OpenWrt, XBox, Call of Duty and Open NAT

Hello,

I've been a network engineer for over 20 years. I've designed and configured networks that cost several millions of dollars. I've configured Cisco blade switches, routers, PIX firewalls, ASA devices, set up networks that run voice on different VLANs with dozens of remote sites, I've set up tunnels of all different types ... yet I can't seem to get OpenWRT to give Call of Duty an OPEN NAT Type, and I'm hoping someone in here will have more knowledge than I do about this issue and can hopefully help me get this problem solved.

I'm running a stock release of OpenWRT (19.07.2) on a Netgear R7800. My XBox One X is connected via Ethernet (I don't run it on WiFi), and just to make sure the problem was not with my service provider, I connected the XBox directly to the cable modem and verified that COD Modern Warfare received an OPEN NAT Type and indeed it did.

Of course in the Xbox settings screen, it says that its NAT Type is OPEN, but that's because the console's connection to Xbox Live is happening over the single-port UDP tunnel that the Xbox manages via UPnP. Why Call of Duty doesn't follow the same design spec is beyond me. Self-managed UDP tunnels would make this headache go away for the majority of their customers.

The dozens of discussions I've read on this issue all basically say the same thing: just forward the right ports and everything works ... except that's not the case for me. Forwarding ports is one of the most basic things you can do with a firewall ... it's not rocket science.

This is the last discussion I read on the topic (my nat type is always moderate), and of course, I tried what worked for the OP but it did not work for me: OpenWrt + Xbox Live always a moderate NAT

Here is my /etc/config/firewall file. Perhaps a second opinion from someone who understands OpenWRT better than I do might see what's wrong with it (/etc/firewall.user is empty, it only has comment lines in it):

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option drop_invalid '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config rule
	option src_port '22'
	option src 'lan'
	option name 'Allow SSH'
	option dest 'lan'
	option target 'ACCEPT'
	option dest_port '22'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config redirect
	option target 'DNAT'
	option name 'COD-53'
	option src 'wan'
	option src_dport '53'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option src_port '53'
	option dest_port '53'

config redirect
	option target 'DNAT'
	option name 'COD-80'
	list proto 'tcp'
	option src 'wan'
	option src_dport '80'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option src_port '80'
	option dest_port '80'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '88'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option name 'COD-88'
	list proto 'udp'
	option src_port '88'
	option dest_port '88'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '500'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option name 'COD-500'
	list proto 'udp'
	option src_port '500'
	option dest_port '500'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '3074'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option name 'COD-3074'
	option src_port '3074'
	option dest_port '3074'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option src_dport '3074'
	option name 'COD-3075'
	list proto 'udp'
	option src_port '3075'
	option dest_port '3075'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '3544'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option name 'COD-3544'
	list proto 'udp'
	option src_port '3544'
	option dest_port '3544'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '4500'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option name 'COD-4500'
	list proto 'udp'
	option src_port '4500'
	option dest_port '4500'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '52635'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option name 'COD-52635'
	list proto 'udp'
	option src_port '52635'
	option dest_port '52635'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '53044'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option name 'COD-53044'
	list proto 'udp'
	option src_port '53044'
	option dest_port '53044'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '54680'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option name 'COD-54680'
	list proto 'udp'
	option src_port '54680'
	option dest_port '54680'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '54271'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option name 'COD-54271'
	list proto 'udp'
	option src_port '54271'
	option dest_port '54271'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '53862'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option name 'COD-53862'
	list proto 'udp'
	option src_port '53862'
	option dest_port '53862'

config redirect
	option target 'DNAT'
	option src 'wan'
	option src_dport '53453'
	option dest 'lan'
	option dest_ip '10.10.10.99'
	option name 'COD-53453'
	list proto 'udp'
	option src_port '53453'
	option dest_port '53453'

I even tried removing the section config include 'miniupnpd', followed by a router reboot and an Xbox reboot, but that didn't change anything, nat type is still Moderate. BUT, just to be thorough, here is the firewall.include file from the miniupnpd include config block:

#!/bin/sh
# miniupnpd integration for firewall3

IPTABLES=/usr/sbin/iptables
IP6TABLES=/usr/sbin/ip6tables

$IPTABLES -t filter -N MINIUPNPD 2>/dev/null
$IPTABLES -t nat -N MINIUPNPD 2>/dev/null
$IPTABLES -t nat -N MINIUPNPD-POSTROUTING 2>/dev/null

[ -x $IP6TABLES ] && $IP6TABLES -t filter -N MINIUPNPD 2>/dev/null

. /lib/functions/network.sh

# helper to insert in chain as penultimate
iptables_prepend_rule() {
	local iptables="$1"
	local table="$2"
	local chain="$3"
	local target="$4"

	$iptables -t "$table" -I "$chain" $($iptables -t "$table" --line-numbers -nL "$chain" | \
		sed -ne '$s/[^0-9].*//p') -j "$target"
}

ADDED=0

add_extzone_rules() {
    local ext_zone="$1"

    [ -z "$ext_zone" ] && return

    # IPv4 - due to NAT, need to add both to nat and filter table
    # need to insert as penultimate rule for forward & postrouting since final rule might be a fw3 REJECT
    iptables_prepend_rule "$IPTABLES" filter "zone_${ext_zone}_forward" MINIUPNPD
    $IPTABLES -t nat -A "zone_${ext_zone}_prerouting"  -j MINIUPNPD
    iptables_prepend_rule "$IPTABLES" nat "zone_${ext_zone}_postrouting" MINIUPNPD-POSTROUTING

    # IPv6 if available - filter only
    [ -x $IP6TABLES ] && {
	iptables_prepend_rule "$IP6TABLES" filter "zone_${ext_zone}_forward" MINIUPNPD
    }
    ADDED=$(($ADDED + 1))
}

# By default, user configuration is king.

for ext_iface in $(uci -q get upnpd.config.external_iface); do
    add_extzone_rules $(fw3 -q network "$ext_iface")
done

add_extzone_rules $(uci -q get upnpd.config.external_zone)

[ "$ADDED" -ne 0 ] && exit 0

# If really nothing is available, resort to network_find_wan{,6} and
# assume external interfaces all have same firewall zone.

# (This heuristic may fail horribly, in case of e.g. multihoming, so
# please set external_zone in that case!)

network_find_wan wan_iface
network_find_wan6 wan6_iface

for ext_iface in $wan_iface $wan6_iface; do
    # fw3 -q network fails on sub-interfaces => map to device first
    network_get_device ext_device $ext_iface
    add_extzone_rules $(fw3 -q device "$ext_device")
done

I appreciate any help anyone can offer.

Thank you,

Mike

1 Like

I noticed that in all your port forwardings you are using both option src_port and src_dport. You got it wrong there and you only need to use the src_dport, which is the original destination port, before NAT. The other one is the source port, which, as you must know, should not be defined in a matching rule like this.
Other than that, keep in mind that sometimes the consoles need to detect a public IP to report Open NAT/NAT Type 1.

1 Like

I finally figured this out. And I'm not convinced that it won't stop working with a full Xbox reboot (as when you have your Xbox set up to fast start, it doesn't fully shut down when you "power it off").

Here is the method at least that worked for me:

Ignore Activision's list of ports to be forwarded EXCEPT for port 3075 UDP

NOW, here comes the magic: Open your Xbox and go into Settings / Network / Advanced settings, then at the bottom left you'll see an option for 'Alternate Port Selection'. Click on this then write down every number that is on the list. Forward each port UDP only. Once you do this in your router, click Save and Apply, then, fire up Call of Duty (without rebooting your Xbox) and it should come up as OPEN Nat Type. If Call of Duty was the last game you played, make sure you close that app before starting it again, or simply load another game, then go back to the home screen and load COD ... COD needs to have a cold start to pick up the new port forwards.

The first time I did this, I did a full Xbox reboot and it didn't work, but when I looked at the available optional ports in the advanced settings, there was a different port number in the list than I had before the reboot, so my best guess is that when the operating system reboots, it chooses a set of alternate ports based on some criteria that it uses and that may cause those numbers to change between reboots. If your console never needs a reboot then you should be fine for a while ... but just be aware of that potential problem if your nat type ever goes back to Moderate, then go back into advanced network settings and check to make sure that the list of alternate ports didn't change since you first forwarded them in your router.

Personal comment: What a cluster nightmare for something that users should not even have to deal with now that UPnP has been around and is tried and true for home networking.

Thank you,

Mike
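As an added example (not the poster's own config and not OpenWrt project code), here is a small POSIX shell script for the two things discussed above: the reply's point that a port-forward should match on src_dport and never on src_port, and Mike's method of forwarding each of the console's alternate ports UDP-only. gen_redirects emits UCI redirect sections for a list of ports, and audit_src_port scans a firewall config for redirect sections that carry src_port. The 'XboxAlt-' section names and the sample config are constructed for this example; 10.10.10.99 is the console address from the posted config.

```shell
#!/bin/sh
# Added example, not the OpenWrt project's or the poster's code.
# Two helpers for the situation in this thread:
#   gen_redirects  - emit UDP-only 'config redirect' sections for the alternate
#                    ports read off the console, destined for one static LAN IP
#   audit_src_port - list redirect sections that also match on src_port, which
#                    is the mistake the reply above points out (a source-port
#                    match almost never belongs in a port-forward rule)
# Section names beginning with 'XboxAlt-' are an assumption of this example.

# Usage: gen_redirects LAN_IP PORT [PORT...]  -> UCI text on stdout
gen_redirects() {
    lan_ip="$1"; shift
    [ "$#" -gt 0 ] || { echo "gen_redirects: no ports given" >&2; return 1; }
    for port in "$@"; do
        # Accept digits only, then range-check, so a typo never becomes a rule.
        case "$port" in
            ''|*[!0-9]*) echo "gen_redirects: bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "gen_redirects: port out of range '$port'" >&2; return 1
        fi
        printf "config redirect\n"
        printf "\toption name 'XboxAlt-%s'\n" "$port"
        printf "\toption target 'DNAT'\n"
        printf "\toption src 'wan'\n"
        printf "\toption src_dport '%s'\n" "$port"   # original destination port, before NAT
        printf "\toption dest 'lan'\n"
        printf "\toption dest_ip '%s'\n" "$lan_ip"
        printf "\toption dest_port '%s'\n" "$port"
        printf "\tlist proto 'udp'\n\n"              # UDP only, as found to suffice
    done
}

# Usage: audit_src_port < /etc/config/firewall  -> one offending section name per line
audit_src_port() {
    awk -v q="'" '
        function report() { if (in_redirect && has_src_port) print name }
        /^config / {
            report()
            in_redirect = ($2 == "redirect"); name = "(unnamed)"; has_src_port = 0
            next
        }
        in_redirect && $1 == "option" && $2 == "name" {
            name = substr($0, index($0, $3)); gsub(q, "", name)
        }
        in_redirect && $1 == "option" && $2 == "src_port" { has_src_port = 1 }
        END { report() }
    '
}

# Constructed sample config (not the full file from the thread): one redirect
# with the src_port mistake, one without, and a non-redirect section that is
# allowed to carry src_port.
SAMPLE_FW="config redirect
    option name 'COD-53'
    option src 'wan'
    option src_dport '53'
    option src_port '53'
    option dest_port '53'

config redirect
    option name 'COD-3075'
    option src 'wan'
    option src_dport '3075'
    option dest_port '3075'

config rule
    option name 'Allow SSH'
    option src_port '22'
    option dest_port '22'
"

# Stand-alone demo: audit the sample, then generate rules for two alternate ports.
printf '%s' "$SAMPLE_FW" | audit_src_port        # prints: COD-53
gen_redirects 10.10.10.99 3075 49966
```

To apply the generated sections on a router, append them to /etc/config/firewall and reload the firewall; the audit reads any config on stdin.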

Often you do not need to forward these ports. 53 is DNS, 80 is web, 88 is kerberos, etc. Typically these are the destination ports on other servers. If you actually need to set up port forwarding on a router, it is usually a constant port for all consoles and doesn't change from session to session. Or, alternatively, it might leverage upnp for this purpose (upnp has its own security considerations -- many people don't like upnp because devices can set up port forwarding without the knowledge/consent of the owner/network-administrator, and it happens silently so there is no way to know what is being transferred and why).

Unfortunately, the documentation for many services from Activision and other game vendors, as well as Sony and Microsoft for the consoles is both sparse and sometimes misleading, causing people to start opening ports and even chasing their tails trying to figure out why the active ports keep changing and/or why the port scans don't reveal open ports even after they have performed the router level forwarding configuration.

I'd like to ask you to consider the following: Are you having real game-play issues or unable to host a server where inbound connections are necessary such that other users can connect to your system? If you aren't having actual in-game problems, don't start messing with port forwarding. The whole "open NAT" and "Strict NAT" and other labels from the console/game-level network testing often leads to a lot of unnecessary (and often futile) efforts to fix something that isn't broken in the first place. I have seen people go to extremes trying to 'fix' this only to end up wasting a ton of time and energy for literally a negative gain situation (i.e. causing themselves problems that never would have come up if they had just left their router/firewall alone, and nothing was ever gained from the configuration changes, either).

3 Likes

I have been dealing with the same issue a while back. I still don't know why it always selects the alternate ports, but for me it seems to be connected with the use of Openwrt, as I never experienced this with any ISP router.

Note: you also need 3076 for some CoD games...

@TheHellSite, It was your final solution that led me to figuring out how to make this work with Xbox One. I actually copied the firewall config you posted and pasted it into my /etc/config/firewall and it didn't work... then when I read your post more carefully, that's when I saw that you mentioned looking in advanced settings under alternate ports and when I did that I noticed that my alternates were different than yours, and one of my alternate ports changed to a different number after a full reboot of the console.

I am curious, have you ever done a full reboot on your Xbox since implementing your find and if so, did you lose open nat on COD? Just curious...

And just for some contrast, here are the port numbers that are listed under my alternate ports:

49966, 51378, 53638, 55050, 55898, 57310

Yours:

52635, 53044, 53453, 53862, 54271, 54680

Doesn't look like any of them are the same, so it would be impossible to tell other users which ports to forward, only how to find the ports that need to be forwarded.

It really is an odd problem with an odder solution. COD must somehow rely on an operating system level tunnel which would be set up on an alternate port. And it makes sense that without forwarding the port, the connection to and from that port would still work, only it would kind of be half a connection since the server at the other end would not be able to initiate a packet session to the Xbox, it would only be able to use the packet session that the Xbox initiated to the server which - depending on how they code their games, might make certain features in the game slightly delayed, which is why the port redirect back to the console from the Internet is important ... but again, they could have easily managed this with UPnP... and in spite of people's fears concerning UPnP, I think the game makers should utilize it if it's available on someone's router. The Xbox will use it by default to open up the port it uses for the UDP tunnel to the Xbox Live network... Why COD hasn't implemented UPnP is beyond me. Seems like a no brainer thing to do, because if a user disables UPnP on their router, then they would just have to manually forward the port, but for the majority of users, theirs would just work properly without even needing to think about it.

But thank you for the time you put in to solving this problem and for taking the time to post the solution. That was much appreciated. :slight_smile:

Mike

1 Like

@psherman

Often you do not need to forward these ports. 53 is DNS, 80 is web, 88 is kerberos, etc.

This is true, but they were listed on Activision's web site as ports that need to be forwarded, so I included them just to be thorough. I did, however, go back and I removed all port numbers under 1024, and the connection still works properly. Then I changed all of the remaining ports to UDP only and the NAT Type remained OPEN. So I don't know why they say to forward those ports, but it's good that it works without forwarding them.

it is usually a constant port for all consoles and doesn't change from session to session

I think you misunderstood what I was saying when I mentioned the ports changing between console reboots.... let me see if I can clarify this:

On the Xbox One, under Settings / Network / Advanced settings, there is a drop-down box where the user can select alternate ports to use for the Xbox to connect to the Xbox Live network. We aren't exactly sure why Microsoft provided a list of alternate ports for Live connections, but one theory is that if you have more than one Xbox on the same network, each will need their own unique port, which the user would need to manually select, but I don't know for sure at the moment why they are there.

Nonetheless, it is that list of alternate ports that must be forwarded in the router before the game will connect with an "Open NAT Type". And what I witnessed was that when I told my Xbox to do a cold reboot, that list of alternate ports was slightly different than it was before the cold reboot. But when you "Shut Down" your Xbox by telling it to power off, it doesn't actually shut down the operating system. It remains booted and running in a semi-sleep mode. The Xbox can and does wake itself up from time to time to look for updates etc. So when you go to shut down your Xbox, you have an option there to do a reboot. And a reboot will completely unload the operating system from memory and then perform a cold boot. But most users will never need to do that so their operating system will remain running without being rebooted potentially for many years and in those cases, those alternate port numbers would never change - that's my theory ... but if the Xbox is ever rebooted, I believe some of those port numbers will change (because I saw mine change when I performed a cold reboot) and my theory is that the Xbox operating system uses some kind of criteria to choose those alternate ports during the boot process of the operating system, and the ports it selects do not persist between reboots.

I hope that makes sense ...

upnp has its own security considerations -- many people don't like upnp because devices can setup port forwarding without the knowledge/consent of the owner/network-administrator, and it happens silently so there is no way to know what is being transferred and why

I call this IRRATIONAL FEAR... just because something is possible, doesn't mean it's going to happen, and if a commercial outfit like Microsoft or Activision started using UPnP for malicious deeds, they would be hammered by their users and flogged in the streets ... it would never happen ... Now you say, "well, some other software, or a virus on your computer might look for UPnP and start opening ports to do sinister things..." - and I say, YES, that is certainly possible, but not very likely. My response to such a concern would be either, "Fine, understand your router enough to manage it manually, or don't buy software from people you don't trust and run anti-virus software that is always up to date" ... and with those 'best practices' happening, you've essentially mitigated that possibility and made it so remote that it's not even worth being concerned about.

But the chance that Microsoft or Activision would invade your privacy by exposing your network to the Internet on various ports? Not a snowball's chance in hell that would EVER happen. And I would argue that if they did manage their own port forwarding via UPnP, they could even make sure that the open ports are only open to specific IP addresses, thereby protecting their customers better than they are now when they just open up ports to the entire planet. And if those IP addresses ever changed, they could push the change out in one of their game updates and the user would be none the wiser, but still happy that things work and without needing to become network admins in order to make them work.

Are you having real game-play issues or unable to host a server where inbound connections are necessary such that other users can connect to your system?

Having Call of Duty running on OPEN NAT vs. Moderate NAT could mean the difference between getting shot or being the victor in a head to head shoot out ... it's important to people who want to make sure that the timing of events is as accurate as possible and that the consoles get the proper response time of the user when they push that fire button...

Can I play the game without OPEN NAT type ... sure I can ... but I prefer to have it OPEN as that is the best possible setup one can have for that particular game.

Mike

1 Like

I understood it completely, you didn't need to re-explain.

This could make a lot of sense. But it should not change when the system is completely rebooted.

This all depends... how frequently does a particular person's power go out (some localities have rock solid grid power, other places have outages frequently, some users have UPSs connected, many do not). How often is the device physically powered down by the users for all sorts of other reasons (anything from an enforced cap on game time by parents to moving the device between different TVs)? how often does an OS update force a reboot? If any or all of these things that cause a power cycle/reboot result in changing ports, that would be an extremely frustrating experience for the user and terrible software design practice for a consumer product.

First -- no need to yell here. I didn't say that you shouldn't use it, I just simply said that some people have concerns about the security implications.

Yes, of course. Although they are not free from reproach, it's not these companies you have to worry about. It is the smaller companies who might not have product security as a top priority and have limited experiences/resources to build appropriate security into their designs. Or maybe a company that doesn't have bad intentions but mines and sells your data without your knowledge or consent (not a UPNP issue, but several 3rd party weather apps were tracking and selling precision location data). Or worse yet, a malicious application that is intentionally crafted to use UPNP as an exploit to do various nefarious things -- i.e. a virus or other malware. Such malware could originate from small time hackers to state sponsored agencies and could be relatively benign in its effect or could cause serious problems in so many different vectors.

Yes, but also no. I am very careful about the software I install, I am up to date on software, firmware, and security patches. I have pretty advanced networking knowledge.... I presume you are similar in this regard. But not everybody else in the world is (in fact, most people probably don't know much about this stuff -- ask your neighbors how many VLANs they use and how each one is configured and you'll probably get a blank stare).

You have to realize why upnp exists -- it was developed to automatically forward ports to make the experience easier for the average consumer... i.e. the one who doesn't know how to (or doesn't want to) adjust the settings on their router. It is not a stretch to say that many of these users will not be consistently up to date, and that they may install apps that are not always from reputable sources.

The first generation of upnp actually allowed a given host to forward ports to any host on the network. So a nefarious app on one machine could use upnp to forward ports to another machine entirely -- potentially opening up serious holes that might include file sharing protocols, remote administration, and other things, even though the malware had not even infected the target machine. upnp2 fixed that... but even still, many people don't trust upnp2 either, because things happen silently and behind the scenes. Who's to say that that IoT connected air filter isn't siphoning off information about your network (I'm not saying it actually is, just that it could -- this is why security minded people often set up an IoT network for the myriad of 'untrusted' devices they may begin to accumulate on their network).

I'm not paranoid and I actually see good use for upnp sometimes, but I always provide the context of the potential security vulnerability because I do not want to provide advice for someone that ends up compromising their machine/network (after all, I have no idea how well they keep up to date and follow best practices with security).

So please, next time you decide to yell about this being an "IRRATIONAL FEAR" -- think about all the other users in the world and the fact that their knowledge of computers and networking and their threat profiles/tolerance/models are not necessarily the same as yours.

1 Like

Here's what I did for Open NAT for my Xbox One without UPnP. Keep in mind that Call of Duty Modern Warfare/Warzone 2019 doesn't need to be port forwarded as they rely on dedicated servers; however the old Call of Duty games between 2003-2018 rely on P2P (Person to Person).

1st - Set up DHCP for the Xbox One

/etc/config/dhcp

config host
	option mac '50:1A:C5:XX:XX:XX'
	option name 'XboxOne'
	option dns '1'
	option ip '192.168.1.100'

2nd - Port forward 3074/UDP to the Xbox One

/etc/config/firewall

config redirect
	option dest_port '3074'
	option src 'wan'
	option name 'XboxOne'
	option src_dport '3074'
	option target 'DNAT'
	option dest_ip '192.168.1.100'
	option dest 'lan'
	list proto 'udp'

Reboot both Xbox One and OpenWrt

When your Xbox One dashboard is loaded, hit the middle button > Go to the cogs > Settings > Network settings > Test NAT type

Then why did you say, " If you actually need to setup port forwarding on a router, it is usually a constant port for all consoles and doesn't change from session to session." - if that was not in reference to my comment that the port changed after a reboot?

And your logic in that statement is ... what ... exactly? I know for a fact that they can change because I witnessed it myself. Why does that seem unlikely or not feasible to you? Also, my port numbers were completely different than @TheHellSite's port numbers that he listed in his post... so clearly they are not the same even from one xbox to the next...

Doesn't matter if the power goes out, it will still boot up in the same state it was in when the power went out ... I assume they use a snapshot of some kind as standard Windows does when you hibernate your laptop... or even put it to sleep, you can pull the power and the battery and it will still turn on with the operating system still running ... not re-booted. That's been around for at least 15 years now.

I've been a network engineer since about 1996 ... I know why UPnP exists and I believe it became a published standard sometime around 2007-ish... I remember thinking when I read about it that it was going to be a great thing for home users ... a business wouldn't be caught dead running it on their firewalls. Their threat isn't sinister software ... it's the employees.

I fully understand that people have a tendency to be fear-driven in life. That is entirely their choice to live like that and I have no qualms with it. But if someone asks me for my professional opinion on the matter, I tell them to enable UPnP and buy software from reputable companies and run current anti-virus ... besides ... in the almost 15 years that UPnP has been around, I can't recall a single incident where it was ever used for sinister reasons by a software company nor even a virus... And if any such company did that and they were bound by US laws and regulations ... better believe they would be held to the fire for violating the privacy of their customers. Opening ports in a firewall exposes the inside network to the Internet ... that would technically be an invasion of privacy if it were not done for the accepted reasons which would be strictly for the proper functioning of their software... anything other than that, they could face criminal charges.

Remember the first famous case where a "hacker" was sent to federal prison for violating the privacy of the users of a bank I believe it was ... and all he did was look at the URL when he was logged into their site and thought "hmm ... what happens if I increase my account number in this URL by 1." Well, when he did that, he saw the personal data for a different customer ... and he took that experiment further and ran a whole series of numbers in the URL and saw the data from hundreds or maybe thousands of different customers ... when he pointed out what he found and took it to the bank so that they could correct their improperly configured web and SQL server, they called the cops on him and the feds got involved and he ended up serving I think 10 years in federal prison ... all because he basically opened an unlocked door and looked inside... they didn't hold the bank accountable for not securing their client's data, they held him accountable for having the audacity to be curious.

Back then there were only some very minor laws on the books for cybercrime ... today that's not the case.

Yet, having just purchased Modern Warfare on my Xbox One last week, I could not get open nat to work without forwarding the ports as I outlined in the third comment of this thread. If you Google the problem, you will see MANY users being unable to get open NAT with the latest Call of Duty game on Xbox One ... Even Activision on their web site says that you need to forward ports for Call of Duty Modern Warfare / Warzone ... so I'm not sure what compels you to say this...

AH! NOW I understand ... the NAT type in the Xbox settings is the NAT Type for the connection to the XBox Live network ... the Call of Duty game uses additional servers ... it does not strictly use XBox Live... When you load the game and go into multiplayer, on the screen where you choose what kind of match you want, on the bottom of the screen it will show your NAT Type, which is the NAT Type that the game itself is seeing ... not your Xbox operating system.

So like my case, as is the case with many others ... the Xbox settings will say OPEN NAT but the game will say STRICT or MODERATE nat ... and that's the problem people are needing to resolve.

Mike

Call of Duty likes to use port 3075 for its gaming instead of the default 3074 on Xbox.
Usually all you need is port forwarding for 3074 for most games.

I don't use port forwarding rules for any of these ports 53, 88, 500, 3544, 4500 and get Open NAT usually.

Which I specifically noted in the third comment of this thread...

So, I disabled all port forwarding in OpenWRT, but left UPnP enabled. This is what my Xbox Network Settings screen looks like:

And without making any changes in the router whatsoever, this is what the Call of Duty Modern Warfare / Warzone screen shows:

When I re-enable port forwarding rules as I describe in the third comment in this thread, this is what the Call of Duty screen shows:

... just for some reference for you so that you can better see the problem.

Mike

I said that because I understood what you said, but I find it unusual. And if port forwards of this dynamic nature are actually necessary, it represents really poor UX design... For incoming connections (that would require port forwarding), I've never seen a system use a dynamic set of port numbers if it wasn't also leveraging UPnP -- it would place extra burden on the user, increase confusion (no simple list of ports that can be published on a support website), and make the back-end software design more complicated. That is also why I said that you often don't need to open all of the ports... for example, you said port 53 was on that list -- why would you need to port forward DNS? Are they really making your system into a DNS server that needs to accept inbound connections from the internet to make the game work properly??

Which one is it? Define booting? You said that the ports may change between reboots. Now you're saying it isn't rebooted when you power cycle the entire unit? Sure, a stateful snapshot is a different beast, but you didn't say anything about that earlier. And starting from a powered off state still requires booting, even if into a snapshot.

Really? Are you sure about that? How about this?

If you've been in the field for almost 25 years, I'm surprised that you are not more conservative on security. I'm not sure I would be so quick to enable (or recommend) UPnP without also noting that there are some risks -- especially on a forum where the additional information could be useful now and in the future. I am not driven by fear or paranoia in this situation (in fact, IIRC, I have UPnP enabled on my router), I just feel that it is the responsible thing to do to mention that UPnP is one of those technologies that represents a compromise between security and convenience, like many things in life. I never said that it shouldn't be used (nor did I say it should be) -- I mentioned it as a technical solution that may or may not be appropriate for every situation.

For reputable companies that are based in, or do official business in areas that have real privacy and security laws, sure. But there are many entities -- from lone hackers to organized teams to actual government agencies -- that either don't care about, or are not subject to the privacy laws you're mentioning. To be US-centric for a moment, do you think that the Russian government is going to take action against someone who hacks US interests or individual citizens? Do you think that their government cyber-warfare teams care about US laws? Do you think that the US and Israel cared about the fact that they were likely violating Iranian laws when they developed Stuxnet? I'm not trying to be political here, but rather to point out that people and organizations that have nefarious intent and either aren't deterred by or are outside the reach of the respective law enforcement agencies are not bound by such security and privacy laws.

My original point in posting earlier was to say that people often make things harder for themselves when they start opening all sorts of ports for these games -- many of which turn out to be unnecessary and even counterproductive. I didn't intend to get into an argument and my apologies if it initially sounded like I was trying to be unfriendly. However, @EasyGoing1, your responses were remarkably abrasive and in some cases either factually wrong or irrelevant. I felt that it was necessary to point out the technically problematic elements for the benefit of future readers. I suspect you'll probably write a rebuttal, but I'll probably not respond -- instead, I'll bow out now as I don't see wasting any more time on this topic.

You're in luck, the Xbox One tries to use UPnP by default ... this is not a configurable option. If UPnP is not enabled in your router, then when you look at Network Settings on the Xbox, a message will come up saying UPnP Failed! telling the user that they either need to enable it in their router or simply forward the port number on the screen next to the failed message.

Those lower port numbers were Activision's port list, not Microsoft's, and I have NO IDEA why they list those ports, as I've proven they are not necessary to forward in order to get open NAT type. It might be possible that Activision is listing those ports in an expected bi-directional open rule ... as in they assume the user is going to open those ports in both directions. IF that is the case, then I get it because certainly, the Xbox will need to query DNS and access web servers in order for the game to function fully (in-app purchases are done via HTTPS etc.) but if that is the case, they certainly do not specify the direction of traffic for each listed port.

I just took this screenshot straight from Activision's web site. They say the info was current as of March of this year (2020).

And here is the Activision URL if you're interested.

If you go back and read what I posted, I specifically mentioned that there are two options when you press the home button on your controller to actuate a shutdown event:

  1. The Power Off option, which, if your Xbox is configured for "Fast power-up", only puts the Xbox into a sleep state. This is the default config from the factory.

  2. The other option is Reboot Xbox, which is a complete and full cold boot ... that option is the same as clicking on Start, Shutdown, Restart in Windows.

It is option 2 that can cause those 'alternate port' numbers to change. Using option 1 will NOT change those numbers because when you turn your Xbox back on, the operating system does not boot ... it simply continues running from a sleep state.

That link describes a known vulnerability in the UPnP service. It does NOT list any specific incidents where someone used the exploit to their sinister advantage... so the analogy of what that link is saying is something like this... "We discovered that when people use a sledgehammer on specific doorknobs, they can break it in half and enter your home! Here is a list of known doorknobs that have proven to be vulnerable to sledgehammer attacks."

That link does NOT say "And this company was harmed by the weak door locks when a band of thugs broke into their business around 2AM on this date..."

What I specifically said and I stand by it... is that for all of the "security problems" that exist with UPnP, in 15 years, no one that I am aware of has ever exploited UPnP for sinister reasons ...

In short: No user has ever been harmed by UPnP in 15 years running now ...

I'd say that's a pretty interesting fact that stands against the "be afraid of this" mentality ... yes, it's a potential threat and NO ... no one is harming people by taking advantage of those problems in UPnP.

I predict that what will happen with UPnP is that they will implement a security code in the standard so that you just use a web browser and open up your routers home page and find the UPnP code after putting in your password, then you tell a device such as your Xbox what that code is, and that will give Xbox the ability to map ports, but no other devices on your network would be able to map ports until you give them the code.

Stay tuned ... I'll bet that's where the next version of UPnP ends up... just a hunch :wink:

When I am consulting for a business, I often end up getting the email asking to dial back security protocols because they are too cumbersome and they make the user experience too difficult... and those protocols are always different from one business to the next. What I will not compromise, however, is my standards on user passwords... I require a minimum of 9 characters with an array of upper, lower, numbers and symbols. I train the users to think of a phrase that they will remember, then I teach them how to substitute symbols and numbers for letters, and I also tell them to make up a random set of three or more symbols like %*@ and to throw one or two of those into the phrase somewhere that makes sense to them ... and to use the numbers on those keys as the easy-to-remember trigger ... so let's say that someone is going to use the phrase 'I love visiting Paris France' ... I would tell them to pick a month and a day that they particularly like, then leet some of the letters and do something like this -

!L0v3P@r!sFranc3On)%/@@

That one reads: I Love Paris France On 05/22

These kinds of passwords are not difficult to make up and use, but they more than qualify in the "impossible to unHash" department using brute force or even dictionary attacks.

But when it comes to things like ... Logging idle users out of the Network after 10 minutes of idle time ... I have no problem dialing back on that and going to like 30 minutes ... I can see how sometimes users will be typing their password maybe dozens of times each day ... but I start hardened and I dial back when it hurts ... lol

Now, HOME USERS ... if they are asking me about UPnP then they have already been told of the security risks and are seeking my advice as a professional ... they would not be asking me otherwise ... and we always have that discussion ... and based on the history of using UPnP and the fact that no one has ever been taken advantage of to my knowledge ... making it statistically reliable and secure, but then adding to that ... telling them to only buy reputable companies software and run a current anti-virus ... I am totally confident that if they follow what I say, then they can open up UPnP without having to worry about being exploited. I have the statistics on my side and certainly the 'best practices' on my side.

Someone might argue with me and say "But it's still a RISK!" ... and I'll tell them ... "So is driving to work every day ... or getting on an airplane ... or even swimming in a lake... life is full of risks, you simply have to make informed choices and mitigate your risks in a manner that is reasonable and not inconvenient ... if you end up getting exploited ... I suppose the absolute worst that can happen would be something like ransomware ... which to me is no different than having your hard drive formatted ... but other than that ... what's the worst that can happen? They could maybe get some credit card numbers? Some passwords? Your bank account info? Your Social Security Number? Well ... here in the United States, we have recourse for all of that and we are not accountable for the loss incurred by a thief ... and since UPnP has never caused anyone to be exploited in that way - why not? Because there are far easier ways for crooks to exploit people and get their personal information - NOT using two-factor authentication is a big deal and far more risky than UPnP - statistically speaking and looking at the track record ... companies not being properly secured, their databases getting hacked and downloaded ... and their users' data never having been encrypted ... THAT has been a HUGE security risk for all of us ... in contrast ... UPnP is no threat at all!

I suppose that would depend entirely on which system the Russian hacker exploited ... Your network ... my home network? NOPE! But a Pentagon network? That hacker would be dead inside a month... it really depends ...

What is more important than this pie in the sky scenario is common sense: In order for a Russian hacker to exploit your home router via UPnP, they need to get their software inside your network FIRST, and it needs to be running. Tell me ... how are they going to manage that when you are being diligent and only installing software from reputable companies?

Second, what do you have that they even care about? You're not that important and neither am I.

Third, I default back to the history of UPnP implementation and the fact that no one has ever been harmed by UPnP to date ... so the paranoia over its use is unwarranted ... literally...

Please quote me where I have been factually wrong or irrelevant ... and I do apologize for sounding abrasive ... I did initially feel as though you were challenging me on these topics but I realize that all we needed was some clarification ... I still think you misunderstood what I was saying about the Xbox reboots and the ports changing ... hopefully, this post clarifies that for you.

And if you think I'm abrasive, then this forum must be very friendly overall ... most technical forums include people responding with straight-up insults and rudeness on levels that shock me ... I always say ... if you won't say it to their face, then don't say it in electronic communication ... treat these communication methods as though they were face to face conversations, and you'll be fine ... you won't have the regret after send syndrome :slight_smile:

I understand that and I sincerely appreciate anyone who cares about people enough to put the right information out there... seriously ... this conversation kind of spiraled and the two topics that inspired me to write responses were the changing ports... because I didn't want people to think that those ports in the Xbox will be the same for everyone ... I can see it now ... people posting how to fix the Call of Duty open NAT issue by listing the ports that they opened for their Xbox when that would be the WRONG thing to say to someone ... because every Xbox's alternate ports will be different ... and that needed to be clarified ... and on the UPnP issue ... I have a personal problem with people thinking that they need to lock down their network like Fort Knox and never use UPnP... there simply has not been any real-world hacking going on with the protocol so the heightened paranoia is unwarranted ... your front door can be opened with a sledgehammer ... do you just not use normal door locks because there is a potential threat to your home? And I get it that hackers are at a distance ... but not always unfindable and again ... they need to be inside your network FIRST before they can exploit UPnP and if they get into your network, they got in because you let them in and I don't care if you have UPnP enabled or not ... if malicious code gets inside your network .. you already have problems - UPnP or no UPnP ... so the fears are simply unjustified in my professional opinion, and I stand by that opinion with balanced logic and history as the foundation for the logic...

I only wish more companies like Activision would use UPnP and stop threads like this from ever happening in the first place :wink:

I have no hard feelings towards you ... if I did I would never spend this much time writing responses ... I love it when people get involved in their technology ... nothing makes me happier than that. :slight_smile:

Well ... except maybe lasagna ...

Mike

Wow, a lot to read. I'll just add my two cents, if I'm allowed to. :smiley:

I remember the time when dedicated servers were dropped in favor of matchmaking and hosting on the "client side". The guy who became the host had a huge advantage over all the others when it came to pings. Sure, they introduced things like a delay and/or ping compensation, but that did not remove the advantage for the hosting machine. In the beginning this was very reliable to test on PC, in particular if you had a high-end machine with something like 4 cores (which was not common at the time). For console machines the hardware advantage does not exist (as well as for PC nowadays, I would say).
So everybody tries to de-NAT the network to become host in order to gain/get the ping advantage. That is the motivation for people to open their network. And it is comprehensible, imo.

But I do not really understand why they want port 53 or 80 for simple matchmaking nowadays. Maybe to make it easier for clients to reconnect? I remember that in the past it was not possible to rejoin a match if you had a DC. That was really an issue!

In general I would avoid UPnP, also because I think it can be really dangerous. Any software your kids/guests or whoever run can open any port on your router. Sure, in theory it is bound to the client that initiated it, but I would not bet on client-side security. I remember that U.S. Homeland Security gave the advice to disable UPnP a few years ago because of a big security flaw in libupnp. Attackers had the possibility to gain easy control over your whole network and clients. https://www.kb.cert.org/vuls/id/922681 ... At that time botnets were very popular.
UPnP is used for discovering network devices also. Especially printers like to announce themselves to the internet using UPnP. Not to mention their ancient embedded software when it comes to their lifetime. SmartTVs and IoT also. After a few years they will never see any security update. I would consider them as untrusted.

2 Likes
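A router-side audit of the UPnP mappings the post above worries about ("any software ... can open any port on your router"), as an added example that is not from this thread or from OpenWrt/miniupnpd. It parses constructed lease entries, assumed to follow the miniupnpd lease-file layout of proto:external port:internal IP:internal port:expiry:description, and flags mappings created by hosts other than the console, mappings on service ports such as 53 or 80 (the ports questioned earlier in the thread), and mappings that have already expired.

```python
"""Audit UPnP port mappings on a home router against a simple policy.

Added example, not code from the original thread. The input lines are
constructed and assumed to follow miniupnpd's lease-file layout:
    proto:external_port:internal_ip:internal_port:expiry_epoch:description
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample: two console mappings (3074 default, 3075 picked by the
# game) and two mappings that no console should ever need.
SAMPLE_LEASES = """\
UDP:3074:192.168.1.50:3074:1900000000:Xbox (Teredo)
UDP:3075:192.168.1.50:3075:1900000000:Call of Duty
UDP:53:192.168.1.23:53:1900000000:media-box
TCP:80:192.168.1.77:80:1800000000:printer
"""

# Ports a console mapping should never expose to the internet.
SERVICE_PORTS = {22, 23, 53, 80, 443, 445, 3389}
NOW = 1850000000  # constructed "current time" used for the expiry check


@dataclass
class Mapping:
    proto: str
    ext_port: int
    int_ip: str
    int_port: int
    expiry: int   # 0 means the mapping has no expiry
    desc: str


def parse_leases(text: str) -> list[Mapping]:
    """Parse lease lines; the description may itself contain colons."""
    mappings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, eport, iaddr, iport, ts, desc = line.split(":", 5)
        mappings.append(Mapping(proto, int(eport), iaddr, int(iport), int(ts), desc))
    return mappings


def audit(mappings, console_hosts, lan=ip_network("192.168.1.0/24"), now=NOW):
    """Return (reason, 'proto/ext -> ip:port') tuples for every policy hit."""
    findings = []
    for m in mappings:
        target = f"{m.proto}/{m.ext_port} -> {m.int_ip}:{m.int_port}"
        if m.expiry and m.expiry < now:          # stale lease still present
            findings.append(("expired", target))
        if ip_address(m.int_ip) not in lan:      # points outside our LAN
            findings.append(("outside-lan", target))
        if m.int_ip not in console_hosts:        # not one of the consoles
            findings.append(("unexpected-host", target))
        if m.ext_port in SERVICE_PORTS or m.int_port in SERVICE_PORTS:
            findings.append(("service-port", target))
    return findings


if __name__ == "__main__":
    for reason, target in audit(parse_leases(SAMPLE_LEASES), {"192.168.1.50"}):
        print(f"{reason:16} {target}")
```

The two console mappings pass clean; the DNS and HTTP mappings are reported, and the printer's lease is additionally flagged as expired.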

Thanks. And I agree :slight_smile: We can make this a constructive conversation/debate without it getting personal.

I still disagree with your assertion that UPnP has not been actively exploited. Can you take a look at these articles (1 and 2 appear to be talking about the same issue, 3, 4, 5)... these appear, by all accounts, to be active exploits found in the wild (not just CVEs and 'theoretical' vectors for attack). Am I mistaken here?

hahaha tell him about the CableHaunt one man that one is great.