PS4 NAT Type Failed

turbopuer

My PS3 doesn't have any issues  and always has reported NAT type 2 which is expected.

The PS4 on the other hand just reports failed. I have tried port forwarding, 1:1 NAT, setting up a DMZ on a different port and forwarding all ports in and out to that PS4's IP Address, all other tricks in the book and still nothing. The only way I have gotten it to work is by plugging it directly into the cable modem which needless to say isn't really a solution.

After first I thought there was an issue with UPnP on my pfsense box, but after digging through some packet captures and comparing it to the working PS3 that doesn't appear to be the case. The PS4 is able to talk to miniupnp, map a port and use it. My PFSense box sees that upnp request, maps the port and allows the traffic per the logs (confirmed with a tcpdump).

However, after comparing a packet capture of a network test from the PS3 and PS4 I do notice a subtle difference between stages where the systems attempt to transverse the NAT using CLASSIC STUN. I captured the traffic from both the WAN side and the LAN side of the PFsense and am wondering if this squarely points an issue on the PS4/upsteam server responsible for NAT transversal setup or if my PFsense could still be causing issues.

I doubt Sony will do anything on their end if its some sort of weird bug but I would just like to pull my PFsense out of the possible causes category.

Additional Info:

PFsense 2.1 running on NetGate Device
UPnP Enable
No extra NAT rules and automatic outbound NAT rule generation is on
Both PS3 and XBOX 360 have zero issues with this setup currently.

I have attached captures showing the NAT Transversal setup from both the LAN and WAN sides of a PS3 and PS4 network test (pcap format).
PS3-NAT-TRANS-LAN.pcap.txt
PS3-NAT-TRANS-WAN.pcap.txt
PS4-NAT-TRANS-LAN.pcap.txt
PS4-NAT-TRANS-WAN.pcap.txt

izala

I can verify that I am having the exact same issue: PS4 reports NAT Type: Failed, I am unable to connect to multiplayer games or utilize the party chat feature at all.

I have UPNP enabled, and my PS3 attached to the same pfsense device works without any issues.

AhnHEL

Can you post a screenshot of your UPnP settings page?  Setup Manual Outbound NAT (Advanced Outbound NAT) and above your LAN entry, create a duplicate rule using your PS4's IP as Source and select Static Port.

turbopuer

I had tried that setup before as well and still no go. However, I went through the steps again, just to be sure and still failed. The automatic rule generation should take care of this though. Granted it may not set the entry it creates as static, but I would assume that if both my PS3 and XBOX have no issues under the settings I normally run (UPnP Enabled, automatic outbound NAT rule generation, no port forwards). Then I would assume the PS4 to have no issues as well.

Screenshots attached.


AhnHEL

The AON rules are handled top to bottom and it looks like your rule that you posted is at the very bottom.  It needs to be above your LAN rule.  Once done, shut off your PS4, clear your states, restart the UPnP service and then turn on PS4 again.  Give that a shot plz.

turbopuer

There we go! – THANKS!!!!

Put it at the top of the ruleset and it worked. However I have a bunch of openVPN bridges and stuff on this firewall and there are alot of rules that I may have to manage now. Is there a way to add an oubound rule with also maintaining my automatic status? Or perhaps on option in the advanced settings/tunables that allow me to make automatic generation set the rule for the LAN that is generated to static?

AhnHEL

@turbopuer:

There we go! – THANKS!!!!

Put it at the top of the ruleset and it worked. However I have a bunch of openVPN bridges and stuff on this firewall and there are alot of rules that I may have to manage now. Is there a way to add an oubound rule with also maintaining my automatic status?

You're very welcome.

I feel you on the "a lot of rules that I may have to manage now."  You need the Static Port option that Advanced Outbound NAT gives you to make UPnP work with gaming consoles and NAT Type.  Personally I have 11 AON rules and it looks daunting but still rather easy to setup because for the most part the entries are repetitive.

Nothing written in the Docs about any tunables for static port that I know of.

https://doc.pfsense.org/index.php/Static_Port

turbopuer

Yeah I have 25 now. Not a huge deal just one more thing I will have to remember to keep an eye on when adding things later.

I wonder if its possible to modify the rule form the command line. The Auto rule creation does make a rule for the LAN network to WAN just doesn't set static. If you could use pfctl to change that autocreated rule from static=no to static=yes I supposed you can use cron to enforce it.

