Final Edit: Turns out my problems were poor connectivity!
-------
I am new to pf, and have mostly got things working as intended... but I am having trouble with port forwarding to support one specific LAN app. If I could get a hand checking my pf.conf I'd really appreciate it! It may be the case that I've made a pf.conf error--or the failure I am seeing could be a problem on the app that I am trying to reach.
The RDR rules for SINGLE ports work fine -- for example you can see I have a gadget on port 8000, Plex Server on 32400, and 2 Windows machine VNC connections on ports 5901 & 5902. Those are great.
The problematic app is Moonlight game streaming--I am trying to reach one of the Windows machines from the Internet via the Gamestream protocol. You can see I have forwarded a set of udp and tcp ports, but since it does not work at all, I wonder if I have a syntax or rules order error specific to these groups of ports. Note that the unreachable machine IS reachable via VNC.
Moonlight USED to work when I used ipfw so I suspect either a pf.conf error, or Moonlight/Gamestream is incompatible with scrub. However, since it is Windows, it is totally possible that my pf forwarding works perfectly and Windows doesn't. I haven't tried to do this in months so an update could have broken things.
Code:
# pf.conf
###################
#### Variables ####
###################
#### Network interfaces
# External interface
ext_if="igb0"
# Internal interface
int_if="igb1"
# igb2 and 3 not yet in use
#### MY GADGETS (and vars for their services)
# note that ports open on the router itself are defined below in the last rules block
nvr="192.168.1.15"
shieldtv="192.168.1.16"
ps4="192.168.1.14"
ps4_udp="{ 9303 9296 9297 }"
deck2="192.168.1.17"
moonlight_udp="{ 47998,47999,48000,48010 }"
moonlight_tcp="{ 47984,47989 }"
tvpc="192.168.1.18"
# let's not support xboxes with rdr, let's try miniupnpd
# (macro currently unused; pf.conf(5) documents macro names as letters, digits and underscores only)
xbox_mbr="192.168.1.13"
#### External IPs to block manually
# Stop local machines from connecting to these IPs -- block phoning home
# Add IPs to /usr/local/etc/pf-blacklist.conf
# Then restart pf: pfctl -F all -f /etc/pf.conf
table <blacklist> persist file "/usr/local/etc/pf-blacklist.conf"
### Incoming hacker IPs to block manually
# Stop trying to log in, jerk!
# Add IPs to /usr/local/etc/pf-hackers.conf
# Then restart pf: pfctl -F all -f /etc/pf.conf
table <hackers> persist file "/usr/local/etc/pf-hackers.conf"
# Follow RFC1918 and don't route to non-routable IPs
# http://www.iana.org/assignments/ipv4-address-space
# http://rfc.net/rfc1918.html
# note: 20.20.20.0/24 is not an RFC1918 range; the private block missing from this list is 10.0.0.0/8
nonroute= "{ 0.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255 }"
# Set allowed ICMP types
icmp_types = "{ 0, 3, 4, 8, 11, 12 }"
####################################
#### Options and optimizations #####
####################################
# Set interface for logging (statistics)
set loginterface $ext_if
# Optimization
# normal = default
# aggressive = Drop states as fast as possible without having excessively low timeouts
set optimization normal
# Block policy, either silently drop packets or tell sender that request is blocked
set block-policy return
# Don't bother to process (filter) following interfaces such as loopback:
set skip on lo0
# Scrub traffic
# If there is trouble, this is the first thing to comment out.
# Said to cause problems for game consoles?
scrub on $ext_if all
###########################################
#### RULES ORDER: NAT, RDR, PASS/BLOCK ####
###########################################
#######################
#### NAT ####
#######################
# Enable NAT
nat on $ext_if inet from $int_if:network to any -> ($ext_if)
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
#######################
#### RDR ####
#######################
# Hikvision NVR port 8000
rdr pass on $ext_if inet proto tcp from any to any port 8000 -> $nvr
# Plex port for server running on Shield Android TV
rdr pass on $ext_if inet proto tcp from any to any port 32400 -> $shieldtv
# PS4 remote play
# udp ports are defined above with the device ip
rdr pass on $ext_if inet proto udp from any to any port $ps4_udp -> $ps4
# Moonlight remote game streaming
rdr pass on $ext_if proto udp from any to any port $moonlight_udp -> $deck2
rdr pass on $ext_if proto tcp from any to any port $moonlight_tcp -> $deck2
## VNC for Windows
# WAN port 5902 goes to upstairs PC
rdr pass on $ext_if inet proto tcp from any to any port 5902 -> $deck2 port 5900
# WAN port 5901 goes to downstairs PC
rdr pass on $ext_if inet proto tcp from any to any port 5901 -> $tvpc port 5900
## Bit Torrent for downstairs Windows
# App set to port 8999
rdr pass on $ext_if inet proto tcp from any to any port 8999 -> $tvpc
################################
#### Rules inbound (int_if) ####
################################
# Pass on everything
pass in quick on $int_if inet all keep state
#################################
#### Rules outbound (int_if) ####
#################################
# Pass on everything
pass out quick on $int_if inet all keep state
################################
#### Rules inbound (ext_if) ####
################################
# Drop packets from non-routable addresses directly
block drop in quick on $ext_if from $nonroute to any
# Block IPs in the hacker list
block in log quick on $ext_if from <hackers> to any
# DHCP on ext_if turned off, we have a static IP from the ISP
# pass in quick on $ext_if inet proto udp to ($ext_if) port { 67, 68 }
# Allow ICMP
pass in quick on $ext_if inet proto icmp all icmp-type $icmp_types
# Allow FTPs to connect to our FTP-proxy--turned off, left in for example
#pass in quick on $ext_if inet proto tcp to ($ext_if) port ftp-data user proxy
# TCP ports that we allow in to the router itself
# 22=ssh
pass in quick on $ext_if inet proto tcp to any port { 22 }
# Block everything else
block in on $ext_if all
#################################
#### Rules outbound (ext_if) ####
#################################
# note there is an implicit PASS ALL at the beginning of a ruleset.
# Packets are evaluated against ALL rules, with the last match winning
# QUICK forces an instant match
###### BLOCK this traffic from LAN to WAN: ###########
# add IPs to /etc/pf-blacklist.conf
block out log quick on $ext_if from any to <blacklist>
# Drop packets to non-routable addresses directly
#block drop out log quick on $ext_if from any to $nonroute
# uPnPd rule anchor
anchor "miniupnpd"
# pass out everything to the WAN interface unless it was blocked above
pass out on $ext_if from any to any
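A small diagnostic helper, added here and not part of the original post, for telling a pf problem apart from a host or connectivity problem in a case like this: it dry-runs the ruleset, shows the rdr rules after pf has expanded the { } port lists, and reads `pfctl -vsn` counters to flag rdr rules that have never matched a packet. The /etc/pf.conf path and the layout of the pfctl counter lines are assumptions, and the sample counter output is constructed.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original post). Assumes FreeBSD pf with
# the poster's ruleset at /etc/pf.conf (path is an assumption); the pfctl
# invocations are real, the sample counter output below is constructed.
PF_CONF="${PF_CONF:-/etc/pf.conf}"

# Dry-run parse: reports syntax errors without touching the loaded ruleset.
check_syntax() { pfctl -nf "$PF_CONF"; }

# With -v, pfctl prints the ruleset after macro and { } list expansion, so the
# Moonlight port lists show up as one rdr rule per port; a port missing here
# never made it into the ruleset.
show_expanded_rdr() { pfctl -nvf "$PF_CONF" | grep '^rdr'; }

# Read `pfctl -vsn` output on stdin and print every rdr rule for the given
# ports whose "Packets:" counter is still zero. Evaluations > 0 with Packets 0
# means the interface saw traffic but none for that port, which points at
# connectivity or the ISP rather than at pf or the Windows host.
rdr_unmatched() {
  # $1: space separated port list, e.g. "47998 47999"
  awk -v ports="$1" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
    /^rdr/ { rule = $0; keep = 0
             for (port in want) if ($0 ~ ("port = " port "( |$)")) keep = 1 }
    keep && /Packets: 0 / { print rule; keep = 0 }
  '
}

# Constructed sample of `pfctl -vsn` output for an offline check: 47998 never
# matched, 47999 did, and the VNC redirect (5902) never matched either.
SAMPLE='rdr pass on igb0 proto udp from any to any port = 47998 -> 192.168.1.17
  [ Evaluations: 512       Packets: 0         Bytes: 0           States: 0     ]
rdr pass on igb0 proto udp from any to any port = 47999 -> 192.168.1.17
  [ Evaluations: 512       Packets: 30        Bytes: 4200        States: 1     ]
rdr pass on igb0 inet proto tcp from any to any port = 5902 -> 192.168.1.17 port 5900
  [ Evaluations: 512       Packets: 0         Bytes: 0           States: 0     ]'

# Runs the counter check over the constructed sample with the Moonlight udp ports.
sample_check() { printf '%s\n' "$SAMPLE" | rdr_unmatched "47998 47999 48000 48010"; }
```

On the live box, run `check_syntax`, then `show_expanded_rdr`, then `pfctl -vsn | rdr_unmatched "47998 47999 48000 48010 47984 47989"` while a Moonlight client is trying to connect.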