Gaming with Full Cone vs Symmetric NAT Routers

Where to discus how to best use a modem
Post Reply
e38BimmerFN
Posts: 14
Joined: Sun Jul 23, 2017 7:15 pm

Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Wed Aug 09, 2017 12:25 am

Reason for making this post is that for the gaming community, gamers have had a historical problems with gaming with single consoles/PCs or two or more consoles/PCs and getting OPEN NAT in the console/PC networking NAT status and in games for those games which support there own display of NAT status shown to the gamers, i.e. CoD, BattleField and some Halo games. This NAT status effects mostly online gaming with others around the world and with local game environments which may have two or more consoles/PCs connected to one router and gaming all at the same time. This issue usually isn't seen for local gaming or single game console/PC gaming if the network conditions are right.

I'd like to start this thread with a list of Mfr and Model # routers that support Full Cone NAT vs routers that only support Symmetric NAT type. I've come into some information that these two types of NAT programs embedded in router FW along with the uPnP program can and does have a bad configuration behavior on game consoles and PCs and with certain games being played.

History:
Full Cone NAT:
"A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address."
http://www.think-like-a-computer.com/20 ... es-of-nat/

Restricted Cone NAT (Dynamic NAT)
A restricted cone NAT works in the same way as a full cone NAT but applies additional restrictions based on an IP address. The internal client must first have sent packets to IP address (X) before it can receive packets from X. In terms of restrictions the only requirement is that packets come in on the mapped port and from an IP address that the internal client has sent packets to.
http://www.think-like-a-computer.com/20 ... es-of-nat/

Port Restricted Cone NAT (Dynamic NAT)
A port restricted cone NAT acts in exactly the same way as a restricted cone NAT but applies restrictions to ports also. Where a restricted cone NAT will accept connections from any source port a port restricted cone NAT restricts this further by only accepting connections from the IP address and port it sent the outbound request to.
http://www.think-like-a-computer.com/20 ... es-of-nat/

Symmetric NAT:
"A symmetric NAT applies restrictions exactly the same way as a port restricted cone NAT but handles the NAT translation differently. All types of NAT discussed so far don’t change the source port when NATing connections. For example when a client accesses the Internet using IP 192.168.0.1 and source port 56723 NAT changes the source IP to say 56.35.67.35 but keeps the port number the same; this is known as port preservation. A symmetric NAT NATs ports to new randomly generated ones. This even applies to connections from the same client to different destinations. It's said that Symmetric NAT is more secure."
http://www.think-like-a-computer.com/20 ... etric-nat/

Want to see what kind of NAT your router uses? Try this handy tool:
http://nattest.net.in.tum.de
To see what a Xbox 1 is seeing connected to a router, follow this on the console:
1. Go into Settings, Network Settings.
2. Click on ‘Test Multiplayer Connection’
3. After the connection runs, and before selecting the button to continue, simultaneously press both bumpers and both triggers on the controller, then release. A more detailed test will then run and the detailed NAT type description will be shown.
NOTE: This only gives a "cone" nat information when seen and doesn't fully display exact NAT kind information. Please run the NAT Test tool from a PC using the FF ESR browser at the link below to get more exact NAT kind being used on the router.
Suggested Browser: http://ftp.mozilla.org/pub/firefox/releases/52.4.1esr/
Use FireFox (ESR) x32 versions should work well since some browsers are not supportive of Java. Don't use the x64 platform. Also ensure that Java x32 is loaded as well, don't use Java x64. This NAT test seems to not work at all on x64 browsers or Java x64.
Example of NAT TEST tool:
Image

NAT Test completed results:
Image
STUN Results is what will give what exact NAT kind your router is using.

uPnP: "Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices."

Single game consoles main need the main gaming port for OPEN NAT conditions and gaming services, i.e. 3074 for MS XBox Live. Now, one first connected console/PC can only connect and occupy the one port at a time. Having two or more consoles/PCs can't occupy the 3074 port at the same time as it's already being connected to by the first console/PC. This is where uPnP comes in to play. After the first console/PC connects to port 3074, then the next console/PC connects and requests to connect port 3074, uPnP comes in and says, ok, however that port is already being used, lets find you a virtual port to use and set this up for the 2nd device and any follow on connecting devices.
UPDATE:
MS mentioned that there is some improvements coming:
"Some under-the-hood UPnP improvements: We've been improving and optimizing the UPnP port mapping process, and this release contains some further enhancements to make the port mapping process even more resilient and streamlined."

Gaming Network Conditions:
Single NAT and Double NAT networking conditions for gaming configurations.

Single NAT is where either a modem/router device or a modem only and a external router, where either the modem/router or external router handles all routing and NAT traffic and is the main host router for all connected devices including game consoles and PCs. The ISP public IP address is translated from the ISP modem to the gaming device seamlessly. WAN to LAN. WAN side ISP public IP address ##.##.###.### to a LAN side IP address of 192.168.#.#. The WAN side ISP public IP address ##.##.###.### is correctly translated to game consoles/PCs by just the external router handling the NAT traffic.
This configuration is ideal and what works best for gaming configurations and should be configured as such and is the "golden" configuration for general home networking and gaming environments.

Double NAT is where we have a modem/router combo unit connected with another external Mfr router, i.e. D-LInk, Asus, Netgear and so on. And the game consoles/PCs are connected to the external router. Both Modem/router and external router are handling NAT traffic at the same time, thus this is called a double NAT condition. This configuration is not recommended and is very problematic for gamers and applications which depend on having a single NAT condition. WAN side ISP public IP address ##.##.###.### to a LAN side IP address of modem/router to a LAN side IP address of 192.168.1.# on the modem router. This is where the public IP address translation stops. Then the LAN side IP address 192.168.1.### of the modem/router is going to the WAN side IP address of 192.168.0.### of the external router then game consoles and PCs are getting a LAN side IP address of 192.168.0.### from the external router. In this configuration, the translation of the public IP address does not get to this point. This is called a double NAT condition as the two routers are trying to handle NAT traffic, however when it gets to the external router, NATs already been handled by the ISP modem/router and game consoles/PCs have a hard time getting the required ports opened.
This configuration is not recommended and causes problems in getting game consoles/PCs connected to gaming services and in game lobbies. This configuration should be avoided.

A work around for double NAT if the ISP modem/router supports either FULL modem bridging or the use of the DMZ feature on the modem/router.
http://www.practicallynetworked.com/net ... le_nat.htm
http://computer.howstuffworks.com/nat.htm

Tested Gaming Configurations. I found that with some routers the following simple router and console configuration as resulted in seeing OPEN NAT across two or more game consoles running the same game at the same time!
Defaults:
1. ISP modem stand alone only, no built in router in modem. Cable ISP tested. See linked list of modems to avoid using: app.php/badmodems
2. External router with just IP address reservations ON the router for game consoles or PCs. uPnP enabled, QoS enabled and configured. NO Port Forwarding enabled.
3. Game consoles or PCs LAN wired to the back of the router directly. Can use Gb switches if needed. Direct to router was tested. Wireless can be used however can also be problematic as well. I recommend starting and testing with LAN Cable first, CAT6 while testing and configuring the router, consoles and PCs.
4. For MS Xbox One consoles there is a known issue with a power management feature call Instant ON. This feature has been causing networking and connection problems since it came out. To fix this, disable Instant ON and set the XB1 power features to POWER Save on ALL game consoles. I don't know if Sony PS consoles has any features like this or if they are causing problems as well. Try either way for Sony consoles.
5. Hard Power OFF with all game consoles or reboot PCs fully to ensure IP addresses and uPnP port configurations are clean and ready to go. Start with all devices OFF after each device has a IP reservation set ON the router. Do not use Static IP addresses ON the devices. Hard powering OFF the consoles clears all network caches and ports set up on the consoles as there has been a known issue with game consoles not handling networking configurations correctly. Hard powering off helps with this.

