Hello,
I've been a network engineer for over 20 years. I've designed and configured networks that cost several millions of dollars. I've configured Cisco blade switches, routers, PIX firewalls, ASA devices, set up networks that run voice on different VLANs with dozens of remote sites, I've set up tunnels of all different types ... yet I can't seem to get OpenWRT to give Call of Duty an OPEN NAT Type, and I'm hoping someone in here will have more knowledge than I do about this issue and can hopefully help me get this problem solved.
I'm running a stock release of OpenWRT (19.07.2) on a Netgear R7800. My XBox One X is connected via Ethernet (I don't run it on WiFi), and just to make sure the problem was not with my service provider, I connected the XBox directly to the cable modem and verified that COD Modern Warfare received an OPEN NAT Type and indeed it did.
Of course in the Xbox settings screen it says that its NAT Type is OPEN, but that's because the console's connection to Xbox Live happens over the single-port UDP tunnel that the Xbox manages via UPnP. Why Call of Duty doesn't follow the same design spec is beyond me. Self-managed UDP tunnels would make this headache go away for the majority of their customers.
The dozens of discussions I've read on this issue all basically say the same thing: just forward the right ports and everything works ... except that's not the case for me. Forwarding ports is one of the most basic things you can do with a firewall ... it's not rocket science.
This is the last discussion I read on the topic (my nat type is always moderate), and of course, I tried what worked for the OP but it did not work for me: OpenWrt + Xbox Live always a moderate NAT
Here is my /etc/config/firewall file. Perhaps a second opinion from someone who understands OpenWRT better than I do will spot what's wrong with it (/etc/firewall.user is empty; it contains only comment lines):
# Zone defaults: input/output open, forwarding between zones denied unless a
# 'config forwarding' section or an explicit rule/redirect allows it.
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option drop_invalid '1'
# lan zone: everything accepted, including lan->lan forwarding.
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
# wan zone: unsolicited inbound traffic is rejected; masq '1' is the
# lan->wan NAT, so anything from the Internet reaches the lan only through
# the redirects/rules below (or UPnP mappings from miniupnpd).
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
# The rules from here to Allow-ISAKMP are the stock OpenWrt defaults.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config include
option path '/etc/firewall.user'
# Note: this is a lan->lan forward rule. The lan zone already has
# 'option forward ACCEPT', so it is redundant, and 'src_port 22' additionally
# restricts it to connections that originate *from* port 22.
config rule
option src_port '22'
option src 'lan'
option name 'Allow SSH'
option dest 'lan'
option target 'ACCEPT'
option dest_port '22'
# miniupnpd hook: the script inserts jumps to the MINIUPNPD chains into the
# external zone's forward/prerouting/postrouting chains.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
# NOTE(review): every COD-* redirect below sets 'src_port'. In fw3 a redirect's
# src_port matches the *source* port of the incoming packet, not its
# destination; remote game peers use ephemeral source ports, so a rule with
# src_port 'N' only matches traffic that happens to originate from port N.
# These forwards are already selected by src_dport/dest_port — drop the
# src_port lines.
# No 'proto' here, so fw3 applies this redirect to both tcp and udp. Exposing
# 53 (and 80 below) to the Internet is only useful if the console actually
# listens there; otherwise the forward is unnecessary surface.
config redirect
option target 'DNAT'
option name 'COD-53'
option src 'wan'
option src_dport '53'
option dest 'lan'
option dest_ip '10.10.10.99'
option src_port '53'
option dest_port '53'
config redirect
option target 'DNAT'
option name 'COD-80'
list proto 'tcp'
option src 'wan'
option src_dport '80'
option dest 'lan'
option dest_ip '10.10.10.99'
option src_port '80'
option dest_port '80'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '88'
option dest 'lan'
option dest_ip '10.10.10.99'
option name 'COD-88'
list proto 'udp'
option src_port '88'
option dest_port '88'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '500'
option dest 'lan'
option dest_ip '10.10.10.99'
option name 'COD-500'
list proto 'udp'
option src_port '500'
option dest_port '500'
# No 'proto': tcp and udp 3074 both forwarded.
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '3074'
option dest 'lan'
option dest_ip '10.10.10.99'
option name 'COD-3074'
option src_port '3074'
option dest_port '3074'
# NOTE(review): src_dport is '3074' while dest_port (and the name) say 3075,
# so this entry maps external 3074/udp to internal 3075 and overlaps COD-3074
# above. Presumably src_dport should be '3075'.
config redirect
option target 'DNAT'
option src 'wan'
option dest 'lan'
option dest_ip '10.10.10.99'
option src_dport '3074'
option name 'COD-3075'
list proto 'udp'
option src_port '3075'
option dest_port '3075'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '3544'
option dest 'lan'
option dest_ip '10.10.10.99'
option name 'COD-3544'
list proto 'udp'
option src_port '3544'
option dest_port '3544'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '4500'
option dest 'lan'
option dest_ip '10.10.10.99'
option name 'COD-4500'
list proto 'udp'
option src_port '4500'
option dest_port '4500'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '52635'
option dest 'lan'
option dest_ip '10.10.10.99'
option name 'COD-52635'
list proto 'udp'
option src_port '52635'
option dest_port '52635'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '53044'
option dest 'lan'
option dest_ip '10.10.10.99'
option name 'COD-53044'
list proto 'udp'
option src_port '53044'
option dest_port '53044'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '54680'
option dest 'lan'
option dest_ip '10.10.10.99'
option name 'COD-54680'
list proto 'udp'
option src_port '54680'
option dest_port '54680'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '54271'
option dest 'lan'
option dest_ip '10.10.10.99'
option name 'COD-54271'
list proto 'udp'
option src_port '54271'
option dest_port '54271'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '53862'
option dest 'lan'
option dest_ip '10.10.10.99'
option name 'COD-53862'
list proto 'udp'
option src_port '53862'
option dest_port '53862'
config redirect
option target 'DNAT'
option src 'wan'
option src_dport '53453'
option dest 'lan'
option dest_ip '10.10.10.99'
option name 'COD-53453'
list proto 'udp'
option src_port '53453'
option dest_port '53453'
I even tried removing the config include 'miniupnpd' section, followed by a router reboot and an Xbox reboot, but that didn't change anything; the NAT type is still Moderate. BUT, just to be thorough, here is the firewall.include file referenced by the miniupnpd include block:
#!/bin/sh
# miniupnpd integration for firewall3
IPTABLES=/usr/sbin/iptables
IP6TABLES=/usr/sbin/ip6tables

