Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT

food007

@Marc05,
I have performed a test per your previously listed specifications.

Here is my testing scenario:

Devices:
- Firewall: Netgate SG-3100 on 2.5.0-DEVELOPMENT (built on Thu Nov 12 12:57:50 EST 2020) - 192.168.1.1
- Consoles: 1x PS4, 1x PS4 Pro - 192.168.1.2/31 respectively
- Test game: Tony Hawk's Pro Skater 1+2 (uses same ports as EA COD games)
- admin pc - 192.168.1.106

First, I reset the device to factory defaults, then followed your instructions to the letter, with the additional pre-work steps as follows:

Uncheck DHCPv6 Server for LAN interface and set IPv6 Configuration Type on the LAN interface to None
(i.e. steps to disable IPv6 on LAN interface)
Create static DHCP reservations for two consoles
Create an alias containing both of the consoles' IPs

My UPnP ACL is allow 0-65535 192.168.1.2/31 0-65535.

--
I unplugged the consoles from power to make sure they were completely off. Next, I rebooted the SG-3100. After pfSense fully booted, I plugged the consoles back in to power and started them up. Answers to your questions are below:

Test

Does it work? No - One console can connect and play fine, but the other can not start game sessions or join lobbies
What is the output of (Diagnostics / Command Prompt): pfSsh.php playback pfanchordrill

ipsec rules/nat contents:

miniupnpd rules/nat contents:
nat quick on mvneta2 inet proto udp from 192.168.1.3 port = 9308 to any keep state label "192.168.1.3:9308 to 9308 (UDP)" rtable 0 -> 68.186.83.135 port 9308
nat quick on mvneta2 inet proto udp from 192.168.1.3 port = 9306 to any keep state label "192.168.1.3:9306 to 9306 (UDP)" rtable 0 -> 68.186.83.135 port 9306
nat quick on mvneta2 inet proto udp from 192.168.1.2 port = 7777 to any keep state label "DemonwarePortMapping" rtable 0 -> 68.186.83.135 port 7777
nat quick on mvneta2 inet proto udp from 192.168.1.3 port = 7777 to any keep state label "DemonwarePortMapping" rtable 0 -> 68.186.83.135 port 7898
nat quick on mvneta2 inet proto udp from 192.168.1.2 port = 3478 to any keep state label "DemonwarePortMapping" rtable 0 -> 68.186.83.135 port 3478
rdr pass quick on mvneta2 inet proto udp from any to any port = 9308 keep state label "192.168.1.3:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.3 port 9308
rdr pass quick on mvneta2 inet proto udp from any to any port = 9306 keep state label "192.168.1.3:9306 to 9306 (UDP)" rtable 0 -> 192.168.1.3 port 9306
rdr pass quick on mvneta2 inet proto udp from any to any port = 7777 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.2 port 7777
rdr pass quick on mvneta2 inet proto udp from any to any port = 7898 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.3 port 7777
rdr pass quick on mvneta2 inet proto udp from any to any port = 3478 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.2 port 3478

natearly rules/nat contents:

natrules rules/nat contents:

openvpn rules/nat contents:

tftp-proxy rules/nat contents:

userrules rules/nat contents:

Output of miniupnpd --version is

miniupnpd 2.2.0-RC1 Nov 11 2020
using pf backend

Additionally, I would like to note that when running the "Test Internet Connection" program from the PS4 Settings menu, one console comes back with a "NAT Type" of "Type 2", while the other comes back with a "NAT Type" of "Failed".

It was mentioned earlier in this thread that this is somewhat of a niche problem with not enough testers with sufficient hardware. I am more than willing to test this out on the testing environment listed above.
I believe this is a bigger deal than just a niche problem, especially seeing how COTS routers from major brands can handle this situation out of the box, and how long this issue has been open.

If there is any information I can provide that would make my testing more useful, please let me know.

w26

trunix

@food007 Maybe try two separate ACL entries, the first "allow 0-65535 192.168.1.2 0-65535" and the second "allow 0-65535 192.168.1.3 0-65535" if .2 and .3 are the addresses of your PS4s.

food007

@trunix , sure. I can try that. I will change the setting, test, and report back.

I don't think it should change anything though, as even the helper text above the ACL Entries field uses CIDR notation for its example. (see highlighted text in pic... screenshot from 2.4.5, but I believe the helper text is the same in 2.5.0 as well)

aniel

@food007 where u able to test it out ?

food007

@aniel Yes, I tested specifying each address individually... no difference.

aniel

@food007 do u think this will get fixed with the release of 2.5.5 ?

vMAC

@aniel I wouldn't bet on it. Unfortunately I tried to help on this in the spring of last year. Still not working reliably.

food007

@aniel I'm with @vMAC . I don't see this being fixed anytime soon. I ended up just DMZ'ing off my consoles and liberally opening ports, because this simply doesn't work at the time of this writing (on 2.4.5 or 2.5_development).

aniel

@food007 that is to bad :(

chrcoluk

Guys

An update

So I added an xbox series S to my network, forwarded the xbox ports and noticed nat was down, and it was reporting errors with testudo network.

