Emulator Issues #11287: STUN implementation is not compatible with source port remapping - Emulator - Dolphin bug tracker

Actions

Copy link

Emulator Issues #11287

closed

STUN implementation is not compatible with source port remapping

Added by Techjar almost 6 years ago. Updated over 4 years ago.

Status:

Working as intended

Priority:

Normal

Assignee:

% Done:

Operating system:

N/A

Issue type:

Bug

Milestone:

Regression:

Relates to usability:

Relates to performance:

Easy:

Relates to maintainability:

Regression start:

Fixed in:

Description

What's the problem? Describe what went wrong.

pfSense (and several other router firmwares) have a security feature enabled by default called source port remapping, which randomizes the outbound port of connections to something different than what the client behind NAT is using. This breaks Dolphin's STUN implementation, as it relies on the port opened through the NAT being the one originally chosen by the application, rather than whatever is reported in the UDP header. More details in source port remapping can be found here: https://www.netgate.com/docs/pfsense/nat/static-port.html

What steps will reproduce the problem?

Be behind a NAT with source port remapping.
Set up Traversal Server NetPlay session.
Attempt to connect using host code. It won't work.

Is the issue present in the latest development version? For future reference, please also write down the version number of the latest development version.

Yes, the STUN protocol hasn't changed to my knowledge. 5.0-8453

Is the issue present in the latest stable version?

Ditto.

What are your PC specifications? (CPU, GPU, Operating System, more)

Arch Linux
i7-7700K
GTX 1080

Although, this is of no relevance here.

Is there anything else that can help developers narrow down the issue? (e.g. logs, screenshots,
configuration files, savefiles, savestates)

Nothing in particular.

Actions

Copy link

Updated by Techjar over 4 years ago

Through some research and testing, I have determined I misunderstood the nature of this problem. The issue is not source port remapping itself, as the correct port is being reported back to clients who look up the host code. The issue is stateful firewalls, specifically when source port remapping is enabled in pfSense the firewall won't allow inbound packets from anything other than the original remote address and port, making hole punching impossible in this configuration. Disabling source port remapping also makes the firewall more permissive to allow hole punching to work (likely intentional).

What this all means is there's nothing wrong with Dolphin's STUN implementation, and hosting netplay behind strict stateful firewalls (especially carrier-grade NAT) is impossible.

Actions

Copy link