UPnP Gaming Questions and Answers

Started by NemoEht, September 13, 2015, 05:24:38 AM

Of course they are not open, but the PlayStation page on firewall settings says to open them, along with others.
A game I play, Destiny, has its own set of ports to open/forward, and it is better documented than Sony's as well.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Quote from: Tikimotel on September 23, 2015, 08:50:08 PM
I allow multicast (224.0.0.0/4 and 240.0.0.0/4) in my LAN firewall rules for LAN-net devices and set my consoles to a specific range of IPs.
(I also allow access to the UPnP (2189) and PMP (5351) ports via an alias I created for the whole LAN net; maybe redundant because of the defaults created by activating the UPnP service, but it doesn't hurt either.)

All my consoles are within CIDR 192.168.0.80/29.

So I create a Hybrid rule:
Hybrid Outbound NAT rule generation
(Automatic Outbound NAT + rules below)

With mappings for 192.168.0.80/29 set to static.

With the UPnP service I set my consoles to:
By default deny access to UPnP & NAT-PMP? active YES !!!! (important!!!)
User specified permissions 1: allow 88-65535 192.168.0.80/29 88-65535 (consoles, DHCP MAC assigned; UDP 88 is the lowest port for Xbox/Xbox One)
User specified permissions 2: allow 1024-65535 192.168.0.0/24 1024-65535 (other PCs and laptops, only 1024 and higher)

Not having a lot of luck with my PS4; it's only creating a single UPnP rule. UPnP service restarted and PS4 restarted before the test below:

Port  Protocol  Internal IP    Int. Port  Description
9308  udp       192.168.1.160  9308       192.168.1.160:9308 to 9308 (UDP)


Which results in NAT 2.

Any other advice, or can you go more in-depth in case I've missed something, please?

My Xbox 360 seems fine with just UPNP enabled.
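As an added example (not from any post in this thread): a small checker for the "User specified permissions" lines quoted above, so you can see which UPnP/NAT-PMP mapping requests they accept before trusting them. It assumes miniupnpd's rule syntax and first-match semantics, and that OPNsense's "By default deny access" option appends a final deny rule; the client addresses and ports in the requests are constructed.

```python
import ipaddress

# Constructed from the permission lines quoted in the thread (miniupnpd syntax):
#   <allow|deny> <external port range> <internal ip/mask> <internal port range>
PERMISSIONS = [
    "allow 88-65535 192.168.0.80/29 88-65535",      # consoles
    "allow 1024-65535 192.168.0.0/24 1024-65535",   # other PCs and laptops
]


def parse_rule(line):
    """Split one permission line into (action, ext range, network, int range)."""
    action, ext, net, internal = line.split()
    ext_lo, ext_hi = (int(p) for p in ext.split("-"))
    int_lo, int_hi = (int(p) for p in internal.split("-"))
    return action, (ext_lo, ext_hi), ipaddress.ip_network(net, strict=False), (int_lo, int_hi)


def mapping_permitted(client_ip, ext_port, int_port, rules=PERMISSIONS, default_deny=True):
    """Decide whether an AddPortMapping request from client_ip, asking that
    external ext_port forward to client_ip:int_port, is accepted.
    Assumed semantics (miniupnpd): rules are checked top to bottom and the
    first rule matching all three fields decides; the OPNsense "By default
    deny" option appends a final deny, so a request matching nothing is
    refused only when that option is on."""
    ip = ipaddress.ip_address(client_ip)
    for line in rules:
        action, (elo, ehi), net, (ilo, ihi) = parse_rule(line)
        if ip in net and elo <= ext_port <= ehi and ilo <= int_port <= ihi:
            return action == "allow"
    return not default_deny


def audit(requests, rules=PERMISSIONS, default_deny=True):
    """Evaluate a batch of (client_ip, ext_port, int_port) requests."""
    return {req: mapping_permitted(*req, rules=rules, default_deny=default_deny)
            for req in requests}


if __name__ == "__main__":
    # Constructed requests: a console in the /29, a laptop asking for port 80,
    # the same laptop asking for a high port, and a PS4 at 192.168.1.160 (the
    # address in the status table above), which lies outside both networks.
    for req, ok in audit([("192.168.0.82", 9308, 9308),
                          ("192.168.0.50", 80, 80),
                          ("192.168.0.50", 3074, 3074),
                          ("192.168.1.160", 9308, 9308)]).items():
        print(req, "allowed" if ok else "denied")
```

Note that copying these two lines onto a LAN numbered 192.168.1.0/24 matches nothing, so with default deny enabled every request is refused.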

I don't understand; if you have NAT Type 2, normally that works.

Please find below screenshots of my configuration. I assume my PS4 has a static IP address (DHCP reservation or static IP) and an alias in OPNsense for this IP address.

Capture 1: the outbound NAT rules, changed to Hybrid Outbound NAT rule generation.

Add a rule with the + button.

In this new rule:

Capture 2: Source: your PS4 IP address or alias

Capture 3: check Static-port

I have the same rule for my Wii U and everything works correctly (if you don't have these rules, online gaming fails to connect to other players; other online functionality works).

My configuration is a little complex because I need to use my ISP modem in router mode, so I have double NAT like this: OPNsense router <-------> ISP modem (DMZ configured to the OPNsense WAN address). So normally with a simpler configuration that works more easily.

Many thanks for your reply. I've covered everything you've posted and still end up with NAT 2. All I can assume at this point is that Sony's current OS on the PlayStation 4 is not very UPNP compliant. I've tried against a dedicated Netgear based hardware router (both DD-WRT and their default) and got the same result.
Other consoles (Xbox 360 & PlayStation 3) both report open NAT when tested and generate UPNP rules correctly, so I certainly don't think it's OPNsense that's at fault here.

November 11, 2015, 09:47:18 AM #19 Last Edit: November 11, 2015, 09:48:52 AM by Kuragari
Normally a PS4 always has NAT type 2.

Here are the 3 different NAT types for PS4:
NAT1: one to one; the PS4 has its own public IP address
NAT2: in fact PAT; you have a router with one public IP address and many devices on your LAN with private IP addresses
NAT3: same thing as NAT2, but your router doesn't do static port translation, so when your PS4 sends packets the source port on the public IP address outside your router is different from the inside source port on the private IP address of your PS4.

In NAT3 you can't play online; the internet works for basic services like web browsing, browsing the store, etc. In fact, for online gaming your PS4 can connect to other players but other players can't connect to you, so you can't play.

Yes, I think the PS4 doesn't like UPnP, and it is exactly the same thing for the Wii U, with the same solution.
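As an added illustration (not from any post in this thread) of the NAT2/NAT3 distinction described above: a toy PAT table that either keeps the console's inside source port on the public side (the static-port case) or rewrites it, plus a check of whether another player sending to the advertised port reaches the console. The public address and the console address/port are constructed; it models only the port translation, not pf's state filtering or the UPnP mapping the thread also relies on.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.5"  # constructed WAN address (documentation range)


@dataclass
class PatRouter:
    """Minimal port-address-translation table. static_port=True mirrors the
    'Static-port' checkbox on an OPNsense outbound NAT rule: the inside source
    port is reused as the public source port whenever it is still free."""
    static_port: bool
    table: dict = field(default_factory=dict)   # public port -> (inside ip, inside port)
    next_ephemeral: int = 49152                 # first port handed out when rewriting

    def outbound(self, src_ip, src_port):
        """Create (or reuse) the mapping for an outbound flow; returns the public port."""
        for pub, inside in self.table.items():
            if inside == (src_ip, src_port):
                return pub
        if self.static_port and src_port not in self.table:
            pub = src_port
        else:
            while self.next_ephemeral in self.table:
                self.next_ephemeral += 1
            pub = self.next_ephemeral
            self.next_ephemeral += 1
        self.table[pub] = (src_ip, src_port)
        return pub

    def inbound(self, dst_port):
        """Inside destination of a packet arriving at PUBLIC_IP:dst_port, or None."""
        return self.table.get(dst_port)


def peer_can_reach(static_port, console=("192.168.1.160", 9308)):
    """The console sends its first game packet out (creating the mapping) and
    tells the matchmaking service 'reach me on port 9308'. Another player then
    sends to PUBLIC_IP:9308. True if that packet lands on the console."""
    router = PatRouter(static_port)
    router.outbound(*console)
    advertised_port = console[1]           # the console only knows its inside port
    return router.inbound(advertised_port) == console


if __name__ == "__main__":
    for mode, static in (("NAT2 (static port)", True), ("NAT3 (rewritten port)", False)):
        print(mode, "- peer reaches console:", peer_can_reach(static))
```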

November 13, 2015, 08:07:04 PM #20 Last Edit: November 13, 2015, 08:09:41 PM by Tikimotel
NAT type 1 is basically named wrong, because there is no Network Address Translation taking place.
I don't know if this can be achieved by putting the console inside a separate DMZ (but then you can't do streaming to or from your PC or media box).

I believe the old Xbox 360 had a better translation of the detected modes: full (NAT type 1), open (NAT type 2) and closed (NAT type 3) (and no connection at all).

Basically, NAT type 2 is the best you can get with UPnP.

Other types of connection require manual (or scripted) effort opening and closing ports (UDP and TCP) to and from the console IP. You have to look up the specific port numbers on a game wiki and manually open the ports in the firewall each time you want to use that particular game. And you have to trust the wiki editor: did they manage to get all the correct ports?
The port(s) you need to open can be very different between games and can vary between in-game modes (co-op and simple multiplayer).

November 14, 2015, 03:56:28 AM #21 Last Edit: November 14, 2015, 04:00:16 AM by azdps
I have a PS4 and I can confirm that UPnP is working as intended. I've been playing the new Call of Duty Black Ops III that was just released. In Call of Duty it says I have an open NAT. I'm attaching 4 screenshots from my OPNsense firewall.

Image of my Firewall:Nat:Outbound settings
Image of how I configured my Firewall:Nat:Outbound settings
Image of my UPNP settings
Image of my UPNP status page showing it's working

So to sum things up to get your PS4 working like a champ you need to make sure you have done the following:

In OPNsense give your PS4 a static IP address.
In OPNsense make sure to setup your PS4 outbound NAT settings to have static port mapping.
In OPNsense enable UPNP server with the settings I'm using. (obviously change the IP)

I'm not sure if I could have added port 80 and port 443 and the rest of the ports all on the same line under the UPNP server settings. If someone knows how to do that let me know.

In my opinion and experience so far, ports 80 and 443 are not needed for incoming traffic.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Was having issues downloading content from the PlayStation store when I was using m0n0wall. Had to forward port 80, otherwise I couldn't download or purchase from the store. Not sure about 443.

Thanks for the responses and great information.
PS4 reporting NAT2 seems absolutely fine with actual games, and they do seem to be opening the ports fine via UPnP (although Sony's actual test doesn't open the typical PSN ones like the PS3 does). I guess I was more thrown by the behavioural change between the two platforms, thus I was thinking something was wrong.

I didn't really need to do the latter, but out of (in)sanity I tested the following:

  • I've tried DMZ'ing the PS4 (UPnP disabled, reboots all around) as a test and it still reports NAT2
  • If I connect it and set up a PPPoE connection through it directly, then it reports NAT1 / Open NAT

I've put everything back using UPnP, DHCP reservation, Outbound NAT + static port; all OK.

Thanks for everyone helping out here. I'm marking this solved to help newbies find this solution quicker. Feel free to keep posting. :)

Better yet, I'll make this a sticky post.

I wanted to use this guide but the screenshots are broken links now. Anyone have them? Thank you

None of this seems to be working for me. I have a NAT rule with static port mapping and UPnP enabled, but my PS4 still shows as NAT Type 3 and no ports are opened in UPnP.

Tried everything.

Quote from: Tikimotel on September 23, 2015, 08:50:08 PM
I allow multicast (224.0.0.0/4 and 240.0.0.0/4) in my LAN firewall rules for LAN-net devices and set my consoles to a specific range of IPs.
(I also allow access to the UPnP (2189) and PMP (5351) ports via an alias I created for the whole LAN net; maybe redundant because of the defaults created by activating the UPnP service, but it doesn't hurt either.)

All my consoles are within CIDR 192.168.0.80/29.

So I create a Hybrid rule:
Hybrid Outbound NAT rule generation
(Automatic Outbound NAT + rules below)

With mappings for 192.168.0.80/29 set to static.

With the UPnP service I set my consoles to:
By default deny access to UPnP & NAT-PMP? active YES !!!! (important!!!)
User specified permissions 1: allow 88-65535 192.168.0.80/29 88-65535 (consoles, DHCP MAC assigned; UDP 88 is the lowest port for Xbox/Xbox One)
User specified permissions 2: allow 1024-65535 192.168.0.0/24 1024-65535 (other PCs and laptops, only 1024 and higher)

I have not got it to work fully with the guide above. I'm just getting my Xbox One to open up one port and it stays on strict. I wonder about the above post saying you can allow multicast (224.0.0.0/4 and 240.0.0.0/4).

How do I allow multicast (224.0.0.0/4 and 240.0.0.0/4)?

Regards
Jim