Emulator Issues #11287

STUN implementation is not compatible with source port remapping

Added by Techjar about 2 years ago. Updated 9 months ago.

Status: Working as intended
Priority: Normal
Assignee: -
% Done: 0%
Operating system: N/A
Issue type: Bug
Milestone:
Regression: No
Relates to usability: No
Relates to performance: No
Easy: No
Relates to maintainability: No
Regression start:
Fixed in:

Description

What's the problem? Describe what went wrong.

pfSense (and several other router firmwares) have a security feature enabled by default called source port remapping, which randomizes the outbound port of connections to something different than what the client behind NAT is using. This breaks Dolphin's STUN implementation, as it relies on the port opened through the NAT being the one originally chosen by the application, rather than whatever is reported in the UDP header. More details on source port remapping can be found here: https://www.netgate.com/docs/pfsense/nat/static-port.html

What steps will reproduce the problem?

  1. Be behind a NAT with source port remapping.
  2. Set up Traversal Server NetPlay session.
  3. Attempt to connect using host code. It won't work.

Is the issue present in the latest development version? For future reference, please also write down the version number of the latest development version.

Yes, the STUN protocol hasn't changed to my knowledge. 5.0-8453

Is the issue present in the latest stable version?

Ditto.

What are your PC specifications? (CPU, GPU, Operating System, more)

Arch Linux
i7-7700K
GTX 1080

Although, this is of no relevance here.

Is there anything else that can help developers narrow down the issue? (e.g. logs, screenshots, configuration files, savefiles, savestates)

Nothing in particular.

History

#1 Updated by Techjar 9 months ago

Through some research and testing, I have determined I misunderstood the nature of this problem. The issue is not source port remapping itself, as the correct port is being reported back to clients who look up the host code. The issue is stateful firewalls: specifically, when source port remapping is enabled in pfSense, the firewall won't allow inbound packets from anything other than the original remote address and port, making hole punching impossible in this configuration. Disabling source port remapping also makes the firewall more permissive to allow hole punching to work (likely intentional).

What this all means is there's nothing wrong with Dolphin's STUN implementation, and hosting netplay behind strict stateful firewalls (especially carrier-grade NAT) is impossible.

#2 Updated by Billiard26 9 months ago

  • Status changed from New to Working as intended

Firewalls doing their job sometimes. :P
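
The firewall behaviour described in comment #1, as an added example that is not part of the original issue and is not Dolphin or pfSense code. It is a toy state table built on two assumptions: with remapping on, each state gets a fresh external port and accepts replies only from its exact remote address and port; with remapping off, the original port is kept and any remote may reach it. The class, function names, addresses and ports are constructed for illustration.

```python
import random


class StatefulNat:
    """Toy NAT/firewall state table (constructed model, not pfSense or Dolphin code)."""

    def __init__(self, remap_source_port, seed=0):
        self.remap = remap_source_port
        self.rng = random.Random(seed)      # seeded so the run is reproducible
        self.states = {}                    # (internal, remote) -> external port

    def outbound(self, internal, remote):
        """Record a state for internal -> remote and return the external source port."""
        key = (internal, remote)
        if key not in self.states:
            port = internal[1]              # static port: keep the application's port
            while self.remap and (port == internal[1] or port in self.states.values()):
                port = self.rng.randrange(1024, 65536)   # remapped: fresh port per state
            self.states[key] = port
        return self.states[key]

    def inbound(self, remote, ext_port):
        """Return True if a packet from remote to ext_port passes the firewall."""
        for (_, state_remote), port in self.states.items():
            if port != ext_port:
                continue
            # Remapping on: only the exact remote addr:port of the state may reply.
            # Remapping off: modelled as open to any remote (assumption from comment #1).
            if not self.remap or state_remote == remote:
                return True
        return False


def try_connect(remap_source_port, host_punches):
    """Replay the NetPlay scenario; all addresses and ports are constructed samples."""
    host = ("192.168.1.20", 2626)
    server = ("203.0.113.10", 6262)         # traversal server (documentation range)
    client = ("198.51.100.7", 40000)        # joining peer
    nat = StatefulNat(remap_source_port)
    advertised = nat.outbound(host, server) # port the server hands to the client
    if host_punches:
        nat.outbound(host, client)          # host sends first, trying to open a hole
    return nat.inbound(client, advertised)


if __name__ == "__main__":
    for remap in (True, False):
        for punch in (False, True):
            print(f"remap={remap} punch={punch} -> accepted={try_connect(remap, punch)}")
```

With remapping on, the host's own packet toward the client creates a second state on a different external port, so the client's packet to the advertised port still matches only the server's state and is dropped.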
