Netgate Discussion Forum

    NAT Type 3 on PS4 - I've tried everything I can think of

    Category: Gaming
    85 Posts 25 Posters 60.9k Views
    • Napsterbater

      @bgbird03:

      @Napsterbater:

      Instead of setting Static IPs for consoles so you can make special Outbound NAT Rules, what I do is just set Outbound NAT to "Manual Outbound NAT" and change the "Auto created rule - LAN to WAN" and enable Static Port for the whole subnet. There is little reason or benefit to have random source ports anyways and this solves quite a few things, not just for consoles.

      Okay – I went into Firewall -- NAT -- Outbound and changed it to Manual Outbound NAT rule generation. I left all of the other rules alone, except the very last rule (description says Auto Created rule - LAN to WAN) and...the only thing I changed in here was under Translation I clicked the box "Static Port". Is that correct? I have "no idea" what I'm actually doing when I do this, so we'll see how it goes.

      I was able to successfully get (prior to doing this) my PS4 to grab a Type 2 NAT and 50 Mbps (my purchased bandwidth) on the internet connection test, but when I tried to play some BF4 I experienced extreme latency (lag/high ping) when playing online -- even tried different servers. I regrettably plugged my Verizon router back in and of course, everything worked perfectly. Ugh.

      Thanks for your help! We'll see if this helps with my ping.

      Port Forwarding/NAT issues DO NOT affect ping/latency.

      They only affect connectability.

      If you have Open NAT/Type 2 and you have no issue joining the game/s, and nothing complaining of NAT issues, then it is not a Port Forward issue.

      • bgbird03

        @kejianshi:

        You need to do it correctly for it to work.  Please post a pic of your outbound NAT config and also post your game consoles IP.

        Okay this is the outbound NAT config. Running the most current version of pfSense, 2.4.1. PS4 is a static IP 192.168.1.3 (.2 is my wireless access point that I have my PS4 connected to via ethernet). 192.168.1.1 of course is the gateway/LAN port on the pfSense box.

        ![Outbound NAT Config.PNG](/public/imported_attachments/1/Outbound NAT Config.PNG)

        • bgbird03

          @Napsterbater:

          @bgbird03:

          @Napsterbater:

          Instead of setting Static IPs for consoles so you can make special Outbound NAT Rules, what I do is just set Outbound NAT to "Manual Outbound NAT" and change the "Auto created rule - LAN to WAN" and enable Static Port for the whole subnet. There is little reason or benefit to have random source ports anyways and this solves quite a few things, not just for consoles.

          Okay – I went into Firewall -- NAT -- Outbound and changed it to Manual Outbound NAT rule generation. I left all of the other rules alone, except the very last rule (description says Auto Created rule - LAN to WAN) and...the only thing I changed in here was under Translation I clicked the box "Static Port". Is that correct? I have "no idea" what I'm actually doing when I do this, so we'll see how it goes.

          I was able to successfully get (prior to doing this) my PS4 to grab a Type 2 NAT and 50 Mbps (my purchased bandwidth) on the internet connection test, but when I tried to play some BF4 I experienced extreme latency (lag/high ping) when playing online -- even tried different servers. I regrettably plugged my Verizon router back in and of course, everything worked perfectly. Ugh.

          Thanks for your help! We'll see if this helps with my ping.

          Port Forwarding/NAT issues DO NOT affect ping/latency.

          They only affect connectability.

          If you have Open NAT/Type 2 and you have no issue joining the game/s, and nothing complaining of NAT issues, then it is not a Port Forward issue.

          Okay, thanks for the heads up! I posted my configs to see if I did it right I guess…even if it won't fix my PS4 latency issues. Appreciate the clarification.

          • kejianshi

            It will work fine, but I would change that source to 192.168.1.3/32

            I would also then switch it to hybrid outbound NAT.  Just in case your network changes in the future.

            • bgbird03

              @kejianshi:

              It will work fine, but I would change that source to 192.168.1.3/32

              I would also then switch it to hybrid outbound NAT.  Just in case your network changes in the future.

              So change the last rule – LAN to WAN to a Source IP of 192.168.1.3/32? What about the rest of the IPs in 192.168.1.0/24? Don't they need access to this same rule? (clearly showing my ignorance here).

              And OK -- switched to Hybrid mode. Thx.

              • kejianshi

                No.  Just the 1 device you are having problems with.

                • kejianshi

                  Clarification.  Make a rule for the 192.168.1.3/32 with a static port
                  Then below that add a rule for the 192.168.1.0/24 without static port.

                  The rules are executed in order.

                  Then if you send me a pic again, I'll let you know if it is right.  I'm sure you will get it right.

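A walk-through of the first-match rule ordering kejianshi describes (the /32 static-port rule above the /24 rule), and of why Napsterbater's alternative of one static-port rule for the whole /24 covers every host, as an added Python example; it is not pfSense code and not anything from the posters. The rule descriptions, the 1024-65535 ephemeral range and the source port 9307 are constructed for the example.

```python
"""Simplified model of the outbound NAT behaviour discussed in the thread:
rules are evaluated top to bottom, the first rule whose source network
contains the packet's source address wins, a static-port rule keeps the
original source port, and a non-static rule picks a random high port."""
import ipaddress
import random
from dataclasses import dataclass

@dataclass
class OutboundRule:
    description: str
    source: ipaddress.IPv4Network   # e.g. 192.168.1.3/32
    static_port: bool

LAN = ipaddress.ip_network("192.168.1.0/24")
PS4 = ipaddress.ip_network("192.168.1.3/32")

# kejianshi's layout: the console's /32 with static port, the LAN /24 below it.
RULES_CONSOLE_FIRST = [
    OutboundRule("PS4 static port", PS4, True),
    OutboundRule("LAN to WAN", LAN, False),
]
# Same rules in the wrong order: the /24 matches first, the /32 is never reached.
RULES_LAN_FIRST = list(reversed(RULES_CONSOLE_FIRST))
# Napsterbater's layout: one static-port rule for the whole /24.
RULES_LAN_STATIC = [OutboundRule("LAN to WAN (static port)", LAN, True)]

def match_rule(rules, src_ip):
    """Return the first rule whose source network contains src_ip, else None."""
    addr = ipaddress.ip_address(src_ip)
    for rule in rules:
        if addr in rule.source:
            return rule
    return None

def translate_source_port(rules, src_ip, src_port, rng=None):
    """Return (matched rule description, post-NAT source port).
    Static port keeps src_port; otherwise a random port in 1024-65535
    (range assumed for the example, not taken from pfSense)."""
    rule = match_rule(rules, src_ip)
    if rule is None:
        return None, None            # no outbound NAT rule applies
    if rule.static_port:
        return rule.description, src_port
    rng = rng or random.Random()
    return rule.description, rng.randrange(1024, 65536)

if __name__ == "__main__":
    for name, rules in (("console first", RULES_CONSOLE_FIRST),
                        ("LAN first", RULES_LAN_FIRST),
                        ("LAN static", RULES_LAN_STATIC)):
        print(name, translate_source_port(rules, "192.168.1.3", 9307))
```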
                  • bgbird03

                    Perfect! Did just that. Thanks.

                    • kejianshi

                      Great.  Enjoy.

                      • Napsterbater

                        @kejianshi:

                        Clarification.  Make a rule for the 192.168.1.3/32 with a static port
                        Then below that add a rule for the 192.168.1.0/24 without static port.

                        Why?

                        Make 192.168.1.0/24 static port, that way it is done for any future Consoles or P2P apps, then no need to make more rules for each new console/app/device and such, there is practically no reason not to have static port today, except to further break P2P.

                        Also, why tell the OP to switch to hybrid, then negate that with a rule covering the /24, a rule which is already in place due to hybrid?

                        • kejianshi

                          Because there is no need to make the entire /24 static.

                          Also, I can tell by the lack of mistakes that he can do this again for another device any time he likes.  He isn't lost at all.

                          I'd be really surprised if an automatic rule trumped his manual rule in hybrid mode, but if it did, I'd say that's a bug.

                          • Napsterbater

                            @kejianshi:

                            Because there is no need to make the entire /24 static.

                            There is also no (real) reason not to, and again it takes care of any future consoles/P2P apps that have issues with randomized ports.

                            @kejianshi:

                            I'd be really surprised if an automatic rule trumped his manual rule in hybrid mode, but if it did, I'd say that's a bug.

                            No I was saying YOU told him to use hybrid mode vs manual, then also told them to make a /24 rule (in addition to the /32)…  there was no point to the 2nd /24 rule since you had them do hybrid, that /24 was already made.

                            • kejianshi

                              You may be right about the last part.  Won't hurt anything, but you may be right that it isn't necessary.

                              BTW - I can't tell anyone to do anything…  Can't even make my dog sit.  haha

                              • bgbird03

                                Just as long as it isn't opening my network up to China, I'm happy. I think I'll do 192.168.1.0/24 static, and hybrid. That covers everything, right?

                                • Napsterbater

                                  @bgbird03:

                                  Just as long as it isn't opening my network up to China, I'm happy. I think I'll do 192.168.1.0/24 static, and hybrid. That covers everything, right?

                                  https://doc.pfsense.org/index.php/Static_Port

                                  That shows why they're doing it by default. But even it states those are very unlikely and not really useful attacks in today's world.

                                  It's how I have my network setup I don't use hybrid I use manual but effectively how you're doing it it doesn't exactly matter.

                                  • kejianshi

                                    You would only need the entire /24 set with static outbound if you had no idea what the IP of your PS4 was going to be or if its IP changed often.
                                    Since you have a static IP, there is no need to assign more than a /32 as static.  In other words, only the one device that needs it.

                                    Will it break anything to make the entire /24 static?  No.  But it does neutralize source port randomization for your entire network.

                                    Feel free to do whichever way sounds better and more secure to you.  I think most of the people who run this site would recommend only assigning a /32 static though.

                                    • Napsterbater

                                      @kejianshi:

                                      You would only need the entire /24 set with static outbound if you had no idea what the IP of your PS4 was going to be or if its IP changed often.
                                      Since you have a static IP, there is no need to assign more than a /32 as static.  In other words, only the one device that needs it.

                                      Will it break anything to make the entire /24 static?  No.  But it does neutralize source port randomization for your entire network.

                                      Feel free to do whichever way sounds better and more secure to you.  I think most of the people who run this site would recommend only assigning a /32 static though.

                                      "Security" through obscurity, AKA more ways for NAT (NAPT really) to break stuff/mangle traffic. Unless you are running a really old OS or DNS server/client, it breaks way more than it "secures"/helps.

                                      • kejianshi

                                        I find that disabling the firewall completely makes everything work very well.

                                        • Napsterbater

                                          @kejianshi:

                                          I find that disabling the firewall completely makes everything work very well.

                                          NAT/NAPT is not a firewall. It's a hack as is, and having it further mangle traffic/break stuff (by randomizing ports) is backwards, especially for the extremely tiny tiny "benefit" it provides if you are even being targeted by such an attack, vs the apps/services/devices (consoles/games, VoIP, P2P) it causes issues with, which in the scheme of things are still small but still much much much bigger than what it helps. Again, it's not security, it's obscurity.

                                          Nice straw man argument though.

                                          Can't wait for legacy IP and its associated NAPT and the thinking that comes with it to be gone, or at least in the minority; not going to be able to rely on that crutch with IPv6.

                                          Edit: Added "(by randomizing ports)" for clarification.

                                          • kejianshi

                                            I'd never argue with a straw man  (-;

                                            On that, I totally agree.  NAT is a huge PITA.  I'm a huge fan of IPv6.  Can't wait for IPv4 to become mostly extinct so that all these broken connection problems disappear.  I run IPv6 and it solves so many problems, particularly for servers.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.