Xbox Live and PlayStation Network with pfSense

Many people seem to be having a problem using pfSense with Xbox Live or PlayStation Network to game online. I have both and both of them are working fine through pfSense, without opening UPnP up to all devices on the network. This also works with the game that seems to cause the most issues… Call of Duty: Modern Warfare 3.

So here is what you need to do to make it work.

  1. Assign Static DHCP mappings to the console(s)
  2. Enable UPnP and restrict it to the console(s)
  3. Modify Outbound NAT rules for the console(s)

Each step should be repeated for each console. I should probably point out that the WAN interface on my setup is called EXTERNAL and the LAN interface is called TRUSTED.

1. Assign Static DHCP mappings to the console(s)

For this step the MAC address of the console(s) will be handy. Login to your pfSense box and go to Status > DHCP Leases in the navigation bar. Find the line that contains the MAC address of your console and click the icon to add a static mapping.

The MAC address field should contain the MAC address of the console you are configuring. IP Address is the IP that will be assigned to the console and must be outside the DHCP range of your network. Hostname can be set to PS3 or Xbox depending on the console you are configuring and Description is optional.

Click on save to save the mapping.

Click Apply Changes to set the change in stone.

Repeat this step for the other console if required.

2. Enable UPnP and restrict it to the console(s)

Go to Services > UPnP & NAT-PMP on the navigation bar.

Enable the following options.

  • Enable UPnP and NAT-PMP
  • Allow UPnP Port Mapping
  • Allow NAT-PMP Port Mapping
  • By default deny access to UPnP & NAT-PMP?

Make sure you select the Interface that your console(s) are connected to.

You can enable the “Log Packets” option to troubleshoot if you like.

Enter “allow 88-65535 <console IP>/32 88-65535” into the User specified permissions box(es), one for each console, replacing <console IP> with the IP address of the console you are configuring. The /32 limits the subnet to a single IP address and is important.

Click change.
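To see why the /32 and the “By default deny” box matter, here is an added example (not pfSense or miniupnpd code, and not from the original post) that models how the UPnP daemon behind pfSense evaluates “User specified permissions” lines. Rule syntax is the real one used on the page (allow|deny <external ports> <ip/mask> <internal ports>); rules are checked in order and the first match decides. The example assumes that with no matching rule the daemon allows the request and that ticking “By default deny” appends a catch-all deny rule; the console and PC addresses are constructed.

```python
"""Model of UPnP permission evaluation as configured in the post (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    action: str                      # "allow" or "deny"
    ext_ports: tuple                 # (low, high) external port range
    network: ipaddress.IPv4Network   # client address/mask the rule applies to
    int_ports: tuple                 # (low, high) internal port range


def _port_range(text: str) -> tuple:
    lo, hi = (int(p) for p in text.split("-"))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text}")
    return lo, hi


def parse_permission(line: str) -> Permission:
    """Parse one 'allow 88-65535 192.168.1.200/32 88-65535' style line."""
    action, ext, net, int_ = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    return Permission(action, _port_range(ext),
                      ipaddress.ip_network(net, strict=False), _port_range(int_))


def build_rules(user_lines, default_deny: bool):
    """User lines in order; assumption: 'By default deny' appends a catch-all deny."""
    rules = [parse_permission(line) for line in user_lines]
    if default_deny:
        rules.append(parse_permission("deny 0-65535 0.0.0.0/0 0-65535"))
    return rules


def mapping_allowed(rules, client_ip: str, ext_port: int, int_port: int) -> bool:
    """First matching rule wins; assumption: no match means allow."""
    addr = ipaddress.ip_address(client_ip)
    for r in rules:
        if (r.ext_ports[0] <= ext_port <= r.ext_ports[1]
                and addr in r.network
                and r.int_ports[0] <= int_port <= r.int_ports[1]):
            return r.action == "allow"
    return True


def demo() -> dict:
    """Constructed LAN: console at 192.168.1.200, a PC at 192.168.1.50."""
    good = build_rules(["allow 88-65535 192.168.1.200/32 88-65535"], default_deny=True)
    no_default_deny = build_rules(["allow 88-65535 192.168.1.200/32 88-65535"], default_deny=False)
    wrong_mask = build_rules(["allow 88-65535 192.168.1.200/24 88-65535"], default_deny=True)
    return {
        "console gets its port": mapping_allowed(good, "192.168.1.200", 3074, 3074),
        "pc refused": not mapping_allowed(good, "192.168.1.50", 3074, 3074),
        "console cannot map port 80": not mapping_allowed(good, "192.168.1.200", 80, 80),
        "pc allowed without default deny": mapping_allowed(no_default_deny, "192.168.1.50", 3074, 3074),
        "pc allowed when /24 used instead of /32": mapping_allowed(wrong_mask, "192.168.1.50", 3074, 3074),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last two entries are the failure modes the post is guarding against: leave the default-deny box unticked and every host on the LAN can open ports regardless of the allow line, and a /24 mask turns a one-console rule into a whole-subnet rule.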

3. Modify Outbound NAT rules for the console(s)

Click on Firewall > NAT in the navigation bar and select the Outbound tab. Change your NAT type from “Automatic Outbound NAT” to “Manual Outbound NAT”. Click Save.

Click the icon at the top of the table to create a new outbound NAT rule.

In the Source: Address box enter the IP address of the console you are configuring. Select 32 from the drop-down menu next to the address. In the Translation section check the box called Static Port. Enter a description if you wish but it is not required.

Click Save.

Repeat this step for each console if required.

In the Outbound NAT table select the check box next to the row(s) you have just created and click the icon next to the line containing the “Auto created rule for TRUSTED to EXTERNAL” row in the table.

Click the Apply Changes button.

You should now be good to go.

My setup consists of the following for reference.

  • pfSense 2.0 WARP running on a Watch Guard Firebox 700
  • Xbox 360 slim running latest firmware
  • PS3 slim running latest firmware

Let me know in the comments if you have any problems.

Setting up a MediaTrix 4104/4108 on a Shoretel system using SIP

Recently we started looking for an alternative method to distribute our analogue lines between our on-site buildings other than pulling fifty pair analogues under ground to our central building where our SG90’s are located. We found the solution in a product from Media 5 called a MediaTrix.

The MediaTrix units are 19″ rack-mount units available in 4-port, 8-port, 16-port and 24-port versions, although the 24-port version requires 2U of rack space. They connect to your network through a 10/100 RJ45 Ethernet port (the newer models have 2) and present the analogue lines on RJ11 ports on the front of the unit. Each port can be configured to connect to an IP based PBX using the SIP protocol and can be authenticated individually, which is how we have the units configured.

The units, although a great device, do have some minor bugs in the administration interfaces which, if unknown, can cause problems during configuration. Hopefully this post will help somebody configure a MediaTrix on a Shoretel telephone system.

To start with you need to install the management software (Unit Management Network) which may have been included on a CD with your MediaTrix. If not it can be downloaded from the Media 5 support site.

Once installed you need to plug the unit into your network and power it up. We will find the unit using the UMN utility. Once it is powered up open the UMN Client and click the find unit icon on the toolbar (second from left). This will open up the following dialogue box.

Insert the IP range of your network and click start. The utility will find the unit and list it in the box at the bottom of the dialogue. Select the unit from the list and click OK.

Now that you have the IP address of the unit we can start to configure it.

Hint: If you cannot find the IP of the unit you can plug an analogue phone into one of the ports and dial *#*0 and the unit will announce its IP address over the receiver.

This is where the configuration starts to get buggy. We need to perform configuration steps in both the UMN and the web interface of the unit as certain features don’t work in certain interfaces. First of all we will do the configuration in the web interface. Open up your browser and type in the IP of the Unit.

Hint: the default user name is “Admin” and the default password is “1234”. You may want to change these.

Once logged in click on the SIP link at the top of the page and then click “Authentication” on the sub menu.

For index 1 of each port change the “Validate Realm” option to disabled. Click “Submit” when done. It should look like the screen shot above.

Login to your Shoreware Director web interface and create a new user (or modify an existing one). Ensure the option to “Allow use of Soft Phone” is set and select “Soft Phone” for the default phone for the user. Scroll down to the bottom of the page and enter a User name and SIP Password for the user. We have chosen to use the extension number of the user in Director as the user name to make things easier to manage. Save the User.

Now go back to UMN and expand your unit from the left hand pane. Right-click the “SIP” object and click Edit.

Uncheck the “Use DHCP” option and enter the address of the SIP server to use. This might be the IP of your SG90 or the Shared IP of multiple SG90’s with SIP proxy enabled. Unless you have an advanced setup you should enter the same address for both the SIP Registrar and the SIP proxy.

Double-click the line where the value in # corresponds to the port you wish to configure. In “User name” enter the SIP user name setup earlier in ShoreWare Director. “Friendly Name” can be set to anything that will help identify the device that is connected.

While the line is highlighted click on the Authentication button.

In the user column enter the same value as the User name in the previous screen. Password should be set to the password configured earlier in Shoreware Director.

Click OK and then OK again.

Now restart the unit. This can be done by right-clicking the unit in the left hand pane and selecting “Actions > restart (Graceful)”. Once the unit is back up you can check the status of the port you have just configured by single left-clicking the SIP object from the left hand pane. In the right hand pane it will display “Registered” next to the port that you have just configured.

Hint: This took roughly five minutes on our system before the port registered. Once registered it is instant the next time the unit is restarted.

Just remember that you cannot disable realm validation from the UMN and for some reason the unit will not register ports that were configured in the web interface. Hopefully this will be fixed with the next software update.
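The per-port user name and password configured above are used in a SIP Digest registration. The following is an added example, not Media5 or ShoreTel code and not from the original post, that walks through that exchange on both sides: the registrar challenges the REGISTER with a 401 and a nonce, the port answers with the MD5 digest of user:realm:password, and the registrar checks it. The realm, nonce, password and extension are constructed placeholders, and the client-side realm check is an assumption about what the unit's “Validate Realm” option does, included only to show the kind of mismatch that stops a registration.

```python
"""SIP REGISTER with Digest authentication, both sides (added example)."""
import hashlib
import secrets


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user: str, realm: str, password: str, method: str, uri: str, nonce: str) -> str:
    """RFC 2617 digest without qop: MD5(HA1:nonce:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def parse_auth_params(header_value: str) -> dict:
    """Turn 'Digest k="v", k2="v2"' into a dict (enough for this example)."""
    _scheme, _, params = header_value.partition(" ")
    out = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        out[key] = value.strip('"')
    return out


class Registrar:
    """Minimal registrar: one password per SIP user name, single-use nonces."""

    def __init__(self, realm: str, credentials: dict):
        self.realm = realm
        self.credentials = credentials
        self.nonces = set()

    def challenge(self) -> str:
        """The WWW-Authenticate header sent in the 401 Unauthorized."""
        nonce = secrets.token_hex(8)
        self.nonces.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5'

    def verify(self, method: str, uri: str, authorization: str) -> bool:
        p = parse_auth_params(authorization)
        nonce = p.get("nonce")
        if nonce not in self.nonces:
            return False                      # unknown or replayed nonce
        self.nonces.discard(nonce)            # nonce is consumed either way
        password = self.credentials.get(p.get("username", ""))
        if password is None:
            return False
        expected = digest_response(p["username"], self.realm, password, method, uri, nonce)
        return secrets.compare_digest(expected, p.get("response", ""))


class FxsPort:
    """One analogue port of the gateway with its own SIP credentials."""

    def __init__(self, user: str, password: str, configured_realm: str = None, validate_realm: bool = False):
        self.user, self.password = user, password
        self.configured_realm, self.validate_realm = configured_realm, validate_realm

    def register(self, registrar: Registrar, uri: str = "sip:pbx.example") -> str:
        www_authenticate = registrar.challenge()          # 401 from the registrar
        p = parse_auth_params(www_authenticate)
        if self.validate_realm and p["realm"] != self.configured_realm:
            return "refused: realm mismatch"             # assumed client-side check
        response = digest_response(self.user, p["realm"], self.password, "REGISTER", uri, p["nonce"])
        authorization = (f'Digest username="{self.user}", realm="{p["realm"]}", '
                         f'nonce="{p["nonce"]}", uri="{uri}", response="{response}"')
        return "Registered" if registrar.verify("REGISTER", uri, authorization) else "Unauthorized"


if __name__ == "__main__":
    pbx = Registrar("pbx.example", {"2001": "s3cret-placeholder"})   # constructed
    print(FxsPort("2001", "s3cret-placeholder").register(pbx))
    print(FxsPort("2001", "wrong").register(pbx))
```

Because the password only enters the exchange through HA1 = MD5(user:realm:password), the user name, password and realm on the gateway port must all agree with what the registrar uses; any one of them being different produces an Unauthorized reply rather than a more specific error, which is worth remembering when a port sits at “not registered” for longer than the five minutes noted above.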

Custom File Type Icons in SharePoint 2010

The chances are that your company, like ours, is going to want to upload documents to SharePoint 2010 that are not recognised by SharePoint out of the box and show the generic “blank document” style icon. Fear not! It’s relatively simple to add an icon for a certain file type – PDFs for example. These steps will need to be repeated on each WFE server in your SharePoint farm.

The first thing you are going to want to do is get an icon for PDF files, or any other file type for that matter. (The icon for PDFs can be found here)

Then head on over to C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\IMAGES\ on your SharePoint server and place the downloaded icon there.

Once this is done open C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\14\TEMPLATE\XML\DOCICON.xml in Notepad or something similar. Remember to make a backup of this file before you modify it in case everything goes Pete Tong!

Look for the lines in the file that start <Mapping Key= (they sit inside the <ByExtension> section) and add <Mapping Key="pdf" Value="pdficon_small.gif"/> on its own line. Save the file when you are done.

Now depending on your maintenance schedule you need to restart IIS for this change to take effect. If you don’t have a certain maintenance window then go ahead and open an elevated command prompt and type IISRESET. A system restart would also do the trick.

Once either the service has restarted, or your server is back up from that long reboot while the RAID card initiates, browse to one of your SharePoint sites and upload a PDF. Simple.

Of course this method can be used for any file type you like by simply substituting Key="pdf" with Key="<File Extension>" and Value="pdficon_small.gif" with Value="<Icon_File.gif>". Don’t forget that most web browsers will not render a .ico file though!
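The same edit, done in a way that can be repeated on every WFE without hand-editing, as an added example (not Microsoft's code and not from the original post): it backs the file up, adds the <Mapping> under <ByExtension> only if that key is not already present, and refuses .ico files for the reason given above. The sample DOCICON.xml is constructed; it has the shape of the real file (DocIcons with ByProgID, ByExtension and Default sections) but only a couple of entries, and it is written to a temporary directory rather than the 14 hive.

```python
"""Idempotent DOCICON.xml icon mapping, with backup (added example)."""
import shutil
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed stand-in for the real DOCICON.xml; same element layout, fewer entries.
SAMPLE_DOCICON = """<?xml version="1.0" encoding="utf-8"?>
<DocIcons>
  <ByProgID>
    <Mapping Key="Word.Document" Value="icdocx.png"/>
  </ByProgID>
  <ByExtension>
    <Mapping Key="docx" Value="icdocx.png"/>
    <Mapping Key="xlsx" Value="icxlsx.png"/>
  </ByExtension>
  <Default>
    <Mapping Value="icgen.gif"/>
  </Default>
</DocIcons>
"""


def add_icon_mapping(docicon_path: Path, extension: str, icon_file: str) -> bool:
    """Add <Mapping Key=ext Value=icon/> under ByExtension.

    Returns True if a mapping was added, False if the key already existed.
    A .bak copy is written next to the file before anything is changed.
    """
    ext = extension.lower().lstrip(".")
    if not icon_file.lower().endswith((".gif", ".png", ".jpg")):
        raise ValueError("use a gif/png/jpg icon; browsers will not render .ico here")

    shutil.copy2(docicon_path, docicon_path.with_name(docicon_path.name + ".bak"))

    tree = ET.parse(docicon_path)
    by_ext = tree.getroot().find("ByExtension")
    if by_ext is None:
        raise ValueError("no <ByExtension> section found; is this DOCICON.xml?")

    if any(m.get("Key", "").lower() == ext for m in by_ext.findall("Mapping")):
        return False   # already mapped, leave the file as it is

    ET.SubElement(by_ext, "Mapping", Key=ext, Value=icon_file)
    tree.write(docicon_path, encoding="utf-8", xml_declaration=True)
    return True


def mapped_icons(docicon_path: Path) -> dict:
    """Extension -> icon file, as SharePoint would read them."""
    root = ET.parse(docicon_path).getroot()
    return {m.get("Key"): m.get("Value") for m in root.find("ByExtension").findall("Mapping")}


def demo() -> tuple:
    """Run the edit twice against the constructed file in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "DOCICON.xml"
        path.write_text(SAMPLE_DOCICON, encoding="utf-8")
        first = add_icon_mapping(path, "pdf", "pdficon_small.gif")
        second = add_icon_mapping(path, ".PDF", "pdficon_small.gif")   # same key, different spelling
        backup_exists = (Path(tmp) / "DOCICON.xml.bak").exists()
        return first, second, mapped_icons(path), backup_exists


if __name__ == "__main__":
    print(demo())
```

On a real server, point the function at the DOCICON.xml path given above and follow it with IISRESET as described; the second call returning False is what makes it safe to re-run on every WFE.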

SharePoint 2010 “Group cannot be found” error

I ran into a very interesting error in SharePoint today and thought I would document it as I attempt to fix it. Hopefully it will help somebody else in the future.

In my site collection -> Site Actions -> Site Settings -> People and Groups I noticed that all of my groups were duplicated. If you try to click on one of the groups to edit it there is no issue, but the second group throws the following error.

I was actually going to delete a load of groups to start with, so I decided to delete them all and re-create the ones I need. Since I can’t get in to edit the group in the GUI, I tried PowerShell on the server. This didn’t work either and bombed me out with the same error.

Now what? I decided to check Central Admin and take a look at the content databases. There appeared to be 2 site collections in the content database. I can only remember creating 1, although the site was migrated from SharePoint 2007 so maybe that had something to do with it.

I then backed up the content database and restored it in our development environment to do a bit more digging. When you hover over the group name in SharePoint the URL has ID=### at the end. I fired up MS SQL Management Studio and took a look in the “Groups” table and noticed that the groups present had the same IDs as the URLs for the groups displayed in SharePoint that I could still edit. There were no rows for the groups that I could not edit though. It looks like the groups have had their IDs changed for some reason.

Then I edited the table and copied the row of a working group and inserted a new row, pasting from my clipboard and changing the ID to the ID in the URL of the group that was not working. I couldn’t commit this as the Title already existed in the table, so I added a 1 to the end of the title for the row I had just created and committed it.

I went back to SharePoint and clicked on the group that was not working. It worked…. I could now click Settings -> Group Settings -> Delete and the group was gone, both from SharePoint and from the Groups table.

I seriously wouldn’t recommend this on a live server, but I repeated these steps in our development environment for each group and I was successful in deleting all of the groups from the SharePoint site collection.