UPnP Gaming Questions and Answers

[NemoEht]

I have enabled UPnP for the range of IPs that my game consoles sit in, but when I check the status page for UPnP there is nothing there. I would think it should have the IPs and ports and translations going out to the internet of my game consoles. I have two PS4s and we aren't able to play online really well without UPnP and I feel like I might be missing something here.

[Solaris17]

What is your build? What does your PS4 report NAT type 2 or? How did you configure it? did you manually configure UPnP or did you just enable it? My PS3 and 360s work with just UPnP enabled I did not manually configure anything.

[weust]

Two PlayStations or Xbox's one the same public IP address is almost impossible to get working properly.
Both consoles use the same ports, and you can only port forward to one of them at a time.

I only have one PS4, and don't use UPnP, but needed to have Outbound NAT set to static port mapping for the consoles IP address. Which without running the opnsense-devel is limited to network, not network address.
That's the only way I can get NAT Type 2.

[NemoEht]

What is your build? What does your PS4 report NAT type 2 or? How did you configure it? did you manually configure UPnP or did you just enable it? My PS3 and 360s work with just UPnP enabled I did not manually configure anything.

My build is 15.7.12. My ps4 shows nat type 2, because I set up a outbound nat rule that says anything in the range on my consoles ip address (Ex. 192.168.1.200/29)  have static ports for translation and I left everything else going to or coming from as any. That allowed me to get nat type 2. I then went an enabled UPnP and I got nothing so I put something under "User specified permissions 1" and it says "allow 1-65535 192.168.1.200/29 1-65535" but I still get nothing.

[Tikimotel]

I allow multicast (224.0.0.0/4 and 240.0.0.0/4) in my LAN firewall rules for LAN-net devices and set my consoles to a specific range of IP's. 
(I also allow access to UPNP (2189) and PMP ports (5351), via created an Alias for all LAN net, maybe redundant because of defaults created by activating UPNP service? but it doesn't hurt either)

All my consoles are ranged within CDIR 192.168.0.80/29.

So I create a Hybrid rule.
Hybrid Outbound NAT rule generation
(Automatic Outbound NAT + rules below)

With mappings 192.168.0.80/29 to be static.

With the UPNP service I set my consoles to:
By default deny access to UPnP & NAT-PMP? active YES !!!! (important!!!)
User specified permissions 1: allow 88-65535 192.168.0.80/29 88-65535 (Consoles, DHCP MAC assigned, udp 88 lowest port for xbox/xboxone)
User specified permissions 2: allow 1024-65535 192.168.0.0/24 1024-65535 (other PC's and laptops, only 1024 and higher)

[NemoEht]

I allow multicast (224.0.0.0/4 and 240.0.0.0/4) in my LAN firewall rules for LAN-net devices and set my consoles to a specific range of IP's. 
(I also allow access to UPNP (2189) and PMP ports (5351), via created an Alias for all LAN net, maybe redundant because of defaults created by activating UPNP service? but it doesn't hurt either)

All my consoles are ranged within CDIR 192.168.0.80/29.

So I create a Hybrid rule.
Hybrid Outbound NAT rule generation
(Automatic Outbound NAT + rules below)

With mappings 192.168.0.80/29 to be static.

With the UPNP service I set my consoles to:
By default deny access to UPnP & NAT-PMP? active YES !!!! (important!!!)
User specified permissions 1: allow 88-65535 192.168.0.80/29 88-65535 (Consoles, DHCP MAC assigned, udp 88 lowest port for xbox/xboxone)
User specified permissions 2: allow 1024-65535 192.168.0.0/24 1024-65535 (other PC's and laptops, only 1024 and higher)

I will have to check this out when I get time. I saw something kinda like this in a forum about pfsense I just wasn't sure how to implement it correctly in opnsense. Thanks for the recommendation I will post later if it works.

[Kuragari]

I have make working my Wii U with NAT below and i think i will do the same thing for my PS4.

Firewall --> NAT -->Outbound --> Hybrid Outbound NAT

Make a new mapping :
- Interface : WAN
- Source : IP address of your PS4 or Wii U (need a reservation)
- Static-port : checked

That's all, after that no problem.

[Kuragari]

I have make working my PS4 with the same configuration today.

Before with only automatic nat outbound my PS4 NAT is in type 3.

After with Hybrid automatic nat outbound and a mapping static port that work.

I hope this can help somebody.
 

[weust]

Interesting. I use inbound port forwarding as well, using the list from Sony and Destiny.
USB headset is a special one that is needed by the PlayStation. Bit odd, but it works.

Do you play online games, or just single player?

[Kuragari]

Platoon on Wii U, Assassin Creed Unity on PS4.

Without static port Wii U and PS4 failed to connect to other player, with static port all is ok

[weust]

Static port is indeed needed.
But can players connect to you too, or do you connect to others?

[Kuragari]

Both work, i can connect to other and other can connect to me.

The problem of static ports is know for pfsense and other router.

[weust]

I knew the static port part, but was expecting the need for other incoming ports too.
Except the port 80 and 443. I refuse to open those for a console. Its a gaming console, not a webserver.

[Kuragari]

in fact 443 and 80 are not the problem, it is the specific online gaming port the problem.

The other solution could be forward specific online gaming port to the right ip address on the lan. But need to know these ports. I will be some search to find them (not very difficult, sony and nintendo provide online documentions) and make tests.

[Kuragari]

I have think to one think, there is no problem for 80 and 443 TCP ports because static port open source port for PS4 to have the ability to receive the answers.

80 and 443 ports are destinations ports so there are not open on your router/firewall.