UPnP Fix for multiple clients/consoles playing the same game
-
@chief said in UPnP Fix for multiple clients/consoles playing the same game:
https://github.com/automation-stack/nat-discovery
Also a note on using a tool like the automation-stack/nat-discovery link posted above:
Without manual changes, this will never result in anything other than a restricted NAT result if run on a host behind the firewall. The tool does not actually make any UPNP port mapping requests, so its tests will not be NATed as desired or allowed back through the firewall. You can probably add the NAT/FW rules yourself to make that work, however ...
The STUN implementation included in miniupnpd includes a very similar check, which runs directly from the firewall itself when STUN is enabled. Assuming you have the firewall rule to allow the inbound connection attempts directly to the firewall WAN IP, it does in fact report a fully open NAT.
Mar 18 10:05:43 firewall miniupnpd[782]: STUN: Performing with host=stun.sipgate.net and port=3478 ... Mar 18 10:05:43 firewall miniupnpd[782]: resolve_stun_host: stun.sipgate.net:3478 => 217.10.68.152:3478 Mar 18 10:05:43 firewall miniupnpd[782]: perform_stun: local ports 38769 13999 4669 15715 Mar 18 10:05:43 firewall miniupnpd[782]: wait_for_stun_responses: waiting 3 secs and 0 usecs Mar 18 10:05:43 firewall miniupnpd[782]: wait_for_stun_responses: received responses: 1 Mar 18 10:05:43 firewall miniupnpd[782]: wait_for_stun_responses: waiting 3 secs and 0 usecs Mar 18 10:05:43 firewall miniupnpd[782]: wait_for_stun_responses: received responses: 3 Mar 18 10:05:43 firewall miniupnpd[782]: wait_for_stun_responses: waiting 3 secs and 0 usecs Mar 18 10:05:43 firewall miniupnpd[782]: wait_for_stun_responses: received responses: 4 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: Type 0x0101, Length 68, Magic Cookie 2112a442 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: MAPPED-ADDRESS X.X.X.X:38769 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: SOURCE-ADDRESS 217.10.68.152:3478 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: CHANGED-ADDRESS 217.116.122.136:3479 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: XOR-MAPPED-ADDRESS X.X.X.X:38769 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: SOFTWARE Vovida.org 0.96 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: Type 0x0101, Length 68, Magic Cookie 2112a442 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: MAPPED-ADDRESS X.X.X.X:13999 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: SOURCE-ADDRESS 217.10.68.152:3479 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: CHANGED-ADDRESS 217.116.122.136:3479 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: XOR-MAPPED-ADDRESS X.X.X.X:13999 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: SOFTWARE Vovida.org 0.96 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: Type 0x0101, Length 68, Magic Cookie 2112a442 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: MAPPED-ADDRESS X.X.X.X:4669 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: SOURCE-ADDRESS 217.116.122.136:3478 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: CHANGED-ADDRESS 217.116.122.136:3479 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: XOR-MAPPED-ADDRESS X.X.X.X:4669 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: SOFTWARE Vovida.org 0.96 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: Type 0x0101, Length 68, Magic Cookie 2112a442 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: MAPPED-ADDRESS X.X.X.X:15715 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: SOURCE-ADDRESS 217.116.122.136:3479 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: CHANGED-ADDRESS 217.116.122.136:3479 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: XOR-MAPPED-ADDRESS X.X.X.X:15715 Mar 18 10:05:43 firewall miniupnpd[782]: parse_stun_response: SOFTWARE Vovida.org 0.96 Mar 18 10:05:43 firewall miniupnpd[782]: STUN: ext interface igb0 with IP address Y.Y.Y.Y is now behind unrestricted NAT 1:1 with public IP address X.X.X.X: Port forwarding is now enabled
-
@encrypt1d Thanks for your reply. The "Override WAN address" is that for just users that are behind a double NAT? Are you saying that if I run the latest pfsense with only the patch would I be on a full cone NAT? My public IP is on my WAN. I wouldn't need the additional miniupnpd fix then right?
I used to use this site to test my full cone nat http://nattest.net.in.tum.de/
It looks like they brought it down and are building a new test that uses javascript instead of the old one that used Java-Applets https://www.net.in.tum.de/research/software/I found the github test which I now know is not quite the same thing, since it doesn't do upnp port mapping requests. Do you know of any test that does do something like that website that I posted above?
-
@chief said in UPnP Fix for multiple clients/consoles playing the same game:
The "Override WAN address" is that for just users that are behind a double NAT?
