8 Replies Latest reply: May 14, 2012 5:00 PM by sliedl

    How to Configure Port Forwarding for Video Games

    readysetgo

      Once a week our company will take an hour to have everybody play a video game together. Recently, we've been trying to get Battlefield 3 to work however we can't seem to establish a connection to the EA Servers due to our Sidewinder firewall cluster.

      The below ports need to be opened for the game to work:

      TCP: 80, 443, 9988, 20000-20100, 22990, 17502, 42127

      UDP: 3659, 14000-14016, 22990-23006, 25200-25300

      For some reason the unit will not allow me to create a single rule to open all of these ports, so I've configured eight different rules for them (four incoming and four outgoing).

      TCP ports 80 and 443 and UDP port 3659 are already open via other rules. The rules open the remaining ports. The rules created are identical except that each of them links a different Service so as to include all of the different ports that need to be opened.

      Service 1:

      • Agent: Generic Proxy
        • Expected Connections: 8000
      • TCP Ports: 17502,20000-20100,22990,42127
      • UDP Ports: 3659
      • Timeouts:
        • TCP idle timeout: 7200 seconds
        • UDP idle timeout: 300 seconds
      • Enable fast path sessions: checked

      Service 2:

      • Agent: Generic Proxy
        • Expected Connections: 8000
      • TCP Ports: n/a
      • UDP Ports: 14000-14016
      • Timeouts:
        • TCP idle timeout: 7200 seconds
        • UDP idle timeout: 300 seconds
      • Enable fast path sessions: checked

      Service 3:

      • Agent: Generic Proxy
        • Expected Connections: 8000
      • TCP Ports: n/a
      • UDP Ports: 22990-23006
      • Timeouts:
        • TCP idle timeout: 7200 seconds
        • UDP idle timeout: 300 seconds
      • Enable fast path sessions: checked

      Service 4:

      • Agent: Generic Proxy
        • Expected Connections: 8000
      • TCP Ports: n/a
      • UDP Ports: 25200-25300
      • Timeouts:
        • TCP idle timeout: 7200 seconds
        • UDP idle timeout: 300 seconds
      • Enable fast path sessions: checked

      Rule for Outgoing Port Openings (Same for all four outgoing rules):

      • General
        • Action: Allow
        • Service: Service 1 (Generic Proxy) - Service 2-4 included in the other 3 rules
        • Audit: Standard (recommended)
      • Effective Times
        • Time Period: <any>
      • Source
        • Burb: Internal
        • Endpoint: <Any>
        • NAT: localhost (Host)
      • Destination
        • Burb: External
        • Endpoint: <Any>
        • Redirect: <None>
        • Redirect Port: n/a
      • TrustedSource
        • Enable TrustedSource: Unchecked
      • Inspection
        • n/a
        • IPS Signature Group: <None>
      • Authentication
        • Authenticator: <None>

      Rule for Incoming Port Openings (Same for all four incoming rules):

      • General
        • Action: Allow
        • Service: Service 1 (Generic Proxy) - Service 2-4 included in the other 3 rules
        • Audit: Standard (recommended)
      • Effective Times
        • Time Period: <any>
      • Source
        • Burb: External
        • Endpoint: <Any>
        • NAT: localhost (Host)
      • Destination
        • Burb: Internal
        • Endpoint: <Any>
        • Redirect: <None>
        • Redirect Port: n/a
      • TrustedSource
        • Enable TrustedSource: Unchecked
      • Inspection
        • n/a
        • IPS Signature Group: <None>
      • Authentication
        • Authenticator: <None>

      After putting these rules in place, I'm still not able to connect to the game server so I must be setting up something incorrectly. Trying to connect via a different connection works fine so I'm certain the problem must be traffic passing through our firewalls.

      Also, the rules are placed above Deny All so that is not the issue.

      Message was edited by: readysetgo on 3/8/12 7:36:53 AM CST
        • 1. Re: How to Configure Port Forwarding for Video Games
          readysetgo

          Anybody? Any help would be greatly appreciated as always.

          • 2. Re: How to Configure Port Forwarding for Video Games
            sliedl

            You only need one service and one rule.

            Create a new Service.

            Agent: TCP/UDP Packet filter (this is important, don't make it proxy, you don't need one)

            Ports:

            TCP: 80,443,9988,20000-20100,22990,17502,42127

            UDP: 3659,14000-14016,22990-23006,25200-25300

            Use this service in an outgoing rule that has NAT set to 'localhost (host)'.  You do not need any incoming rules for this rule to work (all response traffic will match a current outgoing session).
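The one-service, one-rule design described in this reply, as an added example that is not part of the original thread and not Sidewinder code: a small Python model of one Internal -> External Allow rule over a session table. It shows why no Incoming rule is needed (replies match the session the outbound packet opened) and why anything outside the service definition is denied. The names `parse_ports`, `service_matches` and `Firewall` are this example's own, and the addresses in the usage block are constructed documentation-range values.

```python
"""Added example (not Sidewinder code): a single stateful outbound rule."""
from dataclasses import dataclass, field

# Port lists exactly as given in the reply above (comma-separated, ranges allowed).
TCP_PORTS = "80,443,9988,20000-20100,22990,17502,42127"
UDP_PORTS = "3659,14000-14016,22990-23006,25200-25300"


def parse_ports(spec: str) -> list[tuple[int, int]]:
    """Turn '80,20000-20100' into [(80, 80), (20000, 20100)], validating each item."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition("-")
        lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((lo_i, hi_i))
    return ranges


SERVICE = {"tcp": parse_ports(TCP_PORTS), "udp": parse_ports(UDP_PORTS)}


def service_matches(proto: str, dst_port: int) -> bool:
    """True when the destination port falls inside the service definition for proto."""
    return any(lo <= dst_port <= hi for lo, hi in SERVICE.get(proto, []))


@dataclass
class Firewall:
    """One Allow rule (Internal -> External, service above) plus a session table.

    Anything that matches neither the rule nor an existing session is denied,
    which is what the firewall's implicit deny-all does.
    """
    sessions: set = field(default_factory=set)

    def packet(self, proto, src_zone, src_ip, src_port, dst_ip, dst_port) -> str:
        # Reply from the outside that belongs to an open session: allowed by
        # state alone; no Incoming rule is consulted.
        reverse = (proto, dst_ip, dst_port, src_ip, src_port)
        if src_zone == "external" and reverse in self.sessions:
            return "allow (existing session)"
        # New outbound flow: must match the service, and then opens a session.
        if src_zone == "internal" and service_matches(proto, dst_port):
            self.sessions.add((proto, src_ip, src_port, dst_ip, dst_port))
            return "allow (rule)"
        # Everything else is dropped; this is what the audit shows as a denial.
        return "deny"


if __name__ == "__main__":
    fw = Firewall()
    # Constructed sample addresses (RFC 5737 documentation range for the server).
    print(fw.packet("udp", "internal", "10.1.1.25", 50000, "203.0.113.10", 3659))
    print(fw.packet("udp", "external", "203.0.113.10", 3659, "10.1.1.25", 50000))
    print(fw.packet("udp", "external", "203.0.113.10", 3659, "10.1.1.26", 50000))
    print(fw.packet("tcp", "internal", "10.1.1.25", 50001, "203.0.113.10", 10050))
```

The third call in the usage block is an unsolicited packet from the outside that matches no session, so it is denied even though the port is in the service; the fourth is an outbound attempt on a port the service does not list, which is the kind of flow a packet filter logs as a policy denial.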

            • 3. Re: How to Configure Port Forwarding for Video Games
              readysetgo

              This seemed promising but I'm still running into the same issue.

              Is there anything else that may need to be set for this to work?

              Also, just to clarify...the rule I've created is below:

              Rule for Outgoing Port Openings (Same for all four outgoing rules):

              • General
                • Action: Allow
                • Service: Battlefield 3 (TCP/UDP Packet Filter with all the ports necessary, per your instructions)
                • Audit: Standard (recommended)
              • Effective Times
                • Time Period: <any>
              • Source
                • Burb: Internal
                • Endpoint: <Any>
                • NAT: localhost (Host)
              • Destination
                • Burb: External
                • Endpoint: <Any>
                • Redirect: <None>
                • Redirect Port: n/a
              • TrustedSource
                • Enable TrustedSource: Grayed out
              • Inspection
                • <Default Group>
                • IPS Signature Group: <None>
              • Authentication
                • Authenticator: Grayed out

              Message was edited by: readysetgo on 3/9/12 6:49:14 AM CST
              • 4. Re: How to Configure Port Forwarding for Video Games
                PhilM

                I'd say the rule looks OK.

                The next thing is to try and establish whether the failure is indeed down to a conscious decision on the Firewall's part. If it is then it will tell you in the logs.

                This can be achieved using the CLI and I'm sure Sam (sliedl) will know exactly the best "ACAT" or "Showaudit" command to use. Personally, I still favour the Audit Viewer in the GUI. It is a little slower but I find it easier to understand and control.

                From the naming conventions you are using, I'm guessing that you are running version 7, but I don't know which specific release. This is a minor problem as the Audit Viewer changed during v7 - so if you're running v7.0.xx it looks different to a 7.0.1.xx box.

                Anyway, I'll assume that you're relatively up to date.

                Make a note of the IP address of one of the PCs trying to connect to this game server. It will also help if the machine in question is doing as little as possible (other than trying to connect to the game server).

                In the Firewall GUI go to Monitor -> Audit Viewing

                In the field at the top enter the following:-

                     src_ip a.b.c.d

                -where a.b.c.d is the IP address of your client PC.

                Now attempt to run the game and connect to the server. What do you see?

                Entries in green or blue are all good, but you should look out for entries where the Syslog category column says "Critical" or where the entry in the Type column reads "attack" or "netprobe". You can then double-click on these to see a more verbose output.

                Given you are now using a packet filter service, I don't think you'll see any protocol violation-type messages. If you see netprobes these entries will identify ports which the firewall isn't passing because it doesn't yet know about them. These can be added to your packet filter service and you can give it another try.

                What baffles me, at the end of the day, is why these games need so many ports?! It isn't a problem for a home user as their router/firewall will almost certainly allow anything to pass outbound. But because this Firewall operates with an implicit "deny all" rule to begin with you will need to find, and allow, each port needed to make this service work.

                -Phil.
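The audit triage Phil describes, as an added example that is not part of the original thread and not Sidewinder code: filter the audit on one client's source IP (the `src_ip a.b.c.d` filter), keep the entries he says to look at (type "attack" or "netprobe", or a Critical category), and collapse the denied destination ports into the range notation used by the packet-filter service, so they can be added to it. The key=value line layout of `SAMPLE_AUDIT` is a constructed stand-in for the Audit Viewer columns he names, not the real Sidewinder audit format; the addresses and timestamps are made up, and `parse_audit`, `flagged_entries`, `to_ranges` and `missing_ports` are this example's own names.

```python
"""Added example (not Sidewinder code): triage audit entries for one client PC."""
import re
from collections import defaultdict

# Constructed sample audit lines in a simplified key=value layout. This is NOT
# the real Sidewinder audit format; it only carries the columns the post mentions.
SAMPLE_AUDIT = """\
2012-03-09 08:01:02 type=sessionsum category=info src_ip=10.1.1.25 dst_ip=203.0.113.10 proto=tcp dst_port=443 result=allow
2012-03-09 08:01:03 type=netprobe category=critical src_ip=10.1.1.25 dst_ip=203.0.113.20 proto=udp dst_port=10003 result=deny reason=policy
2012-03-09 08:01:03 type=netprobe category=critical src_ip=10.1.1.25 dst_ip=203.0.113.20 proto=udp dst_port=10004 result=deny reason=policy
2012-03-09 08:01:04 type=netprobe category=critical src_ip=10.1.1.25 dst_ip=203.0.113.20 proto=udp dst_port=10005 result=deny reason=policy
2012-03-09 08:01:05 type=netprobe category=critical src_ip=10.1.1.30 dst_ip=198.51.100.7 proto=tcp dst_port=22 result=deny reason=policy
2012-03-09 08:01:06 type=netprobe category=critical src_ip=10.1.1.25 dst_ip=203.0.113.20 proto=udp dst_port=10050 result=deny reason=policy
2012-03-09 08:01:07 type=sessionsum category=info src_ip=10.1.1.25 dst_ip=203.0.113.20 proto=udp dst_port=3659 result=allow
"""

FIELD = re.compile(r"(\w+)=(\S+)")
SUSPICIOUS_TYPES = {"attack", "netprobe"}


def parse_audit(text: str) -> list[dict]:
    """Split each line into a dict of its key=value fields; the timestamp is kept as 'time'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = dict(FIELD.findall(line))
        entry["time"] = line[:19]
        entries.append(entry)
    return entries


def flagged_entries(entries, src_ip: str) -> list[dict]:
    """The 'src_ip a.b.c.d' filter plus the 'look out for' criteria from the post."""
    return [
        e for e in entries
        if e.get("src_ip") == src_ip
        and (e.get("type") in SUSPICIOUS_TYPES
             or e.get("category", "").lower() == "critical")
    ]


def to_ranges(ports) -> str:
    """Collapse ports into the service's own notation, e.g. '10003-10005,10050'."""
    out, run = [], []

    def flush():
        if run:
            out.append(f"{run[0]}-{run[-1]}" if len(run) > 1 else str(run[0]))

    for p in sorted(set(ports)):
        if run and p == run[-1] + 1:
            run.append(p)
        else:
            flush()
            run = [p]
    flush()
    return ",".join(out)


def missing_ports(entries, src_ip: str) -> dict:
    """Per protocol, the destination ports denied for this client, as a range string."""
    by_proto = defaultdict(list)
    for e in flagged_entries(entries, src_ip):
        if e.get("type") == "netprobe" and e.get("result") == "deny":
            by_proto[e["proto"]].append(int(e["dst_port"]))
    return {proto: to_ranges(ports) for proto, ports in by_proto.items()}


if __name__ == "__main__":
    audit = parse_audit(SAMPLE_AUDIT)
    for e in flagged_entries(audit, "10.1.1.25"):
        print(e["time"], e["type"], e["proto"], e["dst_port"], e.get("result"))
    print("add to service:", missing_ports(audit, "10.1.1.25"))
```

The unrelated denial from 10.1.1.30 is dropped by the source-IP filter, which is the reason for noting one client's address and keeping that machine otherwise idle: everything left in the flagged list can then be attributed to the game. Review the resulting ranges before adding them to the service rather than pasting them in blindly; a port that the client probed once is not necessarily one the game needs.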

                • 5. Re: How to Configure Port Forwarding for Video Games
                  readysetgo

                  PhilM...thanks for the follow up. I have a couple things I have to work on this morning before I can get back to this. I will follow your advice as soon as I have a moment and report back.

                  Thanks again.

                  • 6. Re: How to Configure Port Forwarding for Video Games
                    readysetgo

                    PhilM...well, having me use the audit led me to the answer. What I found when using the audit was that there was a netprobe showing that various ports in the 10000-10100 range were being blocked as against policy.

                    When you look at the requisite open ports for Battlefield 3 here: https://help.ea.com/article/online-ports-for-battlefield-3

                    You'll notice that it only requires those ports for PS3 and not PC. However, this problem was being experienced on a PC. I went ahead and added them to the original service and now things are working fine.

                    I'm going to award sliedl with the answer because it was his instructions that truly told me what I needed for most of it, however your answer was extremely helpful as well and neither of them would have been sufficient without the other. Thank you both for your help in this matter.

                    EA needs to update their documentation...

                    • 7. Re: How to Configure Port Forwarding for Video Games
                      cm17x

                      Hi all, sorry for bumping this "old" thread.

                      I'm facing the same problem and I read the post, saw your solutions but I can't follow the steps to solve my problem.

                      I have VirusScan Enterprise 8.7.0i. Reading the help that Sliedl gave to readysetgo, I can't find where to "Create a new service".

                      Can someone please help me with instructions about in which panel, tab, section, or option I can set that rule in order to run the game without problems? So far I need to disable the whole AV to play, and that's not good at all.

                      • 8. Re: How to Configure Port Forwarding for Video Games
                        sliedl

                        Here's the VirusScan Enterprise community:  https://community.mcafee.com/community/business/system/vse

                        Edit:  Oh, you already posted there I see.  Good luck.

                        Message was edited by: sliedl on 5/14/12 5:00:51 PM CDT