pfSense multiple PCs, open NAT: a solution, and a grievance



  • If you're like me, you bought an SG-3100 because your Spectrum "1000/30" cable internet is a joke, you were tired of buggy implementations of DD-WRT in crappy routers, and you wanted the best hardware and software at the router level possible.

    Well, the reality is that the SG-3100 hardware is probably very good, but pfSense flat out doesn't work well with common gaming scenarios -- things that consumer routers handle without any configuration.

    My out-of-the-box experience with the SG-3100 was trying to figure out why two PCs on my network couldn't play CoD MW at the same time. And I mean that literally: one could launch the game and connect to game services, while the other couldn't get past launching the game.

    After googling things like "pfsense open nat", "pfsense multiple PCs call of duty", etc., I found out this has been an ongoing issue for 3 years, with dozens and dozens of Reddit threads, threads on this forum, YouTube videos, all with conflicting information and solutions that didn't work for me.

    I managed to find a Reddit user who had claimed to solve this issue within the last 3 months. I messaged him and thankfully his suggestions worked. I now have one client that is able to play with an "Open" NAT, and one with a "Moderate" NAT (as reported by CoD MW).

    Here is what my settings look like (with UPnP enabled, unchecked Default Deny and no ACL entries, and Pure NAT/NAT Reflection enabled):

    I have two machines: .102 and .103. In the Outbound NAT rules, one machine's NAT port is set to 3075.


    In the Port Forward section, 3074 is marked for NAT port 3074.

    Truthfully, I have no idea why this works, or if the Port Forward entry is necessary, but it worked for my environment.

    I found more information about this issue here: https://redmine.pfsense.org/issues/7727 and here: https://github.com/miniupnp/miniupnp/issues/413

    Kind of surprising pfSense doesn't pay more attention to gaming uses of their product. You would think that gaming is the ultimate demonstration of pfSense's capabilities with regard to low-bandwidth packet bursts. But instead, some scuffed implementation of masquerade makes things like port forwarding a nightmare.



  • Hello,

    I agree with you!
    I tested pfSense and OPNsense (fork) and got the same result for gaming.

    I found the same workaround as you (https://forum.netgate.com/topic/144291/howto-multiples-xbox-play-together-without-upnp-dmz/2): 1 device with static port, the other with NOT static port.

    If I check static NAT for the 2 Xbox Ones, it appears as open NAT in the Xbox One interface, but they can't play together.

    I will stop using pfSense/OPNsense because of this.

    Thank you for your post
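
An added example, not part of either post and not pfSense code: a simplified model of outbound source-port translation on a single WAN address, comparing the setups both posts describe (static port on both machines, static port on one with the other moved to 3075) against default randomized ports. The class and function names, the choice of .103 as the machine given NAT port 3075, and the 203.0.113.10 server address are assumptions made for illustration.

```python
import random

class OutboundNat:
    """Toy model of source-port translation on one WAN address (constructed)."""

    def __init__(self, rules, seed=0):
        # rules: LAN host -> "static" (keep source port), an int (fixed NAT port),
        # or absent (default behaviour: pick a random high port).
        self.rules = rules
        self.states = {}  # (wan_port, remote) -> (lan_host, lan_port)
        self.rng = random.Random(seed)

    def _wan_port(self, host, lan_port):
        rule = self.rules.get(host)
        if rule == "static":
            return lan_port
        if isinstance(rule, int):
            return rule
        return self.rng.randint(49152, 65535)

    def connect(self, host, lan_port, remote):
        """Return the WAN source port used, or None if the mapping collides."""
        wan_port = self._wan_port(host, lan_port)
        key = (wan_port, remote)
        owner = self.states.get(key)
        if owner is not None and owner != (host, lan_port):
            # Replies to this WAN port from this remote could belong to either
            # LAN host, so the second mapping cannot be created.
            return None
        self.states[key] = (host, lan_port)
        return wan_port


def simulate(rules):
    """Both PCs send from UDP 3074 to the same (constructed) game server."""
    nat = OutboundNat(rules)
    server = ("203.0.113.10", 3074)  # documentation-range placeholder address
    return [nat.connect(host, 3074, server) for host in (".102", ".103")]


both_static = simulate({".102": "static", ".103": "static"})  # second PC collides
thread_setup = simulate({".102": "static", ".103": 3075})     # distinct WAN ports
default_nat = simulate({})                                    # neither keeps 3074

if __name__ == "__main__":
    print("both static :", both_static)
    print("thread setup:", thread_setup)
    print("default NAT :", default_nat)
```

In this model only the setup from the thread gives each machine a predictable, distinct WAN port; whether the game then reports "Open" or "Moderate" depends on the game's own checks, which the model does not cover.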

