UPnP Fix for multiple clients/consoles playing the same game
-
Thanks to analysis by @encrypt1d we were able to determine the last piece of the puzzle to solve NAT issues with multiple UPnP clients using the same game.
Redmine Issue: https://redmine.pfsense.org/issues/7727
There were multiple components necessary here:
- miniupnpd needed the ability to add the correct outbound NAT rules corresponding to the ports it used for inbound port forwards
- The firewall ruleset needed NAT anchors to ensure that the rules from UPnP would be matched before automatic outbound NAT or manual outbound NAT rules
The version of miniupnpd
in current releases of pfSense Plus and CE software adds the NAT rules, but a patch is required to setup the appropriate NAT anchors:diff --git a/src/etc/inc/filter.inc b/src/etc/inc/filter.inc index d36d6df2e2..5a7c21bc2a 100644 --- a/src/etc/inc/filter.inc +++ b/src/etc/inc/filter.inc @@ -2091,6 +2091,8 @@ function filter_nat_rules_generate() { $natrules = "no nat proto carp\n"; $natrules .= "no rdr proto carp\n"; + $natrules .= "binat-anchor \"miniupnpd\"\n"; + $natrules .= "nat-anchor \"miniupnpd\"\n"; $natrules .= "nat-anchor \"natearly/*\"\n"; $natrules .= "nat-anchor \"natrules/*\"\n\n";
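Review bot: the two added lines in filter_nat_rules_generate() emit binat-anchor "miniupnpd" and nat-anchor "miniupnpd" unconditionally and with no comment on why they sit ahead of nat-anchor "natearly/*" and nat-anchor "natrules/*". The ordering is the point of the change (rules that miniupnpd loads must match before automatic or manual outbound NAT), so a one-line comment above them would keep a later reorder from silently undoing it. Consider also emitting them only when UPnP is enabled, since anything loaded into that anchor takes precedence over the administrator's own outbound NAT rules.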
That patch can be applied using the System Patches package. Create a new entry and either use commit id 3b50f7656967fbb4daa869a7ae6d18bc5ab6eec3 OR paste in the diff, then save and apply changes.
After applying the fix, either reboot the firewall OR trigger a filter reload (Status > Filter Reload) and then reset the state table (Diagnostics > States).
It was too late for this change to be included in pfSense Plus 22.01 or CE 2.6.0, but it will be in the next release. The fix has been merged into development branches and will be in snapshots soon.
The patch is also available on Github and on the Redmine issue.
Static port manual or hybrid outbound NAT rules are NOT required with this fix in place, provided the game in question uses UPnP. Such rules can be removed in many cases as they are no longer necessary.
Anyone running a build with the fix included, whether it is a development snapshot or the patch applied to 22.01/2.6.0 or even 21.05/2.5.2 is welcome to provide feedback.
Thanks!
Please keep this thread on topic and only post about whether or not the fix worked including information about the platform(s) and game(s) involved. This isn't a thread for commentary, discussing development, or anything else, only for test results. Unrelated comments will be removed.
-
@jimp & @encrypt1d fantastic!
I have applied the patch and will test it out this week.
-
@jimp said in UPnP Fix for multiple clients/consoles playing the same game:
The version of miniupnpd in current releases of pfSense Plus and CE software adds the NAT rules, but a patch is required to setup the appropriate NAT anchors:
Current means CE 2.5.2 as well as CE 2.6 (and 21.05 as well as 22.01)? Just to check :)
-
@jegr said in UPnP Fix for multiple clients/consoles playing the same game:
@jimp said in UPnP Fix for multiple clients/consoles playing the same game:
The version of miniupnpd in current releases of pfSense Plus and CE software adds the NAT rules, but a patch is required to setup the appropriate NAT anchors:
Current means CE 2.5.2 as well as CE 2.6 (and 21.05 as well as 22.01)? Just to check :)
Yes, the fix was discovered too late to include it in 22.01/2.6.0, so those need patched as well.
It will be in whatever the next release is after (e.g. 22.05) but until then the patch is required.
-
Had a moment to test, unfortunately not working for Anno 1800.
Computer A:
Computer B:
however it improved a bit, I now get nat type open/moderate instead of both strict.
If you tell me which logs you need, I'll happily test again and provide them.
PS: It seems that the UPnP & NAT-PMP status stays empty now, no sessions are logged.
-
I have applied the patch to 2.5.2 and have tested without any Hybrid port mappings. I have 6 consoles and 4 PCs all receiving OPEN NAT. Apex, Sea Of Thieves all are working as expected. I will continue to test and see if anything that was failing previously has any issues. So far looking good.
Thanks!
-
Updated from 2.5.2 to 2.6.0 then to plus 22.01.
Tested with Warzone, PS5 and PC, both wanting to use port 3074 and it worked. Son and I can play in the same game, it's brilliant. Issue resolved for me.
-
@donzalmrol That's certainly odd. Try rebooting the computers/pfSense and then test again. Make sure to remove any manually added Outbound NAT rules.
-
No fix here.
Playing COLD WAR or VANGUARD. Both PC players. Applied the patch and restarted pfsense box. Shows open for one and the other PC gets connecting to finally, unable to connect. I collected a tcpdump and will review.
Tried on my son's PC as well and same issue.
Trace shows conversation over port 3074 so it "seems" like it worked but doesn't always show under "status > upnp" or under states (see rst pckt so expect state to be clear).
Settings:
running: 2.6.0
System > Advanced > Firewall & NAT >
"NAT Reflection mode for port forwards" : Pure NAT
Enable automatic outbound NAT for Reflection : checked
Enable NAT Reflection for 1:1 NAT : unchecked
Nothing in "port Forwarding" for these pcs just my "calibre and minecraft server"
Firewall > NAT > Outbound
Hybrid : set
Mappings: alias name for my PC's set to static port <-- is this what is killing me?
Snip:
https://drive.google.com/drive/folders/1rPumILNl6trWzYoMOh_d-Id1dJ8_O2pC?usp=sharing
plug my netgear router and no issues.
update:
Error for Cold War: Negative 345 Blazing Gator | Which leads to port forwarding and all that
Interesting, I used to see COD try and open other ports, but I no longer see that behaviour. A
update 2: Disabled and rebooted :
Firewall > NAT > Outbound > Mappings: alias name for my PC's set to static port
get strict now
-
@whiteshadow
as far as i know: "static port mapping" does NOT work with multiple players on the same game, even with applied patch. you should delete this manually created outbound nat rule.
for me right now, cod warzone tells me "open nat" so far so good. with anno 1800 i still get "strict nat" but possible matchmaking. i think there is something else wrong with anno 1800.
-
@m0nji
I have already moved the static port option in my "Firewall > NAT > Outbound"
This didn't resolve per update 2. just get strict on every game and pc now. Making things worse
so create an output mapping rule for every pc (for games) for ports 3074?
So we are saying UPnP is opening allowing in (even though nothing in UPnP or states to say that is working) but I'm not allowing it to go out?
Anyone who has any COD game what are your settings to get both to show open? did u have to create outbound rules for each PC and if so and u didn't use static what is your NAT port?
I thought having "pure NAT" and "Enable automatic outbound NAT for Reflection" would create the outbound rule?
NOTE: removing my static rules for my PC's and now all games are strict, vs one being open and one being strict.. and nothing in UPnP anymore either and no states.
@pcross616 : what are your settings at that everything is showing as open?
In Thread: https://redmine.pfsense.org/issues/7727
@Jon8RFC . : Did you have to create outbound rules?
-
Looking into game "Pummel Party" u can host and choose a port to use. So I went ahead and launched game on both pc's and tried creating a match. It only worked on pc and the other never saw the state for the port show or in UPnP.
If I go to game and change port from 14242 to 14243 then both pcs show up. It seems it won't allow two clients using the same ports. It seems like the same issue as before, not sure what fixed but none of my games can we have more than 1 person playing at a time.
Please share how your configs are that allow multiple games using the same port to work?
both pc's using same port:
Telling the another pc to use another port for same game (game thankfully gives me this option) :
@rivageeza : I see you tested with COD and it uses the same port 3074, what does your UPnP status show when both are running and showing open? What does your config look like? Are you using "pure NAT"?
Going to disable "hybrid" and try "automatic". Rebooted after this change and still every pc is STRICT..
-
Had already tested the patch with Call of Duty Warzone, PC and PS5. Post patch we both get open NAT, can join the same lobby and play in the same game. Both platforms are using port 3074.
Saw some people having difficulty with PC and PC, I've just finished testing and happy to report the fix is working for this configuration too.
2 PC's on the same LAN, both playing warzone using 2 different battle.net accounts, both open NAT and was successfully able to start a duo and loaded into a game together. Again, both PC's used port 3074.
-
@rivageeza : What are your settings?
-
If it's not working for someone, first check that the patch is actually applied. This is what it should look like in the system patches package:
Next, check the ruleset and make sure the nat anchor is there:
$ grep miniupnpd /tmp/rules.debug
binat-anchor "miniupnpd"
nat-anchor "miniupnpd"
rdr-anchor "miniupnpd"
anchor "miniupnpd"
If you have more than one WAN, make sure UPnP is using the same WAN the clients exit.
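The ruleset check described in the post above, extended to also confirm that the NAT anchor sits ahead of the outbound NAT anchors, as an added example that is not part of the original post or of pfSense itself. The function names and the sample rulesets are constructed for illustration; on a firewall, pass /tmp/rules.debug to check_upnp_anchors.

```shell
#!/bin/sh
# Added example (not pfSense code): verify that a pf ruleset dump contains the
# miniupnpd anchors and that the NAT anchor precedes the outbound NAT anchors.

# Print the line number of the first line in file $2 that starts with string $1.
first_line() {
    awk -v p="$1" 'index($0, p) == 1 { print NR; exit }' "$2"
}

# Return 0 if all anchors are present and ordered, 1 if not, 2 if unreadable.
check_upnp_anchors() {
    rules="$1"
    [ -r "$rules" ] || { echo "cannot read $rules" >&2; return 2; }
    result=0

    # The four anchors shown in the grep output on this page.
    for a in 'binat-anchor "miniupnpd"' 'nat-anchor "miniupnpd"' \
             'rdr-anchor "miniupnpd"' 'anchor "miniupnpd"'; do
        if [ -z "$(first_line "$a" "$rules")" ]; then
            echo "MISSING: $a"
            result=1
        fi
    done

    # The patch places nat-anchor "miniupnpd" ahead of these two anchors.
    upnp=$(first_line 'nat-anchor "miniupnpd"' "$rules")
    for later in 'nat-anchor "natearly/*"' 'nat-anchor "natrules/*"'; do
        pos=$(first_line "$later" "$rules")
        if [ -n "$upnp" ] && [ -n "$pos" ] && [ "$upnp" -gt "$pos" ]; then
            echo "ORDER: nat-anchor \"miniupnpd\" (line $upnp) is after $later (line $pos)"
            result=1
        fi
    done
    return "$result"
}

# Write a constructed ruleset excerpt to $2; $1 is "patched" or "unpatched".
make_sample() {
    {
        printf '%s\n' 'no nat proto carp' 'no rdr proto carp'
        if [ "$1" = patched ]; then
            printf '%s\n' 'binat-anchor "miniupnpd"' 'nat-anchor "miniupnpd"'
        fi
        printf '%s\n' 'nat-anchor "natearly/*"' 'nat-anchor "natrules/*"' \
                      'rdr-anchor "miniupnpd"' 'anchor "miniupnpd"'
    } > "$2"
}

# Demo on constructed input; on a firewall, pass /tmp/rules.debug instead.
tmp=$(mktemp -d)
make_sample patched "$tmp/patched"
make_sample unpatched "$tmp/unpatched"
check_upnp_anchors "$tmp/patched" && echo "patched sample: OK"
check_upnp_anchors "$tmp/unpatched" || echo "unpatched sample: anchors missing"
rm -rf "$tmp"
```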
-
-
Not related to multiple devices/games, but I applied the patch, removed static port mappings and changed outbound mode to automatic and I can still get open NAT on XBOX.
well done to all involved.
-
@iculookn : what are your setting for this:
System > Advanced > Firewall & NAT:
NAT Reflection mode for port forwards ?
Enable NAT Reflection for 1:1 NAT ?
Enable automatic outbound NAT for Reflection?
-
@whiteshadow
System > Advanced > Firewall & NAT:
NAT Reflection mode for port forwards ? DISABLED
Enable NAT Reflection for 1:1 NAT ? UNCHECKED
Enable automatic outbound NAT for Reflection? UNCHECKED
-
Thank you for posting those settings. I went ahead and applied them and rebooted pfsense, and boom it all works all is open.
Currently NAT is set to automatic and then the above settings iculookn pointed out. With those set it seems this patch fixes the issue.
thank you for the fix, and think this piece should be documented. Even though it sounds like a bug to me, when "pure NAT" enabled upnp doesn't work as expected.
"pure nat" disabled and it works perfectly.
-
@marc05 said in UPnP Fix for multiple clients/consoles playing the same game:
@donzalmrol That's certainly odd. Try rebooting the computers/pfSense and then test again. Make sure to remove any manually added Outbound NAT rules.
It seems that I have now a different issue when I upgrade to v2.6.0
https://forum.netgate.com/topic/169884/after-upgrade-inter-v-lan-communication-is-very-slow-on-hyper-v-for-others-wan-speed-is-affected/16?loggedin=true
So I'll test the UPNP again once my main issue is resolved for Hyper-V.
-
Yea there be some oddness going on. As we switched from Cold War to Vanguard and all the upnp went away for our PC's and we are all strict again. If we switch to Cold War again we are strict.
rebooted pfsense box again and all 3 PC's and still all strict.. Really strange switching game types breaks it and then after everything rebooting.. still no resolve. really odd
@DonZalmrol : What are your outbound settings like? automatic or hybrid? what is :
System > Advanced > Firewall & NAT:
NAT Reflection mode for port forwards ?
Enable NAT Reflection for 1:1 NAT ?
Enable automatic outbound NAT for Reflection?
my settings:
-
Upgraded to 22.01: rebooted, reinstalled the patch and rebooted after install.
Seems to have resolved my issue.
-
@whiteshadow My settings are as follows.
-
@whiteshadow said in UPnP Fix for multiple clients/consoles playing the same game:
Thank you for posting those settings. I went ahead and applied them and rebooted pfsense, and boom it all works all is open.
Currently NAT is set to automatic and then the above settings iculookn pointed out. With those set it seems this patch fixes the issue.
thank you for the fix, and think this piece should be documented. Even though it sounds like a bug to me, when "pure NAT" enabled upnp doesn't work as expected.
"pure nat" disabled and it works perfectly.
I tried last night without success, but when i disabled "pure NAT" and rebooted firewall. It says open nat in Warzone/PC, but in PS4 it says NAT type 3 and not type 2 for some odd reason.
-
@coraze
can you post matching screenshots that I posted above covering settings
-
@rivageeza
hmm so u have outbound like i did with alias with static set... Then u have 1:1 with pure NAT while i didn't...
I want to try that, but I have 2 out of 3 PC's showing OPEN. Third always strict... might change to what I had before and add the 1:1 for the pure NAT..
reinstalling on 3rd pc as it was DEV channel windows 11 and couldn't get it working... waiting for small game "cold war" to download to test
-- tested and it's working on 3rd pc with "Cold War"
- Haven't changed back to similar settings as @rivageeza : yet
-
Interesting that the NAT reflection options appear to make a difference. I wouldn't expect that to be a factor unless there were also port forwards or 1:1 NAT which overlap what UPnP is trying to do. Something in the reflection rules must be redirecting the traffic as it enters the LAN, while the UPnP rules would only translate traffic as it exits a WAN.
Would be nice if we can narrow down which of those options specifically is interfering and if it is related to port forwarding. If there is a potential for conflict there we can add it to whatever docs we make to cover this.
-
This post is deleted!
-
I don't think CoD is the best example to test this. CoD is capable of using multiple udp ports if 3074 is already taken.
If you do tests with "static Port Mapping", you need games which need specific ports like Apex Legends or CS:S (I guess CS:GO too)
-
I have multiple Playstation consoles on the same LAN subnet. I've enabled upnp, configured the ACL with the static IP's of the consoles. Whichever console boots up first will get a NAT type 2 (Ideal), the second one to boot up and perform a Test Internet Connection will get a NAT Type 3 (restricted).
I've applied the patch, rebooted the firewall, and removed the static port mapping under Firewall-->NAT-->Outbound.
No Pure NAT, No Nat Reflection etc are currently enabled. So don't think its quite ironed out yet. What logs should I collect?
-
@m0nji it's a good test for me as prior to the patch, I couldn't play on PC and PS5 at the same time.
Without modifying any other setting and applying the patch, the issue is resolved 100%.
Neither the PC or PS5 failed over to a different port, which ever device booted the game first would work and the 2nd device would fail to connect.
Pre patch we could play PS5 and Xbox Series X as the xbox used port 3075 and PS5 would use 3074.
-
@saber : try @rivageeza settings above.
It enables pure nat and reflection and 1:1 and also sets up static ports for gaming pc's/consoles in firewall outbound (easier to do with alias)
Reboot pfsense after and consoles
pc's (shutdown and power up)
test
-
Per jimp's first post the static port mapping shouldn't need to be enabled:
"Static port manual or hybrid outbound NAT rules are NOT required with this fix in place, provided the game in question uses UPnP. Such rules can be removed in many cases as they are no longer necessary."
I'm testing per suggestions. I'm not even getting to a game yet, just booting up the Playstations and know that it uses Upnp as it logs it in the upnp logs upon bootup to check NAT type.
-
For those of you testing. It is super important to reboot the game machine, sometimes even multiple times. I have seen many scenarios where the game client just doesn't even try to use UPnP, and does not send any port programming requests to the firewall. (Detectable only via packet capture or starting the miniupnpd service with debug logs enabled, and tailing /var/log/routing.log)
You also need to make sure that UPnP is enabled on windows (if on a PC), and probably turn off your local firewall software if you have any.
-
@encrypt1d said in UPnP Fix for multiple clients/consoles playing the same game:
For those of you testing. It is super important to reboot the game machine, sometimes even multiple times. I have seen many scenarios where the game client just doesn't even try to use UPnP, and does not send any port programming requests to the firewall. (Detectable only via packet capture or starting the miniupnpd service with debug logs enabled, and tailing /var/log/routing.log)
You also need to make sure that UPnP is enabled on windows (if on a PC), and probably turn off your local firewall software if you have any.
What may be happening in some of these cases is that if a client or game is already running and miniupnpd restarts, the existing mappings are gone. The client may not request to open the ports again because it thinks they're still open, but the restart of miniupnpd cleared them out. So any time you restart UPnP on the firewall whatever UPnP clients are on the network also need a bump to make sure both sides agree on the state of UPnP mappings.
-
So do we need to do the static port mappings? I had it there previously to get both Playstation consoles to get a NAT type 2, but couldn't play the same game due to the UPnP limitation there previously.
I have NOT enabled Pure NAT, NAT Reflection, and have removed the static port mappings.
Is that an improper configuration? I see @rivageeza configuration settings above, but was of the understanding that UPnP should work now without the additional steps / configurations as well as static port mappings?
As an update, I did reboot both Playstations after clearing the UPnP settings and whichever one boots up first gets NAT Type 2, while the other is Type 3.
-
@saber said in UPnP Fix for multiple clients/consoles playing the same game:
So do we need to do the static port mappings? I had it there previously to get both Playstation consoles to get a NAT type 2, but couldn't play the same game due to the UPnP limitation there previously.
You do not need any outbound NAT settings at all. No static port, no 1:1, no hybrid or manual outbound NAT, no port forwards. Nada. Not unless you use them for other things unrelated to games, naturally.
-
@jimp said in UPnP Fix for multiple clients/consoles playing the same game:
@saber said in UPnP Fix for multiple clients/consoles playing the same game:
So do we need to do the static port mappings? I had it there previously to get both Playstation consoles to get a NAT type 2, but couldn't play the same game due to the UPnP limitation there previously.
You do not need any outbound NAT settings at all. No static port, no 1:1, no hybrid or manual outbound NAT, no port forwards. Nada. Not unless you use them for other things unrelated to games, naturally.
Thanks for the confirmation that I shouldn't need those settings in place to get this to work as expected. I'm still testing, not having much luck as the Playstations appear to get the UDP 9308 port depending on who boots up and gets network connectivity first. I'm not technically into game play yet as I can't get both to have a NAT type of 2 with the recommendations so far.
I'm more than happy to test and provide logs to help get this resolved.
-
So I just took a packet capture, and I see the Playstation attempt an HTTP post regarding the port that it would like UPnP to map:
Playstation Sends this to Firewall (POST)
POST /ctl/IPConn HTTP/1.1
HOST: 10.0.0.254:2189
Content-Length: 636
Content-Type: text/xml; charset="utf-8"
SOAPACTION: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>9308</NewExternalPort>
<NewProtocol>UDP</NewProtocol>
<NewInternalPort>9308</NewInternalPort>
<NewInternalClient>10.0.0.18</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>10.0.0.18:9308 to 9308 (UDP)</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:AddPortMapping>
</s:Body>
</s:Envelope>
Firewall Responds: Http 500 Internal Server Error to a port conflict as port 9308 has already been mapped by the other Playstation on the network.
HTTP/1.1 500 Internal Server Error
Content-Type: text/xml; charset="utf-8"
Connection: close
Content-Length: 406
Server: FreeBSD/12.3-STABLE UPnP/1.1 MiniUPnPd/2.2.1
Ext:

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>718</errorCode><errorDescription>ConflictInMappingEntry</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>
This is repeated until it gives up: