PF Playstation4 says FreeBSD router does not support packet fragmentation

My ISP does not supply me with a public IPv4, since it uses carrier-grade NAT. This is unfortunate because I can't establish p2p connections from my Playstation4 to other customers of this ISP (which is quite common in my area). Therefore I use a service that provides me with an OpenVPN endpoint with my own public IP. That means I have the public IP on my tap interface on my FreeBSD home server, which I use first and foremost as a NAS and torrent machine.

The FreeBSD server is not my router. My router is a provider supplied plastic box which just works.

Now to my problem: Whenever I forward my Playstation4 traffic via my FreeBSD server, regardless of whether I just forward to my plastic box or NAT to the tap interface, I always get the message on my Playstation4 (when doing the "test internet connection") that my router does not support packet fragmentation. When just setting my plastic box as router, there is no such warning.

Despite the fact that the p2p to other customers seems to work, I am anxious that there is something wrong that will maybe show up later, in a specific game for example. The Playstation4 is quite quirky. It requires the port forwarding to be done via UPnP, otherwise it won't connect to other customers even though I have manually forwarded all traffic to the PS4. So I believe it would be best to get rid of all the warnings, because it is obvious that the PS4 somehow relies on the result of that "internet test".

Remember that the fragmentation warning does not show up when I set my plastic box as router in the PS4. So the ISP is not discarding the fragments.

The first thing I did was to deactivate scrub. This didn't do the trick. Maybe there is something else that FreeBSD does to prevent the fragmentation. I will post my whole pf.conf and ifconfig output. Maybe there is some other error. The other tunnel interface (tun88) is just for torrenting (using airvpn). There is some web interface where I can forward some ports, which I use to connect to some services on the FreeBSD server. It won't suffice for the PS4, because you need to forward specific ports, and with airvpn you of course share one public IP with a lot of other users.

if_lan is my actual LAN. if_lan2 is just a backup interface where no cable is plugged in. I replaced any public IPs with _PLACEHOLDER_. To be clear: the Playstation is attached to bridge0 and I route the traffic via NAT to my public IP at tap12.

Code:
if_airvpn = "tun88"
if_public = "tap12"
if_lan = "bridge0"
if_lan2 = "re0"
if_loopback = "lo0"
ip_ps4 = "192.168.1.3"

# ps4 does not like scrub
no scrub on $if_lan
no scrub on $if_public

# scrub
scrub on $if_lan2
scrub on $if_airvpn

# create a nat on the public ip
nat on $if_public from ($if_lan:network) to any -> ($if_public) static-port

# port forwards by upnp
rdr-anchor miniupnpd

# general policy is to block everything
block log

# pass in rules on $if_public for the port forwards
anchor miniupnpd

# do not block lan and loopback
pass quick on $if_loopback
pass quick on $if_lan
pass quick on $if_lan2

# allow icmp everywhere except for deluge (we restrict any bittorrent communication to the airvpn tunnel)
pass quick proto icmp user != deluge

# allow outgoing IPv4 traffic on tunnel interfaces
pass out on $if_public inet
pass out on $if_airvpn inet

# redirect ps4 traffic to public ip (airvpn is the default route)
pass in log on $if_lan route-to ( $if_public _PUBLICGW_ ) from $ip_ps4 to !($if_lan:network)

# allow incoming traffic for selected services on $if_airvpn (ipv4)
pass in on $if_airvpn inet proto tcp to port 32400                # plex
pass in on $if_airvpn inet proto tcp to port 14100                # ssh
pass in on $if_airvpn inet proto tcp to port 14101                # https

# restrictive bittorrent setting
block user deluge                                                 # policy for deluge: no network access
pass out on $if_airvpn inet                                       # deluge is only allowed to access the airvpn tunnel (over IPv4)
pass in on $if_airvpn inet proto {tcp,udp} to port 7016           # deluge needs to receive incoming connections

# -----------------------------------------

Code:
igb0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
    ether 90:e2:ba:0e:d2:00
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (10baseT/UTP <half-duplex>)
    status: active
igb1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
    ether 90:e2:ba:0e:d2:01
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
igb2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
    ether 90:e2:ba:0e:d2:02
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect
    status: no carrier
igb3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
    ether 90:e2:ba:0e:d2:03
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (1000baseT <full-duplex>)
    status: active
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
    ether a4:1f:72:96:56:73
    inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
    nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
    media: Ethernet autoselect (none)
    status: no carrier
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
    inet 127.0.0.1 netmask 0xff000000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 02:de:88:22:4e:00
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::de:88ff:fe22:4e00%bridge0 prefixlen 64 scopeid 0x7
    inet6 _PUBLIC_IP_ prefixlen 64 autoconf
    nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
    root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
    member: igb3 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 4 priority 128 path cost 2000000
    member: igb2 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 3 priority 128 path cost 2000000
    member: igb1 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 2 priority 128 path cost 2000000
    member: igb0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
            ifmaxaddr 0 port 1 priority 128 path cost 2000000
tap12: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1454
    options=80000<LINKSTATE>
    ether 00:bd:b4:52:00:0c
    inet6 fe80::2bd:b4ff:fe52:c%tap12 prefixlen 64 scopeid 0x8
    inet _PUBLIC_IP_ netmask 0xfffffe00 broadcast _PUBLIC_IP_
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    media: Ethernet autoselect
    status: active
    Opened by PID 868
tun88: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
    options=80000<LINKSTATE>
    inet6 fe80::92e2:baff:fe0e:d200%tun88 prefixlen 64 scopeid 0x9
    inet 10.4.0.13 --> 10.4.0.1 netmask 0xffff0000
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
    Opened by PID 875
pflog0: flags=0<> metric 0 mtu 33160
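An added illustration, not part of the thread and not the poster's code, of what the PS4 "packet fragmentation" test is probing: the ifconfig output above shows the PS4 on bridge0 (MTU 1500) while the egress tap12 has MTU 1454, so any full-size datagram the FreeBSD box forwards out tap12 must either be split into fragments or, when the DF bit is set, answered with ICMP Fragmentation Needed (type 3, code 4) carrying the next-hop MTU. Only the two MTU values are taken from the post; the datagrams are constructed.

```python
"""Forwarding decision for an IPv4 datagram that may exceed the egress MTU."""
from dataclasses import dataclass
from typing import List, Union

IPV4_HDR_LEN = 20  # header without options, assumed for this model
BRIDGE0_MTU, TAP12_MTU = 1500, 1454  # the two MTUs from the ifconfig output


@dataclass
class Datagram:
    total_len: int    # bytes, including the 20-byte IPv4 header
    df: bool          # Don't Fragment flag set by the sender
    ident: int = 0    # Identification field, shared by all fragments


@dataclass
class Fragment:
    ident: int
    offset: int         # fragment offset in 8-byte units, as in the header
    more_fragments: bool
    total_len: int


@dataclass
class FragNeeded:
    """ICMP type 3 code 4: the router refuses to fragment and reports the MTU."""
    next_hop_mtu: int


def forward(pkt: Datagram, egress_mtu: int) -> Union[List[Fragment], FragNeeded]:
    """Return the fragments sent on egress, or the ICMP error returned instead."""
    if pkt.total_len <= egress_mtu:          # fits: forwarded unchanged
        return [Fragment(pkt.ident, 0, False, pkt.total_len)]
    if pkt.df:                               # DF set: router must not fragment
        return FragNeeded(egress_mtu)
    payload = pkt.total_len - IPV4_HDR_LEN
    # every fragment but the last carries a payload that is a multiple of 8
    chunk = (egress_mtu - IPV4_HDR_LEN) // 8 * 8
    frags, off = [], 0
    while off < payload:
        n = min(chunk, payload - off)
        frags.append(Fragment(pkt.ident, off // 8, off + n < payload, IPV4_HDR_LEN + n))
        off += n
    return frags


if __name__ == "__main__":
    print(forward(Datagram(BRIDGE0_MTU, df=False, ident=7), TAP12_MTU))
    print(forward(Datagram(BRIDGE0_MTU, df=True, ident=8), TAP12_MTU))
```

A 1500-byte datagram from the PS4 becomes a 1452-byte and a 68-byte fragment on tap12; with DF set the box must instead emit the ICMP error, which is why the `pass quick proto icmp` rule in the pf.conf matters for this test.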
Code:
scrub from PS3-ip-address to any no-df random-id fragment reassemble
scrub on $ext_if all

Works fine on my PS3 at least.
//Danne