Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [Solved] Need help to figure out Port Forward/Outbound NAT vs UPnP

    NAT
    2
    4
    506
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      Gblenn
      last edited by Gblenn

      After considerable testing with a goal of being able to turn off UPnP whilst maintaining "Open NAT" for all games, I am still not able to find a setting that works...

      Here's what I have found and the settings I'm using:

      Port forward 3074 > Gaming PC
      Outbound NAT, Hybrid mode port 3074 - Gaming PC Static port

      With this simple setting I get Open NAT on most games except MW2 (2009 version)...

      This game is also using port 28960 but no matter what I do here, I can't get anything but Strict NAT. I have tried opening up a whole lot of other ports as well, listed by Activision and others but that doesn't help.

      On the other hand, when using UPnP (and only Automatic Outbound rules and no port forwards) I get Open NAT on every single game. And I notice that games typically initiates much quicker, especially if I have NAT-PMP activated.

      On the UPnP status page I can see the following listed for MW2:

      560a17b6-23d9-4076-ac9f-8580a39b252a-image.png

      Experimenting further, I took an EdgeRouterX (with UPnP activated) and placed it between my PC and pfsense => Double NAT'ed.

      And now I'm able to get Open NAT on MW2 and the other games without any further changes. In fact I can get Open NAT on MW2 and Moderate NAT on others, without Port forwarding 3074, as long as I maintain Outbound NAT Static ports (for the EdgeRouterX this time).

      I have tried to mimic what I see in Status / UPnP in different ways, setting e.g. 28960-28963 as source and 28960 as internal destination port, but that doesn't help.

      abd3b6c2-e85c-4665-a45c-e7653b353849-image.png

      Any ideas on how to solve this? Or are there things that UPnP does that simple can't be replaced through port forwarding and other rules?

      Bob.DigB 1 Reply Last reply Reply Quote 0
      • Bob.DigB
        Bob.Dig LAYER 8 @Gblenn
        last edited by Bob.Dig

        @Gblenn I say stick with UPnP if it works for you. Just make it available only on the networks or hosts that need it and you are good.

        G 1 Reply Last reply Reply Quote 0
        • G
          Gblenn @Bob.Dig
          last edited by Gblenn

          @Bob-Dig You are not wrong, and I suppose that is the simple and even the best solution. And it is how I have had it set up for a long long time...

          But now I have started digging and I'm a bit to much of a curious mind to stop now... ๐Ÿ˜€

          I mean I have really done some extensive testing (if you ask me) with all kinds of settings and trying out all different suggestions on which ports to forward etc. Which has led me to this minimal configuration that almost works... except this one game... ๐Ÿ˜ต

          Isn't it strange that I can't get anything but Strict NAT on MW2, except when using UPnP... yet, when placing a UPnP device between pfsense and the PC, that game just works!!
          And that is with UPnP turned off in pfsense, no gaming ports forwarded and Outbound NAT automatic... It's suddenly like it was no more complicated than a web browser...

          Yet, when UPnP is turned on in pfsense, and it also works, it shows in Status / UPnP that MW2 does ask for port 28960. And here it is when having EdgeRouterX in between even... It looks exactly the same...

          5ef15466-db1a-4d57-a856-45aaaf5372e9-image.png

          All the while, any games depending on Port 3074 must have ports forwarded or UPnP activated, to get Open NAT. The difference being that they also work with only Port Forward and static ports.

          Perhaps the information is hidden somewhere in some logs... I'm thinking there is more going on than what UPnP is showing in the status page?
          Do all consumer grade routers have UPnP? All instructions list ports to forward, even from Activision and Infinity Ward themselves, so why is that not enough? Would pfsense really be any different in that regard?

          G 1 Reply Last reply Reply Quote 0
          • G
            Gblenn @Gblenn
            last edited by Gblenn

            I wanted to give an update to this since I have been going back to this problem and believe I have finally found a working solution.

            My experimenting has involved a few different firewalls and setups, and all the time I have been able to get Open NAT on MW2 (2009 version) only when the game has been "seeing" UPnP. Regardless if there has been a second firewall upstream that only had "traditional" port forwarding set up.

            I'm writing "seeing" UPnP as I recently did some packet capture and started noticing some similarities between the scenarios with and without UPnP active. When not having UPnP I have manually set up port forwards for 28960-63, which are the ports showing up in the UPnP status page when this game is running.

            What I found was that regardless if the game reports Open or Strict NAT, I always have the following "pattern" showing up in the pcap data:

            e61ff4f5-1a6b-42dc-83ca-5e20cf7109ae-image.png

            The only difference when UPnP is active, is that before this communication starts, I also see the following nat-pmp request and response sequence.

            15bbeb55-5dac-409a-bf01-8988f2e68b0e-image.png

            So I started thinking that the communication actually seems to be working on port 28960 and the game's reporting of Strict NAT might not be accurate? So I got some help from my friends to do some further testing and sure enough, I am able to host a game as well as connect to any other party hosting a game without issues!

            So, I'm guessing that this particular game is actually reporting NAT status solely based on getting a response on it's nat-pmp request, and not based on actually doing a communication test... which in my case is giving me incorrect information and has had me chasing a nonexistent problem for quite a while... ๐Ÿ˜ฒ

            So all I have now are ports 3074-79 and 28960-63 opened towards my game PC... And for port 3074 I have to make sure to use static port.

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.