Guide - How to set up Wii U on DMZ port for Multiplayer Gaming
-
Hmm, here's a question: Do you have uPnP enabled? While technically a security risk, a lot of games nowadays don't work properly without them, particularly game consoles. I have it enabled because Nintendo consoles do NOT use standard sets of ports, so it can vary wildly from game to game. If you really felt like it you could restrict it to work only on the consoles, but I've noticed a few PC games that use it as well. In a business environment or something you absolutely wouldn't want to, but at home I think it's ok if you manage your devices well.
-
This guy's guide worked for me: https://jakebillo.com/better-mario-kart-8-connectivity-using-pfsense/
I don't have UPnP enabled.
-
Hmm, here's a question: Do you have uPnP enabled? While technically a security risk, a lot of games nowadays don't work properly without them, particularly game consoles. I have it enabled because Nintendo consoles do NOT use standard sets of ports, so it can vary wildly from game to game. If you really felt like it you could restrict it to work only on the consoles, but I've noticed a few PC games that use it as well. In a business environment or something you absolutely wouldn't want to, but at home I think it's ok if you manage your devices well.
UPnP is only a security risk if unexpected things request ports. You can easily mitigate this, by setting UPnP access to default deny and then allowing it only for specific IPs and specific port ranges (I err on the side of more leniency, so I open it up to non-privileged ports 1024-65535 on my entire subnet, but you could lock it down just to the Wii IP). The fearmongering from places like GRC is over a decade out of date.
And UPnP is the correct way to solve all gaming console issues. For example, Xboxes and PlayStations all want to use 3074/udp. If you do manual port forwarding, you'll only ever be able to get one console online with Open NAT at a time, and switching between consoles means switching rules in your firewall. But if you allow UPnP, the consoles can walk through their list of known ports and request the next one that's open. Knowing that list of ports doesn't help you if you don't use UPnP, because the only way the console will listen on anything other than 3074/udp is if it goes through UPnP. Maybe most people don't care, but I have an Xbox One, a couple of 360s, and a PS3 that I want to all work. Also, lots of non-game stuff can use UPnP to make your life easier, like Plex, torrent clients, Skype, etc.
pfSense has a high quality UPnP implementation (miniupnpd) unlike most consumer-grade routers, so it's a shame not to use it.
-
UPnP is only a security risk if unexpected things request ports. You can easily mitigate this, by setting UPnP access to default deny and then allowing it only for specific IPs and specific port ranges
Easier said than done; the limited GUI is not really helping.
Also, lots of non-game stuff can use UPnP to make your life easier, like Plex, torrent clients, Skype, etc.
Yeah, and also completely broken things like Windows Media Player which forwards port 443. ::)
-
Easier said than done; the limited GUI is not really helping.
Sure, but you can do it yourself. The syntax isn't too complex. "allow 1024-65535 192.168.0.0/24 1024-65535" in the first custom config box, and check the "deny by default" checkbox above it.
Yeah, and also completely broken things like Windows Media Player which forwards port 443. ::)
I've never seen wmplayer try to forward 443. But even if it did, the default deny with allow for non-privileged ports should prevent that. For example, I have a stupid webcam that tries to forward 80 and its setting option to disable UPnP doesn't work, but my custom non-privileged ports rule takes care of it easily enough.
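An added example, not part of the post above or of pfSense/miniupnpd: a small Python evaluator for the permission-rule syntax quoted in that post, showing how "deny by default" plus a non-privileged-port allow rule rejects the port 80 and 443 requests mentioned. It assumes miniupnpd's first-match evaluation and that the checkbox appends a final deny-all rule; the host addresses are constructed.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    allow: bool
    ext: range                      # external (WAN-side) ports requested
    net: ipaddress.IPv4Network      # LAN client(s) the rule applies to
    internal: range                 # internal (LAN-side) ports


def _ports(spec):
    """Turn '1024-65535' or '80' into an inclusive range."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return range(lo, hi + 1)


def parse_rule(line):
    """Parse '(allow|deny) <ext ports> <ip[/mask]> <int ports>'."""
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    return Rule(action == "allow", _ports(ext),
                ipaddress.ip_network(net, strict=False), _ports(internal))


def is_permitted(rules, client_ip, ext_port, int_port):
    """First matching rule decides the outcome."""
    addr = ipaddress.ip_address(client_ip)
    for r in rules:
        if ext_port in r.ext and addr in r.net and int_port in r.internal:
            return r.allow
    # Assumption: with no matching rule the request is allowed, which is
    # why the explicit deny-all line at the end matters.
    return True


# Assumed form of the rule the "deny by default" checkbox appends.
DENY_ALL = "deny 0-65535 0.0.0.0/0 0-65535"
# The rule from the post: whole LAN, non-privileged ports only.
LAN_RULES = [parse_rule(r) for r in
             ("allow 1024-65535 192.168.0.0/24 1024-65535", DENY_ALL)]
# Tighter variant: only the console (constructed address 192.168.0.50).
WIIU_ONLY = [parse_rule(r) for r in
             ("allow 1024-65535 192.168.0.50/32 1024-65535", DENY_ALL)]
```

With `LAN_RULES`, a console asking for 3074 is permitted while a device asking for 80 or 443 falls through to the deny-all line; with `WIIU_ONLY`, every host other than 192.168.0.50 is refused.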
-
The syntax isn't too complex. "allow 1024-65535 192.168.0.0/24 1024-65535" in the first custom config box, and check the "deny by default" checkbox above it.
That's not the problem. The problem is that there are 4 fields to input something, and that's it.
https://redmine.pfsense.org/projects/pfsense/repository/revisions/085136fe60d9a60d5a3e2f04e45ba2568b592b6f
https://redmine.pfsense.org/projects/pfsense/repository/revisions/04a893de744d23f3c4e28ee3f1d1a1ca34c2cfc7
https://redmine.pfsense.org/projects/pfsense/repository/revisions/a95867a2ffb6c94b2dd0508ef4db35ad752aca29
-
Fair enough, but I don't see how that's an issue here. OP wants to set up a Wii U, so he can use one of those four rows to specifically allow only the Wii U access to UPnP. Or if he wants to expand it to generally cover his LAN, he can set it up for the entire LAN, again only using one row.
I get that having a more flexible GUI would be useful for the paranoid who want to explicitly allow each host individually. But at least IMHO, that's overkill. A nice-to-have feature, but not a reason to forego using UPnP entirely, especially since it's the most elegant solution to his problem.
-
I tried uPnP. The problem here is more specific to the Wii U. It doesn't forward all the ports it needs. The basic ones are covered, but Nintendo fails here at requesting everything it needs during active multiplayer matches. The match will try to begin, but you never get the connections you need from the other peers. This is a widely documented issue across many Wii U games.
The first reply stating I'm wrong and just needed to do a static outbound mapping to it technically was right, but for some stupid reason it flat would not work. I messed with it for a week.
Given that Nintendo's own answer to this question of "why won't uPnP work for multiplayer matches" is "you need to provide DMZ level access", that's basically what I implemented.
I also just wanted to build a guide that listed every possible step, since every guide I had seen left out bits and pieces.
-
You may want to look at this: https://forum.pfsense.org/index.php?topic=99161.0
Also, what about your setup makes this a DMZ? I must be missing it from reading your guide. All I see is you naming an interface to DMZ but what did you actually change to make it a DMZ?
-
You may want to look at this: https://forum.pfsense.org/index.php?topic=99161.0
Also, what about your setup makes this a DMZ? I must be missing it from reading your guide. All I see is you naming an interface to DMZ but what did you actually change to make it a DMZ?
I'm good, thanks. What you basically did is create a static route. I mentioned several times that this didn't work for my setup. I have no idea why - I agree it should have. What I wanted to do was plug my device into the OPT1 port ("why" isn't important).
It's a DMZ because of the section labeled "Second", where I pass all traffic.