Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT

andrew_r

@jimp
By the way; I do get this on reboot:

Crash report begins.  Anonymous machine information:

amd64
12.1-STABLE
FreeBSD 12.1-STABLE 1626cb2f005(factory-devel-12) pfSense

Crash report details:

PHP Errors:
[11-Jun-2020 13:20:35 America/New_York] PHP Warning:  Invalid argument supplied for foreach() in /etc/rc.dyndns.update on line 52



No FreeBSD crash data found.

jimp

@andrew_r said in Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT:

@jimp I had some manual rules set up from previous attempts, but they are fairly simple.

Can you try with those rules disabled?

Was that working before this version of UPnP?

We are primarily interested in knowing if this fixed situations that were broken before, or allows things to work with less intervention overall.

andrew_r

@jimp It was not working with the previous release. There were errors upnp errors in my log, and nothing showing in the upnp status area.

I'll test disabling the rules, and get back to you but, if it's any help, I forgot to add the second xbox to the alias group at first (so the rules weren't applied to it), and that xbox reported back that it was double-nat'ed. Similarly, I forgot with the 2nd PS4 and the third Switch, they reported NAT Type 3 (rather than 1) and Nat Type 3 (rather than 2).

Does this answer your question, or would it help for me to retest with the rules completely disabled? (I have hybrid mode set, by the way).

Andrew

andrew_r

@jimp PS. Is the boot error I posted something to be concerned with?

Marc05

@andrew_r
Please test without any Outbound rules enabled.

Also, do you have any games of the same console that previously had issues with joining a lobby or playing together? If so, are those working now?

andrew_r

@andrew_r said in Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT:

eans, but this seems to do the trick. I'd appreciate it if you let me know if I've done som

I tested Minecraft on both xboxes with and without the outbound nat rule enabled.

With; everything worked fine.
Without; the first xbox was able to connect to the realm fine, but the second hung on "loading resources" before it even got to the main menu for me to join the realm.

So, I'd say the outbound rule is necessary, at least as far as Xbox goes.

Note that each console (including PS4 and Switch) reports the NAT as strict and/or double-nat'ed without the rule.

Oh, I also had "Enable NAT Reflection for 1:1 NAT" and turned on and "Automatic create outbound NAT rules that direct traffic back out to the same subnet it originated from." in the system/advanced/nat and firewall menu, if that makes a difference.

Marc05

That's weird. In my tests, I did not have the outbound rules set up and it seemed to work.

andrew_r

@Marc05
That is strange.

Not sure what's going on, but for some reason in my configuration, I require the outbound rules.

It may be to do with the ATT fiber connection? I've set the ATT box to behave as passthrough directly to the 5100, but I'm not sure that's doing exactly what I hope it is (or else why would people use pfatt?). I suspect that's the cause of the double nat error, and possibly why you're seeing a different result to me.

I guess the question I have is, if you add the rule, does your configuration still work?

andrew_r

@Marc05 By the way, this was with xbox - I didn't have anywhere near as many issues with the PS4s and the Switches.

Marc05

Adding the rules still keeps it working.

vMAC

I upgrade pfSense and then found out my son took his PS4.......so i will have to wait to verify functionality tomorrow.

andrew_r

@Marc05 My guess is that they'll be necessary for XBox One. You only tested with PS4, correct?

vMAC

Ok when I ran the command you asked for I received the following:

[2.5.0-DEVELOPMENT][admin@BridgesSense.localdomain]/root: pfSsh.php playback pfa                                                                                   nchordrill

ipsec rules/nat contents:

miniupnpd rules/nat contents:
nat quick on em0 inet proto udp from 192.168.1.30 port = 9308 to any keep state                                                                                    label "192.168.1.30:9308 to 9308 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9308
rdr pass quick on em0 inet proto udp from any to any port = 9308 keep state labe                                                                                   l "192.168.1.30:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.30 port 9308

natearly rules/nat contents:

natrules rules/nat contents:

openvpn rules/nat contents:

tftp-proxy rules/nat contents:

userrules rules/nat contents:
[2.5.0-DEVELOPMENT][admin@BridgesSense.localdomain]/root: miniupnpd --version
miniupnpd 2.2.0-RC1 Jun 10 2020
using pf backend

