NAT Issues when playing games on two computers



  • I recently setup PFsense for the first time on an optiplex. I was able to get much better download speeds, which has been great, as well as seperate computers from each other using multiple physical LANs. One of the few issues I have ran into is my computers' NAT types while playing Modern Warfare (Battlenet/PC). The NAT type is strict. instead of forwarding the relevant ports to my desktop, I wanted to open the ports for all computers on my networks to use. I was told to setup uPnP to do this. The guide I followed had me create an allias including the IPs of the computers I wanted to open the NAT type on. I was then instructed to disable access to uPnP by default, but allow access to the allias/group I had made before. I also had to turn on NAT reflection as well as set hybrid NAT rules and tick "static port" for my group of machines, though I'm not sure what those last two steps actually did. The result is an Open NAT type for both of my computers. The only downside is that only one machine can play at a time. If a computer tries to launch MW while the other one is already connected, you will get a server disconnect error. I have tried everything I can think of, which is admittedly not much as I am new to networking. Any help you can offer me would be greatly appreciated!

    Not sure if I am allowed to link to YouTube videos, but here is a link to the walkthrough I followed: https://youtu.be/whGPRC9rQYw



  • There was a recent thread somewhere here about uPnP and multiple devices with the same game (though I don't think that was the title). I can't seem to find it but it referenced https://redmine.pfsense.org/issues/7727.



  • So from what what I am reading am I to assume that PFsense is actually unable to handle uPnP? If I can't have two computers using applications that want the same ports at the same time, what is the whole point of uPnP?



  • From what I gathered of that redmine issue and the other post the problem is that code to handle it is missing from FreeBSD and there's not much pfSense can do about it until FreeBSD adds it.



  • We have some private network that is under our supervision and PS4, XBox One PC gamer hardware also works without problems behind pfSense NGFW, everything is just a matter of configuration :-)

    may this help:

    c549271b-4f82-4ec9-ad71-ca78a2c17c69-image.png



  • But do you have two of each of those devices?



  • Yes of course :-)
    Each device has a fixed (non-dhcp) address and is turned on plus:

    1b895b24-5ab7-4baa-a9de-a6ccb721d25b-image.png

    and works without a problem, with any number and any gamer machine (PC, PS4, XBox)
    LAN95 is a separate interface reserved only for gaming machines!



  • It’s worth separating, because NAT-PMP and UPnP aren’t a beloved thing on firewalls, am I right? :-)



  • @DaddyGo So if you don't mind, could you walk me through what to do? I'm afraid I am a little.novice as far as networking is concerned. 😅



  • then let's see:

    First, create an independent interface for the game machines.
    This can be a physical interface, if you have an empty port on your hardware (NIC), or it can be a separate VLAN (on LAN interface)

    540de5ed-bbd9-4f1f-b532-edbd95f28099-image.png

    Second step, set a fixed IP address on the game machines or you can use dhcp too, if you record the IP addresses of the machines in the dhcp server "static mapping" - in this case run dhcp server on the interface which you created in the first step

    1ab72a84-5525-48f5-b987-f67a1d3d1b2d-image.png

    third step: add the default NAT rule of the interface (game interface), so that the interface has an internet connection, so:

    41204bcd-7b7e-4eb0-bcc4-b6ee384e27cf-image.png

    fourth step: create a hybrid outbound NAT mapping containing the IPs of the gaming machines (with / 32 subnets (no / 24!)), so:

    89e1927b-1a1d-4310-aece-9552938f071b-image.png

    step five: turn on UPnP & NAT-PMP for the game interface ONLY to separate game machines from other vulnerable network components

    0dcdca53-f0d4-4cbf-af36-053100fa88a4-image.png

    when you start a game machine (on this separated game interface) you can check the open ports in the menu: Status / UPnP & NAT-PMP

    b35d94a7-3e95-4eb6-87f0-ca40022b9d44-image.png

    As I mentioned on a firewall, UPnP & NAT-PMP is not a really good thing, so you need to separate this intarface.
    if you have any questions, I am at your disposal



  • @DaddyGo Firstly, thank you for walking me through this, I appreciate your time and recognize its value.

    So your guide differs from the one I followed only by adding a static port per-device instead of creating an alias and assigning a static port to it and by allowing UPnP to the entire "Gaming LAN" instead of doing default deny and entering the alias in the "ACL Entries" field. I only have two LANs, one for me and my wife and one for my parent that lives with us. I have three gaming desktops on my LAN (LAN1). I would like to have UPnP work for my two desktops, but not the third. It was my understanding that doing default deny and entering the alias containing the two desktops on which I wish to use UPnP into the "ACL Entries" field would accomplish this. Is this not true?



  • Yes, I’ve run into a lot of obstacles, because of the games (PS4, XBox, etc) in the past, so I think this path of experience is appropriate.

