UPnP Clash With Duplicate Initial Port

The Call of Duty games use 3074 for acquiring open NAT type to their games. However, when another instance of the game is running, whether that's from a games console or PC, the second instance of the game won't be able to connect to the server on the same port as NAT is 1:1.

From reading on the internet, Call of Duty uses the UDP port range 3070-3080. This means that if UDP 3074 is already occupied on the first console, in theory the second instance of the game should be able to open up a port on the next available one in its range.

I have put this to the test but it's backfiring badly giving me strict NAT on one of my consoles.

These are steps I have taken and I can reproduce this every time:-

  1. If I turn on my PlayStation 3 games console, load up a Call of Duty game and connect to multiplayer I have open NAT type

  2. If I look at the Active UPnP Redirects list I can see my PS3's LAN IP address assigned to UDP 3074 under the Client Port and External Port

  3. If I turn on my PlayStation 4 games console, load up a different Call of Duty game and connect to multiplayer I'm presented with strict NAT type

  4. If I look at the Active UPnP Redirects list the second time round I can see my PS4's LAN IP address assigned to UDP 3074 under Client Port but under External Port it shows as UDP 307*

UPDATE
Here's the screenshot of the PS4 jumping to UDP 3191 but internally connected to UDP 3074

No surprise there, you cannot have 2 devices bound to the same external port. The first device to connect will get the port and the second will be bound to a different external port.

Yes, that's exactly what happens, except the second games console that initially opens 3074 can't, so it jumps to the next one, which is showing as UDP 3191. However, I'm not getting open NAT and am instead going to strict.

This is the output of my iptables-save command

root@OpenWrt:~# iptables-save
# Generated by iptables-save v1.8.4 on Tue May 12 11:41:10 2020
*nat
:PREROUTING ACCEPT [275:32479]
:INPUT ACCEPT [43:3319]
:OUTPUT ACCEPT [183:13753]
:POSTROUTING ACCEPT [37:3136]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_admin_rule - [0:0]
:postrouting_guest_rule - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_admin_rule - [0:0]
:prerouting_guest_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_admin_postrouting - [0:0]
:zone_admin_prerouting - [0:0]
:zone_guest_postrouting - [0:0]
:zone_guest_prerouting - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A PREROUTING -i eth0.1 -m comment --comment "!fw3" -j zone_admin_prerouting
-A PREROUTING -i br-guest -m comment --comment "!fw3" -j zone_guest_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A POSTROUTING -o eth0.1 -m comment --comment "!fw3" -j zone_admin_postrouting
-A POSTROUTING -o br-guest -m comment --comment "!fw3" -j zone_guest_postrouting
-A MINIUPNPD -p udp -m udp --dport 3658 -j DNAT --to-destination 192.168.1.17:3658
-A MINIUPNPD -p udp -m udp --dport 3074 -j DNAT --to-destination 192.168.1.17:3074
-A MINIUPNPD -p udp -m udp --dport 9308 -j DNAT --to-destination 192.168.1.18:9308
-A MINIUPNPD -p udp -m udp --dport 3191 -j DNAT --to-destination 192.168.1.18:3074
-A MINIUPNPD-POSTROUTING -s 192.168.1.18/32 -p udp -m udp --sport 3074 -j MASQUERADE --to-ports 3191
-A zone_admin_postrouting -m comment --comment "!fw3: Custom admin postrouting rule chain" -j postrouting_admin_rule
-A zone_admin_prerouting -m comment --comment "!fw3: Custom admin prerouting rule chain" -j prerouting_admin_rule
-A zone_guest_postrouting -m comment --comment "!fw3: Custom guest postrouting rule chain" -j postrouting_guest_rule
-A zone_guest_prerouting -m comment --comment "!fw3: Custom guest prerouting rule chain" -j prerouting_guest_rule
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_lan_prerouting -p tcp -m tcp --dport 53 -m comment --comment "!fw3: Force DNS" -j REDIRECT --to-ports 53
-A zone_lan_prerouting -p udp -m udp --dport 53 -m comment --comment "!fw3: Force DNS" -j REDIRECT --to-ports 53
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Tue May 12 11:41:10 2020
# Generated by iptables-save v1.8.4 on Tue May 12 11:41:10 2020
*raw
:PREROUTING ACCEPT [270904:241657238]
:OUTPUT ACCEPT [13308:3444782]
:zone_admin_helper - [0:0]
:zone_guest_helper - [0:0]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
-A PREROUTING -i eth0.1 -m comment --comment "!fw3: admin CT helper assignment" -j zone_admin_helper
-A PREROUTING -i br-guest -m comment --comment "!fw3: guest CT helper assignment" -j zone_guest_helper
COMMIT
# Completed on Tue May 12 11:41:10 2020
# Generated by iptables-save v1.8.4 on Tue May 12 11:41:10 2020
*mangle
:PREROUTING ACCEPT [270904:241657238]
:INPUT ACCEPT [12930:4893694]
:FORWARD ACCEPT [257941:236722196]
:OUTPUT ACCEPT [13312:3445710]
:POSTROUTING ACCEPT [270995:240163536]
-A PREROUTING -d 192.168.1.18/32 -j DSCP --set-dscp 0x28
-A PREROUTING -s 192.168.1.18/32 -j DSCP --set-dscp 0x28
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Tue May 12 11:41:10 2020
# Generated by iptables-save v1.8.4 on Tue May 12 11:41:10 2020
*filter
:INPUT ACCEPT [3:96]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_admin_rule - [0:0]
:forwarding_guest_rule - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_admin_rule - [0:0]
:input_guest_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_admin_rule - [0:0]
:output_guest_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_admin_dest_ACCEPT - [0:0]
:zone_admin_forward - [0:0]
:zone_admin_input - [0:0]
:zone_admin_output - [0:0]
:zone_admin_src_ACCEPT - [0:0]
:zone_guest_dest_ACCEPT - [0:0]
:zone_guest_forward - [0:0]
:zone_guest_input - [0:0]
:zone_guest_output - [0:0]
:zone_guest_src_ACCEPT - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A INPUT -i eth0.1 -m comment --comment "!fw3" -j zone_admin_input
-A INPUT -i br-guest -m comment --comment "!fw3" -j zone_guest_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -i eth0.1 -m comment --comment "!fw3" -j zone_admin_forward
-A FORWARD -i br-guest -m comment --comment "!fw3" -j zone_guest_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A OUTPUT -o eth0.1 -m comment --comment "!fw3" -j zone_admin_output
-A OUTPUT -o br-guest -m comment --comment "!fw3" -j zone_guest_output
-A MINIUPNPD -d 192.168.1.17/32 -p udp -m udp --dport 3658 -j ACCEPT
-A MINIUPNPD -d 192.168.1.17/32 -p udp -m udp --dport 3074 -j ACCEPT
-A MINIUPNPD -d 192.168.1.18/32 -p udp -m udp --dport 9308 -j ACCEPT
-A MINIUPNPD -d 192.168.1.18/32 -p udp -m udp --dport 3074 -j ACCEPT
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_admin_dest_ACCEPT -o eth0.1 -m comment --comment "!fw3" -j ACCEPT
-A zone_admin_forward -m comment --comment "!fw3: Custom admin forwarding rule chain" -j forwarding_admin_rule
-A zone_admin_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_admin_forward -m comment --comment "!fw3" -j zone_admin_dest_ACCEPT
-A zone_admin_input -m comment --comment "!fw3: Custom admin input rule chain" -j input_admin_rule
-A zone_admin_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_admin_input -m comment --comment "!fw3" -j zone_admin_src_ACCEPT
-A zone_admin_output -m comment --comment "!fw3: Custom admin output rule chain" -j output_admin_rule
-A zone_admin_output -m comment --comment "!fw3" -j zone_admin_dest_ACCEPT
-A zone_admin_src_ACCEPT -i eth0.1 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_guest_dest_ACCEPT -o br-guest -m comment --comment "!fw3" -j ACCEPT
-A zone_guest_forward -m comment --comment "!fw3: Custom guest forwarding rule chain" -j forwarding_guest_rule
-A zone_guest_forward -m comment --comment "!fw3: Zone guest to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_guest_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_guest_forward -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
-A zone_guest_input -m comment --comment "!fw3: Custom guest input rule chain" -j input_guest_rule
-A zone_guest_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_guest_input -m comment --comment "!fw3" -j zone_guest_src_ACCEPT
-A zone_guest_output -m comment --comment "!fw3: Custom guest output rule chain" -j output_guest_rule
-A zone_guest_output -m comment --comment "!fw3" -j zone_guest_dest_ACCEPT
-A zone_guest_src_ACCEPT -i br-guest -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to admin forwarding policy" -j zone_admin_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Tue May 12 11:41:10 2020

Okay I've found the culprit. I had these custom firewall rules assigned to the second games console. However, they should only be affecting the DSCP.

#iptables -t mangle -A PREROUTING -p all --dst 192.168.1.18 -j DSCP --set-dscp-class CS5
#iptables -t mangle -A PREROUTING -p all --src 192.168.1.18 -j DSCP --set-dscp-class CS5

I've commented them out and I have open NAT on both consoles.

1 Like

I would tell you to limit the ports that these devices are allowed to open, but if you sorted it out even better.

Please mark this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.

I statically assign most of my LAN devices and you can see from the posts above the PS3 and PS4 are next to each other. You said there's a way to limit the ports the devices open. Would you mind sharing the iptables example please?

Could it then be applied to a specific IP address range? Obviously if the range of addresses migrated and I want a few IPs that weren't in the IP range, I could use ipset, couldn't I?

In regards to the original problem I have uncommented the iptables, clicked save and repeated my steps. Both devices are on open NAT type. Can you explain this odd behaviour of custom iptables? Basically turning the custom iptables off and back on has fixed it. However, my real question is will it stay fixed...

This is not important.

Just create a new ACL in MiniUPnP. Currently you have only one allowing everyone to use from 1024-65535.

1 Like

How can I simulate UDP port 3074 being in use so that my game redirects to another external port?

I've been trying to block UDP port 3074 externally so that my game and games console will realise that the external port isn't reachable and will jump to the next available port.

Currently UPnP handles this well and I can replicate it each time by loading one game on one console and then loading the same game on a different console. I've tried blocking the port using LuCI traffic rules on port 3074. I have no idea if I'm doing it correctly and even if I am, I am quite certain that miniupnpd kicks in before my rules.

It does this if I connect one games console

Unless you can configure the console directly, you cannot. The OS in the console will see port 3074 not utilized by any other application and bind to that.

I cannot comment as I don't know the fallback mechanism of the game.

Flows which use DNAT could be allowed before any drop rules you have configured.
You can check that with:
iptables-save -t filter | grep wan_forward

I've been reading this thread intently...and wondering something...which I never understood when people try to open 2 consoles at the same time...

How does CoD (and all the peers if you're the host) know you're not using 3074???

Not necessarily...in fact PS4 seems to have different ports on a few CoD games:

Please verify for us.

miniupnpd has only ever opened UDP 3074 for me. In fact in the Modern Warfare Remastered options it does state this:-

Seen in a screenshot further up the thread which I've posted a cropped version below, you can see 192.168.1.18 being my PS4 redirects from UDP 3074 to 3191 as my PS3 on the IP address 192.168.1.17 is already using the port.

Both my PS3 and PS4 achieved Open NAT type. This has always been impossible in the past on ISP-provided routers when a friend brought their games console over and both tried to play together on the same game. OpenWrt and miniupnpd seem to be handling this a lot better.

For a test I may disable the UPnP temporarily and try redirecting UDP port 3074 internally to one of the random ports miniupnpd opened up and see if I can still achieve open NAT.

I was just hoping that by either blocking UDP 3074 or manually mapping it to a LAN device one games console, when a second games console was introduced and has access to UPnP it would jump over to the next available one.

1 Like

I have Open NAT on all consoles at the same time in Network Settings and Call of Duty.

I have MiniUPnP and MiniUPnP ACLs configured this way so that only Consoles can open ports and no one else, I use these static IP addresses "192.168.1.8" to "192.168.1.11" on the Consoles. (Network -> DHCP and DNS -> Static leases)

I use this page to know the CIDR Address Range:

About UPnP:

4 Likes
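An added example, not written by any poster in this thread: a Python sketch that parses the MINIUPNPD DNAT lines from the iptables-save output earlier in the thread, flags redirects whose external port differs from the internal one, and checks each redirect against a first-match allow/deny ACL of the kind discussed above. The 192.168.1.16/30 range, the internal port ranges, the 192.168.1.150 mapping and all function names are assumptions made for illustration.

```python
import ipaddress
import re

# The MINIUPNPD DNAT lines copied from the iptables-save output in this thread.
NAT_RULES = """\
-A MINIUPNPD -p udp -m udp --dport 3658 -j DNAT --to-destination 192.168.1.17:3658
-A MINIUPNPD -p udp -m udp --dport 3074 -j DNAT --to-destination 192.168.1.17:3074
-A MINIUPNPD -p udp -m udp --dport 9308 -j DNAT --to-destination 192.168.1.18:9308
-A MINIUPNPD -p udp -m udp --dport 3191 -j DNAT --to-destination 192.168.1.18:3074
"""
# Constructed line (not from the thread): a non-console host opening a port.
EXTRA_RULE = "-A MINIUPNPD -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.150:8080\n"

DNAT_RE = re.compile(
    r"^-A MINIUPNPD -p (\w+) .*--dport (\d+) -j DNAT --to-destination ([\d.]+):(\d+)$")


def parse_mappings(text):
    """Return (proto, ext_port, int_addr, int_port) for every UPnP redirect."""
    found = []
    for line in text.splitlines():
        m = DNAT_RE.match(line.strip())
        if m:
            found.append((m.group(1), int(m.group(2)),
                          ipaddress.ip_address(m.group(3)), int(m.group(4))))
    return found


def acl(action, ext_ports, cidr, int_ports):
    """Build one rule: action, external port range, client network, internal port range."""
    def span(text):
        parts = text.split("-")
        return int(parts[0]), int(parts[-1])
    return action, span(ext_ports), ipaddress.ip_network(cidr), span(int_ports)


# The single allow-everyone rule mentioned in the thread, then an explicit deny-all.
# The internal port range is assumed to equal the external one.
DEFAULT_ACL = [acl("allow", "1024-65535", "0.0.0.0/0", "1024-65535"),
               acl("deny", "0-65535", "0.0.0.0/0", "0-65535")]
# Assumed range: 192.168.1.16/30 covers the .17 and .18 consoles seen above.
CONSOLE_ACL = [acl("allow", "1024-65535", "192.168.1.16/30", "1024-65535"),
               acl("deny", "0-65535", "0.0.0.0/0", "0-65535")]


def evaluate(rules, ext_port, int_addr, int_port):
    """First matching rule wins; None means no rule matched."""
    for action, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and int_addr in net and ilo <= int_port <= ihi:
            return action
    return None


def audit(text, rules):
    """One record per redirect: who holds it, whether it was remapped, ACL verdict."""
    return [{"host": str(addr), "proto": proto, "ext": ext, "int": port,
             "remapped": ext != port, "acl": evaluate(rules, ext, addr, port)}
            for proto, ext, addr, port in parse_mappings(text)]


if __name__ == "__main__":
    for row in audit(NAT_RULES + EXTRA_RULE, CONSOLE_ACL):
        print(row)
```

Run against a saved `iptables-save` dump, the `remapped` flag picks out the 3191 to 3074 redirect from the thread, and the `acl` field shows which existing redirects a tighter ACL would refuse.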

I didn't think of using CIDR to set an IP address range :+1:

I have set up a mask of /29 and assigned two games consoles in the IP range with static IP addresses. Because of the way DHCP works by assigning IP addresses to clients, is there a way I can ensure DHCP doesn't pick the extra IP addresses when there isn't a device assigned to it; something like a DHCP exclude list?

By default the DHCP in OpenWrt assigns an IP between 100 and 249, so you can use the IP addresses from 192.168.1.2 to 192.168.1.99 on your Consoles and in MiniUPnP ACLs, these IP addresses will never be used unless you write them manually on your devices or be used through Static leases in OpenWrt.

Network -> Interfaces -> LAN (Click in Edit) -> DHCP Server Tab -> General Setup Tab

Limit 150 means 100-249.

3 Likes