I've recently acquired an old (out of support) 60F to "play around with" at home and learn its interface.
One issue I've run into that I cannot seem to figure out is how to host a Factorio server.
From their wiki they list the following:
It is the not randomized source port that I cannot seem to figure out. To me what makes sense would be under Firewall Policy having its own policy and under Firewall/Network Options have NAT enabled, use outgoing interface address and preserve source port. Am I missing something?
FortiGate actually only changes the source port of a SNATed session if not changing it would lead to a session clash (another session with the same IPs and ports).
With that said, requiring static source ports is generally considered silly, maybe this is just a misunderstanding? (maybe the documentation is looking at this from a stateless firewall POV and is asking you not to change the src-port of the reply traffic from your server to the clients, e.g. <SRV-IP>:34197 ---> <client-IP>:<random-port>)
Have you tried testing if it works as-is?
I have tried just as is. And I agree, I don't know why you'd design it this way. The whole idea is to set up a headless server for the game. But the documentation linked all goes to pfSense, which is what I had before this FortiGate and was able to get it to work (although it was a headache there too, even WITH documentation). I've tried various methods as well beyond that, I figure it's got to be some combination of factors I'm not understanding.
Created on 10-29-2024 07:55 AM Edited on 10-29-2024 07:57 AM
I still don't really want to believe that at face value, as it would imply that it is very likely impossible to have two clients in the same location (behind the same NAT IP) connecting to the same server online. (how would the router decide who the reply packets belong to?)
Anyway: If you're using a VIP (let's say for just the port 34197), this will not only keep the session's destination port static to 34197 in reply-direction traffic (server->client), but it will also automatically apply static SNAT in the reverse direction (traffic initiated from server:34197 should have src-port 34197 after NAT as well, even though I have no idea why any game server would be initiating a traffic session to a client).
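The session-clash behaviour discussed in the replies above, as an added example that is not part of the original thread and is not FortiOS code: a simplified Python model of port-preserving SNAT in which the source port is kept unless the translated session tuple is already in use. The class and function names, all IP addresses, the client port 40000 and the fallback port 50000 are constructed for illustration; only port 34197 comes from the thread.

```python
from typing import Dict, Optional, Tuple

# A session as seen on the WAN side: (src_ip, src_port, dst_ip, dst_port)
Session = Tuple[str, int, str, int]


class PortPreservingSnat:
    """Simplified model: keep the source port unless the NATed tuple clashes."""

    def __init__(self, public_ip: str, first_fallback: int = 50000):
        self.public_ip = public_ip
        self.next_fallback = first_fallback  # constructed fallback pool start
        self.by_nat: Dict[Session, Tuple[str, int]] = {}   # post-NAT -> inside host
        self.by_orig: Dict[Session, int] = {}              # pre-NAT -> chosen port

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> int:
        """Return the source port the session has after SNAT."""
        orig = (src_ip, src_port, dst_ip, dst_port)
        if orig in self.by_orig:            # packets of a known session keep their mapping
            return self.by_orig[orig]
        port = src_port                     # first choice: preserve the source port
        while (self.public_ip, port, dst_ip, dst_port) in self.by_nat:
            port = self.next_fallback       # clash: another session owns this tuple
            self.next_fallback += 1
        self.by_nat[(self.public_ip, port, dst_ip, dst_port)] = (src_ip, src_port)
        self.by_orig[orig] = port
        return port

    def reverse(self, nat_port: int, peer_ip: str, peer_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply from peer_ip:peer_port to public_ip:nat_port back inside."""
        return self.by_nat.get((self.public_ip, nat_port, peer_ip, peer_port))


def demo():
    nat = PortPreservingSnat("203.0.113.10")         # constructed WAN address
    server = ("198.51.100.20", 34197)                 # constructed remote game server
    a = nat.translate("192.168.1.10", 40000, *server)
    # Second LAN client picks the same source port towards the same server: clash.
    b = nat.translate("192.168.1.11", 40000, *server)
    # Same client and port towards a different server: tuple is unique, port kept.
    c = nat.translate("192.168.1.11", 40000, "198.51.100.21", 34197)
    return a, b, c, nat.reverse(a, *server), nat.reverse(b, *server)


if __name__ == "__main__":
    print(demo())
```

In this model the second client is remapped only because it collides with the first, which is the one case where a reply could not otherwise be routed back to the right inside host.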