Configuring pfSense Software for Online Gaming
This page provides information on using pfSense® software with online games.
See also
The Netgate Forum often has a wide array of threads for specific games and consoles. Search there for consoles or games if they are not listed here.
NAT Types
Game consoles attempt to simplify NAT troubleshooting for players by referring to different NAT scenarios with alternative terminology. Later portions of this recipe may use or refer to these terms.
These terms generally fall into the following categories:
Open / Type 1 / Type A
All external connections are passed through to the gaming device. For example, by use of UPnP or a 1:1 NAT rule on the WAN IP address pointing to a game console and a firewall rule allowing all traffic inbound to the console.
This is the least secure option and should rarely be necessary. However, this is the most compatible type of NAT for gaming, allowing connections from any other NAT type.
Danger
Allowing all traffic to a gaming console is a significant security concern. Should this be necessary, consider isolating the console on its own network segment and preventing it from communicating with any other internal host.
Moderate / Type 2 / Type B
When a local client initiates an outbound connection, NAT maintains the source port for subsequent connections. This can mean NAT uses whichever port the client chose (e.g. Static Port NAT), or that the firewall uses the same random external port for all client connections from a given source port (e.g. Port Restricted Cone NAT).
In this mode, when a client initiates a UDP connection outbound to a host, return traffic from that host coming back to the same port will pass through because of the existing connection state. By taking advantage of this behavior, peers can communicate directly without sending all traffic through the server. The server informs peers about the IP address and port number of other peers, and those peers then initiate packets to each other using the supplied IP addresses and ports. Because the source port is known and does not change between connections, once those connection states are established the peers can communicate directly, as their packets will match the states in the table. This behavior relies on all peers having Moderate NAT or Open NAT.
Strict / Type 3 / Type C or D
When a local client initiates a connection, NAT uses a random source port and/or IP address. This is the default behavior of outbound NAT on pfSense software. Clients behind strict NAT can typically only connect to peers with Open NAT, as the connections from the client will not use known or predictable source ports.
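The peer exchange described above can be modeled to show why each NAT type pairs the way it does. The following Python simulation is an added example, not part of pfSense software or its documentation; it goes beyond the text by checking every pairing of the four behaviors. The class and function names, IP addresses, and port numbers are all constructed for illustration, and external ports come from a counter rather than a random generator so the result is reproducible.

```python
import itertools

SERVER = ("198.51.100.10", 3478)   # constructed rendezvous server address

class Nat:
    """One firewall doing outbound NAT for a single console (simplified model)."""
    def __init__(self, public_ip, mode, ports):
        self.public_ip, self.mode, self.ports = public_ip, mode, ports
        self.maps = {}       # mapping key -> external port
        self.states = set()  # (external port, remote ip, remote port)

    def send(self, src_port, dst):
        """Translate an outbound UDP packet; return the source the remote sees."""
        if self.mode in ("open", "static"):
            ext = src_port                      # source port preserved
        else:
            # cone: one mapping per internal port; strict: one per destination
            key = src_port if self.mode == "cone" else (src_port, dst)
            if key not in self.maps:
                self.maps[key] = next(self.ports)
            ext = self.maps[key]
        self.states.add((ext, *dst))            # state allows matching replies
        return (self.public_ip, ext)

    def accepts(self, src, dst_port):
        """Would an inbound packet from src to dst_port reach the console?"""
        return self.mode == "open" or (dst_port, *src) in self.states

def direct_ok(mode_a, mode_b, game_port=50000):   # constructed client port
    ports = itertools.count(20000)    # counter instead of random: reproducible
    a = Nat("203.0.113.1", mode_a, ports)
    b = Nat("203.0.113.2", mode_b, ports)
    # 1. Both consoles register; the server records the endpoints it sees.
    seen_a, seen_b = a.send(game_port, SERVER), b.send(game_port, SERVER)
    # 2. Each console sends to the endpoint the server supplied for its peer.
    from_a, from_b = a.send(game_port, seen_b), b.send(game_port, seen_a)
    # 3. Direct play works if either packet matches a state on the far side.
    return b.accepts(from_a, seen_b[1]) or a.accepts(from_b, seen_a[1])

def matrix():
    modes = ("open", "static", "cone", "strict")
    return {(x, y): direct_ok(x, y) for x in modes for y in modes}

if __name__ == "__main__":
    for pair, ok in matrix().items():
        print(pair, "direct" if ok else "blocked")
```

In this model a strict peer reaches only an open peer, because the port the server observed is not the port the strict NAT uses toward the other console.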
General Recommendations
Many consoles, online services, and games require the use of Static Port NAT, Port Restricted Cone NAT, and/or UPnP IGD & PCP.
Static Port
Some games require at least Moderate NAT to facilitate direct peer communication, and one common way to achieve that is by using Static Port NAT. If there is only one game console on the local network, static port NAT may be sufficient. With static port, multiple consoles can conflict if they both attempt to use the same source port when communicating with the same server.
If a game has problems establishing a connection and there is only one local game console, try configuring static port for traffic coming from that console as described in Static Port.
Endpoint-independent Port Restricted Cone NAT
Port Restricted Cone NAT is another method to achieve Moderate NAT to facilitate direct peer communication. This method is more likely to be compatible with multiple local game consoles as NAT randomizes the external port but still maintains that same external port between subsequent remote connections.
If a game has problems establishing a connection and there are multiple local consoles, try configuring Port Restricted Cone NAT for traffic coming from the consoles as described in Endpoint-independent Port Restricted Cone NAT.
Note
Support for this type of NAT is still considered experimental.
Multiple players or devices behind one NAT device
Some games have issues where multiple players or devices are behind a single NAT device. These issues are specific to NAT in general, not pfSense software.
In particular, games which require moderate NAT may have issues using static port NAT. Port Restricted Cone NAT is much more likely to be compatible with multiple local consoles, except in cases where a game requires clients to use a specific source port number.
Multiple games and consoles which support UPnP generally work as expected, except in the case of Playstation. See the note below in Playstation for details.
Overcome NAT issues with UPnP IGD & PCP
Some games and consoles support Universal Plug-and-Play (UPnP IGD) and/or Port Control Protocol (PCP) to automatically configure NAT port forwards and firewall rules which allow inbound game traffic. Enabling UPnP IGD & PCP on pfSense software will typically allow these games to work with little or no intervention. However, allowing local devices to open ports in this way is also a significant security risk.
See also
See UPnP IGD & PCP for more information on configuring and using UPnP IGD & PCP, and for information on potential security concerns.
Note
There was a bug with UPnP IGD and multiple client devices on the same network in versions before pfSense Plus software version 22.05 and pfSense CE software version 2.7.0. Update to a current supported release to obtain the fix.
Specific Game Consoles
This section contains recommendations for specific console types and games. If a game or console requires special handling but is not listed here, please submit a documentation update. Include a link to manufacturer documentation when possible.
Note
What works to make a single console/device work from behind a firewall may not work for multiple consoles/devices behind the same firewall.
What works to allow a client to play an online game may not work for hosting an online game.
Hosting an online game and connecting a client to the same online game from behind the same firewall may not work, but as with everything else, it varies by game/console.
Nintendo Switch and Switch 2
Nintendo Switch and Switch 2 consoles require either a Static Port NAT or Port Restricted Cone NAT setup for IPv4 NAT.
Static Port and Port Restricted Cone NAT both allow the console to achieve NAT type B and work with most games. Port Restricted Cone NAT is more likely to work with multiple consoles behind the same router, but results may vary by game.
Nintendo Switch 2 also supports IPv6, but how well that works depends on the game and whether peers also have IPv6 connectivity.
Tip
While the official game servers for older Nintendo consoles such as Nintendo Wii, Wii U, and 3DS/2DS have been shut down, there are third-party services which work similarly. These services generally require the same type of setup as Nintendo Switch and Switch 2 consoles.
Steam / Steam Deck
Varies by game, but typically UPnP IGD & PCP or manual port forwards are sufficient. Some games may require Static Port or Port Restricted Cone NAT.
Xbox
Modern Xbox consoles, including multiple consoles, work well with UPnP IGD & PCP in many cases.
Some games or situations may require Static Port or Port Restricted Cone NAT.
Playstation
Single consoles work well with UPnP IGD & PCP though multiple consoles can be problematic. When multiple consoles are on the same network, Playstation devices do not automatically attempt to use a different port if they cannot use their preferred port.
Tip
In a mixed environment with Playstation and other console types, start the game on Playstation first so it can get the port it wants, then start other clients which will properly notice the port is in use and shift to alternate ports.
Some games or situations may require Static Port or Port Restricted Cone NAT.