    Because of these dangers (NGFW / UPnP & NAT-PMP), so without UPnP & NAT-PMP it would be a serious job to configure everything, I would further segment the network, if you needed to customize the game locations separately.
    Different game vendors, programmers - they use different ports (once for different purposes), so without UPnP & NAT-PMP it would be a serious job to configure everything.



  • @DaddyGo I already did what you instructed over Teamviewer (@work at the moment), so I will check to see what the result is when I get home tonight. Are you suggesting doing a VLAN with just open access to UPnP for the gaming machines and a separate VLAN for the devices I wish to protect? To be honest I really only game on these computers and I am not terribly worried about security. My work stuff stays at work for the most part. This is more just me trying to learn a bit more about networks as I am traditionally a hardware/client-side technician. Also my old Nighthawk was garbage compared to PFsense when it came to download speeds!



  • That's exactly it, so remember in today's world, you will be best surprised, if you experience an attack at home.
    You always have to be prepared, it’s no longer a joke, so there’s pfSense must be used properly.

    We are now past an SSH attack from 800 to 1000 IPs, it was because the networks are interconnected.
    Home to corporate / corporate to home



  • if I can help you with anything, you know where to find me ☺

    in case I helped you and you feel this, send one to me this 👍



  • So it is still doing the same thing. I can actually go through the steps and track it back to when the problem starts. It's as soon as I switch to Hybrid NAT and set the mappings. Maybe I am doing that wrong?

    f20e9288-1358-4d0c-b796-7820868369fc-image.png



  • Here is a screen shot of my desktop (192.168.1.5) successfully connecting to online services while my wife's desktop (192.168.1.6) is unable to connect.
    9cc1c2e6-a74b-4b06-8dd4-33029c160a02-image.png



  • Hi,

    This seems very strange, because it seems like a good setting.
    Well, then now comes the golden question ??? hihihihi

    What games are these, on what hardware?
    Afterwards, we need to read the game descriptions and cummunity experiences.
    For a long time, I had similar problems in an acquaintance’s system with the following Dead by Daylight (these are individual cases).
    Inside, it puts all game requests on the same port, hmmmm??? (as if it were just one game)
    I think games cause this incompatible behavior, what exactly do you experience?

    please add this
    45893774-520f-4bbe-b669-b8c29f9d27eb-image.png



  • I am only experiencing this on Modern Warfare 2019, though I haven't checked other games yet. That will be my next step. I will get this information to you as soon as I am out of work!



  • This question is very interesting, as you will have time and you want to continue and then write down what you have come up with.
    I’ll read a little bit about Modern Warfare in the meantime, maybe I will find out something that can cause such a problem.

    BTW, are we talking about two PCs or MACs? These are not consoles?



  • These are two Windows 10 desktops. Maybe it has something to do with anti-cheat seeing something weird on the network? Their anti-cheat is really strict. I don't get a "cannot connect" error, rather a "You've been disconnected" error.



  • @dmd1234498 said in NAT Issues when playing games on two computers:

    anti-cheat seeing

    Does this happen, if you run the same game in a similar environment (win10) on the same network?
    So what you say makes full sense: "anti-cheat seeing"
    Have you tried to find out about this from the game manufacturer or publisher?



  • I'm still thinking of a solution, but it's likely that the game server is monitoring your public IP as well, because it's a pattern for old LAN games.



  • That would really suck because I can't have UPnP going if it's going to screw with that title. It's the only one we play to be honest. You're saying they may be monitoring the WAN instead of the LAN? Forgive my ignorance, I am winging it here lol



  • One question, both versions of the software (on the two win10 pc) paid versions?
    because it can cause problems if not ....😉

    LAN - WAN question, the game manufacturers monitor the IP address and game serial number of those logging in to the server, so entering from one address with two identical IDs is not very possible.
    Older games, in which case only the internal LAN mode was allowed and it was not possible to play them online



  • They are both paid versions of the game ☺ I wanted to look a bit more into it last night however we just got evacuated due to some local dam failures and flash flooding. I will get back to you as soon as I can actually go back home lol (assuming my PFSense box isn't under water right now).



  • I hope everything is fine with you?
    Such an "accident" is never missing.
    Pls let me know, if everything has returned to the old track



  • Hello,

    I think I am having a similar issue (at least with just 1 computer), I have a pfsense setup with 2 vlans I am using, 1 vlan is for the rest of my house and the 2nd is basically for all of my devices. I was able to open NAT for my PS4 and Xbox One without issues following instructions I have found. However (following the same steps I did for my consoles) on my Gaming PC when I go to open multiplayer in Modern Warfare it keeps saying my NAT is strict. I have not tried other games though.



  • Hi,

    As I described above, there is no better way to more open the NAT for the game.
    Many games will not work either, because there may be / are hidden telemetries in the background and they do not work behind the firewall, for example.

    Detecting and explore this is a big job and requires a managed switch (mirror port) and Whireshark.

