Emulator Issues #11287
STUN implementation is not compatible with source port remapping
What's the problem? Describe what went wrong.
pfSense (and several other router firmwares) have a security feature enabled by default called source port remapping, which randomizes the outbound port of connections to something different than what the client behind NAT is using. This breaks Dolphin's STUN implementation, as it relies on the port opened through the NAT being the one originally chosen by the application, rather than whatever is reported in the UDP header. More details on source port remapping can be found here: https://www.netgate.com/docs/pfsense/nat/static-port.html
What steps will reproduce the problem?
- Be behind a NAT with source port remapping.
- Set up Traversal Server NetPlay session.
- Attempt to connect using host code. It won't work.
Is the issue present in the latest development version? For future reference, please also write down the version number of the latest development version.
Yes, the STUN protocol hasn't changed to my knowledge. 5.0-8453
Is the issue present in the latest stable version?
What are your PC specifications? (CPU, GPU, Operating System, more)
Although, this is of no relevance here.
Is there anything else that can help developers narrow down the issue? (e.g. logs, screenshots, configuration files, savefiles, savestates)
Nothing in particular.
Through some research and testing, I have determined I misunderstood the nature of this problem. The issue is not source port remapping itself, as the correct port is being reported back to clients who look up the host code. The issue is stateful firewalls: specifically, when source port remapping is enabled in pfSense, the firewall won't allow inbound packets from anything other than the original remote address and port, making hole punching impossible in this configuration. Disabling source port remapping also makes the firewall more permissive to allow hole punching to work (likely intentional).
What this all means is there's nothing wrong with Dolphin's STUN implementation, and hosting netplay behind strict stateful firewalls (especially carrier-grade NAT) is impossible.
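The behaviour described in this issue can be reproduced with a small model. This is an added example, not code from the issue or from Dolphin. It assumes that remapping assigns a fresh public port to each destination flow and that the firewall accepts inbound packets only from the exact remote endpoint a flow was opened to; all addresses, ports and names are constructed.

```python
import random

class Nat:
    """Stateful NAT model: inbound is accepted only from the exact remote a flow was opened to."""
    def __init__(self, public_ip, static_port, seed=1):
        self.public_ip, self.static_port = public_ip, static_port
        self.rng = random.Random(seed)
        self.states = {}  # (internal endpoint, remote endpoint) -> public source port

    def send(self, internal, remote):
        """Open (or reuse) a state for this flow; return the source endpoint the remote sees."""
        key = (internal, remote)
        if key not in self.states:
            port = internal[1]  # static port: keep the application's own source port
            while not self.static_port and port in {internal[1], *self.states.values()}:
                port = self.rng.randrange(1024, 65536)  # assumed: fresh port per flow
            self.states[key] = port
        return (self.public_ip, self.states[key])

    def accepts(self, public_port, remote):
        """True if an existing state maps public_port to exactly this remote endpoint."""
        return any(port == public_port and r == remote
                   for (_, r), port in self.states.items())

SERVER = ("198.51.100.1", 6262)  # constructed traversal server endpoint
HOST = ("192.168.1.10", 2626)    # constructed internal endpoints
CLIENT = ("10.0.0.5", 2626)

def hole_punch(host_static, client_static):
    """Return (host reachable by client, client reachable by host) after a punch attempt."""
    host_nat = Nat("203.0.113.10", host_static, seed=1)
    client_nat = Nat("203.0.113.20", client_static, seed=2)
    # Both peers register with the traversal server, which records what it observes.
    host_pub = host_nat.send(HOST, SERVER)
    client_pub = client_nat.send(CLIENT, SERVER)
    # Each peer then sends to the other's observed endpoint to open its own firewall.
    host_src = host_nat.send(HOST, client_pub)
    client_src = client_nat.send(CLIENT, host_pub)
    # A packet arrives at the port the server reported, from the peer's actual source.
    return (host_nat.accepts(host_pub[1], client_src),
            client_nat.accepts(client_pub[1], host_src))

if __name__ == "__main__":
    for host_static in (True, False):
        for client_static in (True, False):
            print(host_static, client_static, hole_punch(host_static, client_static))
```

In this model the punch succeeds only when both sides keep a static port: once either side remaps, the source endpoint its peer sees no longer matches the endpoint the peer opened a state for.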