Help with UPnP Setup - Cannot Achieve Open NAT Status in Games

ngr2001

I am trying to get "Open" NAT status in COD. I had this 100% successfully working in OPNSense but cannot preproduce the same success in pfSense+. When I check the UPnP status page I see no clients listed, please help.

In terms of basic house keeping its very simple flat network for right now. The gaming PC that needs UPnP working has a static IP reserved via DHCP. Outbound NAT was set to Hybrid, I rebooted the firewall and client many times after setting up and tweaking to ensure there were no stale states, still no success.

My setup is below:

ngr2001

So I am getting a little closer but the results do not make much sense to me and do not work properly.

Following another guide I added a NAT Port Forward rule to the mix. Now I get "OPEN" status in COD but in pfSense the UPnP status is not showing any sessions. So I am confused on if what I did is a good idea or not. End goal is to have multiple gaming pcs able to leverage UPnP to dynamically pick their inbound port for games such as COD, this way both pcs have "Open" status. Again worked fine in OPNSense not sure what could be wrong here.

Checking further with this config the second pc cannot even launch COD, it gets a network error, probably its trying to map the first port of choice 3074 on each box at the same time. With proper UPnP working the client would pick the next highest port in the list, 3075 for example and map via UPnP, which is not happening.

Nothing listed....

ngr2001

@ngr2001

I am also seeing some blocked traffic when I launch COD but not sure why.

ngr2001

@ngr2001 This one is now fixed and solved. Ill post what I had to do, it was actually very simple, I feel like there is no good write up on this one so perhaps I can give back with a well documented how to.

Gblenn

@ngr2001 I have had no issues getting Open NAT on any and all CoD titles that I play, even MW2 (2009).

What version of pfsense are you running? I don't recognize the title UPnP IGD & PCP, although the rest looks the same?

Anyway, the UPnP settings look but you shouldn't need all those ports for CoD. I only have 3074-3076 plus 28960-28963 in the ACL rules. And Outbount NAT static is fine even if it isn't necessary. It may give you slightly quicker set up times with some of the games.

But the rules you have put in for the two PC's... what do you expect those to do for you? They do nothing as you can see from the 0/0 B to the left of them.
Also the Port Forwards should not be needed when you have UPnP enabled. You have opened up far too many ports towards those PC's btw...

ngr2001

@Gblenn

I did get it working. I removed the Firewall LAN rules and the NAT Outbound rules and reverted the other NAT setting back to stock. The only thing I needed to configure on the PFSense side was the UPnP module nothing else. The issue I had was that PFSense was trying to perform a UPnP discovery on my local clients which was getting blocked by the Windows firewall. Once I opened up those ports on my clients, UPnP via PFSense worked perfectly. Yes I agree, I have way more ports open that what is needed, currently playing COD Black OPS 6. I will reduce the port range when I have a second.

This was on PFSense+ 24.11-RELEASE

Here is my current config:

I needed to add the following firewall rules on my Windows Gaming PC's, port requirements came from PFSense document so I added all 3.

As mentioned now I get "Open" NAT in BOPS6 on both PC's at the same time !

2 Clients, Same Game Lobby:

Gblenn

@ngr2001 said in Help with UPnP Setup - Cannot Achieve Open NAT Status in Games:

UPnP discovery on my local clients which was getting blocked by the Windows firewall

Yes, that would certainly do it...

BO6, and all the other version, will all get Open NAT with UPnP turned on. And as I mentioned, the ONLY ports that need to be in that ACL list for all of the CoD titles, are 3074-3075 (possibly up to 3076) plus 28960-28961 (possibly up to 28963).
The more PC's you have on your LAN, the more ports you need to add to the range basically. Since they will need "their own"... And having Static Port on Outbound NAT can help out

You need two separate listings per PC on that ACL list... so it looks like this:

ngr2001

@Gblenn

2 PCs 1 Firewall: :)

Being COD picked 3191 for external, wouldn't one need to increase their port scope range to what you have listed above ?

Gblenn

@ngr2001 Yes 2 PC's 2 different ports...

Being COD picked 3191 for external, wouldn't one need to increase their port scope range to what you have listed above?

You shouldn't have to... But I'd go ahead and start testing, that's the only way to know for sure. I think if you limit it to 3074-3076 in your ACL, you would see 3074 and one of the other being used instead...
You could even try and set one of them to 3074 and the other 3075 only, and see what happens...