# PF IPFW-Classifyd PAT



## cj (Aug 8, 2013)

I'm running a couple of FreeBSD servers that act as a gateway for 5000+ nodes and I'm trying to solve the infamous PlayStation NAT Type 3 problem on my network.

It seems some games on the PS network uses a decentralized approach where one of the players is picked as the host. This causes problems in a situation such as mine where you have many people trying to play using the same incoming port number and public IP address.  The firewall changes the incoming port to the next available port number because there are more than one host on the same public IP address. Itâ€™s explained here: 



> Strict: You will get a â€œStrictâ€ NAT type if your RG is using Port Address Translation (PAT) which is part of NAT. PAT happens when you have multiple PS3 devices sharing the same public IP address. When a PS3 attempts to connect to a host it allocates a source port for the communication â€“ if it is the only device using this source port then NAT will use this source port as well. However, if multiple devices use the same source port then the PAT function will change the source port. This is what causes a â€œStrictâ€ NAT type and can limit your ability to join games and other features like in-game chat.


netnix.org/2011/09/06/understanding-ps3-nat

Iâ€™m currently looking into an Application Level Gateway for FreeBSD similar to Netfiliter that is used for Linux as a possible solution.   Iâ€™ve read that I could possible divert traffic to certain PSN IP and Ports to handle the PSN traffic in a way that It would work in a PAT environment.  

Iâ€™ve recompiled some kernel options with ipfw, dummynet, and ipdivert.  I was thinking that ipfw-classifyd could help with resolving this issue.  Does anyone have any information that may be useful in my quest?


----------



## kpa (Aug 8, 2013)

As far as I know the problem exhibits itself only with UDP traffic and the reason is that the NAT translation in FreeBSD's firewalls always allocates a new random source port on the public IP when a new UDP connection is detected from a client host (a new state in other words). With PF there's the static-port option that can be used on a nat rule to state that the source port should be kept the same on outgoing connections. Something like this:


```
nat on $ext_if inet proto udp from $int_if:network to any -> $ext_if static-port
# Default nat rule
nat on $ext_if ...
```

That might need to be tightened to match only the game traffic assuming the source port is known. This depends on the game and if it does actually use the same source port always for outgoing connections.

Also if the LAN hosts are using the same source port there will be a collision on the public IP address when two LAN hostort pairs are mapped to the same port.


----------



## cj (Aug 8, 2013)

Thanks for your reply it's logical and insightful.

I previously had an Astaro Security Gateway providing NAT/PAT and it was able to have multiple host on PSN connect without issues.  I know it's Linux/iptables but I was hoping to replicate that behavior with FreeBSD.


----------

