NAT Issues when playing games on two computers

DaddyGo

We have some private network that is under our supervision and PS4, XBox One PC gamer hardware also works without problems behind pfSense NGFW, everything is just a matter of configuration :-)

may this help:

SteveITS

But do you have two of each of those devices?

DaddyGo

Yes of course :-)
Each device has a fixed (non-dhcp) address and is turned on plus:

and works without a problem, with any number and any gamer machine (PC, PS4, XBox)
LAN95 is a separate interface reserved only for gaming machines!

DaddyGo

It’s worth separating, because NAT-PMP and UPnP aren’t a beloved thing on firewalls, am I right? :-)

dmd1234498

@DaddyGo So if you don't mind, could you walk me through what to do? I'm afraid I am a little.novice as far as networking is concerned.

DaddyGo

then let's see:

First, create an independent interface for the game machines.
This can be a physical interface, if you have an empty port on your hardware (NIC), or it can be a separate VLAN (on LAN interface)

Second step, set a fixed IP address on the game machines or you can use dhcp too, if you record the IP addresses of the machines in the dhcp server "static mapping" - in this case run dhcp server on the interface which you created in the first step

third step: add the default NAT rule of the interface (game interface), so that the interface has an internet connection, so:

fourth step: create a hybrid outbound NAT mapping containing the IPs of the gaming machines (with / 32 subnets (no / 24!)), so:

step five: turn on UPnP & NAT-PMP for the game interface ONLY to separate game machines from other vulnerable network components

when you start a game machine (on this separated game interface) you can check the open ports in the menu: Status / UPnP & NAT-PMP

As I mentioned on a firewall, UPnP & NAT-PMP is not a really good thing, so you need to separate this intarface.
if you have any questions, I am at your disposal

dmd1234498

@DaddyGo Firstly, thank you for walking me through this, I appreciate your time and recognize its value.

So your guide differs from the one I followed only by adding a static port per-device instead of creating an alias and assigning a static port to it and by allowing UPnP to the entire "Gaming LAN" instead of doing default deny and entering the alias in the "ACL Entries" field. I only have two LANs, one for me and my wife and one for my parent that lives with us. I have three gaming desktops on my LAN (LAN1). I would like to have UPnP work for my two desktops, but not the third. It was my understanding that doing default deny and entering the alias containing the two desktops on which I wish to use UPnP into the "ACL Entries" field would accomplish this. Is this not true?

DaddyGo

Yes, I’ve run into a lot of obstacles, because of the games (PS4, XBox, etc) in the past, so I think this path of experience is appropriate.

Because of these dangers (NGFW / UPnP & NAT-PMP), so without UPnP & NAT-PMP it would be a serious job to configure everything, I would further segment the network, if you needed to customize the game locations separately.
Different game vendors, programmers - they use different ports (once for different purposes), so without UPnP & NAT-PMP it would be a serious job to configure everything.

dmd1234498

@DaddyGo I already did what you instructed over Teamviewer (@work at the moment), so I will check to see what the result is when I get home tonight. Are you suggesting doing a VLAN with just open access to UPnP for the gaming machines and a separate VLAN for the devices I wish to protect? To be honest I really only game on these computers and I am not terribly worried about security. My work stuff stays at work for the most part. This is more just me trying to learn a bit more about networks as I am traditionally a hardware/client-side technician. Also my old Nighthawk was garbage compared to PFsense when it came to download speeds!

DaddyGo

That's exactly it, so remember in today's world, you will be best surprised, if you experience an attack at home.
You always have to be prepared, it’s no longer a joke, so there’s pfSense must be used properly.

We are now past an SSH attack from 800 to 1000 IPs, it was because the networks are interconnected.
Home to corporate / corporate to home

DaddyGo

if I can help you with anything, you know where to find me

in case I helped you and you feel this, send one to me this

dmd1234498

So it is still doing the same thing. I can actually go through the steps and track it back to when the problem starts. It's as soon as I switch to Hybrid NAT and set the mappings. Maybe I am doing that wrong?

dmd1234498

Here is a screen shot of my desktop (192.168.1.5) successfully connecting to online services while my wife's desktop (192.168.1.6) is unable to connect.

DaddyGo

Hi,

This seems very strange, because it seems like a good setting.
Well, then now comes the golden question ??? hihihihi

What games are these, on what hardware?
Afterwards, we need to read the game descriptions and cummunity experiences.
For a long time, I had similar problems in an acquaintance’s system with the following Dead by Daylight (these are individual cases).
Inside, it puts all game requests on the same port, hmmmm??? (as if it were just one game)
I think games cause this incompatible behavior, what exactly do you experience?

please add this

dmd1234498

I am only experiencing this on Modern Warfare 2019, though I haven't checked other games yet. That will be my next step. I will get this information to you as soon as I am out of work!

DaddyGo

This question is very interesting, as you will have time and you want to continue and then write down what you have come up with.
I’ll read a little bit about Modern Warfare in the meantime, maybe I will find out something that can cause such a problem.

BTW, are we talking about two PCs or MACs? These are not consoles?

dmd1234498

These are two Windows 10 desktops. Maybe it has something to do with anti-cheat seeing something weird on the network? Their anti-cheat is really strict. I don't get a "cannot connect" error, rather a "You've been disconnected" error.

DaddyGo

@dmd1234498 said in NAT Issues when playing games on two computers:

anti-cheat seeing

Does this happen, if you run the same game in a similar environment (win10) on the same network?
So what you say makes full sense: "anti-cheat seeing"
Have you tried to find out about this from the game manufacturer or publisher?

DaddyGo

I'm still thinking of a solution, but it's likely that the game server is monitoring your public IP as well, because it's a pattern for old LAN games.

dmd1234498

That would really suck because I can't have UPnP going if it's going to screw with that title. It's the only one we play to be honest. You're saying they may be monitoring the WAN instead of the LAN? Forgive my ignorance, I am winging it here lol