OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: immto on July 04, 2022, 06:25:56 pm

Title: Destiny 2 solution for multiple players on one network
Post by: immto on July 04, 2022, 06:25:56 pm
Edit 10-20-2022.
The below setup stopped providing Open NAT since upgrading to 22.7.6.
I got it working again, but with less than ideal circumstances.
You can still follow it. I'll update it below.

Maybe a solution for some with multiple players on the same network while using UPnP to get Open NAT.

I'm using 22.1.9 (22.7.6 now)

So we've been struggling with this off and on for years. We switched from Xbox to PC and went from two players to now three players on the same network, so I needed to figure this out. To further complicate the issue we have 3 players but 5 machines now we could play from.

The Networking tips list a bunch of ports but not what they are for. It basically says I need to use UPnP if I have multiple people playing on one network, but it doesn't give the most important part of the information: which ports are needed for UPnP to work correctly, so I may configure my network for the three players in our house without opening every port for UPnP.

Also, open NAT would be nice. My wife and I have been struggling through with the two of us on Strict NAT, and dealing with all the errors and server disconnects, etc.

After many hours of research and good old-fashioned trial and error I made progress.

Bungie lists 3097-3196 as UDP destination ports. But I was finding that when I allowed my UPnP full access to all ports, it was favoring this range, albeit TCP not UDP. So I hypothesized that this must be the range they are using for their UPnP connectivity. As such, I went ahead and configured my UPnP to be allowed on 3097-3196. This solved part of the issue.

Still had strict NAT however. Then I thought about the "allow" part.

Bungie says which ports need to be open, but not which direction... Typically when one says they want open access to port 80 for example, they want internet access. Most firewalls will allow two-way com when you initiate the connection from behind the firewall, so open ports simply means port 80 is open. If it was closed, any com on the network would not be able to obtain internet. One would not typically want their port 80 open from the outside in, under any circumstance, if they care about security at all... 

UPnP should allow two-way communication. One would assume, as many do, that when you have allowed UPnP, as Bungie says you must do to have more than one game running simultaneously, this would provide the communication. This is why they say never to "assume" (-ass-u-me).

Bungie's UPnP does not seem to work bi-directionally. At least not for me on our network. Normally when we were using UPnP, there would be two ports opened up, one in the 3000's range and another in some crazy 15 or 16,000 range (which is not listed on their ports at all, BTW). This is why I figured we were still having a Strict NAT issue.

I added a rule to allow ports 3097-3196 coming in on my WAN to an Alias group I created for the "GamingMachines".

Edit: The ports 3097-3196 are no longer sufficient. I have not had time to pin down exactly which ones are needed now. So I allowed all to the Gaming Group. This is obviously not secure. So I only enable the rule when we are playing.

That, in addition to the UPnP permission "allow 3097-3196 192.168.x.x/YOURcidr 3097-3196"

Now, I have three machines online, no error codes, Open NAT. BINGO... Bungo.

Edit: You will also need to add a NAT Outbound Rule.
Source alias for GamingGroup. Source and Destination tcp/udp. any. Make it Static.


So in closing, I think (assume, cough cough) that Bungie is using 3097-3196 as the range for their UPnP. I have not found this information anywhere as fact; all I can say is that so far, after hours of testing on 5 machines, I almost always get 3097, 3098 and 3099 as my UPnP ports when I start three players at one time. That port shows as being connected on my firewall for both incoming and outgoing. And, since I'm using an alias, I have the added benefit of not advertising those ports on the internet as being open on my network. All ports scan as stealth.

Hopefully this helps someone else out there.

You're welcome.
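
Added example, not part of the original post or of OPNsense's code: a small evaluator for UPnP permission lines in the form quoted above, showing which mapping requests a ruleset lets through. It assumes miniupnpd-style evaluation (first matching rule decides, a request matching no rule is accepted); the 192.168.1.0/24 LAN, the trailing deny line and the sample requests are constructed.

```python
import ipaddress

def _ports(spec):
    """'3097-3196' or '3097' -> (low, high), validated."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return lo, hi

def parse_rule(line):
    """Parse '(allow|deny) ext_ports ip/mask int_ports'."""
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    return (action == "allow", _ports(ext),
            ipaddress.ip_network(net, strict=False), _ports(internal))

def permitted(rules, ext_port, client_ip, int_port):
    """First matching rule decides (assumed miniupnpd behaviour);
    a request that matches no rule is accepted."""
    addr = ipaddress.ip_address(client_ip)
    for allow, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and addr in net and ilo <= int_port <= ihi:
            return allow
    return True

def audit(rules, requests):
    """Return one allow/deny decision per request, in order."""
    return [permitted(rules, *req) for req in requests]

# Constructed ACL: the post's allow line with an assumed LAN, plus a catch-all deny.
ACL = [parse_rule(r) for r in (
    "allow 3097-3196 192.168.1.0/24 3097-3196",
    "deny 0-65535 0.0.0.0/0 0-65535",
)]

# Constructed mapping requests: (external port, client IP, internal port).
REQUESTS = [
    (3097, "192.168.1.50", 3097),    # gaming PC, inside the range
    (16000, "192.168.1.50", 16000),  # high port like the one the post describes
    (3098, "192.168.2.7", 3098),     # right port, client outside the LAN
    (3097, "192.168.1.50", 3389),    # right external port, other internal port
]

if __name__ == "__main__":
    for label, rules in (("allow + deny", ACL), ("allow only", ACL[:1])):
        print(label, audit(rules, REQUESTS))
```

Under these assumptions the allow line on its own restricts nothing: every sample request is accepted until a catch-all deny follows it.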
Title: Re: Destiny 2 solution for multiple players on one network
Post by: immto on October 21, 2022, 05:02:38 pm
I took the time to create rules for every single port and port range Bungie lists and the best I can get is Moderate NAT. If I open all ports I can get Open NAT. So there must be a port or port range that they are not listing.