Post by jrronimo on Nov 19, 2015 23:42:03 GMT
Hey Lee, have you thought about something like uPNP or NAT-PMP support?
I know it's a bit scary since it lets devices control port forwards rather than an administrator, but for a 'home' user, it can be helpful. I ran into trouble with some games on Xbox One / PS4 recently and had to set up like 6-10 different rules and assign those devices static IPs to get around it.
Post by Lee Sharp on Nov 20, 2015 18:31:41 GMT
> Hey Lee, have you thought about something like uPNP or NAT-PMP support?

Yes, and it has been discussed at length for YEARS. And the result is "Oh, Heck no!"

In all seriousness, there are several problems with implementing something like this. First, the security aspects of it are just too much to overcome. There is no way to secure a router with these things enabled. Your first bit of malware will take down your network. Also, there is no way to stop bittorrent, which is a problem for both business and shared home users. But even if we tried to add it as an optional extra, it would be hard to work around the traffic shaping tools, which are even more important to most gamers.

That all said, I would love to come up with something. I would love to have a NAT wizard or template for XBox, or PS4, or whatever. But right now there are other needs taking all of the time the developers have. (I keep trying to update ez-ip update, and still haven't finished!) But if you want to take a pass at it... It could even just be a guide on the website in how to set up the NAT rules for different things. Fame and fortune could be yours! (Well, fame anyway...)
Post by jrronimo on Nov 21, 2015 0:16:37 GMT
Haha, cool! I may just do that -- the write-up, at least. Wouldn't be too hard... I'll have to brush up on the NAT and Firewall manual to be sure I haven't screwed up entirely, haha.
I figured that would probably be the answer, but I wasn't sure. Totally makes sense, and I agree with it. Just had to ask. Cheers!
Post by watercooled on Dec 13, 2015 0:14:29 GMT
Disabling port remapping for the device in question seems to work quite well in achieving 'open' NAT on the consoles for the most part. And I think forwarding port 3074 is helpful for at least the Xbox 360. But of course that doesn't help much if you have multiple consoles on the same router - as far as I'm aware there's no way to achieve open NAT on two Xbox 360 consoles without uPnP, but I've never tried it myself. If port 3074 is unusable (i.e. used by the other console), I think the process is to dynamically choose another port and forward it with uPnP.
However I've found PC gaming is much more of a pain in terms of port forwarding and there are a couple of games I've never managed to achieve 'open' NAT on without uPnP despite wasting hours on uselessly trying the stupidly-large port ranges recommended in their FAQ pages (as I ranted about in the other thread).
IMHO a 'good' compromise, at least from an end-user's perspective, is being able to allow uPnP to only certain devices. I of course understand that doesn't fix the seemingly unfixable security mess, but with some hardening rules it could be made such that NAT and firewall entries can only be made/altered for the device in question. I'm not sure if that's what's currently done on pfSense?
Also I'm not sure how much bloat uPnP would add to the image? I'm a big fan of keeping it as minimal as possible. Maybe keep the uPnP in a separate image?
Post by Lee Sharp on Dec 13, 2015 3:15:36 GMT
What I think would be the best solution is to have a UPnP wrapper on the PC or another device to monitor what the client is trying to do, and allow you to manually set it on the firewall if you choose. Of course, writing better code in the first place so it was not needed would be the best solution, if also the least likely.

That said, if someone wants to play with UPnP on SmallWall, and it is transparent and disable-able, I will do what I can to support you.
Post by jrronimo on Mar 26, 2017 19:28:21 GMT
Unfortunately, Nintendo (at least) is unwilling to write better code. I have a Nintendo Switch, and tried to play in the server test for Splatoon 2 yesterday and Friday. I was unable to connect to a game, with the system telling me it was a NAT problem. Not even a joke, in absence of UPNP, Nintendo advises users to forward UDP ports 1 - 65535 to their console!

en-americas-support.nintendo.com/app/answers/detail/a_id/651/~/how-to-set-up-port-forwarding

This is absurd! Worse, it didn't work. I think what led me to make this thread in the first place was Splatoon 1 on Wii U, but that was sort of fixed once I told SmallWall not to remap outbound ports... but that didn't work for Splatoon 2 / Switch. I watched firewall logs and ended up forwarding ports 30000-65535, but still was unable to connect. It seems to also hit port 137, but that might be something else. Sadly, I don't see this situation changing anytime soon, and only getting worse.

I don't know if I know enough to add something like this to SmallWall, but maybe I can figure it out. I imagine a checkbox to enable UPNP/NAT-PMP in the first place, and then maybe a list of MAC addresses that are allowed to do it...? I'll start looking into it when I can find some free time.
Post by Lee Sharp on Mar 26, 2017 19:53:16 GMT
That is just unbelievable! But then again, I have done PCI compliance gigs, and so I know that security is a joke, even to people who have it as the focus of their job!
As a test, you probably need TCP, UDP and ICMP because I bet it pings back...
Post by jrronimo on Mar 27, 2017 2:29:13 GMT
Quick question:
When the "avoid port remapping" option is set for a specific IP, what should it look like in the log?
I see, as an example: Green arrow, time, If (WAN), Source (200.125.105.105, port 59609), Destination (192.168.1.92 [static IP of my Wii U], port 33858), Proto (UDP)
-- should the Source and Destination ports match? I'm on the 1.8.4b11 build.
Post by Lee Sharp on Mar 27, 2017 2:46:30 GMT
I have never done it for a single IP. I have only done it for the entire network... But no, source and destination never match. I guess they "could" but I have never seen it.
Post by jrronimo on Mar 27, 2017 3:13:23 GMT
Well, that's good, at least. Just checking my assumptions before I go crazy trying to figure this out. As it stands, Splatoon on Wii U can't connect to another game. There's no definitive "list" of ports, since it just uses whatever it darn well pleases... I'm not sure what to do to get it working. I've tried making a firewall rule that says "source = Wii U IP, proto & destination = any: allow", but I still see things getting blocked in the log with the source IP that should be "allowing all". I feel like I'm missing something...

Edit:// Weirder: I put the rule under the WAN interface, but that doesn't make sense since packets coming from my LAN won't be coming from my WAN Interface. What is weird, though, is that the firewall is logging blocked packets from LAN as the source. The destination is TCP port 443... why would outbound 443 be blocked by the firewall? The only LAN interface rule is to allow everything.
Post by jrronimo on Mar 27, 2017 4:18:26 GMT
Further weirdness: I found that I had posted a different thread largely about this game (sorry), and it seems that rebooting after setting up the "avoid remapping" setting helped: smallwall.freeforums.net/thread/92/dmz-help ...but I still can't seem to get the game to connect. :/ I really don't understand what's up...
Post by jrronimo on Mar 27, 2017 5:29:03 GMT
Got it. I didn't realize that the "Enable Advanced Outbound NAT" box had to be checked for the static outbound NAT settings to take effect. Eesh, that was frustrating... Credit where credit's due: I found it on an old m0n0wall post: m0n0.ch/wall/list/showmsg.php?id=353/15

I set a static mapping to be [Wii U IP]/32 with the "avoid remapping" option set, but then the Wii U was the only device with Internet. Thinking back to Lee's comment earlier about only doing it for whole networks, I changed the setting to 192.168.1.0/24 with "avoid remapping", and all devices are happy.

Sooooo.... what are the implications of my whole network "avoiding remapping"? Is there a way to say "Devices 1, 2, and 3 should avoid remapping, but any other device can"?
Post by Lee Sharp on Mar 27, 2017 14:41:01 GMT
Yes... But...

Let me start with source port randomization. It helps fight DNS cache poisoning. (And a few other security issues) Of course if you have SmallWall act as DNS, that part is a non-issue. en.wikipedia.org/wiki/DNS_spoofing#Prevention_and_mitigation

Now, to remap some but not all, you have to subnet. If you only want to not remap one address, you have to subnet a lot. Because you will have to have a rule covering every IP, so a /25, a /26, a /27, a /28, a /29, a /30, a /31, and two /32 networks with one being not remapped. Frankly, I just do not remap and do not worry about it.
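A worked version of the subnetting Lee describes, as an added example that is not from the thread or from SmallWall: given the LAN /24 and the one host that should keep its source ports, it computes the non-overlapping blocks that cover every other address (the /25 through /31 plus the neighbouring /32) and lists the resulting outbound NAT entries. The rule dictionaries and the `static_port` field name are illustrative placeholders, not SmallWall's configuration format.

```python
import ipaddress


def split_around_host(network, host):
    """Split `network` into the /32 for `host` plus the non-overlapping
    blocks that cover every other address in it.

    Each step halves the current block: the half that does not contain
    the host becomes a rule of its own, the other half is halved again,
    until only the host's /32 remains. A /24 therefore yields one block
    of each size from /25 down to /32, plus the host itself."""
    net = ipaddress.ip_network(network)
    tgt = ipaddress.ip_network(host)          # a bare address becomes a /32
    if not tgt.subnet_of(net):
        raise ValueError(f"{host} is not inside {network}")
    covering = []
    cur = net
    while cur.prefixlen < tgt.prefixlen:
        low, high = cur.subnets(prefixlen_diff=1)
        if tgt.subnet_of(low):
            covering.append(high)
            cur = low
        else:
            covering.append(low)
            cur = high
    return sorted(covering), cur


def outbound_nat_rules(network, host, interface="WAN"):
    """Illustrative rule list (hypothetical field names): the host's /32
    keeps its source ports (static_port=True) and every other block is
    remapped as usual. The blocks never overlap, so their order in the
    outbound NAT table does not matter."""
    covering, tgt = split_around_host(network, host)
    rules = [{"interface": interface, "source": str(tgt), "static_port": True}]
    for block in covering:
        rules.append({"interface": interface, "source": str(block), "static_port": False})
    return rules


if __name__ == "__main__":
    # Constructed sample: the Wii U at 192.168.1.92 inside 192.168.1.0/24.
    for rule in outbound_nat_rules("192.168.1.0/24", "192.168.1.92"):
        print(rule)
```

For the thread's case this produces nine entries, matching Lee's count; excluding two or three hosts multiplies the table accordingly, which is why he settles for not remapping the whole network.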
Post by jrronimo on Mar 27, 2017 19:18:53 GMT
Ahhh, gotchya... okay, yeah, I'll just not remap for the whole network. Thanks for the insight!
Post by Lee Sharp on Mar 27, 2017 19:27:08 GMT
No trouble, and glad to get it working for you!