I tried my other PS4 (COD) and got no love.
I then restarted the UPNP service and tried connecting on both PS4's then received the following:

[2.5.0-DEVELOPMENT][admin@BridgesSense.localdomain]/root: pfSsh.php playback pfanchordrill

ipsec rules/nat contents:

miniupnpd rules/nat contents:
nat quick on em0 inet proto udp from 192.168.1.31 port = 9308 to any keep state label "192.168.1.31:9308 to 9308 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9308
nat quick on em0 inet proto udp from 192.168.1.31 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3074
rdr pass quick on em0 inet proto udp from any to any port = 9308 keep state label "192.168.1.31:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.31 port 9308
rdr pass quick on em0 inet proto udp from any to any port = 3074 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.31 port 3074

natearly rules/nat contents:

natrules rules/nat contents:

openvpn rules/nat contents:

tftp-proxy rules/nat contents:

userrules rules/nat contents:

Still not working with both PS4's online have to completely disconnect one to get it to work.
Let me know what other settings or logs you might need to help diag.

I have assigned Static IPs to both PS4s (192.168.1.30 and 192.168.1.31)

Marc05

@vMAC

Make sure you enable Pure NAT, and check "Enable automatic outbound NAT for Reflection" under System / Advanced / Firewall & NAT

vMAC

@Marc05
After changing those settings this is what I get:

[2.5.0-DEVELOPMENT][admin@BridgesSense.localdomain]/root: pfSsh.php playback pfanchordrill

ipsec rules/nat contents:

miniupnpd rules/nat contents:
nat quick on em0 inet proto udp from 192.168.1.31 port = 9308 to any keep state label "192.168.1.31:9308 to 9308 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9308
nat quick on em0 inet proto udp from 192.168.1.31 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3074
nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3108
nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3167
nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3116
nat quick on em0 inet proto udp from 192.168.1.31 port = 9305 to any keep state label "192.168.1.31:9305 to 9305 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9305
nat quick on em0 inet proto udp from 192.168.1.31 port = 9306 to any keep state label "192.168.1.31:9306 to 9306 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9306
nat quick on em0 inet proto udp from 192.168.1.31 port = 3659 to any keep state label "EA Tunnel" rtable 0 -> 24.255.xxx.xx port 3659
nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3172
nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3096
rdr pass quick on em0 inet proto udp from any to any port = 9308 keep state label "192.168.1.31:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.31 port 9308
rdr pass quick on em0 inet proto udp from any to any port = 3074 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.31 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 3108 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 3167 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 3116 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 9305 keep state label "192.168.1.31:9305 to 9305 (UDP)" rtable 0 -> 192.168.1.31 port 9305
rdr pass quick on em0 inet proto udp from any to any port = 9306 keep state label "192.168.1.31:9306 to 9306 (UDP)" rtable 0 -> 192.168.1.31 port 9306
rdr pass quick on em0 inet proto udp from any to any port = 3659 keep state label "EA Tunnel" rtable 0 -> 192.168.1.31 port 3659
rdr pass quick on em0 inet proto udp from any to any port = 3172 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 3096 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074

natearly rules/nat contents:

natrules rules/nat contents:

openvpn rules/nat contents:

tftp-proxy rules/nat contents:

userrules rules/nat contents:

It now appears to be working. Tonight we will try it out and see if we can get matchmaking.

vMAC

When playing I get Strict NAT on both devices. Should this be the case with UPnP setup?

Marc05

@vMAC

Under firewall rules, make an IPv4 allow LAN to any rule with the advanced option checked "Allow IP options". Test again after and see what happens.

vMAC

@Marc05 said in Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT:

@vMAC

Under firewall rules, make an IPv4 allow LAN to any rule with the advanced option checked "Allow IP options". Test again after and see what happens.

Still STRICT

Marc05

You tried playing the game?

Try following the steps in this guide:
https://www.youtube.com/watch?v=whGPRC9rQYw

Then test again, first without the outbound NAT rules, and second with them. Make sure the test involves playing a game, and not just doing a network test in the console.

ELMcDonald

Upgraded today to 2.5.0DEVELOPMENT and getting this error miniupnpd 80987 setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
After looking at the redmine, it did't look like i needed to update miniupnpd.

Any ideas or more info needed?