UPnP - Multiple Xbox One Gaming Consoles & NAT


Vexira

Part of the Furniture
Are we referring to Sony's NAT or MS's NAT naming conventions? Sony and MS differ on this, as I presume everyone is aware.
Sony, they're confusing as hell. Microsoft has a simple naming convention: Open is the best, UPnP worked, everything is perfect. But Sony, no, they have to be cryptic.
 

Vexira

Part of the Furniture
You guys should stop throwing commands at the router without any understanding of what they do or how they interact with what is already there. :rolleyes:

That said, amongst all the rubbish that's been posted there was this little gem (-j MASQUERADE --random) which might help you with your obsession with Symmetric NAT. :D [This assumes you do not have a 6in4 tunnel enabled]

Code:
# Delete the stock MASQUERADE rule for the WAN interface, then re-add it with --random
# so each new outbound flow gets a randomised source port (address-dependent, symmetric-style mapping)
iptables -t nat -D POSTROUTING ! -s $(nvram get wan0_ipaddr) -o $(nvram get wan0_ifname) -j MASQUERADE
iptables -t nat -A POSTROUTING ! -s $(nvram get wan0_ipaddr) -o $(nvram get wan0_ifname) -j MASQUERADE --random
I don't have a tunnel for IPv4 to 6. Also, symmetric is the most secure NAT from my research; it should relax anyone who's worried about security and silence their concerns. If something has an issue, just add a masquerade rule like the guys did on the miniupnp forums to fix multiple consoles' NAT errors. Also, thanks for the commands.
But it doesn't seem to work either; seems like I'd have to put this in a script and reboot the router with it in order to get it to function correctly.
 

Vexira

Part of the Furniture
I'm speaking from actual first-hand results.

After I ran the Java test, I did not see any UPnP port forwards present in the webUI.
My torrent client DID open a UPnP port forward in the webUI. This opened UPnP port acts like a regular port forward (very similar to Full Cone NAT behavior, except I do not have to initiate any connection first with a port forward).

In my test, WAN:7575 was UPnP-mapped to LANCLIENT:7575 and exhibited full regular port forward behavior <-- this is what matters to me

This means that the UPnP forward will NOT drop any unsolicited incoming connections and will instead route them to the LAN device that requested the forward. I can host any server on this port knowing that my device will receive all incoming connections on that port without any rejection.

The NAT2/NAT1 name is arbitrary, my NAT2 behavior is the same as NAT1.

How can there be more ideal behavior? What is the actual issue at hand besides people wanting to see NAT1 arbitrary text on their screens?

I can safely say that I trust in being able to
-reboot my pc
-reboot my router
-open my torrent client, so it initiates the UPnP port open
-close my torrent client
-host a counter strike server on the same port the torrent client requested
-give you my WANIP+PORT
-you and everyone else will be able to connect.

Everything works as intended.

---

If you are talking about what the NAT behavior is for non-forwarded ports, I really don't care; I would hope it is very restrictive, since to me if it is not forwarded then it is unsolicited incoming traffic.
Doesn't the STUN test tell you the typical NAT behavior experienced with non-forwarded ports?
Speaking of port forwards not appearing in UPnP, I seem to have that issue with Battleborn on PC: it throws up Moderate NAT but no ports are present in UPnP, which is odd.
 

sm00thpapa

Very Senior Member
What I don't understand is that on an Xbox One with Moderate NAT I have issues joining people and talking, but on the PS4 with a Type 2 NAT, which is the best I can get, I have no issues at all while gaming. And this, coming from Sony: if you are using a router connected to a modem you will always get a Type 2 NAT, which in 99% of cases will give you no issues. Now they say that plugging into a modem directly is the only way to get a Type 1 NAT. I am going to have to test this and see what NAT type I get.
 

Vexira

Part of the Furniture
What I don't understand is that on an Xbox One with Moderate NAT I have issues joining people and talking, but on the PS4 with a Type 2 NAT, which is the best I can get, I have no issues at all while gaming. And this, coming from Sony: if you are using a router connected to a modem you will always get a Type 2 NAT, which in 99% of cases will give you no issues. Now they say that plugging into a modem directly is the only way to get a Type 1 NAT. I am going to have to test this and see what NAT type I get.
That's confusing; Sony is not clear, it's not like they say Type 2 is Open NAT behind a router. Also, is your modem in bridge mode?
My Xbox gets Open NAT on both the One and 360 consoles. Sony is being confusing about their naming convention; it's not very clear.
Also, I believe that in the case of Xbox it's directly tied to whether or not the port was forwarded by UPnP, and I have a theory that it's also dependent on the port number the router allowed it to have on both the internal and external ranges. I noticed that before Merlin's masquerade rules, if the external port number was different from the internal I'd get Moderate NAT, and I also seem to not be in the right port range for game clients (this is in regards to Black Ops 3). I'm starting to think it's the same case with Xbox: if the internal and external ports don't match you'll have an issue, unless there's a masquerade rule in place to fix the port translation. Keep in mind this is just my speculation and experience.
I also believe that the PS4 might be incorrectly detecting NAT status, e.g. GTA V on PC reads Moderate NAT, yet on my old router it read Open NAT, which makes no sense since the port number is open on both external and internal but reads Moderate when it should read Open, like CoD does when the port has been forwarded by UPnP.
 

RMerlin

Asuswrt-Merlin dev
Loose NAT security is a duct tape fix. Multi-million dollar game companies should figure out how to use UPnP.
Precisely. It's not arcane science to ask through UPnP to forward a port, and then instruct remote clients to use that forwarded port. If a console OS or a game is broken, then it's the one that should be fixed.
 

Vexira

Part of the Furniture
Precisely. It's not arcane science to ask through UPnP to forward a port, and then instruct remote clients to use that forwarded port. If a console OS or a game is broken, then it's the one that should be fixed.
That's only one factor of the overall issue; the other factor is poor UPnP support in ISP routers, which a lot of people have. Also, is there any benefit to setting the UPnP external port to 1024 over the default of 1?
 

sm00thpapa

Very Senior Member
That's confusing; Sony is not clear, it's not like they say Type 2 is Open NAT behind a router. Also, is your modem in bridge mode?
My Xbox gets Open NAT on both the One and 360 consoles. Sony is being confusing about their naming convention; it's not very clear.
Also, I believe that in the case of Xbox it's directly tied to whether or not the port was forwarded by UPnP, and I have a theory that it's also dependent on the port number the router allowed it to have on both the internal and external ranges. I noticed that before Merlin's masquerade rules, if the external port number was different from the internal I'd get Moderate NAT, and I also seem to not be in the right port range for game clients (this is in regards to Black Ops 3). I'm starting to think it's the same case with Xbox: if the internal and external ports don't match you'll have an issue, unless there's a masquerade rule in place to fix the port translation. Keep in mind this is just my speculation and experience.
I also believe that the PS4 might be incorrectly detecting NAT status, e.g. GTA V on PC reads Moderate NAT, yet on my old router it read Open NAT, which makes no sense since the port number is open on both external and internal but reads Moderate when it should read Open, like CoD does when the port has been forwarded by UPnP.
I have my ISP's modem/router combo in bridge mode with the R7800 connected right now. UPNP is enabled.
 

Vexira

Part of the Furniture
No, Type 2 means it's a successfully forwarded port. A FORWARDED port means traffic freely flows in both directions. This includes incoming traffic that was not initiated by you, like a regular port forward. In a port forward, all incoming traffic on that forwarded port will be destined to that forwarded client. Traffic flows in both directions and is never dropped.

Type 3 means traffic flows freely in one direction, with any unsolicited incoming traffic dropped. This is not port-forwarded behavior, but rather what occurs every time a router does its NAT translation. This is not a network problem but just typical expected closed-port behavior.

So there you have it, it's either forwarded or it's not, SIMPLE.

So what is NAT1, you may ask? It means that the console received incoming traffic on ports that it didn't yet request to have forwarded. This traffic was tested before the forward was initiated. If this traffic still reached the client instead of being dropped (typically any NAT would drop these packets), then the console assumes that NAT is not being performed, or is already OPEN/pointing to the console without any forward requests. Once again, the console then assumes that no Network Address Translation is taking place, since traffic is reaching the client without requested forwards, which is non-typical or OPEN/NAT1 behavior. This is the exact behavior that would happen if it WASN'T behind a router, aka fully open throughout the entire port range, no forwarding required.

If you want this fully open behavior, it is still possible to achieve while behind a router. You would have to forward all the ports to your console, which is exactly what the DMZ does. Now the console won't have to request ports since all of them already point to it, so you have NAT1 behavior. This behavior will be performed at the expense of all your other clients. Other clients won't be able to request any ports since NONE will be free.

Otherwise, instead of forwarding all ports with DMZ, you can permanently forward a limited range of ports to your console by using static port forwarding. This will make it so the console does not have to request the ports itself. It will act like NAT1 on predefined ports. This is a pseudo-NAT1 since it's not open on the entire range.

Now explain to me how a NAT1 system is better than NAT2? With NAT2, the console requests what it needs and it is granted if it's available. The grant is FULL two-way traffic. Gone are the days where you are stuck on NAT3 until you manually forward. The only way I see where NAT1 would be better is in the situation where the console is actually pushing traffic on ports that it DID NOT request to open. This is improper behavior on the console side, should be fixed console side, and should have never been exhibited in the first place. The only workaround is a static port forward for this occurrence, while it is patched.


In the bigger picture you only have 1 PUBLIC IP, which is why you are doing NAT in the first place. Any incoming connection on a public WAN port has to be forwarded to a single device or dropped. Port forwards do NOT drop any incoming connections. Non-port-forward traffic is typically dropped if not initiated/triggered by the client, in accordance with the 4 types discussed (Cone, Symmetric, etc.). In reality, you CANNOT have two consoles be NAT1. The text is arbitrary.

**IPV6 changes this entire scenario**
With IPv6 it is not necessary to perform NAT due to the increased public address pool.
With IPv6 you no longer have 1 public IP, but enough that each device can receive a public IP.
Since all ports per IP point only to that one device, no NATting is necessary.
Actually, I beg to differ; it's not as simple as your understanding leads you to believe. Type 2 NAT, if it's the equivalent of Moderate, can indicate an issue with port translation. I've seen this behaviour in CoD Black Ops 3 on PC: if the game client gets 3074 internal > 3076 external without a masquerade rule for proper translation, you get Moderate NAT, therefore inducing connection issues.
Like I stated before, I have no DMZ or port forwarding rules, just pure UPnP with the masquerade rules Merlin set in place, and I get Open NAT on both my Steam copies of Black Ops 3, Infinite Warfare and Modern Warfare Remastered. I have never had any "security issues" with Open NAT. As Merlin stated before, if a rogue program wanted to exploit UPnP, it's already game over; my network is toast.
 
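Added example (editorial, not code from the thread, from miniupnpd or from Asuswrt-Merlin): a small Python model of the two things argued about above, the `-j MASQUERADE --random` rule posted earlier in the thread and the Type 1/2/3 explanation in this post. It models the router's dynamic MASQUERADE mapping (port-preserving by default, randomised with `--random`), a UPnP/static forward that makes a port "open", and the STUN-style probe a console runs: send from one socket to two servers, compare the reflexive ports, and check whether the external port still equals the internal one (the mismatch the thread links to "Moderate"). It also shows what happens when two consoles ask for the same external port. All IP addresses, ports and the "next free port on a clash" rule are constructed assumptions; a real IGD may reject the clash instead (UPnP error 718, ConflictInMappingEntry).

```python
"""Toy NAT model: default MASQUERADE vs --random vs a UPnP/static forward.
Added example; all addresses and ports are constructed sample values."""
import random


class ToyNat:
    def __init__(self, wan_ip, random_ports=False, seed=0):
        self.wan_ip = wan_ip
        self.random_ports = random_ports          # True models MASQUERADE --random
        self.rng = random.Random(seed)            # seeded so runs are reproducible
        self.forwards = {}   # ext_port -> (lan_ip, lan_port)   UPnP / static forward
        self.sessions = {}   # (lan_ip, lan_port, dst_ip, dst_port) -> ext_port

    def _in_use(self, ext_port, dst):
        """True if ext_port towards dst is already claimed by a forward or another flow."""
        if ext_port in self.forwards:
            return True
        return any(ext == ext_port and (k[2], k[3]) == dst
                   for k, ext in self.sessions.items())

    def add_forward(self, ext_port, lan_ip, lan_port):
        """UPnP AddPortMapping / static forward.  Assumption: on a clash the
        router hands out the next free port (a real IGD may answer error 718)."""
        while ext_port in self.forwards and self.forwards[ext_port] != (lan_ip, lan_port):
            ext_port += 1
        self.forwards[ext_port] = (lan_ip, lan_port)
        return ext_port

    def outbound(self, lan_ip, lan_port, dst_ip, dst_port):
        """Translate an outgoing packet and return the external port used."""
        for ext, client in self.forwards.items():
            if client == (lan_ip, lan_port):
                return ext                        # forwarded port is reused for every peer
        key = (lan_ip, lan_port, dst_ip, dst_port)
        if key not in self.sessions:
            dst = (dst_ip, dst_port)
            if not self.random_ports and not self._in_use(lan_port, dst):
                ext = lan_port                    # port-preserving mapping
            else:
                ext = self.rng.randint(1024, 65535)
                while self._in_use(ext, dst):
                    ext = self.rng.randint(1024, 65535)
            self.sessions[key] = ext
        return self.sessions[key]

    def inbound(self, src_ip, src_port, ext_port):
        """Deliver an incoming packet: the LAN endpoint, or None when dropped."""
        if ext_port in self.forwards:
            return self.forwards[ext_port]        # open port: never dropped
        for (lan_ip, lan_port, dip, dport), ext in self.sessions.items():
            if ext == ext_port and (dip, dport) == (src_ip, src_port):
                return (lan_ip, lan_port)         # reply to an existing flow
        return None                               # unsolicited: dropped


def probe(nat, lan_ip, lan_port, server_a, server_b):
    """STUN-style mapping test from one LAN socket towards two servers."""
    pa = nat.outbound(lan_ip, lan_port, *server_a)
    pb = nat.outbound(lan_ip, lan_port, *server_b)
    return {"endpoint_independent": pa == pb,     # same external port for both peers
            "port_preserved": pa == lan_port,     # external port equals internal port
            "external_ports": (pa, pb)}


def two_consoles_upnp(nat):
    """Two consoles both ask UPnP for external 3074 (constructed scenario)."""
    first = nat.add_forward(3074, "192.168.1.50", 3074)
    second = nat.add_forward(3074, "192.168.1.51", 3074)
    return first, second


if __name__ == "__main__":
    A, B = ("198.51.100.10", 3478), ("198.51.100.20", 3478)
    for label, nat in (("default MASQUERADE", ToyNat("203.0.113.7")),
                       ("MASQUERADE --random", ToyNat("203.0.113.7", random_ports=True))):
        r = probe(nat, "192.168.1.50", 3074, A, B)
        print(label, r, "unsolicited ->", nat.inbound("192.0.2.9", 5000, r["external_ports"][0]))
    nat = ToyNat("203.0.113.7")
    print("UPnP ports handed out:", two_consoles_upnp(nat),
          "unsolicited to 3074 ->", nat.inbound("192.0.2.9", 5000, 3074))
```

Running it shows the three cases side by side: with the default rule the probe reports the same, preserved port towards both servers yet an unsolicited packet to that port is still dropped (the post's "Type 3 / closed port" case); with `--random` the two servers see different random ports, so the console's internal and external ports no longer match; with a UPnP forward the unsolicited packet is delivered, and the second console that wants the same external port is handed a different one, which is the port-mismatch situation described earlier in the thread.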

Vexira

Part of the Furniture
I always get Open NAT with Secured checked.
Ah, I see they changed it; they must have fixed NAT filtering. My R8000, even with Open, got Moderate NAT after a firmware update, then it stopped loading web pages properly. Netgear replaced it, then I had the same issue with the replacement unit, so I returned them, got a refund and then got an 88U. That was the 3rd Netgear unit I had with NAT issues: I had a WNR1000v2 that used to give me Strict NAT, and a D6300 before that.
 

Vexira

Part of the Furniture
@FreshJR, I think I now understand what you mean about the PlayStation NAT type; disregard my previous ranting, this makes more sense to me. I think what you were trying to say was that NAT is still open behind Type 2 but the console is behind a private IP. Like I said, still confusing; I still wish they used the standard convention.

Type 1: PS4 is connected directly to the internet (public IP address / No NAT)
Type 2: PS4 is connected to a router (private IP address / NAT)
Type 3: Same as type 2, but due to firewall or other restrictions, you may have issues
https://www.reddit.com/r/PS4/comments/2bl9ec/why_cant_i_get_an_open_nat_type_1/
 

e38BimmerFN

Very Senior Member
Yes, I don't know why MS and Sony can't use the same kind of naming convention; it would be a bit easier for everyone. Sony has been like this since the beginning.

Sony, they're confusing as hell. Microsoft has a simple naming convention: Open is the best, UPnP worked, everything is perfect. But Sony, no, they have to be cryptic.
 

e38BimmerFN

Very Senior Member
Sony has been like this since the beginning with this naming convention. It's something different, and it's confusing.
For Sony, NAT 2 will always be behind a router that's connected to the ISP modem.

Test this out by connecting your game console directly to the ISP Modem.

What I don't understand is that on an Xbox One with Moderate NAT I have issues joining people and talking, but on the PS4 with a Type 2 NAT, which is the best I can get, I have no issues at all while gaming. And this, coming from Sony: if you are using a router connected to a modem you will always get a Type 2 NAT, which in 99% of cases will give you no issues. Now they say that plugging into a modem directly is the only way to get a Type 1 NAT. I am going to have to test this and see what NAT type I get.
 
