Iptables script PSN specific

Well, OK, but my network is complex, I guess... so here is what I use for DSCP marks:
/root/dscp.sh

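#!/usr/bin/env bash
# /root/dscp.sh -- DSCP marking rules for the PSN/gaming QoS setup on this page.
# Every rule below goes into the iptables mangle table.
#
# Tracing is switched on with `set -x` instead of a shebang flag: options on
# the shebang line are ignored when the script is started as
# `bash /root/dscp.sh`, so the old `#!/bin/bash -x` only traced when executed
# directly.
set -x

# iptables binary; left unquoted at the call sites so a multi-word value
# (e.g. a wrapper plus options) keeps working.
IPT="iptables"

#    Latency Sensitive  (CS7, CS6, EF, VA, CS5, CS4)
#    Streaming Media    (AF4x, AF3x, CS3, AF2x, TOS4, CS2, TOS1)
#    Best Effort        (CS0, AF1x, TOS2, and those not specified)
#    Background Traffic (CS1)

# Create the user chain once (the -N error when it already exists is the only
# thing being silenced here), then flush it so a re-run rebuilds it from
# scratch rather than appending a second copy of every rule.
$IPT -t mangle -N dscp_mark > /dev/null 2>&1
$IPT -t mangle -F dscp_mark
# First rule of the chain: packets that arrived on wan are reset to CS0; the
# classifiers appended later in the chain may re-mark them.
# NOTE(review): -i (input interface) is used in a chain that is reached from
# POSTROUTING; iptables refuses -i on the built-in POSTROUTING chain itself,
# so confirm this rule matches as intended on your kernel.
$IPT -t mangle -A dscp_mark -i wan -j DSCP --set-dscp-class CS0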

#######################################
# Append one rule to the dscp_mark chain of the mangle table.
# Globals:   IPT (read) - the iptables command; expanded unquoted, as
#            elsewhere in this script, so a multi-word value still works
# Arguments: the iptables match/target arguments of the rule
# Returns:   the exit status of iptables
#######################################
iptmark() {
  local -r table="mangle"
  local -r chain="dscp_mark"
  # shellcheck disable=SC2086 -- $IPT may deliberately hold a command plus options
  $IPT -t "$table" -A "$chain" "$@"
}

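## Hook dscp_mark into POSTROUTING exactly once.  `iptables -C` tests for the
## exact rule; the earlier `-L | grep dscp_mark` check was also satisfied by
## any other rule or chain whose name merely contains "dscp_mark".
$IPT -t mangle -C POSTROUTING -j dscp_mark 2>/dev/null \
    || $IPT -t mangle -A POSTROUTING -j dscp_mark

## The PREROUTING classifiers used to be appended straight to the built-in
## chain, so every run of this script added one more copy of each of them.
## They now live in their own user chain that is flushed and rebuilt on each
## run; PREROUTING gets a single, idempotent jump into it (appended at the end,
## the position the rules themselves took on a first run).
$IPT -t mangle -N dscp_mark_pre > /dev/null 2>&1
$IPT -t mangle -F dscp_mark_pre
$IPT -t mangle -C PREROUTING -j dscp_mark_pre 2>/dev/null \
    || $IPT -t mangle -A PREROUTING -j dscp_mark_pre

# Append one rule to the PREROUTING-side chain (counterpart of iptmark).
iptmark_pre(){
    $IPT -t mangle -A dscp_mark_pre "$@"
}

# PSN / Call of Duty port ranges used by the multiport rules below
# (iptables range syntax low:high, comma-separated lists).
sport1="3658"
sport2="9305:9308"
sport3="3074:3079"
sport4="3478:3479"
dport1="3478:3479"
dport2="9305:9308"
dport3="1117,1247,3074:3079,3893,7130,7463"

## ipset-driven classification.  The sets are filled by the dnsmasq ipset=
## lines shown on this page.  All four flags are handed to -m set although the
## sets in /etc/config/firewall are declared with match 'ip' (hash:ip), so
## presumably only the leading address component is looked up -- confirm if
## you change the set types.
iptmark_pre -m set --match-set latsens srcip,srcport,dstip,dstport -j DSCP --set-dscp-class CS4 ## set dscp tag for our (latsens) ipset
iptmark_pre -m set --match-set streaming srcip,srcport,dstip,dstport -j DSCP --set-dscp-class AF32 ## set dscp tag for our (streaming) ipset
iptmark_pre -m set --match-set usrcdn srcip,srcport,dstip,dstport -j DSCP --set-dscp-class CS1 ## set dscp tag for our (usrcdn) ipset
iptmark_pre -p tcp -m set --match-set bulk srcip,srcport,dstip,dstport -j DSCP --set-dscp-class CS0 ## set dscp tag for our (bulk) ipset
iptmark_pre -m set --match-set network srcip,srcport,dstip,dstport -j DSCP --set-dscp-class CS3 ## set dscp tag for our (network) ipset
## Everything the console sends over UDP, except to port 443, is treated as
## latency-sensitive.  The trust decision rests on the source address alone.
iptmark_pre -p udp -s 192.168.1.186 ! --dport 443 -m comment --comment "PS4 Pro Device" -j DSCP --set-dscp-class CS4
iptmark_pre -p udp -m udp -m multiport --sports "$sport4" -j DSCP --set-dscp-class AF41 -m comment --comment "psn gaming ports"
iptmark_pre -p udp -m udp -m multiport --dports "$dport1" -j DSCP --set-dscp-class AF41 -m comment --comment "psn gaming ports"
iptmark_pre -p udp -m udp -m multiport --sports "$sport1,$sport2,$sport3" -j DSCP --set-dscp-class CS4 -m comment --comment "psn gaming ports"
iptmark_pre -p udp -m udp -m multiport --dports "$dport2,$dport3" -j DSCP --set-dscp-class CS4 -m comment --comment "psn gaming ports"

# UDP flows that exceed 125 packets/s (burst 50), keyed per 4-tuple, get
# connmark 0x25 stored in conntrack so the next rule skips them: a flow that
# busy is not treated as a small gaming flow.
iptmark -p udp -m hashlimit --hashlimit-name udp_high_prio --hashlimit-above 125/sec --hashlimit-burst 50 --hashlimit-mode srcip,srcport,dstip,dstport -j CONNMARK --set-mark 0x25 -m comment --comment "connmark for udp"
# Unmarked UDP flows whose average packet size is at most 940 bytes get CS4.
iptmark -p udp -m udp -m connmark ! --mark 0x25 -m connbytes --connbytes :940 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS4 -m comment --comment "small udp connection gets CS4"

# TCP flows running above 125 packets/s (rate-match mode, 1 s interval) are
# demoted to CS1; the bulk ipset and byte-count tiers below demote further.
iptmark -p tcp -m hashlimit --hashlimit-name tcp_low_prio --hashlimit-above 125/second --hashlimit-burst 50 --hashlimit-mode srcip,srcport,dstip,dstport --hashlimit-rate-match --hashlimit-rate-interval 1 -j DSCP --set-dscp-class CS1 -m comment --comment "big tcp connection gets CS1"
iptmark -p tcp -m set --match-set bulk srcip,srcport,dstip,dstport -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset"
# Byte-count tiers (both directions): 9375..187500 bytes -> CS1, above -> CS0.
iptmark -p tcp -m connbytes --connbytes 9375:187500 --connbytes-dir both --connbytes-mode bytes -j DSCP --set-dscp-class CS1
iptmark -p tcp -m connbytes --connbytes 187500: --connbytes-dir both --connbytes-mode bytes -j DSCP --set-dscp-class CS0

# ACK thinning on the wan egress side: pure ACKs of 1..100 bytes from a flow
# that exceeds 125 / 250 / 375 / 500 ACKs per second are dropped with
# probability 0.5 at each tier.  The tiers are evaluated in sequence, so a flow
# above the top rate keeps only about 1/16 of its thin ACKs.  This is a DROP in
# the mangle table -- the packets never reach the qdisc.
ackrate=125
iptmark -p tcp -m tcp --tcp-flags ALL ACK -o wan -m length --length 1:100 -m hashlimit --hashlimit-mode srcip,srcport,dstip,dstport --hashlimit-name ackfilter1 --hashlimit-above "${ackrate}/second" --hashlimit-burst "$ackrate" --hashlimit-rate-match --hashlimit-rate-interval 1 -m statistic --mode random --probability .5 -j DROP
iptmark -p tcp -m tcp --tcp-flags ALL ACK -o wan -m length --length 1:100 -m hashlimit --hashlimit-mode srcip,srcport,dstip,dstport --hashlimit-name ackfilter2 --hashlimit-above "$((ackrate*2))/second" --hashlimit-burst "$ackrate" --hashlimit-rate-match --hashlimit-rate-interval 1 -m statistic --mode random --probability .5 -j DROP
iptmark -p tcp -m tcp --tcp-flags ALL ACK -o wan -m length --length 1:100 -m hashlimit --hashlimit-mode srcip,srcport,dstip,dstport --hashlimit-name ackfilter3 --hashlimit-above "$((ackrate*3))/second" --hashlimit-burst "$ackrate" --hashlimit-rate-match --hashlimit-rate-interval 1 -m statistic --mode random --probability .5 -j DROP
iptmark -p tcp -m tcp --tcp-flags ALL ACK -o wan -m length --length 1:100 -m hashlimit --hashlimit-mode srcip,srcport,dstip,dstport --hashlimit-name ackfilter4 --hashlimit-above "$((ackrate*4))/second" --hashlimit-burst "$ackrate" --hashlimit-rate-match --hashlimit-rate-interval 1 -m statistic --mode random --probability .5 -j DROP

# Small SYN-only (<= 500 bytes) and ACK-only (<= 250 bytes) segments get CS4.
iptmark -p tcp -m tcp --tcp-flags ALL SYN -m length --length 0:500 -j DSCP --set-dscp-class CS4
iptmark -p tcp -m tcp --tcp-flags ALL ACK -m length --length 0:250 -j DSCP --set-dscp-class CS4

# Packets not already marked CS3 (24), AF21 (18), AF41 (34), CS5 (40) or
# CS6 (48): small packets (<= 500 bytes) and flows with an average packet
# size of at most 250 bytes get CS4.  The rule comments still say "AF32"
# although both rules set CS4; the labels are kept as-is because they are
# visible in `iptables -L` output that other tooling may grep for.
iptmark -m dscp ! --dscp  24 -m dscp ! --dscp  18 -m dscp ! --dscp  34 -m dscp ! --dscp  40 -m dscp ! --dscp  48 -m length --length 0:500 -j DSCP --set-dscp-class CS4 -m comment --comment "Flow contol AF32"
iptmark -m dscp ! --dscp  24 -m dscp ! --dscp  18 -m dscp ! --dscp  34 -m dscp ! --dscp  40 -m dscp ! --dscp  48 -m connbytes --connbytes 0:250 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS4 -m comment --comment "multi purpose connection gets AF32"

# DNS (53 and 5300) to or from hosts that are NOT in the network ipset gets
# CS3; hosts in that set were already marked CS3 in PREROUTING above.
iptmark -p udp -m udp -m multiport --dports 53,5300 -m set ! --match-set network dstip,dstport -j DSCP --set-dscp-class CS3 -m comment --comment "dns connection and network ipset gets CS3"
iptmark -p udp -m udp -m multiport --sports 53,5300 -m set ! --match-set network srcip,srcport -j DSCP --set-dscp-class CS3 -m comment --comment "dns connection and network ipset gets CS3"

# NTP in either direction (--ports is the canonical spelling of the
# abbreviated --port that was used before).
iptmark -p udp -m udp -m multiport --ports 123 -j DSCP --set-dscp-class CS5 -m comment --comment "NTP udp"

iptmark -p icmp -j DSCP --set-dscp-class CS5 -m comment --comment "ICMP-pings"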

This is the dnsmasq config for the ipsets; it is mostly used to classify Netflix, YouTube, etc. as bulk.

/etc/dnsmasq.conf

# dnsmasq ipset= lines: the resolved addresses of every domain in the list are
# added to the ipset named by the last path component (latsens, network,
# usrcdn or bulk -- the sets declared in /etc/config/firewall on this page).
# The ##CSx headings give the DSCP class the matching iptables rule assigns.
# NOTE(review): several entries are written with a leading "*." -- confirm
# that your dnsmasq build treats that as intended, since ipset= already
# matches a domain together with its subdomains.
##CS4
ipset=/*.hardsuitlabs.com/latsens

##CS3
ipset=/abdlwi.broadband.dynamic.tds.net/*.dynamic.tds.net/*.cncrtn.broadband.dynamic.tds.net/*.tds.net/*.dynamic.tds.net/network
ipset=/pspro.lan/Fortune-3.lan/network

##CS1
ipset=/googletagmanager.com/googleusercontent.com/clients4.google.com/*.googleusercontent.com/google.com/static.xx.fbcdn.net/fbcdn.net/*.fbcdn.net/akamaihd.net/*.akamaihd.net/whatsapp.net/*.whatsapp.net/whatsapp.com/*.whatsapp.com/www-cdn.whatsapp.net/googleapis.com/*.googleapis.com/ucy.ac.cy/1e100.net/hwcdn.net/usrcdn

##CS0
# Youtube is also isolated by my isp
ipset=/cdn1-gae-ssl-default.akamaized.net/play-fe.googleapis.com/android.googleapis.com/chief-cdn.storage.googleapis.com/g.live.com/googlevideo.com/*.googlevideo.com/rr1---sn-vgqskned.googlevideo.com/rr2---sn-vgqskned.googlevideo.com/rr3---sn-vgqskned.googlevideo.com/rr4---sn-vgqskned.googlevideo.com/bulk

# AmazonVideo
# NOTE(review): "amazonaws.com//api.amazonalexa.com" has an empty domain
# component between the two slashes -- most likely a typo; check how your
# dnsmasq version treats an empty domain in an ipset= list before relying on
# this line.
ipset=/s3.ll.dash.row.aiv-cdn.net/aiv-delivery.net/amazonaws.com//api.amazonalexa.com/*.amazonalexa.com/bulk

#tiktok
ipset=/*.tiktok.*/frontier.us.tiktokv.com/*.us.tiktokv.com/bulk

### Tivo
ipset=/sage-hec.oi.tivo.com/mm3.tivoservice.com/*.tivoservice.com/control2.tvinteractive.tv/*.tvinteractive.tv/bulk

## PSN Download
ipset=/party.rnps.dl.playstation.net/gs2.ww.prod.dl.playstation.net/clientsettingscdn.roblox.com/ecsv2.roblox.com/*.roblox.com/*.ubisoft.com/theia.dl.playstation.net/bulk

##pluto t.v.
ipset=/cloudfront.tubi.video/s.adrise.tv/events.cid.samba.tv/*.samba.tv/t.pluto.tv/service-stitcher.clusters.pluto.tv/siloh-fs.plutotv.net/plutotv.com/k.pluto.tv/siloh.pluto.tv/*.pluto.tv/lds-ldr-production.tvinteractive.tv/tvmeta-dynamic.tvinteractive.tv/events.cid.samba.tv/bulk
#Netflix
ipset=/cdn-0.nflximg.com/*.nflximg.com/*nflxvideo*/nrdp.prod.ftl.netflix.com/secure.netflix.com/api-global.netflix.com/*.netflix.com/*.1.oca.nflxvideo.net/nrdp-ipv6.prod.ftl.netflix.com/*.1.nflxso.net/bulk

##Guest devices
ipset=/Bedroom.lan/sonytv.lan/bulk

###EA games
ipset=/river.data.ea.com/*.ea.com/bulk

and qosify

defaults-00

# qosify class rules ("defaults-00" as posted).  Each line maps a
# proto:port[-port] entry or a dns:<glob> hostname pattern to one of the
# classes declared in /etc/config/qosify on this page (network_services,
# browsing, bulk, besteffort, gaming, multimedia_conferencing,
# broadcast_video, telephony).  Commented-out lines record port overlaps
# with another section so that a port is only claimed once.

# SSH
tcp:22    network_services

# NTP
udp:123   network_services

# DNS
tcp:53    network_services
tcp:5300  network_services
udp:53    network_services
udp:5300  network_services

# DNS over TLS (DoT)
tcp:853   multimedia_conferencing
udp:853   multimedia_conferencing

# HTTP/HTTPS/QUIC
tcp:80    browsing
tcp:443   browsing
#udp:80    browsing
#udp:443   browsing

# Microsoft (Download)
dns:*1drv*                 bulk
dns:*backblaze*            bulk
dns:*backblazeb2*          bulk
dns:*ms-acdc.office*       bulk
dns:*onedrive*             bulk
dns:*sharepoint*           bulk
dns:*update.microsoft*     bulk
dns:*windowsupdate*        bulk

# Custom
dns:*.hardsuitlabs.com     gaming
dns:*.broadband.dynamic.tds.net	network_services
dns:*.dynamic.tds.net	   network_services
dns:*.ea.com		   bulk
dns:river.data.ea.com	   bulk
dns:ps4.np.playstation.net network_services
dns:apps.mzstatic.com	   bulk
dns:*.np.stun.playstation.net  network_services
dns:*.cncrtn.broadband.dynamic.tds.net	network_services

# MEGA (Download)
# NOTE(review): "*mega*" matches any hostname that merely contains "mega"
# (constructed example: omegawatch.example), not only MEGA's own domains.
dns:*mega*                 bulk

# Dropbox (Download)
dns:*dropboxusercontent*   bulk

# Google (Download)
dns:*drive.google*         bulk
dns:*googleusercontent*    bulk

# Steam (Download)
dns:*steamcontent*         bulk

# Epic Games (Download)
dns:*download.epicgames*   bulk
dns:*download2.epicgames*  bulk
dns:*download3.epicgames*  bulk
dns:*download4.epicgames*  bulk
dns:*epicgames-download1*  bulk

# YouTube
dns:*googlevideo*   besteffort

# Facebook
dns:*fbcdn*         besteffort

# Twitch
dns:*ttvnw*         besteffort

# TikTok
dns:*tiktok*        besteffort

# Netflix
dns:*nflxvideo*     besteffort

# Amazon Prime Video
dns:*aiv-cdn*       besteffort
dns:*aiv-delivery*  besteffort
dns:*pv-cdn*        besteffort

# Disney Plus
dns:*disney*        besteffort
dns:*dssott*        besteffort

# HBO
# NOTE(review): "*hbo*" is a very short substring and will also match
# unrelated hostnames containing those three letters.
dns:*hbo*           besteffort
dns:*hbomaxcdn*     besteffort

# BitTorrent
tcp:6881-7000    bulk
tcp:51413        bulk
udp:6771         bulk
udp:6881-7000    bulk
udp:51413        bulk

# Usenet
tcp:119          bulk
tcp:563          bulk

# Live Streaming to YouTube Live, Twitch, Vimeo and LinkedIn Live
tcp:1935-1936    broadcast_video
tcp:2396         broadcast_video
tcp:2935         broadcast_video

# Xbox
tcp:3074         gaming
udp:88           gaming
#udp:500         gaming # UDP port already used in "VoWiFi" rules
udp:3074         gaming
udp:3544         gaming
#udp:4500        gaming # UDP port already used in "VoWiFi" rules

# PlayStation
tcp:3478-3480    gaming
#udp:3478-3479   gaming # UDP ports already used in "Zoom" rules
udp:9305-9308	 gaming

# Call of Duty
#tcp:3074        gaming # TCP port already used in "Xbox" rules
tcp:3075-3076    gaming
#udp:3074        gaming # UDP port already used in "Xbox" rules
udp:3075-3079    gaming
udp:3658         gaming

# FIFA
tcp:3659         gaming
udp:3659         gaming

# Minecraft
tcp:25565        gaming
udp:19132-19133  gaming
udp:25565        gaming

# Supercell Games
tcp:9339         gaming
udp:9339         gaming

# Zoom, Microsoft Teams, Skype and FaceTime (they use these same ports)
# This range also covers the PlayStation udp:3478-3479 entry that is
# commented out above, so console STUN traffic lands in
# multimedia_conferencing rather than gaming.
udp:3478-3497    multimedia_conferencing

# Zoom
dns:*zoom*       multimedia_conferencing
tcp:8801-8802    multimedia_conferencing
udp:8801-8810    multimedia_conferencing

# Skype
dns:*skype*      multimedia_conferencing

# FaceTime
udp:16384-16387  multimedia_conferencing
udp:16393-16402  multimedia_conferencing

# GoToMeeting
udp:1853         multimedia_conferencing
udp:8200         multimedia_conferencing

# Webex Meeting
tcp:5004         multimedia_conferencing
udp:9000         multimedia_conferencing

# Jitsi Meet
tcp:5349         multimedia_conferencing
udp:10000        multimedia_conferencing

# Google Meet
udp:19302-19309  multimedia_conferencing

# TeamViewer
tcp:5938         multimedia_conferencing
udp:5938         multimedia_conferencing

# Voice over Internet Protocol (VoIP)
tcp:5060-5061    telephony
udp:5060-5061    telephony

# Voice over WiFi or WiFi Calling (VoWiFi)
udp:500          telephony
udp:4500         telephony

and config
/etc/config/qosify

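# /etc/config/qosify as posted.  Class names here are what the defaults-00
# rules file maps ports and hostnames to.
config defaults
	list defaults /etc/qosify/*.conf
	option dscp_icmp +besteffort
	option dscp_default_tcp unmarked_traffic
	option dscp_default_udp unmarked_traffic

config class unmarked_traffic
	option ingress CS1
	option egress CS1
	option prio_max_avg_pkt_len 1256
	option dscp_prio CS4
	option bulk_trigger_pps 150
	option bulk_trigger_timeout 10
	option dscp_bulk CS1

config class browsing
	option ingress CS0
	option egress CS0
	option prio_max_avg_pkt_len 575
	option dscp_prio AF41
	option bulk_trigger_pps 940
	option bulk_trigger_timeout 10
	option dscp_bulk CS1

config class bulk
	option ingress CS1
	option egress CS1

config class besteffort
	option ingress CS0
	option egress CS0

config class network_services
	option ingress CS2
	option egress CS2

config class broadcast_video
	option ingress CS3
	option egress CS3

config class gaming
	option ingress CS4
	option egress CS4
	# Was written as a bare `prio_max_avg_pkt_len 940` line; without the
	# `option` keyword that is not valid UCI syntax and makes the whole file
	# fail to parse, which disables the qosify configuration entirely.
	option prio_max_avg_pkt_len 940

config class multimedia_conferencing
	option ingress AF42
	option egress AF42
	option prio_max_avg_pkt_len 1000
	option dscp_prio AF41

config class telephony
	option ingress EF
	option egress EF

config interface wan
	option name wan
	option disabled 0
	option bandwidth_up 40mbit #Upload Speed (Use mbit)
	option bandwidth_down 250mbit #Download Speed (use mbit)
	option overhead_type raw #Overhead type
	# defaults:
	option ingress 1
	option egress 1
	option mode diffserv4
	option nat 1
	option host_isolate 1
	option autorate_ingress 0
	option ingress_options ""
	# egress washes DSCP and ack-filters; the "noatm overhead 22 mpu 64"
	# options show up verbatim in the `qdisc cake` lines of qosify-status.
	option egress_options "ack-filter wash"
	option options "ether-vlan noatm overhead 22 mpu 64"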

logs...

root@OpenWrt:~# qosify-status
===== interface wan: active =====
egress status:
qdisc cake 8001: root refcnt 2 bandwidth 40Mbit diffserv4 dual-srchost nat wash ack-filter split-gso rtt 100ms noatm overhead 22 mpu 64
 Sent 326892923 bytes 453069 pkt (dropped 1757, overlimits 458995 requeues 0)
 backlog 0b 0p requeues 0
 memory used: 364Kb of 4Mb
 capacity estimate: 40Mbit
 min/max network layer size:           28 /    1472
 min/max overhead-adjusted size:       64 /    1494
 average network hdr offset:           14

                   Bulk  Best Effort        Video        Voice
  thresh       2500Kbit       40Mbit       20Mbit       10Mbit
  target         7.13ms          5ms          5ms          5ms
  interval        102ms        100ms        100ms        100ms
  pk_delay       4.88ms        156us         95us        700us
  av_delay        352us          6us          5us         55us
  sp_delay          3us          1us          2us          3us
  backlog            0b           0b           0b           0b
  pkts           220655        57482       159723        16966
  bytes       289124060      9560675     24580955      3791193
  way_inds            8         2158          927         1373
  way_miss          382          292         8287          803
  way_cols            0            0            1            0
  drops              23            2            3            1
  marks               0            0            0            0
  ack_drop          124          105         1498            1
  sp_flows            0            0            0            1
  bk_flows            0            0            1            0
  un_flows            0            0            0            0
  max_len          2776         1486         1486         1486
  quantum           300         1220          610          305


ingress status:
qdisc cake 8002: root refcnt 2 bandwidth 250Mbit diffserv4 dual-dsthost nat nowash ingress no-ack-filter split-gso rtt 100ms noatm overhead 22 mpu 64
 Sent 2616622705 bytes 2000751 pkt (dropped 9116, overlimits 1843540 requeues 0)
 backlog 0b 0p requeues 0
 memory used: 2854840b of 12500000b
 capacity estimate: 250Mbit
 min/max network layer size:           46 /    1472
 min/max overhead-adjusted size:       68 /    1494
 average network hdr offset:           14

                   Bulk  Best Effort        Video        Voice
  thresh      15625Kbit      250Mbit      125Mbit    62500Kbit
  target            5ms          5ms          5ms          5ms
  interval        100ms        100ms        100ms        100ms
  pk_delay       7.84ms        1.7ms       1.06ms        735us
  av_delay       3.01ms        152us         45us         32us
  sp_delay       1.24ms          6us          2us          2us
  backlog            0b           0b           0b           0b
  pkts          1663602       287700        45863        12702
  bytes      2217100816    396149367     10720461      4905340
  way_inds            8            4          167           12
  way_miss          340          608         1309          801
  way_cols            0            0            0            0
  drops            9098           13            3            2
  marks               0            0            0            0
  ack_drop            0            0            0            0
  sp_flows            1            0            1            1
  bk_flows            0            1            0            0
  un_flows            0            0            0            0
  max_len         68356        63898        19318         5630
  quantum           476         1514         1514         1514


and bufferbloat

but done with openwrt for the moment now running pfsense!!!!

back to square 1 fun fun fun!!!!

Almost forgot: this goes in /etc/config/firewall for the ipsets to work...

# ipset definitions consumed by the dnsmasq ipset= lines and by the
# "-m set --match-set" rules in /root/dscp.sh on this page.  storage 'hash'
# with match 'ip' declares an IPv4 hash:ip set (addresses only, no ports);
# entries expire 86400 s (24 h) after they are added.
config ipset
	option enabled '1'
	option name 'latsens'
	option storage 'hash'
	option match 'ip'
	option family 'ipv4'
	option timeout '86400'

config ipset
	option enabled '1'
	option name 'network'
	option storage 'hash'
	option match 'ip'
	option family 'ipv4'
	option timeout '86400'

config ipset
	option enabled '1'
	option name 'streaming'
	option storage 'hash'
	option match 'ip'
	option family 'ipv4'
	option timeout '86400'

config ipset
	option enabled '1'
	option name 'usrcdn'
	option storage 'hash'
	option match 'ip'
	option family 'ipv4'
	option timeout '86400'

# NOTE(review): "bulk" is both an ipset here and a qosify class name in
# /etc/config/qosify; they are unrelated objects that happen to share a name.
config ipset
	option enabled '1'
	option name 'bulk'
	option storage 'hash'
	option match 'ip'
	option family 'ipv4'
	option timeout '86400'



Thanks for everything. A question: in "pfsense", do you have all these scripts configured, or do you have them all by default?
And which version of OpenWrt do you use? I ask because I have a Netgear XR500 and I feel it reacts differently depending on the version I run.

sorry for my english but it's not my first language :sweat_smile:


You're not the only one. I'm also using an XR500 and it seems like every version runs differently.


Sorry for the late response. No, pfSense doesn't use scripts, or I don't... I love it!!! There is lots more NAT stuff you can do, which I've learned is better than any script!!! UPnP is the key to lag-free gaming and NAT is the key to UPnP...

I respectfully disagree: UPnP is a workaround for port-remapping (NAT) firewalls. It can help get a network game up and running quicker, but it will offer little advantage at run time over the equivalent static/manually configured port redirects. I'm not saying convenience/ease of use is unimportant — it is important — but UPnP is no magic bullet against lag and packet loss.
I am not doubting your xxsense router does work better for your gaming needs than the previous OpenWrt router, just arguing that it is unlikely that UPNP is the differentiating factor (but since UPNP can be used under OpenWrt as well, that should be easy to test).


Well i tried the same nat config on my wrt32x and never worked... I dont want to talk pfsense here its disrespect but these nat configs are TITS for me on psn...

Also with the best of scripts before my ping was always from low end 50 high end 130 now is low end 4 high end 20 and this is on wifi...

For me, my PS Pro has a static source port of 3658, and all connections from 3658 go to 9305:9308.

9305:9308 go to 3478:3479 or to 9305:9308... I've also learned that 9306 is for matchmaking and bullets fly on 9305, and I think 9308 is party chat, but I don't use chat so...

Also, I always got NAT2 at best; now PSN says NAT2 on the network test, but all the games I play say NAT1!!!!

Well, I humbly disagree with you Moeller0. I suggest you guys do some more testing, as this config, having only to do with outbound NAT, trumps all, guaranteed, as far as gaming performance!!!
I think this is like ipsets linked to nat but dont know for sure...

was gonna attempt to flash openwrt on my box but now im not so sure...

Edit: Gonna put openwrt 86 on a flash drive so i can still play on it too...

Love this community to much to leave...

Now the question is, what do you get with static port forwards achieving the same under OpenWrt... as I said UPNP is a tool to automatically configure port forwards, but the "magic" if any is in what happens at run-time of the game and there I maintain UPNP will be identical to the matching static rules.

Again, I have no data indicating that your perception that XXsense gives you better gaming performance than OpenWrt is anything but true; I am just doubting that UPNP is the thing that makes the difference. I stopped playing reaction-time gated games before on-line gaming became a big thing (around till after the original quake came about; and I stopped because even then my reaction time was at best mediocre :wink: ) so I will not be able to compare my own gaming perceptions...

But since you have a pretty small set of ports, I think you really should try to configure static port forwards for those under OpenWrt and see how/if that improves fluidity/reactivity of the games you play.

Side-note: I am not surprised that an elaborate QoS prioritization hierarchy is a bit brittle, IMHO priority "games" work best the more sparsely they are used, as I repeatedly post on this forum, for any packet given better/faster/lower-queueing-delay treatment other packet(s) will need to be treated worse, so unless there are enough packets around to treat worse prioritization will not be able to do wonders.


I see what you are saying... Also, I want to be clear: I don't think xxsense is any better, it just has different options. Again, I'm just a self-taught guy with a good mentor, you could say... I don't know all the theory of how the wheels spin, but A + B always = X!!! Everything I test is by trial and error: every time I change a setting I turn on the game to see if the change made a difference; that is how I came to these settings, no theory involved at all... Anyway, I appreciate you, Moeller0, for the responses.


Well, OCD me found how to get PSN UPnP fully working, lmao; crazy how long it took me though, but the mission is now over!!!!

Here is what made it happen:

Now, how to duplicate it on OpenWrt? But firewall4 is breaking UPnP at the moment... Maybe I need to make a new topic about UPnP; all that I see available is outdated stuff...

hi reeves and @moeller

Apply this patch to the firewall; the file name is ruleset.uc:

{% let flowtable_devices = fw4.resolve_offload_devices(); -%}

# ruleset.uc as posted in this thread, intended to replace
# /usr/share/firewall4/templates/ruleset.uc.  Review notes are the lines
# marked NOTE(review).  The one behavioural point to know before installing
# it is the unconditional "ct status dnat accept" in the per-zone input_* and
# forward_* chains further down.
table inet fw4
flush table inet fw4
{% if (fw4.check_flowtable()): %}
delete flowtable inet fw4 ft
{% endif %}

table inet fw4 {
{% if (length(flowtable_devices) > 0): %}
	#
	# Flowtable
	#

	flowtable ft {
		hook ingress priority 0;
		devices = {{ fw4.set(flowtable_devices, true) }};
{% if (fw4.default_option("flow_offloading_hw")): %}
		flags offload;
{% endif %}
	}

{% endif %}
	#
	# Set definitions
	#

{% for (let set in fw4.ipsets()): %}
	set {{ set.name }} {
		type {{ fw4.concat(set.types) }}
{%  if (set.maxelem > 0): %}
		size {{ set.maxelem }}
{%  endif %}
{%  if (set.timeout >= 0): %}
		timeout {{ set.timeout }}s
{% endif %}
{%  if (set.interval): %}
		flags interval
		auto-merge
{%  endif %}
{%  fw4.print_setentries(set) %}
	}

{% endfor %}

	#
	# Defines
	#

{% for (let zone in fw4.zones()): %}
{%  if (length(zone.match_devices)): %}
	define {{ zone.name }}_devices = {{ fw4.set(zone.match_devices, true) }}
{%  endif %}
{%  if (length(zone.match_subnets)): %}
	define {{ zone.name }}_subnets = {{ fw4.set(zone.match_subnets, true) }}
{%  endif %}
{% endfor %}

	#
	# User includes
	#

	# Every file matching this glob is pulled into the table verbatim, ahead
	# of the generated filter chains below.
	include "/etc/nftables.d/*.nft"


	#
	# Filter rules
	#

	chain input {
		type filter hook input priority filter; policy {{ fw4.input_policy(true) }};

		iifname "lo" accept comment "!fw4: Accept traffic from loopback"

		ct state established,related accept comment "!fw4: Allow inbound established and related flows"
{% if (fw4.default_option("drop_invalid")): %}
		ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
{% endif %}
{% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): %}
		tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
{% endif %}
{% for (let rule in fw4.rules("input")): %}
		{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
{% for (let zone in fw4.zones()): for (let rule in zone.match_rules): %}
		{%+ include("zone-jump.uc", { fw4, zone, rule, direction: "input" }) %}
{% endfor; endfor %}
{% if (fw4.input_policy() == "reject"): %}
		jump handle_reject
{% endif %}
	}

	chain forward {
		type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }};

{% if (length(flowtable_devices) > 0): %}
		meta l4proto { tcp, udp } flow offload @ft;
{% endif %}
		ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
{% if (fw4.default_option("drop_invalid")): %}
		ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
{% endif %}
{% for (let rule in fw4.rules("forward")): %}
		{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
{% for (let zone in fw4.zones()): for (let rule in zone.match_rules): %}
		{%+ include("zone-jump.uc", { fw4, zone, rule, direction: "forward" }) %}
{% endfor; endfor %}
{% if (fw4.forward_policy() == "reject"): %}
		jump handle_reject
{% endif %}
	}

	chain output {
		type filter hook output priority filter; policy {{ fw4.output_policy(true) }};

		oifname "lo" accept comment "!fw4: Accept traffic towards loopback"

		ct state established,related accept comment "!fw4: Allow outbound established and related flows"
{% if (fw4.default_option("drop_invalid")): %}
		ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
{% endif %}
{% for (let rule in fw4.rules("output")): %}
		{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
{% for (let zone in fw4.zones()): for (let rule in zone.match_rules): %}
		{%+ include("zone-jump.uc", { fw4, zone, rule, direction: "output" }) %}
{% endfor; endfor %}
{% if (fw4.output_policy() == "reject"): %}
		jump handle_reject
{% endif %}
	}

	chain handle_reject {
		meta l4proto tcp reject with {{
			(fw4.default_option("tcp_reject_code") != "tcp-reset")
				? "icmpx type " + fw4.default_option("tcp_reject_code")
				: "tcp reset"
		}} comment "!fw4: Reject TCP traffic"
		reject with {{
			(fw4.default_option("any_reject_code") != "tcp-reset")
				? "icmpx type " + fw4.default_option("any_reject_code")
				: "tcp reset"
		}} comment "!fw4: Reject any other traffic"
	}

{% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")):
	let r = fw4.default_option("synflood_rate");
	let b = fw4.default_option("synflood_burst");
%}
	chain syn_flood {
		limit rate {{ r.rate }}/{{ r.unit }}
		{%- if (b): %} burst {{ b }} packets{% endif %} return comment "!fw4: Accept SYN packets below rate-limit"
		drop comment "!fw4: Drop excess packets"
	}

{% endif %}
{% for (let zone in fw4.zones()): %}
	chain input_{{ zone.name }} {
{%  for (let rule in fw4.rules("input_"+zone.name)): %}
		{%+ include("rule.uc", { fw4, rule }) %}
{%  endfor %}

		# NOTE(review): emitted for every zone, not only for zones whose
		# dflags.dnat is set (the dstnat chain further down does check that
		# flag).  Any packet whose conntrack entry carries the dnat status --
		# including one translated by a rule outside fw4, presumably a UPnP
		# daemon's own -- is accepted here before the zone's input policy chain
		# below is reached.  Confirm this widening is what you want on zones
		# that have no redirects of their own.
		ct status dnat accept comment "!fw4: Accept port redirections"

		jump {{ zone.input }}_from_{{ zone.name }}
	}

	chain output_{{ zone.name }} {
{%  for (let rule in fw4.rules("output_"+zone.name)): %}
		{%+ include("rule.uc", { fw4, rule }) %}
{%  endfor %}
		jump {{ zone.output }}_to_{{ zone.name }}
	}

	chain forward_{{ zone.name }} {
{%  for (let rule in fw4.rules("forward_"+zone.name)): %}
		{%+ include("rule.uc", { fw4, rule }) %}
{%  endfor %}

		# NOTE(review): same as in input_*: dnat-status flows are accepted for
		# every zone ahead of the zone's forward policy chain below, without
		# consulting zone.dflags.dnat.
		ct status dnat accept comment "!fw4: Accept port forwards"

		jump {{ zone.forward }}_to_{{ zone.name }}
	}

{%  for (let verdict in ["accept", "reject", "drop"]): %}
{%   if (zone.sflags[verdict]): %}
	chain {{ verdict }}_from_{{ zone.name }} {
{%    for (let rule in zone.match_rules): %}
		{%+ include("zone-verdict.uc", { fw4, zone, rule, egress: false, verdict }) %}
{%    endfor %}
	}

{%   endif %}
{%   if (zone.dflags[verdict]): %}
	chain {{ verdict }}_to_{{ zone.name }} {
{%   for (let rule in zone.match_rules): %}
		{%+ include("zone-verdict.uc", { fw4, zone, rule, egress: true, verdict }) %}
{%   endfor %}
	}

{%   endif %}
{%  endfor %}
{% endfor %}

	#
	# NAT rules
	#

	chain dstnat {
		type nat hook prerouting priority dstnat; policy accept;
{% for (let zone in fw4.zones()): %}
{%  if (zone.dflags.dnat): %}
{%   for (let rule in zone.match_rules): %}
		{%+ include("zone-jump.uc", { fw4, zone, rule, direction: "dstnat" }) %}
{%   endfor %}
{%  endif %}
{% endfor %}
	}

	chain srcnat {
		type nat hook postrouting priority srcnat; policy accept;
{% for (let redirect in fw4.redirects("srcnat")): %}
		{%+ include("redirect.uc", { fw4, redirect }) %}
{% endfor %}
{% for (let zone in fw4.zones()): %}
{%  if (zone.dflags.snat): %}
{%   for (let rule in zone.match_rules): %}
		{%+ include("zone-jump.uc", { fw4, zone, rule, direction: "srcnat" }) %}
{%   endfor %}
{%  endif %}
{% endfor %}
	}

{% for (let zone in fw4.zones()): %}
{%  if (zone.dflags.dnat): %}
	chain dstnat_{{ zone.name }} {
{%   for (let redirect in fw4.redirects("dstnat_"+zone.name)): %}
		{%+ include("redirect.uc", { fw4, redirect }) %}
{%   endfor %}
	}

{%  endif %}
{%  if (zone.dflags.snat): %}
	chain srcnat_{{ zone.name }} {
{%   for (let redirect in fw4.redirects("srcnat_"+zone.name)): %}
		{%+ include("redirect.uc", { fw4, redirect }) %}
{%   endfor %}
{%   if (zone.masq): %}
{%    for (let saddrs in zone.masq4_src_subnets): %}
{%     for (let daddrs in zone.masq4_dest_subnets): %}
		{%+ include("zone-masq.uc", { fw4, zone, family: 4, saddrs, daddrs }) %}
{%     endfor %}
{%    endfor %}
{%   endif %}
{%   if (zone.masq6): %}
{%    for (let saddrs in zone.masq6_src_subnets): %}
{%     for (let daddrs in zone.masq6_dest_subnets): %}
		{%+ include("zone-masq.uc", { fw4, zone, family: 6, saddrs, daddrs }) %}
{%     endfor %}
{%    endfor %}
{%   endif %}
	}

{%  endif %}
{% endfor %}

	#
	# Raw rules (notrack & helper)
	#

	chain raw_prerouting {
		type filter hook prerouting priority raw; policy accept;
{% for (let target in ["helper", "notrack"]): %}
{%  for (let zone in fw4.zones()): %}
{%   if (zone.dflags[target]): %}
{%    for (let rule in zone.match_rules): %}
{%     let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, false); %}
{%     let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, false); %}
{%     if (rule.devices_neg || rule.subnets_neg || devices_pos || subnets_pos): %}
		{%+ if (rule.family): -%}
			meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
		{%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%}
		jump {{ target }}_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} {{
			(target == "helper") ? "CT helper assignment" : "CT bypass"
		}}"
{%     endif %}
{%    endfor %}
{%   endif %}
{%  endfor %}
{% endfor %}
	}

	chain raw_output {
		type filter hook output priority raw; policy accept;
{% for (let target in ["helper", "notrack"]): %}
{%  for (let zone in fw4.zones()): %}
{%   if (zone.dflags[target]): %}
{%    for (let rule in zone.match_rules): %}
{%     let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, true); %}
{%     let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, true); %}
{%     if (devices_pos || subnets_pos): %}
		{%+ if (rule.family): -%}
			meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
		{%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%}
		jump {{ target }}_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} {{
			(target == "helper") ? "CT helper assignment" : "CT bypass"
		}}"
{%     endif %}
{%    endfor %}
{%   endif %}
{%  endfor %}
{% endfor %}
	}

{% for (let helper in fw4.helpers()): %}
{%  if (helper.available): %}
{%   for (let proto in helper.proto): %}
	ct helper {{ helper.name }} {
		type {{ fw4.quote(helper.name, true) }} protocol {{ proto.name }};
	}

{%   endfor %}
{%  endif %}
{% endfor %}
{% for (let target in ["helper", "notrack"]): %}
{%  for (let zone in fw4.zones()): %}
{%   if (zone.dflags[target]): %}
	chain {{ target }}_{{ zone.name }} {
{% for (let rule in fw4.rules(target+"_"+zone.name)): %}
		{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
	}

{%   endif %}
{%  endfor %}
{% endfor %}

	#
	# Mangle rules
	#

	chain mangle_prerouting {
		type filter hook prerouting priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_prerouting")): %}
		{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
	}

	chain mangle_postrouting {
		type filter hook postrouting priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_postrouting")): %}
		{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
	}

	chain mangle_input {
		type filter hook input priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_input")): %}
		{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
	}

	chain mangle_output {
		type filter hook output priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_output")): %}
		{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
	}

	chain mangle_forward {
		type filter hook forward priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_forward")): %}
		{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
{% for (let zone in fw4.zones()): %}
{%  if (zone.mtu_fix): %}
{%   for (let rule in zone.match_rules): %}
		{%+ include("zone-mssfix.uc", { fw4, zone, rule, egress: false }) %}
		{%+ include("zone-mssfix.uc", { fw4, zone, rule, egress: true }) %}
{%   endfor %}
{%  endif %}
{% endfor %}
	}
}

Replace this file in /usr/share/firewall4/templates/ :wink:

You can see the NAT is open, and in firewall4 the NAT is open too.

Personally, I have only one console; I use the port forward.

keep me informed


Tks Dopam-IT_1987 will boot into openwrt and try the patch and see how it goes...


The name of the file is ruleset.uc, not templates :sweat_smile:

The original file, from memory, is 14 KB; the patch is 12 KB.

Then reboot

And verify in the firewall status page.

You can see port 3074 appear if you play CoD.

But it does not always appear in the UPnP service...

Normally, in-game you are in NAT open :ok_hand:


All right my friend, booting into OpenWrt right now... well, I have to update my image, and then I'll apply the patch and post the results for you to see.

Yes, it works at my home; the topic is here if you search :wink:


Damn, it will be a day till I can use it; I'm having problems installing the new OpenWrt snapshot on my box... I have to be quick or my kids will lynch me. BIOS and everything is right, so I'm not sure what I'm doing wrong; it worked on the generic image... I am learning, sorry.
