UPnP settings for successful OPEN NAT on Destiny 2 (new multi-user settings)
-
Re: Destiny 2 Strict NAT regardless of what I do
Went randomly searching for how to make an OPEN NAT type in pfSense for Destiny 2. Some old settings and suggestions didn't work for me, but I did manage to get it working with UPnP.
Firewall -> NAT -> port Forward -> nothing for Destiny
Firewall -> NAT -> Outbound -> Auto
Services -> UPnP -> check Enable UPnP & NAT-PMP
check Allow UPnP Port Mapping
External interface is your WAN
Interfaces are your internal LANs you want to access the UPnP service
Pretty sure for better security:
Services -> UPnP -> UPnP Access Control Lists -> check Deny access to UPnP & NAT-PMP by default
Make an ACL entry:
allow 3074-3097 xxx.xxx.xxx.xxx 3074-3097 where x is your internal IP for the Destiny PC. Add entries if you have multiple PCs that need access to the service, make sure to include the port ranges. You could also use /24 etc. nomenclature in the area for the IP address, should you want to limit the number of ACL entries for example (maybe not always the BEST security practice).
Good hunting, Guardians.
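Added example, not part of the original post and not pfSense or miniupnpd code: a small Python model of how ACL entries in the form quoted above decide which device may request which port mapping, and how much a /24 entry widens that compared with per-host entries. The addresses are constructed, and first-match evaluation with the field order (action, external ports, internal address, internal ports) is an assumption of this sketch.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    allow: bool
    ext: range                       # external port range
    net: ipaddress.IPv4Network       # internal host or subnet
    internal: range                  # internal port range


def _ports(spec: str) -> range:
    """Parse '3074' or '3074-3097' into an inclusive range."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return range(lo, hi + 1)


def parse_rule(line: str) -> Rule:
    """Parse '<allow|deny> <ext ports> <ip[/mask]> <int ports>'."""
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    return Rule(action == "allow", _ports(ext),
                ipaddress.ip_network(net, strict=False), _ports(internal))


def permitted(rules, client, ext_port, int_port, default_deny=True):
    """First matching rule decides (assumption); otherwise the default applies."""
    addr = ipaddress.ip_address(client)
    for r in rules:
        if addr in r.net and ext_port in r.ext and int_port in r.internal:
            return r.allow
    return not default_deny


def exposure(rules):
    """Upper bound on (internal host, external port) pairs the allow rules cover."""
    return sum(r.net.num_addresses * len(r.ext) for r in rules if r.allow)


# Constructed addresses: .50 stands for the gaming PC, .51 for the console.
PER_HOST = [parse_rule("allow 3074-3097 192.168.1.50 3074-3097"),
            parse_rule("allow 3074-3097 192.168.1.51 3074-3097")]
WHOLE_LAN = [parse_rule("allow 3074-3097 192.168.1.0/24 3074-3097")]

if __name__ == "__main__":
    for name, rules in (("per-host", PER_HOST), ("/24", WHOLE_LAN)):
        print(name, "other LAN device allowed:",
              permitted(rules, "192.168.1.77", 3074, 3074),
              "| exposure:", exposure(rules))
```

With the deny-by-default box unchecked (default_deny=False here), a device with no matching entry is allowed, which is why the post pairs the ACL entries with that checkbox.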
-
@herozero This worked great for one device, but there were some additional steps I had to take to be able to get Destiny working with two players on the same fireteam on different devices in our network (PC and Xbox). Now, it's possible that the settings I had to change are the defaults now; I'd been tinkering with NAT and UPNP for a long time to try to get things working and as you mentioned there are a lot of guides out there which are elaborate and outdated.
This thread was the missing piece, and particularly @iculookn 's description of some additional needed settings:
System > Advanced > Firewall & NAT:
NAT Reflection mode for port forwards -> DISABLED
Enable NAT Reflection for 1:1 NAT -> UNCHECKED
Enable automatic outbound NAT for Reflection -> UNCHECKED
(For those who look at that thread, ignore all of the stuff about patching in the earlier messages... the changes shipped long ago and are in current releases)
Your settings plus making these changes and rebooting fully resolved my longstanding issues, enabling my daughter and me to finally play together. We're going to tackle the Final Shape legendary campaign together. Thank you!
-
@reborndata That's outstanding, I'm the only Guardian in the house so I never had the need or ability to get it working with two devices at once, but it's great to know it is working and we got it! I've read a lot about people having issues with multiple users on the same home network, I'm really happy this nailed it.
Feels almost as good as finishing a raid. lol
-
cool! i think so too
-
@cameliablossom @herozero I spoke too soon. Although it worked the first day, I'm back to "Moderate" NAT on the PC and no ability to play multiplayer. I'm suspecting either the PC or the firewall is keeping some state around longer than it should... when I restart Destiny on the PC I see no SSDP packets via Wireshark on the PC or with packet capture on the firewall, so I need to do some experimentation to try to narrow down the conditions in which it works and when it doesn't. I suspect this is a Bungie problem; we have no problems with other multiplayer games.
-
@reborndata I don't play Destiny but it seems to use pretty much the same ports as most other games I have seen.
I honestly don't know if the settings you referred to from iculookn's comments will actually have any impact. I have always kept them at Pure NAT and Automatic outbound NAT active, which is how I have seen most people having it set.
And so far I have not had one single problem with any of the games played in the house, related to UPnP at least. It would be quite surprising if Destiny is any different, especially since Bungie clearly states that you need UPnP for multiple players in the same household to work.
What do your ACL rules have in terms of ports allowed for the PC and Xbox respectively? Is it only as the first post here states, or do you include port 88, which is also listed for Xbox 360? And a whole list of other ports if you have Xbox ONE.
(help.bungy.net)
However, the one port that should be needed for a PC to get Open NAT is 3074. And if your PC is alone, and the first one starting a game, there is no reason you should be getting Moderate NAT.
What DNS server is your PC using? If you do ipconfig /all, what do you see? I noticed while testing recently that my AdGuard DNS server was failing and I ended up with Moderate NAT even with a known working setup. Only when setting a different DNS server for my PC (like 1.1.1.1), did it start working again. And now it works after resolving the issue with AdGuard.
Another thing that might create problems, is if you have IPS (Suricata/snort) and it blocks something related to the game.
I'm kind of assuming you have static IPs on your gaming PCs and Xboxes, but in case anything has changed there, you might run into trouble. Both with the ACL rules of course, but also since UPnP does not seem to release the port mappings when the game closes or the device shuts down.
-
@reborndata Same, ipconfig /flushdns, reset states on pfsense and/or clearing states on my ATT gateway/modem ("pure IP-passthrough my butt") makes it work again, but yeah it seems like a crapshoot whether it uses an old state or a new one? If it is the culprit maybe there's a way to automate a state reset, or at least kill the old ones?
-
This should be fixed in 24.08. It's actually an issue with miniupnpd from what I understand, and they have fixed it. It's fixed in the latest dev version of pfSense because they updated the packages.
If you want states to time out like they should, then you will need to manually update the package on your pfSense box.
Run the pfSense update to get the latest repos, and then run
pkg upgrade miniupnpd
from the shell. This will update miniupnpd to the latest version, and should fix the states never timing out problem.
I would also restart the miniupnpd service just to make sure you are using the updated package if you take this route.
If not, it should be fixed in the future release.