6. Power one the first game console/PC. Do not power on all consoles/PCs at the same time. This must be done in sequence. Check networking dash board settings for IP address configurations and NAT status and that the console connected to the XBL gaming service with your account. Should be OPEN NAT. Load the same game. BO3 tested. Takes a bit. Navigate into the team death match first lobby where NAT status is displayed. Should be OPEN NAT. Leave this console at this screen for now and turn the the next game console/PC. Repeat step 6 for the 2nd and 3rd console/PC.
Update 8/31/2017: Started testing Activisions Infinite Warfare as well with the D-Link DGL-5500. :violence-uzi:

Using the above default configuration has been testing on the following routers with OPEN NAT being seen on ALL game console network dash board and in game NAT status for two and three game consoles (XB1) while all two and three consoles playing the same game at the same time, CoD Black OPS 3 which these routers below support or simulate supporting of FULL CONE NAT type:
Older Generation Routers: What I have tested.
Apple Airport Extreme (3rd Generation)

D-Link DIR-655 Rev B and Rev C*, DIR-825 Rev B, DIR-835, DIR-857, DGL-4500 (All but DIR-655 Rev C and DIR-835 were tested and found to be Full Cone NAT routers for the NAT test.)

NetGear WNR2000 v2

Newer Generation Routers: What I have tested.
NetGear R7800 Full Cone NAT (Two XB1 consoles with BO3 at the same time. Sm00thpapa also reported to me that 2 PS4's, 1 Xbox One,2 Xbox 360's and 1 PS3 gaming online some times at the same time with a R7800 works well.) This router has a NAT Filter UI Feature which it enables FULL CONE NAT. I presume this model router also supports Port Address Restricted NAT if the NAT Filter feature is set for SECURE. When set to OPEN, the router reports FULL CONE NAT when tested.

Older generation routers, at least ones I have and tested with above configuration, work well in allowing two or more game consoles with the same game being played to achieve OPEN NAT on the network dashboard of the console and in all same games being played at the same time. NetGear has one newer generation router that I have tested and found to support FULL CONE NAT which also works.


Using the above configuration, The following older and newer generation routers don't seem to support FULL CONE NAT and has Restricted Cone NAT (Dynamic NAT), Port Restricted Cone NAT (Dynamic NAT) or Symmetric NAT and getting OPEN NAT on two or more game consoles/PCs in game is very problematic and at most, MODERATE NAT is only seen in game on the second and follow-on consoles. Only OPEN NAT will be seen on the first game console/PC, dash board and in game, that is turned on first and the game loaded:
Old Generation Routers: What I have tested.
D-Link DIR-645 Address Restricted Cone NAT, DIR-836L Address Restricted Cone NAT, DIR-868L RevA Address Restricted Cone NAT.

DIR-868L Rev A using FW v1.00 supports FULL CONE NAT. Some time the support was dropped and changed to Port Address Restricted Cone NAT in later FW versions. :(

Newer Generation Routers: What I have tested.
RT-AC66U It is reported that Port Address Restricted Nat is seen on this model router with OEM FW. http://nattest.net.in.tum.de/individua ... 91bc6ef32f
Merlin/JohnsFork Support ASUS Routers: https://www.snbforums.com/threads/asusw ... ters.7846/
Working to see if I can get FULL CONE NAT or
OPEN NAT on both consoles...work in progress.

