this post was submitted on 03 Aug 2023

homelab


It's been a while since I've played any games online with my Nintendo switch, and I quickly remembered the issues with NAT types on the Switch.

When I checked, I had a NAT type of F, which will not allow online gaming. I found the guides on setting up the Hybrid NAT rules in pfSense, but my type was still F. I then loosened up my outgoing port rules for that VLAN, and got a NAT type of B.

After tightening them back up a bit and looking online, it looks like the UDP range 1024 through 65535 is expected for outgoing UDP traffic. Is that right? That is a ton of ports, and possibly no better than just enabling UPnP.

Do I really need such a wide range to be able to maintain this NAT type B?

all 16 comments
[–] [email protected] 11 points 1 year ago (1 children)

Yeah, that's just basically every unregistered UDP port... Not much you can do about it since Nintendo has struggled to understand the internet and its uses since the Famicom.

And no, for the love of God don't enable UPnP. It's still pretty much the worst thing you can do.

[–] WeirdGoesPro 4 points 1 year ago (3 children)

Why is UPnP the worst thing you can do?

[–] slazer2au 10 points 1 year ago

In normal operation a router or firewall running NAT will allow you to access the internet and receive traffic you requested and drop any unsolicited traffic originating from the internet.

If you were to access Google, your PC will try to access google.com on port 443 with your PC being the source on port 5673 (any number between 1024 and 65000ish). Any traffic from Google to you will be permitted provided they are using the correct port pairings. If Google then decides "I am going to send you traffic on port 5677", your router/firewall will drop the traffic as it is unsolicited.

Now for the problem. UPnP allows a piece of software running somewhere in your house to register itself with your router and say "hey, if you see traffic destined for port 5555 from anywhere on the internet, forward it to me, even if I didn't start the conversation". Considering how badly software is written, this can give a threat actor a beachhead into your LAN to then vomit as much traffic back out as it wants; it could be a DDoS, a mining bot, or just regular traffic sniffing.

[–] [email protected] 0 points 1 year ago

While you're opening most outbound UDP ports for just the Switch, a UPnP vulnerability has the possibility of letting an attacker open ports, especially inbound registered ports (SSH, RDP, etc.), for all devices.

If you do everything right (wifi client isolation, if your WAP has that option), opening the port for the Switch is "essentially" as safe as it can be. The safest would be Nintendo listing their public IPs, but I think Switch games use P2P, which is why they don't.

[–] [email protected] 5 points 1 year ago

As far as I remember, the Switch doesn't actually use UPnP. The only thing that I had to do to achieve NAT Type B was an outgoing NAT with static port enabled. If I understood right, NAT Type A can only be achieved if your device literally has a WAN address.

[–] [email protected] 3 points 1 year ago

I put my Nintendo Switch into a DMZ/own vlan. It was simpler and so I can get a NAT type A on it.

[–] BrownianMotion 3 points 1 year ago* (last edited 1 year ago) (1 children)

The biggest issue with the N.switch is that it requires static outgoing ports.

I have not used pf in years (OPNsense here, so it should be the same), but what you need to do is set hybrid outgoing NAT, designate a static IP to the Switch, and then tell outgoing NAT for that IP to use static ports, outgoing.

By default pf/OPNsense randomises the outgoing NAT port, and that messes up the N.switch royally (especially online, like MK8 Deluxe).

Most of what is being posted about UPnP and the N.switch is not correct. As long as your firewall rules allow the Switch to get out (lock ports if you want to, but it's a console, so ... why?)

Nintendo servers simply do not like you joining a game lobby on outgoing 34567, then starting the game on 23456, and then turning a corner on lap 2 switching to outgoing port 18845.

[–] computergeek125 1 points 1 year ago* (last edited 1 year ago)

Can confirm that also works on OPN

Static outbound is a feature I wish more firewalls had because it requires the targeted device to send outbound once before it accepts incoming (or at least that's my understanding)
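The two mechanisms argued about above (slazer2au's "replies to traffic you started get in, everything else is dropped, and UPnP punches a permanent hole", and BrownianMotion's and computergeek125's "randomised outbound ports break the Switch, static port fixes it") can be shown with a toy stateful NAT. The model below is an added example written for this thread; it is not pfSense/OPNsense code and not from any poster. The addresses (RFC 5737 documentation ranges), the Switch's LAN address 192.168.20.50:45000, the matchmaking server, the peer and port 5555 are all constructed for the example.

```python
"""Toy stateful source NAT with address-and-port-dependent filtering, in the
style of pf. Added example for the thread; all addresses and ports are
constructed and not taken from any real setup."""

import random
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"          # constructed WAN address of the firewall
SWITCH = ("192.168.20.50", 45000)   # constructed: the console's LAN socket
MATCHMAKER = ("198.51.100.5", 12345)  # constructed: Nintendo-side lobby server
PEER = ("198.51.100.77", 50000)     # constructed: another player's public socket


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    """static_port=False: each new outbound flow gets a fresh random public
    port (the pf default). static_port=True: the LAN source port is kept as
    the public port (the "Static Port" option on a pfSense outbound NAT rule)."""

    def __init__(self, static_port: bool, seed: int = 1) -> None:
        self.static_port = static_port
        self._rng = random.Random(seed)
        # flow state: (public_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.states: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # UPnP-style mappings: public_port -> (lan_ip, lan_port), any remote host
        self.upnp: Dict[int, Tuple[str, int]] = {}

    def _pick_public_port(self, lan_port: int) -> int:
        if self.static_port:
            return lan_port
        used = {pub for (pub, _, _) in self.states}
        while True:  # ephemeral range, distinct from ports already in use
            port = self._rng.randint(49152, 65534)
            if port not in used:
                return port

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> Internet: reuse an existing flow or create state for a new one."""
        for (pub, rip, rport), lan in self.states.items():
            if lan == (pkt.src_ip, pkt.src_port) and (rip, rport) == (pkt.dst_ip, pkt.dst_port):
                return Packet(PUBLIC_IP, pub, pkt.dst_ip, pkt.dst_port)
        pub = self._pick_public_port(pkt.src_port)
        self.states[(pub, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(PUBLIC_IP, pub, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: only a matching flow state or a UPnP mapping gets in."""
        if pkt.dst_ip != PUBLIC_IP:
            return None
        lan = self.states.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if lan is None:
            lan = self.upnp.get(pkt.dst_port)
        if lan is None:
            return None  # unsolicited: dropped
        return Packet(pkt.src_ip, pkt.src_port, lan[0], lan[1])

    def upnp_add_port_mapping(self, public_port: int, lan_ip: str, lan_port: int) -> None:
        """What a UPnP IGD AddPortMapping does: open public_port to lan_ip:lan_port
        for any remote host, with no outbound packet ever having been sent."""
        self.upnp[public_port] = (lan_ip, lan_port)


def unsolicited_is_dropped(nat: Nat) -> bool:
    """slazer2au's point: the reply on the right port pair passes, a packet
    from the same server to a port we never used is dropped."""
    out = nat.outbound(Packet(*SWITCH, *MATCHMAKER))
    reply = nat.inbound(Packet(*MATCHMAKER, PUBLIC_IP, out.src_port))
    stray = nat.inbound(Packet(*MATCHMAKER, PUBLIC_IP, out.src_port + 1))
    return reply is not None and stray is None


def hole_punch_succeeds(nat: Nat) -> bool:
    """BrownianMotion's point: the lobby server learns the console's public
    port from flow 1 and hands it to the peer; the console also sends to the
    peer (flow 2). The peer's packet only arrives if both flows share a port."""
    learned = nat.outbound(Packet(*SWITCH, *MATCHMAKER)).src_port
    nat.outbound(Packet(*SWITCH, *PEER))
    return nat.inbound(Packet(*PEER, PUBLIC_IP, learned)) is not None


def upnp_opens_hole(nat: Nat) -> Tuple[bool, bool]:
    """Same unsolicited packet from an arbitrary host, before and after a
    UPnP mapping; the console has sent nothing at all."""
    attacker = Packet("192.0.2.99", 40000, PUBLIC_IP, 5555)  # constructed
    before = nat.inbound(attacker) is not None
    nat.upnp_add_port_mapping(5555, *SWITCH)
    after = nat.inbound(attacker) is not None
    return before, after


if __name__ == "__main__":
    print("stateful filtering works:", unsolicited_is_dropped(Nat(static_port=False)))
    print("hole punch, random ports :", hole_punch_succeeds(Nat(static_port=False)))
    print("hole punch, static port  :", hole_punch_succeeds(Nat(static_port=True)))
    print("UPnP before/after        :", upnp_opens_hole(Nat(static_port=True)))
```

With port randomisation the peer is told one public port while the console's flow to the peer was translated to a different one, so the peer's packet matches no state and is dropped; with static port both flows share 45000 and the packet is delivered, which is the mapping behaviour the Switch's NAT test is looking for. The UPnP case shows the difference in kind: the mapping admits traffic from any source to the console without any outbound packet first, which is the "beachhead" the thread warns about, and it is why static port is the narrower fix.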

[–] GrayBoltWolf 3 points 1 year ago

My best advice would be to make sure you enable static port mapping on your NAT rules. That usually helps a lot of NAT traversal things like games.

And no, Nintendo doesn’t understand networking in the slightest and asking people to forward every single port is BS.

[–] [email protected] 2 points 1 year ago (1 children)

Holy shit they are actually suggesting to put their console in DMZ??? https://en-americas-support.nintendo.com/app/answers/detail/a_id/22272 https://en-americas-support.nintendo.com/app/answers/detail/a_id/22489

There was nobody in the company that said "but wait"?

If someone has more than one console per household, do they need to get another internet connection in order to play online?

[–] root 1 points 1 year ago

Networking isn't their strong suit, lol