OpenWrt, XBox, Call of Duty and Open NAT

I can only speak for the PS4 but in my case I have to use UPNP in order to get Open NAT status in several games with two consoles online at the same time.
And to be honest I don't have a bad feeling when using UPNP for my gaming console(s) as long as I restrict UPNP to be only available for the console(s). On top you can create a separate interface for the console(s) and work with vlans to separate them from the rest of your main/private LAN for a bit of extra security.

Anyway I agree that UPNP can be a security risk but you can limit that risk to a minimum when taking the right steps to restrict it.


I'm just going to chime in on how I got XBox to have OPEN Nat, along with CoD:MW.

Though there are other ways (see above), here is my go-to cheat-sheet for when I have to reset my router.

NOTE: You need to give your XBox a static IP address. If you later change from wired to WiFi, or reverse, you will need to update your Firewall rules to match!

DHCP - need to give it a static IP
/etc/config/dhcp
Note that this is just a snippet showing the change from default

config host
        option name 'XBoxWired'
        option dns '1'
        option mac 'F0:1D:XX:XX:XX:XX'
        option ip '192.168.0.YYY'

Next you have many port forwardings

/etc/config/firewall
Note that this is just a snippet showing the change from default

config redirect
        option target 'DNAT'
        option src 'wan'
        option src_dport '53'
        option dest 'lan'
        option dest_ip '192.168.0.YYY'
        option name 'XBox Live 53'

config redirect
        option target 'DNAT'
        option name 'XBox Live 88'
        list proto 'udp'
        option src 'wan'
        option src_dport '88'
        option dest 'lan'
        option dest_ip '192.168.0.YYY'

config redirect
        option target 'DNAT'
        option name 'XBox Live 3074'
        option src 'wan'
        option src_dport '3074'
        option dest 'lan'
        option dest_ip '192.168.0.YYY'

config redirect
        option target 'DNAT'
        option name 'XBox Live 80'
        list proto 'tcp'
        option src 'wan'
        option src_dport '80'
        option dest 'lan'
        option dest_ip '192.168.0.YYY'

config redirect
        option target 'DNAT'
        option name 'XBox Live 500'
        list proto 'udp'
        option src 'wan'
        option src_dport '500'
        option dest 'lan'
        option dest_ip '192.168.0.YYY'

config redirect
        option target 'DNAT'
        option name 'XBox Live 3544'
        list proto 'udp'
        option src 'wan'
        option src_dport '3544'
        option dest 'lan'
        option dest_ip '192.168.0.YYY'

config redirect
        option target 'DNAT'
        option name 'XBox Live 4500'
        list proto 'udp'
        option src 'wan'
        option src_dport '4500'
        option dest 'lan'
        option dest_ip '192.168.0.YYY'

config redirect
        option target 'DNAT'
        list proto 'udp'
        option src 'wan'
        option src_dport '3075'
        option dest 'lan'
        option dest_ip '192.168.0.YYY'
        option name 'XBox CoD 3075'

config redirect
        option target 'DNAT'
        option name 'XBox CoD 3544'
        list proto 'udp'
        option src 'wan'
        option src_dport '3544'
        option dest 'lan'
        option dest_ip '192.168.0.YYY'

config redirect
        option target 'DNAT'
        option name 'XBox CoD 4500'
        list proto 'udp'
        option src 'wan'
        option src_dport '4500'
        option dest 'lan'
        option dest_ip '192.168.0.YYY'

Replace the YYY lines with your XBox's IP address, replace the XX lines with your MAC address. Reboot the router, reboot the XBox.

Other formulas will also work, but I thought I'd offer the "full port list" that I use for CoD:MW and regular XBox Live. Remember that your XBox needs a FULL REBOOT whenever you change your network settings, as the NAT test only happens once.

NOW, having said all that, if your ISP offers true IPv6 connectivity, you have better options, but that's for someone else to document. If it does not, consider disabling it. That way, your devices don't make assumptions and run into trouble...

Oh, and disabling your UPnP will increase your security, as you will have to explicitly open ports for your devices... No more "unknown" devices making configurations for you!

Good luck!

Actually DOING that for the average home user ... is pretty much not gonna happen. VLans seem to be difficult enough to discuss with people who are employed within IT ... trying to have those discussions with people who have nothing to do with IT would be a straight up nightmare ... imho.

But you are spot on ... VLANing and assigning UPnP to just one vlan is one way to guarantee that only the devices you chose get to use UPnP - and it's nice to see people leveraging their technology in advanced ways like this.

I'm not aware of any console being able to be configured for VLAN tagging so I assume you just assigned the VLAN to a specific port on your router?

Mike

The Akamai findings appear to be exploits in routers that have been improperly configured where they managed to expose their UPnP services to the Internet. That is unfortunate and by the numbers... alarming!

But you still haven't shown me where someone or some business was caused severe harm with their information being stolen or damaged... although using people's networks for an attacker's personal cloud network is insulting enough for sure... and of course there really is no way to know what kind of information they might have leeched from the networks they exploited although a properly configured business network will record access to its data including the IP address that accessed it. This is important when you have data presented to the Internet for access by IP addresses that you cannot predict. Databases that are meant strictly for employee use should be locked down to private IPs only, and even then the data should be encrypted and only accessible by the applications that use the data. But this is a very brutal configuration and it requires constant maintenance which is an expense a lot of businesses can't justify.

I won't disagree that UPnP needs a major overhaul. It needs a security layer at a minimum where some kind of password is required before a device can map a port. It doesn't seem like that would be too difficult to implement in the specification. Why it hasn't been done already is beyond me as the technology has tremendous advantages for all of us and it's installed in enough devices that the standard should be updated and it should have been updated a long time ago in my opinion.

I have UPnP enabled on my router, and I just now used a web-based service to scan my external IP address for vulnerabilities exposed including UPnP, and it came back with ZERO ports exposed to the Internet (UPnP runs on port 1900), so in my specific case and in the case of any properly configured router, it should be no problem running UPnP ... as long as you only install software from reputable companies and you run current antivirus. I still stand by that ... there is no need to be paranoid as long as you're set up properly and you are diligent in being careful in your computer endeavors.

If and when they ever update UPnP to implement security, at that time it won't be such a big deal anymore.

Don't you have your WiFi and your private LAN bridged? If you do, then you should not need to change the IP address assigned to a device. If you switch the device from ethernet to WiFi, you would only need to either update the DHCP server with the different MAC address or simply assign the same static IP address to the alternate interface in the device itself.

Those port forwards didn't work in my case and it doesn't work for many people. Also, when I did get open nat working for COD:MW, I did not need to forward any port numbers under 1024 ... all those lower ports did not need forwarding for OPEN nat to work properly.

This is not true ... all you need to do is re-load the game. Getting OPEN NAT in your Xbox's settings screen is not the same thing as getting OPEN Nat in the COD Games ... they are not the same "NAT connections"...

Hopefully no one has any "unknown devices" running on their home network. I am fully aware of every device I have on my network and I think that's the case for most people.

For anyone interested in the UPnP discussion, I found this link describing a UPnP+ standard that apparently implements security features. This document was published back in 2015 and it's up to device makers to implement it in their devices ... I wonder if there is a way to install it in OpenWRT ...

It's a straight up config via the router, not the console itself. In my case I do have a specific interface added on my main OpenWrt router just for the gaming consoles and I do have one specific vlan for them (with two physical ports). I've configured upnp to only run on that interface which includes the console vlan. Btw, for this setup you have to manually edit the upnp config and add the specific console internal_iface (option internal_iface 'XXX'). It might sound a bit complicated to some people but it's actually a pretty straightforward setup and easy to understand.
Vlans via swconfig with OpenWrt is also pretty easy to understand and if someone has trouble with it there are plenty of guides out there and nice and helpful people within this forum.

Actually DOING that for the average home user ... is pretty much not gonna happen. VLans seem to be difficult enough to discuss with people who are employed within IT ... trying to have those discussions with people who have nothing to do with IT would be a straight up nightmare ... imho.

I would agree that the average home user won't go through the trouble to understand vlans but I think we can expect this from the average OpenWrt user. The other thing is that most consumer routers with stock firmware don't even offer the option to limit upnp for specific IP ranges or devices, it's either ON or OFF which is imho quite badly designed. But we are talking about OpenWrt with upnpd and thankfully we do have these options.

Anyway I do think that upnp will always remain somewhat of a security risk but as I said you can limit that risk at least to a specific device. In my case I don't use UPNP for anything else than my gaming console(s).

I like it!

I used to use DD-WRT until I got this Netgear R7800 and DD-WRT would not allow me to connect via WiFi at speeds over like 200 megabits or some ridiculous number like that. So I decided to try OpenWRT and I'm lovin' it ... I even made a couple of attempts at compiling a custom firmware ... but it's a grueling process and after a few failed attempts, I put that project on the back burner for now ... I'll get back to it soon though cause I love the idea of having the firmware with only what I need in it... that's very appealing to me.

Thanks for sharing your implementation of UPnP.

:slight_smile:


Good Morning,

I apologize for just seeing this, since I resolved this issue for Destiny 2.

TLDR for those who do not want an explanation:
Under UPnP settings, make sure you have "Enable IGDv1 mode" checkbox checked.
Save and Apply
System -> Startup -> miniupnpd -> Restart (miniupnpd doesn't activate settings until it is manually restarted)

Explanation:
Activision games all use the same UPnP implementation, called Demonware.
This software is not UPnP+ compliant.
Currently OpenWRT compiles miniupnpd to advertise itself as a UPnP version 1.1 compliant service.
However IGDv2 is a UPnP version 2.0 service.
This mismatch causes Demonware to fail to even try requesting ports, because it ONLY works with IGDv1 services.

If you compile miniupnpd as a UPnP version 2.0 compliant service, and have IGDv2 enabled, Xbox works fine, but Windows sees it as a generic device and not a router.
If you change to IGDv1, Xbox breaks entirely because now you have a version 2.0 server reporting it only allows version 1.0 services.

IGDv2 is what allows cool things like IPv6 pinhole requests, but we cannot enable it because pretty much all UPnP software clients fail when it is enabled.

In the end, the OpenWRT package should probably ship with IGDv1 mode enabled by default.
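To confirm from a client on the LAN what the router actually advertises after the "Enable IGDv1 mode" change and the miniupnpd restart, here is an added example (mine, not the poster's, and not part of miniupnpd or OpenWrt): it builds a standard SSDP M-SEARCH, parses the responses, and reports the InternetGatewayDevice version from the ST header and the UPnP version from the SERVER header. SAMPLE_RESPONSE is a constructed reply in the shape miniupnpd sends; the address 192.168.0.1 and the LOCATION port 5000 are assumptions, and discover() needs a real network while the parsing functions run offline.

```python
"""Check which IGD version a gateway advertises over SSDP (added example)."""
import socket

SSDP_ADDR = ('239.255.255.250', 1900)
IGD_ROOT = 'urn:schemas-upnp-org:device:InternetGatewayDevice:'

# Constructed sample response modelled on what miniupnpd answers; the UUID,
# address and port are placeholders, not values from any real device.
SAMPLE_RESPONSE = (
    b'HTTP/1.1 200 OK\r\n'
    b'CACHE-CONTROL: max-age=120\r\n'
    b'ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n'
    b'USN: uuid:00000000-0000-0000-0000-000000000000::'
    b'urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n'
    b'EXT:\r\n'
    b'SERVER: OpenWrt/example UPnP/1.1 MiniUPnPd/2.2.x\r\n'
    b'LOCATION: http://192.168.0.1:5000/rootDesc.xml\r\n'
    b'\r\n')


def build_msearch(st=IGD_ROOT + '1', mx=2):
    """M-SEARCH request as defined by the UPnP Device Architecture.
    Searching for IGD:1 mirrors what v1-only clients do."""
    return ('M-SEARCH * HTTP/1.1\r\n'
            f'HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n'
            'MAN: "ssdp:discover"\r\n'
            f'MX: {mx}\r\n'
            f'ST: {st}\r\n\r\n').encode()


def parse_ssdp_response(raw):
    """Return a lowercase header dict for an HTTP/1.1 200 OK SSDP reply,
    or None for anything else (NOTIFY, malformed data)."""
    lines = raw.decode('utf-8', 'replace').split('\r\n')
    if not lines[0].startswith('HTTP/1.1 200'):
        return None
    headers = {}
    for line in lines[1:]:
        if ':' in line:
            key, value = line.split(':', 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def classify_igd(headers):
    """(igd_version, upnp_version): IGD version from the ST device URN,
    UPnP version from the 'UPnP/x.y' token in SERVER; None if absent."""
    st = headers.get('st', '')
    suffix = st[len(IGD_ROOT):] if st.startswith(IGD_ROOT) else ''
    igd = int(suffix) if suffix.isdigit() else None
    upnp = None
    for token in headers.get('server', '').split():
        if token.upper().startswith('UPNP/'):
            upnp = token.split('/', 1)[1]
    return igd, upnp


def advertises_igdv1(responses):
    """True if any (address, headers) pair announces InternetGatewayDevice:1,
    i.e. the device type v1-only clients such as the one described need."""
    return any(classify_igd(h)[0] == 1 for _, h in responses)


def discover(st=IGD_ROOT + '1', timeout=2.0):
    """Multicast an M-SEARCH on the LAN and collect parsed replies
    (requires a network; everything above runs offline)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(st), SSDP_ADDR)
        while True:
            data, addr = sock.recvfrom(4096)
            headers = parse_ssdp_response(data)
            if headers:
                found.append((addr[0], headers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == '__main__':
    for addr, headers in discover():
        print(addr, classify_igd(headers), headers.get('location'))
```

Run it before and after restarting miniupnpd: with IGDv1 mode on, the router should answer the IGD:1 search, and the SERVER token shows the UPnP version the build reports. The `port 5000` in the miniupnpd config later in this thread is where the LOCATION URL's rootDesc.xml is served.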

Has anyone had any luck using DNAT to gain open NAT type on a second Xbox/PS4 whilst both games consoles are simultaneously on the same game?

Sorry for the late post, I would do something like this with miniupnpd using 19.07.7

config upnpd config
	option enabled		1
	option enable_natpmp	1
	option enable_upnp	1
	option secure_mode	1
	option log_output	0
	option download		1024
	option upload		512
	option external_iface	wan
	option internal_iface	lan
	option port		5000
	option upnp_lease_file	/var/run/miniupnpd.leases
	option igdv1		1
	option ext_ip_reserved_ignore '1'

config perm_rule
	option action		allow
	option ext_ports	3074-3075
	option int_ports	3074-3075
	option int_addr		192.168.3.253
	option comment		"Xbox"

config perm_rule
	option action		allow
	option int_ports	3076-3077
	option ext_ports	3076-3077
	option int_addr		192.168.3.252
	option comment		"PS4 for Call Of Duty"


config perm_rule
	option action		allow
	option int_ports	3478-3480
	option ext_ports	3478-3480
	option int_addr		192.168.3.252
	option comment		"PS4 PSN"

config perm_rule
	option action		deny
	option ext_ports	0-65535
	option int_addr		0.0.0.0/0
	option int_ports	0-65535
	option comment		"Deny Others"
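Two of the snippets in this thread are easy to get subtly wrong: the DNAT forwards earlier on (the YYY address has to stay reserved for the console, and that list repeats 3544 and 4500 under two names), and the miniupnpd config just above with per-console perm_rules and the "Deny Others" rule, scoped to the console interface via internal_iface as described earlier in the thread. The following is an added example, mine rather than anything from OpenWrt or the posters: a small UCI reader (not libuci) and two checks, run over constructed sample configs modelled on the snippets. The interface name 'consoles', the MAC and the addresses are assumptions; 'tcp udp' as the default proto of a redirect is OpenWrt's firewall default.

```python
"""Sanity checks for console DNAT forwards and miniupnpd scoping (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed samples shaped like the thread's snippets, not the posters' files.
DHCP_SAMPLE = """
config host
        option name 'XBoxWired'
        option mac 'F0:1D:00:00:00:01'
        option ip '192.168.0.50'
"""
FIREWALL_SAMPLE = """
config redirect
        option name 'XBox Live 3074'
        option src_dport '3074'
        option dest_ip '192.168.0.50'
config redirect
        option name 'XBox Live 3544'
        list proto 'udp'
        option src_dport '3544'
        option dest_ip '192.168.0.50'
config redirect
        option name 'XBox CoD 3544'
        list proto 'udp'
        option src_dport '3544'
        option dest_ip '192.168.0.77'
"""
UPNPD_SAMPLE = """
config upnpd 'config'
        option secure_mode '1'
        option external_iface 'wan'
        option internal_iface 'consoles'
        option igdv1 '1'
config perm_rule
        option action 'allow'
        option ext_ports '3074-3075'
        option int_ports '3074-3075'
        option int_addr '192.168.3.253'
        option comment 'Xbox'
config perm_rule
        option action 'deny'
        option ext_ports '0-65535'
        option int_ports '0-65535'
        option int_addr '0.0.0.0/0'
        option comment 'Deny Others'
"""

_TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")


def parse_uci(text):
    """Minimal UCI reader: list of (type, name, opts) with each option/list
    key mapped to a list of values. Quoted and bare values are accepted."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        words = [a or b or c for a, b, c in _TOKEN.findall(line)]
        if words[0] == 'config':
            name = words[2] if len(words) > 2 else None
            sections.append((words[1], name, defaultdict(list)))
        elif words[0] in ('option', 'list') and sections:
            sections[-1][2][words[1]].append(words[2] if len(words) > 2 else '')
    return sections


def check_redirects(fw_text, dhcp_text):
    """Flag DNAT forwards whose dest_ip has no static lease (DHCP could hand
    that address to another device) and (proto, port) pairs forwarded twice."""
    reserved = {ip for t, _, o in parse_uci(dhcp_text) if t == 'host' for ip in o['ip']}
    seen, unreserved = Counter(), []
    for t, _, o in parse_uci(fw_text):
        if t != 'redirect' or o.get('target', ['DNAT'])[0] != 'DNAT':
            continue
        dest = o.get('dest_ip', [None])[0]
        if dest not in reserved:
            unreserved.append((o.get('name', ['?'])[0], dest))
        for proto in ' '.join(o.get('proto') or ['tcp udp']).split():
            for port in o['src_dport']:
                seen[(proto, port)] += 1
    return {'unreserved': unreserved,
            'duplicates': sorted(k for k, n in seen.items() if n > 1)}


def _broad(addr):
    """True when a perm_rule int_addr covers more than one host."""
    return ipaddress.ip_network(addr, strict=False).prefixlen < 32


def check_upnpd(text):
    """Verify miniupnpd is scoped as the thread describes: a dedicated internal
    interface, secure_mode on, host-specific allows, and a trailing deny-all."""
    secs = parse_uci(text)
    cfg = next((o for t, _, o in secs if t == 'upnpd'), defaultdict(list))
    rules = [o for t, _, o in secs if t == 'perm_rule']
    last = rules[-1] if rules else defaultdict(list)
    internal = cfg.get('internal_iface', ['lan'])[0]
    return {
        'internal_iface': internal,
        'internal_is_wan': internal == cfg.get('external_iface', ['wan'])[0],
        'secure_mode': cfg.get('secure_mode', ['0'])[0] == '1',
        'broad_allows': [r.get('comment', ['?'])[0] for r in rules
                         if r.get('action', [''])[0] == 'allow'
                         and _broad(r.get('int_addr', ['0.0.0.0/0'])[0])],
        'deny_all_last': last.get('action', [''])[0] == 'deny'
                         and _broad(last.get('int_addr', ['0.0.0.0/0'])[0]),
    }


if __name__ == '__main__':
    print(check_redirects(FIREWALL_SAMPLE, DHCP_SAMPLE))
    print(check_upnpd(UPNPD_SAMPLE))
```

On the router itself, pass the real files instead of the samples: `check_redirects(open('/etc/config/firewall').read(), open('/etc/config/dhcp').read())`. secure_mode is reported because with it enabled miniupnpd only honours mappings that point at the requesting client's own address, which is what keeps one console from mapping ports to another LAN host.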

In the Xbox network settings, change the port that the Xbox will use... Then open this port in port forwarding.

God, this thread is so long and you are the only one trying to push openwrt in the correct direction. Why would anyone who just wants to play a game behind a router, and has noticed that his nat type is not as open as when connecting directly to the cable, which prevents many p2p connections from even establishing, be bothered so much rather than just making the firewall work like fullcone nat?

For those who would pull out the “WhAt Is FuLlCoNe NaT?!! I dOnT rEcOgNiZe ThAt TeRm UnLeSs YoU pUlL oUt ThE rFc!! AnD iT bEtTeR bE tHe LaTeSt OnE!!” test again and again, search for “full cone” here: https://www.ietf.org/rfc/rfc3489.txt or search for “Endpoint-Independent” here: https://www.ietf.org/rfc/rfc4787.txt

Even the RFC has already told us the reason why we need this kind of transparency. It's a shame that OpenWRT is not supporting this rule by 2022, when most of the bigger cities' ISPs are moving to ipv6.

Come on, UPnP is not safe, as the OpenWRT wiki warns, and manual port forwarding like this thread did sucks, if it is not impossible. While making UPnP obsolete, give your user base a decent choice.

Edit: I just found who said he doesn't know what "full cone nat" is and asked, and criticized people who teach him again and again https://github.com/openwrt/openwrt/issues/9248#issuecomment-1056900562

Edit 2: For 4 years. DAM. https://github.com/openwrt/openwrt/issues/7021#issuecomment-1040297034