Achieving Moderate (Type 2) NAT on PC and Consoles without the use of UPnP or PortForwarding



  • Hi. As you may know, playing with strict NAT is always a pain in online multiplayer games. I was able to get moderate NAT on my PC and PS4 by simply using UPnP. (I didn't do anything with the Outbound NAT settings either, just left it at Hybrid.)
    But, as you may know, UPnP is a security risk, and port forwarding is simply too much of a task, because every game uses a different port (oftentimes).
    My question, which I was not able to find an answer for, is:
    How can I achieve the same thing I achieved with UPnP (NAT Type 2), without using UPnP?
    The PC and PS4 both have static IPs. Here is a screenshot of my Outbound NAT rules:
    https://pasteall.org/media/d/d/dd939d8959637d6847725fb969cf1d61.png


  • LAYER 8 Moderator

    Did you modify outbound NAT for the console IP to be static port? For the PS4 that may or may not be already enough.



  • @JeGr No, as I said, I never touched the outbound NAT settings for this, but I will try it out.
    Can you point me at a guide or something for this? Also, should the rule be at the top?
    What about my PC?
    Thanks for your time.


  • LAYER 8 Moderator

    Ah, then changing them to Hybrid (or Manual) would be the first step.

    Then add a rule above all others and create it like:

    • Interface: your WAN
    • Protocol: any
    • Source: <your PS4 IP>
    • Destination: any
    • Address: Interface Address
    • Static Port: checkmark

    After saving, it should look the same as your other NAT rules and only differ in "Source" (single IP instead of x.y.z.a/24) and Static Port (a ✔ instead of the 🔀).

    Save and test on your console what the internet testing shows. Perhaps that's already enough to get Type 2. Static Port is a key for that.

    If it's not enough, one can think about UPnP with restrictions. E.g. you can restrict UPnP to one or more single IPs instead of the whole network. You can also restrict it to the ports or port ranges that can be requested from the console. The last thing one can think about is putting the playing things (console, play-PC) into a separate VLAN/network segment to keep them separated and your other boxes safe. That's how I do it. Consoles are in a separate segment (media) and have UPnP running for their IPs only (no other device may request it besides the consoles).



  • @JeGr There is a problem: it won't allow me to input a single IP address as the source, by the looks of it.
    My options are: Any, Network, This Firewall (self).
    EDIT: It seems like I outsmarted pfSense by using an alias, and it looks like it's working. I'll test more and report back.


  • LAYER 8 Moderator

    You can use "network", use the IP and just select /32 (which is essentially the single IP) :)



  • @JeGr Thanks, it looks like this is working on my PS4. One last question: can I just add my other gaming devices to that single alias and use it with that one outbound NAT rule?
    Or do I need to create a separate outbound NAT rule for each device?


  • LAYER 8 Moderator

    If you were using an alias, then sure just add another IP to that Alias and you should be fine.
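    For reference, the pf.conf equivalent of the outbound NAT setup described in this thread (the static-port rule above the catch-all rule, with an alias holding the gaming devices). This is an added illustration, not text from the thread or pfSense's generated ruleset; the interface name and addresses are assumed placeholders.

```pf
# Added illustration (not from the thread): pf.conf equivalent of the GUI
# outbound NAT rule discussed above. Interface name and IPs are assumed.
ext_if = "igb0"                      # assumed WAN interface

# The alias: one table holding every gaming device. To add another console
# or gaming PC, add its IP here instead of writing a new rule.
table <gaming_devices> { 192.168.1.50, 192.168.1.51 }   # assumed PS4 and PC

# Static-port rule FIRST: pf applies the first matching NAT rule, so this
# must sit above the catch-all or it never fires. static-port keeps the
# original source port, which is what the consoles' NAT test needs.
nat on $ext_if inet from <gaming_devices> to any -> ($ext_if) static-port

# Catch-all for the rest of the LAN (assumed 192.168.1.0/24). Without
# static-port pf rewrites source ports randomly, shown as the shuffle icon
# in the GUI. Only the hosts in the table above bypass this.
nat on $ext_if inet from 192.168.1.0/24 to any -> ($ext_if)
```

    Only the hosts in the table lose source-port randomisation; every other device keeps the randomised ports, which is the safer default for the rest of the LAN.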



  • @JeGr Thanks! It works on my PS4 by the looks of it, but some games on my PC will outright refuse to work. Looks like I have to use restricted UPnP for my PC, I guess.
    Default deny is on. I dislike UPnP, but it is what it is.
    But my PS4 is fine, thanks again!


  • LAYER 8 Moderator

    Actually my PCs are working fine but that always depends on the game I suppose. Don't play much P2P based things that have bad netcode that won't work with NAT.

