UPnP on a Large LAN

  • Hello,  I'm the network manager of a good size LAN at a 4 year College.  I have about 1700 students spread out between a dozen buildings that are subnetted into about 200 or so hosts per LAN.  Each of these subnets has a Nortel core router specified as its default gateway, and from there, the Nortel router has a pfSense box as its default gateway.  The pfSense box uses 12 different outbound NAT rules to give each of these buildings its own public IP.  The DHCP that these hosts use is coming from a separate box since we use our own home-grown DHCP registration system.

    The problem is I get a lot of complaints on campus about gaming.  I have tried my best to get games working, but this XBOX Live has been especially difficult.  Most people complain about the "strict" NAT talked about many times before.  I am playing with the idea of upgrading from 1.0 embedded to 1.2RC4 embedded in order to get the UPnP functionality.  What I am wondering is whether or not this is a good idea, if it even works at all.  My understanding of UPnP after a good amount of reading is still hazy, and I don't know if the UPnP will work for hosts that (a) don't have pfSense as their default gateway and (b) don't get DHCP from the pfSense box.  I also don't know if this LAN is too large to even attempt to do this.

    Short of trying to get 2000 public IPs so that these games work without NAT, is there anything more I can do?  I have tried giving anything NATed over the XBox ports its own IP so less traffic goes through that IP, but no go.  Anyone out there working for a campus that has solved this problem?

  • I would never enable UPnP on such a large network. Besides that I don't think it works across routed subnets anyway. Unfortunately I don't have a solution for you either  :(

  • It looks like UPnP is broadcast based:

    So, subnets will be a problem.  You might find that putting a UPnP capable gateway on each subnet will help, you may not.

  • Thanks Guys.

    I had a feeling, but had to confirm it.  I don't think I can do what I want to do with NAT.  I don't think I'll be able to get 1700 public IPs either. :(

  • I don't think UPnP would be an option for so many clients anyway. What will happen if all those Xboxes request the same port? Also a UPnP cascade (UPnP router behind UPnP router) wouldn't work, as the first router (seen from the Xbox's point of view) would only open and forward ports on itself but not make an upstream UPnP router aware of that port forwarding. I guess what you would need is some kind of transparent proxy that understands the Xbox Live network and accepts all these connections and divides all the sessions to distribute them to all the clients. I don't think something like this exists. On the other hand it's just a design problem of the Xbox Live network imo. It's like SIP (which has problems behind NAT as well) and IAX which runs fine behind all kinds of NAT. It's bad design.

  • At George Mason University when you first connect a computer whose MAC address is unknown into a dorm jack it looks to use a captive portal to redirect you. After verifying the anti-virus software is installed it gives you the choice of a public or private IP. From then on out you are not prompted again. Each semester they clear out the database. It seems that something like this would give you the best of both worlds. Most users would just accept the default of the private IP anyway. I know this isn't as easy to implement as it sounds.

    The only way I could see UPnP working would be if you have several pfSense boxes each with a public IP spread out throughout the network. I know xbox will try to map an alternative port if the one it wants is taken. As long as you only have 10 or so people playing at a time it should work. The main issue is that xbox doesn't request the port mapping to be removed when you turn the console off. This would have to be resolved somehow in the UPnP code. Maybe a feature to remove port mappings after X time. Although you have to be careful not to remove active ones, which is the issue as I'm not sure how to determine that. Maybe a ping to the device?

  • Maybe a ping to the device?

    or maybe ask pf if it has an active state for such a rule?!
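    The stale-mapping cleanup discussed in the two posts above (expire mappings after X time, but consult pf's state table before touching one) can be prototyped as a small housekeeping script. This is an added example, not code from the thread or from pfSense; it assumes a miniupnpd-style lease file with `proto:ext_port:int_addr:int_port:timestamp:description` fields and parses constructed lines in the style of `pfctl -ss` output, so on a real box the two constructed inputs would be replaced by the lease file and the live pfctl output.

```python
import re

# Constructed sample of miniupnpd-style lease entries. The field order
# (proto:ext_port:int_addr:int_port:unix_timestamp:description) is an
# assumption about the lease file; the values are made up, not from the thread.
NOW = 1_700_000_000
LEASES = [
    f"UDP:3074:10.1.20.15:3074:{NOW - 20 * 3600}:Xbox (UDP)",
    f"TCP:3074:10.1.20.15:3074:{NOW - 20 * 3600}:Xbox (TCP)",
    f"UDP:3075:10.1.20.42:3074:{NOW - 20 * 3600}:Xbox (UDP)",
    f"UDP:3076:10.1.20.77:3074:{NOW - 48 * 3600}:Xbox (UDP)",
]

# Constructed lines in the style of `pfctl -ss` output; only 10.1.20.42 is
# actually talking through its mapping, the other consoles are switched off.
PF_STATES = """\
vr0 udp 10.1.20.42:3074 (198.51.100.7:3075) -> 203.0.113.9:3074  MULTIPLE:MULTIPLE
vr0 tcp 10.1.20.42:49152 (198.51.100.7:49152) -> 203.0.113.20:443  ESTABLISHED:ESTABLISHED
"""

def parse_leases(lines):
    """Turn lease lines into dicts; split on at most 5 colons so the
    free-text description may itself contain colons."""
    leases = []
    for line in lines:
        proto, eport, iaddr, iport, ts, desc = line.split(":", 5)
        leases.append({"proto": proto.lower(), "eport": int(eport),
                       "iaddr": iaddr, "iport": int(iport),
                       "created": int(ts), "desc": desc})
    return leases

def active_endpoints(pfctl_output):
    """Collect every (proto, addr, port) that appears in pf's state table."""
    found = set()
    for line in pfctl_output.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        proto = parts[1].lower()
        for addr, port in re.findall(r"(\d+\.\d+\.\d+\.\d+):(\d+)", line):
            found.add((proto, addr, int(port)))
    return found

def stale_mappings(leases, states, now, max_age):
    """Mappings older than max_age seconds whose internal endpoint has no
    live pf state: safe removal candidates, active sessions are left alone."""
    return [m for m in leases
            if now - m["created"] > max_age
            and (m["proto"], m["iaddr"], m["iport"]) not in states]
```

    With the constructed inputs and `max_age=6 * 3600`, the three mappings for the idle consoles are reported and the one still carrying traffic is kept.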

  • From my experience, Xbox 360s will not respond to ping requests.  Very inconvenient!