# Make sure the chains miniupnpd populates exist. stderr is silenced —
# presumably because the chains survive a firewall reload and -N would
# otherwise complain that they already exist.
for table in filter nat; do
  $IPTABLES -t "$table" -N MINIUPNPD 2>/dev/null
done
$IPTABLES -t nat -N MINIUPNPD-POSTROUTING 2>/dev/null
# IPv6 is filter-only (no NAT chain) and optional.
if [ -x "$IP6TABLES" ]; then
  $IP6TABLES -t filter -N MINIUPNPD 2>/dev/null
fi

# Provides network_find_wan{,6} and network_get_device used further down.
. /lib/functions/network.sh
#######################################
# Insert a jump to a target as the penultimate rule of a chain.
# The number of the chain's last rule is read from the --line-numbers listing
# and used as the -I index, which pushes the current last rule (typically the
# fw3 REJECT) down by one. On a chain with no rules the last listing line is
# the column header, the extracted index is empty, and -I inserts at the top.
# Arguments: $1 - iptables binary, $2 - table, $3 - chain, $4 - jump target
# Returns:   status of the final iptables -I call
#######################################
iptables_prepend_rule() {
  local ipt="$1" table="$2" chain="$3" target="$4"
  local last_num
  last_num=$("$ipt" -t "$table" --line-numbers -nL "$chain" | sed -ne '$s/[^0-9].*//p')
  # $last_num is deliberately unquoted: when empty it must vanish so that
  # -I gets no index argument at all.
  "$ipt" -t "$table" -I "$chain" $last_num -j "$target"
}
# Number of external zones hooked so far; the main body only falls back to the
# network_find_wan heuristic when this is still 0.
ADDED=0
#######################################
# Hook the MINIUPNPD chains into the fw3 chains of one external zone.
# Globals:   IPTABLES, IP6TABLES (read), ADDED (incremented on success)
# Arguments: $1 - fw3 zone name; an empty or missing argument is a no-op
#######################################
add_extzone_rules() {
  local zone="$1"
  if [ -z "$zone" ]; then
    return
  fi
  # IPv4 needs the filter (forward) hook and, because of NAT, the nat
  # prerouting/postrouting hooks. forward and postrouting are inserted as
  # penultimate rules so a trailing fw3 REJECT stays last; prerouting is
  # simply appended.
  iptables_prepend_rule "$IPTABLES" filter "zone_${zone}_forward" MINIUPNPD
  $IPTABLES -t nat -A "zone_${zone}_prerouting" -j MINIUPNPD
  iptables_prepend_rule "$IPTABLES" nat "zone_${zone}_postrouting" MINIUPNPD-POSTROUTING
  # IPv6: no NAT, so the filter hook only, and only when ip6tables is present.
  if [ -x "$IP6TABLES" ]; then
    iptables_prepend_rule "$IP6TABLES" filter "zone_${zone}_forward" MINIUPNPD
  fi
  ADDED=$((ADDED + 1))
}
# User configuration wins: hook every zone named via upnpd's external_iface
# list (interface -> zone through fw3) and/or its explicit external_zone.
# The command substitutions stay unquoted on purpose: an empty result must
# turn into "no argument" so add_extzone_rules treats it as a no-op.
for iface in $(uci -q get upnpd.config.external_iface); do
  add_extzone_rules $(fw3 -q network "$iface")
done
add_extzone_rules $(uci -q get upnpd.config.external_zone)
if [ "$ADDED" -ne 0 ]; then
  exit 0
fi

# Nothing configured: guess from the default-route interfaces found by
# network_find_wan{,6}, assuming they all sit in one firewall zone.
# (This heuristic can go badly wrong with e.g. multihoming, so set
# external_zone in that case!)
network_find_wan wan_iface
network_find_wan6 wan6_iface
for iface in $wan_iface $wan6_iface; do
  # fw3 -q network fails on sub-interfaces, so resolve the device first and
  # look the zone up by device instead.
  network_get_device ext_device "$iface"
  add_extzone_rules $(fw3 -q device "$ext_device")
done
I appreciate any help anyone can offer.
Thank you,
Mike