RT-AC88U It is reported that Port Address Restricted Nat is seen on this model router, however user has 3rd party MERLIN FW (v380.68) loaded and they report that the use of "GAME" mode with in the FW enables FULL CONE NAT and OPEN NAT is seen in both same games while connected to this router.
Merlin Support ASUS Routers: https://www.snbforums.com/threads/asusw ... ters.7846/

ASUS RT-3100 Port Address Restricted Cone NAT and OEM FW. Fails to support OPEN NAT on 2nd xbox with BO3 and IW same game running with Moderate NAT seen on 2nd in game status. Will load Merlin 3rd party FW and test for NAT and game status.
UPDATE: I got Merlin v380.68 loaded on it and Vexira said to use the following configuration:
Game Mode selected. Adaptive QoS enabled and selected, Bandwidth set to Manual and input ISP speeds. 200/10 for mine. Queue Discipline set to FQ_Codel, WAN packet overhead selected for Cable Docsis and it put a value of 18 for my Cable modem service. uPnP enabled is all. No Port Forwarding/Triggering. OPEN NAT seen on both BO3 game consoles same time running. Looks like Merlin FW and this configuration works for ASUS routers that support Merlin FW. :dance: Also using the default Adaptive QoS and Game mode configuration also works so Vexiras configration may not be needed.
NOTE: RMerlin had helped his FW by correcting multiple console NAT IPTables issue that was fixed in v380.66. So users will need to load this version of FW or later if you have two or more same game consoles on there ASUS routers.
ASUS model supported routers: https://www.snbforums.com/threads/asusw ... ters.7846/

ASUS GT-AC5300 Port Address Restricted Cone NAT, and RT-AC5300 (Biggshooter reported that Merlin loaded on his RT-AC5300 is "Restricted Cone NAT".) (However Merlin FW may have a solution for the RT-AC5300) Current 3rd party FW is not supported on the GT-AC5300.)

D-Link DGL-5500 Port Address Restricted Cone NAT Fails with Moderate NAT on 2nd xbox with BO3 and IW same game running. 3rd party FW is supported on this model router: http://forums.dlink.com/index.php?topic=64561.0

D-Link DIR-868L Port Address Restricted Cone NAT with most recent version of FW, v1.12. However going back to v1.00 initial release FW, FULL CONE NAT can be achieved with changing the NAT Filter UI feature from Port and Address Restricted to Endpoint Independent. NOTE: The NAT Filter UI feature from the FW thus hard coding and limiting the router to Port Address Restricted NAT in recent versions of FW. The DIR-868L Rev A supports 3rd party FW:
DD-WRT FW reports Port Restricted Cone NAT:
http://nattest.net.in.tum.de/individual ... b5cb70d360
WIll see if NAT can be changed. Work in progress.
Update: 11/26/2017
After loading DD-WRT on my DIR-868L Rev A, testing default settings. 2nd same game running only gets Moderate NAT. Same goes with configuring Port Range Forwarding and adding new IPTables configuration via telnet:
https://serverfault.com/questions/85298 ... ction-type

I presume that if DD-WRT code and miniupnp packages could be modified like RMerlin did, this would help getting OPEN NAT on 2nd same game console when a router uses DD-WRT since this is a working solution for Merlin FW on ASUS routers:
https://github.com/RMerl/asuswrt-merlin ... d0df5b921f
https://github.com/RMerl/asuswrt-merlin ... 48a1a6a126
https://www.snbforums.com/threads/upnp- ... 24/page-14
https://serverfault.com/questions/85298 ... ction-type

D-Link DIR-880L Port Address Restricted Cone NAT, DIR-890L and COVR-3902 Port Address Restricted Cone NAT. DIR- 822, 878, 882 all have Symmetric NAT

Linksys WRT1900AC v1 Not tested yet for any Linksys Symmetric NAT supporting only routers at this time.

Linksys WRT32x Port Address Restricted Cone NAT http://nattest.net.in.tum.de/individual ... 3521e1fdbc
Fails with Moderate NAT on BOTH xbox consoles with BO3 and IW same game running. OPEN NAT seen on dash board Networking however.

NetDuma R1 Port Address Restricted Cone NAT, v1.03.6g (New NetDuma OS is being reported in development. Possible resolution when that comes out.)

