Getting M0n0wall/PfSense to play nice with GameSpy, PS3 and some other multiplayer games
I didn't come up with this, but it sure as heck works so I'll put it on here to share. Personally I had the issues with M0n0wall, but the same issues and fix probably apply to PfSense too.
No matter what ports I forwarded I could never reliably play GameSpy based MP games such as Borderlands or The Scourge Project, nor did GTA4 ever work right. With some fiddling around I'd sometimes get them to somewhat work; GTA4 I could play by hosting games and inviting friends, Borderlands worked if my friend hosted and we both had the required ports forwarded. However, it was all rather quirky, especially considering the fact that Borderlands shouldn't need ports forwarded at all.
Investigating the fix I found for this I also came across people who had successfully used it to get their PlayStation 3s to switch from 'NAT type 3' to 'type 2', whatever that means exactly, which allowed them to play internet games.
The problem at the root of this is that by default, M0n0wall rewrites the local port used by outgoing connections. This way, if two people try to connect to the same server using the same local port, they can still do so. However, some protocols can't seem to cope with this. The problem is that hole-punching, a technique to allow two hosts behind a (NAT) router to communicate without forwarding any ports, does not work with symmetric NAT. The solution is to disable this port rewriting; of course, it does mean that limits are imposed on two computers on the network making the exact same connections. However, this is probably not an issue for home networks at least, and the new firewall rule can always be tweaked to only apply to certain computers or ports.
The fix is to go into the NAT settings and enable advanced outbound NAT. This will disable automatic outbound rule generation. Next, add a blanket rule that allows all outgoing traffic but disables port remapping. For the source network it's easiest to just set your whole network; my DHCP server assigns 192.168.1.2 to 192.168.1.100 (.1 is the M0n0wall) so I just set it to use the /24 subnet of 192.168.1.0; that means .0 to .255.