PfSense in DMZ, 1 Public IP, Multiple PS4/PlayStation 4 Strict NAT, UPnP Enabled



  • Dear Community,

    Step by step I came closer to taming the monster PS4. Unfortunately, I've been stuck at the last step. The TL;DR is that I cannot get multiple PlayStation 4s to get a NAT Type 2 using the same public IP and using UPnP. Perhaps this is not even possible, so I hoped to get some experiences from fellow pfSense users.

    Let me first briefly describe my network set-up:

    ISP ---- ISP Router (DMZ) ---> pfSense ---- VLAN X ---- PlayStation 1/2/3/4

    So there is a router from the ISP, and a router for the network. The pfSense router is set as DMZ from the ISP router.
    All gaming consoles are in a separate VLAN, but this should not really matter.

    The configuration:
    Services -> UPnP

    • Enabled
    • Allow UPnP Port Mapping Enabled
    • Allow NAT-PMP Port Mapping Enabled
    • External Interface WAN
    • Interfaces (VLAN X selected)
    • Override WAN address: WAN address of ISP router
    • Default Deny Enabled
    • ACL Entries: lines of:
      allow 1024-65535 172.20.6.x/32 1024-65535

    Something Works! :)
    If I check one PS4 console and test its network settings, it'll say "NAT Type 2". In the UPnP & NAT-PMP status table I'll see:
    Port / Protocol / Internal IP / Int Port / Description
    9308 udp 172.20.6.x 9308 172.20.6.55:9308 to 9308 (UDP)

    So far so good.

    The Problem:
    As soon as I try to use the second, third, or any further PS4 console and run the same test, it'll show NAT Type 3. When I briefly disconnect the first PS4 and retest, the first-connected console will have a Type of 2, and a corresponding rule in the UPnP status table.

    As such it appears that the entries get overridden and I can only use one console at a time for these online services.

    Is this a common problem? Are there ways around this issue without needing to have multiple IPs? I'm specifically talking about the NAT Type issue; it is not a problem to let multiple consoles onto the internet at the same time.


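Added example, not part of the original post and not pfSense or miniupnpd code: a small Python model of the set-up described above, with ACL entries in the post's format and a mapping table keyed by protocol and external port, showing why two consoles asking for external UDP port 9308 on one public address cannot both hold it. The class and function names, the second console's address 172.20.6.56, first-match ACL evaluation, and the choice to refuse rather than overwrite a conflicting request are assumptions of the model.

```python
import ipaddress

def _ports(spec):
    """'1024-65535' or a single port such as '9308' -> (low, high)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def parse_acl(line):
    """ACL entry format from the post: action, external ports, internal net, internal ports."""
    action, ext, net, inner = line.split()
    return action == "allow", _ports(ext), ipaddress.ip_network(net), _ports(inner)

class MappingTable:
    """Toy model of a port-mapping table behind one public address."""

    def __init__(self, acl_lines, default_deny=True):
        self.rules = [parse_acl(line) for line in acl_lines]
        self.default_deny = default_deny
        self.table = {}  # (protocol, external port) -> (internal IP, internal port)

    def permitted(self, ext_port, int_ip, int_port):
        ip = ipaddress.ip_address(int_ip)
        for allow, (elo, ehi), net, (ilo, ihi) in self.rules:
            if elo <= ext_port <= ehi and ip in net and ilo <= int_port <= ihi:
                return allow  # model assumption: first matching entry decides
        return not self.default_deny

    def add(self, proto, ext_port, int_ip, int_port):
        if not self.permitted(ext_port, int_ip, int_port):
            return "denied-by-acl"
        holder = self.table.get((proto, ext_port))
        if holder and holder[0] != int_ip:
            return "conflict"  # model assumption: refuse rather than overwrite
        self.table[(proto, ext_port)] = (int_ip, int_port)
        return "mapped"

def demo():
    # Constructed input: .55 appears in the post's status row, .56 is a made-up second console.
    acl = ["allow 1024-65535 172.20.6.55/32 1024-65535",
           "allow 1024-65535 172.20.6.56/32 1024-65535"]
    t = MappingTable(acl)
    return [t.add("udp", 9308, "172.20.6.55", 9308),   # first console
            t.add("udp", 9308, "172.20.6.56", 9308),   # second console, same external port
            t.add("udp", 9309, "172.20.6.56", 9308),   # same console, different external port
            t.add("udp", 9308, "172.20.6.99", 9308),   # host with no ACL entry
            t.add("tcp", 443, "172.20.6.55", 443)]     # port below the allowed range

if __name__ == "__main__":
    print(demo())
```

Whether the real daemon refuses or replaces the second request, only one internal host can hold a given protocol and external port on a single public address at a time.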