OPNsense Forum
Archive => 22.7 Legacy Series => Topic started by: effex on December 28, 2022, 04:27:31 pm
-
EDIT:
It appears to me based on a lot of research that static port mapping on hybrid outbound NAT with UPnP enabled with two PCs on LAN results in packets not being routed properly and potentially being dropped on the firewall.
This thread on netgate forum shows that it was an issue with FreeBSD based systems and miniupnpd:
https://forum.netgate.com/topic/169837/upnp-fix-for-multiple-clients-consoles-playing-the-same-game
My question is how can I apply this patch to OPNsense or is the only option to move to PFSense to leverage this code?
-
EDIT: See above post
-
Maybe try setting up your firewall rules like this:
https://digiex.net/threads/pfsense-step-by-step-guide-to-multiple-xbox-ones-open-nat-play-together-2-3-x.15094/ (https://digiex.net/threads/pfsense-step-by-step-guide-to-multiple-xbox-ones-open-nat-play-together-2-3-x.15094/)
From a high level they seems to be doing something similar to what you are doing but using firewalls with upnp.
Sorry I can't be of more help, I copied some firewall rules from a pfsense post previously to get COD game to be open, but that's it.
I doubt that you can just patch the code for opnsense with whatever they have on pfsense (everything has changed to much I believe).
Cheers,
-
Thanks for the reply but unfortunately when you set static port mapping with UPnP, the routing isn't getting done correctly.
If I remove static port mapping you go back to STRICT NAT.
Apparently the pfsense team has worked with the developer of miniupnp and come up with the code fix that will make the nat translation work and not need static port mapping at all.
-
I have read about upnp earlier on this forum. With users describing a upnp plugin solution and a outbound (non upnp plugin) solution. I have done the last one, and so far not seen any problems.
Short Version:
Give your XB1 (or PS4, same process required) a static IP
Install/Enable UPNP
Set "User Specified Permissions" to "allow 88-65535 10.1.1.x/32 88-65535", where 10.1.1.x is the static ip of the XB1/PS4
Firewall>NAT>Outbound - Set to Hybrid/Manual rule generation
Create a rule with the following set: "Source Address - Single Host or network - 10.1.1.x" & "Static Port - Checked"
Do a hard-reboot of your XB1/PS4 (shutting it down and pulling the power for 2 mins will do"
You should now have a NAT Type of Moderate (XB1), or Type 2 (PS4).
and the outbound
There are good reasons to not want to use UPnP IMO but what option is the best I wont comment further on. I will however add how it is possible to get the same result (NAT type 2) without installing UPnP via Hybrid outbound NAT.
Change IP to static on Xbox/Playstation
Firewall -> NAT -> Outbound: Set Mode to Hybrid outbound NAT rule generation
Add a new rule just below (See attached screenshot for options)
Make sure the Xbox/Playstation is allowed to communicate on the interface it is connected to (likely LAN).
That's it.
see here: https://forum.opnsense.org/index.php?topic=8812.0 (https://forum.opnsense.org/index.php?topic=8812.0)
and another here: https://forum.opnsense.org/index.php?topic=17499.msg79601#msg79601 (https://forum.opnsense.org/index.php?topic=17499.msg79601#msg79601)
-
There are good reasons to not want to use UPnP IMO but what option is the best I wont comment further on. I will however add how it is possible to get the same result (NAT type 2) without installing UPnP via Hybrid outbound NAT.
Change IP to static on Xbox/Playstation
Firewall -> NAT -> Outbound: Set Mode to Hybrid outbound NAT rule generation
Add a new rule just below (See attached screenshot for options)
Make sure the Xbox/Playstation is allowed to communicate on the interface it is connected to (likely LAN).
When I do this, I'm only able to set a subnet in the single host or network field - after saving it shows 1.0 instead of the intended 1.20 and shows the netmask.
I do have the upnp service enabled and it doesn't seem to do anything. Its exceptions do work though. Only 8 rules there from what I can tell...
-
I made an alias with the static ip's of the game boxes, and than Source address: [your alias]
-
I appreciate the responses but I've done literally everything you can do in OPNsense to fix this issue.
If you have TWO or more PCs on Destiny 2, it appears that the UPnP service makes the port reservations. The problem is referenced in the netgate forum. I believe OPNsense is not creating these rules which allow the traffic to get routed back in:
+ $natrules .= "binat-anchor \"miniupnpd\"\n";
+ $natrules .= "nat-anchor \"miniupnpd\"\n";
I didn't actually notice the issues until we tried PvP. Whether in a private match with just the two of us or a match with other p2p connections, it doesn't work correctly.
To note, I'm able to get OPEN NAT. That's not the issue. The issue is something to do with miniupnpd and freebsd and it not working properly.
The problem is referenced here:
"miniupnpd needed the ability to add the correct outbound NAT rules corresponding to the ports it used for inbound port forwards"
Destiny 2 will take UDP 3097 on the first PC and UDP 3098 on the second PC. With static port mapping on the entire subnet 192.168.1.0/24, this causes some sort of issue.
From what I understand, if UPnP is working properly, static port mapping won't be required. As the patch on netgate forum allows you to only enable UPnP and disable all other rules.
I can prove this is a bug/issue if anyone wants me to provide more information but I've done enough research that I can tell something is wrong with the implementation and it appears that the folks on the pfsense forum were seeing the same thing.
-
I think the fastest way is to sent a bug report here: https://github.com/opnsense/core/issues/ (https://github.com/opnsense/core/issues/)
-
Thanks for the reply!
Looks like it's a known issue:
https://github.com/opnsense/plugins/commit/1781291d7f0627883cd01383a18931ce2977587c
-
Good to know. Thanks for sharing.
-
I have just installed upnp and gone through the basic setup through the gui. There is a lot of conflicting information as to the correct setup for upnp. Could someone please confirm the correct procedure for setting this up correctly. I have attached a screen shot of the recommendations that finishes after the install of upnp.
-
Is there a way to use UPNP in the meantime? I cant use multiplayer on 3 xboxes without it.