Unable to do Open NAT in pfSense 2.7.2-RELEASE
-
Hello, folks. I am tearing my hair out trying to make pfSense do Open NAT.
I started using pfSense a week ago, so I am pretty new to it. I play GTA Online and Elite: Dangerous. These worked fine with my previous setup, using an ASUS RT-AC87U router behind the ISP's modem, which is in bridge mode. I did not have to open ports for these games, or in fact for any of the games I play. Now this ASUS router is in AP mode, behind pfSense. The gaming PC is connected to the AP (192.168.1.10, see it in the screenshots below).
After the switch, GTA started telling me that I am in strict NAT mode. E:D says the same in Options > Network: "PORT_RESTRICTED". The interesting thing here is that now it says UPnP is OFF, however earlier it said ON. But the NAT mode did not change. I tried so many things already, spent hours and hours trying to make this work, so I don't know what could be the reason it now says OFF. Anyway.
Also, https://www.checkmynat.com says my NAT type is "Port Restricted Cone".
Among other things, I followed this guide to configure pfSense: https://www.tweaking4all.com/network-internet/pfsense-strict-nat-xbox-one/ - Even though my settings are the same, it is still not Open NAT.
I also read many forum posts here and on Reddit and watched YouTube videos, did lots of googling, discussed the issue with ChatGPT, reset states, issued all the ipconfig /release /renew /flushdns commands on my PC, rebooted pfSense, rebooted the PC, deleted and recreated firewall rules... Nothing worked.
Can someone please point me in the right direction here?
I screenshotted my settings:
Thank you
-
@Sherwatt Instead of using imgur or any other picture sharing site, just paste your snippets into the post... so much simpler for everyone.
Getting OpenNAT on pretty much any game should not require more than turning on UPnP as you have done it already.
The only exception is that you do NOT need to allow all those ports from 53-65535. I play mostly Call of Duty and allow only 3074-3076 plus 28960-28963 for the two PCs in our house. Once you get this working, I'd suggest checking the Status page for UPnP, during game play, to see which ports are actually being opened. Then you can start limiting your allowed ports to only those that show up in that list.
And you do not need to use Hybrid mode although it can help speed up things during startup of the game.
The 192.168.1.10 IP, is that your PC or the ASUS router? It needs to be the PC [EDIT] which I see now from the pictures that it is. But during testing I would suggest connecting the PC directly to pfsense, via a simple switch perhaps.
How have you connected the ASUS router to the pfsense LAN? Are you connecting to a LAN port or the WAN port on the ASUS? And does it have its DHCP server turned OFF?
BTW, when troubleshooting it helps turning on the logging and there is a tick box for that in UPnP settings. Also, I would switch back to ISC DHCP server for now...
-
Thanks for the advice, I embedded the screenshots into my post. :)
Most of the guides I read did recommend allowing all those ports from 53-65535 (some used 1024-65535), so that's why I set that up. This is why I am using Hybrid mode. If these are not needed, but are still there, I guess it can't hurt, right? Until I can get this thing to work, I will leave those there, and then start removing unneeded things one by one, to make sure it still works.
I did keep an eye on the Status page for UPnP, but most of the time nothing showed up. Nothing during GTA Online, nothing during Elite now, however I saw an entry there during one of the tests with Elite, but according to the game, it was still using PORT_RESTRICTED.
I don't want to start manually adding/removing ports to the firewall, this should already work automatically, and I never needed to do similar things with the ASUS router. (All ports were closed by default and I manually opened a few specific ports for docker services.)
Yes, 192.168.1.10 is my gaming PC. The ASUS is 192.168.1.2, pfSense is 192.168.1.1.
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
But during testing I would suggest connecting the PC directly to pfsense, via a simple switch perhaps.
What do you mean? Should I use another switch instead of the ASUS router? I don't have any other switches or routers. Or should I use a 3rd port on the pfSense machine, OPT1?
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
How have you connected the ASUS router to the pfsense LAN? Are you connecting to a LAN port or the WAN port on the ASUS? And does it have it's DHCP server turned OFF?
Now that it is in AP mode, there is not even a DHCP setting page on the router anymore. So I guess it is off? The router is connected to the LAN port of the pfSense device, via a LAN port on the ASUS itself. The WAN port on the ASUS is unplugged.
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
BTW, when troubleshooting it helps turning on the logging and there is a tick box for that in UPnP settings. Also, I would switch back to ISC DHCP server for now...
OK, I turned on logging for UPnP. Where can I see these logs? In Status > System Logs > Firewall?
Switched back to ISC DHCP.
The Check My NAT site says my NAT is still Port Restricted Cone.
-
Now Elite reports working UPnP again:
But the "router type" is still PORT_RESTRICTED.
At the same time this entry appeared in the UPnP Status page:
And this is from the firewall logs:
This is happening after I switched back to ISC DHCP.
But so far, both the game and the tester site reports the same restricted NAT mode.
EDIT: well, Elite just reports OFF again for UPnP without me changing anything in pfSense, and now nothing is showing up on the UPnP Status page. :(
-
One additional note, when I am testing with Check My NAT, I can see lots of "Default deny rule IPv4 (1000000103)" with the site's IP address.
Interesting... Why is it not my 192.168.1.10 IP being used here? Only WAN and the site's IP.
-
@Sherwatt said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
What do you mean? Should I use another switch instead of the ASUS router? I don't have any other switches or routers. Or should I use a 3rd port on the pfSense machine, OPT1?
No you are all set up then with your ASUS in AP mode. I think I got confused initially thinking that IP was the ASUS and wasn't sure if that could have been the problem...
@Sherwatt said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
The Check My NAT site says my NAT is still Port Restricted Cone.
Yes and that should be fine, although if I remember correctly, I always had Symmetric. That was until I tested with Outbound NAT changed to Hybrid and introduced Static Port for the gaming PC. Still worked fine with all my games also with Symmetric, so I don't think you should bother too much about that.
It's strange that it seems to work and suddenly stop... When testing some of these things, it's always a good idea to do ipconfig /release and ipconfig /renew on the gaming PC after making changes. Also to reset UPnP so that any reserved ports are released and can be requested again.
I believe the logs from UPnP show up under Status / Routing... but it might be more places??
@Sherwatt said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
Interesting... Why it is not my 192.168.1.10 IP being used here? Only WAN and the site's IP.
Not sure how that site works but it might be probing your WAN as part of the testing it does, and it gets blocked...
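To make the Symmetric / Port Restricted Cone distinction that comes up here (and again later when Outbound NAT is switched between Hybrid with Static Port and Automatic) concrete, here is an added example that is not part of the thread and not pfSense code. It simulates a small pf-style NAT for the gaming PC and runs the RFC 3489 style probes that a "check my NAT" tester performs. The server addresses are constructed documentation-range IPs, the `static_port` and `filtering` switches are my own simplification of pf's behaviour, and nothing is sent on the network.

```python
"""Classify NAT behaviour the way a "check my NAT" style tester does.

Added example (not from the thread, not pfSense code). It models a stateful
NAT for the LAN client 192.168.1.10 and derives the four RFC 3489 labels the
thread uses: Full Cone, Restricted Cone, Port Restricted Cone, Symmetric.
All addresses are constructed; no packets are sent.
"""

LAN_IP, LAN_PORT = "192.168.1.10", 5100     # the gaming PC and the port Elite uses (per the thread)
SERVER_A = ("198.51.100.10", 3478)           # constructed primary test server
SERVER_A_ALT_PORT = ("198.51.100.10", 3479)  # same host, a port the client never contacted
SERVER_A_ALT_IP = ("198.51.100.11", 3478)    # a host the client never contacted
SERVER_B = ("203.0.113.20", 3478)            # constructed second test server


class SimpleNat:
    """A minimal stateful NAT (assumption: a simplification of pf's behaviour).

    static_port=True keeps the LAN source port on the WAN side, as pfSense's
    'Static Port' outbound mapping does; otherwise each new state gets a fresh
    external port (pf picks it at random; a counter is used here so the run is
    deterministic). `filtering` decides which inbound packets a state admits:
    'address_port' is pf's normal behaviour; 'address' and 'none' exist only to
    show how the looser cone types arise.
    """

    def __init__(self, public_ip, static_port=True, filtering="address_port"):
        self.public_ip = public_ip
        self.static_port = static_port
        self.filtering = filtering
        self.states = {}        # (lan_ip, lan_port, dst_ip, dst_port) -> external port
        self._next_port = 49152

    def outbound(self, lan_ip, lan_port, dst):
        """Create (or reuse) a state for lan -> dst and return the WAN-side mapping."""
        key = (lan_ip, lan_port) + dst
        if key not in self.states:
            if self.static_port:
                ext_port = lan_port
            else:
                ext_port = self._next_port
                self._next_port += 1
            self.states[key] = ext_port
        return (self.public_ip, self.states[key])

    def inbound_allowed(self, src, ext_port):
        """Would a packet from src to our public ext_port pass the state table?"""
        src_ip, src_port = src
        for (_, _, dst_ip, dst_port), ep in self.states.items():
            if ep != ext_port:
                continue
            if self.filtering == "none":
                return True
            if self.filtering == "address" and dst_ip == src_ip:
                return True
            if self.filtering == "address_port" and (dst_ip, dst_port) == (src_ip, src_port):
                return True
        return False


def classify_nat(nat):
    """Run the classic probe sequence against a NAT and return its label."""
    mapping_a = nat.outbound(LAN_IP, LAN_PORT, SERVER_A)
    mapping_b = nat.outbound(LAN_IP, LAN_PORT, SERVER_B)
    if mapping_a != mapping_b:
        return "Symmetric"        # mapping depends on the destination
    ext_port = mapping_a[1]
    if nat.inbound_allowed(SERVER_A_ALT_IP, ext_port):
        return "Full Cone"        # anyone can reach the mapping
    if nat.inbound_allowed(SERVER_A_ALT_PORT, ext_port):
        return "Restricted Cone"  # any port of a contacted host can
    return "Port Restricted Cone"  # only the exact contacted (ip, port) can


if __name__ == "__main__":
    for label, nat in [
        ("Hybrid outbound NAT + Static Port", SimpleNat("192.0.2.1")),
        ("Automatic outbound NAT", SimpleNat("192.0.2.1", static_port=False)),
        ("address-only filtering (not pf)", SimpleNat("192.0.2.1", filtering="address")),
        ("no filtering (not pf)", SimpleNat("192.0.2.1", filtering="none")),
    ]:
        print(f"{label}: {classify_nat(nat)}")
```

The first two configurations reproduce what the thread reports: with Static Port the tester sees Port Restricted Cone, with Automatic outbound NAT the randomised source port makes the mapping differ per destination and the result is Symmetric. Neither is a misconfiguration; both still let UPnP open the specific port a game asks for.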
-
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
When testing some of these things, it's always a good idea to do ipconfig /release and ipconfig /renew on the gaming PC after making changes. Also to reset UPnP so that any reserved ports are released and can be requested again.
Yeah, I keep spamming those commands in the terminal window and also I restart upnp or remove the states from the states table that belong to my IP address.
Here are the latest entries from Status > System Logs > System > Routing.
01:25 was the time I restarted upnp. I am a bit concerned about those "Invalid argument" messages.
08:57 - that IP belongs to my brother's phone, I don't know what he did at that time, should I ask?
He did a test though using that test site, but earlier, around 08:44. He used his phone, which is not configured. I told him to test on his PC, which is. But none of those attempts show up here.
10:04 is when I turned on my PC. I am concerned about those timeouts, and then there is an error.
How can I resolve the invalid argument and timeout issues?
-
@Sherwatt From Listening for NAT-PMP it looks normal to me.
And from your screenshots it looks like you have everything set up as it should be for gaming...
Elite : Dangerous seems to need only 5100 open on PC. So it would likely show up in the status page for UPnP if it is being requested by that game.
https://portforward.com/elite-dangerous/
The time out that you see is actually UPnP sending to your PC over Windows SSDP (Simple Service Discovery Protocol). But your PC is either blocking it (check firewall) or was not online at the moment.
Perhaps try turning off the windows firewall for a moment to see if that resolves some of these issues with gaming.
-
Yes, looks like everything is set up to work, but it still doesn't. Not even a simple port opening (forwarding) seems to work.
As a test I added a port forwarding rule for my PC with port 4444 and tested with multiple external port checker sites and all reported it Closed. Then I changed it to 5100 and it still showed closed, and Elite still reported restricted.
I did a packet capture during starting up Elite with 5100 open and I could see my PC communicating with an external IP on that port. But only the request from external sites show up in packet capture when doing a port check.
I am starting to give up and just return to my old shitty ASUS router... Which is bad as I purchased new hardware for pfSense. And I will need to open more ports later for other services, but first I need to resolve this NAT issue.
Can I turn on some kind of debug log in pfSense somewhere?
Or, can I just test pfSense on another device that is not connected to the internet? The reason behind this is that I can't just test it on the real WAN connection, as other people need working internet in the house. But I have some other hardware I could install pfSense on, I just don't know if/how to test NAT on that...
-
@Sherwatt Hmmm, it's really strange that you don't seem to be able to open ports. However, using port checkers may not always give you the truth... Try opening port 443 towards your PC since that will show at least. But even some of those ports listed may show up as closed even if they are open.
You can test with netcat from Linux or WSL on your PC.
Run the command nc -zvu yourexternalip PORT# (the -u switch is for UDP and if you remove it the test will run TCP).
For me without UDP it doesn't render a result but with UDP it shows this for SIP:
Connection to myexternal-IP 5060 port [udp/sip] succeeded!
If I test for 25565 (Minecraft), I get "port 25565 (tcp) failed: No route to host"
Because the Minecraft server is down, so nothing responds on that port.
However, when I run yougetsignal or portchecker.co, they both report these ports to be closed.
Another thing... the MAC on your ASUS router, have you cloned that onto your pfsense WAN interface? If not I think that could be a good idea, since it will make sure you can change between them without issues. Also, could you check your public IP to make sure it is in fact a public IP and not from some CG-NAT range.
Also you say Elite reports "restricted" but that doesn't necessarily mean it is a problem. You should never have Full Cone NAT on your home router, and Restricted NAT or Port Restricted NAT are both ok as long as the right ports get opened...
-
Hey @Gblenn, thank you for all your inputs so far. Now I think there might still be hope...
I opened up port 443, but both test sites reported it as closed. Then I ran the nc command in WSL and for TCP it timed out, but with UDP it succeeded, same as your situation.
EDIT: I spoke too soon. After removing this test rule and removing the States from pfSense and even rebooting my PC, the UDP port 443 still succeeds. Maybe something else is causing it to succeed and not my tinkering in the firewall. :/
I did not clone the router's MAC. Maybe I will give it a try later, I just don't know why would I need that.
I checked and the public IP is not in the CG-NAT range (not in 100.64.0.0/10).
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
Also you say Elite reports "restricted" but that doesn't necessarily mean it is a problem. You should never have Full Cone NAT on your home router, and Retricted NAT or Port Restricted NAT are both ok as long as the right ports get opened...
Maybe this is true. I hope it is.
I don't know what NAT type different games thought my ASUS router had when I was using that, as no game complained and all multiplayer sessions worked. I started looking into this whole thing after switching to pfSense and then GTA Online warned me that my NAT type is strict. But it is much more difficult to test this with GTA, as that game takes ages to load. I hope I can get into a session soon with my friends and see if that message now pops up or not (I don't think you can check the NAT type anywhere in the menu, but I might be wrong).
BTW, I am not sure anymore if I remember correctly, but I think when I opened up ports in the ASUS router, I could always verify they are open using any external port tester sites, as the response was always "open", even when I had not yet started the service on that port (first I wanted to confirm it is open). Is it possible that that has now changed with this pfSense + AP setup?
-
@Sherwatt said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
I did not clone the router's MAC. Maybe I will give it a try later, I just don't know why would I need that.
I checked and the public IP is not in the CG-NAT range (not in 100.64.0.0/10).
My thinking about cloning here is if there is anything on the ISP side, the modem/router or their gateway, that is interfering, cloning your ASUS MAC might solve it. Since you know that router worked...
Btw, what ISP and what modem is it?
@Sherwatt said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
EDIT: I spoke too soon. After removing this test rule and removing the States from pfSense and even rebooting my PC, the UDP port 443 still succeeds. Maybe something else is causing it to succeed and not my tinkering in the firewall. :/
Hmm, I'm thinking that this is likely due to the "connectionless" nature of UDP, not expecting any handshake. So perhaps a false positive. I get the same result as you, closing that port off and running the test with netcat and UDP. Testing with portchecker.co works though. So in this case (443) I suppose only TCP should be tested.
And just double check that you selected both TCP/UDP for that rule, and clicked Apply after saving? You also need to wait a short moment for rules to reload...
Another, better way of testing would be to use a VPN, to make sure you are really testing from the internet.
But I just realized another setting, under System > Advanced > Firewall & NAT. What have you set at NAT Reflection mode for port forwards and Enable automatic outbound NAT for Reflection?
I have Pure NAT and the tick box activated for Automatic creation of outbound rules.
Also, even though GTA takes a lot of time to load, that information about Strict, Moderate or Open NAT is really what you are looking for. The reporting from Elite will probably not help you much in this case. Unless it has that info somewhere else?
In fact you could test it by going back to Automatic Outbound rules instead, so you no longer have Static ports. To see if Elite changes from Port Restricted, and if checkmynat.com also gives a different result. It should now say Symmetric NAT, and having UPnP should still allow for Open NAT in your games...
Here's how it looks for me, https://www.checkmynat.com:
And the system menu in a CoD game:
Also, did you try disabling windows defender during testing?
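The UDP false positive discussed above (nc -zvu reporting "succeeded" on port 443 even after the forward was removed) can be reproduced without touching the WAN. The following is an added example, not code from the thread or from netcat; it runs the same two checks against 127.0.0.1 so it works offline, and the helper names (`tcp_port_open`, `udp_probe`, `run_demo`) are my own.

```python
"""Why a UDP 'port check' can report success on a port nothing listens on.

Added example, not from the thread. A TCP connect() needs a completed
handshake, so a closed port fails cleanly. A UDP send() returns success as
soon as the datagram leaves the socket; the only evidence of a closed port is
an ICMP port-unreachable surfacing on a later receive, and a firewall on the
path normally drops that ICMP, so the probe just times out. Only a reply from
the actual service proves a UDP port is reachable. Everything here runs on
127.0.0.1 with constructed traffic.
"""
import socket
import threading

HOST = "127.0.0.1"


def tcp_port_open(host, port, timeout=1.0):
    """True only if the TCP handshake completes, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_probe(host, port, timeout=1.0):
    """Return (send_succeeded, outcome). outcome is 'reply', 'refused' or 'timeout'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))          # so an ICMP error can be reported on this socket
        sent = s.send(b"probe") == 5     # always 'succeeds': no handshake involved
        try:
            s.recv(1024)
            outcome = "reply"            # the service answered: the only real proof
        except ConnectionRefusedError:
            outcome = "refused"          # ICMP unreachable got back to us (locally it does)
        except socket.timeout:
            outcome = "timeout"          # what you see through a firewall: no evidence at all
        return sent, outcome


def free_port():
    """Ask the kernel for a currently unused local port (nothing listens on it)."""
    with socket.socket() as s:
        s.bind((HOST, 0))
        return s.getsockname()[1]


def start_udp_echo(port):
    """Bind a UDP echo service on port and answer one datagram in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((HOST, port))
    srv.settimeout(2.0)

    def run():
        try:
            data, peer = srv.recvfrom(1024)
            srv.sendto(data, peer)
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=run, daemon=True).start()


def run_demo():
    """Probe one port closed, then with a TCP listener, then with a UDP echo service."""
    port = free_port()
    results = {
        "closed_tcp": tcp_port_open(HOST, port),   # False
        "closed_udp": udp_probe(HOST, port),       # (True, 'refused' or 'timeout'): sent 'ok' anyway
    }
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((HOST, port))
    listener.listen(1)
    results["open_tcp"] = tcp_port_open(HOST, port)   # True: handshake completed
    listener.close()
    start_udp_echo(port)
    results["open_udp"] = udp_probe(HOST, port)       # (True, 'reply'): service answered
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The closed-port UDP probe reports the send as successful either way; whether you then see "refused" or "timeout" depends only on whether the ICMP error makes it back, which is exactly why the test against the public IP kept "succeeding" after the forward was gone. For a UDP service, test by eliciting a reply from the service itself (or, as suggested above, test a TCP port or use a VPN).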
-
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
Btw, what ISP and what modem is it?
It is now called One, previously DIGI in Hungary. This is PPPoE connection and the ISP modem is a Huawei OptiXstar with fiber connection.
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
And just double check that you selected both TCP/UDP for that rule, and clicked Apply after saving? You also need to wait a short moment for rules to reload...
Yes, I did, and before testing I released and renewed the PC's IP config.
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
But I just realized another setting, under System > Advanced > Firewall & NAT. What have you set at NAT Reflection mode for port forwards and Enable automatic outbound NAT for Reflection?
I have Pure NAT and the tick box activated for Automatic creation of outbound rules.
Yeah, I already played with these without success. Most online forums I read don't mention this part and since these are disabled by default, I assume I wouldn't need to touch these. For now I left them disabled, also because of what you said next and what I did:
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
Also, even though GTA takes a lot of time to load, that information about Strict, Moderate or Open NAT is really what you are looking for. The reporting from Elite will probably not help you much in this case. Unless it has that info somewhere else?
In fact you could test it by going back to Automatic Outbound rules instead, so you no longer have Static ports. To see if Elite changes from Port Restricted, and if checkmynat.com also gives a different result. It should now say Symmetric NAT, and having UPnP should still allow for Open NAT in your games...
I just tested this and you are right. When I change pfSense from Hybrid to Automatic, I do get Symmetric as a result in the Check My NAT, but Elite still reports as restricted and still reports UPnP as ON. Then I did a quick google search and it turns out you can check your NAT type in GTA: just open the Home menu and by clicking on the gear icon you will be able to see Network information. It said Moderate, which is great news, as it is not Strict anymore. :) And since I never checked this before pfSense, maybe I was using it with Moderate all these years and it was fine, and I really don't need Open.
I could also see an entry related to GTA appear in the Status > UPnP page, so UPnP definitely works now, I think. :)
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
Also, did you try disabling windows defender during testing?
I did try that once, but didn't like it, because I never had to disable it and I am sure I will not tolerate Windows constantly reminding me to turn it on, so after a quick test I turned it back on.
Thanks for all your insights and advice on this topic @Gblenn, I appreciate your time very much. I owe you a few beers. :) I will stop testing this now and just will go ahead and start rebuilding my home lab, hopefully everything will work.
Cheers!
-
@Sherwatt said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
Most online forums I read don't mention this part and since these are disabled by default, I assume I wouldn't need to touch these. For now I left them disabled, also because of what you said next and what I did:
If you are hosting a separate server of some sort, like TeamSpeak, Minecraft or perhaps NextCloud, you probably want to use your public IP to access it, for simplicity and consistency. Applying those settings will let pfsense accept the external IP and translate it back to the correct LAN IP based on your port forwards that you have for the server.
So not needed in this scenario...
@Sherwatt said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
It said Moderate, which is great news, as it is not Strict anymore. :) And since I never checked this before pfSense, maybe I was using it with Moderate all these years and it was fine, and I really don't need Open.
I could also see an entry related to GTA appear in the Status > UPnP page, so UPnP definitely works now, I think. :)
Well that is really good, since Moderate will give you more flexibility than Strict ever does. But I would actually have expected Open NAT since you are running UPnP. And all your settings seem correct...
Also as I think I mentioned earlier, setting Outbound NAT to Hybrid mode and Static Ports for your gaming PC's, will likely speed up the startup of some games. At least I have noticed a slight improvement with CoD for example.
-
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
If you are hosting a separate server of some sort, like TeamSpeak, Minecraft or perhaps NextCloud, you probably want to use your public IP to access it, for simplicity and consistency. Applying those settings will let pfsense accept the external IP and translate it back to the correct LAN IP based on your port forwards that you have for the server.
I did run a few services that relied on port forwarding with the previous setup and I want to rebuild them, so fingers crossed that I already have all the knowledge I need to make them work.
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
But I would actually have expected Open NAT since you are running UPnP. And all your settings seem correct...
Oh, no, don't say that and send me back to troubleshooting hell! Moderate is probably enough... :) I hope.
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
Also as I think I mentioned earlier, setting Outbound NAT to Hybrid mode and Static Ports for your gaming PC's, will likely speed up the startup of some games. At least I have noticed a slight improvement with CoD for example.
Yes, and it is set to Hybrid now and I do have the two gaming PCs mapped in this outbound NAT mode with static IPs. I didn't really have time to play games in the past few days partly due to this issue, but soon I will see how they behave.
-
@Sherwatt said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
did run a few services that relied on port forwarding with the previous setup and I want to rebuild them
In that case, you will likely want to turn those things on in the Advanced > Firewall & NAT settings anyway.
Oh, no, don't say that and send me back to troubleshooting hell! Moderate is probably enough... :) I hope.
Haha, no I think you will be fine. The only situation I know when Moderate is not good enough, is if your friends have Strict NAT and you want to play together. Strict will only be able to connect to those with Open NAT.
Yes, and it is set to Hybrid now and I do have the two gaming PCs mapped in this outbound NAT mode with static IPs. I didn't really have time to play games in the past few days partly due to this issue, but soon I will see how they behave.
Aha, so two PCs playing the same game? In that case, it might be so that you can only get Open NAT on one and Moderate on the other. I have a vague memory of that being discussed in some of the older threads about UPnP...
-
@Gblenn said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
Aha, so two PC's playing the same game?
No, we play different games, so this shouldn't be a problem. :)
-
@Sherwatt said in Unable to do Open NAT in pfSense 2.7.2-RELEASE:
No, we play different games, so this shouldn't be a problem. :)
Unless they require the same port... Which for example many Activision games do, like the Demonware port 3074. But then again, they usually have the ability to select alternative ports as well. So with UPnP they should be able to retry another if the first one is already in use.