NAT Outbound rules, static ports and game consoles

Started by Forceflow, December 21, 2024, 01:04:06 PM

Hey everyone,

I'm trying to replace my old trusty Edgemax Edgerouter ERP-5 (because Unifi does not care about these Edgerouters any more, it seems) with a new shiny OPNSense device from Protectli. It's going well, but I've got one thing that puzzles me. First, my network topology:

(internet) -> ISP modem/router (192.168.0.1) -> OPNsense with static WAN IP (192.168.0.220) -> My LAN and all my devices (192.168.1.x)

  • I'm stuck with that ISP modem/router that I cannot put into bridge mode. The only thing I can do is DMZ to a fixed IP (192.168.0.220). I've made my peace with this double NAT, it's the way it is - this is not the issue at hand. Don't worry, I've disabled the standard blocking of traffic from RFC1918 networks, otherwise the setup wouldn't work :)
  • I've managed to replicate almost all functionality from the Edgerouter I want: static leases, port forwards, DNS redirect to Pihole, et cetera. Devices can contact the internet and each other.

There is just one thing that's bugging me: I'm an avid gamer, and when I use my Edgerouter, all my consoles / PC games report NAT type 2 (moderate). When I use my new OPNSense box, that reverts to NAT type 3 (strict).

The initial reaction would be: just start configuring UPNP, but here's the thing: on my Edgerouter I could get to NAT Type 2 without having to resort to UPNP (simply not configured), and I'd like to replicate that exact behavior. I want a baseline to start from that is identical to what I had :).

I figured out it probably has something to do with outbound NAT rules, and the port selection. OPNSense, by default, randomizes the outbound port during the translation, for security reasons, if I am correct. I think my Edgerouter, by default, uses static port mapping for outbound NAT (no randomization) for EVERY LAN CLIENT, and that makes everything "just work" to get to NAT Type 2.

In order to replicate this behavior in OPNSense, I've set Outbound NAT to Hybrid mode, copied the default auto-generated outbound rule to this section and just enabled the static port setting. For all traffic and clients, because most of the clients on my network use some online game functionality (laptops, consoles, ...). This change does indeed result in all consoles and game PCs reporting NAT Type 2 / Moderate behavior. Hurray.

Here are my questions:
  • Do you think I've diagnosed the problem correctly and that is indeed the default Edgerouter behavior, and that I replicated this correctly? I know UPNP is the "correct" way of solving this, but I don't want to get into more configuration hell, and I was fine with the way the Edgerouter did it.
  • Is there any downside to doing this? I know theoretically I can have issues when ports collide, let's say two XBOXes on my network try to connect to the same game server using the exact same port, and it is unclear for whom the returning packet is meant. I've got to stress that I did not encounter any of those issues in doing it like this for 5 years on that Edgerouter, so this might be a non-issue.

Thank you for reading this, and happy holidays to you all.


You are basically correct,

Out of the BOX the NAT rules on OPNsense use static port only for IPSEC. All other traffic doesn't use this feature. This is as well the reason why you see a lower grade of NAT type reported by the console services.

Personally I would avoid uPnP as it opens ports per need per application/host, it can wreak havoc and in essence something that opens ports as it likes is never good security wise.

In a small network setup the chance that two ports would collide in regards of the Static port feature is low. Yet it can occur. You can create a NAT rule to only match a specific Alias, e.g. devices that will hit the NAT rule with static port turned on.

Overall I rather prefer static port NAT rule than uPnP.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

Thank you. And the reason I did not encounter any problems with the Edgerouter setup is because I don't have, let's say, two XBOXes trying to play on the same game server at the same time, right?

Because the problem technically would occur when you have this situation:

(XBOX 1) 192.168.1.240:12345 -> (map to WAN IP, keep port) WAN IP:12345 -> (same XBOX GAME SERVER IP)
(XBOX 2) 192.168.1.241:12345 -> (map to WAN IP, keep port) WAN IP:12345 -> (same XBOX GAME SERVER IP)

And then there is ambiguity of what to do with return packets.
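To make the collision above concrete, and the per-alias static-port rule suggested earlier in the thread, here is an added Python model of an outbound NAT state table; it is not code from the thread or from OPNsense/pf, and the addresses, ports and alias in it are constructed.

```python
"""Model of outbound NAT state with and without static-port.

Added example, not code from the thread or from OPNsense/pf. It reproduces
the ambiguity discussed above: two LAN hosts using the same source port to
the same game server. All addresses are constructed sample values.
"""
import random

GAME_SERVER = ("198.51.100.7", 3074)   # constructed game server ip, port
STATIC_PORT_ALIAS = {"192.168.1.240"}  # hypothetical alias: consoles only


class OutboundNat:
    """Tracks states keyed by (wan_port, dst_ip, dst_port).

    Return traffic is matched on that key alone, so two states sharing it
    cannot be told apart, which is the collision described in the thread.
    """

    def __init__(self, static_hosts=(), seed=0):
        self.static_hosts = set(static_hosts)
        self.rng = random.Random(seed)
        self.states = {}  # (wan_port, dst_ip, dst_port) -> (lan_ip, lan_port)

    def _random_port(self, dst_ip, dst_port):
        # Default behaviour: pick an ephemeral port not yet used toward this peer.
        while True:
            port = self.rng.randint(1024, 65535)
            if (port, dst_ip, dst_port) not in self.states:
                return port

    def translate(self, lan_ip, lan_port, dst_ip, dst_port):
        """Add a state and return the WAN source port, or None on a collision.

        The model simply refuses the ambiguous second static-port state; how a
        real firewall handles that case is not covered by the thread.
        """
        if lan_ip in self.static_hosts:
            wan_port = lan_port  # static-port: source port is kept as-is
            if (wan_port, dst_ip, dst_port) in self.states:
                return None
        else:
            wan_port = self._random_port(dst_ip, dst_port)
        self.states[(wan_port, dst_ip, dst_port)] = (lan_ip, lan_port)
        return wan_port

    def reverse(self, wan_port, src_ip, src_port):
        """Find the LAN (ip, port) a return packet from src_ip:src_port belongs to."""
        return self.states.get((wan_port, src_ip, src_port))
```

With static-port on every host, the second console's identical 5-tuple collides; with static-port limited to the alias, the laptop gets a randomized port and both return paths stay unambiguous.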

December 21, 2024, 01:48:53 PM #3 Last Edit: December 21, 2024, 01:51:21 PM by Seimus
Correct,

The Static port prevents PNAT of the source port.

https://docs.opnsense.org/manual/nat.html

Quote
Static-port
Prevents pf(4) from modifying the source port on TCP and UDP packets.

But keep in mind usually the Source ports of the Source IP are dynamic, so even for two different hosts in LAN to choose the same Source port is very low. There are services that need a specific Source port to Specific Destination port. But for Service like online gaming, multiplayer etc. this usually is not the case.

That is as well the reason why off-the-shelf routers run with Static port option hardcoded.

Regards,
S.


True, most devices do port randomization themselves, but it seems some (P2P, I think?) game clients and consoles really only work on specific ports, that they need a specific reply to.

Anyway, I'm glad my diagnosis seems correct - I've learned A LOT about NAT in the past days. That's what you get from upgrading to enterprise solutions, I guess.

Quote from: Seimus on December 21, 2024, 01:22:38 PM
Overall I rather prefer static port NAT rule than uPnP.
I would do both for a game-centric subnet. :)

Quote from: Bob.Dig on December 21, 2024, 05:01:08 PM
Quote from: Seimus on December 21, 2024, 01:22:38 PM
Overall I rather prefer static port NAT rule than uPnP.
I would do both for a game-centric subnet. :)
Doesn't that conflict with each other? Or is UPNP just inbound port forwarding, and nothing to do with the outbound NAT?

uPnP tends to open ports (Port forwarding If I am not wrong), and that is its major benefit as well as its negative.
Back in the past there was some goofy behavior caused by uPnP like not closing the ports etc. (you can search through the forum). But for some time I didn't hear anything weird about it.

uPnP plugin offers you certain configuration in OPNsense, like specify which host can use it.

What I mean by "game-centric subnet" is that if you use VLAN isolation and have a specific network/VLAN just for game devices you can potentially limit the cascade of impact in case you misconfigure uPnP.

Anyway, if you do not require uPnP just configure the NAT in Port-static mode. As mentioned that should work without problems.

Regards,
S.