Real needs for Punkbuster to work through a firewall

I have been through hell to get Punkbuster to work reliably through my firewall, so I thought I would share the (hard) lessons learned along the way:

Evenbalance is wrong in their FAQ when they write: “Do I have to re-configure my firewall or proxy to use PunkBuster?
In general, if a connection can play the Game online successfully without PunkBuster, then there will be no need to make any changes to a firewall or proxy that may be in use when PunkBuster is Installed and Enabled. PunkBuster communicates over the Internet (and in LAN environments) using the same network channels created and used by the Game, and therefore requires no changes.”

I had ET working perfectly well on non-PB servers, but giving me the “Valid GUID is not reaching master auth server” type of message most of the time on PB servers (1 out of 20 times, it would work and connect me to the game). I fixed it by adding a rule on my firewall allowing TCP incoming ports 27949 to 27971 (source ports) through to any ports >1024 (destination) ports. I am sure that I could open less ports than that, but that’s the best I have found so far. Key things I learned while tweaking the rule:

• Some ports outside 27960 (the default ET port) are used by PB. I read some threads mentioning 27950 and 27951 to communicate with PB master server, which is which my range of ports opened starts at 27949.
• On a NAT firewall, the incoming connections seem to go to ports outside the range 27949-27871, which is why I opened to all non-privileged ports (>1024).

Feel free to correct me where I am wrong, and add your own experimentation results, so that other players can resolve their firewall issues more easily in the future.

Interesting, Ive been having problems since the PB update 4 days ago.

I can join games fine now, but will often get net jacked mid game while PB is trying to either contact auth server, or waiting its reply. PB wants to reauth players several times a game, and this is when I get hosed. I went to PB FAQ and found same info you did.

** If, however, you had to adjust your firewall to use the game in the first place, you may need to extend that adjustment to include ports used by PB’s auto-update feature. PunkBuster Clients use outgoing UDP Port 24349 to get security info from the PunkBuster Master Servers, PunkBuster Servers use UDP Ports 24349 and 24305.**

I opened 24349 and 24305 but have yet to test it today. Ill see if their advice works and repost results.

Yes, I have read about the UDP ports mentioned in the FAQ, but they are outgoing, not incoming, so in my firewall config, this cannot be a problem (I let everything go through outgoing). That’s why I think there are other TCP ports used by PB, not mentioned in PB manual or FAQ.

Just out of interest why are you playing behind a firewall? Is it out of your own peace of mind or is it a case that you have too?

For me, connecting to a pb enabled server does not cause any TCP traffic. (verified with tcpdump on my firewall)

PB updates may require a TCP connection. If I were them I would just do it as an http get on port 80, but you never know

Im behind a router w. built in firewall. I opened up the ports for UDP and TCP that PB FAQ indicated and no dice.

THe problem Im having is when PB re-autherizes me midgame, I guess it cant send response back so it ferezes me out of game. I am able to send to evenbalance auth server, but I hang and the awaiting response, causing net jack icon to appear.

I bypassed my firewall and did not have any issues, so I am certain there are ports PB is trying to send to other than the ones mentioned in FAQ. Because I share my DSL w/ 2 other PCs, I need to solve this. Im not putting my gaming rig in the DMZ, and I hope someone out there has solved this.

This started happening after an update last thursday, never had this happen before this. I thinkj I will eamil PB support on this, see if they respond.