Gaming with Full Cone vs Symmetric NAT Routers

Where to discuss how to best use a modem
e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Wed Aug 09, 2017 12:25 am

Reason for making this post is that for the gaming community, gamers have had historical problems with gaming with single consoles/PCs or two or more consoles/PCs and getting OPEN NAT in the console/PC networking NAT status and in games for those games which support their own display of NAT status shown to the gamers, i.e. CoD, BattleField and some Halo games. This NAT status affects mostly online gaming with others around the world and with local game environments which may have two or more consoles/PCs connected to one router and gaming all at the same time. This issue usually isn't seen for local gaming or single game console/PC gaming if the network conditions are right.

I'd like to start this thread with a list of Mfr and Model # routers that support Full Cone NAT vs routers that only support Symmetric NAT type. I've come into some information that these two types of NAT programs embedded in router FW along with the uPnP program can and does have a bad configuration behavior on game consoles and PCs and with certain games being played.

History:
Full Cone NAT:
"A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address."
http://www.think-like-a-computer.com/20 ... es-of-nat/

Restricted Cone NAT (Dynamic NAT)
A restricted cone NAT works in the same way as a full cone NAT but applies additional restrictions based on an IP address. The internal client must first have sent packets to IP address (X) before it can receive packets from X. In terms of restrictions the only requirement is that packets come in on the mapped port and from an IP address that the internal client has sent packets to.
http://www.think-like-a-computer.com/20 ... es-of-nat/

Port Restricted Cone NAT (Dynamic NAT)
A port restricted cone NAT acts in exactly the same way as a restricted cone NAT but applies restrictions to ports also. Where a restricted cone NAT will accept connections from any source port a port restricted cone NAT restricts this further by only accepting connections from the IP address and port it sent the outbound request to.
http://www.think-like-a-computer.com/20 ... es-of-nat/

Symmetric NAT:
"A symmetric NAT applies restrictions exactly the same way as a port restricted cone NAT but handles the NAT translation differently. All types of NAT discussed so far don’t change the source port when NATing connections. For example when a client accesses the Internet using IP 192.168.0.1 and source port 56723 NAT changes the source IP to say 56.35.67.35 but keeps the port number the same; this is known as port preservation. A symmetric NAT NATs ports to new randomly generated ones. This even applies to connections from the same client to different destinations. It's said that Symmetric NAT is more secure."
http://www.think-like-a-computer.com/20 ... etric-nat/

Want to see what kind of NAT your router uses? Try this handy tool:
http://nattest.net.in.tum.de
To see what a Xbox 1 is seeing connected to a router, follow this on the console:
1. Go into Settings, Network Settings.
2. Click on ‘Test Multiplayer Connection’
3. After the connection runs, and before selecting the button to continue, simultaneously press both bumpers and both triggers on the controller, then release. A more detailed test will then run and the detailed NAT type description will be shown.
NOTE: This only gives a "cone" nat information when seen and doesn't fully display exact NAT kind information. Please run the NAT Test tool from a PC using the FF ESR browser at the link below to get more exact NAT kind being used on the router.
Suggested Browser: http://ftp.mozilla.org/pub/firefox/releases/52.4.1esr/
FireFox (ESR) x32 versions should work well, since some browsers are not supportive of Java. Don't use the x64 platform. Also ensure that Java x32 is loaded as well; don't use Java x64. This NAT test seems to not work at all on x64 browsers or Java x64. In order for the tool to work you also need to add the NAT test website URL address as an exception in the Security configuration panel of Java.
Example of NAT TEST tool:

NAT Test completed results:
STUN Results is what will give the exact NAT kind your router is using.

uPnP: "Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other's presence on the network and establish functional network services for data sharing, communications, and entertainment. UPnP is intended primarily for residential networks without enterprise-class devices."

Single game consoles mainly need the main gaming port for OPEN NAT conditions and gaming services, i.e. 3074 for MS XBox Live. Now, one first connected console/PC can only connect and occupy the one port at a time. Having two or more consoles/PCs can't occupy the 3074 port at the same time as it's already being connected to by the first console/PC. This is where uPnP comes into play. After the first console/PC connects to port 3074, then the next console/PC connects and requests to connect port 3074, uPnP comes in and says, ok, however that port is already being used, let's find you a virtual port to use and set this up for the 2nd device and any follow on connecting devices.
UPDATE:
MS mentioned that there are some improvements coming:
"Some under-the-hood UPnP improvements: We've been improving and optimizing the UPnP port mapping process, and this release contains some further enhancements to make the port mapping process even more resilient and streamlined."

Gaming Network Conditions:
Single NAT and Double NAT networking conditions for gaming configurations.

Single NAT is where either a modem/router device or a modem only and an external router, where either the modem/router or external router handles all routing and NAT traffic and is the main host router for all connected devices including game consoles and PCs. The ISP public IP address is translated from the ISP modem to the gaming device seamlessly. WAN to LAN. WAN side ISP public IP address ##.##.###.### to a LAN side IP address of 192.168.#.#. The WAN side ISP public IP address ##.##.###.### is correctly translated to game consoles/PCs by just the external router handling the NAT traffic.
This configuration is ideal and what works best for gaming configurations and should be configured as such and is the "golden" configuration for general home networking and gaming environments.

Double NAT is where we have a modem/router combo unit connected with another external Mfr router, i.e. D-Link, Asus, Netgear and so on. And the game consoles/PCs are connected to the external router. Both Modem/router and external router are handling NAT traffic at the same time, thus this is called a double NAT condition. This configuration is not recommended and is very problematic for gamers and applications which depend on having a single NAT condition. WAN side ISP public IP address ##.##.###.### to a LAN side IP address of modem/router to a LAN side IP address of 192.168.1.# on the modem router. This is where the public IP address translation stops. Then the LAN side IP address 192.168.1.### of the modem/router is going to the WAN side IP address of 192.168.0.### of the external router then game consoles and PCs are getting a LAN side IP address of 192.168.0.### from the external router. In this configuration, the translation of the public IP address does not get to this point. This is called a double NAT condition as the two routers are trying to handle NAT traffic, however when it gets to the external router, NAT's already been handled by the ISP modem/router and game consoles/PCs have a hard time getting the required ports opened.
This configuration is not recommended and causes problems in getting game consoles/PCs connected to gaming services and in game lobbies. This configuration should be avoided.

A workaround for double NAT is possible if the ISP modem/router supports either FULL modem bridging or the use of the DMZ feature on the modem/router.
http://www.practicallynetworked.com/net ... le_nat.htm
http://computer.howstuffworks.com/nat.htm
See also Modems and Routers FAQ


Tested Gaming Configurations. I found that with some routers the following simple router and console configuration has resulted in seeing OPEN NAT across two or more game consoles running the same game at the same time!
Defaults:
1. ISP modem stand alone only, no built in router in modem. Cable ISP tested. See linked list of modems to avoid using: app.php/badmodems
2. External router with just IP address reservations ON the router for game consoles or PCs. uPnP enabled, QoS enabled and configured. NO Port Forwarding enabled.
3. Game consoles or PCs LAN wired to the back of the router directly. Can use Gb switches if needed. Direct to router was tested. Wireless can be used however can also be problematic as well. I recommend starting and testing with LAN Cable first, CAT6 while testing and configuring the router, consoles and PCs.
4. For MS Xbox One consoles there is a known issue with a power management feature called Instant ON. This feature has been causing networking and connection problems since it came out. To fix this, disable Instant ON and set the XB1 power features to POWER Save on ALL game consoles. I don't know if Sony PS consoles have any features like this or if they are causing problems as well. Try either way for Sony consoles.
5. Hard Power OFF with all game consoles or reboot PCs fully to ensure IP addresses and uPnP port configurations are clean and ready to go. Start with all devices OFF after each device has an IP reservation set ON the router. Do not use Static IP addresses ON the devices. Hard powering OFF the consoles clears all network caches and ports set up on the consoles as there has been a known issue with game consoles not handling networking configurations correctly. Hard powering off helps with this.

6. Power on the first game console/PC. Do not power on all consoles/PCs at the same time. This must be done in sequence. Check networking dash board settings for IP address configurations and NAT status and that the console connected to the XBL gaming service with your account. Should be OPEN NAT. Load the same game. BO3 tested. Takes a bit. Navigate into the team death match first lobby where NAT status is displayed. Should be OPEN NAT. Leave this console at this screen for now and turn on the next game console/PC. Repeat step 6 for the 2nd and 3rd console/PC.
Update 8/31/2017: Started testing Activision's Infinite Warfare as well with the D-Link DGL-5500. :violence-uzi:

The above default configuration has been tested on the following routers with OPEN NAT being seen on ALL game console network dash board and in game NAT status for two and three game consoles (XB1) while all two and three consoles playing the same game at the same time, CoD Black OPS 3 which these routers below support or simulate supporting of FULL CONE NAT type:

Older Generation Routers: What I have tested.
Apple Airport Extreme (3rd Generation)

D-Link DIR-655 Rev A, B and Rev C*, DIR-825 Rev B, DIR-835, DIR-657,827 and 857, DGL-4500

NetGear WNR2000 v2

Older generation routers, at least ones I have and tested with above configuration, work well in allowing two or more game consoles with the same game being played to achieve OPEN NAT on the network dashboard of the console and in all same games being played at the same time. NetGear has one newer generation router that I have tested and found to support FULL CONE NAT which also works.


Using the above configuration, the following older and newer generation routers don't seem to support FULL CONE NAT and have Restricted Cone NAT (Dynamic NAT), Port Restricted Cone NAT (Dynamic NAT) or Symmetric NAT and getting OPEN NAT on two or more game consoles/PCs in game is very problematic and at most, MODERATE NAT is only seen in game on the second and follow-on consoles. Only OPEN NAT will be seen on the first game console/PC, dash board and in game, that is turned on first and the game loaded.

Older Generation Routers: What I have tested.
D-Link DIR-645 Address Restricted Cone NAT, DIR-836L Address Restricted Cone NAT.


Newer Generation Routers: What I have tested.
RT-AC66U It is reported that Port Address Restricted Nat is seen on this model router with OEM FW. http://nattest.net.in.tum.de/individua ... 91bc6ef32f
Merlin/JohnsFork Support ASUS Routers: https://www.snbforums.com/threads/asusw ... ters.7846/
Working to see if I can get FULL CONE NAT or OPEN NAT on both consoles...work in progress.
This model router doesn't include any advanced QoS or NAT Filter features so both OEM and Merlin FW don't seem to allow for any configurations to get FULL CONE NAT.

RT-AC88U It is reported that Port Address Restricted Nat is seen on this model router, however user has 3rd party MERLIN FW (v380.68) loaded and they report that the use of "GAME" mode within the FW enables FULL CONE NAT and OPEN NAT is seen in both same games while connected to this router.
Merlin Support ASUS Routers: https://www.snbforums.com/threads/asusw ... ters.7846/

ASUS RT-3100 Port Address Restricted Cone NAT and OEM FW. Fails to support OPEN NAT on 2nd xbox with BO3 and IW same game running with Moderate NAT seen on 2nd in game status. Will load Merlin 3rd party FW and test for NAT and game status.
UPDATE: I got Merlin v380.68 loaded on it and Vexira said to use the following configuration:
Game Mode selected. Adaptive QoS enabled and selected, Bandwidth set to Manual and input ISP speeds. 200/10 for mine. Queue Discipline set to FQ_Codel, WAN packet overhead selected for Cable Docsis and it put a value of 18 for my Cable modem service. uPnP enabled is all. No Port Forwarding/Triggering. OPEN NAT seen on both BO3 game consoles same time running. Looks like Merlin FW and this configuration works for ASUS routers that support Merlin FW. :dance: Also using the default Adaptive QoS and Game mode configuration also works so Vexira's configuration may not be needed.
NOTE: RMerlin had helped his FW by correcting multiple console NAT IPTables issue that was fixed in v380.66. So users will need to load this version of FW or later if you have two or more same game consoles on their ASUS routers.
ASUS model supported routers: https://www.snbforums.com/threads/asusw ... ters.7846/

ASUS GT-AC5300 Port Address Restricted Cone NAT, and RT-AC5300 (Biggshooter reported that Merlin loaded on his RT-AC5300 is "Restricted Cone NAT". However OPEN NAT is seen in two same game consoles.) (Merlin FW may have a solution for the RT-AC5300.) (Current 3rd party FW is not supported on the GT-AC5300 this includes Merlin as well.)
https://www.snbforums.com/threads/asusw ... 86u.49623/

D-Link DGL-5500 Port Address Restricted Cone NAT Fails with Moderate NAT on 2nd xbox with BO3 and IW same game running. 3rd party FW is supported on this model router: http://forums.dlink.com/index.php?topic=64561.0

D-Link DIR-868L Port Address Restricted Cone NAT with most recent version of FW, v1.12. However going back to v1.00 initial release FW, FULL CONE NAT can be achieved with changing the NAT Filter UI feature from Port and Address Restricted to Endpoint Independent. NOTE: The NAT Filter UI feature was removed from the FW, thus hard coding and limiting the router to Port Address Restricted NAT in recent versions of FW.
Looks like FW v1.02 supports FULL CONE NAT, however any FW versions after that are all Port Address Restricted NAT.

The DIR-868L Rev A supports 3rd party FW:
DD-WRT FW reports Port Restricted Cone NAT:
http://nattest.net.in.tum.de/individual ... b5cb70d360
Will see if NAT can be changed. Work in progress.
Update: 11/26/2017
After loading DD-WRT on my DIR-868L Rev A, testing default settings. 2nd same game running only gets Moderate NAT. Same goes with configuring Port Range Forwarding and adding new IPTables configuration via telnet:
https://serverfault.com/questions/85298 ... ction-type

I presume that if DD-WRT code and miniupnp packages could be modified like RMerlin did, this would help getting OPEN NAT on 2nd same game console when a D-Link DIR series model router uses DD-WRT since this is a working solution for Merlin FW on ASUS routers:
https://github.com/RMerl/asuswrt-merlin ... d0df5b921f
https://github.com/RMerl/asuswrt-merlin ... 48a1a6a126
https://www.snbforums.com/threads/upnp- ... 24/page-14
https://serverfault.com/questions/85298 ... ction-type

D-Link DIR-880L Port Address Restricted Cone NAT, DIR-890L and COVR-3902 Port Address Restricted Cone NAT. DIR-822, 878, 882 all have Symmetric NAT

Linksys WRT1900AC v1 Not tested yet for any Linksys Symmetric NAT supporting only routers at this time.

Linksys WRT32x Port Address Restricted Cone NAT http://nattest.net.in.tum.de/individual ... 3521e1fdbc
Fails with Moderate NAT on BOTH xbox consoles with BO3 and IW same game running. OPEN NAT seen on dash board Networking however.

Linksys WRT32xb To be tested when one becomes available.

NetDuma R1 Port Address Restricted Cone NAT, v1.03.6g (New NetDuma OS is being reported in development. Possible resolution when that comes out APR 2018 est.)

NetGear R7000 - LastKnight reports that his NetGear R7000 has Port Restricted Cone NAT and Fails to support OPEN NAT on 2nd xbox with BO3 same game running. NOTE: LastKnight mentions to me that he found the feature NAT FILTERING set to SECURE would not allow OPEN NAT on 2nd console, however after setting it to OPEN, he now gets OPEN NAT in same game on both consoles. Even with OPEN NAT Filtering selected, the NAT test tool reported Port Address Restricted Cone NAT.

Taken from help icon on router:
"This option determines how the router deals with inbound traffic. The Secured option provides a secured firewall to protect the PCs on LAN from attacks from the Internet, but it may cause some Internet games, point-to-point applications, or multimedia applications not to work. The Open option, on the other hand, provides a much less secured firewall, while it allows almost all Internet applications to work."

NetGear R7800 - Two XB1 consoles with BO3 at the same time. (Sm00thpapa also reported to me that 2 PS4's, 1 Xbox One,2 Xbox 360's and 1 PS3 gaming online some times at the same time with a R7800 works well.) This router has a NAT Filter UI Feature which it enables FULL CONE NAT. This model router also supports Port Address Restricted NAT if the NAT Filter feature is set for SECURE. When set to OPEN, the router reports FULL CONE NAT when tested.

NetGear XR450/XR500/XR700 NetDumaOS gaming routers.
The XR450/XR500 has same NAT Filter options as other NetGear routers, Secure and Open. :clap: This gives users and gamers the flexibility to control NAT types which help in two or more same game console configurations.
Secure NAT Filter:
Address Restricted NAT
http://nattest.net.in.tum.de/individual ... 69e46ba161

Open NAT Filter: FULL Cone NAT :dance:
http://nattest.net.in.tum.de/individual ... 691091adf6
This router will support Full Cone NAT and help in those multi game console households. :clap:

NetGear Orbi 40/50 Series WiFi Systems.
Port Address Restricted NAT if the NAT Filter feature is set for SECURE. When set to OPEN, the router reports FULL CONE NAT when tested. FW v2.1.3.x or beyond needed.

TP-Link Archer C5400X
Port Address Restricted NAT
http://nattest.net.in.tum.de/individual ... 24040e7575
This router is new and I'm still testing it out. I don't see any UI feature indication of the router supporting FULL CONE NAT. I'm still testing and fiddling with it. I'll see about making contact with TP-Link support and finding out about any chances for FULL CONE NAT. I presume there may not be. I'll update this when I get some more information.


:arrow: This list is dynamic and can change at any time. New additions will be added as users are encouraged and can let me know what to add after confirming NAT status with OPEN NAT across the board with the above testing criteria. Most routers tested are with OEM FW. Testing results from users testing 3rd party FW welcome.

Conclusions:
MS and Sony may have not fully tested two or more game console/PC and same or different game environments. Current marketing perspective may be thinking of one household, one game console. uPnP code handling between the consoles and games is problematic. Router Mfr use of Symmetric NAT type only inhibits good NAT handling for two or more game consoles/PCs, where FULL CONE NAT handles two or more game consoles/PCs playing the same game at the same time correctly. Also games may have specific problems in handling of NAT when being played on routers with Symmetric NAT as well which should be looked at for multiple game environments by game developers. There also could be a problem with Symmetric NAT in itself as well which should be looked at. Can Symmetric NAT handle two or more game consoles? Again, all these considerations are only seen when using two or more game consoles. A mix of consoles would also be a consideration as well, i.e. Xbox and Play station on the same router online at the same time.

Game Mfrs also have a role to play in this and from what I've seen, some games are not handling uPnP ports and NAT kinds correctly with two or more consoles running same game, which needs to be addressed by game Mfrs which use and give NAT status in their game. I'm seeing that recently that two consoles running the same game are achieving OPEN NAT on Port Address Restricted NAT routers on the consoles network settings with two consoles, however after loading the game, one game console reports OPEN NAT and the other console reports MODERATE NAT. This is with the new MS xbox one port address change feature that was released fully on Oct 17th when it hit my xbox one console. When using a FULL CONE NAT router with two same game running consoles, OPEN NAT is seen across the board and is not an issue.

From what I'm seeing with all router Mfrs, on some older and newer routers, if NAT Filtering UI is an option, i.e. older model routers, and you can set OPEN or Endpoint Independent in the OEM FW UI, this will change the NAT kind from Port Address Restricted NAT to FULL CONE NAT which will and should help attain OPEN NAT for two or more same game consoles. I have older D-Link routers and a newer NetGear R7800. These have NAT Filter features which seem to help. However going forward, for D-Link, they removed the NAT Filter feature in more recent versions of FW thus limiting the NAT kind to only Port Address Restricted. Newer generation routers don't even have NAT Filters features anymore and are now hard coded PAR or Symmetric NAT. From what I'm told, router Mfrs are wanting to go to and maintain PAR or Symmetric NAT kinds since they are more secure than FULL CONE NAT. I presume it would be up to router Mfrs to allow end users to switch between them which I see that NetGear OEM FW still seems to do. D-Link has removed this UI feature in all of their newer generation routers. So until IPv6 becomes more commonplace, users with two or more same game consoles should look into Mfr routers that support either FULL CONE NAT or have the flexibility with NAT FILTER UI Features that can configure the router for FULL CONE NAT when two or more same game consoles/PC are being used and connected. And again, all of this doesn't apply for single game console/PC users.

This issue has been on going for MS and Sony gamers for years now:
Links to D-Link, SmallNetBuilder, NetDuma, MS and Sony Forums. Any others.
http://forums.dlink.com/index.php?topic=65732.0
https://www.snbforums.com/threads/upnp- ... nat.35324/
https://community.playstation.com/conte ... -bM2X.html
https://www.bungie.net/en-us/Forums/Post/75409135
http://forum.netduma.com/topic/16898-mu ... -nat-type/
http://www.neogaf.com/forum/showpost.ph ... tcount=118

Additional Resources:
https://tools.ietf.org/html/draft-taked ... aversal-00
https://www.ipv6forum.com/ipv6_enabled/ ... content=US
https://miniupnp.tuxfamily.org/forum/vi ... php?t=1707
http://www.internetsociety.org/deploy36 ... over-ipv6/
https://github.com/kaklakariada/portmapper
http://support.xbox.com/en-AU/xbox-one/ ... r-solution
http://www.joewein.net/info/sw-iptables ... ne-nat.htm

8/8/2017 Interesting development from MS for XB1 game consoles:
https://www.reddit.com/r/xboxone/commen ... g_changes/ :think:
https://www.snbforums.com/threads/upnp- ... ost-340818

Update 9/5/2017:
https://www.reddit.com/r/xboxone/commen ... _settings/
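
The four NAT kinds defined under History in the post above, as an added example that is not part of the original post: a small Python model of each kind's mapping and filtering rules, a STUN-style test sequence of the kind described in RFC 3489 that tells them apart, and a check of which remote senders each kind lets through. All addresses, port numbers and function names are constructed for illustration, and the "random" symmetric port is a deterministic counter so the results are repeatable.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"                       # constructed WAN address
STUN_A, STUN_B = "198.51.100.1", "198.51.100.2"  # constructed test-server addresses
KINDS = ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric")


@dataclass
class Nat:
    kind: str
    mappings: dict = field(default_factory=dict)   # mapping key -> external port
    owner: dict = field(default_factory=dict)      # external port -> internal (ip, port)
    contacted: dict = field(default_factory=dict)  # external port -> remote endpoints sent to
    next_port: int = 40000                         # deterministic stand-in for a random port

    def _allocate(self, preferred):
        # Cone kinds keep the source port when it is free (port preservation);
        # symmetric always takes a fresh port, as does a cone NAT on a collision.
        if self.kind != "symmetric" and preferred not in self.owner:
            return preferred
        while self.next_port in self.owner:
            self.next_port += 1
        return self.next_port

    def outbound(self, src, dst):
        """Translate an outbound packet; return the public endpoint the remote sees."""
        # Symmetric NAT keys the mapping on source AND destination, cone NAT on source only.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.mappings:
            port = self._allocate(src[1])
            self.mappings[key] = port
            self.owner[port] = src
        port = self.mappings[key]
        self.contacted.setdefault(port, set()).add(dst)
        return (PUBLIC_IP, port)

    def inbound(self, remote, ext_port):
        """Return the internal endpoint a packet is forwarded to, or None if dropped."""
        if ext_port not in self.owner:
            return None
        sent_to = self.contacted[ext_port]
        if self.kind == "full_cone":
            allowed = True                                      # any external host
        elif self.kind == "restricted_cone":
            allowed = remote[0] in {ip for ip, _ in sent_to}    # IP must match
        else:
            allowed = remote in sent_to                         # IP and port must match
        return self.owner[ext_port] if allowed else None


def classify(nat, client=("192.168.0.20", 3074)):
    """STUN-style classification using a server with two IPs and two ports."""
    a1, a2 = (STUN_A, 3478), (STUN_A, 3479)
    b1, b2 = (STUN_B, 3478), (STUN_B, 3479)
    mapped = nat.outbound(client, a1)
    if nat.inbound(b2, mapped[1]) == client:      # reply from other IP and port arrives
        return "full_cone"
    if nat.outbound(client, b1) != mapped:        # mapping changes with destination
        return "symmetric"
    if nat.inbound(a2, mapped[1]) == client:      # reply from same IP, other port arrives
        return "restricted_cone"
    return "port_restricted_cone"


def exposure(kind, client=("192.168.0.20", 3074)):
    """Which remote senders reach the client after it has talked to one peer only."""
    nat = Nat(kind)
    peer = (STUN_A, 3074)
    _, port = nat.outbound(client, peer)
    senders = {"peer": peer, "peer_other_port": (STUN_A, 5000), "stranger": (STUN_B, 5000)}
    return {name: nat.inbound(ep, port) == client for name, ep in senders.items()}


def two_consoles(kind):
    """External ports given to two consoles that both use local port 3074."""
    nat = Nat(kind)
    server = (STUN_A, 3074)
    return [nat.outbound((ip, 3074), server)[1] for ip in ("192.168.0.20", "192.168.0.21")]


if __name__ == "__main__":
    for kind in KINDS:
        print(f"{kind:22} detected={classify(Nat(kind)):22} "
              f"exposure={exposure(kind)} ports={two_consoles(kind)}")
```

The `stranger` column is the security difference between the kinds: only the full cone model forwards a packet from a host the console never contacted, and the second console never gets external port 3074 in any of them.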

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Fri Sep 29, 2017 4:50 pm

Update 9/29/2017:
Wanted to update everyone. My roommate's xbox one received a system update day before yesterday. He noticed the dash board had some changes on it. Of course, not to his liking. I asked him to show me the networking section. Lo and behold under Advanced Networking is the Port feature. We only saw virtual ports listed here and not any 3074 ranged ports. I presumed my xbox was not going to see an update however I checked to be sure. Not updated. As soon as I get some time, I'll test to see if this new feature helps with Moderate NAT with some Port Address Restricted NAT kind routers that I have. Not sure if this feature needs to be on just one console or two or more. Will see. :think:

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Sun Oct 01, 2017 10:39 pm

Ok, ran a test today with a D-Link COVR-3902 router (Port Address Restricted NAT kind) with my xbox one that's not updated with the new Port feature and with my roommate's xbox one with the new Port feature. Turned mine on first and both dash board and in game BO3 was OPEN NAT.

Turned on the 2nd xbox one with the new feature and dash board was OPEN NAT however in game BO3 was Moderate NAT. I exited the game and set a manual Port to the next available port listed instead of Automatic. Saved settings and continued. Launched BO3 and NAT was still Moderate NAT on 2nd xbox. Will run the test again by hard powering OFF both consoles, rebooting the router then starting the 2nd xbox one first then mine. :roll:

I reversed the order this time. I turned on the roommate's XB1 with the Port feature and his was OPEN NAT across the board. I turned my XB1 on without the port feature and OPEN NAT was seen on dash board and Moderate NAT in game. :(

Seems that some Multi-Player games when two or more game consoles are running the same game need FULL CONE NAT routers to be able to achieve OPEN NAT across the board.

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Thu Oct 19, 2017 7:58 pm

Ok, MS seems to have made the new Port change feature in the XB1 OS available. I got a new system update on Oct 17th and I now have this feature. I was not in the preview program.

I tested CoD:IW NAT status with two consoles running same game on a Port Address Restricted NAT router with just using uPnP. One console reported OPEN NAT while the other reported MODERATE NAT.

I presume the port change feature is handling NAT issues on the MS System side of everything while in game NAT and processes are not being handled correctly by the game when using a Port Address Restricted or Symmetric NAT router. As the port change feature doesn't seem to do anything for the game being played on two or more game consoles at the same time.

Game Mfrs need to review and address this issue for two or more same game running consoles with Port Address Restricted or Symmetric NAT routers besides FULL CONE NAT routers which don't exhibit this problem.

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Sat Oct 21, 2017 11:12 pm

Updated main post with new Linksys WRT32x gaming router. CoD BO3 and IW tested. Not a good fit for two or more same game running consoles. :cry: Again, this may be more Game Mfr related than router Mfr since two game consoles gain OPEN NAT on the console dash board, however when running the same game on two or more consoles is when we see one console with OPEN NAT while the others will be MODERATE NAT. :(

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Sat Feb 03, 2018 12:38 am

Updated main post to include testing of NetGear's new XR500 router. This router has the NAT Filter feature seen on other NetGear routers. Default setting is Secure, Address Restricted NAT is the result. Once set to OPEN, Full Cone NAT is the result. This will be best for two or more same game running consoles behind this router.

I can confirm that two xbox one consoles playing same game (CoD WWII) get OPEN NAT on dashboard and in game on both consoles. As long as you set NAT FILTER feature option from Secure to OPEN on the router.

crawlgsx
Posts: 3
Joined: Sat Feb 10, 2018 2:00 am

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by crawlgsx » Wed Feb 28, 2018 6:33 pm

This thread is fantastic, can't thank you enough. Even with an IT background and having worked in IT for 20+ years now I did not have a full understanding of Full NAT before this. My wife and I often had issues gaming together and throughout the years I had researched it with no luck until this thread.

My wife and I can now happily game together (2 xbox One x's) with Full Open Cone using the XR500. The router has been rock solid for us and with only changing Secure NAT to OPEN we have had gaming bliss!

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Wed Feb 28, 2018 6:36 pm

Great to hear and glad the post is helpful. Just wanted something out there to help users and gamers understand what's really going on with NAT and gaming. It's important.

Enjoy the XR500. It's been a while since there was a great gaming router out there. :dance:

crawlgsx wrote:
Wed Feb 28, 2018 6:33 pm
This thread is fantastic, can't thank you enough. Even with an IT background and having worked in IT for 20+ years now I did not have a full understanding of Full NAT before this. My wife and I often had issues gaming together and throughout the years I had researched it with no luck until this thread.

My wife and I can now happily game together (2 xbox One x's) with Full Open Cone using the XR500. The router has been rock solid for us and with only changing Secure NAT to OPEN we have had gaming bliss!

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Sat Mar 03, 2018 6:51 pm


e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Mon Sep 10, 2018 4:49 pm

FYI: NAT Test Site Use...
Mozilla removed Java support in Firefox ESR 60 unfortunately. You will have to use IE 11 or Safari to use the NAT test site correctly or use Firefox ESR 52.9, last Java supported version. :shifty:

Kenshin9977
Posts: 3
Joined: Mon Sep 17, 2018 8:11 am

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by Kenshin9977 » Wed Sep 19, 2018 12:32 pm

In order for the tool to work you also need to add the website as an exception in the configuration panel of Java.Image

I just tested with the Netgear WNR3500Lv2 and you can enable Full Cone NAT by doing the following on the interface of the router: [Image]
Test results http://nattest.net.in.tum.de/individual ... f1ce8d3a39

Making it the cheapest router capable of Gigabit ethernet and Full cone NAT of the list, the cheapest being the Netgear WNR2000 but only allows 100 Megabit ethernet which could be an issue if you have more than a 100 Mbit internet connection.

That said, I was concerned about the security issues about using Full cone nat. I'm a security engineer and I can't manage to assess if the risk is really high for a private user. Do you know something about that?

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Wed Sep 19, 2018 6:57 pm

Thanks for posting your test results.

The setting for FULL CONE Nat for NetGear routers, was mentioned in the initial post about changing Nat Filter from Secure to Open already.
Thanks for confirming that it works on your model router.

I did update the information about adding the Nat test site URL to the security tab of Java. ;)

You can review the 3 sections under NAT History in the initial post and follow those links if you wish to see what security concerns are for using Full cone vs the others. I have not been able to ascertain the real reasons behind router Mfr migrating from using it to using the more secure NAT kinds. I presume there was either some flaws or some found abilities to use exploits thru routers with Full Cone Nat vs the other kinds. I presume that the more secure kinds are preventative measures.

The reason for this thread is for mostly gamers and with two or more game consoles/PC running same game at the same time and mostly with multi online games like CoD, BF and other first person shooter online games which, currently, seems to depend upon NAT status and port usage and getting OPEN NAT on the game console/PC and within the game itself. The handling of all of this is only needed in these environments with multi game PC and consoles/same game running at the same time. I do recommend that for gamers with only 1 game console/PC, to keep NAT Filter to Secure as this kind should work well for getting OPEN NAT for the single game console. Open Nat Filter is only really needed for two or more game consoles/PC all connected at the same time behind a single router.
Kenshin9977 wrote:
Wed Sep 19, 2018 12:32 pm
That said, I was concerned about the security issues about using Full cone nat. I'm a security engineer and I can't manage to assess if the risk is really high for a private user. Do you know something about that?

Kenshin9977
Posts: 3
Joined: Mon Sep 17, 2018 8:11 am

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by Kenshin9977 » Wed Sep 19, 2018 11:47 pm

Sorry if parts of my previous post were redundant, I may not have thoroughly re-read your whole post before answering :p
Yes I am way too familiar with the issue surrounding games and NAT types, especially for CoD since it's been 7 years I was looking for a solution.
Having the whole family playing a different CoD, though still using the same 3074 UDP and TCP port, some were bound to have a Strict NAT or even to be disconnected from a game when someone is playing and someone else just powers his Xbox 360.
So yeah, thank you for this thread otherwise I might still be looking.

I do understand that this only concerns people with several peripherals playing the same game at the same time, still I told myself it's no reason to disregard the security issues it may cause.
From the "history" section I did understand it allows inbound connections from any external host, but I don't really see the issue. Concretely, and with an example if you think of one, could you explain to me what could be possible for an external attacker to do to/on a computer (or any vulnerable peripheral) connected to a full cone nat router?

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Thu Sep 20, 2018 1:56 pm

I've been running Full Cone Nat for a while now. Have seen no issues with it. I have two consoles behind my router and though we don't play much CoD nowadays, it's still nice to have the ability. Seen no problems from anyone from the outside trying to get in or do bad things. Once the 2nd console leaves, I'll probably switch back to a more secure NAT since I'll be the only one gaming at that point in time. :mrgreen:

I don't have any concrete ideas of what malicious users could do if they were to attempt to exploit full cone vs PAR or Symmetric NAT. Maybe try to place malware on the PC or device, could be anything. For the most part if you don't see anything out of the norm on your network or PC behaving oddly, then I presume you're OK to run FC Nat. Keep an eye on things if you're concerned about it. We're hoping that once IPv6 becomes the norm, then NAT will be a thing of history. May bring a new set of problems there though, but who knows. :roll:

I know as far as some router Mfrs they took away users' abilities to configure NAT kinds, D-Link is one of them. They used to have an option like NG has. Maybe they were more concerned about security on their products. So which is one reason why I don't recommend D-Link for multi gaming environments. Though their routers are good for all other uses or great for single gamer environments. Linksys doesn't offer any NAT options either the last time I worked with one of their routers. I haven't been back since. ASUS routers don't have the ability on stock FW, to get that you have to load up Merlin's 3rd party FW. So far NG/ASUS seems to be the best for multi gaming environments, for now.

Kenshin9977
Posts: 3
Joined: Mon Sep 17, 2018 8:11 am

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by Kenshin9977 » Mon Sep 24, 2018 12:17 am

Me again.
I wanted to try the tool in order to see what NAT my 4G modem-router is capable of.
Well the test just runs for hours and never ends.
Since I managed to make it work for another router IMO the tool just doesn't support 4G Box.

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Mon Sep 24, 2018 3:42 pm

Something to ask the Developer of the tool to see if there is any more information. Possible that cell service routers are not supported since their routing and NAT may be different compared to cable or DSL ISP services.
Kenshin9977 wrote:
Mon Sep 24, 2018 12:17 am
Me again.
I wanted to try the tool in order to see what NAT my 4G modem-router is capable of.
Well the test just runs for hours and never ends.
Since I managed to make it work for another router IMO the tool just doesn't support 4G Box.

RamGuy
Posts: 8
Joined: Sun Oct 28, 2018 4:58 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by RamGuy » Sun Oct 28, 2018 5:07 pm

Great thread. Does anyone know if there is any x86 software that does provide you with the option of Full Cone NAT? I'm currently using pfSense and as much as I adore pfSense you are stuck with symmetric NAT no matter what you do.

I can create manual outbound NAT rules with static ports but I'm still not able to get this to fully work. Having UPNP enabled and having static outbound NAT rules and I'm still getting this;

PS C:\WINDOWS\system32> netsh interface Teredo show state
Teredo Parameters
---------------------------------------------
Type : natawareclient
Server Name : win1807.ipv6.microsoft.com.
Client Refresh Interval : 20 seconds
Client Port : 60210
State : qualified
Client Type : teredo client
Network : unmanaged
NAT : restricted (port)
NAT Special Behaviour : UPNP: Yes, PortPreserving: Yes
Local Mapping : *MY PRIVATE IP*:60210
External NAT Mapping : *MY PUBLIC IP*:60210


If I remove the outbound NAT rules it will use a random local port and instead of restricted (port) it will be symmetric NAT that's being reported.

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Mon Oct 29, 2018 3:24 pm

When you do any Port Configurations manually, uPnP should be disabled. Though not sure if this will work fully for your needs.

Any kind of NAT is handled by the FW embedded into the HW. If pfSense doesn't allow for changing of NAT kinds or NAT Filters like NetGear does, then you may be limited by this Mfr. D-Link used to allow changing of their NATs on their older routers. Then they stopped so it's only PAR on their newer stuff. NetGear is one that does. ASUS doesn't, however using Merlin's 3rd party FW, he's implemented both kinds of NAT in his FW.
RamGuy wrote:
Sun Oct 28, 2018 5:07 pm
Great thread. Does anyone know if there is any x86 software that does provide you with the option of Full Cone NAT? I'm currently using pfSense and as much as I adore pfSense you are stuck with symmetric NAT no matter what you do.

I can create manual outbound NAT rules with static ports but I'm still not able to get this to fully work. Having UPNP enabled and having static outbound NAT rules and I'm still getting this;

PS C:\WINDOWS\system32> netsh interface Teredo show state
Teredo Parameters
---------------------------------------------
Type : natawareclient
Server Name : win1807.ipv6.microsoft.com.
Client Refresh Interval : 20 seconds
Client Port : 60210
State : qualified
Client Type : teredo client
Network : unmanaged
NAT : restricted (port)
NAT Special Behaviour : UPNP: Yes, PortPreserving: Yes
Local Mapping : *MY PRIVATE IP*:60210
External NAT Mapping : *MY PUBLIC IP*:60210


If I remove the outbound NAT rules it will use a random local port and instead of restricted (port) it will be symmetric NAT that's being reported.

RamGuy
Posts: 8
Joined: Sun Oct 28, 2018 4:58 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by RamGuy » Mon Oct 29, 2018 8:13 pm

There doesn't seem to be any way to get pfSense to not do symmetric or port restricted NAT. When applying static outbound rules it just goes from being symmetric NAT into becoming port restricted NAT. Only way around it is to use 1:1 NAT mapping but as this is a home solution I don't have access to multiple public IP-addresses so it's impossible to do 1:1 mappings.

I also have Google WiFi, Asus RT-AC68U and Asus RT-AC5300 laying around so I decided to test with them and none of them seems to be doing Full Cone NAT. The Google WiFi is really inconsistent, with UPNP enabled it seems like it's normally resulting in port restricted NAT but sometimes it's actually reported as being CONE.

Both the Asus RT-AC68U and AC5300 are giving the same results. With default configuration they are both symmetric NAT but upon activating Game Mode under QoS and disabling Spanning-Tree-Protocol it's switching to port restricted NAT. This is with the latest Asus Merlin 384.7_2 firmware on both.

Asus Merlin himself lists Full-Cone-NAT support only for the RT-AC86U so it might seem like something has happened in the codebase after 384.x that has changed how NAT behaves so it's no longer possible to get Full Cone NAT unless you have the RT-AC86U where you supposedly are able to pick it manually in the settings.


I will try to get hold of the Netgear XR500 to do some more testing. This is a really sad situation to be in as these NAT issues are impossible to solve in most scenarios and it creates some really frustrating situations.

Especially when you start having multiple gaming consoles, desktop PCs used for gaming etc. you are bound to run into issues. It's not like you will only see these issues if you have multiple clients trying to use the same ports as many of the services seem to rely heavily on the use of UPNP and it seems like UPNP combined with stricter NAT Filtering just throws you for a loop as the consoles trigger UPNP to open the NAT only for it to not fully work because the symmetric NAT / port restricted NAT will drop incoming packets that are not sent by the same IP as your console was reaching. As these gaming services have packets flowing from various sources the UPNP is just making it so that you believe it should be working as you have the NAT mapping in place but the incoming traffic is still being dropped because not all incoming traffic will come from the IP allowed by the symmetric NAT / port restricted NAT.


Those who do not have a Java NAPI capable browser in order to use the tool described in the first post can easily test this on Windows 10 by using the Settings -- Gaming -- Xbox Networking. Start the NAT test while also having a PowerShell with the following command; netsh interface Teredo show state

It will list your computer's local and external NAT mapping for the teredo service on your computer which is the very same service used on the Xbox One for inbound connections. Here you will see if it's using UPNP, if it has PortPreserving, and it will tell what kind of NAT Type that is currently being recognized. It's really handy while testing.
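
The filtering behaviour described in this post, and the exposure question raised earlier in the thread, as a small model. This is an added example, not part of any post: the addresses, the port-allocation rule and all names are constructed for illustration. It shows which remote endpoints can reach a console's mapped port under each NAT kind.

```python
"""Toy model of the four NAT behaviours discussed in this thread (added example)."""

FULL_CONE = "full cone"
RESTRICTED = "restricted cone"
PORT_RESTRICTED = "port restricted cone"
SYMMETRIC = "symmetric"

# Constructed sample endpoints (documentation address ranges).
CONSOLE = ("192.168.1.10", 3074)
MATCHMAKER = ("198.51.100.5", 3074)             # contacted by the console
MATCHMAKER_OTHER_PORT = ("198.51.100.5", 9000)  # same IP, different source port
GAME_PEER = ("198.51.100.77", 3074)             # never contacted by the console
UNRELATED_HOST = ("192.0.2.200", 5555)          # never contacted by the console


class Nat:
    def __init__(self, kind, public_ip="203.0.113.1"):
        self.kind = kind
        self.public_ip = public_ip
        self.mappings = {}  # mapping key -> external port
        self.owner = {}     # external port -> internal (ip, port)
        self.peers = {}     # external port -> remote endpoints contacted through it
        self._next_port = 40000

    def _allocate(self, preferred):
        # Assumption: port-preserving when possible, otherwise the next free port.
        port = preferred
        while port in self.owner:
            port = self._next_port
            self._next_port += 1
        return port

    def outbound(self, src, dst):
        """Translate an outgoing packet and return the external (ip, port) used."""
        # Cone NATs reuse one mapping per internal endpoint; a symmetric NAT
        # creates a separate mapping for every destination.
        key = (src, dst) if self.kind == SYMMETRIC else src
        if key not in self.mappings:
            port = self._allocate(src[1])
            self.mappings[key] = port
            self.owner[port] = src
            self.peers[port] = set()
        port = self.mappings[key]
        self.peers[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, ext_port):
        """Return the internal endpoint the packet is delivered to, or None if dropped."""
        if ext_port not in self.owner:
            return None
        contacted = self.peers[ext_port]
        if self.kind == FULL_CONE:
            allowed = True                                      # any remote host
        elif self.kind == RESTRICTED:
            allowed = remote[0] in {ip for ip, _ in contacted}  # IP must match
        else:
            allowed = remote in contacted                       # IP and port must match
        return self.owner[ext_port] if allowed else None


def reachable_from(kind):
    """Console talks to the matchmaker once; report who can then reach the console."""
    nat = Nat(kind)
    _, ext_port = nat.outbound(CONSOLE, MATCHMAKER)
    remotes = {
        "matchmaker": MATCHMAKER,
        "matchmaker_other_port": MATCHMAKER_OTHER_PORT,
        "game_peer": GAME_PEER,
        "unrelated_host": UNRELATED_HOST,
    }
    return {name: nat.inbound(r, ext_port) == CONSOLE for name, r in remotes.items()}


def external_ports(kind):
    """External ports used when the console contacts two different destinations."""
    nat = Nat(kind)
    return [nat.outbound(CONSOLE, dst)[1] for dst in (MATCHMAKER, GAME_PEER)]


if __name__ == "__main__":
    for kind in (FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(f"{kind:22} ports={external_ports(kind)} reach={reachable_from(kind)}")
```

Under full cone the unrelated host reaches the console's mapped port for as long as the mapping lives, so the exposure is whatever service listens on that one port; the other three kinds tie inbound delivery to endpoints the console contacted first.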

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Tue Oct 30, 2018 1:58 pm

Ya, NAT is something hard coded into FW so whatever the Mfr does there, it's hard to change.

When you were testing the Asus router, you had them in place of the pfSense device? Meaning you removed it while using the other routers?

The 5300 should do FULL CONE NAT if you had Merlin loaded on it and I believe configured GAME mode. I know I was able to get FULL CONE NAT on the one I demo'd back then. A friend of mine has the 5300 and has Merlin loaded, though I don't know what version of FW.
You might try going back to v380.68 of his FW as a test.
You might ask Merlin about FULL CONE NAT on the 5300 to see if there's a problem in newer FW. Could be that ASUS closed this down or made his change incompatible for the 5300. :think:

The XR routers can do FULL CONE NAT when you change the NAT Filter from Secure to OPEN. I see this on my XR450 and all NG routers have this NAT Filter feature. I wish other router mfrs would allow this. However I presume they're more worried about security and want their router more secure than before. :shifty: All the problems in router vulnerabilities have probably led to this. :doh:
RamGuy wrote:
Mon Oct 29, 2018 8:13 pm
There doesn't seem to be any way to get pfSense to not do symmetric or port restricted NAT. When applying static outbound rules it just goes from being symmetric NAT into becoming port restricted NAT. Only way around it is to use 1:1 NAT mapping but as this is a home solution I don't have access to multiple public IP-addresses so it's impossible to do 1:1 mappings.

I also have Google WiFi, Asus RT-AC68U and Asus RT-AC5300 laying around so I decided to test with them and none of them seems to be doing Full Cone NAT. The Google WiFi is really inconsistent, with UPNP enabled it seems like it's normally resulting in port restricted NAT but sometimes it's actually reported as being CONE.

Both the Asus RT-AC68U and AC5300 are giving the same results. With default configuration they are both symmetric NAT but upon activating Game Mode under QoS and disabling Spanning-Tree-Protocol it's switching to port restricted NAT. This is with the latest Asus Merlin 384.7_2 firmware on both.

Asus Merlin himself lists Full-Cone-NAT support only for the RT-AC86U so it might seem like something has happened in the codebase after 384.x that has changed how NAT behaves so it's no longer possible to get Full Cone NAT unless you have the RT-AC86U where you supposedly are able to pick it manually in the settings.


I will try to get hold of the Netgear XR500 to do some more testing. This is a really sad situation to be in as these NAT issues are impossible to solve in most scenarios and it creates some really frustrating situations.

Especially when you start having multiple gaming consoles, desktop PCs used for gaming etc. you are bound to run into issues. It's not like you will only see these issues if you have multiple clients trying to use the same ports as many of the services seem to rely heavily on the use of UPNP and it seems like UPNP combined with stricter NAT Filtering just throws you for a loop as the consoles trigger UPNP to open the NAT only for it to not fully work because the symmetric NAT / port restricted NAT will drop incoming packets that are not sent by the same IP as your console was reaching. As these gaming services have packets flowing from various sources the UPNP is just making it so that you believe it should be working as you have the NAT mapping in place but the incoming traffic is still being dropped because not all incoming traffic will come from the IP allowed by the symmetric NAT / port restricted NAT.


Those who do not have a Java NAPI capable browser in order to use the tool described in the first post can easily test this on Windows 10 by using the Settings -- Gaming -- Xbox Networking. Start the NAT test while also having a PowerShell with the following command; netsh interface Teredo show state

It will list your computer's local and external NAT mapping for the teredo service on your computer which is the very same service used on the Xbox One for inbound connections. Here you will see if it's using UPNP, if it has PortPreserving, and it will tell what kind of NAT Type that is currently being recognized. It's really handy while testing.

RamGuy
Posts: 8
Joined: Sun Oct 28, 2018 4:58 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by RamGuy » Tue Oct 30, 2018 7:20 pm

I suppose it was something with the codebase after the SDK update with the 384.x release branch or something. It's hard to say. Asus doesn't have any official documentation on this either so it's a rather fishy solution to go for as there are no guarantees for it to be working and for how long.

I much prefer to go with the Netgear XR500 with official support for enabling Full Cone Nat compared to relying on hardware that doesn't have this documented or officially supported. Merlin lists only the RT-AC86U with Full Cone NAT support and I guess it's for a reason and even on that device it seems like something he had to do himself so it's not like the device is supporting it by default.

I have always preferred Asus out of all the home routers due to Asus Merlin firmware so it feels strange to test out the Netgear XR500 but it seems to be the overall best choice if I want to ensure I get Full Cone Nat for gaming.

Preferably I would not want to run any of these weaker and insecure devices. I prefer to run my own server with pfSense (pfSense is a fully open source x86 and x86-64 software based on BSD that can be installed on server hardware or in a virtual environment), I also have a Palo Alto PA-220 Enterprise Firewall which also is great but as almost all enterprise solutions it lacks support for UPNP and offers only symmetric NAT. pfSense does offer UPNP but sadly it's only capable of doing either symmetric NAT or port restricted NAT.

I will need to have an enterprise solution in order to have site-to-site IPsec tunnel for work, but I suppose I will run my Palo Alto PA-220 behind the Netgear XR500 and just do manual IP routing so traffic towards my office will go through the PA-220 and use its tunnel for the site-to-site traffic while all the other traffic is going straight through the Netgear.


My testing was done with the Asus RT-AC68U, RT-AC5300 and Google WiFi connected directly to my GPON Fiber Huawei HG8245 running in bridge mode so they all had the public IP fed directly to the WAN port.

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Tue Oct 30, 2018 7:59 pm

Yes Asus default stock FW does not support Full Cone NAT and yes, Merlin added I believe some FW coding for support of FULL CONE NAT on his FW.

Well, for full cone nat, it's only needed for two or more game consoles on same network playing same game and mostly having to do with any multiplayer or CoD games. If you're a single console or PC gaming household, FULL CONE isn't needed...

I might get in touch with Merlin and ask him about the 5300... :think:
Where did you see this information about the 5300 not supporting FULL CONE NAT? Was it on SNB?
RamGuy wrote:
Tue Oct 30, 2018 7:20 pm
I suppose it was something with the codebase after the SDK update with the 384.x release branch or something. It's hard to say. Asus doesn't have any official documentation on this either so it's a rather fishy solution to go for as there are no guarantees for it to be working and for how long.

I much prefer to go with the Netgear XR500 with official support for enabling Full Cone Nat compared to relying on hardware that doesn't have this documented or officially supported. Merlin lists only the RT-AC86U with Full Cone NAT support and I guess it's for a reason and even on that device it seems like something he had to do himself so it's not like the device is supporting it by default.

I have always preferred Asus out of all the home routers due to Asus Merlin firmware so it feels strange to test out the Netgear XR500 but it seems to be the overall best choice if I want to ensure I get Full Cone Nat for gaming.

Preferably I would not want to run any of these weaker and insecure devices. I prefer to run my own server with pfSense (pfSense is a fully open source x86 and x86-64 software based on BSD that can be installed on server hardware or in a virtual environment), I also have a Palo Alto PA-220 Enterprise Firewall which also is great but as almost all enterprise solutions it lacks support for UPNP and offers only symmetric NAT. pfSense does offer UPNP but sadly it's only capable of doing either symmetric NAT or port restricted NAT.

I will need to have an enterprise solution in order to have site-to-site IPsec tunnel for work, but I suppose I will run my Palo Alto PA-220 behind the Netgear XR500 and just do manual IP routing so traffic towards my office will go through the PA-220 and use its tunnel for the site-to-site traffic while all the other traffic is going straight through the Netgear.


My testing was done with the Asus RT-AC68U, RT-AC5300 and Google WiFi connected directly to my GPON Fiber Huawei HG8245 running in bridge mode so they all had the public IP fed directly to the WAN port.

RamGuy
Posts: 8
Joined: Sun Oct 28, 2018 4:58 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by RamGuy » Tue Oct 30, 2018 8:23 pm

It's not only game consoles that seems to enjoy Full Cone NAT, same goes for Xbox Networking on Windows 10 when playing games through the Windows Store and Call of Duty is perhaps the worst game in existence as they rely on 3074 for every single game no matter platform so it's impossible to get it to work if you have two or more systems playing the game from the same network without having UPNP with Full Cone NAT support.

I have three gaming PC's on my network all trying to play Black Ops 4 at the same time and it's a real shitshow to say the least. It's impossible to ensure Open NAT for everyone and what's even worse is that when I do a manual port forward to one system and a static outbound NAT so at least one system gets Open NAT the other two can't even start the game for some reason. Then they'll start to get "negative 345 sky wolf" error when starting the game as their systems are suddenly to capable of doing the outbound connections towards the servers as its being occupied by the system with Open NAT.... It's like the game is trying to do outbound traffic on port 3074, oh someone else is already using it? Well I (the game) give up...

It seems like the only way to get it to work is by only using UPNP and not do any manual NAT either inbound or outbound as that's the only official way in order to get the game to connect using randomised ports. But of course this won't work unless you have Full Cone NAT as systems with symmetric or port restricted NAT will drop incoming connections coming from other IP-addresses than the one initiated by the client on your network.


So as I have Xbox One X, PlayStation 4 Pro, Nintendo Wii:U, Nintendo Switch and three Windows 10 gaming systems running and battling for connections and Open NAT it might seem like going UPNP with Full Cone NAT is the only feasible way to get this to work. At least when my ISP doesn't offer IPv6 so I can't really avoid NAT. In a perfect world I would just have IPv6 and every game company would fully support IPv6 and we wouldn't have to deal with this at all. But the world is far from perfect.


Asus Merlin has his own list of features for his firmware where he lists;

Asuswrt-Merlin most of the features from the original stock Asus firmware. In addition, the following features have been added or enhanced:

System:
Various bugfixes
Performance optimizations to some CPU-bound components like OpenVPN
Some components were updated to their latest versions, for improved stability and security
User scripts that run on specific events such as firewall restart
Cron jobs for scheduled tasks
Customizable config files for router services
Third party software through Entware, with an easy setup script
SNMP support
Nano text editor (for more user-friendly script edition)


Disk sharing:
Optionally use shorter share names (folder name only)
Disk spindown after user-configurable inactivity timeout
NFS exporting of USB drives
Allow or disable WAN access to the FTP server
Updated Samba version (3.6), with SMB2.0 support
TLS support for the FTP server


Networking:
Act as a SMB Master Browser
Act as a WINS server
SSHD support for key-based authentication
Allows tweaking TCP/UDP connection tracking timeouts
CIFS client support (for mounting remote SMB share on the router)
User-defined options for WAN DHCP requests (required by some ISPs)
Advanced OpenVPN client and server, based on code originally written by Keith Moyer for Tomato and reused with his permission.
Support for new OpenVPN 2.4 features like NCP and LZ4
Netfilter ipset module, for efficient blacklist implementation
Wireless site survey page
DNS-based Filtering, enforcing a specific DNS server, can be applied globally or per client
Custom DDNS (through a user script)
TOR support, individual client access control
Policy-based routing for OpenVPN clients (based on source or destination IPs), sometimes referred to as "selective routing", or "split tunneling")
DNSSEC support
fq_codel queue discipline for QoS (ARM-based models only)
Full cone NAT support (RT-AC86U only)
Detailed wireless troubleshooting information (RT-AC86U only)
IPSEC server on additional models
Modern DDNS client (In-a-Dyn), with https support

Web interface:
Performance improvements
Optionally save traffic stats to disk (USB or JFFS partition)
Enhanced traffic monitoring: adding graphical charts, and traffic monitoring per client IP
Hostname field on the DHCP reservation list and Wireless ACL list
System info summary page
Wifi icon reports the state of both radios
Display the Ethernet port states
Wireless site survey
Advanced Wireless client list display, including automated refresh
Redesigned layout of the various System Log sections
Editable entries (on some pages)
User-provided SSL certificate


Some features first debuted in Asuswrt-Merlin have since been integrated/enabled in the official firmware:

HTTPS configuration interface
Persistent JFFS partition
LED control - put your router in Stealth Mode by turning off all LEDs
Turning WPS button into a radio on/off toggle
Clicking on the MAC address of an unidentified client will do a lookup in the OUI database.
WakeOnLan web interface (with pre-configured targets)
Display active/tracked network connections
VPN Status page
DualWAN and Repeater mode (while it was still under development by Asus)
Basic OpenVPN (client and server) support
Configurable IPv6 firewall
Improved compatibility with 3TB+ and Advanced Format HDDs
SSH access

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Tue Oct 30, 2018 9:32 pm

Ya we know, you need uPnP and FULL CONE NAT for two or more consoles or PCs. Been talk about that game Mfrs need to find other ways of handling this. They have been one track minded since the beginning. So some of this is on their part. I think they're still somewhat oblivious or careless about it. Even with BO4, still needs FULL CONE NAT for OPEN NAT in game on our two consoles. And of course the router I'm currently using, NG broke the NAT FILTER OPEN Feature thus it doesn't work at all. I'm currently beta testing for them so this seems to be ongoing for now. Glad the XR450 works.

All this of course would probably go away once IPv6 is the norm and no NAT is needed. Will see. For now, we have to deal as best as we can.

I asked Merlin, he says he's never supported full cone NAT on the 5300. I may have forgotten. I had demo'd the RT-3100 back then. Which after his change on v380.66, did work for FULL CONE NAT. I remembered that the one RT-5300 I got from Amazon, was a bum unit and did not work at all out of the box. I can't remember if I tried another or not. I don't think I did. However my buddy who had one said he got OPEN NAT on his after loading Merlin FW so I think v380.66 and afterwards I think it was working. I'm having my buddy find out what version of FW is on his. He's been testing other routers and now has the XR500 as well.

Well, seems like you need some router configurations to keep your gaming stuff going while having some business stuff protected too. Maybe set up the XR router as your main router, then connect the pfSense appliance behind the XR router and put the pfSense in the DMZ of the XR router since you wouldn't need the XR firewall or routing features, use the DMZ and let the pfSense handle your firewall needs for your business side of the network. In effect you would have two LANs. Connect all gaming devices to the XR router, and everything else to the firewall device. A suggestion is all. :doh:

RamGuy
Posts: 8
Joined: Sun Oct 28, 2018 4:58 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by RamGuy » Wed Oct 31, 2018 1:58 pm

I made a post over at smallnetbuilders and it seems like Full Cone NAT is available in the kernel of newest Asus devices. It's not there by default, so you have to use Merlin firmware to get access to the option but looks like Asus is aiming for having Full Cone NAT in the future.

I'll drop the Netgear XR500 and just go with the Asus RT-AC86U instead as I prefer to have access to Merlin's firmware and know the AsusWRT webui already.

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Wed Oct 31, 2018 3:49 pm

Sounds good, seems that Full Cone is still being supported. Merlin said that his changes I was thinking of were miniupnpd stuff to help with getting OPEN NAT. I like the XR however I think it's fallen into getting bad FW as of late. Seeing a lot of users posting about it on NG and Duma forums. :roll:

Good Luck.
RamGuy wrote:
Wed Oct 31, 2018 1:58 pm
I made a post over at smallnetbuilders and it seems like Full Cone NAT is available in the kernel of newest Asus devices. It's not there by default, so you have to use Merlin firmware to get access to the option but looks like Asus is aiming for having Full Cone NAT in the future.

I'll drop the Netgear XR500 and just go with the Asus RT-AC86U instead as I prefer to have access to Merlin's firmware and know the AsusWRT webui already.

RamGuy
Posts: 8
Joined: Sun Oct 28, 2018 4:58 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by RamGuy » Fri Nov 02, 2018 7:30 pm

I tried the R7800, X500 and RT-AC86U and so far I have to say that both of the Netgears feel really limited. No local DNS support, like really? You can't even point to a separate dedicated DNS server as the DHCP server won't let you specify DNS? Horrible...

I ended up with keeping the Asus RT-AC86U and might be replacing it with the RT-AX88U if Merlin is able to confirm Full Cone NAT support for it within my 60 day return period. Will do some testing over the weekend to see if Full Cone NAT might be just what I need to get Open NAT on all consoles and clients.

e38BimmerFN
Posts: 114
Joined: Sun Jul 23, 2017 7:15 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by e38BimmerFN » Fri Nov 02, 2018 9:10 pm

I'm able to set custom DNS on my NG routers. ALL of them. I'm currently using 1.1.1.1 and 9.9.9.9.
I know that for NG and Linksys, DNS Relay or Proxy is always enabled thus even if you set a different DNS, clients only see the router's IP for DNS. :roll: One thing I like about D-Link routers, you can disable DNS Relay. :mrgreen:

RamGuy
Posts: 8
Joined: Sun Oct 28, 2018 4:58 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by RamGuy » Fri Nov 02, 2018 9:38 pm

I think you are misunderstanding me. You are able to set custom EXTERNAL DNS servers, you cannot set custom INTERNAL DNS servers. I'm basing all my local configuration on hostnames, so I need local hostname resolution and that is completely impossible with both the Netgear R7800 and XR500. It's rather awkward as the Netgear firmware is based on the same Linux daemons as most other routers so it should be capable but clearly not.

RamGuy
Posts: 8
Joined: Sun Oct 28, 2018 4:58 pm

Re: Gaming with Full Cone vs Symmetric NAT Routers

Post by RamGuy » Sun Nov 04, 2018 9:34 am

Got the RT-AC86U configured today and UPNP + Full Cone NAT and finally I have Open NAT on all Windows 10 clients, in CoD: Black Ops 4 on all clients while playing the game at the same time and on all the consoles!