Yes, that is correct. Same goes for the STUN option. You wouldn't need either option or the miniupnpd fix if your setup isn't double NAT. When you asked about full cone NAT, I assumed you meant your ISP was NATing.
Full cone NAT is a term which typically applies to your ISP's upstream router. If they are not NATing anything, then it is fully under your control.
This page has a good write-up on the definition:
https://dh2i.com/kbs/kbs-2961448-understanding-different-nat-types-and-hole-punching/
And they have a tool as well, which should show as "permissive" when you run it (assuming you are defaulting your outbound traffic with static port NATing.)
https://clients.dh2i.com/NatTest/The truth is any NAT test tool you use only tests your existing NAT rules, not what a game will see, because the game will program new NAT/Firewall rules via UPNP that override anything you have configured.
-
I don't know where to find UPnP-related logs, but I had an odd issue with it not working just now (2022-03-20 ~02:15-02:30, for my own reference). COD:Warzone was showing as "strict NAT"
Filter reload and reset states did not resolve it. The firewall had been rebooted earlier in the day when there were internet issues outside my local network (both with my provider as well as with google overall and their DNS servers), on the WAN side, and the intermittent internet connectivity continued for many hours after the reboot. The internet has been fine for many hours now, but for whatever reason, UPnP wasn't functioning as expected with the patch. It was as if the patch wasn't working.
I don't know if a reboot resolved it alone, because I also reverted the patch and re-applied it before rebooting. But, the issue was resolved and UPnP would port forward normally and COD:Warzone showed as "open NAT" again.
It makes me wonder if there was some weird issue where the firewall got confused and stuck in a bad state in one or more of these scenarios:
- whenever there was a valid WAN IP, but no functional connectivity
- when one of the DNS servers was dysfunctional
- when it flip-flopped between 192.168.100.10 WAN IP (local, assigned by the modem when no IP can be retrieved due to internet connectivity issues) and and the real IP once it was retrieved and assigned, as internet connectivity went up and down over a period of many hours
Just wanted to share that if it's something else worth looking at.
-
As soon as I saw this UPnP fix for pfsense, I knew that I wanted to try it out so I just installed a fresh copy of pfsense 2.6 on my HP 730t and applied the patch. After installing the patch and turning UPnP on, I rebooted the firewall and then started up my PS5 and Xbox X. My Xbox immediately returned an Open NAT which was awesome, but my PS5 is getting Moderate NAT (NAT Type 2). I have included some screenshots showing my configuration, and I'm curious if anything looks off? I have no manual Port Forward, 1:1 or Outbound rules set. I have also rebooted the firewall and PS5 several times with no luck. Thanks in advance!
-
You may have to perform your test in the reverse order.
Another tester provided evidence in an earlier post that Sony is not respecting the UPnP protocol RFC. That evidence suggests that the PS tries for the same port indefinitely instead of trying new ones. It was around post 65 above https://forum.netgate.com/topic/169837/upnp-fix-for-multiple-clients-consoles-playing-the-same-game/65
Power down your consoles, then delete your Miniupnpd mappings (you can clear them from the status page). Power up the Playstation first. If it doesn't get Open NAT in this scenario, then there is some other issue. If it does have Open NAT, then power up the Xbox.
You may also want to ensure the following NAT settings are set:
-
-
@encrypt1d I'm not familiar, so I'm asking...
From your testing to solve the upnp problem, does pfsense/miniupnp just drop those packets or reject them?Again, I may really be misunderstanding how a system requests or initiates sending data over a port. Even if Sony doesn't follow the RFC standards, could a workaround be rejecting packets for an occupied port rather than just dropping/discarding them? Would something like that signal devices like sony's to try another port...if the packets aren't already rejected by pfsense/upnp?
-
I don't have a playstation, so it was @Saber that provided the debug info.
It showed the Sony trying for the port (9308), miniupnpd responding with a "port already taken", and then the PS just kept asking for the same port over and over. If it is ever going to work, it needs to ask for a different port when the first one isn't available. It's just stuck in a retry loop that it can never escape. If the PS goes first, it should get the port it needs, and hopefully the xbox implementation will request a new one ... but I suppose we'll see. I'm not even sure if they are asking for the same ports - so @sclawrenc will have to let us know how it goes. -
NAT Type 2 is the best you can get with Playstation unless you directly expose your Playstation to the internet. As an example having the device assigned its own Public IP address. Only in that scenario would you get a NAT Type 1.
Type 2 just lets you know that there is a NAT in place. but is open and will allow for online game play and in-game communication.
What you don't want is a NAT Type 3 which is a restricted NAT.