NetGear R7000 - LastKnight reports that his NetGear R7000 has Port Restricted Cone NAT and Fails to support OPEN NAT one 2nd xbox with BO3 same game running. NOTE: LastKnight mentions to me that he found the feature NAT FILTERING set to SECURE would not allow OPEN NAT on 2nd console, however after setting it to OPEN, he now gets OPEN NAT in same game on both consoles. Even with OPEN NAT Filtering selected, the NAT test tool reported Port Address Restricted Cone NAT.
Image


This list is dynamic and can change at any time. New additions will be added as users are encouraged and can let me know what to add after confirming NAT status with OPEN NAT across the board with the above testing criteria. Most routers tested are with OEM FW. Testing results from users testing 3rd party FW welcome.

Conclusions:
MS and Sony may have not fully tested two or more game console/PC and same or different game environments. Current marketing perspective maybe thinking of one household, one game console. uPnP code handling between the consoles and games are problematic. Router Mfr use of Symmetric NAT type only inhibits good NAT handling for two or more game consoles/PCs, where FULL CONE NAT handles two or more game consoles/PCs playing the same game at the same time correctly. Also games may have specific problems in handling of NAT when being played on routers with Symmetric NAT as well which should be looked at for multiple game environments by game developers. There also could be a problem with Symmetric NAT in itself as well which should be looked at. Can Symmetric NAT handle two or more game consoles? Again, all these considerations are only seen when using two or more game consoles. A mixed of consoles would also be a consideration as well, i.e. Xbox and Play station on the same router online at the same time.

Game Mfrs also have a role to play in this and from what i've seen, some games are not handling uPnP ports and NAT kinds correctly with two or more consoles running same game, which needs to be addressed by game Mfrs which use and give NAT status in there game. I'm seeing that recently that two consoles running the same game are achieving OPEN NAT on Port Address Restricted NAT routers on the consoles network settings with two consoles, however after loading the game, one game console reports OPEN NAT and the other console reports MODERATE NAT. This is with the new MS xbox one port address change feature that was released fully on Oct 17th when it hit my xbox one console. When using a FULL CONE NAT router with two same game running consoles, OPEN NAT is seen across the board and is not an issue.

From what I'm seeing with all router Mfrs, on some older and newer routers, if NAT Filtering UI is a option, i.e. older model routers, and you can set OPEN or Endpoint Independent in the OEM FW UI, this will change the NAT kind from Port Address Restrict NAT to FULL CONE NAT which will and should help attain OPEN NAT for two or more same game consoles. I have older D-Link routers and a newer NetGear R7800. These have NAT Filter features which seem to help. However going forward, for D-Link, they removed the NAT Filter feature in more recent versions of FW thus limiting the NAT kind to only Port Address Restricted. Newer generation routers don't even have NAT Filters features anymore and are now hard coded PAR or Symmetric NAT. From what I'm told, router Mfrs are wanting to go to and maintain PAR or Symmetric NAT kinds since they are more secure than FULL CONE NAT. I presume it would be up to router Mfrs to allow end users to switch between them which I see that NetGear OEM FW still seems to do. D-Link as removed this UI feature in all of there newer generation routers. So until IPv6 becomes more come place, users with two or more same game consoles should look into Mfr routers that support either FULL CONE NAT or have the flexibility with NAT FILTER UI Features that can configure the router for FULL CONE NAT when two or more same game consoles/PC are being used and connected. And again, all of this doesn't apply for single game console/PC users.

This issue has been on going for MS and Sony gamers for years now:
Links to D-Link, SmallNetBuilder, NetDuma, MS and Sony Forums. Any others.
http://forums.dlink.com/index.php?topic=65732.0
https://www.snbforums.com/threads/upnp- ... nat.35324/
https://community.playstation.com/conte ... -bM2X.html
https://www.bungie.net/en-us/Forums/Post/75409135
http://forum.netduma.com/topic/16898-mu ... -nat-type/
http://www.neogaf.com/forum/showpost.ph ... tcount=118

