OPNsense Forum
English Forums => Tutorials and FAQs => Topic started by: NemoEht on September 13, 2015, 05:24:38 am
-
I have enabled UPnP for the range of IPs that my game consoles sit in, but when I check the status page for UPnP there is nothing there. I would think it should have the IPs and ports and translations going out to the internet of my game consoles. I have two PS4s and we aren't able to play online really well without UPnP and I feel like I might be missing something here.
-
What is your build? What does your PS4 report NAT type 2 or? How did you configure it? did you manually configure UPnP or did you just enable it? My PS3 and 360s work with just UPnP enabled I did not manually configure anything.
-
Two PlayStations or Xbox's one the same public IP address is almost impossible to get working properly.
Both consoles use the same ports, and you can only port forward to one of them at a time.
I only have one PS4, and don't use UPnP, but needed to have Outbound NAT set to static port mapping for the consoles IP address. Which without running the opnsense-devel is limited to network, not network address.
That's the only way I can get NAT Type 2.
-
What is your build? What does your PS4 report NAT type 2 or? How did you configure it? did you manually configure UPnP or did you just enable it? My PS3 and 360s work with just UPnP enabled I did not manually configure anything.
My build is 15.7.12. My ps4 shows nat type 2, because I set up a outbound nat rule that says anything in the range on my consoles ip address (Ex. 192.168.1.200/29) have static ports for translation and I left everything else going to or coming from as any. That allowed me to get nat type 2. I then went an enabled UPnP and I got nothing so I put something under "User specified permissions 1" and it says "allow 1-65535 192.168.1.200/29 1-65535" but I still get nothing.
-
I allow multicast (224.0.0.0/4 and 240.0.0.0/4) in my LAN firewall rules for LAN-net devices and set my consoles to a specific range of IP's.
(I also allow access to UPNP (2189) and PMP ports (5351), via created an Alias for all LAN net, maybe redundant because of defaults created by activating UPNP service? but it doesn't hurt either)
All my consoles are ranged within CDIR 192.168.0.80/29.
So I create a Hybrid rule.
Hybrid Outbound NAT rule generation
(Automatic Outbound NAT + rules below)
With mappings 192.168.0.80/29 to be static.
With the UPNP service I set my consoles to:
By default deny access to UPnP & NAT-PMP? active YES !!!! (important!!!)
User specified permissions 1: allow 88-65535 192.168.0.80/29 88-65535 (Consoles, DHCP MAC assigned, udp 88 lowest port for xbox/xboxone)
User specified permissions 2: allow 1024-65535 192.168.0.0/24 1024-65535 (other PC's and laptops, only 1024 and higher)
-
I allow multicast (224.0.0.0/4 and 240.0.0.0/4) in my LAN firewall rules for LAN-net devices and set my consoles to a specific range of IP's.
(I also allow access to UPNP (2189) and PMP ports (5351), via created an Alias for all LAN net, maybe redundant because of defaults created by activating UPNP service? but it doesn't hurt either)
All my consoles are ranged within CDIR 192.168.0.80/29.
So I create a Hybrid rule.
Hybrid Outbound NAT rule generation
(Automatic Outbound NAT + rules below)
With mappings 192.168.0.80/29 to be static.
With the UPNP service I set my consoles to:
By default deny access to UPnP & NAT-PMP? active YES !!!! (important!!!)
User specified permissions 1: allow 88-65535 192.168.0.80/29 88-65535 (Consoles, DHCP MAC assigned, udp 88 lowest port for xbox/xboxone)
User specified permissions 2: allow 1024-65535 192.168.0.0/24 1024-65535 (other PC's and laptops, only 1024 and higher)
I will have to check this out when I get time. I saw something kinda like this in a forum about pfsense I just wasn't sure how to implement it correctly in opnsense. Thanks for the recommendation I will post later if it works.
-
I have make working my Wii U with NAT below and i think i will do the same thing for my PS4.
Firewall --> NAT -->Outbound --> Hybrid Outbound NAT
Make a new mapping :
- Interface : WAN
- Source : IP address of your PS4 or Wii U (need a reservation)
- Static-port : checked
That's all, after that no problem.
-
I have make working my PS4 with the same configuration today.
Before with only automatic nat outbound my PS4 NAT is in type 3.
After with Hybrid automatic nat outbound and a mapping static port that work.
I hope this can help somebody.
-
Interesting. I use inbound port forwarding as well, using the list from Sony and Destiny.
USB headset is a special one that is needed by the PlayStation. Bit odd, but it works.
Do you play online games, or just single player?
