
Author Topic: pfSense in DMZ, 1 Public IP, Multiple PS4/PlayStation 4 Strict NAT, UPnP Enabled  (Read 92 times)


Author: PauluzzNL
Dear Community,

Step by step I came closer to taming the monster PS4. Unfortunately, I've been stuck at the last step. The TL;DR is that I cannot get multiple PlayStation 4's to get a NAT Type 2 using the same public IP and using UPnP. Perhaps this is not even possible, so I hoped to get some experiences from fellow pfSense users.

Let me first describe my network set-up briefly:

ISP ---- ISP Router (DMZ) ---> pfSense  --- VLAN X ---- Playstation 1/2/3/4

So there is a router from the ISP, and a router for the network. The pfSense router is set as DMZ from the ISP router.
All gaming consoles are in a separate VLAN, but this should not really matter.

The configuration:
Services -> UPnP
- Enabled
- Allow UPnP Port Mapping Enabled
- Allow NAT-PMP Port Mapping Enabled
- External Interface WAN
- Interfaces (VLAN X selected)
- Override WAN address: WAN address of ISP router
- Default Deny Enabled
- ACL Entries: lines of:
allow 1024-65535 172.20.6.x/32 1024-65535

Something Works! :)
If I check one PS4 console and test its network settings, it'll say "NAT Type 2". In the UPnP & NAT-PMP status table I'll see:
Port / Protocol / Internal IP / Int Port / Description
 9308    udp    172.20.6.x    9308 to 9308 (UDP)

So far so good.

The Problem:
As soon as I try to use the second, third, whatever x PS4 console and run the same test, it'll show NAT Type 3. When I briefly disconnect the first PS4 and retest, the first connected console will have a NAT Type of 2, and a corresponding rule in the UPnP status table.

As such it appears that the entries get overridden and I can only use one console at a time for these online services.

Is this a common problem? Are there ways around this issue without needing to have multiple IPs? I'm specifically talking about the NAT Type issue; it is not a problem to let multiple consoles on the internet at the same time.
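The post above describes two mechanisms: the miniupnpd ACL lines that pfSense writes from the "ACL Entries" box (`allow <ext-port-range> <int-ip>/<prefix> <int-port-range>`, evaluated in order, first match wins, with "Default Deny" appended as a trailing deny-all line) and a port-mapping table that, for a single public IP, can hold only one row per protocol and external port. The following is an added example, not code from the post or from pfSense/miniupnpd, that models both so the symptom can be reproduced offline: every console asks for UDP 9308 -> 9308 as the status table shows, and the model assumes (this is the illustrative assumption, not something the post states) that a second host requesting an external port already mapped to another host is refused with UPnP IGD AddPortMapping error 718 (ConflictInMappingEntry), which is what a console would report as a non-open NAT type. Internal addresses 172.20.6.11-13 and public IPs 203.0.113.10/.11 are constructed sample values.

```python
"""Added example (not from the post or from pfSense/miniupnpd).

Models pfSense's miniupnpd ACL lines and a per-public-IP port-mapping table,
to show why several consoles that all request the same external port on one
public IP cannot all get a mapping. The conflict behaviour (error 718) is an
assumption used for illustration; addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass

CONFLICT_IN_MAPPING_ENTRY = 718  # UPnP IGD AddPortMapping error code


@dataclass(frozen=True)
class AclRule:
    action: str                  # "allow" or "deny"
    ext: tuple                   # (low, high) external port range
    net: ipaddress.IPv4Network   # internal address range
    int_: tuple                  # (low, high) internal port range


def parse_range(text):
    """'1024-65535' -> (1024, 65535); '9308' -> (9308, 9308)."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text}")
    return lo, hi


def parse_acl(text):
    """Parse ACL lines in miniupnpd.conf syntax; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"bad ACL line: {raw!r}")
        action, ext, net, intp = parts
        rules.append(AclRule(action, parse_range(ext),
                             ipaddress.ip_network(net, strict=False),
                             parse_range(intp)))
    return rules


def acl_permits(rules, ext_port, int_ip, int_port):
    """First matching rule decides; with no match miniupnpd allows, which is
    why pfSense's 'Default Deny' is a trailing deny-all rule."""
    ip = ipaddress.ip_address(int_ip)
    for r in rules:
        if (r.ext[0] <= ext_port <= r.ext[1] and ip in r.net
                and r.int_[0] <= int_port <= r.int_[1]):
            return r.action == "allow"
    return True


class MappingTable:
    """Port mappings of an IGD: one row per (external IP, proto, ext port)."""

    def __init__(self, rules):
        self.rules = rules
        self.rows = {}  # (ext_ip, proto, ext_port) -> (int_ip, int_port, desc)

    def add(self, ext_ip, proto, ext_port, int_ip, int_port, description=""):
        """Return (True, 'mapped') or (False, reason)."""
        if not acl_permits(self.rules, ext_port, int_ip, int_port):
            return False, "denied by ACL"
        key = (ext_ip, proto.lower(), ext_port)
        current = self.rows.get(key)
        if current is not None and current[0] != int_ip:   # assumed: refuse, don't override
            return False, f"error {CONFLICT_IN_MAPPING_ENTRY}: ConflictInMappingEntry"
        self.rows[key] = (int_ip, int_port, description)   # a host may refresh its own row
        return True, "mapped"

    def delete(self, ext_ip, proto, ext_port):
        self.rows.pop((ext_ip, proto.lower(), ext_port), None)

    def status(self):
        """Rows shaped like Status > UPnP & NAT-PMP: port, proto, int IP, int port, desc."""
        return sorted((k[2], k[1], v[0], v[1], v[2]) for k, v in self.rows.items())


def simulate_consoles(console_ips, public_ips=("203.0.113.10",), port=9308):
    """Each console asks for UDP <port> -> <port>, in order. With one public IP
    only the first gets a row; with one public IP per console all of them do."""
    acl_text = "\n".join(f"allow 1024-65535 {ip}/32 1024-65535" for ip in console_ips)
    acl_text += "\ndeny 0-65535 0.0.0.0/0 0-65535   # pfSense 'Default Deny'"
    table = MappingTable(parse_acl(acl_text))
    results = {}
    for i, ip in enumerate(console_ips):
        ext_ip = public_ips[i % len(public_ips)]
        results[ip] = table.add(ext_ip, "udp", port, ip, port, f"{port} to {port} (UDP)")
    return table, results


if __name__ == "__main__":
    table, results = simulate_consoles(["172.20.6.11", "172.20.6.12", "172.20.6.13"])
    for ip, (ok, why) in results.items():
        print(f"{ip}: {'NAT Type 2' if ok else 'NAT Type 3'} ({why})")
    for row in table.status():
        print(row)
```

Running it with the default single public IP gives one status row (for 172.20.6.11) and error 718 for the other two consoles; deleting that row lets the next console claim the port, which matches the "disconnect the first PS4 and retest" observation. Passing one public IP per console produces one row per console, which is the "multiple IPs" case the post asks about.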