WatchGuard and Moderate NAT for consoles (Xbox, PlayStation, etc.)

Hi,

Does anyone know if it's possible to get Open NAT enabled for consoles through the Firebox? It's 'Moderate' by default and this can cause issues for online games.

We constantly have complaints about Moderate NAT and the lack of UPnP support.

Thanks

--
WatchGuard M4600 (x2 Cluster)
WatchGuard M640 (x2 Cluster)
Firmware : 12.8

Comments

  • UPnP is a security person's nightmare. I disable it everywhere I see it. WatchGuard should never support UPnP because it allows any internal device or software to open outbound ports at will, subverting egress filtering.

    If you have game consoles you need to let unrestricted, can't you just create a packet filter for them and assign IP addresses via DHCP or static on the consoles?

    Gregg Hill

  • edited November 2020

    I gave up! I ended up connecting all the consoles (and TV sets, Blu-ray players etc.) at home to their own VLAN with a packet filter of VLAN to Any-External. I spent nearly a whole year figuring out ports and valid IP addresses to use in policies, and still everything would come down in a heap - even on the TV. These devices are full of links to marketing and tracking sites that break a game (and the TV) if disconnected - a REAL nightmare.

    Adrian from Australia

  • I've got an equipment VLAN for the same reason.
    I also don't want these things directly connected to my trusted LAN either.

  • edited November 2020

    They are already assigned via DHCP and they are on their own VLAN, but that could be shared with 100 other devices, depending on what they want to plug in (it's in a hall of residence). How would a packet filter help? It would still be running through dynamic NAT, unless you are talking about a rule for each device with 1-to-1 NAT.

    --
    WatchGuard M4600 (x2 Cluster)
    WatchGuard M640 (x2 Cluster)
    Firmware : 12.8

  • @Greggmh123 said:
    UPnP is a security person's nightmare. I disable it everywhere I see it. WatchGuard should never support UPnP because it allows any internal device or software to open outbound ports at will, subverting egress filtering.

    If you have game consoles you need to let unrestricted, can't you just create a packet filter for them and assign IP addresses via DHCP or static on the consoles?

    I agree, I wouldn't turn on UPnP, even if it was supported.

    --
    WatchGuard M4600 (x2 Cluster)
    WatchGuard M640 (x2 Cluster)
    Firmware : 12.8

  • If the connections are outgoing ones, then Dynamic NAT isn't an issue.

    If you have some outgoing ports closed, then you could set up an Any packet filter for that device's IP addr, which would allow unrestricted outgoing access.
    And you can set up a DHCP reservation, so that you know the IP addr of that device, and use it in the packet filter policy.

    All devices are registered and reserved and we don't block outbound ports for these devices. So that isn't the issue. I've been through many threads on various sites and the consensus seems to be that WatchGuard just won't do Open NAT. I'm not sure what process the Xbox uses to detect the kind of NAT it's going through...

    --
    WatchGuard M4600 (x2 Cluster)
    WatchGuard M640 (x2 Cluster)
    Firmware : 12.8

  • If the Xbox app is using TCP port 80, then an HTTP proxy could be causing issues, stripping content etc. - so a packet filter for this port might help.

  • I have seen a few comments indicating that if there are 2 Xbox units behind a router, one needs to change port 3074 (UDP and TCP) to a different port for both to work at the same time.
    With XTM Dynamic NAT, I would not consider this to be an issue, as XTM can support multiple internal devices using the same outgoing port.

    I have not seen any posts which indicate how Xbox identifies NAT = Open, Moderate or Strict.
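The two points raised in the reply above (several consoles all sending from port 3074 behind one dynamic-NAT firewall, and how a console might judge its NAT type from outside) can be made concrete with a small NAPT model. The following Python is an added example for this thread; it is not code from the original post, from WatchGuard, or from the Xbox. It uses the RFC 4787 terms for mapping and filtering behaviour (endpoint-independent, address-dependent, address-and-port-dependent). The Open/Moderate/Strict labels it prints are the commonly cited console interpretation of those behaviours (full cone, restricted cone, symmetric) and are an assumption here, since nobody in the thread has confirmed how the Xbox actually measures NAT type. All addresses, ports and probe servers are constructed for the demo.

```python
"""Toy NAPT model in RFC 4787 terms: (a) two consoles both using source port 3074
behind one dynamic-NAT firewall, (b) what a STUN-style probe sees from outside.
Added example, not WatchGuard code. Addresses and probe servers are constructed."""
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

# RFC 4787 mapping / filtering behaviours
EI = "endpoint-independent"
AD = "address-dependent"
APD = "address-and-port-dependent"


@dataclass
class Napt:
    public_ip: str
    mapping: str = EI      # when the NAT reuses an existing public port for a host
    filtering: str = EI    # which inbound packets it lets through a mapping
    _ports: count = field(default_factory=lambda: count(40000))
    _map: Dict[tuple, int] = field(default_factory=dict)   # mapping key -> public port
    _bind: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = field(default_factory=dict)

    def _key(self, src: Endpoint, dst: Endpoint) -> tuple:
        if self.mapping == EI:
            return (src,)
        if self.mapping == AD:
            return (src, dst[0])
        return (src, dst)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outgoing packet; return the public (ip, port) the remote sees.
        Each internal host gets its own public port, so two consoles that both
        send from 3074 do not collide (this is what the firewall's dynamic NAT does)."""
        key = self._key(src, dst)
        if key not in self._map:
            port = next(self._ports)
            self._map[key] = port
            self._bind[port] = (src, set())
        port = self._map[key]
        self._bind[port][1].add(dst)          # remember who we talked to, for filtering
        return (self.public_ip, port)

    def inbound(self, remote: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Deliver a packet from remote to public_port, or return None if filtered."""
        if public_port not in self._bind:
            return None                        # no mapping: unsolicited inbound is dropped
        internal, seen = self._bind[public_port]
        if self.filtering == EI:
            return internal
        if self.filtering == AD:
            return internal if any(r[0] == remote[0] for r in seen) else None
        return internal if remote in seen else None


def classify(nat: Napt, host: Endpoint) -> str:
    """STUN-style probe from outside. Open/Moderate/Strict is the commonly cited
    console reading of these behaviours (assumption; not confirmed by the thread)."""
    srv_a = ("198.51.100.10", 3478)
    srv_b = ("198.51.100.20", 3478)    # second probe server on another IP
    stranger = ("203.0.113.7", 9999)   # a host the console never sent to
    pub_a = nat.outbound(host, srv_a)
    pub_b = nat.outbound(host, srv_b)
    if pub_a != pub_b:                 # new public port per destination: symmetric NAT
        return "Strict (symmetric: " + nat.mapping + " mapping)"
    if nat.inbound(stranger, pub_a[1]) == host:
        return "Open (full cone: endpoint-independent mapping and filtering)"
    return "Moderate (restricted cone: " + nat.filtering + " filtering)"


def two_consoles_same_port(nat: Napt) -> Tuple[Endpoint, Endpoint]:
    """Two consoles behind nat both send from UDP 3074 to one game server;
    return the two distinct public endpoints the server sees."""
    xbox1, xbox2 = ("10.20.0.11", 3074), ("10.20.0.12", 3074)
    server = ("203.0.113.9", 3074)
    return nat.outbound(xbox1, server), nat.outbound(xbox2, server)


if __name__ == "__main__":
    fw = Napt("192.0.2.1", mapping=EI, filtering=APD)   # port-restricted cone
    print("two consoles on 3074 ->", two_consoles_same_port(fw))
    for m, f in ((EI, EI), (EI, APD), (APD, APD)):
        nat = Napt("192.0.2.1", mapping=m, filtering=f)
        print(m, "/", f, "->", classify(nat, ("10.20.0.11", 3074)))
```

Run it to see that the port-3074 collision is a non-issue for any NAPT (the two consoles get 40000 and 40001), and that the difference between the three labels lies entirely in mapping and filtering behaviour, not in which outbound ports are permitted. That matches the earlier observation that opening outbound ports in a packet filter does not by itself change what the probe reports.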
