Port Control Protocol (PCP)

I am attempting to host a dedicated game server behind my IPFire firewall connected to Comcast / Xfinity router in bridge mode. I forwarded the required ports but attempts to connect are failing. After extensive troubleshooting I have discovered that my “public” IP is behind a CGNAT router.

There is, however, a thing called Port Control Protocol which states:

Port Control Protocol (PCP) is a computer networking protocol that allows hosts on IPv4 or IPv6 networks to control how the incoming IPv4 or IPv6 packets are translated and forwarded by an upstream router that performs network address translation (NAT) or packet filtering. By allowing hosts to create explicit port forwarding rules, handling of the network traffic can be easily configured to make hosts placed behind NATs or firewalls reachable from the rest of the Internet (so they can also act as network servers), which is a requirement for many applications.

My question is does IPFire have some method for supporting PCP?

Hello @bsmorgan

Just a quick reminder that IPFire is derived from IPCop but has significantly evolved and branched off from it. IPCop itself has been discontinued for many years.

In response to your query about the Port Control Protocol (PCP): To the best of my knowledge, IPFire does not natively support the PCP protocol. Additionally, there are no add-ons within the IPFire ecosystem that facilitate the installation of miniupnpc or similar clients to implement PCP functionality.

Please bear in mind that my response is based on my experience and understanding as a fellow IPFire user, and I may not have the complete picture like a developer would. If there are any inaccuracies in my answer, I hope they will be corrected by someone with more authoritative knowledge on the matter.

Wishing you the best in resolving your server hosting challenges.

I don’t believe that IPFire does anything with PCP.

The miniupnp addon was removed from IPFire in May 2021 due to the security risks of that software, especially on a firewall.

From what I have read about PCP this afternoon I believe that the ISP’s CGNAT implementation also needs to be set up and configured to be able to correctly respond to the PCP requests, and not all ISPs do that.

It would be worth asking the ISP involved if their CGNAT is set up to work with PCP.


Brain fart… I’m using IPFire (and have been for multiple years). I’m just so frustrated with Comcast and their CGNAT that I said IPCop instead of IPFire!

The Comcast / XFinity support people don’t even know what CGNAT is so asking them if it is setup for PCP is probably worthless at this point in time.

Since I’ve read of one instance where they changed a customer’s account from no CGNAT to CGNAT from one week to the next, my only hope is there is a way to turn it off (i.e. to flag my account so it doesn’t get used). Otherwise, I guess I’m S.O.L.

I think this is the plan in America.
Then charge you more for a public IP.
Utah is in for it with them mandating the ISP filter content on customer devices.
So kids can have Filtered content… All the while giving them more info on all your traffic.
Tor usage is up in Utah.

I don’t have an Xfinity modem/router but I remember there used to be a little firewall like this:
[image]

do you have the “Custom security” choice visible on your end?


My Comcast modem/router is currently in bridge mode so my IPFire firewall has the “public” IP. There are almost no controls in the admin interface of the modem/router… Disable bridge mode is there, of course.

When not in bridge mode, I believe there are controls for port forwarding but I don’t know if they will work. I’m not comfortable with losing my firewall but that may be necessary as I don’t want to double NAT.

I don’t think ‘double NATing’ is the real problem. But switching these modem/routers into router mode usually activates firewall functions as well, so not all packets directed to my endpoint reach the red interface of IPFire.

Some thoughts about internet traffic with NAT and firewalls:

  • two applications communicate using the addresses <IP1>:<port1> and <IP2>:<port2>. Example: desktop 12.34.67.89 sends requests from port 56234 to web server 98.76.54.32:80.
    This demands globally unique IPs for both devices.
  • to reduce the number of necessary addresses, NAT allows a structuring into subnets. Private IPs are matched to one public IP. Ports chosen by the end device are mapped to a unique port of the concentrator device (router).
  • this allows regulation of the connections <local device> <—> <remote device>, called a firewall. In particular it is possible to deny accesses from outside (connections initiated by a device in the WAN).
  • to allow access to single applications in the local net (a server, e.g.) you can define port forwards. A destination address <public IP>:<server port> is translated to <private IP>:<app port>, where the private IP is the local IP of the device serving the application. This demands a ‘static’ definition of the application port.
  • to allow a ‘dynamic’ definition, protocols are defined to set these port forwarding rules ‘on the fly’. PCP is one of them.
  • this inhibits the sole decision of the firewall gateway, IMO. An arbitrary device inside the protected local network can ‘drill holes into the wall’. This can originate in malware installed on this device.
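To make the ‘drilling holes’ concern above concrete from the firewall’s side, here is an added example (not from this thread and not IPFire or any ISP code) that decodes a PCP MAP request the way a PCP server, or an audit script watching UDP port 5351 on the green interface, would see it. The field layout follows RFC 6887 (common request header plus the MAP opcode body, IPv4 addresses carried as IPv4-mapped IPv6); the sample packets, the hosts 192.168.1.50 / 192.168.1.77, the nonce and port 27015 are all constructed for the demonstration. It reports which internal host asks for which port to be opened for how long, and applies the RFC’s address-mismatch rule, which is the check that stops one host from requesting mappings on behalf of another.

```python
import ipaddress
import struct
from typing import Optional

PCP_VERSION = 2
OPCODE_NAMES = {0: "ANNOUNCE", 1: "MAP", 2: "PEER"}
PROTO_NAMES = {0: "any", 6: "tcp", 17: "udp"}

# Common request header (RFC 6887 s.7.1): version, R|opcode, reserved,
# requested lifetime, PCP client IP (128 bits)
_HDR = struct.Struct("!BBHI16s")
# MAP request body (RFC 6887 s.11.1): mapping nonce, protocol, 3 reserved
# bytes, internal port, suggested external port, suggested external IP
_MAP = struct.Struct("!12sB3sHH16s")


class PcpParseError(ValueError):
    """Raised for anything a PCP server would refuse to act on."""


def _to_ip(raw16: bytes) -> str:
    """Decode a 128-bit address field; IPv4 arrives as ::ffff:a.b.c.d."""
    addr = ipaddress.IPv6Address(raw16)
    return str(addr.ipv4_mapped or addr)


def parse_pcp_map_request(payload: bytes, src_ip: Optional[str] = None) -> dict:
    """Decode one UDP payload as a PCP MAP request and return its fields."""
    if len(payload) < _HDR.size + _MAP.size:
        raise PcpParseError("too short for a PCP MAP request")
    if len(payload) % 4:
        raise PcpParseError("PCP messages are a multiple of 4 octets")
    version, r_opcode, _reserved, lifetime, client_raw = _HDR.unpack_from(payload, 0)
    if version != PCP_VERSION:
        raise PcpParseError(f"unsupported PCP version {version}")
    if r_opcode & 0x80:
        raise PcpParseError("R bit set: this is a response, not a request")
    opcode = r_opcode & 0x7F
    if opcode != 1:
        raise PcpParseError(f"not a MAP request (opcode {OPCODE_NAMES.get(opcode, opcode)})")
    nonce, proto, _res, int_port, ext_port, ext_raw = _MAP.unpack_from(payload, _HDR.size)
    client_ip = _to_ip(client_raw)
    # RFC 6887 s.8.1: the embedded client address must equal the packet's
    # source address, otherwise the server answers ADDRESS_MISMATCH.
    if src_ip is not None and ipaddress.ip_address(src_ip) != ipaddress.ip_address(client_ip):
        raise PcpParseError(f"client address {client_ip} does not match source {src_ip}")
    return {
        "client_ip": client_ip,
        "lifetime": lifetime,
        "protocol": PROTO_NAMES.get(proto, str(proto)),
        "internal_port": int_port,
        "suggested_external_port": ext_port,
        "suggested_external_ip": _to_ip(ext_raw),
        "nonce": nonce.hex(),
        "delete": lifetime == 0,  # lifetime 0 asks the server to remove the mapping
    }


def audit_packet(src_ip: str, payload: bytes) -> str:
    """One log line per request: what was asked, or why it would be rejected."""
    try:
        req = parse_pcp_map_request(payload, src_ip)
    except PcpParseError as exc:
        return f"REJECT from {src_ip}: {exc}"
    action = "DELETE" if req["delete"] else "MAP"
    return (f"{action} from {req['client_ip']}: {req['protocol']} internal "
            f"{req['internal_port']} -> external {req['suggested_external_ip']}:"
            f"{req['suggested_external_port']} lifetime {req['lifetime']}s")


def build_sample_map_request(client_ip: str = "192.168.1.50", proto: int = 6,
                             port: int = 27015, lifetime: int = 7200) -> bytes:
    """Constructed sample packet (hypothetical host/port/nonce), not captured traffic."""
    client = ipaddress.IPv6Address(f"::ffff:{client_ip}").packed
    any_ip = ipaddress.IPv6Address("::").packed  # no preferred external address
    hdr = _HDR.pack(PCP_VERSION, 1, 0, lifetime, client)
    body = _MAP.pack(bytes.fromhex("00112233445566778899aabb"), proto, b"\0\0\0",
                     port, port, any_ip)
    return hdr + body


if __name__ == "__main__":
    pkt = build_sample_map_request()
    print(audit_packet("192.168.1.50", pkt))               # legitimate request
    print(audit_packet("192.168.1.77", pkt))               # address mismatch
    print(audit_packet("192.168.1.50", build_sample_map_request(lifetime=0)))
```

On an IPFire box no PCP server is listening, so such requests simply go unanswered; the value of logging them anyway is that a host repeatedly asking to open inbound ports is worth a look, whether it is the game server you expect or something you did not install.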