Packet Port Number Changes on Playstation Network

skypilot65

I am trying to get a Playstation 4 console which sit behind the TZ670 firewall to be properly recognized by the Playstation network (PSN). The console has a static IP of 192.168.1.70. My problem is that when I look at the packet trace is that the destination port of 3478 is changed by the PSN server to a source address of 3479. This means that when the packet is received by the firewall it will be dropped since it doesn't have the original 3478 port number, which is exactly what it should do. The dropped pack indicates a drop code of 742, yet when I look it up it is "Packet dropped - TCP option (MSS) not allowed in non-SYN segment".

I have tried to use specific NAT rules but nothing seems to work, including turning off the "Source Port Remap" option.

I have attached an image of the packet trace, the access rules and service groups used.

If anyone out there has any clue on how to solve this issue it would greatly appreciated.

TCP Service Group.png

UDP Service Group.png

TCP Access Rule.png

UDP Access Rule.png

PacketDrop.png

skypilot65

Solution:

Was to raise the NAT rule priority! Something SW techs didn't even come up with.

https://www.sonicwall.com/support/knowledge-base/restricted-playstation-functionalities-due-to-natv3/171204070735334

Arkwright

That's pretty odd behaviour. It's not your end doing the port remapping, it's them, so that NAT policy option won't make any difference.

The only way you're going to get this working would be to forward port 3479 to the device in question.

TKWITS

I dont recommend ANY zone to ANY zone rules.

Also I noticed you are specifying the Source Port in your access rule as the same as the Destination Port. Thats not how this works. Source ports are usually ephemeral.

What happens if you do a specific LAN (or whatever zone the PS4 is in) to WAN access rule allowing the PS4 IP access to any IP on any port? Does it work?

Suggested reading:

https://en.wikipedia.org/wiki/Port_%28computer_networking%29

https://en.wikipedia.org/wiki/Ephemeral_port

skypilot65

@Arkwright & @TKWITS

Here is the latest setup I have in the TZ670 and it is still dropping the packet as shown previously. Unfortunately, I am a newbie when it comes to Sonicwall firewalls, but I'm learning on the fly.

PS4 Service Group.png

PS4 Services.png

PS4 NAT Rule.png

PS4 Access Rule.png

I have reviewed numerous documents from Sonicwall about port forwarding but they don't solve the problem. One document said to create a "Security Policy" but for the life of me I can't find it in the firewall. Thanks

Arkwright

https://community.sonicwall.com/technology-and-support/discussion/comment/22459#Comment_22459

TBH, it hadn't even occurred to me to just google it! Behaviour in the packet capture looked so odd I thought there was no chance of fixing this.