Dmz questions for game consoles



  • Hello, I recently moved to PFsense from IPcop and I'm enjoying the features so far.  One problem i had that wasnt an issue until recently is that my Nintendo WiiU seems to only work properly in a DMZ.  When I had my box down to install PFsense I just DMZ'ed it in my little DD-WRT router and it worked fine.  I've read tutorials for a DMZ, but they are all for 1.2 or 2.0 and I wasnt sure if there would be any differences in 2.1 that i would need to be aware of. Here are the things that would work, in order of most to least ideal.

    1. Pass all DHCP for the WiiU to cable modem and have it get a seperate wan IP.
    2. Create another DHCP pool on a differfent network and create static leases for the game consoles.  This network itself would not be firewalled.
    3. DMZ the consoles individually, by ip.  This would work, however would be more work than the other two options.

    I realize that this is a fairly general question, but I thought that this would be the appropriate forum as I installed 2.1 straight away.  Any comments/suggestions are welcome.



  • The word "DMZ" is used for different concepts, depending on if you're
    1. configuring a typical "home router" or
    2. are talking about "serious (enterprise level) network planning".

    In case 1 ("home router"), the DMZ is a host which gets hit by all the traffic the firewall would normally block. In other word, it bypasses all firewall functions for that machine and makes it look like it's direktly connected to the Internet. No Security, no safeguards.

    In case 2 ("Serious networking"), a DMZ is a separate network segment, which is connected to the Internet via the "outer firewall" (which typically only permits very select traffic) and is connected to the rest of the LAN via the "inner firewall" (which will only permit legitimate traffic between the servers in the DMZ and the machines in the LAN). For example, the DMZ may contain two web servers. The outer firewall will permit (and probably also load-balance) HTTP and HTTPS traffic to the web servers. The inner firewall will only permit database requests from the DMZ servers to the database server8s) in the LAN, and management traffic from the LAN to the DMZ hosts. That way, if the outer firewall or the web servers get hacked, the LAN is still protected by the inner firewall.

    I'd try UPnP first. It's disabled in pfSense by default. Yes, it opens up a potential security hole, if malicious hosts or application manage to get into your LAN. Of course, the "home router DMZ" feature is far more dangerous.

    Or you manually configure NAT Port Forwarding in pfSense. Let's see what Nintenso has to say about the required ports: http://www.nintendo.com/consumer/wfc/en_na/ds/firewall.jsp


  • Rebel Alliance Developer Netgate

    What specifically won't work on your Wii U?

    My Wii U works fine on my home network. I do have UPnP enabled, though I've never thought to check the status while the Wii U is on to see if it's actually using anything there. I don't think we have any online multi-player games at the moment though.

    Nothing on that Nintendo page mentioned inbound connections (e.g. port forwards) only outbound.



  • @jimp:

    What specifically won't work on your Wii U?

    My Wii U works fine on my home network. I do have UPnP enabled, though I've never thought to check the status while the Wii U is on to see if it's actually using anything there. I don't think we have any online multi-player games at the moment though.

    Nothing on that Nintendo page mentioned inbound connections (e.g. port forwards) only outbound.

    Tank Tank Tank wouldnt do anything when it was behind a firewall.  It gave some random error code that I looked up and had to do with firewalls, so i added it and it worked fine.  I can test it on this and see if that was just an issue with the particular router i was using at the time.  From what i could read, third party developer documentation for the WiiU regarding networking actually suggested DMZ as the way to set it up, which seemed a little odd to me.



  • Id also like to add that my 3ds wont connect to mariokart either.  A peek at the 3ds documentation and no surprise, they want all ports forwarded.

    Maybe i can make a 'game console' alias, add the console ips to it, and exempt them all from filtering? What would be the best way to do it in this case?



  • I did some additional testing and discovered what the problem is, at least when it comes to the 3DS.  I tried to connect to some games, and analyzed the firewall logs and it seems that the outbound randomization is causing it a problem.  Here's  the idea I came up with:

    1. Split the 192.168.1.0 network into two subnets
    2. Move the dynamic DHCP pool to 192.168.1.126 and below
    3. Set static leases to 192.168.1.128 and above for the Nintendo consoles
    4. Set the 192.168.127.0 network to have all outbound ports statically mapped and disable all inbound port filtering

    I'll just leave my 360 out of the second network as it works properly and may be used as a media center in the future.  I was unsure as to what settings all pertain to this being set up; What all would I need to change?  And what is the easiest way to exempt them from filtering?  My thought on that was to create a vlan with an address on the second subnet and set it up as a dmz with a physical nic from there.  The only question I had was if the vlan would need to be set up on the DD-WRT switch/ap to work.



  • I think I fixed it.  What i did was set the dynamic dhcp leases to be in the first subnet.  I didnt actually change the networks at all, but since I assigned all the consoles as if they were in the second subnet, I added the outbound nat rule for 192.168.1.128/25 and set all ports to static.  Since I can connect to games, I'm assuming it works as intended.  Are there any problems i could have with this setup?



  • @autotalon:

    Tank Tank Tank wouldnt do anything when it was behind a firewall.
    <snip>third party developer documentation for the WiiU regarding networking actually suggested DMZ as the way to set it up, which seemed a little odd to me.</snip>

    Definitely odd. I wouldn't expect Tanks in a Demilitarized Zone.


Log in to reply