Topic: Gameserver behind NAT  (Read 4246 times)
« on: September 11, 2007, 14:47:18 »
flo1000 *
Posts: 8

Hey people, I'm coming up here with a general problem in NAT...
The issue affects many gameservers, or rather the master lists.
The issue I'm talking about is called "source port mapping".

Most games have a master list where you can find servers to play on.
The gameservers send "heartbeat" packets to the master list server.
In many cases, the source port of the packet specifies the gameserver.

For example, I'm running a Quake3 server on port 27960.
The server now sends a heartbeat to master.id3soft.com. Source port of this packet: 27960

In the NAT the source port now gets exchanged, in the case of monowall e.g. to port 1047.
This is called "Source Port Mapping".
The technique prevents many users from the LAN using the same port.

With that packet the master list server now gets informed that my gameserver runs on port 1047, which is not true. A backward check on that port won't bring anything, and the server won't appear in the list.

Trapped by this mechanism, no (!!!) Quake-engine-based gameserver will get an entry in the master list.
Players simply can't find the server. BTW, same with all Half-Life-based games.

I found several topics here in these forums, but in just one case did they find the right way.
It's in the "advanced outbound NAT".
Here you can simply deactivate the H4T3D outbound port mapping:

(http://q3ana.de/monowall/m0n0.01.png)

So far so perfect. A single source rule can reactivate all needed outbound traffic for the whole subnet.

But now comes the point:

If a port is already forwarded in the INBOUND NAT, this setting won't work.
But in order to share a gameserver with the Internet, I MUST do that.

The result is: you can't have gameservers behind monowall, like any soft firewall, except windows ble sharing.

Here are 2 pics of the packet sent by the server and the translated packet sent by the monowall:

Original Packet (quake3):
(http://q3ana.de/monowall/m0n0.02.png)

Routed packet, outgoing from Monowall WAN interface:
(http://q3ana.de/monowall/m0n0.03.png)

Hm, any suggestions, anyone?

Thx for reading, hope developers with a heart for poor gamers fall from the sky ;)

flo aka <<<Wurst



« Last Edit: January 13, 2010, 19:52:02 by flo1000 »
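Added example, not part of the original post: a toy Python model of the heartbeat problem described above, showing which port the master list records and whether a player can then reach the server. The WAN/LAN addresses and all class and function names are assumptions; ports 27960 and 1047 are the values given in the post.

```python
# Toy model of the NAT behaviour described in the post (constructed values).
import itertools

GAME_PORT = 27960            # Quake3 server port from the post
WAN_IP = "203.0.113.10"      # assumed WAN address (documentation range)
LAN_SERVER = "192.168.1.50"  # assumed LAN address of the gameserver


class Nat:
    def __init__(self, static_port, forwards):
        self.static_port = static_port      # True = outbound port mapping disabled
        self.forwards = forwards            # inbound NAT: {wan_port: (lan_ip, lan_port)}
        self._next = itertools.count(1047)  # first mapped port, as seen in the post

    def outbound(self, src_ip, src_port):
        """Return the (ip, port) the remote side sees for a LAN packet."""
        port = src_port if self.static_port else next(self._next)
        return WAN_IP, port

    def inbound(self, dst_port):
        """Return the LAN target for an unsolicited WAN packet, or None."""
        return self.forwards.get(dst_port)


def master_registers(nat):
    """The master list records the heartbeat's source address as the server."""
    return nat.outbound(LAN_SERVER, GAME_PORT)


def player_reaches_server(nat):
    """A player connects to the address the master list advertises."""
    _, advertised_port = master_registers(nat)
    return nat.inbound(advertised_port) == (LAN_SERVER, GAME_PORT)


def scenarios():
    fwd = {GAME_PORT: (LAN_SERVER, GAME_PORT)}
    return {
        "port mapping + inbound forward": player_reaches_server(Nat(False, fwd)),
        "static port, no inbound forward": player_reaches_server(Nat(True, {})),
        "static port + inbound forward": player_reaches_server(Nat(True, fwd)),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:33s} -> {'reachable' if ok else 'not reachable'}")
```

Only the third scenario works, and it is the combination the post reports m0n0wall not honouring once the port is also forwarded inbound.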
« Reply #1 on: November 02, 2007, 20:39:35 »
schroedi *
Posts: 1

I've got the same problem. When I set up a dedicated counter-strike server, it can't be connected to by other players.

Did you find a solution yet?
« Reply #2 on: November 03, 2007, 17:57:30 »
flo1000 *
Posts: 8

No, I'm still not able to use monowall for NATing gameservers.
No developers with a heart for poor gamers have fallen from the sky yet (or no one survived the impact, maybe some are still in hospital).

Some days ago I thought about DMZ and firewall rules to prevent abuse.
Or better: to do it without NAT.
Maybe I'll try that later.

For me it would be important to have additional port forwarding to the webserver (makes me pretty lag on gameserver).

Counter-Strike BTW has the same problematic mechanism.

Lots of home routers can do it.
It's just that the bigger devices are not so flexible with such changes, which surely compromise certain functionality (the case that 2 machines in the DMZ use the same source port).
monowall already does a great job with that "disable port mapping".

It should be just vice versa in our case:
the packet from the NATed machine should keep its source port, the others could then get whatever switched source ports (for the case that some other application uses the same source port as the gameserver).
« Last Edit: November 03, 2007, 17:59:01 by flo1000 »
« Reply #3 on: March 17, 2008, 19:31:19 »
flo1000 *
Posts: 8

Hey people!

It's working with pfsense.
Look here:

http://q3ana.de/viewtopic.php?f=16&t=793&p=9182


greets

wursti
« Reply #4 on: March 17, 2008, 20:44:34 »
ChainSaw
Guest

I believe m0n0wall has this same feature under "Advanced outbound NAT".

CS...
« Reply #5 on: March 18, 2008, 22:26:31 »
flo1000 *
Posts: 8

Yes, that's true.

It just doesn't work for inbound forwarded ports.
In other words:
it works perfectly, except when I make the gameserver accessible from outside...

Don't ask me, I just tried it in pfsense again (like in 1000 firewalls); there it worked somehow.
I know that this is wanted functionality somehow, I just don't know how to get rid of it.

monowall would be very nice for gameserver admins to run,
because of that great performance.
Although it's very small, there's the traffic shaper. That's especially great for those of us who have a server on a shared DSL line (yes, it's usual behaviour for us Quake3 children...)

Hmhmhm. I'm sure there's a way to fix it somewhere, and I'm sure there are gameserver admins who need it.
I myself have enough resources for running a bigger firewall and I think I have a need too, so I'm better off with that pfsense anyway.

greets

wursti
 