Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT
-
@andrew_r said in Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT:
eans, but this seems to do the trick. I'd appreciate it if you let me know if I've done som
I tested Minecraft on both xboxes with and without the outbound nat rule enabled.
With; everything worked fine.
Without; the first xbox was able to connect to the realm fine, but the second hung on "loading resources" before it even got to the main menu for me to join the realm. So, I'd say the outbound rule is necessary, at least as far as Xbox goes.
Note that each console (including PS4 and Switch) reports the NAT as strict and/or double-nat'ed without the rule.
Oh, I also had "Enable NAT Reflection for 1:1 NAT" and "Automatic create outbound NAT rules that direct traffic back out to the same subnet it originated from." turned on in the system/advanced/nat and firewall menu, if that makes a difference.
-
That's weird. In my tests, I did not have the outbound rules set up and it seemed to work.
-
@Marc05
That is strange. Not sure what's going on, but for some reason in my configuration, I require the outbound rules.
It may be to do with the ATT fiber connection? I've set the ATT box to behave as passthrough directly to the 5100, but I'm not sure that's doing exactly what I hope it is (or else why would people use pfatt?). I suspect that's the cause of the double nat error, and possibly why you're seeing a different result to me.
I guess the question I have is, if you add the rule, does your configuration still work?
-
@Marc05 By the way, this was with xbox - I didn't have anywhere near as many issues with the PS4s and the Switches.
-
Adding the rules still keeps it working.
-
I upgraded pfSense and then found out my son took his PS4... so I will have to wait to verify functionality tomorrow.
-
@Marc05 My guess is that they'll be necessary for XBox One. You only tested with PS4, correct?
-
Ok when I ran the command you asked for I received the following:
[2.5.0-DEVELOPMENT][admin@BridgesSense.localdomain]/root: pfSsh.php playback pfanchordrill
ipsec rules/nat contents:
miniupnpd rules/nat contents:
nat quick on em0 inet proto udp from 192.168.1.30 port = 9308 to any keep state label "192.168.1.30:9308 to 9308 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9308
rdr pass quick on em0 inet proto udp from any to any port = 9308 keep state label "192.168.1.30:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.30 port 9308
natearly rules/nat contents:
natrules rules/nat contents:
openvpn rules/nat contents:
tftp-proxy rules/nat contents:
userrules rules/nat contents:
[2.5.0-DEVELOPMENT][admin@BridgesSense.localdomain]/root: miniupnpd --version
miniupnpd 2.2.0-RC1 Jun 10 2020
using pf backend
I tried my other PS4 (COD) and got no love.
I then restarted the UPNP service and tried connecting on both PS4's then received the following:
[2.5.0-DEVELOPMENT][admin@BridgesSense.localdomain]/root: pfSsh.php playback pfanchordrill
ipsec rules/nat contents:
miniupnpd rules/nat contents:
nat quick on em0 inet proto udp from 192.168.1.31 port = 9308 to any keep state label "192.168.1.31:9308 to 9308 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9308
nat quick on em0 inet proto udp from 192.168.1.31 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3074
rdr pass quick on em0 inet proto udp from any to any port = 9308 keep state label "192.168.1.31:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.31 port 9308
rdr pass quick on em0 inet proto udp from any to any port = 3074 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.31 port 3074
natearly rules/nat contents:
natrules rules/nat contents:
openvpn rules/nat contents:
tftp-proxy rules/nat contents:
userrules rules/nat contents:
Still not working with both PS4's online; have to completely disconnect one to get it to work.
Let me know what other settings or logs you might need to help diag. I have assigned Static IPs to both PS4s (192.168.1.30 and 192.168.1.31)
-
Make sure you enable Pure NAT, and check "Enable automatic outbound NAT for Reflection" under System / Advanced / Firewall & NAT
-
@Marc05
After changing those settings this is what I get:
[2.5.0-DEVELOPMENT][admin@BridgesSense.localdomain]/root: pfSsh.php playback pfanchordrill
ipsec rules/nat contents:
miniupnpd rules/nat contents:
nat quick on em0 inet proto udp from 192.168.1.31 port = 9308 to any keep state label "192.168.1.31:9308 to 9308 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9308
nat quick on em0 inet proto udp from 192.168.1.31 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3074
nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3108
nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3167
nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3116
nat quick on em0 inet proto udp from 192.168.1.31 port = 9305 to any keep state label "192.168.1.31:9305 to 9305 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9305
nat quick on em0 inet proto udp from 192.168.1.31 port = 9306 to any keep state label "192.168.1.31:9306 to 9306 (UDP)" rtable 0 -> 24.255.xxx.xxx port 9306
nat quick on em0 inet proto udp from 192.168.1.31 port = 3659 to any keep state label "EA Tunnel" rtable 0 -> 24.255.xxx.xx port 3659
nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3172
nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 24.255.xxx.xxx port 3096
rdr pass quick on em0 inet proto udp from any to any port = 9308 keep state label "192.168.1.31:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.31 port 9308
rdr pass quick on em0 inet proto udp from any to any port = 3074 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.31 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 3108 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 3167 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 3116 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 9305 keep state label "192.168.1.31:9305 to 9305 (UDP)" rtable 0 -> 192.168.1.31 port 9305
rdr pass quick on em0 inet proto udp from any to any port = 9306 keep state label "192.168.1.31:9306 to 9306 (UDP)" rtable 0 -> 192.168.1.31 port 9306
rdr pass quick on em0 inet proto udp from any to any port = 3659 keep state label "EA Tunnel" rtable 0 -> 192.168.1.31 port 3659
rdr pass quick on em0 inet proto udp from any to any port = 3172 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 3096 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074
natearly rules/nat contents:
natrules rules/nat contents:
openvpn rules/nat contents:
tftp-proxy rules/nat contents:
userrules rules/nat contents:
It now appears to be working. Tonight we will try it out and see if we can get matchmaking.
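The miniupnpd anchor dump above, checked programmatically (an added example, not part of the original post and not pfSense or miniupnpd code): it lists every inbound port UPnP has opened, the internal ports that more than one LAN host has asked to map, and any rdr rule without a matching nat rule. The `audit` function, the sample text and the 203.0.113.7 WAN address are constructed for illustration.

```python
import re
from collections import defaultdict

# Rule shapes as they appear in the miniupnpd anchor dumps in this thread.
NAT = re.compile(
    r'\bnat (?:log )?quick on \S+ inet proto (\w+) from (\S+) port = (\d+) '
    r'to any keep state label "[^"]*" rtable \d+ -> \S+ port (\d+)')
RDR = re.compile(
    r'\brdr pass (?:log )?quick on \S+ inet proto (\w+) from any to any '
    r'port = (\d+) keep state label "([^"]*)" rtable \d+ -> (\S+) port (\d+)')

def audit(dump):
    """Summarise UPnP mappings from flattened or multi-line pfanchordrill text."""
    # Outbound rules as (proto, LAN host, internal port, external port).
    nat = {(p, h, int(i), int(e)) for p, h, i, e in NAT.findall(dump)}
    exposed, unpaired = [], []
    holders = defaultdict(lambda: defaultdict(list))
    for proto, ext, label, host, internal in RDR.findall(dump):
        ext, internal = int(ext), int(internal)
        exposed.append((proto, ext, host, internal, label))
        holders[(proto, internal)][host].append(ext)
        if (proto, host, internal, ext) not in nat:
            unpaired.append((proto, ext, host, internal))
    # Internal ports that more than one LAN host has asked UPnP to map.
    contended = {key: {h: sorted(v) for h, v in hosts.items()}
                 for key, hosts in holders.items() if len(hosts) > 1}
    # Mappings whose external port differs from the port the host listens on.
    shifted = sorted((h, i, e) for _, e, h, i, _ in exposed if e != i)
    return {"exposed": sorted(exposed), "contended": contended,
            "shifted": shifted, "unpaired": unpaired}

# Constructed sample, flattened like the forum paste; 203.0.113.7 is a placeholder WAN address.
SAMPLE = (
    'miniupnpd rules/nat contents: '
    'nat quick on em0 inet proto udp from 192.168.1.31 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 203.0.113.7 port 3074 '
    'nat quick on em0 inet proto udp from 192.168.1.30 port = 3074 to any keep state label "DemonwarePortMapping" rtable 0 -> 203.0.113.7 port 3108 '
    'rdr pass quick on em0 inet proto udp from any to any port = 3074 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.31 port 3074 '
    'rdr pass quick on em0 inet proto udp from any to any port = 3108 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.1.30 port 3074 '
    'rdr pass log quick on em0 inet proto udp from any to any port = 9308 keep state label "192.168.1.31:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.31 port 9308 '
    'natearly rules/nat contents:'
)

if __name__ == "__main__":
    for section, items in audit(SAMPLE).items():
        print(section, items)
```

The same function accepts the saved output of `pfSsh.php playback pfanchordrill`; the `exposed` list is the set of inbound ports UPnP clients have opened on the WAN side.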
-
When playing I get Strict NAT on both devices. Should this be the case with UPnP setup?
-
Under firewall rules, make an IPv4 allow LAN to any rule with the advanced option checked "Allow IP options". Test again after and see what happens.
-
@Marc05 said in Test Request: UPnP Fix for Multiple Consoles playing the same game / static port outbound NAT:
Under firewall rules, make an IPv4 allow LAN to any rule with the advanced option checked "Allow IP options". Test again after and see what happens.
Still STRICT
-
You tried playing the game?
Try following the steps in this guide:
https://www.youtube.com/watch?v=whGPRC9rQYw
Then test again, first without the outbound NAT rules, and second with them. Make sure the test involves playing a game, and not just doing a network test in the console.
-
Upgraded today to 2.5.0DEVELOPMENT and getting this error: miniupnpd 80987 setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
After looking at the redmine, it didn't look like I needed to update miniupnpd. Any ideas or more info needed?
-
Tested today with a base installation of 2.5.0DEV and two PS4s.
Base config, just UPNP enabled and Pure NAT.
I get NAT Type 2 on one console but always type 3 on the second.
I can see the following:
miniupnpd rules/nat contents:
nat log quick on ix0.10 inet proto udp from 10.XX.XX.XX port = 9308 to any keep state label "10.XX.XX.XX:9308 to 9308 (UDP)" rtable 0 -> XX.XX.XX.XX port 9308
rdr pass log quick on ix0.10 inet proto udp from any to any port = 9308 keep state label "10.XX.XX.XX:9308 to 9308 (UDP)" rtable 0 -> 10.XX.XX.XX port 9308
So UPNP seems to be working but for some reason only allowing one console, any additional debugging I should do here?
-
It seems that static ports on outbound NAT is still necessary. Make sure to create that rule as well.
-
@Marc05 static port NAT is a workaround, and not a nice one.
The implementation we hope for is that two or more consoles work with only UPNP without any other special rules (similar to consumer grade routers).
The output above proves that upnp is working, I guess now the challenge is figuring out why only for one device/console.
-
In my previous test earlier in the thread, I had tested with the patch provided in the redmine bug entry. I believe I had tested without the outbound rule enabled, and just the patch. The results I posted seem to have UPnP working as intended for multiple consoles. After removing that patch and updating to the latest dev version of pfSense with the miniupnp RC version, the outbound rule was required.
@jimp
Did the code change from your patch make it into the miniupnp RC version provided in the latest dev release of pfSense?
-
It wasn't my code/patch, I had just posted a compiled version of the code from miniupnpd. The latest RC code should be what's in snapshots now.