Netgate Discussion Forum

    NAT Type 3 on PS4 - I've tried everything I can think of

      bgbird03

      Perfect! Did just that. Thanks.

        kejianshi

        Great.  Enjoy.

          Napsterbater

          @kejianshi:

          Clarification.  Make a rule for the 192.168.1.3/32 with a static port
          Then below that add a rule for the 192.168.1.0/24 without static port.

          Why?

          Make 192.168.1.0/24 static port, that way it is done for any future Consoles or P2P apps, then no need to make more rules for each new console/app/device and such, there is practically no reason not to have static port today, except to further break P2P.

          Also, why tell OP to switch to hybrid, then negate that with a rule covering the /24, a rule which is already in place due to hybrid?

            kejianshi

            Because there is no need to make the entire /24 static.

            Also, I can tell by the lack of mistakes that he can do this again for another device any time he likes.  He isn't lost at all.

            I'd be really surprised if an automatic rule trumped his manual rule in hybrid mode, but if it did, I'd say that's a bug.

              Napsterbater

              @kejianshi:

              Because there is no need to make the entire /24 static.

              There is also no (real) reason not to, and again it takes care of any future consoles/P2P apps that have issues with randomized ports.

              @kejianshi:

              I'd be really surprised if an automatic rule trumped his manual rule in hybrid mode, but if it did, I'd say that's a bug.

              No I was saying YOU told him to use hybrid mode vs manual, then also told them to make a /24 rule (in addition to the /32)…  there was no point to the 2nd /24 rule since you had them do hybrid, that /24 was already made.

                kejianshi

                You may be right about the last part.  Won't hurt anything, but you may be right that it isn't necessary.

                BTW - I can't tell anyone to do anything…  Can't even make my dog sit.  haha

                  bgbird03

                  Just as long as it isn't opening my network up to China, I'm happy. I think I'll do 192.168.1.0/24 static, and hybrid. That covers everything, right?

                    Napsterbater

                    @bgbird03:

                    Just as long as it isn't opening my network up to China, I'm happy. I think I'll do 192.168.1.0/24 static, and hybrid. That covers everything, right?

                    https://doc.pfsense.org/index.php/Static_Port

                    That shows why they're doing it by default. But even it states those are very unlikely and not really useful attacks in today's world.

                    It's how I have my network set up. I don't use hybrid, I use manual, but effectively, how you're doing it, it doesn't exactly matter.

                      kejianshi

                      You would only need the entire /24 set with static outbound if you had no idea what the IP of your PS4 was going to be or if its IP changed often.
                      Since you have a static IP, there is no need to assign more than a /32 as static.  In other words, only the one device that needs it.

                      Will it break anything to make the entire /24 static?  No.  But it does neutralize source port randomization for your entire network.

                      Feel free to do whichever way sounds better and more secure to you.  I think most of the people who run this site would recommend only assigning a /32 static though.
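
Added example (not part of any post in this thread, and not pfSense code): a simplified Python model of top-down, first-match outbound NAT that compares the /32 and /24 static-port setups discussed above and shows why the /32 rule has to sit above the /24 rule. The rule class, function names, sample port and the 1024-65535 rewrite range are assumptions of the model.

```python
import ipaddress
import random
from dataclasses import dataclass

@dataclass
class NatRule:
    source: str        # source network the rule matches
    static_port: bool  # True = keep the client's source port

def match(rules, src_ip):
    """First rule whose source network contains src_ip (top-down, first match wins)."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule.source):
            return rule
    return None

def translate(rules, src_ip, src_port, rng=random):
    """WAN-side source port for a packet, or None if no rule translates it."""
    rule = match(rules, src_ip)
    if rule is None:
        return None
    # Assumed rewrite range for this model; static port keeps the original.
    return src_port if rule.static_port else rng.randint(1024, 65535)

def static_hosts(rules, lan):
    """Audit: LAN addresses whose outbound source port is not randomized."""
    hits = []
    for host in ipaddress.ip_network(lan).hosts():
        rule = match(rules, str(host))
        if rule is not None and rule.static_port:
            hits.append(str(host))
    return hits

LAN, PS4 = "192.168.1.0/24", "192.168.1.3"  # addresses from the thread
PER_HOST = [NatRule("192.168.1.3/32", True), NatRule(LAN, False)]
WHOLE_LAN = [NatRule(LAN, True)]
WRONG_ORDER = [NatRule(LAN, False), NatRule("192.168.1.3/32", True)]  # /32 shadowed

if __name__ == "__main__":
    for name, rules in [("per-host", PER_HOST), ("whole LAN", WHOLE_LAN),
                        ("wrong order", WRONG_ORDER)]:
        kept = match(rules, PS4).static_port  # does the PS4 keep its source port?
        print(f"{name}: PS4 port kept={kept}, static hosts={len(static_hosts(rules, LAN))}")
```
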
                        Napsterbater

                        @kejianshi:

                        You would only need the entire /24 set with static outbound if you had no idea what the IP of your PS4 was going to be or if its IP changed often.
                        Since you have a static IP, there is no need to assign more than a /32 as static.  In other words, only the one device that needs it.

                        Will it break anything to make the entire /24 static?  No.  But it does neutralize source port randomization for your entire network.

                        Feel free to do whichever way sounds better and more secure to you.  I think most of the people who run this site would recommend only assigning a /32 static though.

                        "Security" through obscurity, AKA more ways for NAT (NAPT really) to break stuff/mangle traffic. Unless you are running a really old OS or DNS server/client, it breaks way more than it "secures"/helps.

                          kejianshi

                          I find that disabling the firewall completely makes everything work very well.

                            Napsterbater

                            @kejianshi:

                            I find that disabling the firewall completely makes everything work very well.

                            NAT/NAPT is not a Firewall. It's a hack as is, and having it further mangle traffic/break stuff (by randomizing ports) is backwards, especially for the extremely tiny tiny "benefit" it provides if you are even being targeted by such an attack vs the Apps/Services/Devices (Consoles/Games, VoIP, P2P) it causes issues with, which in the scheme of things are still small but still much much much bigger than what it helps. Again it's not security, it's obscurity.

                            Nice straw man argument though.

                            Can't wait for legacy IP and its associated NAPT and the thinking that comes with it to be gone, or at least in the minority; not going to be able to rely on that crutch with IPv6.

                            Edit: Added "(by randomizing ports)" for clarification.

                              kejianshi

                              I'd never argue with a straw man  (-;

                              On that, I totally agree.  NAT is a huge PITA.  I'm a huge fan of IPv6.  Can't wait for IPv4 to become mostly extinct so that all these broken connection problems disappear.  I run IPv6 and it solves so many problems, particularly for servers.

                                bgbird03

                                Do you guys have any great BASIC "firewall rules" places to start? I'm going absolutely bonkers with my pfBlockerNG enabled because a whole bunch of stuff just doesn't work.

                                First it was my Bumble dating app…had to go through and create 4 different rules for that (seems like I can only allow one destination IP at a time in each rule?), so that was fun. And now this morning it is my BBC News app...I'm at 9 rules for that (they have a range of servers that the app calls out to, like 212.58.246.110-112)! I can't figure out how to input ranges in my firewall rules, and even then, I feel like this is going to be an epic struggle for the rest of my life (fighting against myself) when say, BBC decides to change the IP ranges on their end; in other words, this solution is temporary and great for learning, but not exactly the sort of robustness I would expect in a corporate environment. Any suggestions or tips?

                                Thanks (by the way, I have about 1000 other issues ranging from VPN speeds to certificates to proxy server feature sucking, but I'm trying to keep it limited to the issues we were talking about).

                                  jespar

                                  Under Services/UPnP & NAT-PMP turn on:
                                  - Enable UPnP & NAT-PMP
                                  - Allow UPnP Port Mapping
                                  - Allow NAT-PMP Port Mapping
                                  Go to PS4 settings and run the network test; you'll see NAT now is Type 2.

                                  (Not sure if you need both NAT-PMP and UPnP)

                                    rvoosterhout

                                    I also can't seem to get this to work. I attached screenshots of my UPnP settings and outbound NAT settings. My box has 3 NICs (1 not used), WAN is an external IP, LAN is in the 10.0.0.0 range. PS4 has an alias to 10.0.0.3. The PS4 has a static IP set on the PS4. Kindly let me know if I missed something.


                                    Thanks a lot!

                                    Rick

                                      AhnHEL

                                      @rvoosterhout

                                      Looks good except for one checkbox:

                                      In your UPnP settings, put a checkmark into "Default Deny"

                                      @Jespar
                                      Enabling NAT-PMP is not necessary for PS4, we're using UPnP.

                                      AhnHEL (Angel)

                                        Ryu945

                                        @PickleSlice:

                                        PS4 is reporting a Type 3 NAT which is restrictive. I've tried what I thought would fix it, and I've looked up many threads with similar issues and I cannot seem to resolve this.

                                        I've tried it with NAT and Port Forwarding and with Aliases. Anyone have any ideas?

                                        I have tried many consoles in many different configurations.  What I found is that NAT type isn't so important as different consoles will rate your NAT as II or III depending on how they are programmed.  What matters is does it work.  This is what I used to make it work.

                                        1)  No port forwarding at all.

                                        2)  Set to static port for that particular console.

                                        3)  Don't use VPN.  (Not sure if PIA port forwarding servers would work though).

                                        4)  You don't need to do anything else, so clear out any other settings you changed for it.  No DMZ zone, UPnP or anything is needed.  Leave things at default.

                                        This is all you have to do and it will work.  I also find you.

                                        Disclaimer: I haven't tested this on Xboxes.

                                          lohphat

                                          Take a look at this new post:

                                          https://forum.netgate.com/topic/131695/solution-for-playstation-3-and-4-to-address-nat-3-mode

                                          SG-3100 24.11-RELEASE (arm) | Avahi (2.2_6) | ntopng (5.6.0_1) | openvpn-client-export (1.9.5) | pfBlockerNG-devel (3.2.1_20) | System_Patches (2.2.20_1)

                                            balls23 @PickleSlice

                                            @PickleSlice ...
                                            This might help...

                                            https://www.reddit.com/r/OPNsenseFirewall/comments/ux5h43/the_definitive_guide_to_enabling_sony_playstation/?rdt=52258

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.