Did a bit of research and it turns out microsoft now use ipv6 for their multiplayer, and if native ipv6 is not detected it will use testudo, now I never figured out why testudo wouldnt work, something somewhere seemed to be blocking it.

But as soon as I put it on my main VLAN which has working ipv6, it all works fine. With native ipv6 it will have its own routable ip so all solved.

food007

@chrcoluk thanks for the update. Glad to hear it's working for you.
I'm not using IPv6 in my networks behind my WAN link, so UPnP being broken is still a blocker on this issue for me. :(

w26

theprestigepacketfilter

@food007 agreed, feels like a workaround as opposed to a solution.

chrcoluk

Well i am looking into this again, trying to play UNO on steam.

Ubisoft in their wisdom decided to use the same port as xbox (port 3074), I see connection attempts adhoc in the firewall.

I have no experience with upnp at all, so its a learning crunch to try and understand how it is supposed to work, supposed to be configured etc, but all I know at the moment is that players cannot connect to me when I host a game but I can connect to others when they are host.

As usual the game vendors documentation is awful, so left trying to figure this out. If I get any success I will report back here.

aniel

@chrcoluk they will fixed by verison 2.5.next

chrcoluk

I think the issue here is none of the developers have gaming consoles so no testing is getting done by those who can change the code.

aniel

@chrcoluk i agree i just don’t understand why they can put more resources and interest into fixing this, in the meanwhile i will keep playing with open nat and my brother with strict nat on warzone.

chrcoluk

Bunch of these

Feb 25 03:02:15 miniupnpd 33263 PCPSendUnsolicitedAnnounce(sockets[0]) sendto(): No route to host
Feb 25 03:02:15 miniupnpd 33263 SendNATPMPPublicAddressChangeNotification: sendto(s_udp=18, port=5351): No route to host
Feb 25 03:02:12 miniupnpd 33263 PCPSendUnsolicitedAnnounce() IPv6 sendto(): No route to host
Feb 25 03:02:12 miniupnpd 33263 PCPSendUnsolicitedAnnounce(sockets[0]) sendto(): No route to host
Feb 25 03:02:12 miniupnpd 33263 SendNATPMPPublicAddressChangeNotification: sendto(s_udp=18, port=5351): No route to host
Feb 25 03:02:11 miniupnpd 33263 PCPSendUnsolicitedAnnounce() IPv6 sendto(): No route to host
Feb 25 03:02:11 miniupnpd 33263 PCPSendUnsolicitedAnnounce(sockets[0]) sendto(): No route to host
Feb 25 03:02:11 miniupnpd 33263 SendNATPMPPublicAddressChangeNotification: sendto(s_udp=18, port=5351): No route to host
Feb 25 03:02:11 miniupnpd 33263 PCPSendUnsolicitedAnnounce() IPv6 sendto(): No route to host
Feb 25 03:02:11 miniupnpd 33263 PCPSendUnsolicitedAnnounce(sockets[0]) sendto(): No route to host
Feb 25 03:02:11 miniupnpd 33263 SendNATPMPPublicAddressChangeNotification: sendto(s_udp=18, port=5351): No route to host
Feb 25 03:02:11 miniupnpd 33263 PCPSendUnsolicitedAnnounce() IPv6 sendto(): No route to host
Feb 25 03:02:11 miniupnpd 33263 PCPSendUnsolicitedAnnounce(sockets[0]) sendto(): No route to host
Feb 25 03:02:11 miniupnpd 33263 SendNATPMPPublicAddressChangeNotification: sendto(s_udp=18, port=5351): No route to host

At same time in firewall log, the block RFC1918 on WAN is blocking those packets, destination ip 224.0.0.1. Source ip/port is pfsense ip and port miniupnpd listens on. This is starting to get interesting.

chrcoluk

After allowing the traffic that pfsense was blocking (created easyrule for it), its working on my xbox.

Some info here, as this was worked on for pfsense 2.5.

https://redmine.pfsense.org/issues/7727

I am still trying to get it working with windows as a upnp host which is proving more difficult, but that may be a windows issue rather than pfsense.

aniel

@chrcoluk said in Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT:

https://redmine.pfsense.org/issues/7727

yep me and my brother are on pc, we can't both have open not

chrcoluk

@aniel

Is very frustrating, the consoles have a test feature which allows debugging.

I cannot find a way in windows to simply diagnose and test upnp.

How are you even getting one peron on open nat on the pc, how are you testing it?

--edit--

Tired after a few hours of uno, but I fixed it had 2 devices using same port using upnp at same time, which I believe was the reason for this thread?

I will need to collate everything together I did and compile it into a report for the devs to look into.