Guide - How to set up Wii U on DMZ port for Multiplayer Gaming



  • First, I've had my pfSense VK-T40E for about six months and I absolutely love it.

    I had my first real challenge this week when the kids wanted to start multiplayer on Wii U. I read many posts, both on the web and in these forums, and none of them would completely get me there. Most were missing one or two key steps (Outbound, Rules for traffic allowance, static port). Simply setting Static Port on my LAN wasn't working for me, so I decided to just DMZ the whole Wii U and plug it into OPT1.

    I don't think this is needed for Xbox or PlayStation because they seem to make good use of UPnP, and some simple port forwarding should get you there. Nintendo seems to be a lot more picky and also a lot less helpful with their error messages.

    With respect to the other threads trying to help with this task - I am attempting to capture all of the steps here. This guide is based on pfSense 2.2.2. This guide uses my personal choices (static IP, etc), so you may want to do differently, and of course this isn't the only way. I do not have a lot of networking experience (pfSense is helping me learn) - so hopefully this helps someone else in the same boat.

    First, we enable the DMZ interface.

    • In the menubar, Interfaces, OPT1
      – Select the Enable Interface checkbox
      – Change description to something that helps ("DMZ" or "Wii U Port") - I will use "DMZ" throughout this guide.
      – Set IPv4 Configuration Type to Static IPv4
      – Under IPv4 address, set your subnet for the DMZ port itself. I wanted this separate for my own clarity.
          In my case, my main LAN subnet is 192.168.2.1/24 (so, 192.168.2.xxx). Therefore I set this port as 192.168.3.1/24.
      – Save these changes
      (See attached image: DMZ.png)

    Second, we need to enable traffic from the WAN to this port. The default allows nothing through.

    • In the menubar, Firewall, Rules
      – Select the LAN tab
      – There should be a rule entitled "Default allow LAN to any rule". Click the plus sign to the right to make a new rule based on this.
      – Change the Interface on this rule to DMZ, this is the description you chose in the first section
      – Under Source, change the Type from LAN net to DMZ net
      – Save these changes
    • If you were to plug in a laptop to the port now, you should be able to access the WAN (but you will have no firewall - hence DMZ, be careful)
      (See attached image: Firewall - Rules.png)

    Third, we need to set our new device for Static Port. This is covered well on this forum but I will show the steps here.
    It should be noted that I used a static IP for my Wii U - I'm not sure if this is required but I think it makes it easier.

    • In the menubar, Firewall, NAT
    • Select the Outbound tab
    • Select the Manual Outbound NAT rule generation radio button and click Save
    • Now look for the rule entitled "Auto created rule - LAN to WAN". Click the plus sign to the right to make a new rule based on this.
    • Set/verify the following options
      – Interface : WAN
      – Protocol : Any
      – Source:
        – Type : Network
        – Address : Set to the Static IP of your Wii U, set the subnet to /32 (mine is 192.168.3.100)
        – Source Port: Blank
      – Destination:
        – Type: Any
      – Translation:
        – Static Port : Checked
      – Put something in the description field at the bottom so you remember this is for the Wii U
    • Save the rule
      (See attached image: Firewall - Outbound NAT.png)

    Fourth, move the rule to the top of the list

    • Click the little hand with the left-arrow to the right of the rule. Then click above the top rule in the list to move it.
    • Save all changes
      (See attached image: Firewall - NAT Outbound List.png)

    Even though pfSense does keep some snapshots (30 by default on mine), this is a good time to save a copy of your configuration.

    • From the menubar, Diagnostics - Backup/Restore
    • In the first section, I chose All and clicked Download Configuration

    After all of these steps, I plugged in the Wii U to the OPT1 port on the pfSense box and the kids were able to play Splatoon and I was a hero. Hopefully this helps someone else.

    Nintendo Error Search Terms
    118-0521
    118-0516
    118-0502


    ![Firewall - Rules.png](/public/imported_attachments/1/Firewall - Rules.png)
    ![Firewall - Outbound NAT.png](/public/imported_attachments/1/Firewall - Outbound NAT.png)
    ![Firewall - NAT Outbound List.png](/public/imported_attachments/1/Firewall - NAT Outbound List.png)



  • It doesn't need to be on a DMZ.  You just need to make static outbound port mapping for it.  All I did was create the list as if my network was subnetted into two, and set all the DHCP leases for the game consoles in the subnet where the outbound is static.  I can take screenshots if you think it'd help.  Not that DMZ won't work, it's just that the way I do it is way simpler.



  • Set up your outbound as shown, and then all you have to do is set your game consoles to static DHCP mappings of 192.168.1.128 or above (or whatever your IP scheme is really).  Anything above 128 will have static outbound port mapping, anything below will be the default setting.  This does not actually subnet your network, so your devices on the whole network will be able to communicate just fine, the list is just written as if they are subnetted.  Note: This also works with the DS and 3DS (probably the Wii as well but I never tested that)
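
Added example, not part of the thread: a small model of the outbound NAT list that shows why the Static Port rule has to sit above the broader LAN rule (the guide's "Fourth" step) and how the "192.168.1.128 or above" split behaves. Outbound NAT rules are evaluated top down with the first match winning; the rule sets and descriptions below are constructed for illustration, not exported from a real pfSense box.

```python
import ipaddress

def first_match(rules, src_ip):
    """Return the first rule whose source network contains src_ip."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if ip in ipaddress.ip_network(rule["source"]):
            return rule
    return None

def keeps_source_port(rules, src_ip):
    """True when the matching rule has Static Port set (source port not rewritten)."""
    rule = first_match(rules, src_ip)
    return bool(rule and rule["static_port"])

def shadowed(rules):
    """Descriptions of rules that can never match: an earlier rule covers their source."""
    hidden = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule["source"])
        for earlier in rules[:i]:
            if net.subnet_of(ipaddress.ip_network(earlier["source"])):
                hidden.append(rule["descr"])
                break
    return hidden

# Constructed rule sets. Consoles get DHCP mappings in 192.168.1.128/25.
CONSOLES_FIRST = [
    {"descr": "Consoles static port", "source": "192.168.1.128/25", "static_port": True},
    {"descr": "LAN to WAN", "source": "192.168.1.0/24", "static_port": False},
]
# Same rules with the static-port rule left at the bottom of the list.
CONSOLES_LAST = list(reversed(CONSOLES_FIRST))

if __name__ == "__main__":
    for name, rules in (("first", CONSOLES_FIRST), ("last", CONSOLES_LAST)):
        print(name, keeps_source_port(rules, "192.168.1.130"), shadowed(rules))
```
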




  • I agree that it shouldn't need to be on a DMZ - but I had tried everything you stated and it wouldn't work. I just kept getting the same set of three errors.

    I appreciate the tips though - it is sure to help someone else. I read plenty of posts from folks with the same system that didn't need to do anything to get it to work.



  • Hmm, here's a question:  Do you have UPnP enabled?  While technically a security risk, a lot of games nowadays don't work properly without it, particularly game consoles.  I have it enabled because Nintendo consoles do NOT use standard sets of ports, so it can vary wildly from game to game.  If you really felt like it you could restrict it to work only on the consoles, but I've noticed a few PC games that use it as well.  In a business environment or something you absolutely wouldn't want to, but at home I think it's ok if you manage your devices well.



  • This guy's guide worked for me: https://jakebillo.com/better-mario-kart-8-connectivity-using-pfsense/

    I don't have UPnP enabled.



  • @autotalon:

    Hmm, here's a question:  Do you have UPnP enabled?  While technically a security risk, a lot of games nowadays don't work properly without it, particularly game consoles.  I have it enabled because Nintendo consoles do NOT use standard sets of ports, so it can vary wildly from game to game.  If you really felt like it you could restrict it to work only on the consoles, but I've noticed a few PC games that use it as well.  In a business environment or something you absolutely wouldn't want to, but at home I think it's ok if you manage your devices well.

    UPnP is only a security risk if unexpected things request ports.  You can easily mitigate this, by setting UPnP access to default deny and then allowing it only for specific IPs and specific port ranges (I err on the side of more leniency, so I open it up to non-privileged ports 1024-65535 on my entire subnet, but you could lock it down just to the Wii IP).  The fearmongering from places like GRC is over a decade out of date.

    And UPnP is the correct way to solve all gaming console issues.  For example, Xboxes and PlayStations all want to use 3074/udp.  If you do manual port forwarding, you'll only ever be able to get one console online with Open NAT at a time, and switching between consoles means switching rules in your firewall.  But if you allow UPnP, the consoles can walk through their list of known ports and request the next one that's open.  Knowing that list of ports doesn't help you if you don't use UPnP, because the only way the console will listen on anything other than 3074/udp is if it goes through UPnP.  Maybe most people don't care, but I have an Xbox One, a couple of 360s, and a PS3 that I want to all work.  Also, lots of non-game stuff can use UPnP to make your life easier, like Plex, torrent clients, Skype, etc.

    pfSense has a high quality UPnP implementation (miniupnpd) unlike most consumer-grade routers, so it's a shame not to use it.


  • @toddos:

    UPnP is only a security risk if unexpected things request ports.  You can easily mitigate this, by setting UPnP access to default deny and then allowing it only for specific IPs and specific port ranges

    Easier said than done; the limited GUI is not really helping.

    @toddos:

    Also, lots of non-game stuff can use UPnP to make your life easier, like Plex, torrent clients, Skype, etc.

    Yeah, and also completely broken things like Windows Media Player which forwards port 443.  ::)



  • @doktornotor:

    Easier said than done; the limited GUI is not really helping.

    Sure, but you can do it yourself.  The syntax isn't too complex.  "allow 1024-65535 192.168.0.0/24 1024-65535" in the first custom config box, and check the "deny by default" checkbox above it.

    @doktornotor:

    Yeah, and also completely broken things like Windows Media Player which forwards port 443.  ::)

    I've never seen wmplayer try to forward 443.  But even if it did, the default deny with allow for non-privileged ports should prevent that.  For example, I have a stupid webcam that tries to forward 80 and its setting option to disable UPnP doesn't work, but my custom non-privileged ports rule takes care of it easily enough.
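
Added example, not part of the thread: an evaluator for the UPnP permission rule quoted above, showing what "deny by default" plus a non-privileged-port allow rule accepts and rejects. It assumes rules are checked in order with the first match deciding and that an unmatched request is accepted unless default deny is set; the client IPs and requests are constructed, and the /32 rule is a constructed variant for the Wii U address from the guide.

```python
import ipaddress

def parse_ports(spec):
    """Parse '3074' or '1024-65535' into an inclusive (low, high) pair."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return lo, hi

def parse_rule(line):
    """Parse 'allow|deny <external ports> <ip/mask> <internal ports>'."""
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    return action, parse_ports(ext), ipaddress.ip_network(net), parse_ports(internal)

def decide(rules, client_ip, ext_port, int_port, default_deny=True):
    """Return 'allow' or 'deny' for one port-mapping request (first match wins)."""
    ip = ipaddress.ip_address(client_ip)
    for action, (elo, ehi), net, (ilo, ihi) in rules:
        if ip in net and elo <= ext_port <= ehi and ilo <= int_port <= ihi:
            return action
    return "deny" if default_deny else "allow"

# Rule text as quoted in the post above.
LAN_RULE = "allow 1024-65535 192.168.0.0/24 1024-65535"
# Constructed variant: only the Wii U's static IP may request mappings.
WII_RULE = "allow 1024-65535 192.168.3.100/32 1024-65535"

if __name__ == "__main__":
    rules = [parse_rule(LAN_RULE)]
    requests = [  # constructed: (client, external port, internal port)
        ("192.168.0.50", 3074, 3074),   # console asking for 3074/udp
        ("192.168.0.60", 80, 80),       # webcam asking for port 80
        ("192.168.3.100", 3074, 3074),  # host outside the allowed subnet
    ]
    for client, ext, internal in requests:
        print(client, ext, decide(rules, client, ext, internal))
```
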


  • @toddos:

    The syntax isn't too complex.  "allow 1024-65535 192.168.0.0/24 1024-65535" in the first custom config box, and check the "deny by default" checkbox above it.

    That's not the problem. The problem is that there are 4 fields to input something, and that's it.

    https://redmine.pfsense.org/projects/pfsense/repository/revisions/085136fe60d9a60d5a3e2f04e45ba2568b592b6f
    https://redmine.pfsense.org/projects/pfsense/repository/revisions/04a893de744d23f3c4e28ee3f1d1a1ca34c2cfc7
    https://redmine.pfsense.org/projects/pfsense/repository/revisions/a95867a2ffb6c94b2dd0508ef4db35ad752aca29



  • Fair enough, but I don't see how that's an issue here.  OP wants to set up a Wii U, so he can use one of those four rows to specifically allow only the Wii U access to UPnP.  Or if he wants to expand it to generally cover his LAN, he can set it up for the entire LAN, again only using one row.

    I get that having a more flexible GUI would be useful for the paranoid who want to explicitly allow each host individually.  But at least IMHO, that's overkill.  A nice-to-have feature, but not a reason to forego using UPnP entirely, especially since it's the most elegant solution to his problem.



  • I tried UPnP. The problem here is more specific to the Wii U. It doesn't forward all the ports it needs. The basic ones are covered, but Nintendo fails here at requesting everything it needs during active multiplayer matches. The match will try to begin, but you never get the connections you need from the other peers. This is a widely documented issue across many Wii U games.

    The first reply stating I'm wrong and just needed to do a static outbound mapping to it technically was right, but for some stupid reason it flat would not work. I messed with it for a week.

    Given that Nintendo's own answer to this question of "why won't UPnP work for multiplayer matches" is "you need to provide DMZ level access", that's basically what I implemented.

    I also just wanted to build a guide that listed every possible step, since every guide I had seen left out bits and pieces.



  • You may want to look at this:  https://forum.pfsense.org/index.php?topic=99161.0

    Also, what about your setup makes this a DMZ?  I must be missing it from reading your guide.  All I see is you naming an interface to DMZ but what did you actually change to make it a DMZ?



  • @Ryu945:

    You may want to look at this:  https://forum.pfsense.org/index.php?topic=99161.0

    Also, what about your setup makes this a DMZ?  I must be missing it from reading your guide.  All I see is you naming an interface to DMZ but what did you actually change to make it a DMZ?

    I'm good, thanks. What you basically did is create a static route. I mentioned several times that this didn't work for my setup. I have no idea why - I agree it should have. What I wanted to do was plug my device into the OPT1 port ("why" isn't important).

    It's a DMZ because of the section labeled "Second", where I pass all traffic.