option means that the NAT then simply uses the internal peer's source port also for behind the NAT, which causes its own share of problems. (Like when two internal peers use the same source port to reach the same host)
Or did I misunderstand something here?
May 06, 2023, 08:48:00 PM #3
Hi,

late answer but I hope it helps someone. I just got the same problem as PassionLynx. I found that as default firewall randomizes the source port on passing packets out. On UDP it can break some apps. Typicaly some streaming or VOIP apps. The reason for this is security by obfuscating info about source port app allocation. But bidirectional UDP traffic needs this to keep the "punch hole" automatically open for bidirectional traffic.

I discovered how to solve this problem. You have two options:

1. If you want to keep NAT more secure, you can create a special Outbound NAT rule only for your app, usually it is enough to specify the destination port or server address and 'STATIC' parameter enabled.

2. You can replace the default NAT rule with a manually configured one with the same parameters as the default one with the difference in 'STATIC' parameter.

Before you are able to make this change you must switch to Manual or Hybrid outbound NAT rule generation

If you can not predict the destination or source address or port, you must use option 2. I think that security risk at this case increase is usually minimal.
June 22, 2023, 11:16:33 AM #4
I'm struggling with this...

Do I also still need to port forward that port (8555 for WebRTC) to my internal IP (192.168.1.21)?
Print
Go Up Pages1
User actions