Geekzone: technology news, blogs, forums
Paul1977
#288217 14-Jun-2021 18:08

I have an EdgeRouter Lite, and have never been able to get UPnP working for my games consoles. Decided to give it another crack now that I have PS5 and XBSX, but still no joy.

With UPnP disabled I get type 2 NAT on PS5 and moderate NAT on Xbox (along with the message "UPnP unsuccessful").

But enabling it on the router (using the below) doesn't make any difference (where 192.168.1.50 and 192.168.1.51 are the IPs of my consoles, eth1 is the LAN port, and pppoe0 is the Internet):

show service upnp2
 acl {
     rule 10 {
         action allow
         description "Allow Xbox UPnP"
         external-port 1024-65535
         local-port 0-65535
         subnet 192.168.1.50/32
     }
     rule 20 {
         action allow
         description "Allow PS5 UPnP"
         external-port 1024-65535
         local-port 0-65535
         subnet 192.168.1.51/32
     }
     rule 1000 {
         action deny
         description DENY
         external-port 0-65535
         local-port 0-65535
         subnet 0.0.0.0/0
     }
 }
 listen-on eth1
 nat-pmp enable
 secure-mode enable
 wan pppoe0

Where am I going wrong?
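As an added illustration of what the ACL above is meant to enforce (example code written for this edit, not EdgeOS or miniupnpd code): it models first-match evaluation of the three rules, assuming rules are tried in ascending number order and the first match wins, and adds a small least-privilege check that flags allow rules wider than the per-host pattern the OP used.

```python
import ipaddress

# Constructed from the `show service upnp2` output above: (rule number,
# action, external-port range, local-port range, subnet). Sample data,
# not read from a live router.
UPNP2_ACL = [
    (10, "allow", (1024, 65535), (0, 65535), "192.168.1.50/32"),  # Xbox
    (20, "allow", (1024, 65535), (0, 65535), "192.168.1.51/32"),  # PS5
    (1000, "deny", (0, 65535), (0, 65535), "0.0.0.0/0"),          # everyone else
]


def in_range(port, rng):
    lo, hi = rng
    return lo <= port <= hi


def acl_decision(acl, client_ip, external_port, local_port):
    """Return (action, rule_number) for one UPnP mapping request.

    Assumed semantics: rules are tried in ascending rule-number order and
    the first one whose subnet, external-port and local-port all match
    wins. With no matching rule the request is denied and rule_number is
    None (so the explicit rule 1000 makes the outcome visible in logs).
    """
    ip = ipaddress.ip_address(client_ip)
    for number, action, ext_rng, loc_rng, subnet in sorted(acl, key=lambda r: r[0]):
        if (ip in ipaddress.ip_network(subnet)
                and in_range(external_port, ext_rng)
                and in_range(local_port, loc_rng)):
            return action, number
    return "deny", None


def overly_broad_allows(acl):
    """Rule numbers of allow rules that are wider than one host or that
    let a client claim a privileged external port (< 1024)."""
    flagged = []
    for number, action, ext_rng, _loc_rng, subnet in acl:
        if action != "allow":
            continue
        net = ipaddress.ip_network(subnet)
        if net.num_addresses > 1 or ext_rng[0] < 1024:
            flagged.append(number)
    return flagged
```

With the OP's rules, a request from 192.168.1.50 for external port 3074 is allowed by rule 10, the same host asking for port 80 falls through to rule 1000, and any other LAN host is denied outright.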


Paul1977
#2728634 14-Jun-2021 18:41

OK, part of the problem was the LOCAL firewall blocking the UPnP requests. Changing this has the Xbox now showing open NAT, but PS5 is still NAT type 2.

Shouldn't UPnP make the PS5 NAT type 1?




Lias
#2728984 15-Jun-2021 10:19

Don't have a PS5 but this works for me for other things. I've never tried locking it down to specific devices with ACLs; have you tested it before trying to lock it down like that?

service {
    upnp {
        listen-on eth1 {
            outbound-interface <wan interface>
        }
        listen-on eth2 {
            outbound-interface <wan interface>
        }
    }
    upnp2 {
        listen-on <lan1>
        listen-on <lan2>
        nat-pmp enable
        secure-mode enable
        wan <wan interface>
    }
}


Paul1977
#2729000 15-Jun-2021 10:50

Lias:

Don't have a PS5 but this works for me for other things. I've never tried locking it down to specific devices with ACLs; have you tested it before trying to lock it down like that?

service {
    upnp {
        listen-on eth1 {
            outbound-interface <wan interface>
        }
        listen-on eth2 {
            outbound-interface <wan interface>
        }
    }
    upnp2 {
        listen-on <lan1>
        listen-on <lan2>
        nat-pmp enable
        secure-mode enable
        wan <wan interface>
    }
}

Thanks @Lias, my UPnP2 config was fine, but my LAN_LOCAL policy was preventing the clients from making the request (I lock things down really tight, pretty much just because).

From what I can tell, only UPnP2 is required for Xbox as that's now working and giving me open NAT (without the original UPnP enabled). I confirmed that the ACLs for UPnP2 are working. So Xbox is sorted.

Did a little research, and PS5 seems to be broken and never gives NAT type 1. I tested this by briefly putting PS5 in DMZ. I verified it was completely exposed to the Internet by pinging my public IP from outside and getting a reply from PS5 (ping replies when PS5 powered on, no reply when powered off). But the PS5 still reported NAT type 2.

What I'm not sure about is whether the PS5 gets any benefit by being allowed UPnP now since it reports NAT type 2 either way. I.e. I'm not sure if it's getting the benefits, but just incorrectly reporting NAT type 2.

I'm not a huge fan of open port forwards into the LAN, so I think I'll put the consoles in their own VLAN.

I'd be interested to know if UPnP continues to work for everything you need it for with only UPnP2 (i.e. delete service UPnP)?

Paul1977
#2729617 16-Jun-2021 13:04

Is there a way to list all the current port forwards that have been created by UPnP on an EdgeRouter Lite?

EDIT: my Google failed me for about 30 min, then right after posting I found the answer: show upnp2 rules


michaelmurfy
#2729666 16-Jun-2021 14:41

I've removed your other thread - we'll just discuss here.

I have NAT Type 2 on my PS5 and UPnP enabled to it from my Mikrotik. IIRC it was the same on my Edgerouter back in the day with my PS4.

Type 2 is what you want as this simply means a firewall is in front of the PS5. Open is actually a security risk and zero-days do exist.

NAT Type 1 (Open) – You are either NOT behind a router/firewall OR you have already DMZ enabled. You shouldn’t run into any issues whilst gaming, but this may cause security issues.
NAT Type 2 (Moderate) – Your PS3/PS4 is connected properly and you shouldn’t run into any issues.
NAT Type 3 (Strict) – You may be able to connect to the PSN and perform downloads/updates; other functions may not work as intended.

hio77
#2729682 16-Jun-2021 15:11

michaelmurfy:

I've removed your other thread - we'll just discuss here.

I have NAT Type 2 on my PS5 and UPnP enabled to it from my Mikrotik. IIRC it was the same on my Edgerouter back in the day with my PS4.

Type 2 is what you want as this simply means a firewall is in front of the PS5. Open is actually a security risk and zero-days do exist.

NAT Type 1 (Open) – You are either NOT behind a router/firewall OR you have already DMZ enabled. You shouldn’t run into any issues whilst gaming, but this may cause security issues.
NAT Type 2 (Moderate) – Your PS3/PS4 is connected properly and you shouldn’t run into any issues.
NAT Type 3 (Strict) – You may be able to connect to the PSN and perform downloads/updates; other functions may not work as intended.

This is where the whole concept of NAT type has driven so many people to open unneeded holes in their network!

Paul1977
#2729711 16-Jun-2021 16:57

michaelmurfy:

I've removed your other thread - we'll just discuss here.

I have NAT Type 2 on my PS5 and UPnP enabled to it from my Mikrotik. IIRC it was the same on my Edgerouter back in the day with my PS4.

Type 2 is what you want as this simply means a firewall is in front of the PS5. Open is actually a security risk and zero-days do exist.

NAT Type 1 (Open) – You are either NOT behind a router/firewall OR you have already DMZ enabled. You shouldn’t run into any issues whilst gaming, but this may cause security issues.
NAT Type 2 (Moderate) – Your PS3/PS4 is connected properly and you shouldn’t run into any issues.
NAT Type 3 (Strict) – You may be able to connect to the PSN and perform downloads/updates; other functions may not work as intended.

Yeah, I get all that and wouldn't consider DMZing other than as a test. Even with UPnP enabled, I've VLANed my consoles off my main network since I don't like the idea of clients being able to request port forwards.

My question was really about the fact that I couldn't get NAT type 1 even when I did (temporarily) DMZ it. I could ping my PS5 from the Internet, but it still reported NAT type 2.

It reports NAT type 2 for me whether UPnP is enabled or not (but it takes longer to determine the NAT type without UPnP enabled - so it seems to be doing something). By contrast the Xbox Series X reports open NAT (Type 1) as soon as I enable UPnP.

From a theoretical standpoint, if DMZing the PS5 doesn't give NAT type 1, what would?


Paul1977
#2729979 17-Jun-2021 09:31

Well UPnP is definitely functioning for PS5, as I can see the rules it's creating. So regardless of what NAT type it's reporting, it all seems to be working.

I have to say UPnP seems to be implemented better on the Xbox though (at least with my EdgeRouter), for the below reason:

Xbox appears to tell the router to close the ports when no longer required (e.g. when it enters rest mode), PS5 doesn't so they stay in place. Not a big deal, just not as tidy as Xbox.