I don't know if you still need help, but, First, I wanted to say that I was going to bridge the connections on my system, I found several posts saying basically "Shame on you, bridges are bad" and after researching, yes, bridges are bad. They are forcing software to act like a switch, which will never work as well as a switch. What most people DON'T tell you, ( I think they expect you to work out) is that the only thing stopping your other networks (subnets) from communicating is the firewall rules (or lack thereof) for that interface, I duplicated the default "Lan to any" rule on my second network, because I wanted that network to be able to communicate, and it worked fine, it does mean doing every firewall rule twice, but it works! So consider doing this.

If you want to be a bridge troll (kidding) them I do have one question. PFsense filters traffic in the interfaces that are bridge members by default, NOT in the bridge itself, you can change this behavior, if you edit some lines in system tunables. Here is the quote from pfsense docs

By default, traffic is filtered on the member interfaces and not on the bridge interface itself. This behavior may be changed by toggling the values of net.link.bridge.pfil_member and net.link.bridge.pfil_bridge under System > Advanced on the System Tunables tab

Has this been done?

I copied this config set by set, for my two Xbox ones. Now I don't get any NAT as my Xbox cannot get a Teredo IP

Can you do ipv6 with your isp?  The xbox one supports ipv6 and is currently the only console to do so AFAIK.

IPV6 would solve these issues for you.

They use P2P - and yes it can "destroy" your cpu if you're using proxy and anti virus.
I only have 150mb down and it was only saturating 90mb at it would shoot my cpu to 100%.  Once I turned of the AV (which I assumed was only scanning port 80 and 443) the cpu went back down to nearly nothing.  However, I have very bad nics which are being replaced today.
Bad nics can destroy your cpu when you're doing high traffic over a ton of simultaneous connections.
You should only experience this when downloading the game not during gameplay.
Intel(R) Core(TM)2 CPU 4300 @ 1.80GHz

@arsenic32:

I actually found the opposite to be true in practice. When I used UPNP and randomized outbound ports, my xboxs reported a moderate nat, but were able to play together in multiplayer games.

When enabling static nat, one xbox was able to join multiplayer games (with open nat) while the other 3 could not. I suspect that the xboxs are accessing static ports that are not reported to UPNP, and therefore all of the packets for that port are being routed back to a single box. With the random source port nat, the router was able to assign a different port for each xbox so the return packets were able to reach the correct xbox.

I'm not sure if there is a way to tell pfSense to only randomize packets that have the same port, but different lan addresses. If that would even solve the issue here.

Right.  The order of setup should be UPNP by itself.

If that doesn't work then port foward/nat forward.

I'm sure one setup doesn't work for everything.

You might get more attention to your issue if you post it in the Traffic Shaping forum.

@Navok:

The ingame ping value is determined by calling/"pinging" battlelog.battlefield.com via Port80/443

Had the same problem on our 400+ people Lan Party. Firewall was set up with TrafficShaping/QOS optimized for gaming. Even they could play without any lags, the ingame PING shows something with 1000ms and above and player get kicked for high ping after a while. Later we discovered that the client doesn't use ICMP to discover the ping. Instead the ping was high because port 80/443 was "punished" in traffic shaping/QOS. After prioritize battlelog.battlefield.com in QOS/TS the pings was good again.

Hope this helps.

Hi, would you mind explaining how you did that ?

Thanks !

Doesn't play well with my xbox one or computers with steam.  Works great with my mac, though.

The NAT forwards are enough.  I've just turned off uPNP.

Once I reloaded my config file, suddenly the xbox one is working.  I have no idea why and I did not change any of the settings after restore.  Very odd.  Maybe it was a hardware reboot that fixed it.

I have a network segment on its own interface just for gaming, and have only static NAT configured for it - no UnPNP. Two WII-U consoles can splat with no issues.

The 3DS games that set the packet TTL to 3 hops are the ones that are killing me.

I just updated the XBox guide on how to make this work, and this should resolve your issue as well. Look for my recent post.

https://forum.pfsense.org/index.php?topic=73012.15

@exodus21:

So based on my settings, its probably not my PFSense blocking the connection over the hotspot, but the hotspot itself?

I just want to ensure that my internal settings are correct and arent blocking external sources from connecting.

Thanks

Check the UPnP status and make sure that the PS4 is listed after doing a network test on the PS4 itself. After that, check that your Verizon public IP isn't being blocked by pfSense. If UPnP is set up correctly, and the IP isn't being blocked, I don't see how it could be pfSense.

I checked the block rule, and sure enough it was the default rule, to block private networks.  I should have grabbed a screenshot of the message, but I didn't.  I decided to upgrade to 2.3 this morning, and viola- UPnP is working, I can see the session under the status page, and my PS4 is reporting NAT Type 2.  Thanks

Better later than never I guess :)

Try disabling pf scrubbing, it should work now.

Don't know exactly why, nor any way to disable scrubbing just for those ports. Any suggestion is welcome, since I like my packets well scrubbed and I have to turn it off when I want to play, and back on again after playing. It's very annoying.

@cyanic:

Strict NAT occurs when A. hosts cant initiate connections to you on a specific port and B. your firewall is changing the source port for your outbound connections on that specific port.

Fix B and you will have a Moderate NAT
FIX A & B and you will have an Open NAT

Look here for B

https://doc.pfsense.org/index.php/Static_Port

This is correct, lots of games/consoles require static outbound for their traffic.  The easiest way to do this for multiple consoles is to just set Static outbound to apply as if it were applying to a subnet, i.e set the subnet mask of the static outbound rule to a /25 subnet and just stick all of the game console DHCP leases in addresses above 128.

As a small update the last couple games ive played forward 3074 themselves with UPNP however I'm now trying to see how to get multiple PCs to do it.  What consoles do you have that you had to mess with the NAT settings?  I'd rather change outbound for one port than NAT functionality for all of them