[SOLVED] Game servers not listed and are unreachable for master servers

Started by Mister J., October 16, 2024, 04:00:44 AM

Hi all,

I successfully run 4 game servers (latest versions of Urban Terror, Unreal Tournament 2004, Xonotic & Warsow) that I can connect to with a client from the LAN and WAN by ip.

Since I changed server OS from ClearOS to initially NethServer 7, I am having problems getting listed.
Because someone advised me to solve this problem the easiest way, I changed to the Hypervisor Proxmox and now I am running the game servers in Debian 12 based containers with a dedicated OPNsense firewall box.
Because I do not encounter this problem with UT2K4 I must assume that it's not something simple like a problem with port forwarding, because those are identical.

But with the Urban Terror, Xonotic & Warsow it's only possible to connect from the Internet by ip address and not with the in-game- or online listings.
I already tried every trick in the book that I could find, but nothing works with these 3 games.
https://arena.sh and https://www.urbanterror.info also report that the servers are unreachable.

The only problem I have with UT2K4 is that I can't figure out how to add my server to GameTracker.com.
For unknown reasons it reports that one of the following criteria is true:
  • Server is not online
  • Entered the wrong Query Port
  • Server is firewalled
When running these game servers on a ClearOS box in gateway mode I did not have any of these problems.
Could it have something to do with a setting in OPNsense ... ?!?

Please advise,

Mister J.

When I used a ClearOS box as firewall/gateway I didn't have these problems, but since I upgraded to first NethServer 7 and now Proxmox with a dedicated OPNsense box and a bridged router I have these problems.
According to ChatGPT there are 16 factors why OPNsense could be the cause of this, but I need some expert advice to make sure what could cause this.
Some of them are irrelevant, but most of them are new to me.

Firewall - OPNsense Settings

    Rules (Firewall > Rules > WAN)
        Ensure that inbound traffic on the necessary UDP and TCP ports for your game server is allowed on the WAN interface.
        Ensure that the outbound traffic is not blocked.

    Rules (Firewall > Rules > LAN)
        Verify that your game server traffic (including the necessary UDP/TCP ports) is allowed to leave the LAN interface if necessary.

    Aliases (Firewall > Aliases)
        Incorrectly defined aliases can block the needed IP ranges or ports for your game server. Check if you have an alias setup that might interfere.

    Advanced Settings (Firewall > Settings > Advanced)
        Reflection for port forwards (NAT reflection) might be needed for LAN clients to connect to the public IP of your server via the WAN interface.
        Bogon Networks filtering can block legitimate traffic if your game server uses IPs within the filtered ranges. Ensure that this is not overly restrictive.

    Floating Rules (Firewall > Rules > Floating)
        Check if there are floating rules that could block traffic to or from your game server.

    Firewall Optimization Settings (Firewall > Settings > Advanced)
        The firewall might be optimized for low-latency gaming or for security in ways that inadvertently block or slow down listing requests. Ensure that the firewall optimization setting is appropriate for gaming (e.g., Normal or Conservative).

Additional OPNsense Sections

    Intrusion Detection (Services > Intrusion Detection) - irrelevant because disabled
        If enabled, the Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) may block outbound or inbound traffic related to your game server. Check the logs and rules to ensure that it is not preventing the game server from communicating with external master servers.

    Outbound NAT (Firewall > NAT > Outbound)
        Incorrect outbound NAT configurations might prevent your server from sending data properly to master servers. Check if the NAT mode is set to "Hybrid" or "Manual" and ensure the proper outbound NAT rules for your game server are set up.

    States Reset (Diagnostics > States)
        Sometimes, stale states may prevent proper network communication. You can try resetting the states or connections from this menu.

    Logging (Firewall > Log Files)
        Use firewall logs to monitor if any traffic is being blocked related to your game server communication. This can help identify if there are any silent blockages.

    UPnP (Services > UPnP & NAT-PMP)
        If your game server supports UPnP, ensure this is configured correctly to allow automatic port forwarding for the game server.

    DNS Settings (System > Settings > General)
        Incorrect DNS settings can prevent your game server from resolving the master server addresses properly, which can cause listing issues. Ensure DNS is correctly configured.

    Gateway / Routing Issues (System > Gateways > Single)
        If there are issues with your WAN gateway or the routing table is misconfigured, your game server might not communicate properly with external servers.

    Traffic Shaper (Firewall > Shaper)
        If you are using traffic shaping, ensure that it is not prioritizing or throttling your game server traffic in a way that causes listing failures.

    GeoIP Blocking (Firewall > Aliases > GeoIP) - irrelevant because before I enabled it, the problem was there.
        If you are using GeoIP-based rules, ensure that you are not inadvertently blocking regions where the game server master servers are hosted.

    VPN Settings (if applicable)
        If your OPNsense setup involves a VPN, make sure the traffic from the game server is correctly routed and not blocked by VPN rules.

Please advise.

ChatGPT is known to hallucinate a lot so it's probably none of these reasons why it's not working.
Most of them are irrelevant or not applicable anyway.
My firewall log files are as good as empty, so nothing interesting to report there.

The thing that troubles me the most is that these links don't work anymore while the game servers are up and running and the required ports are forwarded (also confirmed by someone who is experienced with OPNsense and Proxmox):
https://arena.sh/game/<WAN ip>:44400/ - (Warsow)
https://arena.sh/game/<WAN ip>:25000/ - (Xonotic)
https://www.urbanterror.info/servers/<WAN ip>:27960/ - (Urban Terror)

And I cannot add UT2K4 to GameTracker anymore:
https://www.gametracker.com/servers/

According to the forums and my previous experiences with ClearOS as my gateway/firewall, my servers are set up correctly and the only real change is that I now bridged my router and use an OPNsense firewall box.
The fact that I now use a Proxmox box with every server in a separate container should not matter.

Please assist

I have confirmed that "Block private networks" and "Block bogon networks" are disabled in Interfaces - LAN.
These are still enabled in Interfaces - WAN, but afaik this should remain the case.
I have tested disabling these settings in Interfaces - WAN, but without result.

I also enabled "Multicast Handling" by allowing the following in Firewall - Rules - LAN:
224.0.0.0/4
Afaik this is redundant, because this option is enabled by default.

Old situation:
LAN (switch with clients) - Gateway server - (LAN) router & WiFi (WAN) - Internet

New situation:
LAN (switch with clients, Proxmox box & Access Point) - (LAN) OPNsense box (WAN) - router (bridged) - Internet

[root@UT2K4 ~]# ss -tuln | grep -E '7777|7778|7787|10777|28902'
udp   UNCONN 0      0      192.168.100.142:7777       0.0.0.0:*
udp   UNCONN 0      0      192.168.100.142:7778       0.0.0.0:*
udp   UNCONN 0      0      192.168.100.142:7787       0.0.0.0:*
udp   UNCONN 0      0      192.168.100.142:10777      0.0.0.0:*
udp   UNCONN 0      0      192.168.100.142:28902      0.0.0.0:*


[root@UT2K4 ~]# nmap -sU -p 7777,7778,7787,10777,28902 192.168.100.142
Starting Nmap 7.93 ( https://nmap.org ) at 2024-10-20 23:47 UTC
Nmap scan report for UT2K4.<domain>.nl (192.168.100.142)
Host is up.

PORT      STATE         SERVICE
7777/udp  open|filtered cbt
7778/udp  open|filtered interwise
7787/udp  open|filtered popup-reminders
10777/udp open|filtered unknown
28902/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 3.14 seconds


[root@UT2K4 ~]# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     0    --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
ACCEPT     17   --  0.0.0.0/0            192.168.100.142      udp dpt:7777
ACCEPT     17   --  0.0.0.0/0            192.168.100.142      udp dpt:7778
ACCEPT     17   --  0.0.0.0/0            192.168.100.142      udp dpt:7787
ACCEPT     17   --  0.0.0.0/0            192.168.100.142      udp dpt:10777
ACCEPT     17   --  0.0.0.0/0            192.168.100.142      udp dpt:28902
DROP       0    --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     17   --  192.168.100.142      0.0.0.0/0            udp dpt:7777
ACCEPT     17   --  192.168.100.142      0.0.0.0/0            udp dpt:7787
ACCEPT     17   --  192.168.100.142      0.0.0.0/0            udp dpt:28902

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination


Please advise.

Enabling the following, could sound like a solution, but first it wasn't and secondly, it can create a loopback situation with delays and that's unwanted with game servers:
Firewall - Settings - Advanced
Network Address Translation    
  • Reflection for port forwards
  • Reflection for 1:1
  • Automatic outbound NAT for Reflection

IDS/IPS is disabled.

DNS resolution is functioning inside the containers:
[root@UT2K4 ~]# nslookup google.com
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:   google.com
Address: 142.251.39.110
Name:   google.com
Address: 2a00:1450:400e:810::200e


Correct me if I am wrong, but afaik this verifies outbound traffic on the necessary port and that the port is open:
[root@UT2K4 ~]# nc -zv ut2004master.errorist.eu 28902
Warning: inverse host lookup failed for 150.230.23.146: Unknown host
ext.errorist.eu [150.230.23.146] 28902 (?) open


I don't understand how to use packet capture to analyze traffic to/from master servers and GameTracker.

The game server logs do not report any errors concerning the master servers:
Log: MasterServerUplink: Resolved utmaster.openspy.net as 134.122.16.249
Log: MasterServerUplink: Connection to utmaster.openspy.net established.


I can connect to the master servers, but it seems they cannot connect to me.

Please assist.


EDIT:
Attempted to solve this issue by disabling IPv6 on the WAN interface without success.
After a reboot I confirmed that this was not the solution I am looking for.

October 26, 2024, 08:06:41 PM #5 Last Edit: October 26, 2024, 08:11:56 PM by thecrankygamer
You are trying a lot of stuff without actually having any basis for doing so.

1. Find out how the game's master servers query the game servers.
2. See if anything is missing in the firewall needed for the master server to query the game server.


You've probably set up the firewall wrong, as many of us did when we first started using OPNsense; rules are to be seen FROM the firewall.
Show the rules you have in place now please.

Either way you SHOULD see the query coming in on the firewall, being blocked or passed, so check the live log.

If you don't see any of them reaching the firewall there's something else wrong network-wise.

Thanks for responding crankygamer,

I get this message from GameTracker for UT2K4:
One of the following suggestions may help you:

  • Your server is currently offline. (False, I can ping and connect from the LAN & WAN with an ip.)
        GameTracker needs your server to be online before you can add it to our database. Please restart your server and make sure it's up before hitting ADD SERVER again.
  • You entered the wrong query port. (False, I used the default port 7787, but also tested the others.)
        Please update your query port and hit scan again
  • Your server is firewalled. (Not by the default rules, see pictures below.)
        Please turn off any firewall you have that may block scanning or whitelist the gametracker scanning IP addresses:
        149.28.43.230
        45.77.96.90
        108.61.78.150
        108.61.78.149

I also saw this line in the live log (in green) when pressing the Add Server button:
Interface Time             Source          Destination         Proto        Label
LAN 2024-10-27T17:02:49 45.77.96.90:60840 192.168.100.142:7787 udp let out anything from firewall host itself

See: Packet Capture

This confirms that GameTracker is scanning on the correct port, but there's no indication of a response packet from my server back to 45.77.96.90.
I suspect that there is a rule missing and I confirmed in the live log that it is not blocked/dropped.
I whitelisted all of the other UT2K4 master servers (source- & destination port = any), but that still didn't solve the problem.
Whitelisting the master servers for the other games also didn't help.

These are my current rules:
Btw ... these rules were checked by a friend who has 35+ years of experience with OPNsense, but hardly has the time to help me.
And I have been running these game servers for the last 20+ years.
He doesn't know much about game servers and I don't know much about OPNsense, so I have no choice other than trying out stuff that may not sound logical to you.

I checked the live log and there are a lot of denials, but not from the master servers.

Please advise.

PS.
When I used a ClearOS box as gateway/firewall I didn't have to Whitelist any server.
And no, ClearOS is not made for game servers and does not Whitelist servers automatically.

I am not sure but I have a gut feeling that I am getting closer to the cause of the problem.
That's all I have because I lack the experience that some of you guys and girls have.
Let me explain why ...

I locally opened 2 Putty windows and connected to my UT2K4 container.
In the first window I started this command:
[root@UT2K4 ~]# nc -u -l 7787
In the second window I did this command:
[root@UT2K4 ~]# echo "test packet" | nc -u 127.0.0.1 7787
The result was that in the first window the message appeared:
[root@UT2K4 ~]# nc -u -l 7787
test packet


Don't ask me why but I needed to make a VPN connection from my laptop to test the following:
In the first window I started this command:
[root@UT2K4 ~]# nc -u -l 7787
In the second window I did this command:
[root@UT2K4 ~]# echo "test packet" | nc -u 192.168.100.142 7787
The result was that in the first window the message appeared:
[root@UT2K4 ~]# nc -u -l 7787
test packet


So far so good, but what I actually need is to test this from outside of my LAN to confirm that UDP packages get a proper response too, but I can't seem to figure it out on my own.
I tried to open port 22 temporarily on my WAN to be able to access my network from the WAN, but for unknown reasons this failed.

What I want to achieve is this:
In the first window (LAN) start this command:
[root@UT2K4 ~]# nc -u -l 7787
In the second window (WAN) run this command:
[root ~]# echo "test packet" | nc -u <WAN ip> 7787
The successful result would be that in the first window the message appears:
[root@UT2K4 ~]# nc -u -l 7787
test packet


Now going back to my gut feeling.
I suspect that from the WAN it does not get a proper response, which would explain why all my game servers have the problem of being able to connect to the master servers, but the master servers are unable to connect to my game servers, because they don't get a response back when connecting from the WAN.

If this logic is correct then how do I enable this with OPNsense ... ?!?
Could it be solved by some outgoing rules, or maybe with some advanced settings ... ?!?
Or maybe this is a bug that no one thought of before ... ?!?

Please advise or at least confirm or deny my logic.

PS.
Don't tell me that I am trying out stuff without having a basis for doing so, because doing nothing is not an option and this forum doesn't really give me a high number of feedback.

This is a forum for OPNsense, a router/firewall solution. Most of the questions are of a networking nature but related to the opnsetup.
Your questions have so far begun with game servers and how they're not working as you expect them. Well, those would be better served in a game server forum.
Once you have specific opnsense questions, they are easier to answer. So far you seem to still be expecting someone to figure out what you need to do networking-wise, to get your game specific requirements into opn. Well, that might take a while to happen, when someone using your gameservers comes to help. You can see the chances are very high that you are the only one.
Then it is very unclear what your setup is:

>Because someone advised me to solve this problem the easiest way, I changed to the Hypervisor Proxmox and now I am running the game servers in Debian 12 based containers with a dedicated OPNsense firewall box.
Proxmox in the mix is another complication.

> When I used a ClearOS box as firewall/gateway I didn't have these problems, but since I upgraded to first NethServer 7 and now Proxmox with a dedicated OPNsense box and a bridged router I have these problems.
Bridged router is another networking complication.

So all in all what I'm saying is that you have made a lot of changes that require a good solid understanding of networking so you can apply the correct settings in the different elements of your setup.
I suggest you start on your journey by studying the basic networking concepts, there are good resources online. Then start your changes or your diagnostics.

In Dutch we have a saying ... "van het kastje naar de muur" ... roughly translated it means something like "being sent from one unhelpful person to the next".

I already posted this issue in several other (game)forums and no one seems to get the grasp of it.
All I did was follow the advice given to me by so-called specialists, with the intent of simplifying things, but according to your reply I should go back to the drawing board because I did the opposite.

I can't be sure, but according to my knowledge the problem is with OPNsense, so I hope that there is someone else in this forum who is willing and able to at least point me in the right direction.
Sure thing is that I need to learn a lot, but all I read in your answer is that you don't have a clue either.

The right direction might be that your old router had UPnP enabled by default while OPNsense doesn't.

You need to install os-upnp from System > Firmware > Plugins.

I cannot help with configuration, because I do not use it.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Mister J. on October 29, 2024, 12:45:45 PM
Sure thing is that I need to learn a lot, but all I read in your answer is that you don't have a clue either.
You're totally right. I haven't a clue what your game servers need nor what your setup is in detail.
As Patrick says, os-upnp could do what you need. Trouble is, nobody yet knows what it is that is needed. The setup is not clear yet.

You should also consider turning on Hybrid outbound NAT.
OPNsense 24.7.7 running on:
Dell Optiplex 3050
Intel I5-7600 @ 3.5Ghz (4 Cores)
Intel I350-T4 Nic
8G DDR4
256G SSD

Thanks Patrick and axsdenied,

I have been experimenting with UPnP and Hybrid outbound NAT, but it didn't solve my issue.
First of all my game servers are older games and do not support UPnP, but it was worth investigating because it was another way of looking at my problem.
I confirmed this by checking if any new connected sessions were created in the status of UPnP and there were none.

If you have any other suggestions then they are welcome.

At the Urban Terror support they confirmed that my configuration files are not the problem.
They ran a server with them and it got listed, so the problem is probably Proxmox or more likely OPNsense.

Please advise
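
Added example, not part of the thread and not code from any poster: a small probe for the WAN-side test the thread keeps asking for. It sends the status query that server browsers use and reports whether a reply came back and from which address. It assumes the Quake 3 connectionless protocol (getstatus / statusResponse) as used by Urban Terror on port 27960 from the thread; the function names and the sample reply are constructed for illustration, and the probe has to be run from a host outside the LAN.

```python
import socket

OOB = b"\xff\xff\xff\xff"  # connectionless-packet prefix of the Quake 3 protocol

# Constructed sample reply (not captured from a real server).
SAMPLE_REPLY = (OOB + b"statusResponse\n"
                b"\\sv_hostname\\Constructed Test\\mapname\\ut4_casa\\sv_maxclients\\16\n"
                b'5 40 "PlayerOne"\n')

def build_getstatus() -> bytes:
    """The status query that server browsers send to a Quake 3 based server."""
    return OOB + b"getstatus\n"

def parse_status_response(data: bytes) -> dict:
    """Split a statusResponse into its \\key\\value server vars and player lines."""
    if not data.startswith(OOB + b"statusResponse"):
        raise ValueError("not a statusResponse packet")
    lines = data[len(OOB):].decode("latin-1").split("\n")
    fields = lines[1].split("\\")[1:] if len(lines) > 1 else []
    return {"info": dict(zip(fields[0::2], fields[1::2])),
            "players": [ln for ln in lines[2:] if ln.strip()]}

def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Send one getstatus query and report whether, and from where, a reply arrived."""
    target = (socket.gethostbyname(host), port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_getstatus(), target)
        try:
            # Unconnected socket: a reply is accepted even if NAT rewrote its source.
            data, peer = sock.recvfrom(65535)
        except socket.timeout:
            return {"reachable": False, "target": target}
    result = parse_status_response(data)
    # A browser or list site only accepts a reply from the address it queried.
    result.update(reachable=True, target=target, reply_from=peer,
                  source_matches=(peer == target))
    return result

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:          # usage: probe.py <WAN ip> <port>
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:                           # offline demo on the constructed sample
        print(parse_status_response(SAMPLE_REPLY))
```

A result of reachable=False while the OPNsense live log shows the query being passed means the reply is being lost on the way out; reachable=True with source_matches=False means the reply left from a different address or port than the one that was queried.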