-
Platoon on Wii U, Assassin Creed Unity on PS4.
Without static port Wii U and PS4 failed to connect to other player, with static port all is ok :)
-
Static port is indeed needed.
But can players connect to you too, or do you connect to others?
-
Both work, i can connect to other and other can connect to me.
The problem of static ports is know for pfsense and other router.
-
I knew the static port part, but was expecting the need for other incoming ports too.
Except the port 80 and 443. I refuse to open those for a console. Its a gaming console, not a webserver.
-
in fact 443 and 80 are not the problem, it is the specific online gaming port the problem.
The other solution could be forward specific online gaming port to the right ip address on the lan. But need to know these ports. I will be some search to find them (not very difficult, sony and nintendo provide online documentions) and make tests.
-
I have think to one think, there is no problem for 80 and 443 TCP ports because static port open source port for PS4 to have the ability to receive the answers.
80 and 443 ports are destinations ports so there are not open on your router/firewall.
-
Ofcourse they are not open, but the PlayStation page on firewall settings says to open them, along with others.
A game I play, Destiny, has its own set of ports to open/forward. And better documented then Sony as well.
-
I allow multicast (224.0.0.0/4 and 240.0.0.0/4) in my LAN firewall rules for LAN-net devices and set my consoles to a specific range of IP's.
(I also allow access to UPNP (2189) and PMP ports (5351), via created an Alias for all LAN net, maybe redundant because of defaults created by activating UPNP service? but it doesn't hurt either)
All my consoles are ranged within CDIR 192.168.0.80/29.
So I create a Hybrid rule.
Hybrid Outbound NAT rule generation
(Automatic Outbound NAT + rules below)
With mappings 192.168.0.80/29 to be static.
With the UPNP service I set my consoles to:
By default deny access to UPnP & NAT-PMP? active YES !!!! (important!!!)
User specified permissions 1: allow 88-65535 192.168.0.80/29 88-65535 (Consoles, DHCP MAC assigned, udp 88 lowest port for xbox/xboxone)
User specified permissions 2: allow 1024-65535 192.168.0.0/24 1024-65535 (other PC's and laptops, only 1024 and higher)
Not having a lot of luck with my PS4, it's only creating a single UPNP rule. UPNP Service restarted and PS4 restarted before the below test:
Port Protocol Internal IP Int. Port Description
9308 udp 192.168.1.160 9308 192.168.1.160:9308 to 9308 (UDP)
Which results in NAT 2.
Any other advice or can you go in-depth more in-case I've missed something please?
My Xbox 360 seems fine with just UPNP enabled.
-
I don't understand, if you have NAT Type 2 normally that work.
Please find bellow screenshot of my configuration. I assume my PS4 have a static ip address (DHCP reservation or static ip) and an alias in opnsense to this IP address.
Capture1 : the outbound NAT rules, change for Hybrid Outbound NAT rule generation.
Add rule with + button
In this new rule :
Capture 2 : Source you PS4 ip address or alias
Capture 3 : check Static-port
I have the same rule for my Wii U and everything work correctly (if you don't have this rules online gaming failed to connect to other player, other online functionality work).
My configuration is a little complex because i need to use my ISP modem in router mode so i make double NAT like this : OPNSense routeur <-------> ISP modem (DMZ configured to OPNSense WAN adress). So normally with a more simple configuration that work more easily.
-
Many thanks for your reply. I've covered everything you've posted and still end up with NAT 2. All I can assume at this point is that Sony's current OS on the PlayStation 4 is not very UPNP compliant. I've tried against a dedicated Netgear based hardware router (both DD-WRT and their default) and got the same result.
Other consoles (Xbox 360 & PlayStation 3) both report open NAT when tested and generate UPNP rules correctly, so I certainly don't think it's OPNsense that's at fault here.
-
Normally PS4 have always NAT2 type.
Here the 3 differents NAT Type for PS4 :
NAT1 : One to One, the PS4 have it own public IP address
NAT2 : in fact PAT, you have a router with one public IP address and many device on your LAN with private IP address
NAT3 : Same thing NAT2 but your routeur don't do static port translation, so when your PS4 send packets the source port is different on the public IP address outside your routeur than the inside source port on the private IP address of your PS4.
In NAT3 you can't play online, internet work for basic services like internet browsing, browse the store, etc. In fact for online gaming your PS4 can connect to other players but others players can't connect to you, so you can't play.
Yes in think PS4 don't like UPNP, and it is exactly the same thing for Wii U and the same solution.
-
NAT type 1 is basically named wrong, because there is no Network Address Translation that is taking place.