    ++++: I can't say this enough, beware of NGFW / UPnP & NAT-PMP!!!

    this is the only way you can play, but always split your (always segment) network into a separate game VLAN





  • I had the same issue with Warzone and moved over to OpenWRT for the time being as its just a tick box for UPnP and it all works.

    I'm following the work done on MiniUPnPd which DaddyGo linked to and will be moving back over to PF once I get some downtime on the network



  • I have exactly the same problem! Is it possible to fix that?? I wanted to play some games of chance together with my best friend, but I couldn't do that because of this issue. If anyone has found a solution, please, share it here. We were already desperate, so we started gambling and placing bets on some verified sites that we have found on https://www.mt-plus.net. We actually like it very much, it's very comfortable. The most important thing is that these sites are verified, and we can be sure that it's not a scam



  • @JosephSlater007 I just stopped playing MW lol Every other game as far as I can tell works fine with uPnP. as @m0t0k0 said it sounds like an issue with the way pfsense and MW work (or don't) together. That game's netcode is garbage lol. Good ol' activision.


  • LAYER 8 Moderator

    As a non-Massive-Online-Shooter-player myself, we had no problems in the past years to get MP games to run on our gaming VLAN. uPNP is configured, static port and static dhcp mappings are set up and I've never seen a console drop below "NAT type 2" Never before seen 3 or strict. We were at one point even playing on three PS4pros at the same time and partly in the same group without a hitch. Most often then not it's lazy or buggy netcode programming of those games itself or another one hyping it being P2P enabled when that makes the most problems with many gamers behind NAT.
    Last/worst example in a long line is e.g. SnowRunner which was released with CoOp and isn't even able to connect two players in the same household (behind the same NAT IP). Developer simply shrugs it off now 2 months with "yeah we are on it, don't exactly know why and just use a VPN for one of the players". Amazing response...
    OTOH: we already played Destiny 2 or Division 2 with 3 consoles behind NAT and pfSense without a hitch. Borderlands Collection, too and even Minecraft via Crossplay, 1 using the Xbox, 2 running on PS4 and 1 joining with W10 client (and the windows client even joined from our more secure LAN network and wasn't even in the "gaming" network). So pfsense and NATPNP work for what they have to, but it's the game devs that have to step up their game and stop being lazy with things like online lobbies and netcode.



  • @DaddyGo said in NAT Issues when playing games on two computers:

    then let's see:

    First, create an independent interface for the game machines.
    This can be a physical interface, if you have an empty port on your hardware (NIC), or it can be a separate VLAN (on LAN interface)

    540de5ed-bbd9-4f1f-b532-edbd95f28099-image.png

    Second step, set a fixed IP address on the game machines or you can use dhcp too, if you record the IP addresses of the machines in the dhcp server "static mapping" - in this case run dhcp server on the interface which you created in the first step

    1ab72a84-5525-48f5-b987-f67a1d3d1b2d-image.png

    third step: add the default NAT rule of the interface (game interface), so that the interface has an internet connection, so:

    41204bcd-7b7e-4eb0-bcc4-b6ee384e27cf-image.png

    fourth step: create a hybrid outbound NAT mapping containing the IPs of the gaming machines (with / 32 subnets (no / 24!)), so:

    89e1927b-1a1d-4310-aece-9552938f071b-image.png

    step five: turn on UPnP & NAT-PMP for the game interface ONLY to separate game machines from other vulnerable network components

    0dcdca53-f0d4-4cbf-af36-053100fa88a4-image.png

    when you start a game machine (on this separated game interface) you can check the open ports in the menu: Status / UPnP & NAT-PMP

    b35d94a7-3e95-4eb6-87f0-ca40022b9d44-image.png

    As I mentioned on a firewall, UPnP & NAT-PMP is not a really good thing, so you need to separate this intarface.
    if you have any questions, I am at your disposal

    Thank you very much for these instructions. I finally got my gaming VLAN to come up with NAT Type open. 👍

    I followed the steps exactly and it was perfect except for one thing which messed me up. After the last step, I had to go to Diagnostics > States. I filtered for my Xbox static IP and then I had to Kill the states. Without doing that it kept the old states and kept showing NAT type strict.

    Just wanted to add that in since that could cause headaches for others. By the way, I'm not taking credit for discovering this, I found it in the documentation. I just knew I was missing something!
    https://docs.netgate.com/pfsense/en/latest/nat/static-port.html



  • @Raffi_ said in NAT Issues when playing games on two computers:

    I followed the steps exactly and it was perfect except for one thing which messed me up. After the last step, I had to go to Diagnostics > States. I filtered for my Xbox static IP and then I had to Kill the states. Without doing that it kept the old states and kept showing NAT type strict.

    you're absolutely right...👍
    since, I always restart (NGFW) when such a configuration change (greater extent) is made, I forgot to describe it


Log in to reply