PS3 help getting NAT 2 from pfsense 2.6.0?
-
Yes I do know that there are a LOT of others who have posted about playstation fixes.
I've tried everything that I have found so far and NOTHING has worked for me even to get ONE of the two ps3's that are on my network to a NAT 2 result.
What the heck am I missing????
As I said above, my son and I both have PS3's that we would love to get back online to play multiplayer games! My other son who doesn't live with us has one as well and we have a blast when we are all online but, I can't seem to get past pfsense even with only one ps3 at a time!
I do have pfsense version 2.6.0 AND Surfshark VPN which I also realize complicates things but, even with disabling the VPN I can't get anything but NAT3.
There has got to be something that I am missing!
I've got the UPnP & NAT enabled as well as the UPnP port mapping.
What's next to try???
Thank you all!
-
@kilted1 On 2.6 did you install the System Patches package and install the patch:
Add UPnP NAT Anchors to fix outbound NAT for multiple consoles. (Redmine #7727, Forum Thread)
-
Looking in the "Package list" it doesn't look like it and I don't remember that one so, probably not.
All I have to do with it is "install (download) and then run it"?
If I do it now?
Dale
-
I did the "install" from the package list and it shows in the "installed packages" list but, I can't find it anywhere else real quick.
Did it do its stuff automatically already?
Dale
-
@kilted1 System/Patches menu item. It doesn't install anything by itself.
https://docs.netgate.com/pfsense/en/latest/development/system-patches.html
-
HA! I found it!
And I see the "Add UPnP..." patch.
Given that you had also helped me with the other post I had made about by-passing my VPN for certain traffic, is that the only patch that would be good for me to install?
The pic is the list that showed up of patches.
Dale
-
Oops, sorry!
Wrong Steve.
Here is a link to my other topic.
Dale
https://forum.netgate.com/topic/175774/i-am-fighting-this-same-issue-in-pfsense-2-6-0-and-losing-the-battle-help/19?_=1669146413270
-
@kilted1 It's up to you. I personally just patch what I need. They will find their way into later versions, for instance I think these are all in 22.05 but there is no CE version between 2.6 and 2.7.
-
Applying the recommended patches should be fine. All of them have been tested to work. However most of them won't do anything unless your particular setup is hitting the issue they solve.
I would apply the UPnP patch and the disable pf counter patch and leave the others unless you know you need them.
(other) Steve
-
Well, got the patch installed and even rebooted it with no improvement yet.
Any other suggestions?
Still getting NAT 3
Dale
-
@Kilted1
I'm not sure how far you have got configuring upnp but have you enabled it and also put in the ip address ranges and ports that are allowed? Have you selected the correct interface? For me it's the WAN interface. I have a PS4 and a PS5 and it's working well for me. Have you had a look in the logs - Status\UPNP to see if any records have popped up?
-
I have so far tried everything and made sure that the upnp is enabled and set up (as best that I could) and yet, I'm still getting NAT 3 on my PS3's.
Any more ideas????
I am considering setting up a DMZ in my pfSense to an OLD router that would ONLY have my PS3's connected to get around this. Is this a valid idea?
And if it is, suggestions on the DMZ setup as well as maybe ONE (and ONLY 1) outside management connection for my computer routed into the DMZ host?
Keeping in mind that, not only am I running pfsense to protect my primary network, I am ALSO running outbound traffic through a VPN as a "client."
I'm sure that does complicate things even further and I'm suspecting is the extra hurdle that is tripping me up right now but, I can't PROVE it at this point.
Thank you all for all of your help and support!
Dale
-
Although, I DID just have to turn OFF my VPN to add this and the previous comments so it wouldn't be "flagged as spam" so, maybe that does prove my suspicion?
Thank you all again for all of your help and support!
Dale
-
You would certainly have to be sure your traffic to/from the PS3 does not go over the VPN because that is all NAT'd and cannot accept inbound connections at all.
UPnP can only work through one layer of NAT so if you set up another router to put consoles on it would need to be upstream of pfSense if games require UPnP. That could work.
Steve
-
Wouldn't the DMZ be "outside" of the VPN?
Isn't there any way of routing traffic through the WAN connection besides through the VPN connection?
Sadly, putting the extra router upstream to the pfsense isn't possible with my set up so it would have to be behind pfsense.
I thought the whole point of a DMZ was to bypass the firewall completely?
Dale
-
DMZ could be completely separate from the VPN, yes.
Usually though a DMZ would still be NAT'd from the WAN, often with 1:1 forwarding. However that would still be two NAT translations between the public IP and the console which means UPnP would fail.
To make that work you would need to bridge the WAN to the DMZ interface so that the other router also has a public IP. That would require at least two public IPs though.
-
Sadly, that makes a lot of sense.
Except (no I don't think my coffee has kicked in yet, sorry!),
IF my pfsense box NAT's the DMZ with 1:1 to the extra router and, that router added its own NAT, wouldn't that still only be a NAT 2 situation and not a NAT 3?
Right now, our PS3's ARE up and playing online as long as I have the VPN connection deactivated in the rules. So if the DMZ does go around the VPN connection with the 1:1 NAT, and the DMZ router only adds one NAT layer, that only makes NAT 2, right?
OR am I not counting the NAT layer from my ISP in this mess???
I really appreciate your time in helping me understand this! I hadn't gotten this deep into Network management before now. Even though I did pass the "98-366: MTA: Networking Fundamentals" back in 2012. It didn't go this deep so, thank you again!
Dale
-
I have no idea how Sony are defining NAT2 or NAT3. It seems similarly obscure to MS's open-NAT and closed-NAT....
Ah, previously you said you could only get NAT3 even disabling the VPN. So what is actually not working currently? You can only connect one at a time?
1:1 NATing to the other router would still be double NATing which breaks UPnP. If that's required it will fail.
Steve
-
Wow ok, I thought I had posted an update on what is going on.
Maybe it was in the post that I couldn't get to post because it kept getting flagged as spam even after disabling the VPN where that worked the first time.
So I think it was two days ago I got the wild idea to try my PS3 again just for giggles. BEFORE that, no matter what I had tried with all of the setup suggestions AND turning OFF the VPN I could ONLY get NAT 3 shown in the connection settings list in my PS3.
Anyway, the other day I turned OFF the VPN and tried my PS3 and lo and behold, it popped up with NAT 2!!!! I was totally shocked and surprised on the success. Found out that it had logged into the Playstation network already so decided to see if I could play one of my favorite games (COD Ghosts). It worked and showed the NAT notation of "Strict." Not sure if that is significant or not but, my son and I were able to connect and play which we hadn't been able to do ever since putting my pfsense (with the VPN) into service.
So as of now, as long as the VPN is OFF we can play. If the VPN is ON, it won't connect.
I have yet to figure out WTH I did or changed to get this to function as I had tested repeatedly after every change before to no avail. I just thought, what the heck and tried it for giggles and it worked.
Previously I had made a firewall alias for BOTH my PS3 and my son's and used it in the rule attempts. And I can go to the UPnP status and see that right now (they are turned off right now) that each of them have udp ports assigned to them (son's has one and mine has two) with the description of "DemonwarePortMapping."
I don't remember when I had done it but, if you scroll back up this post to the picture of the available "Patches", I have actually applied all of them except the top two.
Maybe one of those worked?
Dale
-
Hmm. Well that implies it requires UPnP. You could test that by disabling UPnP though.
And that means it can't work behind double NAT.
However if it works by simply disabling the VPN you should be able to simply route the console traffic past it. It seems likely the VPN is changing the default route on the firewall. Or perhaps causing UPnP to show the VPN interface as the external IP.
Steve
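
The cases raised in this thread (UPnP reporting the VPN interface as the external IP, console traffic following the VPN's default route, and pfSense's WAN itself sitting behind another NAT) can be told apart from four addresses. This is an added example, not part of the thread or of pfSense; the function names, finding labels and sample addresses are constructed, and the four inputs are assumed to be collected by hand (the external IP a UPnP client is given, the WAN interface address, the VPN tunnel address, and the address an outside service sees for the console).

```python
import ipaddress

# Ranges that cannot receive inbound connections without another NAT in front.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "100.64.0.0/10",                                   # RFC 6598 carrier-grade NAT
    "169.254.0.0/16", "127.0.0.0/8",                   # link-local, loopback
)]


def needs_upstream_nat(addr):
    """True if addr is only reachable through a further NAT layer."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_PUBLIC)


def diagnose(upnp_external, wan_addr, vpn_addr, seen_from_internet):
    """Return a list of findings; an empty list means nothing looks wrong."""
    upnp, wan, vpn, seen = (
        ipaddress.ip_address(a)
        for a in (upnp_external, wan_addr, vpn_addr, seen_from_internet)
    )
    findings = []
    # UPnP should hand clients the WAN address as the external IP.
    if upnp == vpn:
        findings.append("upnp-advertises-vpn")
    elif upnp != wan:
        findings.append("upnp-external-not-wan")
    # A non-public WAN address means a second NAT sits upstream of the firewall.
    if needs_upstream_nat(wan_addr):
        findings.append("wan-behind-upstream-nat")
    # With a public WAN, the outside world should see that same address;
    # anything else means the console's traffic leaves by another path.
    elif seen != wan:
        findings.append("console-egress-not-wan")
    return findings


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    print(diagnose("203.0.113.10", "203.0.113.10", "10.8.0.2", "203.0.113.10"))
    print(diagnose("10.8.0.2", "203.0.113.10", "10.8.0.2", "198.51.100.7"))
    print(diagnose("192.168.1.2", "192.168.1.2", "10.8.0.2", "203.0.113.10"))
```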