Though to be honest, it would be nice to allow both automatic create and static rules to be defined instead of ignoring them like the gui says it does. This way you can cherry pick rules you need and let the system manage the more mundane/simple rules; and it could put them on top of the auto generated e rule set for you.

Anyways, thank again!

blarnath

Hey guys,

I'm wondering if someone else is having these issues or if it's just me.  I have successfully configured NAT for the PS4 and it reports Type 2 but I'm still having issues with BF4 as well as Netflix that are resolved by moving my PS4 to the provider router.  For Battlefield 4 I can't maintain a connection to EA, at first I thought this was EA but moving to the edge fixes the problem.  The symptoms are that I cannot get server listings in multiplayer, and when I am able to join a quickmatch game I'll be disconnected after a short (but varying) amount of time.  Disconnection does not log anything on the PS4, it just takes me back to the multiplayer menu.

The problem with netflix is that it can't connect to Netflix server 2 and 3 with an error of NW-4-7 which on the PS3 was a DNS error, but I don't this this is the case as I have 4 other devices that do Netflix fine.  Moving the PS4 off of the pfSense router also resolves this.

Another thing that I've noticed is that the network test on the PS4 is reporting extremely low upload rates, the download is normal (~15Mbs) where as I'm getting about 8Kbs reported in the upload while behind pfSense.  I'm running 2.1-RELEASE and I've stripped down my NAT rules to just the 3 that were created by default for testing.  I moved the LAN rule to the top and enabled Static Ports to get type 2 working, but something else is breaking and I'm wondering if it's just me or if others are having similar issues.

I can provide packet captures and any other information if needed.  I'm planning on troubleshooting this more later, but need to get my BF4 fix in and thought I'd just ask first.

Thanks in advance!

blarnath

I should add that the only 2 packages I'm running are Avahi and Darkstat, noticed some Origin problems related to HAVP and wanted to exclude that right off the bat.

thx

AhnHEL

How are you getting NAT Type 2 though?  Port Forward Method or UPnP?  Screenshots of your AON rules and UPnP or Port Forward Settings would help.

svfusion

I am also having these issue and don't really even know where to start..

I have made no special rules,
NAT Outbound is set to,
Automatic outbound NAT rule generation
          (IPsec passthrough included)
Here is a pic of my upnp setup,

AhnHEL

For this to work, you're going to have to use Manual Outbound NAT rule generation, setup a rule for the fixed LAN IP address you have assigned to your PS4 checking the Static Port checkbox.  Save that rule above your default Outbound NAT LAN rule and you should be good to go.

Refer to Turbopuer's screenshots above, just be sure to put the PS4 NAT rule above the LAN rule, unlike in his screenshot.

svfusion

@blarnath:

Hey guys,

I'm wondering if someone else is having these issues or if it's just me.  I have successfully configured NAT for the PS4 and it reports Type 2 but I'm still having issues with BF4 as well as Netflix that are resolved by moving my PS4 to the provider router.  For Battlefield 4 I can't maintain a connection to EA, at first I thought this was EA but moving to the edge fixes the problem.  The symptoms are that I cannot get server listings in multiplayer, and when I am able to join a quickmatch game I'll be disconnected after a short (but varying) amount of time.  Disconnection does not log anything on the PS4, it just takes me back to the multiplayer menu.

The problem with netflix is that it can't connect to Netflix server 2 and 3 with an error of NW-4-7 which on the PS3 was a DNS error, but I don't this this is the case as I have 4 other devices that do Netflix fine.  Moving the PS4 off of the pfSense router also resolves this.

Another thing that I've noticed is that the network test on the PS4 is reporting extremely low upload rates, the download is normal (~15Mbs) where as I'm getting about 8Kbs reported in the upload while behind pfSense.  I'm running 2.1-RELEASE and I've stripped down my NAT rules to just the 3 that were created by default for testing.  I moved the LAN rule to the top and enabled Static Ports to get type 2 working, but something else is breaking and I'm wondering if it's just me or if others are having similar issues.

I can provide packet captures and any other information if needed.  I'm planning on troubleshooting this more later, but need to get my BF4 fix in and thought I'd just ask first.

Thanks in advance!

Did you ever fix this? I configured my Pfsense like the screen shots, reports NAT 2, but still can't play Need for Speed, says it can't connect to EA Servers.

