HowTo/Setup Port Forwarding Behind PFSense
PF-based firewalls and security gateways randomize components of network packets to obscure the operating systems behind the firewall. This is often valuable from a security and privacy standpoint, as passive network observers and active scanners can use tools such as Nmap to determine the operating system of a client or server based on the semi-random components of its packets. PF-based gateways that use PF packet randomization include pfSense, OPNsense, and OpenBSD.
A noteworthy component of packets randomized by PF is the source port. This typically does not interfere with services and should be left on, but i2P stands among the few services that have problems when the source port is randomized. Other applications negatively affected by source port randomization are SIP gateways and game servers.
i2P sends outbound packets with the source port set to the port it listens on, communicating to other routers in a simple fashion how they can reliably respond. PF firewalls incidentally interfere with i2P by overriding the communicated source port, resulting in a firewalled i2P node that cannot accept connections even when port forwarding is set correctly.
Behind a PF-based firewall, i2P will report itself as being behind a firewall on IPv4 networks until two changes are made: a NAT Port Forward is added to the correct IP and port for i2P, and Outbound NAT is set so that outbound connections from the internal network with i2P's port as their source port are translated to that same port.
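The two changes, written as an OpenBSD `pf.conf` fragment. This is an added example, not configuration from the original page. The host address, port number and LAN range are constructed placeholders, and the fragment assumes the ruleset's existing pass rules already permit this traffic. On pfSense and OPNsense the same two rules are created in the web interface under NAT Port Forward and Outbound NAT, where the second rule corresponds to the static port option.

```pf
# Constructed placeholder values: substitute the i2P router's LAN
# address, the port i2P is configured to listen on, and the LAN range.
i2p_host = "192.168.1.50"
i2p_port = "12345"
lan_net  = "192.168.1.0/24"

# Change 1: NAT port forward.
# Inbound TCP and UDP arriving on the external interface at i2P's port
# is redirected to the i2P host on the same port.
pass in on egress inet proto { tcp, udp } from any to (egress) port $i2p_port \
    rdr-to $i2p_host

# Change 2: outbound NAT that keeps the source port.
# Only traffic that leaves the i2P host with i2P's own port as its source
# port is matched. static-port tells PF not to rewrite that source port,
# so other routers see the port that i2P actually listens on.
# This rule must come before the general NAT rule: once a match rule has
# translated a packet, later rules see the translated source address.
match out on egress inet proto { tcp, udp } from $i2p_host port $i2p_port to any \
    nat-to (egress) static-port

# General outbound NAT for everything else on the LAN.
# No static-port here, so source port randomization stays on for all
# other hosts and for all other traffic from the i2P host.
match out on egress inet from $lan_net to any nat-to (egress:0)
```

Scoping the static-port rule to the single host and source port keeps randomization in place for the rest of the network.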