Hi all,
Looking at the Nintendo website about what port to NAT for my Switch, it's not exactly helpful at all, as it's basically all of them?!
I was just wondering if any of you have a Switch and have done this before?
https://en-americas-support.nintendo.com/app/answers/detail/a_id/22272/~/how-to-set-up-a-routers-port-forwarding-for-a-nintendo-switch-console
Cheers,
Rob
Your better option is to have at least one dedicated VLAN for IoT devices. Having it on your LAN is a security risk.
The information in the link basically tells you in the clear that it's rather poor security to make it work:
Quote:
> Important: While Nintendo provides this information for our consumers' use, it is up to each consumer to determine what security needs they have for their own networks, and to decide how best to configure their network settings to meet those needs.
Do you mean have a new VLAN, i.e. a DMZ, and enable UPnP on the DMZ network?
I have no idea what ports the Nintendo Switch needs. I did monitor via (Interfaces > Diagnostics > Packet Capture) and created a rule for the ports specified, but it didn't work.
I'm not going to allow the full range on my LAN, as you're right, it's a massive security hole.
I think I need to do this:
https://digiex.net/threads/pfsense-step-by-step-guide-to-multiple-xbox-ones-open-nat-play-together-2-3-x.15094/
"Within the port range, enter the starting port and the ending port to forward. For the Nintendo Switch console, this is port 1 through 65535."
AB-SO-LUTE-LY cool! Must have on my network 8-o)
____
As a starter:
https://www.reddit.com/r/NintendoSwitch/comments/6qjhjy/i_have_figured_out_the_actual_range_of_ports_to/
https://forum.netgate.com/topic/112631/nintendo-switch-needs-static-port-on-its-outbound-nat
All in. Or perhaps "all out". 8)
Cheers,
Franco
I didn't have to do a port forward/NAT at all.
All I have done is as follows:
- Add a new network called DMZ on my OPNsense firewall.
- Put my wireless access point on the DMZ.
- Connect my Switch to my WAP.
- Reserve the Switch's IP on the DHCP server so it's static.
- Create a manual outbound NAT rule for my Switch's IP, but make sure you check "Static port".
After that I got a NAT score of B and not D anymore, so I can now play online.
If I didn't create an outbound NAT rule and just put it on the DMZ, I still got a NAT score of D.
Congrats, that's a better approach for sure.
If at all possible though, use a VLAN assigned to the IoT WLAN which has the Nintendo, and at least another VLAN/WLAN pair which has more sensitive devices, like phones etc.
Last but not least, at the very minimum have a "Deny ANY, Source: IoT Net, Dest: LAN/other VLANs" set of rules. Basically, make sure the Nintendo only goes out to the internet and nothing more.
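An added illustration of the rule ordering that last reply describes (this is example code written for this page, not anything posted in the thread and not OPNsense's own code). It models the IoT interface's ruleset the way pf evaluates "quick" rules on OPNsense: first match wins, and anything unmatched hits the implicit default deny. The VLAN addresses, the firewall's IoT-side address and the sample packets are all assumptions made up for the example; the point it shows is that the deny-to-internal rule has to sit above the allow-out rule, or the allow shadows it.

```python
"""First-match check of an IoT/DMZ ruleset: deny internal, allow internet.

Added example for this thread, not code from the forum or from OPNsense.
All addresses below are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

IOT_NET = ip_network("10.0.30.0/24")          # assumed IoT / DMZ VLAN
FW_IOT_ADDR = ip_network("10.0.30.1/32")      # assumed firewall address on that VLAN
INTERNAL_NETS = (                             # assumed LAN and other internal VLANs
    ip_network("10.0.10.0/24"),               # LAN
    ip_network("10.0.20.0/24"),               # phones / more sensitive devices
    IOT_NET,                                  # the IoT net itself: no lateral movement
)
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    src: IPv4Network
    dsts: tuple                     # any destination network in this tuple matches
    note: str


def first_match(rules, src_ip: str, dst_ip: str):
    """Evaluate like pf 'quick' rules: the first rule whose source and
    destination match decides; no match means the implicit default deny."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for rule in rules:
        if s in rule.src and any(d in net for net in rule.dsts):
            return rule.action, rule.note
    return "block", "implicit default deny"


# Recommended order: firewall services first (DNS/DHCP relay to the
# firewall itself, an assumption about what the console needs), then the
# deny to every internal network, and only then the allow-out to anywhere.
RECOMMENDED = (
    Rule("pass", IOT_NET, (FW_IOT_ADDR,), "allow IoT -> firewall (DNS/DHCP)"),
    Rule("block", IOT_NET, INTERNAL_NETS, "deny IoT -> LAN/other VLANs"),
    Rule("pass", IOT_NET, (ANY,), "allow IoT -> internet"),
)

# Same three rules with the allow-any placed first: it matches every packet
# from the IoT net, so the deny below it is never reached.
WRONG_ORDER = (RECOMMENDED[2], RECOMMENDED[0], RECOMMENDED[1])

# Constructed sample flows: (description, source, destination).
SAMPLE_FLOWS = (
    ("console -> internet game server", "10.0.30.50", "203.0.113.10"),
    ("console -> firewall DNS", "10.0.30.50", "10.0.30.1"),
    ("console -> LAN file server", "10.0.30.50", "10.0.10.5"),
    ("console -> phone on sensitive VLAN", "10.0.30.50", "10.0.20.7"),
    ("console -> another IoT device", "10.0.30.50", "10.0.30.51"),
)


def audit(rules, flows=SAMPLE_FLOWS):
    """Return {description: action} for each sample flow under the ruleset."""
    return {desc: first_match(rules, src, dst)[0] for desc, src, dst in flows}


def leaks_internal(rules, flows=SAMPLE_FLOWS):
    """True if any flow to an internal network is passed: the failure mode
    the thread warns about (console able to reach LAN/other VLANs)."""
    for _, src, dst in flows:
        d = ip_address(dst)
        internal = any(d in net for net in INTERNAL_NETS) and d not in FW_IOT_ADDR
        if internal and first_match(rules, src, dst)[0] == "pass":
            return True
    return False


if __name__ == "__main__":
    for name, rules in (("recommended", RECOMMENDED), ("wrong order", WRONG_ORDER)):
        print(f"{name}: leaks internal = {leaks_internal(rules)}")
        for desc, action in audit(rules).items():
            print(f"  {action:5}  {desc}")
```

Only the IoT interface's rules are modelled, which is why a LAN-sourced packet falls through to the implicit deny here; on a real OPNsense box the LAN interface carries its own default allow rule, and the deny on the IoT interface is what stops the console initiating anything inward.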