OpenBSD Journal

udp/gaming proxies for openbsd

Contributed by jose on from the gamelan dept.

tacky writes:
"I've run into a bit of a problem. I have an OpenBSD frankenrouter running pf and nat, and as yet have not had many problems. I allow all protocols outbound and keep state. Now I've moved in with a bunch of other people, and certain udp based protocols (halflife/counterstrike) break. Are there gaming proxies in the nature of ftp-proxy that would work under inetd/nat that could fix this? I do NOT want to open up the relevant ports to all hosts on the public internet. I do not want to put a rdr rule in nat.conf every time the users change servers. I want this to be dynamic and something that can happen while I sleep (and they play until dawn). Of course, if it automagically helped UDP based protocols in general, that would be ideal, but I'll settle for getting my users' games to work."
I don't game much, but does anyone have any suggestions on how to make games work with pf?


  1. By schubert () on

    Could you be more specific about what is NOT working? I have an openbsd gateway/firewall that also allows all outbound protocols and traffic, and a number of my roommates can play games like counterstrike just fine. That, like almost every other FPS game out there, uses a client/server model (just like a webserver and browser), hence the NATing and port changes done by NAT don't affect games like counterstrike/half-life/quake3 etc. What _will_ break are games like starcraft and others where the server is one of the players (i.e. you); this especially won't work if two of your roommates try to do something like join the same starcraft game out on
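
The behaviour described in the comment above, as an added illustration that is not part of the thread and not pf's own code: a simplified model of a NAT gateway that keeps state on outbound UDP, showing why replies from a game server get back in while unsolicited inbound packets (a game hosted behind the NAT) do not. All addresses and the hosted-game port are constructed sample values.

```python
# Simplified model of a stateful NAT gateway ("keep state" plus nat).
# Constructed illustration; not pf's implementation. Addresses are samples.
from itertools import count

class NatGateway:
    def __init__(self, ext_ip, first_port=50000):
        self.ext_ip = ext_ip
        self._ports = count(first_port)   # next free translated source port
        self.by_inside = {}    # (int_ip, int_port, dst_ip, dst_port) -> ext_port
        self.by_outside = {}   # (dst_ip, dst_port, ext_port) -> (int_ip, int_port)

    def outbound(self, int_ip, int_port, dst_ip, dst_port):
        """Internal host sends UDP out: create (or reuse) a state entry."""
        key = (int_ip, int_port, dst_ip, dst_port)
        if key not in self.by_inside:
            ext_port = next(self._ports)
            self.by_inside[key] = ext_port
            self.by_outside[(dst_ip, dst_port, ext_port)] = (int_ip, int_port)
        return (self.ext_ip, self.by_inside[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, ext_port):
        """Packet arrives from outside: pass only if a state matches."""
        return self.by_outside.get((src_ip, src_port, ext_port))  # None = dropped

def demo():
    gw = NatGateway("203.0.113.1")
    server = ("198.51.100.7", 27015)
    # Two roommates, same client source port, same public game server.
    a = gw.outbound("192.168.1.10", 27005, *server)
    b = gw.outbound("192.168.1.11", 27005, *server)
    return {
        "distinct_ports": a[1] != b[1],
        # Server replies to each translated port and reaches the right host.
        "reply_a": gw.inbound(*server, a[1]),
        "reply_b": gw.inbound(*server, b[1]),
        # A different Internet host hitting the mapped port: no state, dropped.
        "stranger": gw.inbound("198.51.100.99", 27015, a[1]),
        # Remote player connecting to a game hosted inside (sample port 6112):
        # nothing went out first, so there is no state and it is dropped.
        "hosted_game": gw.inbound("198.51.100.50", 40000, 6112),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The state table is keyed on the full address and port tuple, so an outbound connection lets in only replies from the server that was contacted, not traffic from arbitrary hosts.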

  2. By Guido () on


    We ran into the same problems; we then set up a few IPsec VPNs between the home LANs (all using OpenBSD) and now have transparent tcp/udp access.

  3. By Sitsofe () on

    We had an OpenBSD firewall in the student house I was in and we were able to play games like Return to Castle Wolfenstein and Quake 3 without any real problems. Are you sure that your nat and pf rules are correct? Does it go wrong when more than one person is trying to connect to the same server?

  4. By Tony Cosimano () on

    Try this rule in pf.conf:

    pass out on $external inet proto udp all keep state

  5. By Michael () on

    I've been playing halflife and counterstrike for months from behind an obsd comp doing nat and I haven't had a single problem yet.

    Had a small problem with the WarCraft3 game, but the only thing that had to be changed was a simple port forward of 6112 to the windows comp.

    If they're trying to play any of Microsoft's games, such as Age of Empires/Age of Kings you're going to have to set up some complicated NAT to support their crappy directplay protocol.
    or one of the other 100 sites out there that explains how to do it. =)

  6. By Isak Lyberth () on

    I have a setup that looks like this:

    Both the router and the firewall are natting. The firewall is an OpenBSD 3.1 thing set up according to the FAQ. I have no problems except with the games.
    What needs to be done to make the games work?

    Regards Isak

  7. By dangit () on

    Can some of you actually post these pf.conf's?

    I play CS and I've been thinking of building a simple home OBSD firewall for a long time, but I need somewhere to start. I'm sure it'll help the original poster as well if you'll say more than "I can do it. It's easy."

  8. By tacky () on

    from original poster

    So the pf suggestions were all things I already was doing. I use the rule:

    pass out on $ext_if from any to any keep state

    which somebody had recommended for udp. It's the last one in the file, so it has the final say. As that worked for others, I decided to watch that client a bit more closely with tcpdump during a connect attempt:

    tcpdump -p -i [internal nic] udp

    Turns out that the client wasn't even sending packets to the router...even though it was using dns on udp 53 just fine. So we installed counterstrike on a fresh install of w2k...connected no prob.

    So the moral of the story is: when a programmer asks you why the innernet done broke, suspect that he made his box crazy with his nutty code.

  9. By kko () on

    I have the following setup at home:
    Internet - ADSL Router - Hub - PC1

    My router has NAT, and I have opened some ports to allow traffic from the internet to reach PC1 using port 27015, and PC2 using port 27016 on the router.
    (Basically, I've forwarded incoming traffic on the router on those ports to my PCs)...
    Now all you need to do on half-life is to start hl.exe from a command line with "+clientport xxx", where xxx is the port that you have forwarded from the NAT router to your PC.
    For ideas on half-life servers, check out

    I'm sorry I can't help with other games, since hl is the only game I play (DoD rocks!!!)....

