P2P gaming between two computers behind OPNSense

Started by fornax, May 25, 2026, 06:59:27 AM

Hi all. I recently replaced my basic home wifi router with an OPNSense box. Things went mostly smoothly, but I quickly found out that certain online multiplayer games that use a P2P model (particularly GTA Online) were not happy. After a bit of research, I made a static port NAT rule for our two gaming computers and set up os-upnp, and that seemed to work. Both are able to play online simultaneously with other players, but the one thing we can't do is actually play together. When either of us attempts to join the other, it fails with a generic "Unable to connect to session".

In our setup, our ISP's provided router gives out private addresses (10.0.0.x), so that's what OPNSense's WAN interface gets. This is the same situation as the previous wifi router, which worked fine, so I know this is possible without changing the ISP router. I'm still fairly new to getting into the nuts and bolts of NAT (and UPnP), so I'm not really sure how to troubleshoot this. I can say though that if one of us connects directly to the ISP router (bypassing OPNSense), we're able to play together successfully. Obviously that's not ideal.

The first of the two things I've changed is switching Outbound NAT to Hybrid and adding a rule for each machine:
Interface: WAN
Source: 192.168.1.x/32
NAT Address: WAN address
Static Port: Yes

The second thing was installing and configuring os-upnp (miniupnpd). Here's /var/etc/miniupnpd.conf. Note that the ext_allow_private_ipv4 line was added manually (and the service restarted) since it's not available in the UI. I think this was the last change that made online play work initially.

ext_ifname=igc1
ext_allow_private_ipv4=yes
http_port=2189
listening_ip=vlan06
ext_perform_stun=allow-filtered
ext_stun_host=stun.l.google.com
ext_stun_port=19302
secure_mode=yes
pcp_allow_thirdparty=no
ipv6_disable=yes
presentation_url=https://192.168.1.1/
friendly_name=OPNsense UPnP IGD & PCP
uuid=<uuid>
serial=60732055
model_number=26.1.8_5
allow 1024-65535 192.168.1.<x>/32 1024-65535
allow 1024-65535 192.168.1.<y>/32 1024-65535
deny 1-65535 0.0.0.0/0 1-65535
enable_upnp=yes
enable_pcp_pmp=yes
force_igd_desc_v1=yes
lease_file=/var/run/miniupnpd.leases
lease_file6=/var/run/miniupnpd.leases-ipv6

I haven't manually added any firewall rules for this. The only rules outside of the built-in rules for this internal interface are to drop IPv6, allow full access to the internet, and allow DNS, DHCP, and NTP to the OPNSense interface. If anyone can point me in a direction, it would be greatly appreciated.
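An added example, not part of the original post and not miniupnpd's own code: a small evaluator for the allow/deny lines and secure_mode setting in the miniupnpd.conf above, useful for checking which hosts can request which port mappings. The addresses .50 and .51 are constructed stand-ins for the redacted <x> and <y>, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample mirroring the page's rules; .50 and .51 stand in for
# the redacted <x> and <y> host addresses.
SAMPLE_CONF = """\
ext_ifname=igc1
secure_mode=yes
allow 1024-65535 192.168.1.50/32 1024-65535
allow 1024-65535 192.168.1.51/32 1024-65535
deny 1-65535 0.0.0.0/0 1-65535
enable_upnp=yes
"""

def port_range(text):
    """Parse '1024-65535' or a single port into an inclusive (low, high) pair."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)

def parse_conf(conf):
    """Return (secure_mode, ordered ACL rules) from miniupnpd.conf text."""
    secure, rules = False, []
    for line in conf.splitlines():
        line = line.strip()
        if line.startswith(("allow ", "deny ")):
            # Rule layout: action, external ports, internal network, internal ports.
            action, ext, net, internal = line.split()
            rules.append((action == "allow", port_range(ext),
                          ipaddress.ip_network(net, strict=False),
                          port_range(internal)))
        elif line.replace(" ", "") == "secure_mode=yes":
            secure = True
    return secure, rules

def mapping_allowed(conf, requester, target, ext_port, int_port):
    """Decide a port-mapping request in rule order: the first matching rule wins."""
    secure, rules = parse_conf(conf)
    # secure_mode=yes: a client may only map ports to its own address.
    if secure and requester != target:
        return False
    addr = ipaddress.ip_address(target)
    for allow, (elo, ehi), net, (ilo, ihi) in rules:
        if addr in net and elo <= ext_port <= ehi and ilo <= int_port <= ihi:
            return allow
    return True  # miniupnpd accepts when no rule matches, hence the final deny line
```

With the rules as posted, only the two listed hosts can open mappings, only for themselves, and only on ports 1024 and above.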

May 25, 2026, 11:26:32 PM #1 Last Edit: May 25, 2026, 11:29:59 PM by nero355
Quote from: fornax on May 25, 2026, 06:59:27 AM
In our setup, our ISP's provided router gives out private addresses (10.0.0.x), so that's what OPNSense's WAN interface gets.

I can say though that if one of us connects directly to the ISP router (bypassing OPNSense), we're able to play together successfully.
Obviously that's not ideal.
Does your network have Managed Switches that can handle VLAN Tagging?

If so, then just create a VLAN in which you connect the ISP Router as an Untagged Device and forward it also Untagged to the LAN Ports of the two Gaming PCs and you are DONE! :)

Quote:
This is the same situation as the previous wifi router, which worked fine, so I know this is possible without changing the ISP router. I'm still fairly new getting into the nuts and bolts of NAT (and UPnP), so I'm not really sure how to troubleshoot this.
You only need UPNP if you want to have Automatic Port Forwards for your Clients so their NAT Status is OPEN instead of Moderate or Strict.

- Default OPNsense configuration = Strict NAT
The Client Port and WAN Port are different in this case : LAN Port 34976 becomes WAN Port 54298 for example for one Client.

- When you configure Outbound NAT (In the future Source NAT) to Hybrid and create a Static-port NAT Rule with an Alias that contains all your Clients that require 1:1 Port Mapping during NAT = Moderate NAT
The Client Port and WAN Port are the same in this case : LAN Port 34976 stays WAN Port 34976 for example for one Client.

- When you Enable UPNP or create Port Forwards (Destination NAT Rules) then you open your network to anyone connecting from the Internet to it either temporarily (UPNP) or permanently (Port Forward) and expose services and hosts on your LAN this way = OPEN NAT
The Client Port and WAN Port are the same in this case : LAN Port 34976 stays WAN Port 34976 for example for one Client.
And added to that is the fact that ANYONE can connect to them at any time instead of only when you initiate the connection !!



Now to get to the silly Gaming P2P stuff for any game that needs it :

IMHO you should keep things at Moderate NAT since this will connect you with more than enough fellow gamers out there.

To give you an idea of what is possible :
- OPEN NAT can connect to EVERYONE.
- Moderate NAT can connect to OPEN NAT.
- Moderate NAT can connect to Moderate NAT.
- Moderate NAT can NOT connect to Strict NAT.
- Strict NAT can ONLY connect to OPEN NAT.



I hope this cleared up some stuff for you when it comes to NAT behaviour and Games that use P2P Networking instead of Dedicated Servers like they should ;)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)
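
The Strict / Moderate / OPEN behaviour and the connectivity list in the reply above, as an added model that is not part of the thread and not OPNsense code: a simplified NAT in which random source ports, static-port and a port forward produce exactly that list. The Nat class, the documentation-range addresses and the matchmaking server are constructed, and each gateway has a single client.

```python
import itertools

GAME_PORT = 34976                      # LAN port reused from the reply's example
RENDEZVOUS = ("198.51.100.1", 3478)    # constructed matchmaking server

class Nat:
    """Simplified stateful NAT with one LAN client per gateway."""
    random_ports = itertools.count(50000)   # stand-in for randomized source ports

    def __init__(self, wan_ip, static_port=False, forwards=()):
        self.wan_ip, self.static_port = wan_ip, static_port
        self.forwards = set(forwards)   # WAN ports forwarded inbound (OPEN NAT)
        self.states = {}                # (lan_port, remote) -> wan_port

    def send(self, lan_port, remote):
        """Outbound packet: create a state, return the (wan_ip, wan_port) the remote sees."""
        key = (lan_port, remote)
        if key not in self.states:
            self.states[key] = lan_port if self.static_port else next(Nat.random_ports)
        return self.wan_ip, self.states[key]

    def accepts(self, wan_port, remote):
        """Inbound packet passes only via a port forward or a state for that exact remote."""
        return wan_port in self.forwards or any(
            wp == wan_port and r == remote for (_, r), wp in self.states.items())

def make(kind, wan_ip):
    """strict = random ports, moderate = static-port, open = static-port plus forward."""
    return Nat(wan_ip, static_port=kind != "strict",
               forwards={GAME_PORT} if kind == "open" else ())

def can_connect(kind_a, kind_b):
    """Both peers register with the server, then send to each other's advertised endpoint."""
    a, b = make(kind_a, "203.0.113.10"), make(kind_b, "203.0.113.20")
    adv_a = a.send(GAME_PORT, RENDEZVOUS)   # endpoint the server hands to B for A
    adv_b = b.send(GAME_PORT, RENDEZVOUS)
    src_a = a.send(GAME_PORT, adv_b)        # A's packet toward B, as seen on the wire
    src_b = b.send(GAME_PORT, adv_a)
    # One direction getting through is enough: the reply follows the state it created.
    return b.accepts(adv_b[1], src_a) or a.accepts(adv_a[1], src_b)
```

In the strict case the port advertised through the server differs from the port used toward the peer, so the peer's state never matches the incoming packet; static-port keeps both the same.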