-
@encrypt1d said in UPnP Fix for multiple clients/consoles playing the same game:
Power down your consoles, then delete your Miniupnpd mappings (you can clear them from the status page). Power up the Playstation first. If it doesn't get Open NAT in this scenario, then there is some other issue.
Thanks for your response. Unfortunately, I still only see NAT Type 2 trying this with and without the Pure NAT and Enable auto outbound NAT for Reflection selected.
@saber said in UPnP Fix for multiple clients/consoles playing the same game:
NAT Type 2 is the best you can get with Playstation unless you directly expose your Playstation to the internet.
Thanks for your feedback. I'm going to have to look into this further since I "think" NAT Type 1 is possible without fully exposing the PS5. Maybe UPnP along with some port forwards for the PS5 would do the trick?
Another question I have is whether or not this works or even needs to work with my IPv6 network. I have both IPv4 and IPv6 running on pfsense.
-
It's not possible, I've tried. The ONLY way I got it show as NAT Type 1 was with ddwrt WAY back in the day with the "DMZ" mode. MY ISP allows for the purchase of 3 static IPs for some services I run. If I assign one of those IP's to the Playstation it will show a NAT Type 1. Outside of that I have never gotten Playstation to show a NAT Type 1 and other Playstation gamers have said the same thing. Regardless online gaming will work just fine with NAT 2 type as that's what I game online with, without a problem.
NAT Types defined is a really good guide for NAT types for XBox and Playstation:
https://portforward.com/nat-types/
-
@saber well, I learned something new today. Thanks for letting me know about this as I might have tried to get NAT Type 1 for days before figuring this out. Strange thing is, I think my PS4 had NAT Type 1, but I can't be certain since I don't have it anymore.
So based on my initial and brief testing, the UPnP patch works as expected! Great job to all who helped make this a reality! This new UPnP functionality was a deciding factor for me to come back to the pfsense world. :)
-
I had this fix enabled and later added another interface to pfSense (ah yes, the wonders of virtualization) and that interface was not shown in the upnp webui.
I then disabled this patch, rebooted pfSense and now it is shown.
Just to let you know (22.01-RELEASE) -
@bob-dig said in UPnP Fix for multiple clients/consoles playing the same game:
I had this fix enabled and later added another interface to pfSense (ah yes, the wonders of virtualization) and that interface was not shown in the upnp webui.
I then disabled this patch, rebooted pfSense and now it is shown.
Just to let you know (22.01-RELEASE)That is completely unrelated to this patch. It only touches the NAT rules and there is no way it could interfere with anything like that.
-
@jimp Your right, had no success now in recreating this problem.
-
@encrypt1d @Saber
I can't find any official channel to report a PS5 bug. The only thing I found is their bounty program. However, if it's worded properly (which I couldn't do or understand), they may pass it along to whoever needs to fix the problem. I even looked on linkedin to find someone specific that I could contact directly, and found nobody useful.I couldn't find the appropriate RFC to reference, so I couldn't mention that when I attempted making a report and reference the post of the logs, which I decided against.
You both seem to know what's going on with hands-on experience with the UPnP problem in general, and with Sony devices, so I hope you'll consider sending a report and mention that there's no appropriate venue to report this issue:
https://hackerone.com/playstation/reports/new?type=team&report_type=vulnerability -
how can i implement this network wise. it has been so long that i don't remember how?
-
I believe this is the RFC, and I have linked the relevant section. I am not a UPNP expert :)
https://datatracker.ietf.org/doc/html/rfc6970#section-5.6.2
It shows that when the UPNP client asks for a port that is already taken, the protocol dictates that it should respond with error 718 / ConflictInMappingEntry and then proceed to try another port.
The evidence @Saber collected showed it continuing to try the same port every time, which is where their problem likely is.
I don't have any playstations, so I would not be able to help further.
-
@encrypt1d I have tested the patch with two PlayStation 3's (OS also based on FreeBSD) and see the same behaviour as @Saber i.e. the first booted PS gets NAT type 2 and shows up in the UPnP & NAT-PMP status section, but the second PS does not and gets NAT type 3 assigned.
Is there any other way to setup both PlayStations with NAT type 2 i.e. "open"?
-
@argon-0 Yeah, just configure the normal gaming setup for PFSense which is to setup an Outbound static port rule:
https://docs.netgate.com/pfsense/en/latest/nat/outbound.html#nat-staticport
I configured that to get both my playstations on at the same time with NAT type 2. Network wise the behavior remains the exact same with second powered up playstation requesting the same damn port, but for whatever reason gets a Type 2 NAT with the outbound static port configuration.
-
-