UPnP Fix for multiple clients/consoles playing the same game

encrypt1d · Mar 21, 2022, 7:29 PM

You may have to perform your test in the reverse order.

Another tester provided evidence in an earlier post that Sony is not respecting the UPnP protocol RFC. That evidence suggests that the PS tries for the same port indefinitely instead of trying new ones. It was around post 65 above https://forum.netgate.com/topic/169837/upnp-fix-for-multiple-clients-consoles-playing-the-same-game/65

Power down your consoles, then delete your Miniupnpd mappings (you can clear them from the status page). Power up the Playstation first. If it doesn't get Open NAT in this scenario, then there is some other issue. If it does have Open NAT, then power up the Xbox.

You may also want to ensure the following NAT settings are set:

Jon8RFC · Mar 21, 2022, 7:29 PM

@encrypt1d I'm not familiar, so I'm asking...
From your testing to solve the upnp problem, does pfsense/miniupnp just drop those packets or reject them?

Again, I may really be misunderstanding how a system requests or initiates sending data over a port. Even if Sony doesn't follow the RFC standards, could a workaround be rejecting packets for an occupied port rather than just dropping/discarding them? Would something like that signal devices like sony's to try another port...if the packets aren't already rejected by pfsense/upnp?

encrypt1d · Mar 21, 2022, 7:51 PM

@jon8rfc

I don't have a playstation, so it was @Saber that provided the debug info.
It showed the Sony trying for the port (9308), miniupnpd responding with a "port already taken", and then the PS just kept asking for the same port over and over. If it is ever going to work, it needs to ask for a different port when the first one isn't available. It's just stuck in a retry loop that it can never escape. If the PS goes first, it should get the port it needs, and hopefully the xbox implementation will request a new one ... but I suppose we'll see. I'm not even sure if they are asking for the same ports - so @sclawrenc will have to let us know how it goes.

Saber · Mar 21, 2022, 8:00 PM

@sclawrenc

NAT Type 2 is the best you can get with Playstation unless you directly expose your Playstation to the internet. As an example having the device assigned its own Public IP address. Only in that scenario would you get a NAT Type 1.

Type 2 just lets you know that there is a NAT in place. but is open and will allow for online game play and in-game communication.

What you don't want is a NAT Type 3 which is a restricted NAT.

sclawrenc · Mar 21, 2022, 8:16 PM

@encrypt1d said in UPnP Fix for multiple clients/consoles playing the same game:

Power down your consoles, then delete your Miniupnpd mappings (you can clear them from the status page). Power up the Playstation first. If it doesn't get Open NAT in this scenario, then there is some other issue.

Thanks for your response. Unfortunately, I still only see NAT Type 2 trying this with and without the Pure NAT and Enable auto outbound NAT for Reflection selected.

@saber said in UPnP Fix for multiple clients/consoles playing the same game:

NAT Type 2 is the best you can get with Playstation unless you directly expose your Playstation to the internet.

Thanks for your feedback. I'm going to have to look into this further since I "think" NAT Type 1 is possible without fully exposing the PS5. Maybe UPnP along with some port forwards for the PS5 would do the trick?

Another question I have is whether or not this works or even needs to work with my IPv6 network. I have both IPv4 and IPv6 running on pfsense.

Saber · Mar 21, 2022, 8:40 PM

@sclawrenc

It's not possible, I've tried. The ONLY way I got it show as NAT Type 1 was with ddwrt WAY back in the day with the "DMZ" mode. MY ISP allows for the purchase of 3 static IPs for some services I run. If I assign one of those IP's to the Playstation it will show a NAT Type 1. Outside of that I have never gotten Playstation to show a NAT Type 1 and other Playstation gamers have said the same thing. Regardless online gaming will work just fine with NAT 2 type as that's what I game online with, without a problem.

NAT Types defined is a really good guide for NAT types for XBox and Playstation:

https://portforward.com/nat-types/

sclawrenc · Mar 22, 2022, 4:01 PM

@saber well, I learned something new today. Thanks for letting me know about this as I might have tried to get NAT Type 1 for days before figuring this out. Strange thing is, I think my PS4 had NAT Type 1, but I can't be certain since I don't have it anymore.

So based on my initial and brief testing, the UPnP patch works as expected! Great job to all who helped make this a reality! This new UPnP functionality was a deciding factor for me to come back to the pfsense world. :)

Bob.Dig · Apr 4, 2022, 8:25 AM

I had this fix enabled and later added another interface to pfSense (ah yes, the wonders of virtualization) and that interface was not shown in the upnp webui.
I then disabled this patch, rebooted pfSense and now it is shown.
Just to let you know (22.01-RELEASE)

jimp · Apr 4, 2022, 1:38 PM

@bob-dig said in UPnP Fix for multiple clients/consoles playing the same game:

I had this fix enabled and later added another interface to pfSense (ah yes, the wonders of virtualization) and that interface was not shown in the upnp webui.
I then disabled this patch, rebooted pfSense and now it is shown.
Just to let you know (22.01-RELEASE)

That is completely unrelated to this patch. It only touches the NAT rules and there is no way it could interfere with anything like that.

Bob.Dig · Apr 4, 2022, 1:57 PM

@jimp Your right, had no success now in recreating this problem.

Jon8RFC · Apr 9, 2022, 1:33 PM

@encrypt1d @Saber
I can't find any official channel to report a PS5 bug. The only thing I found is their bounty program. However, if it's worded properly (which I couldn't do or understand), they may pass it along to whoever needs to fix the problem. I even looked on linkedin to find someone specific that I could contact directly, and found nobody useful.

I couldn't find the appropriate RFC to reference, so I couldn't mention that when I attempted making a report and reference the post of the logs, which I decided against.

You both seem to know what's going on with hands-on experience with the UPnP problem in general, and with Sony devices, so I hope you'll consider sending a report and mention that there's no appropriate venue to report this issue:
https://hackerone.com/playstation/reports/new?type=team&report_type=vulnerability

aniel · Apr 9, 2022, 4:44 AM

how can i implement this network wise. it has been so long that i don't remember how?

encrypt1d · Apr 9, 2022, 1:33 PM

@jon8rfc

I believe this is the RFC, and I have linked the relevant section. I am not a UPNP expert :)

https://datatracker.ietf.org/doc/html/rfc6970#section-5.6.2

It shows that when the UPNP client asks for a port that is already taken, the protocol dictates that it should respond with error 718 / ConflictInMappingEntry and then proceed to try another port.

The evidence @Saber collected showed it continuing to try the same port every time, which is where their problem likely is.

I don't have any playstations, so I would not be able to help further.

Argon 0 · Apr 14, 2022, 6:48 PM

@encrypt1d I have tested the patch with two PlayStation 3's (OS also based on FreeBSD) and see the same behaviour as @Saber i.e. the first booted PS gets NAT type 2 and shows up in the UPnP & NAT-PMP status section, but the second PS does not and gets NAT type 3 assigned.

Is there any other way to setup both PlayStations with NAT type 2 i.e. "open"?

Saber · Apr 18, 2022, 2:14 PM

@argon-0 Yeah, just configure the normal gaming setup for PFSense which is to setup an Outbound static port rule:

https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#nat-staticport

I configured that to get both my playstations on at the same time with NAT type 2. Network wise the behavior remains the exact same with second powered up playstation requesting the same damn port, but for whatever reason gets a Type 2 NAT with the outbound static port configuration.

encrypt1d · May 4, 2022, 5:49 PM

I had some friends over to really test this out last weekend and below are my results:

Verdict: Success

6 Windows PCs total, Five Windows 10 / One Windows 11.

Games tested: Call of Duty Black OPS III and WWII

All five of the windows 10 machines got OPEN NAT in game straight away. The Windows 11 machine would NOT play ball. No matter what we tried, the Win 11 game client just refused to send any UPnP requests to the pfSense. To be clear - that is not a pfSense issue. I have reproduced it since, and will continue to debug that. Manually adding the ports via the Windows 11 gui worked to get open NAT (Windows File Explorer -> Network -> Right click on FreeBSD router -> Properties -> General -> Settings -> Add). So Windows 11 can talk to the miniupnpd server, just CoD doesn't seem to even try.

Has anyone else gotten a CoD game on Windows 11 to talk UPnP? Would like to know if there is a magic secret. This is totally unrelated to pfSense as far as I know. Of course I had all software firewalls disabled for the test, and file & printer sharing on, network discovery on.

Saber · May 5, 2022, 3:07 PM

@encrypt1d

Did you confirm that the network is Private and not Public? This document discusses some steps for network discovery for Windows 11 which appears to be a little different than previous versions of Windows.

https://www.minitool.com/news/windows-11-workgroup-not-showing-all-network-computers.html

encrypt1d · May 5, 2022, 3:14 PM

@saber
Yes indeed it, is set to Private.

Saber · May 5, 2022, 3:23 PM

@encrypt1d

Win 11 is so new, it honestly wouldn't surprise me if its a bug.

encrypt1d · May 5, 2022, 3:52 PM

@saber
Could very well be. I plan to test CoD Warzone soon, as it works fine on Windows 10 with UPnP, and is updated regularly at this point.