
    Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT

    • jimp
      jimp Rebel Alliance Developer Netgate last edited by jimp

      There has been some progress by the miniupnpd project on support for pf to handle rules like the Linux "masquerade" style. This may help improve how multiple consoles behave when playing the same game, or even to allow single consoles to work without setting up static port outbound NAT rules, provided the game/client sets up UPnP entries for the ports it needs.

      We have compiled a test version of miniupnpd for pfSense 2.5.0 snapshots containing the in-development code which can be used to test if this helps in your environment. [Note: This version will not work on 2.4.5, do not attempt to use it there]

      The package to download, and instructions on how to use it, are at https://redmine.pfsense.org/issues/7727#note-43

      Please post feedback and discussion here on the forum and not on the Redmine issue.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

      • F
        Firetop last edited by Firetop

        Hey there!

        Thanks again everyone! But weirdly, it doesn't appear to be working correctly for me for some reason, as one console can still get on the game (Diablo 3) with the same configuration (Static outbound ports, UPnP ACL, NAT reflection, etc) but any other console cannot join the lobby... I noticed some IPv6 stuff in the logs, so I disabled IPv6 from the WAN interface as I don't use it anyways.

        Now I get this in the logs:

        Jun 2 06:33:11 miniupnpd 26938 no HTTP IPv6 address, disabling IPv6
        Jun 2 06:33:11 miniupnpd 26938 Listening for NAT-PMP/PCP traffic on port 5351
        Jun 2 06:33:11 miniupnpd 26938 PCPSendUnsolicitedAnnounce() IPv6 sendto(): Bad file descriptor
        Jun 2 06:40:05 miniupnpd 26938 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
        Jun 2 06:40:05 miniupnpd 26938 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
        Jun 2 06:40:05 miniupnpd 26938 Failed to get IP for interface pppoe0
        Jun 2 06:40:05 miniupnpd 26938 SendNATPMPPublicAddressChangeNotification: cannot get public IP address, stopping
        Jun 2 06:40:05 miniupnpd 26938 PCPSendUnsolicitedAnnounce() sendto(): No route to host
        Jun 2 06:40:05 miniupnpd 26938 PCPSendUnsolicitedAnnounce() IPv6 sendto(): Bad file descriptor
        Jun 2 06:40:11 miniupnpd 26938 SendNATPMPPublicAddressChangeNotification: sendto(s_udp=10, port=5351): No route to host
        Jun 2 06:40:11 miniupnpd 26938 PCPSendUnsolicitedAnnounce() sendto(): No route to host
        Jun 2 06:40:11 miniupnpd 26938 PCPSendUnsolicitedAnnounce() IPv6 sendto(): Bad file descriptor
        

        (I feel obligated to say I did restart the service and the whole pfsense install after the patch, still no luck)
        Seeing this version of miniupnpd creates the equivalent outbound NAT rule, maybe I need to disable the manual outbound NAT rules I've already got in place for this to be properly tested?

        Oh! And the following commands give no output unfortunately: "pfctl -a miniupnpd -s rules", and neither does "pfctl -a miniupnpd -s nat"....
        I also see no miniupnp rules/requests appear in the logs either under: Status > UPnP & NAT-PMP for me :(

        Any other commands I can try on SSH or the command prompt /GUI to troubleshoot this some more for you guys?
        Thanks!

        • jimp
          jimp Rebel Alliance Developer Netgate last edited by

          To make sure you're checking the right way for the rules, see what shows up in pfSsh.php playback pfanchordrill.

          Granted I don't have IPv6 on my WAN, but I am not seeing anything like those errors. It may be specific to PPPoE, though.

          • kiokoman
            kiokoman LAYER 8 last edited by

            I have PPPoE; the service starts.
            I have only this in my log.
            I don't have any console to try; I can test later with something else.

            Jun 3 17:44:00 miniupnpd 54810 Listening for NAT-PMP/PCP traffic on port 5351
            Jun 3 17:44:00 miniupnpd 54810 setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
            Jun 3 17:44:00 miniupnpd 54810 HTTP IPv6 address given to control points : [2001:470:26:5dc::1]
            Jun 3 17:44:00 miniupnpd 54810 HTTP listening on port 2189

            ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
            Please do not use chat/PM to ask for help
            we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
            Don't forget to Upvote with the 👍 button for any post you find to be helpful.

            • F
              Firetop @jimp last edited by

              @jimp said in Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT:

              pfSsh.php playback pfanchordrill

              Ahhhhh! Thank you for that command and break-down.
              I see the results now, but the contents are still blank/empty as seen below:

              miniupnpd rules/nat contents:
              

              Now I currently do have each Xbox on its own static IP and static port Outbound NAT setup. I did read in your first post that it could likely allow single consoles to work without setting up static port outbound NAT rules, but I have multiple; should I be testing this updated miniupnpd version with those static port Outbound NAT rules disabled or keep them enabled for the multiple consoles in this example?

              Capture.PNG

              I am no expert in this by any means, but do have an environment where this can be tested as much as needed.
              Simply let me know what you need, and I will provide! (logs, config files, etc) to help troubleshoot this.

              Also just to mention, I did have IPv6 on WAN, but disabled it to stop the IPv6 related errors in miniupnpd which seems to have somewhat worked as it does this now:

              miniupnpd 26938 no HTTP IPv6 address, disabling IPv6
              

              But I still get the following with IPv6 disabled on all interfaces:

              Jun 2 06:33:11 miniupnpd 26938 Listening for NAT-PMP/PCP traffic on port 5351
              Jun 2 06:33:11 miniupnpd 26938 PCPSendUnsolicitedAnnounce() IPv6 sendto(): Bad file descriptor
              Jun 2 06:40:05 miniupnpd 26938 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
              Jun 2 06:40:05 miniupnpd 26938 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
              Jun 2 06:40:05 miniupnpd 26938 Failed to get IP for interface pppoe0
              Jun 2 06:40:05 miniupnpd 26938 SendNATPMPPublicAddressChangeNotification: cannot get public IP address, stopping
              Jun 2 06:40:05 miniupnpd 26938 PCPSendUnsolicitedAnnounce() sendto(): No route to host
              

              Thanks

              • jimp
                jimp Rebel Alliance Developer Netgate last edited by

                Whether or not it helps is contingent upon the game (and/or console) managing the ports it uses with UPnP. Some do, some do not.

                • F
                  Firetop @jimp last edited by Firetop

                  @jimp

                  I was able to get everything working following this guide: https://forum.netgate.com/topic/144291/howto-multiples-xbox-play-together-without-upnp-dmz

                  I only have 2 Xboxes that usually conflict using the same games even though we have 5 in the house. I was unable to get any progress with this miniupnpd version though unfortunately.
                  This seemed to solve the issue for those 2 consoles as found here:

                  Capture.PNG

                  Capture1.PNG

                  • jimp
                    jimp Rebel Alliance Developer Netgate last edited by

                    OK, this thread is just for feedback about the test version of miniupnpd, but it's a good data point to know that it didn't help your situation. I'd expect the static method to be unchanged since this is only a change to how UPnP forms its rules. If the consoles are doing static/custom ports and not UPnP then this won't help.

                    • F
                      Firetop @jimp last edited by

                      @jimp

                      Fair enough, I am still willing to test this with other games and consoles, but the errors mentioned above seemed to cause this version of miniupnpd to shut down.
                      I did notice some extra changes in GitHub; would these make a difference if compiled for testing?

                      Thanks again Jim :)

                      • jimp
                        jimp Rebel Alliance Developer Netgate last edited by

                        Not yet, we'd have to build a new version with the new changes manually patched in like we did before. Time is short at the moment so unlikely to happen any time in the next few days.

                        • F
                          Firetop @jimp last edited by

                          @jimp

                          No worries at all Jim :) Take your time. I at least have a static config that works for the 2 conflicting consoles for now.
                          I will keep watch for any updates or requests for testing in the future.

                          • M
                            Marc05 last edited by

                            I tested this with two PS4s.

                            The network test on a PS4 is set to a constant port of 9308. Hence, running the PS4's network test on the first console gives NAT Type 2, and running the same test on the second console gives NAT Type Failed (sometimes NAT Type 3). Running the game Destiny 2, I can see ports being opened in UPnP in the GUI, with and without the patch.

                            Here is the command output without the patch:

                            [2.5.0-DEVELOPMENT][admin@gw.ruhex.net]/root: pfSsh.php playback pfanchordrill
                            
                            ipsec rules/nat contents:
                            
                            miniupnpd rules/nat contents:
                            rdr quick on igb0 inet proto udp from any to any port = 9308 keep state label "10.0.5.40:9308 to 9308 (UDP)" rtable 0 -> 10.0.5.40 port 9308 # First PS4 network test
                            rdr quick on igb0 inet proto udp from any to any port = 3074 keep state label "DemonwarePortMapping" rtable 0 -> 10.0.5.40 port 3074
                            rdr quick on igb0 inet proto udp from any to any port = 3075 keep state label "DemonwarePortMapping" rtable 0 -> 10.0.5.43 port 3075
                            rdr quick on igb0 inet proto udp from any to any port = 22389 keep state label "DemonwarePortMapping" rtable 0 -> 10.0.5.40 port 22389
                            rdr quick on igb0 inet proto udp from any to any port = 14626 keep state label "DemonwarePortMapping" rtable 0 -> 10.0.5.43 port 14626
                            pass in quick on igb0 inet proto udp from any to 10.0.5.40 port = 9308 flags S/SA keep state label "10.0.5.40:9308 to 9308 (UDP)" rtable 0
                            pass in quick on igb0 inet proto udp from any to 10.0.5.40 port = 3074 flags S/SA keep state label "DemonwarePortMapping" rtable 0
                            pass in quick on igb0 inet proto udp from any to 10.0.5.43 port = 3075 flags S/SA keep state label "DemonwarePortMapping" rtable 0
                            pass in quick on igb0 inet proto udp from any to 10.0.5.40 port = 22389 flags S/SA keep state label "DemonwarePortMapping" rtable 0
                            pass in quick on igb0 inet proto udp from any to 10.0.5.43 port = 14626 flags S/SA keep state label "DemonwarePortMapping" rtable 0
                            
                            natearly rules/nat contents:
                            
                            natrules rules/nat contents:
                            
                            openvpn rules/nat contents:
                            
                            tftp-proxy rules/nat contents:
                            
                            userrules rules/nat contents:
                            

                            Same tests/game with the patch:

                            [2.5.0-DEVELOPMENT][admin@gw.ruhex.net]/root: pfSsh.php playback pfanchordrill
                            
                            ipsec rules/nat contents:
                            
                            miniupnpd rules/nat contents:
                            nat quick on igb0 inet proto udp from 10.0.5.40 port = 9308 to any keep state label "10.0.5.40:9308 to 9308 (UDP)" rtable 0 -> x.x.x.x port 9308
                            nat quick on igb0 inet proto udp from 10.0.5.40 port = 22388 to any keep state label "DemonwarePortMapping" rtable 0 -> x.x.x.x port 22388
                            nat quick on igb0 inet proto udp from 10.0.5.43 port = 3076 to any keep state label "DemonwarePortMapping" rtable 0 -> x.x.x.x port 3076
                            nat quick on igb0 inet proto udp from 10.0.5.43 port = 14625 to any keep state label "DemonwarePortMapping" rtable 0 -> x.x.x.x port 14625
                            nat quick on igb0 inet proto udp from 10.0.5.40 port = 3075 to any keep state label "DemonwarePortMapping" rtable 0 -> x.x.x.x port 3075
                            rdr quick on igb0 inet proto udp from any to any port = 9308 keep state label "10.0.5.40:9308 to 9308 (UDP)" rtable 0 -> 10.0.5.40 port 9308
                            rdr quick on igb0 inet proto udp from any to any port = 22388 keep state label "DemonwarePortMapping" rtable 0 -> 10.0.5.40 port 22388
                            rdr quick on igb0 inet proto udp from any to any port = 3076 keep state label "DemonwarePortMapping" rtable 0 -> 10.0.5.43 port 3076
                            rdr quick on igb0 inet proto udp from any to any port = 14625 keep state label "DemonwarePortMapping" rtable 0 -> 10.0.5.43 port 14625
                            rdr quick on igb0 inet proto udp from any to any port = 3075 keep state label "DemonwarePortMapping" rtable 0 -> 10.0.5.40 port 3075
                            pass in quick on igb0 inet proto udp from any to 10.0.5.40 port = 9308 flags S/SA keep state label "10.0.5.40:9308 to 9308 (UDP)" rtable 0
                            pass in quick on igb0 inet proto udp from any to 10.0.5.40 port = 22388 flags S/SA keep state label "DemonwarePortMapping" rtable 0
                            pass in quick on igb0 inet proto udp from any to 10.0.5.43 port = 3076 flags S/SA keep state label "DemonwarePortMapping" rtable 0
                            pass in quick on igb0 inet proto udp from any to 10.0.5.43 port = 14625 flags S/SA keep state label "DemonwarePortMapping" rtable 0
                            pass in quick on igb0 inet proto udp from any to 10.0.5.40 port = 3075 flags S/SA keep state label "DemonwarePortMapping" rtable 0
                            
                            natearly rules/nat contents:
                            
                            natrules rules/nat contents:
                            
                            openvpn rules/nat contents:
                            
                            tftp-proxy rules/nat contents:
                            
                            userrules rules/nat contents:
                            

                            I'm not certain if this is an improvement given that I no longer have the game I could reproduce the issue with 100% of the time (Ghost Recon Wildlands). I do see that additional NAT rules are added however, and I'd assume that these are an improvement, though @jimp would have to say if that's true or not.

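An added example, not from the thread or from pfSense/miniupnpd: it reads `pfSsh.php playback pfanchordrill` output like the two listings above, groups the miniupnpd anchor's rules per mapping, and reports `rdr` entries that have no matching `nat` or `pass` rule. The sample text is trimmed from the posted output; the function names and finding labels are this example's own.

```python
import re
from collections import defaultdict

HEADER = re.compile(r'^(\S+) rules/nat contents:$')
NAT = re.compile(r'^nat .*? proto (\w+) from (\S+) port = (\d+) to any .*-> \S+ port (\d+)')
RDR = re.compile(r'^rdr .*? proto (\w+) from any to any port = (\d+) .*-> (\S+) port (\d+)')
PASS = re.compile(r'^pass in .*? proto (\w+) from any to (\S+) port = (\d+)')

# Trimmed from the "without the patch" listing in the post above.
BEFORE = '''
ipsec rules/nat contents:

miniupnpd rules/nat contents:
rdr quick on igb0 inet proto udp from any to any port = 9308 keep state label "10.0.5.40:9308 to 9308 (UDP)" rtable 0 -> 10.0.5.40 port 9308
rdr quick on igb0 inet proto udp from any to any port = 3075 keep state label "DemonwarePortMapping" rtable 0 -> 10.0.5.43 port 3075
pass in quick on igb0 inet proto udp from any to 10.0.5.40 port = 9308 flags S/SA keep state label "10.0.5.40:9308 to 9308 (UDP)" rtable 0
pass in quick on igb0 inet proto udp from any to 10.0.5.43 port = 3075 flags S/SA keep state label "DemonwarePortMapping" rtable 0

natearly rules/nat contents:
'''

# Trimmed from the "with the patch" listing in the post above.
AFTER = '''
miniupnpd rules/nat contents:
nat quick on igb0 inet proto udp from 10.0.5.40 port = 9308 to any keep state label "10.0.5.40:9308 to 9308 (UDP)" rtable 0 -> x.x.x.x port 9308
nat quick on igb0 inet proto udp from 10.0.5.43 port = 3076 to any keep state label "DemonwarePortMapping" rtable 0 -> x.x.x.x port 3076
rdr quick on igb0 inet proto udp from any to any port = 9308 keep state label "10.0.5.40:9308 to 9308 (UDP)" rtable 0 -> 10.0.5.40 port 9308
rdr quick on igb0 inet proto udp from any to any port = 3076 keep state label "DemonwarePortMapping" rtable 0 -> 10.0.5.43 port 3076
pass in quick on igb0 inet proto udp from any to 10.0.5.40 port = 9308 flags S/SA keep state label "10.0.5.40:9308 to 9308 (UDP)" rtable 0
pass in quick on igb0 inet proto udp from any to 10.0.5.43 port = 3076 flags S/SA keep state label "DemonwarePortMapping" rtable 0

natearly rules/nat contents:
'''


def anchor_lines(drill_output, anchor="miniupnpd"):
    """Return the rule lines listed under one anchor header."""
    lines, current = [], None
    for raw in drill_output.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            current = header.group(1)
        elif line and current == anchor:
            lines.append(line)
    return lines


def parse_mappings(lines):
    """Group rules by (proto, internal ip, internal port)."""
    maps = defaultdict(lambda: {"ext_port": None, "kinds": set()})
    for line in lines:
        if (m := NAT.match(line)):
            proto, ip, iport, eport = m.groups()
            kind = "nat"
        elif (m := RDR.match(line)):
            proto, eport, ip, iport = m.groups()
            kind = "rdr"
        elif (m := PASS.match(line)):
            proto, ip, iport = m.groups()
            eport, kind = None, "pass"
        else:
            continue  # not a rule shape this example knows
        entry = maps[(proto, ip, int(iport))]
        entry["kinds"].add(kind)
        if eport is not None:
            entry["ext_port"] = int(eport)
    return dict(maps)


def audit(drill_output):
    """List (finding, mapping) pairs for the miniupnpd anchor."""
    findings = []
    for (proto, ip, iport), entry in sorted(parse_mappings(anchor_lines(drill_output)).items()):
        where = f"{proto} {ip}:{iport}"
        if "rdr" in entry["kinds"] and "nat" not in entry["kinds"]:
            findings.append(("no-nat", where))    # inbound redirect only, as before the patch
        if "rdr" in entry["kinds"] and "pass" not in entry["kinds"]:
            findings.append(("no-pass", where))   # redirect without a pass rule
        if entry["ext_port"] is not None and entry["ext_port"] < 1024:
            findings.append(("low-port", where))  # UPnP opened a privileged external port
    return findings


def exposed_ports(drill_output):
    """Internal host -> sorted external ports that UPnP redirects to it."""
    hosts = defaultdict(set)
    for (proto, ip, iport), entry in parse_mappings(anchor_lines(drill_output)).items():
        if "rdr" in entry["kinds"]:
            hosts[ip].add(entry["ext_port"])
    return {ip: sorted(ports) for ip, ports in sorted(hosts.items())}


if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER), exposed_ports(AFTER))
```

Running `exposed_ports` on a live firewall's output also gives a quick inventory of which internal hosts currently have ports opened through UPnP.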
                            • Z
                              zman442 last edited by

                              So if I am reading this correctly through the various posts I see two issues, UPnP isn't working at all and more than one console or system attempting to play the same game or service can fail if they need to use the same port on the firewall? I just installed pfSense this weekend and immediately started running into issues with our Nintendo Switch, Amazon tablet etc.

                              Can someone smarter than myself help me understand how this works with consumer grade firewalls like eero, netgear, comcast, etc...without issue but pfSense chokes on it? This isn't a knock on pfSense by any means as the increased level of visibility and control and plethora of additional features is worth the extra steps provided they work as I am looking to invest in the 7100 model router/firewall but I am just having a hard time wrapping my head around an issue that's apparently been around for at least three years and still isn't fully functional. I have read that other routers apparently can be affected by the NAT traversal issue but on my old router I could use two Nintendo Switches on the same network and same game without NAT issues.

                              I would love to help test but with the flack I am receiving from my kids I will be forced to put back the other router for now.

                              Regards

                              • jimp
                                jimp Rebel Alliance Developer Netgate last edited by jimp

                                There are plenty of topics covering those questions already, this thread is only for testing this fix.

                                  • V
                                    vMAC last edited by

                                    So I'm willing to upgrade to 2.5.0 image to test. My only concern is if I switch to the new image will I be able to get back to a stable version without having to wait for a new version? For instance can I go to 2.5.0 and then downgrade back to 2.4.5_1?

                                    • jimp
                                      jimp Rebel Alliance Developer Netgate @vMAC last edited by

                                      @vMAC said in Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT:

                                      So I'm willing to upgrade to 2.5.0 image to test. My only concern is if I switch to the new image will I be able to get back to a stable version without having to wait for a new version? For instance can I go to 2.5.0 and then downgrade back to 2.4.5_1?

                                      There is no downgrade procedure. Take a config backup first and keep an installer handy for 2.4.5-p1. If something goes wrong on 2.5.0, reinstall 2.4.5-p1 and restore the 2.4.x backup.

                                      • jimp
                                        jimp Rebel Alliance Developer Netgate last edited by

                                        We have added the 2.2.0-RC1 version of miniupnpd to the repository for pfSense 2.5.0 and so it should be included in snapshots shortly, later today or tomorrow, for additional (and easier) testing.

                                        • A
                                          andrew_r last edited by

                                          I updated my 5100 from the web UI this morning (from the latest stable official release to the latest devel release.)

                                          I can confirm that, with the correct NAT rules, I seem to be able to get multiple consoles online successfully using UPNP. My household has 3 switches, 2 XBox Ones and 2 PS4s, and I was able to get them all connected simultaneously with suitable NAT levels and no error reports.

                                          I can provide more detailed information to @jimp if necessary.

                                          I'll be doing some more testing later today to make sure I haven't missed anything, but so far so good.

                                          Andrew

                                          • jimp
                                            jimp Rebel Alliance Developer Netgate @andrew_r last edited by

                                            That's good news!

                                            @andrew_r said in Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT:

                                            with the correct NAT rules

                                            Do you mean the correct NAT rules generated automatically by UPnP, or did you have manual rules set up for those consoles?

                                            • A
                                              andrew_r @jimp last edited by

                                              @jimp I had some manual rules set up from previous attempts, but they are fairly simple.

                                              (1) Assign each console a static IP.
                                              (2) Set up a firewall alias called UNPNP_NAT_GROUP containing those IPs.
                                              (3) Set up an outbound NAT rule as follows:
                                              Interface: WAN
                                              Address Family: IPv4 (I don't use IPv6)
                                              Protocol: any
                                              Source: Network / UNPNP_NAT_GROUP / 32 <-- not sure the 32 is right.
                                              Destination: Any
                                              Static Port: Checked
                                              Description: UNPNP NAT Static Port Rule

                                              Anything not mentioned was left as default.

                                              (4) UPNP Settings:
                                              Enable UPnP & NAT-PMP: Checked
                                              Allow UPnP Port Mapping: Checked
                                              Allow NAT-PMP Port Mapping: Checked

                                              External Interface: WAN
                                              Interfaces: LAN

                                              Log Packets: Checked.

                                              I haven't played around with the default deny option, and I have "allow 1024-65535 x.x.x.0/24 1024-65535" in the ACL field (where x.x.x is my network), although I think it might not be necessary unless I enable default deny.

                                              I'm not a firewall expert by any means, but this seems to do the trick. I'd appreciate it if you let me know if I've done something dumb here :)

                                              Andrew

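An added example, not the poster's or miniupnpd's code, that evaluates ACL entries of the form quoted in the post above (`allow|deny ext-ports ip/mask int-ports`). It assumes miniupnpd's documented behaviour that entries are checked in order, the first match decides, and a request matching no entry is accepted; 192.168.1.0/24 is a constructed stand-in for the poster's x.x.x.0/24, and a trailing catch-all deny models the "default deny" option.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    allow: bool
    ext: range                    # external (WAN-side) port range
    net: ipaddress.IPv4Network    # clients the entry applies to
    internal: range               # internal (LAN-side) port range


def _ports(spec):
    """Parse "lo-hi" or a single port into an inclusive range."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return range(lo, hi + 1)


def parse_acl(text):
    """Parse one ACL entry per line into Rule tuples, keeping their order."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action: {action}")
        rules.append(Rule(action == "allow", _ports(ext),
                          ipaddress.ip_network(net, strict=False), _ports(internal)))
    return rules


def decide(rules, client_ip, ext_port, int_port):
    """Return (decision, matching entry number or None); first match wins."""
    addr = ipaddress.ip_address(client_ip)
    for number, rule in enumerate(rules, 1):
        if ext_port in rule.ext and addr in rule.net and int_port in rule.internal:
            return ("allow" if rule.allow else "deny", number)
    return ("allow", None)  # assumption: nothing matched, accepted by default


# Constructed ACLs. ALLOW_ONLY is the post's entry with a stand-in network.
ALLOW_ONLY = "allow 1024-65535 192.168.1.0/24 1024-65535"
WITH_DENY = ALLOW_ONLY + "\ndeny 0-65535 0.0.0.0/0 0-65535"
CONSOLES_ONLY = """
allow 1024-65535 192.168.1.40/32 1024-65535
allow 1024-65535 192.168.1.43/32 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

# Constructed requests: (client ip, external port, internal port).
REQUESTS = [
    ("192.168.1.40", 3074, 3074),   # a console asking for a game port
    ("192.168.1.99", 80, 80),       # another LAN host asking for a low port
    ("192.168.1.99", 3389, 3389),   # another LAN host asking for a high port
]


def compare(acls, requests):
    """Decision of every named ACL for every request."""
    return {req: {name: decide(parse_acl(text), *req)[0] for name, text in acls.items()}
            for req in requests}


if __name__ == "__main__":
    acls = {"allow-only": ALLOW_ONLY, "with-deny": WITH_DENY, "consoles": CONSOLES_ONLY}
    for req, result in compare(acls, REQUESTS).items():
        print(req, result)
```

Under these assumptions the single allow entry on its own does not restrict anything, since the low-port request falls through to the default accept; it only takes effect once a catch-all deny follows it.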
                                              • A
                                                andrew_r last edited by

                                                @jimp
                                                By the way; I do get this on reboot:

                                                Crash report begins.  Anonymous machine information:
                                                
                                                amd64
                                                12.1-STABLE
                                                FreeBSD 12.1-STABLE 1626cb2f005(factory-devel-12) pfSense
                                                
                                                Crash report details:
                                                
                                                PHP Errors:
                                                [11-Jun-2020 13:20:35 America/New_York] PHP Warning:  Invalid argument supplied for foreach() in /etc/rc.dyndns.update on line 52
                                                
                                                
                                                
                                                No FreeBSD crash data found.
                                                
                                                • jimp
                                                  jimp Rebel Alliance Developer Netgate @andrew_r last edited by jimp

                                                  @andrew_r said in Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT:

                                                  @jimp I had some manual rules set up from previous attempts, but they are fairly simple.

                                                  Can you try with those rules disabled?

                                                  Was that working before this version of UPnP?

                                                  We are primarily interested in knowing if this fixed situations that were broken before, or allows things to work with less intervention overall.

                                                  • A
                                                    andrew_r @jimp last edited by

                                                    @jimp It was not working with the previous release. There were upnp errors in my log, and nothing showing in the upnp status area.

                                                    I'll test disabling the rules, and get back to you but, if it's any help, I forgot to add the second Xbox to the alias group at first (so the rules weren't applied to it), and that Xbox reported back that it was double-nat'ed. Similarly, I forgot with the 2nd PS4 and the third Switch, they reported NAT Type 3 (rather than 1) and NAT Type 3 (rather than 2).

                                                    Does this answer your question, or would it help for me to retest with the rules completely disabled? (I have hybrid mode set, by the way).

                                                    Andrew

                                                    • A
                                                      andrew_r @andrew_r last edited by

                                                      @jimp PS. Is the boot error I posted something to be concerned with?

                                                      • M
                                                        Marc05 last edited by

                                                        @andrew_r
                                                        Please test without any Outbound rules enabled.

                                                        Also, do you have any games of the same console that previously had issues with joining a lobby or playing together? If so, are those working now?

                                                        • A
                                                          andrew_r last edited by

                                                          @andrew_r said in Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT:

                                                          eans, but this seems to do the trick. I'd appreciate it if you let me know if I've done som

                                                          I tested Minecraft on both xboxes with and without the outbound nat rule enabled.

                                                          With; everything worked fine.
                                                          Without; the first xbox was able to connect to the realm fine, but the second hung on "loading resources" before it even got to the main menu for me to join the realm.

                                                          So, I'd say the outbound rule is necessary, at least as far as Xbox goes.

                                                          Note that each console (including PS4 and Switch) reports the NAT as strict and/or double-nat'ed without the rule.

                                                          Oh, I also had "Enable NAT Reflection for 1:1 NAT" and "Automatic create outbound NAT rules that direct traffic back out to the same subnet it originated from." turned on in the system/advanced/nat and firewall menu, if that makes a difference.

                                                          • M
                                                            Marc05 last edited by

                                                            That's weird. In my tests, I did not have the outbound rules set up and it seemed to work.

                                                            • A
                                                              andrew_r last edited by

                                                              @Marc05
                                                              That is strange.

                                                              Not sure what's going on, but for some reason in my configuration, I require the outbound rules.

                                                              It may be to do with the ATT fiber connection? I've set the ATT box to behave as passthrough directly to the 5100, but I'm not sure that's doing exactly what I hope it is (or else why would people use pfatt?). I suspect that's the cause of the double nat error, and possibly why you're seeing a different result to me.

                                                              I guess the question I have is, if you add the rule, does your configuration still work?

                                                              • A
                                                                andrew_r @andrew_r last edited by

                                                                @Marc05 By the way, this was with xbox - I didn't have anywhere near as many issues with the PS4s and the Switches.

                                                                • M
                                                                  Marc05 last edited by

                                                                  Adding the rules still keeps it working.

                                                                  • V
                                                                    vMAC last edited by

                                                                    I upgraded pfSense and then found out my son took his PS4... so I will have to wait to verify functionality tomorrow.

                                                                    • A
                                                                      andrew_r @Marc05 last edited by

                                                                      @Marc05 My guess is that they'll be necessary for XBox One. You only tested with PS4, correct?

                                                                      • V
                                                                        vMAC last edited by vMAC

                                                                        Ok when I ran the command you asked for I received the following:

                                                                        [2.5.0-DEVELOPMENT][admin@BridgesSense.localdomain]/root: pfSsh.php playback pfanchordrill
                                                                        
                                                                        ipsec rules/nat contents:
                                                                        
                                                                        miniupnpd rules/nat contents:
                                                                        nat quick on em0 inet proto udp from 192.168.1.30 port = 9308 to any keep state label "192.168.1.30:9308 to 9308 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9308
                                                                        rdr pass quick on em0 inet proto udp from any to any port = 9308 keep state label "192.168.1.30:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.30 port 9308
                                                                        
                                                                        natearly rules/nat contents:
                                                                        
                                                                        natrules rules/nat contents:
                                                                        
                                                                        openvpn rules/nat contents:
                                                                        
                                                                        tftp-proxy rules/nat contents:
                                                                        
                                                                        userrules rules/nat contents:
                                                                        [2.5.0-DEVELOPMENT][admin@BridgesSense.localdomain]/root: miniupnpd --version
                                                                        miniupnpd 2.2.0-RC1 Jun 10 2020
                                                                        using pf backend
                                                                        
                                                                        

                                                                        I tried my other PS4 (COD) and got no love.
                                                                        I then restarted the UPNP service and tried connecting on both PS4's then received the following:

                                                                        [2.5.0-DEVELOPMENT][admin@BridgesSense.localdomain]/root: pfSsh.php playback pfanchordrill
                                                                        
                                                                        ipsec rules/nat contents:
                                                                        
                                                                        miniupnpd rules/nat contents:
                                                                        nat quick on em0 inet proto udp from 192.168.1.31 port = 9308 to any keep state label "192.168.1.31:9308 to 9308 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9308
                                                                        nat quick on em0 inet proto udp from 192.168.1.31 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3074
                                                                        rdr pass quick on em0 inet proto udp from any to any port = 9308 keep state label "192.168.1.31:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.31 port 9308
                                                                        rdr pass quick on em0 inet proto udp from any to any port = 3074 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.31 port 3074
                                                                        
                                                                        natearly rules/nat contents:
                                                                        
                                                                        natrules rules/nat contents:
                                                                        
                                                                        openvpn rules/nat contents:
                                                                        
                                                                        tftp-proxy rules/nat contents:
                                                                        
                                                                        userrules rules/nat contents:
                                                                        
                                                                        

                                                                        Still not working with both PS4's online; I have to completely disconnect one to get it to work.
                                                                        Let me know what other settings or logs you might need to help diag.

                                                                        I have assigned Static IPs to both PS4s (192.168.1.30 and 192.168.1.31)

                                                                        • M
                                                                          Marc05 last edited by

                                                                          @vMAC

                                                                          Make sure you enable Pure NAT, and check "Enable automatic outbound NAT for Reflection" under System / Advanced / Firewall & NAT

                                                                          • V
                                                                            vMAC @Marc05 last edited by

                                                                            @Marc05
                                                                            After changing those settings this is what I get:

                                                                            
                                                                            [2.5.0-DEVELOPMENT][admin@BridgesSense.localdomain]/root: pfSsh.php playback pfanchordrill
                                                                            
                                                                            ipsec rules/nat contents:
                                                                            
                                                                            miniupnpd rules/nat contents:
                                                                            nat quick on em0 inet proto udp from 192.168.1.31 port = 9308 to any keep state label "192.168.1.31:9308 to 9308 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9308
                                                                            nat quick on em0 inet proto udp from 192.168.1.31 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3074
                                                                            nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3108
                                                                            nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3167
                                                                            nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3116
                                                                            nat quick on em0 inet proto udp from 192.168.1.31 port = 9305 to any keep state label "192.168.1.31:9305 to 9305 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9305
                                                                            nat quick on em0 inet proto udp from 192.168.1.31 port = 9306 to any keep state label "192.168.1.31:9306 to 9306 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9306
                                                                            nat quick on em0 inet proto udp from 192.168.1.31 port = 3659 to any keep state label "EA Tunnel" rtable 0 -> 24.255.xxx.xx port 3659
                                                                            nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3172
                                                                            nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3096
                                                                            rdr pass quick on em0 inet proto udp from any to any port = 9308 keep state label "192.168.1.31:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.31 port 9308
                                                                            rdr pass quick on em0 inet proto udp from any to any port = 3074 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.31 port 3074
                                                                            rdr pass quick on em0 inet proto udp from any to any port = 3108 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
                                                                            rdr pass quick on em0 inet proto udp from any to any port = 3167 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
                                                                            rdr pass quick on em0 inet proto udp from any to any port = 3116 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
                                                                            rdr pass quick on em0 inet proto udp from any to any port = 9305 keep state label "192.168.1.31:9305 to 9305 (UDP)" rtable 0 -> 192.168.1.31 port 9305
                                                                            rdr pass quick on em0 inet proto udp from any to any port = 9306 keep state label "192.168.1.31:9306 to 9306 (UDP)" rtable 0 -> 192.168.1.31 port 9306
                                                                            rdr pass quick on em0 inet proto udp from any to any port = 3659 keep state label "EA Tunnel" rtable 0 -> 192.168.1.31 port 3659
                                                                            rdr pass quick on em0 inet proto udp from any to any port = 3172 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
                                                                            rdr pass quick on em0 inet proto udp from any to any port = 3096 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
                                                                            
                                                                            natearly rules/nat contents:
                                                                            
                                                                            natrules rules/nat contents:
                                                                            
                                                                            openvpn rules/nat contents:
                                                                            
                                                                            tftp-proxy rules/nat contents:
                                                                            
                                                                            userrules rules/nat contents:
                                                                            
                                                                            

                                                                            It now appears to be working. Tonight we will try it out and see if we can get matchmaking.

                                                                            1 Reply Last reply Reply Quote 0
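Every mapping in the anchor dumps above is an inbound `rdr pass ... from any` rule that a LAN client asked for over UPnP, so the dump doubles as a list of what is exposed on the WAN. As an added example (not part of any post in this thread, and not pfSense or miniupnpd code), this Python script parses that output and reports external-port collisions, internal endpoints mapped through several external ports, and nat/rdr rules without a partner. `PAGE_SAMPLE` is a subset of the lines posted above; `CONSTRUCTED_CONFLICT` is a made-up line, and all function names are this example's own.

```python
import re
from collections import defaultdict

# Rule shapes as printed for the miniupnpd anchor in the posts above.
NAT_RE = re.compile(
    r'^nat quick on \S+ inet proto (?P<proto>\w+) from (?P<int_ip>\S+) '
    r'port = (?P<int_port>\d+) to any .*-> \S+ port (?P<ext_port>\d+)$')
RDR_RE = re.compile(
    r'^rdr pass quick on \S+ inet proto (?P<proto>\w+) from (?P<src>\S+) '
    r'to any port = (?P<ext_port>\d+) .*-> (?P<int_ip>\S+) port (?P<int_port>\d+)$')

def parse_anchor(text):
    """Return (nat, rdr, open_rdr); nat and rdr are sets of
    (proto, int_ip, int_port, ext_port), open_rdr counts 'from any' rdr lines."""
    nat, rdr, open_rdr = set(), set(), 0
    for line in text.splitlines():
        line = line.strip()
        m = NAT_RE.match(line)
        if m:
            nat.add((m['proto'], m['int_ip'], int(m['int_port']), int(m['ext_port'])))
            continue
        m = RDR_RE.match(line)
        if m:
            rdr.add((m['proto'], m['int_ip'], int(m['int_port']), int(m['ext_port'])))
            open_rdr += m['src'] == 'any'
    return nat, rdr, open_rdr

def audit(text):
    nat, rdr, open_rdr = parse_anchor(text)
    by_ext, by_int = defaultdict(set), defaultdict(set)
    for proto, ip, iport, eport in rdr:
        by_ext[(proto, eport)].add((ip, iport))
        by_int[(proto, ip, iport)].add(eport)
    return {
        # inbound redirects that accept traffic from any source address
        "open_to_any": open_rdr,
        # one external port redirected to more than one internal endpoint
        "collisions": {k: sorted(v) for k, v in by_ext.items() if len(v) > 1},
        # one internal endpoint reachable through several external ports
        "multi_mapped": {k: sorted(v) for k, v in by_int.items() if len(v) > 1},
        # nat rule without the matching rdr rule, or the reverse
        "unpaired": sorted(nat ^ rdr),
    }

# Subset of the miniupnpd anchor lines posted above (WAN address as redacted there).
PAGE_SAMPLE = '''\
nat quick on em0 inet proto udp from 192.168.1.31 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3074
nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3108
nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3167
rdr pass quick on em0 inet proto udp from any to any port = 3074 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.31 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 3108 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 3167 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
'''
# Constructed line (not from the thread): a second console claiming external port 3074.
CONSTRUCTED_CONFLICT = (
    'rdr pass quick on em0 inet proto udp from any to any port = 3074 keep state '
    'label "constructed" rtable 0 -> 192.168.1.30 port 3074\n')

if __name__ == "__main__":
    for name, value in audit(PAGE_SAMPLE + CONSTRUCTED_CONFLICT).items():
        print(name, value)
```

On a live system the input would be the saved output of `pfSsh.php playback pfanchordrill`, the command used in the posts above.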
                                                                            • V
                                                                              vMAC last edited by

                                                                              When playing I get Strict NAT on both devices. Should this be the case with UPnP setup?

                                                                              • M
                                                                                Marc05 @vMAC last edited by

                                                                                @vMAC

                                                                                Under firewall rules, make an IPv4 allow LAN to any rule with the advanced option checked "Allow IP options". Test again after and see what happens.

                                                                                • V
                                                                                  vMAC @Marc05 last edited by

                                                                                  @Marc05 said in Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT:

                                                                                  @vMAC

                                                                                  Under firewall rules, make an IPv4 allow LAN to any rule with the advanced option checked "Allow IP options". Test again after and see what happens.

                                                                                  Still STRICT

                                                                                  • M
                                                                                    Marc05 last edited by Marc05

                                                                                    You tried playing the game?

                                                                                    Try following the steps in this guide:
                                                                                    https://www.youtube.com/watch?v=whGPRC9rQYw

                                                                                    Then test again, first without the outbound NAT rules, and second with them. Make sure the test involves playing a game, and not just doing a network test in the console.