Additional Resources:
https://tools.ietf.org/html/draft-taked ... aversal-00
https://www.ipv6forum.com/ipv6_enabled/ ... content=US
https://miniupnp.tuxfamily.org/forum/vi ... php?t=1707
http://www.internetsociety.org/deploy36 ... over-ipv6/
https://github.com/kaklakariada/portmapper
http://support.xbox.com/en-AU/xbox-one/ ... r-solution
http://www.joewein.net/info/sw-iptables ... ne-nat.htm

8/8/3017 Interesting development from MS for XB1 game consoles:
https://www.reddit.com/r/xboxone/commen ... g_changes/ :think:
https://www.snbforums.com/threads/upnp- ... ost-340818

Update 9/5/2017:
https://www.reddit.com/r/xboxone/commen ... _settings/
:auto-sportbike: :character-smurfpapa:
:violence-smack:

e38BimmerFN
Posts: 14
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Fri Sep 29, 2017 4:50 pm

Update 9/29/2017:
Wanted to update everyone. My roommates xbox one received an system update day before yesterday. He noticed the dash board had some changes on it. Of course, not to his liking. I asked him to show me the networking section. Low and behold under Advanced Networking is the Port feature. We only saw virtual ports listed here and not any 3074 ranged ports. I presumed my xbox was not going to see an update however I checked to be sure. Not updated. As soon as I get some time, I'll test to see if this new feature helps with Moderate NAT with some Port Address Restricted NAT kind routers that I have. Not sure if this feature needs to be on just one console or two or more. Will see. :think:
:auto-sportbike: :character-smurfpapa:
:violence-smack:

e38BimmerFN
Posts: 14
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Sun Oct 01, 2017 10:39 pm

Ok, ran a test today with a D-Link COVR-3902 router (Port Address Restricted NAT kind) with my xbox one thats not updated with the new Port feature and with my roommates xbox one with the new Port feature. Turned mine of first and both dash board and in game BO3 was OPEN NAT.

Turned on the 2nd xbox one with the new feature and dash board was OPEN NAT however in game BO3 was Moderate NAT. I exited the game and set a manual Port to the next available port listed instead of Automatic. Saved settings and continued. Launched BO3 and NAT was still Moderate NAT on 2nd xbox. Will run the test again by hard powering OFF both consoles, rebooting the router then starting the 2nd xbox one first then mine. :roll:

I reversed the order this time. I turned on the roommates XB1 with the Port feature and his was OPEN NAT across the board. I turned my XB1 on with out the port feature and OPEN NAT was seen on dash board and Moderate NAT in game. :(

Seems that some Multi-Player games when two or more game consoles are running the same game need FULL CONE NAT routers to be able to achieve OPEN NAT across the board.
:auto-sportbike: :character-smurfpapa:
:violence-smack:

e38BimmerFN
Posts: 14
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Thu Oct 19, 2017 7:58 pm

Ok, MS seems to have made the new Port change feature in the XB1 OS available. I got a new system update on Oct 17th and I now have this feature. I was not in the preview program.

I tested CoD:IW NAT status with two consoles running same game on a Port Address Restricted NAT router with just using uPnP. One console reported OPEN NAT while the other reported MODERATE NAT.

I presume the port change feature is handling NAT issues on the MS System side of everything while in game NAT and processes are not being handled correctly by the game when using a Port Address Restricted or Symmetric NAT router. As the port change feature doesn't seem to do anything for the game being played on two or more game consoles at the same time.

Game Mfrs need to review and address this issue for two or more same game running consoles with Port Address Restricted or Symmetric NAT routers besides FULL CONE NAT routers which don't exhibit this problem.
:auto-sportbike: :character-smurfpapa:
:violence-smack:

e38BimmerFN
Posts: 14
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Sat Oct 21, 2017 11:12 pm

Updated main post with new Linksys WRT32x gaming router. CoD BO3 and IW tested. Not good for two or more same game running consoles. :cry:
:auto-sportbike: :character-smurfpapa:
:violence-smack:

Post Reply