I don't know if this can be achieved by putting the console inside a separate DMZ. (but then you can't do streaming to or from your PC or mediabox)
I believe the old Xbox360, had a better translation of the detected modes, full (NAT type 1), open (NAT type 2) and closed (NAT type 3) (and no connection at all)
Basically NAT type 2, is the best you can get with UPNP.
Other types of connection requires manual (or scripting) efforts opening and closing ports (udp and tcp) to and from the console IP. You have to lookup the specific port numbers on a game wiki and manually open the ports in the firewall each time you want to use that particular game. And you have to trust the wiki editor. Did they manage to get all the correct ports?
The port(s) you need to open, can be very different between games and can vary between in-game modes (coop and simple multiplayer).
-
I have a PS4 and I can confirm that UPNP is working as intended. I've been playing the new Call of Duty Black Ops III that was just released. In Call of Duty it says I have an open nat. I'm attaching 4 screenshots from my OPNsense firewall.
Image of my Firewall:Nat:Outbound settings
Image of how I configured my Firewall:Nat:Outbound settings
Image of my UPNP settings
Image of my UPNP status page showing it's working
So to sum things up to get your PS4 working like a champ you need to make sure you have done the following:
In OPNsense give your PS4 a static IP address.
In OPNsense make sure to setup your PS4 outbound NAT settings to have static port mapping.
In OPNsense enable UPNP server with the settings I'm using. (obviously change the IP)
I'm not sure if I could have added port 80 and port 443 and the rest of the ports all on the same line under the UPNP server settings. If someone knows how to do that let me know.
(http://i63.tinypic.com/9vgr6a.jpg)
(http://i66.tinypic.com/29279l4.jpg)
(http://i67.tinypic.com/33vn2u1.jpg)
(http://i67.tinypic.com/sm3xtz.jpg)
-
In my opinion and experience so far, ports 80 and 443 are not needed for incoming traffic.
-
Was having issues downloading content from the PlayStation store when i was using m0n0wall. Had to forward port 80 otherwise I couldn't download or purchase from the store. 443 not sure about.
-
Thanks for the responses and great information.
PS4 reporting NAT2 seems absolutely fine with actual games and they do seem to be opening the ports fine via UPNP (although Sony's actual test doesn't open the typical PSN ones like the PS3 does). I guess I was more thrown my the behavioural change between the two platforms, thus I was thinking something was wrong.
I didn't really need to do the latter but out of (in)sanity, I tested the following:
- I've tried DMZ'ing the PS4 (UPNP disabled, reboots all around) as a test and it still reports NAT2
- If I connect it and set up a PPPoE connection through it directly, then it reports NAT1 / OpenNAT)
I've put everything back using UPNP, DHCP reservation, Outbound NAT + static port - all OK
-
Thanks for everyone helping out here. I'm marking this solved to help newbies find this solution quicker. Feel free to keep posting. :)
Better yet, I'll make this a sticky post.
-
I wanted to use this guide but the screenshots are broken links now. anyone have them? Thank you
-
None of this seems to be working for me. I have a NAT rule with static port mapping and UPNP enabled, but my PS4 still shows as NAT Type 3 and no ports opened in UPNP.
Tried everything.
-
I allow multicast (224.0.0.0/4 and 240.0.0.0/4) in my LAN firewall rules for LAN-net devices and set my consoles to a specific range of IP's.
(I also allow access to UPNP (2189) and PMP ports (5351), via created an Alias for all LAN net, maybe redundant because of defaults created by activating UPNP service? but it doesn't hurt either)
All my consoles are ranged within CDIR 192.168.0.80/29.
So I create a Hybrid rule.
Hybrid Outbound NAT rule generation
(Automatic Outbound NAT + rules below)
With mappings 192.168.0.80/29 to be static.
With the UPNP service I set my consoles to:
By default deny access to UPnP & NAT-PMP? active YES !!!! (important!!!)
User specified permissions 1: allow 88-65535 192.168.0.80/29 88-65535 (Consoles, DHCP MAC assigned, udp 88 lowest port for xbox/xboxone)
User specified permissions 2: allow 1024-65535 192.168.0.0/24 1024-65535 (other PC's and laptops, only 1024 and higher)
I have not got it to work fully with the guide above. Just getting my XBOX one to open up one port and stays on strict. I wonder about the above post that you can allow multicast (224.0.0.0/4 and 240.0.0.0/4).
How do I allow multicast (224.0.0.0/4 and 240.0.0.0/4)?
Regards
Jim
-
Thanks for everyone.
-
Working for me but didn't need UPnP setting. :)