I’ve had several experiences now where I’m unable to connect to a Team Fortress 2 server while someone else on the same internet connection is playing.
The status packets seem to egress using either a short lived static source port or a random source port (more research required).
It seems that the Source engine / TF2 always uses port 27005 as the source port when connecting to a game, and the destination server port is the same for both people attempting to connect.
This means that for the second connection the router has to rewrite the source port so that NAT/PAT can keep the two flows apart and route the translated traffic correctly.
However, in my case, the router seems to translate to the first available UDP port… which is often 1024. I can only assume that some Valve servers block unusually low UDP source ports and don’t respond to the connection.
It is very strange being able to ask the server for player status but not being able to join the server…
The fix, in my case, seems to be to force UDP Masquerade / Masquerading to higher ports instead:
iptables -t nat -I POSTROUTING 1 -j MASQUERADE -p udp --to-ports 27000-65534
I could, and should, rewrite the command so that it only translates the source port(s) that TF2 uses, but in a fit of laziness and urgency to play TF2 I’ve settled for the command above.
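To make the collision concrete, here is a small Python model of the PAT behaviour described above (an added example, not code from the original post or from Valve/netfilter): two LAN clients both send UDP from source port 27005 to the same server, the first keeps its port, the second collides and gets rewritten from the router's fallback range. The "first free port in range" policy, the default 1024-65535 range and the server address are simplifying assumptions for illustration.

```python
# Constructed addresses for the demonstration.
SERVER = ("203.0.113.10", 27015)   # hypothetical TF2 server
LAN_A = ("192.168.1.10", 27005)    # first player, TF2 source port 27005
LAN_B = ("192.168.1.11", 27005)    # second player, same source port


class Masquerade:
    """Minimal PAT table keyed on (wan_port, dst) -> (lan_ip, lan_port).

    to_ports models the MASQUERADE fallback range: (1024, 65535) stands in
    for the router's default, (27000, 65534) for the --to-ports fix.
    Assumption: a colliding flow gets the first free port in that range.
    """

    def __init__(self, to_ports=(1024, 65535)):
        self.to_ports = to_ports
        self.table = {}

    def _in_use(self, port, dst):
        return (port, dst) in self.table

    def translate(self, src, dst):
        """Return the WAN source port used for the flow src -> dst."""
        lo, hi = self.to_ports
        # An already-tracked flow keeps its existing mapping.
        for (wport, d), s in self.table.items():
            if s == src and d == dst:
                return wport
        # Keep the original source port if it is in range and unused.
        if lo <= src[1] <= hi and not self._in_use(src[1], dst):
            self.table[(src[1], dst)] = src
            return src[1]
        # Collision: fall back to the first free port in the range.
        for port in range(lo, hi + 1):
            if not self._in_use(port, dst):
                self.table[(port, dst)] = src
                return port
        raise RuntimeError("no free UDP port in configured range")


def two_players(to_ports=(1024, 65535)):
    """WAN source ports seen by the server for players A and B."""
    nat = Masquerade(to_ports)
    return nat.translate(LAN_A, SERVER), nat.translate(LAN_B, SERVER)


if __name__ == "__main__":
    print("default range:", two_players())                 # second player lands on 1024
    print("--to-ports fix:", two_players((27000, 65534)))  # second player lands on 27000
```

Player B's flow is the one the low-port filtering would drop under the default range; with the 27000-65534 range both players present high source ports to the server.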