AhnHEL

This might not be a pfSense issue at all.

http://answers.ea.com/t5/Madden-NFL-Football-25/Cannot-log-into-EA-servers-Madden-25-PS4/td-p/1847549

If you google "ps4 cant connect to EA server," there are posts for all sorts of games with the same error all related to EA.

gamer

After following the instructions in this thread I managed to get my ps4 to report NAT type 2. The problem is that I still can't connect to it with remote play. I have forwarded the correct ports 9295,9296 and 9297. My vita connected to LTE fails to find my ps4.

Has anyone gotten remote play to work without upnp?

eshield

@gamer:

After following the instructions in this thread I managed to get my ps4 to report NAT type 2. The problem is that I still can't connect to it with remote play. I have forwarded the correct ports 9295,9296 and 9297. My vita connected to LTE fails to find my ps4.

Has anyone gotten remote play to work without upnp?

TCP 9295, UDP 9296-9297? If yes then take a look in firewall logs to locate the problem. Turn on logging for those 2 rules which you made for forwarding. Turn on logging for connections blocked by default rules.

---

I think, the following should be added to gui and wiki:
Static Port ON = NAT Type 2
Static Port OFF = NAT Type 3

gamer

I have 9295 TCP an 9296-9297 UDP.

I enabled logging and found that no packets from my vita even reach pfsense. Its as if Sony can't find my ps4. I have tried reactivating my ps4 and reconnecting my PS vita. Nothing seems to help.

RobertR728

Thank you so much AhnHEL. I am a noob to pfsense and it took me a while to understand what exactly i was supposed to do. Once i was able to figure it out it works here too im now NAT2 on my PS4.

A question though you stated that the rule needs to go above the outbound lan rule. I do not have any outbound lan rule. Its working so im going to assume its his setup that has that and its different and more advanced than mine thus i dont need that rule. Is this correct?

Also if there is 2 or more PS4 in the house a rule like the one i created would have to be done for each one?

Again thank you for your help.

AhnHEL

When you went from Automatic Outbound NAT to Manual Outbound NAT, a default LAN NAT rule should have been created.  Your Firewall: NAT: Outbound page should look something like below for multiple consoles, of course with different IP addresses matching your LAN subnet and DHCP mappings for your consoles.

Firewall: NAT: Outbound

WAN  	 192.168.1.17/32	 *	 *	 *	 WAN address              *	            YES	      1XBox AON 	

WAN  	 192.168.1.18/32	 *	 *	 *	 WAN address     	  *	            YES	      2XBox AON 	

WAN  	 192.168.1.19/32	 *	 *	 *	 WAN address     	  *	            YES	      1PS3 AON 	

WAN  	 192.168.1.20/32	 *	 *	 *	 WAN address     	  *	            YES	      2PS3 AON 	

WAN  	 192.168.1.0/24 	 *	 *	 *	 WAN address     	  *	            NO	      LAN AON

WAN  	 127.0.0.0/8	         *	 *	 *	 WAN address          1024:65535            NO	      Localhost AON
``` 

I would also recommend that rather than enable UPnP and leave it wide open, that in the UPnP settings page, check on the "By Default, deny access to UPnP and NAT-PMP."  You would then enter a User Specified Permission to allow your console DHCP mappings access to UPnP while the rest of your network is effectively blocked from UPnP.
Each UPnP User Specified Permission should look like the below matching your LAN subnet and DHCP mappings of your consoles.

**UPnP**

User specified permissions 1              allow 88-65535 192.168.1.17/32 88-65535
User specified permissions 2              allow 88-65535 192.168.1.18/32 88-65535
User specified permissions 3              allow 88-65535 192.168.1.19/32 88-65535
User specified permissions 4              allow 88-65535 192.168.1.20/32 88-65535

**For more advanced users:** If you need more space for additional UPnP rules, then the above can be simplified with one rule instead of four with some network masking.  Be aware that with this masking, the subnet ID and broadcast address for your mask should not be used by DHCP Server or DHCP static mappings.

**UPnP**

User specified permissions 1              allow 88-65535 192.168.1.16/29 88-65535

**Firewall: NAT: Outbound**

WAN  192.168.1.16/29 * * * WAN address      *             YES       Game Consoles AON

WAN  192.168.1.0/24 * * * WAN address      *             NO       LAN AON

WAN  127.0.0.0/8         * * * WAN address          1024:65535            NO       Localhost AON