Full Cone NAT In PF

Darren Pilgrim darren.pilgrim at gmail.com
Mon Apr 30 05:45:57 UTC 2012


On 2012-04-29 17:03, Michael MacLeod wrote:
> I understand that cone NAT is a generally terrible and insecure way to do
> NAT, but game and application developers seem hell-bent on depending on
> cone NAT behaviour. Is there a way to make it work with PF?

Not directly, no.  In most cases where the application/device will not 
work through symmetric NAT, all that is necessary is a port forward, not 
true full-cone NAT.

Have a look at the net/miniupnpd port.  It is a UPnP daemon that anchors 
to pf and maintains rdr rules for dynamic port forwarding.  You can do 
the same thing on a static basis by maintaining your own nat static-port 
and rdr rules if your SIP devices do not support UPnP.

For those who search mail archives, this is also how you get a FreeBSD 
router to make your PS3 show NAT type 2 instead of type 3 or your Xbox 
show NAT type open instead of strict or moderate.
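Added example, not part of Darren's reply or the miniupnpd project: a pf.conf fragment showing the static alternative he describes, a `nat ... static-port` rule for the console plus an `rdr` port forward and the matching `pass` rule. It uses the FreeBSD 9-era pf syntax in use when this thread was written. The interface names, the LAN prefix, the console address and the UDP port list are all assumed placeholders; substitute the ports your device or game vendor documents.

```pf
# Added example, not from the original post. Assumed names: em0 (WAN), em1 (LAN),
# 192.168.1.0/24 LAN, 192.168.1.50 console. Port list is a placeholder.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"
console = "192.168.1.50"
console_udp = "{ 3074, 3478, 3479 }"   # placeholder ports; use the vendor-documented set

# First matching nat rule wins, so the console-specific rule comes first.
# static-port keeps the console's source port unchanged on the way out, so a
# STUN-style check sees the same external port every time (no port randomisation).
nat on $ext_if proto udp from $console to any -> ($ext_if) static-port

# Everything else on the LAN gets ordinary NAT with randomised source ports.
nat on $ext_if from $lan_net to any -> ($ext_if)

# The port forward: unsolicited inbound UDP to the listed ports on the external
# address is redirected to the console. This is the "port forward, not true
# full-cone NAT" the reply says is usually all that is needed.
rdr on $ext_if proto udp from any to ($ext_if) port $console_udp -> $console

# rdr only rewrites the destination; the filter still has to admit the packet.
# Keep the pass rule as narrow as the forward: one host, one protocol, listed ports.
pass in quick on $ext_if proto udp from any to $console port $console_udp keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and confirm the translation rules took effect with `pfctl -s nat`. Keeping the `static-port` rule scoped to the single console address, rather than the whole LAN, limits the loss of source-port randomisation to the one host that actually needs it.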

