
UPnP - Multiple Xbox One Gaming Consoles & NAT

Discussion in 'Asuswrt-Merlin' started by BiggShooter, Oct 21, 2016.

  1. strangeluck (Occasional Visitor)
    I'm in the alpha ring, but it should trickle down to beta maybe next week and then the delta and omega rings following that. It's part of the Fall Creators' Update, which will be available to everyone in October.
     
  2. e38BimmerFN (Senior Member)
    OK, I didn't know there were multiple levels, LOL. Wow. OK, I'll look again and I presume it might be there next update. Can you post a picture of this new feature? Curious to see what it looks like, is all.
     
  3. strangeluck (Occasional Visitor)
    Took a bit more work than I expected getting screenshots off this device, but I think this gives you a good idea of the options available...

    [four screenshots not preserved]
     
  4. e38BimmerFN (Senior Member)
    Kewl. Thank you very much. Will be on the lookout for this. Will be very interesting to test with two consoles and two games when this arrives.
     
  5. Vexira (Very Senior Member)
    It is a bad thing: it affects your ability for matchmaking, and if it's not open you can't host games that are P2P.
     
  6. Vexira (Very Senior Member)
    I would rather have symmetric NAT than the one I have now; at least symmetric is secure, and with masquerade rules multiple consoles should work, or with the new Xbox One feature for choosing port numbers.
     
  7. Vexira (Very Senior Member)
    Just wondering, I wonder what the NAT reading is if I set the internal port range to one and set secure mode to no. Hmm, I wonder, just as a test, if it would give full cone.
     
  8. Vexira (Very Senior Member)
    I think the commands are missing something, that's why they're not working. What does this mean? Is there an accept command I forgot to set?
    "Using iptables, I set all policies to "ACCEPT" and I was able to setup two kinds of NAT"

    Also I found this, supposed to be for symmetric NAT:
    https://www.larrysalibra.com/symmetric-cone-nat-using-linux-iptables/

    eth1 = public IP
    eth0 = LAN IP

    Code:
    echo "1" > /proc/sys/net/ipv4/ip_forward
    /sbin/iptables --flush
    /sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE --random
    /sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    /sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT


    From what I've read here
    https://lists.gt.net/iptables/user/66147
    you can set up symmetric NAT as follows:

    Code:
    iptables -t nat -A POSTROUTING -p udp -s x.x.x.x --sport aaaa -d y.y.y.y --dport bbbb -j SNAT --to-source z.z.z.z
    iptables -t nat -A POSTROUTING -p udp -s x.x.x.x --sport aaaa -d 0.0.0.0 --dport bbbb -j MASQUERADE

    So in theory it can be done with iptables; I'm not sure if NAT helper modules have a hand in it.
    Though in the lists.gt.net link one poster said:
    "> AFAIK, you cannot do "restricted cone NAT" nor "port restricted cone NAT" with the stock Netfilter/iptables. It would require dedicated conntrack and NAT helper modules.

    At least with the version of iptables I have (1.3.0), I can implement "Port Restricted Cone NAT" with just one rule and I can implement a "hardcoded" "Restricted Cone NAT" (I say it's hardcoded because it only works for one host behind NAT)."
     
    Last edited: Aug 12, 2017
  9. FreshJR (Regular Contributor)
    Default UPnP on this router gets you NAT2/moderate. This is what it is supposed to be. What is the issue?

    To become NAT2 it uses UPnP to automatically port forward the ports it needs.
    In the old old days, by default you would be on NAT3 unless you forwarded ports manually. Now this happens automatically.

    Apparently sometimes it glitches console side, by not redoing UPnP when waking from sleep, getting you stuck in NAT3/restricted. You do not want to be in NAT3/restricted mode. NAT3 means that you will deny any incoming connections unless you are first to contact the incoming party. The solution is easy. Disable standby, it's a waste of power, or wait for a fix from the console manufacturer.

    Why are you trying to force NAT1/open? The behavior should be identical to NAT2.
    To achieve NAT1/open you can put the console behind the DMZ, but what is wrong with nice UPnP forwarding, assuming it doesn't glitch? Logically, why would you want a device that is always exposed to the internet instead of being exposed only when it requests exposure?

    TLDR

    NAT1/open - all ports always exposed, unnecessary security risk
    NAT2/moderate - ports exposed at request, identical function as NAT1 without its drawbacks. NAT2 should NOT yield fewer connections compared to NAT1
    NAT3/restricted - Barely working, network functions limited due to many rejected incoming connections

    The open in NAT1/open is the console letting you know that traffic on ports was already open before it requested any port to be forwarded. To it, it thinks no NAT translation is occurring since the console saw everything was fully exposed before any port open request was performed. Aka behavior exhibited when not using a router or NAT at all. This means there's a 1:1 map with all public WAN ports pointing to the console. This is called NAT1, but it isn't necessarily superior to NAT2. NAT2 achieves the same EXACT behavior, but the console has to first request the ports it needs.

    The only cause for concern is NAT3.
     
    Last edited: Aug 12, 2017
  10. Vexira (Very Senior Member)
    Type one is not a security risk; it allows you to host games, and no, it does not just open ports randomly. Type one means when it asks for a port it receives it. You need open NAT for better matchmaking and for hosting a lobby. If you actually read the console guides on open NAT, any NAT type other than open will cause issues; it's as if the port is open in only one direction rather than both, or the port number it's requesting is already in use and the router didn't give it the port that it requested, or translated the original port on the internal side to an appropriate external port number. In the case of Xbox, Microsoft guides always state that open NAT is the most optimal situation; anything else will cause issues with chat and matchmaking, also parties. I don't own a PlayStation console so I'm not that familiar with the interface nor the network system. I have been reading into it, so from my understanding type 2 = moderate NAT, type 1 = open; keep in mind I could be wrong.
    I can see that you have very little understanding about NAT and how it affects games and consoles.

    So in short:
    Type 1 = open NAT, everything will work perfectly, intended situation, can connect to everybody
    Type 2 = can't host games, can only connect to moderate or open, port number issue needs manual port forwarding, will be a pain when matchmaking

    Type 3 = can't find matches, can only connect to open, there's a serious problem, possibly firewall or router.
     
  11. FreshJR (Regular Contributor)
    No, type2 means it's a successfully forwarded port. A FORWARDED port means traffic freely flows in both directions. This includes incoming traffic that was uninitiated by you, like a regular port forward. In a port forward, all incoming traffic on that forwarded port will be destined to that forwarded client. Traffic flows in both directions and is never dropped.

    Type3 means traffic flows freely in one direction, with any unsolicited incoming traffic dropped. This is not port forwarded behavior, but rather what occurs every time a router does its NAT translation. This is not a network problem but just typical expected closed port behavior.

    So there you have it, it's either forwarded or it's not, SIMPLE.

    So what is NAT1 you may ask? It means that the console received incoming traffic on ports that it didn't yet request to have forwarded. This traffic was tested before the forward was initiated. If this traffic still reached the client, instead of being dropped (typically any NAT would drop these packets), then the console assumes that NAT is not being forwarded or is already OPEN/pointing to the console without any forward requests. Once again, the console then assumes that no Network Address Translation is taking place since traffic is reaching the client without requested forwards, which is non-typical or OPEN/NAT1 behavior. This is the exact behavior that would happen if it WASN'T behind a router, aka fully open throughout the entire port range, no forwarding required.

    If you want this fully open behavior, then it is still possible to achieve this while behind a router. You would have to forward all the ports to your console, which is exactly what the DMZ does. Now the console won't have to request ports since all of them already point to it, so you have NAT1 behavior. This behavior will be performed at the expense of all your other clients. Other clients won't be able to request any ports since none will be free.

    Otherwise, instead of forwarding all ports with DMZ, you can permanently forward a limited range of ports to your console by using static port forwarding. This will make it so the console does not have to request the ports itself. It will act like NAT1 on predefined ports. This is a pseudo NAT1 since it's not open on the entire range.

    Now explain to me how a NAT1 system is better than NAT2? With NAT2, the console requests what it needs and it is granted if it's available. The grant is FULL two-way traffic. Gone are the days where you are stuck on NAT3 until you manually forward. The only way I see where NAT1 would be better is in the situation where the console is actually pushing traffic on ports that it DID NOT request to open. This is improper behavior on the console side, should be fixed console side, and should have never been exhibited in the first place. The only workaround is a static port forward for this occurrence, while it is patched.

    In the bigger picture you only have 1 PUBLIC IP, which is why you are doing NAT in the first place. Any incoming connection on a public WAN port has to be forwarded to a single device or dropped. Port forwards do NOT drop any incoming questions. Non-port-forward traffic is typically dropped if not initiated/triggered by the client, in accordance with the 4 types discussed (Cone, Symmetric, etc.). In reality, you CANNOT have two consoles be NAT1. The text is arbitrary.

    **IPv6 changes this entire scenario**
    With IPv6 it is not needed to perform NAT due to the increased public address pool.
    With IPv6 you no longer have 1 public IP, but enough that each device can receive a public IP.
    Since all ports per IP point only to that one device, no NATting is necessary.
     
    Last edited: Aug 12, 2017
  12. ColinTaylor (Part of the Furniture)
    You guys should stop throwing commands at the router without any understanding of what they do or how they interact with what is already there. :rolleyes:

    That said, amongst all the rubbish that's been posted there was this little gem (-j MASQUERADE --random) which might help you with your obsession with Symmetric NAT. :D [This assumes you do not have a 6in4 tunnel enabled]

    Code:
    iptables -t nat -D POSTROUTING ! -s $(nvram get wan0_ipaddr) -o $(nvram get wan0_ifname) -j MASQUERADE
    iptables -t nat -A POSTROUTING ! -s $(nvram get wan0_ipaddr) -o $(nvram get wan0_ifname) -j MASQUERADE --random
     
    Last edited: Aug 12, 2017
  13. FreshJR (Regular Contributor)
    Okay, so I read up on the issue since I was feeling a little out of the conversation.

    I used this video to concisely and simply explain

    -full cone nat
    -restricted cone
    -port restricted cone

    All three of these cone NATs are the SAME principle, just the latter two have a way tighter grip in regards to security behavior for new incoming connections that are originating from different servers or even different source ports from the same server. That different behavior is more dropped connections (NAT3 in console speak).

    My interpretation of a full cone NAT is that it behaves EXACTLY like I would expect a static port forward to behave. Aka, all unsolicited incoming traffic to that port will be accepted/forwarded to the defined device only AFTER any connection is initiated on that port (so NAT3 that turns to NAT2 after any connection). This behavior happens WITHOUT port forwards being explicitly opened, but only after the console first establishes a connection on that port.

    My interpretation of "restricted port cone" is of (NAT3 on console) behavior. Aka only incoming connections are allowed from the established server ip/port combinations that were initiated by you and are in the NAT connection tracker. All others are blocked. This means that any unsolicited incoming connections on that port, that are not already established by you initiating, will get dropped. This is terrible for gaming or anything service-wise.

    Full cone vs restricted does NOT matter with correct port forwards. Those are correct behavior FULL TIME.

    Running the java NAT detector, it said my upnp ports are of "port restricted cone" type. Now this cannot be true when looking at the actual behavior of UPNP port forwards. **What it actually meant is that all NON port forwarded ports have "port restricted cone" behavior.**


    --- This is what needs clarification


    There is a BIG difference between the java test UPnP port mapping behavior and the UPnP forwards present from my PS4 and torrent client requests.

    The PS4 and torrent UPnP port forwards showed up listed permanently under the port forwarding section under the system log tab in the UI.

    The UPnP ports from the java test did not! This means the java test did NOT create port forwards. It just queried the ability to. All non-forwarded ports will exhibit the default NAT behavior that the router uses.

    So understand there are two different types of port mappings.

    There are temporary mappings; these do not use UPnP to perform a port forward. The java test performs this mapping. These temporary NAT mappings will exhibit NAT3-like behavior on our routers since we have a port restricted NAT.

    AND

    There are permanent mappings; these use UPnP to perform a port forward and show up in the webUI. These will exhibit NAT2-like behavior. These behave exactly as you would expect from any regular manually defined port forward. These definitely can be used for server hosting without limiting any connections.

    To confirm this behavior, I port scanned my WAN IP on a port that was forwarded by a torrent UPnP request. That port was OPEN and ACCESSIBLE to a random device (my phone) that scanned the port with no prior established connection.

    Do not get fixated on the semantics of NAT1, NAT2, or NAT3; just confirm actual behavior is what you would expect.

    TLDR:

    NAT3 = restricted cone NAT behavior. (This is present on our routers without port forwarding.)
    NAT2 = full cone NAT behavior; if NAT is "restricted cone" type then a port forward needs to be created to achieve NAT2 behavior. (This is present on our routers after a port forward is created, either UPnP or manually. Active port forwards will be listed in the webUI.)
    NAT1 = No NAT behavior or pseudo NAT behavior. Console did not need a UPnP port forward since traffic was already open.

    Either way, my experiments confirm that NAT2 is exhibited for ports when UPnP forwards the ports correctly. NAT2 status is the most ideal for hosting and completely equivalent to NAT1.

    Since we have port forwarding being performed, NAT types (full, restricted, symmetric) do NOT matter.

    The only time NAT1, and by lesser extension "full cone NAT", provides superior results is when/IF UPnP glitches and does not open ports that are in use and needed to be opened.

    The non-opening port behavior is incorrect behavior console side. You shouldn't want to introduce NAT1 or a "full cone NAT" due to a console bug. Find a fix for the bug or manually define port forwards.
     
    Last edited: Aug 12, 2017
    BiggShooter likes this.
  14. ColinTaylor (Part of the Furniture)
    Are you sure, or are you getting confused with the STUN test, which is something different?
     
  15. FreshJR (Regular Contributor)
    I'm speaking from actual first hand results.

    After I ran the java test, I did not see any UPnP port forwards present in the webUI.
    My torrent client DID open a UPnP port forward in the webUI. This opened UPnP port acts like a regular port forward (very similar to Full Cone NAT behavior, except I do not have to initiate any connection first with a port forward).

    In my test WAN:7575 was UPnP mapped to LANCLIENT:7575 and exhibited full regular port forward behavior <-- this is what matters to me

    This means that the UPnP forward will NOT drop any unsolicited incoming connections and instead route them to the LAN device that requested the forward. I can host any server on this port knowing that my device will receive all incoming connections on that port without any rejection.

    The NAT2/NAT1 name is arbitrary, my NAT2 behavior is the same as NAT1.

    How can there be more ideal behavior? What is the actual issue at hand besides people wanting to see NAT1 arbitrary text on their screens?

    I can safely say that I trust in being able to
    -reboot my pc
    -reboot my router
    -open my torrent client, so it initiates the UPnP port open
    -close my torrent client
    -host a counter strike server on the same port the torrent client requested
    -give you my WANIP+PORT
    -you and everyone else will be able to connect.

    Everything works as intended.

    ---

    If you are talking about what the NAT behavior is for non-forwarded ports, I really don't care; I would hope it is very restrictive since, to me, if it is not forwarded then it is unsolicited incoming traffic.
    Doesn't the STUN test tell you the typical NAT behavior experienced with non-forwarded ports?
     
    Last edited: Aug 12, 2017
  16. e38BimmerFN (Senior Member)
    From my testing yesterday on an ASUS GT5300 and BiggShooter testing his RT-AC5300: the GT has OEM FW, and Port Address Restricted Cone NAT was reported on both the GT and BiggShooter's RT-AC5300 loaded with 3rd party Merlin FW. All of my testing was with just a wired PC connected to the router and the router connected directly behind the ISP modem. ALL other devices were disconnected, including wireless.
     
  17. e38BimmerFN (Senior Member)
    Are we referring to Sony's NAT or MS NAT naming conventions? Sony and MS differ on this, as I presume everyone is aware.
     
  18. ColinTaylor (Part of the Furniture)
    Well you actually said "this java NAT detector and it said" which is why I queried it.

    Yes I noticed that as well. So I turned on debugging in miniupnpd and can see that the Java test does not do any port mapping it just queries the miniupnpd daemon for some basic information. (So not much of a test really)

    Indeed, and the mapping can be controlled by the application which is why it's always better to use UPnP when possible.

    Yes.
     
    Last edited: Aug 12, 2017
  19. FreshJR (Regular Contributor)
    In my posts I used them interchangeably.

    Open (Xbox) = Nat1 (Sony)
    Moderate (Xbox) = Nat2 (Sony)
    Restricted (Xbox) = Nat3 (Sony)

    @Vexira, let me clarify this.

    Type1 - CORRECT, but this setup has drawbacks for other devices on the router. Only 1 device can really be Type1.
    We can later return to the pseudo type1 due to the iptables commands.

    Type2 - Partially Incorrect
    Type2 due to a proper UPnP port forward means you CAN host a game/server and accept ALL incoming connections. A manual port forward should not be necessary since the device is supposed to request a UPnP mapping and perform it automatically. If this does not happen it's a problem with the software/device code!

    Type2 due to "Full Cone NAT" should really be called type 2.5. It temporarily restricts incoming connections until you initiate at least one connection on that port. After your initiated connection, that connection's port will be in the router's connection tracker and behave like a port forward. This is a "pseudo-port forward" behavior without the use of UPnP. You shouldn't rely on this behavior and decrease your security with a "Full Cone NAT" just because your device is not handling UPnP properly. Fix the UPnP issue or create a manual entry!

    Type3 - Your type2 description should actually be a type3 description. You cannot host games since you will miss out on connections. You should figure out why a UPnP port was not created/working. It's NOT a serious problem, it is just typical secure "restricted NAT" behavior since no port forwards are present. Fix UPnP again.

    Bottom line, if UPnP is working then the router's NAT implementation is irrelevant to server performance. I would prefer to have a more secure NAT implementation vs a loose NAT to mask UPnP issues.

    Loose NAT security is a duct tape fix. Multi-million-dollar game companies should figure out how to use UPnP.
     
    Last edited: Aug 12, 2017
    BiggShooter likes this.
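The four NAT behaviours FreshJR contrasts in posts 13 and 19 (full cone, restricted cone, port restricted cone, symmetric) and his central claim, that an explicit UPnP or manual forward makes the NAT type irrelevant while full cone alone gives the "type 2.5" pseudo-forward, as an added simulation that is not code from the thread or from any router firmware; the console, server and peer addresses and the console port 3074 are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int

KINDS = ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric")
CONSOLE = Endpoint("192.168.1.50", 3074)   # constructed LAN address of the console

class ToyNat:
    """Single-public-IP NAT: tracks outbound flows and explicit (UPnP/manual) forwards."""
    def __init__(self, kind):
        assert kind in KINDS
        self.kind = kind
        self.next_port = 40000
        self.table = {}     # mapping key -> public port
        self.peers = {}     # public port -> (internal Endpoint, set of remotes contacted)
        self.forwards = {}  # public port -> internal Endpoint (what UPnP or a manual rule adds)

    def add_forward(self, public_port, internal):
        self.forwards[public_port] = internal

    def outbound(self, internal, remote):
        """Internal host sends to remote; returns the public port the packet leaves on."""
        # Symmetric NAT keys the mapping on the destination too (new public port per remote);
        # the cone variants reuse one public port per internal socket.
        key = (internal, remote) if self.kind == "symmetric" else internal
        if key not in self.table:
            self.table[key] = self.next_port
            self.peers[self.next_port] = (internal, set())
            self.next_port += 1
        pub = self.table[key]
        self.peers[pub][1].add(remote)
        return pub

    def inbound(self, remote, public_port):
        """Packet from remote to public_port: the internal Endpoint it reaches, or None if dropped."""
        if public_port in self.forwards:       # a forward accepts everything, whatever the NAT type
            return self.forwards[public_port]
        if public_port not in self.peers:      # no flow ever went out on this port
            return None
        internal, contacted = self.peers[public_port]
        if self.kind == "full_cone":           # any host may use the mapping once it exists
            return internal
        if self.kind == "restricted_cone":     # same remote IP, any remote port
            return internal if any(r.ip == remote.ip for r in contacted) else None
        # port_restricted_cone and symmetric: the exact ip:port must have been contacted first
        return internal if remote in contacted else None

def stun_style_probe(kind):
    """What a STUN-style detector reports for an un-forwarded port (constructed server addresses)."""
    nat = ToyNat(kind)
    srv_a, srv_b = Endpoint("198.51.100.10", 3478), Endpoint("198.51.100.20", 3478)
    pub_a, pub_b = nat.outbound(CONSOLE, srv_a), nat.outbound(CONSOLE, srv_b)
    if pub_a != pub_b:                                        # new public port per destination
        return "symmetric"
    if nat.inbound(Endpoint("198.51.100.99", 5000), pub_a):    # never-contacted host gets through
        return "full_cone"
    if nat.inbound(Endpoint(srv_a.ip, 9999), pub_a):          # known host, new source port
        return "restricted_cone"
    return "port_restricted_cone"

def unsolicited_reaches_console(kind, with_forward):
    """Does a never-contacted peer reach the console? True for every kind once a forward exists."""
    nat = ToyNat(kind)
    if with_forward:
        nat.add_forward(3074, CONSOLE)          # UPnP mapping or manual port forward
        pub = 3074
    else:
        # No forward: the console first talks to a game server, which creates a dynamic mapping.
        pub = nat.outbound(CONSOLE, Endpoint("198.51.100.10", 3074))
    stranger = Endpoint("203.0.113.77", 61000)  # constructed peer that was never contacted
    return nat.inbound(stranger, pub) == CONSOLE
```

Calling `unsolicited_reaches_console` for each kind in `KINDS` shows that without a forward only `full_cone` lets the stranger in, and with a forward every kind does.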
  20. Vexira (Very Senior Member)
    My point is that if type 2 is equivalent to moderate NAT, there will be issues. I don't understand why Sony doesn't use the standard convention for naming NAT status; it's confusing. They need to clarify exactly what they mean; it's almost like they are writing two ways of saying open NAT, one is equivalent to DMZ, the other is just a UPnP opening.
    You should be able to achieve type 1 NAT via UPnP, since all it means is that the port was forwarded successfully, or should, since on Xbox One I get open NAT and I also get open NAT on my Xbox 360 with both of them on. This leads me to believe that the console has an issue with the accuracy of reading NAT type correctly; even though the console should read type one it's reading as type 2 because of a bug in the net code.

    The only games where NAT will have an issue are the peer-to-peer games like Call of Duty; this would not be an issue if they had dedicated servers. Also consoles are affected by it as well: NAT issues can cause problems with party chat and other things.

    I personally would prefer a hybrid solution. I want to see an implementation that's both secure and allows everything to work as it should.

    Most importantly, regardless of NAT implementation, if the port has been forwarded correctly the NAT reading should be open regardless. From my research symmetric NAT is the most secure, hence why I wouldn't mind using it. I understand where you're coming from about security, but if you're that paranoid you might as well disable UPnP altogether.


    Also read this
    http://support.xbox.com/en-AU/xbox-one/networking/nat-error-solution
     
    Last edited: Aug 13, 2017