Games

UPnP / NAT Types for Consoles on pfsense

Short Version

Give the console a reservation/static IP – /services_dhcp.php
Enable UPnP – /pkg_edit.php?xml=miniupnpd.xml
Create an outbound NAT (change to hybrid if needed) for the IP – /firewall_nat_out.php

Why?

If you’re having connection or matchmaking issues in games you might be in strict NAT mode. Most consoles (and some PC games) recommend UPnP. There are some security risks involved with this. You can search and weigh those out for yourself, that’s not what this post is about. Most home routers you can click a checkbox and it’s done. I had to do some looking to get it working with my pfsense setup. Here are the steps.

Set a reservation/static IP for the device

Setting a static IP will be different for each device. Creating a DHCP reservation is probably the best way to do this.

If you’re using a pfsense for your DHCP server go to Status > DHCP Leases

Find the device on the DHCP Leases table. Click the + box on the left side to create a static mapping.

Give the device an IP address. You can also assign it a hostname, different gateway and DNS servers, etc. if you’d like. Remember the IP and click Save at the bottom of the page.

Enable UPnP

Go to Services > UPnP & NAT-PMP in the web interface.

Check the checkboxes for Enable UPnP & NAT-PMP, Allow UPnP Port Mapping and Allow NAT-PMP Port Mapping. I don’t know if you need Allow NAT-PMP Port Mapping enabled for most games/consoles. I enabled it anyways.

Click Save at the bottom.

Create an outbound NAT

Go to Firewall > NAT in the web interface.

Click the Outbound tab in the NAT Port Forward page.

Click Hybrid Outbound NAT rule generation. if not already set. Click Save.

Click either Add button below the mappings table. Your mappings table might be different than the screenshot below.

Change Address Family to IPv4 and source to the reserved/static IP set above.

Check the Static Port checkbox in the Translation section. Click Save to save the rule.

Click Apply Changes to apply changes.

You may need to reboot your device to get the new IP if you did not reserve the IP it already had from the DHCP server.

This has been tested on PS3 PS4 Nintendo Switch and some newer PC games (Destiny 2, Call of Duty, etc.).