Novice question:  If I'm setting up a MineCraft server (on a separate FreeNAS box) located on my local LAN and I want others (i.e. my kid's friends) to be able to access the server from WAN, then this is the setup to use, correct? Thanks!

It only works for me with manual outbound nat with per device static port entries in the outbound nat rules for allow any udp to that device.  I could make it more secure but I have a "gaming" subnet with more lax rules.

I don't know if you still need help, but, First, I wanted to say that I was going to bridge the connections on my system, I found several posts saying basically "Shame on you, bridges are bad" and after researching, yes, bridges are bad. They are forcing software to act like a switch, which will never work as well as a switch. What most people DON'T tell you, ( I think they expect you to work out) is that the only thing stopping your other networks (subnets) from communicating is the firewall rules (or lack thereof) for that interface, I duplicated the default "Lan to any" rule on my second network, because I wanted that network to be able to communicate, and it worked fine, it does mean doing every firewall rule twice, but it works! So consider doing this. If you want to be a bridge troll (kidding) them I do have one question. PFsense filters traffic in the interfaces that are bridge members by default, NOT in the bridge itself, you can change this behavior, if you edit some lines in system tunables. Here is the quote from pfsense docs By default, traffic is filtered on the member interfaces and not on the bridge interface itself. This behavior may be changed by toggling the values of net.link.bridge.pfil_member and net.link.bridge.pfil_bridge under System > Advanced on the System Tunables tab Has this been done?

I copied this config set by set, for my two Xbox ones. Now I don't get any NAT as my Xbox cannot get a Teredo IP

Can you do ipv6 with your isp?  The xbox one supports ipv6 and is currently the only console to do so AFAIK. IPV6 would solve these issues for you.

They use P2P - and yes it can "destroy" your cpu if you're using proxy and anti virus. I only have 150mb down and it was only saturating 90mb at it would shoot my cpu to 100%.  Once I turned of the AV (which I assumed was only scanning port 80 and 443) the cpu went back down to nearly nothing.  However, I have very bad nics which are being replaced today. Bad nics can destroy your cpu when you're doing high traffic over a ton of simultaneous connections. You should only experience this when downloading the game not during gameplay. Intel(R) Core(TM)2 CPU 4300 @ 1.80GHz

@arsenic32: I actually found the opposite to be true in practice. When I used UPNP and randomized outbound ports, my xboxs reported a moderate nat, but were able to play together in multiplayer games. When enabling static nat, one xbox was able to join multiplayer games (with open nat) while the other 3 could not. I suspect that the xboxs are accessing static ports that are not reported to UPNP, and therefore all of the packets for that port are being routed back to a single box. With the random source port nat, the router was able to assign a different port for each xbox so the return packets were able to reach the correct xbox. I'm not sure if there is a way to tell pfSense to only randomize packets that have the same port, but different lan addresses. If that would even solve the issue here. Right.  The order of setup should be UPNP by itself. If that doesn't work then port foward/nat forward. I'm sure one setup doesn't work for everything.

You might get more attention to your issue if you post it in the Traffic Shaping forum.

@Navok: The ingame ping value is determined by calling/"pinging" battlelog.battlefield.com via Port80/443 Had the same problem on our 400+ people Lan Party. Firewall was set up with TrafficShaping/QOS optimized for gaming. Even they could play without any lags, the ingame PING shows something with 1000ms and above and player get kicked for high ping after a while. Later we discovered that the client doesn't use ICMP to discover the ping. Instead the ping was high because port 80/443 was "punished" in traffic shaping/QOS. After prioritize battlelog.battlefield.com in QOS/TS the pings was good again. Hope this helps. Hi, would you mind explaining how you did that ? Thanks !

Doesn't play well with my xbox one or computers with steam.  Works great with my mac, though. The NAT forwards are enough.  I've just turned off uPNP.

Once I reloaded my config file, suddenly the xbox one is working.  I have no idea why and I did not change any of the settings after restore.  Very odd.  Maybe it was a hardware reboot that fixed it.

I have a network segment on its own interface just for gaming, and have only static NAT configured for it - no UnPNP. Two WII-U consoles can splat with no issues. The 3DS games that set the packet TTL to 3 hops are the ones that are killing me.

I just updated the XBox guide on how to make this work, and this should resolve your issue as well. Look for my recent post. https://forum.pfsense.org/index.php?topic=73012.15

@exodus21: So based on my settings, its probably not my PFSense blocking the connection over the hotspot, but the hotspot itself? I just want to ensure that my internal settings are correct and arent blocking external sources from connecting. Thanks Check the UPnP status and make sure that the PS4 is listed after doing a network test on the PS4 itself. After that, check that your Verizon public IP isn't being blocked by pfSense. If UPnP is set up correctly, and the IP isn't being blocked, I don't see how it could be pfSense.

I checked the block rule, and sure enough it was the default rule, to block private networks.  I should have grabbed a screenshot of the message, but I didn't.  I decided to upgrade to 2.3 this morning, and viola- UPnP is working, I can see the session under the status page, and my PS4 is reporting NAT Type 2.  Thanks

Better later than never I guess :) Try disabling pf scrubbing, it should work now. Don't know exactly why, nor any way to disable scrubbing just for those ports. Any suggestion is welcome, since I like my packets well scrubbed and I have to turn it off when I want to play, and back on again after playing. It's very annoying.