Hi all, I've been using OpenBSD as a gateway for quite a while now and
recently I got a PS3, so I decided to connect it to the network.
Unfortunately, it kept complaining that I had a restrictive type of
NAT and that other people would not be able to connect to me. At
first, I thought it was some problem with my router, but when I
connected the PS3 directly to the router all connection tests were
successful, so I tried this very simple pf.conf:
#############
ext_if = "rl0"
int_if = "rl1"
#
ps3 = "10.0.0.8"
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
#
rdr on $ext_if proto udp from any to ($ext_if) port 1:65535 -> $ps3 port 1:65535
#
pass all
#############
Even with that I was getting a restrictive type of NAT, so I decided to
capture the packets being sent and received by the PS3 when it was
doing the connection test both when connected directly to the router
and when connected to the OpenBSD box.
After comparing the packets I noticed something that could be the
cause of the connection error.
This is a packet when the connection is successful
############################################
No. Time Source Destination Protocol Info
171 33.894835 198.107.158.129 192.168.1.3 STUN
Message: Binding Response
Frame 171 (122 bytes on wire, 122 bytes captured)
Ethernet II, Src: D-Link_e1:b9:00 (00:1b:11:e1:b9:00), Dst:
SonyComp_96:61:25 (00:1f:a7:96:61:25)
Internet Protocol, Src: 198.107.158.129 (198.107.158.129), Dst:
192.168.1.3 (192.168.1.3)
User Datagram Protocol, Src Port: stun (3478), Dst Port: 50526 (50526)
Source port: stun (3478)
Destination port: 50526 (50526)
Length: 88
Checksum: 0xe9db [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Simple Traversal of UDP Through NAT
[Request In: 170]
[Time: 0.140815000 seconds]
Message Type: Binding Response (0x0101)
Message Length: 0x003c
Message Transaction ID: BCEA76A6F4EAEE3ABFEA173E40579CBC
Attributes
Attribute: SOURCE-ADDRESS
Attribute: CHANGED-ADDRESS
Attribute: XOR_MAPPED_ADDRESS
Attribute Type: XOR_MAPPED_ADDRESS (0x8020)
Attribute Length: 8
Protocol Family: IPv4 (0x0001)
Port (XOR-d): 31156
[Port: 50526]
IP (XOR-d): 117.178.149.236 (117.178.149.236)
[IP: 201.88.227.74 (201.88.227.74)]
Attribute: MESSAGE-INTEGRITY
#################################################
And this is a packet when the connection fails
#################################################
No. Time Source Destination Protocol Info
162 36.836648 198.107.157.137 10.0.0.8 STUN
Message: Binding Response
Frame 162 (122 bytes on wire, 122 bytes captured)
Ethernet II, Src: CnetTech_67:99:f8 (00:08:a1:67:99:f8), Dst:
SonyComp_96:61:25 (00:1f:a7:96:61:25)
Internet Protocol, Src: 198.107.157.137 (198.107.157.137), Dst:
10.0.0.8 (10.0.0.8)
User Datagram Protocol, Src Port: stun (3478), Dst Port: 50516 (50516)
Source port: stun (3478)
Destination port: 50516 (50516)
Length: 88
Checksum: 0x6f8f [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Simple Traversal of UDP Through NAT
[Request In: 161]
[Time: 0.133701000 seconds]
Message Type: Binding Response (0x0101)
Message Length: 0x003c
Message Transaction ID: 0FDF0B74DA2676EC4751BFB3AE4CBAC2
Attributes
Attribute: SOURCE-ADDRESS
Attribute: CHANGED-ADDRESS
Attribute: XOR_MAPPED_ADDRESS
Attribute Type: XOR_MAPPED_ADDRESS (0x8020)
Attribute Length: 8
Protocol Family: IPv4 (0x0001)
Port (XOR-d): 50030
[Port: 52401]
IP (XOR-d): 198.135.232.62 (198.135.232.62)
[IP: 201.88.227.74 (201.88.227.74)]
Attribute: MESSAGE-INTEGRITY
#################################################
On the successful packet the port number inside the XOR_MAPPED_ADDRESS
attribute is the same as the Destination port of the packet; on the
failed connection those ports are different.
What could be the cause of this?
Any help is appreciated.
I have posted the full packets here:
Request (Successful): http://paste2.org/p/337420
Response (Successful): http://paste2.org/p/337422
Request (Failure): http://paste2.org/p/337424
Response (Failure): http://paste2.org/p/337426
Thanks in advance
--
Allegari nihil et allegatum non probare, paria sunt.
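
Added example, not part of the original post: a Python check that decodes the XOR_MAPPED_ADDRESS values from the two Binding Responses above and compares the mapped port with the PS3's local port. It assumes, as the numbers in both captures bear out, that the XOR key is the leading bytes of the 16-byte transaction ID; the function names and the CAPTURES table are hypothetical, and the attribute bytes are rebuilt from the dissector's "XOR-d" fields.

```python
import ipaddress
import struct

def decode_xor_mapped_address(value: bytes, transaction_id: bytes):
    """Decode an 8-byte IPv4 XOR_MAPPED_ADDRESS (0x8020) attribute value.

    Assumption taken from the captures on this page: the XOR key is the
    leading bytes of the 16-byte transaction ID (2 for port, 4 for address).
    """
    if len(value) != 8:
        raise ValueError("IPv4 XOR_MAPPED_ADDRESS value must be 8 bytes")
    if len(transaction_id) != 16:
        raise ValueError("expected a 16-byte transaction ID")
    _reserved, family, xport, xaddr = struct.unpack("!BBHI", value)
    if family != 0x01:
        raise ValueError(f"unsupported address family {family:#x}")
    (key_port,) = struct.unpack("!H", transaction_id[:2])
    (key_addr,) = struct.unpack("!I", transaction_id[:4])
    return str(ipaddress.IPv4Address(xaddr ^ key_addr)), xport ^ key_port

def attr_value(xor_ip: str, xor_port: int) -> bytes:
    """Rebuild the raw attribute value from the dissector's 'XOR-d' fields."""
    return struct.pack("!BBHI", 0, 0x01, xor_port,
                       int(ipaddress.IPv4Address(xor_ip)))

# name: (PS3 local UDP port = Dst Port of the response,
#        XOR-d IP, XOR-d port, transaction ID), copied from the dumps above.
CAPTURES = {
    "direct":  (50526, "117.178.149.236", 31156,
                "BCEA76A6F4EAEE3ABFEA173E40579CBC"),
    "openbsd": (50516, "198.135.232.62", 50030,
                "0FDF0B74DA2676EC4751BFB3AE4CBAC2"),
}

def check(name: str):
    """Return (mapped_ip, mapped_port, port_preserved) for one capture."""
    local_port, xor_ip, xor_port, tid = CAPTURES[name]
    ip, port = decode_xor_mapped_address(attr_value(xor_ip, xor_port),
                                         bytes.fromhex(tid))
    return ip, port, port == local_port

if __name__ == "__main__":
    for name in CAPTURES:
        ip, port, same = check(name)
        verdict = "source port preserved" if same else "source port rewritten"
        print(f"{name}: mapped {ip}:{port} -> {verdict}")
```

A mismatch between the mapped port and the local port, as in the OpenBSD capture, means the NAT device rewrote the UDP source port. pf's nat rules do this by default unless static-port is specified on the rule.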