New Member
Posts: 11
Registered: ‎02-05-2019

Configure Firewall for PS4

Need some help here with the Firewall on EdgeMax 5PoE Router.

 

Configure from scratch with wizard enabling firewall.

 

eth0 is WAN

eth1 is Local Network ( Ubi Switch )

 

Starting up PS4 and checking the Connection. It says NAT 3 (Strict)

 

Can not play several games and Party seems to be at least "Rocky"

 

Can not understand why it gives me Strict ? Have uPnP enabled.

 

Need a good tutorial or a smart guide on this.


Established Member
Posts: 1,595
Registered: ‎07-07-2014
Kudos: 375
Solutions: 105

Re: Configure Firewall for PS4

Hi @Xenix-44 ,

 

How have you enabled upnp? Are you using upnp2?

Have you double checked that your 'listen-on' and 'wan' interfaces are defined correctly?

Is your Edgerouter receiving a public IP address on eth0 (WAN), or might you be double-natted?

 

Maybe you could post your config for review, too?

New Member
Posts: 11
Registered: ‎02-05-2019

Re: Configure Firewall for PS4

Hi there.

Good to hear from somebody so fast.

As I said, have made no changes to initial setup except:

Enabling uPnP

eth0 is wan

eth1 is local switch

How do I download the settings?

 

Established Member
Posts: 1,595
Registered: ‎07-07-2014
Kudos: 375
Solutions: 105

Re: Configure Firewall for PS4

Hi @Xenix-44 ,

 

You can follow these instructions to download and extract the configuration from the GUI:

 

https://help.ubnt.com/hc/en-us/articles/360002535514-EdgeRouter-Backup-and-Restore-Configuration

 

Or if you are comfortable with the command line, SSH into the router and run this command:

 

show configuration | no-more

And it'll pipe everything out. You're welcome to alter or hide PUBLIC IP addresses, but please keep the private IPs intact. It's helpful if you use the "Insert Code" button up top to paste it in so it's easily readable.

 

Also, please check your WAN IP address.  You want to make sure it's a publicly routable IP address, not a private IP.  You can safely post the first two numbers of the address if you're unsure (If your address is 12.13.14.15, you can post that it starts "12.13")

New Member
Posts: 11
Registered: ‎02-05-2019

Re: Configure Firewall for PS4

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        poe {
            output off
        }
        speed auto
    }
    ethernet eth1 {
        address 192.168.1.1/24
        description Local
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth2 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth3 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    ethernet eth4 {
        description "Local 2"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.2.1/24
        description "Local 2"
        mtu 1500
        switch-port {
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN1 {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
            }
        }
        shared-network-name LAN2 {
            authoritative enable
            subnet 192.168.2.0/24 {
                default-router 192.168.2.1
                dns-server 192.168.2.1
                lease 86400
                start 192.168.2.38 {
                    stop 192.168.2.243
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on eth1
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        disable
    }
    upnp {
        listen-on eth1 {
            outbound-interface eth0
        }
        listen-on eth2 {
            outbound-interface eth0
        }
        listen-on eth3 {
            outbound-interface eth0
        }
        listen-on eth4 {
            outbound-interface eth0
        }
    }
}
system {
    host-name Maxedge
    login {
        user admin {
            authentication {
                encrypted-password XXX
                plaintext-password ""
            }
            full-name "XXX"
            level admin
        }
        user ubnt {
            authentication {
                encrypted-password $6$9691F1.eY500FjHu$8nIalnUozu1kVKlHYouUneqJGvzKxfQDqyE5bkUnA5WPHPN.X1dnFJ78NKdWe.COS6wTfYB5aRFnUmSODqWnS1
            }
            level admin
        }
    }
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone UTC
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.0.5155284.190104.0701 */
New Member
Posts: 11
Registered: ‎02-05-2019

Re: Configure Firewall for PS4

WAN IP starts with 100.124....

Has been working great with a USG20 for 5 years before switching...

Have Cameras and Servers and Alarm that I controlled from www....

Have not port forwarded yet, regarding these things, will do when I know it works with PS4....

 

Established Member
Posts: 1,595
Registered: ‎07-07-2014
Kudos: 375
Solutions: 105

Re: Configure Firewall for PS4

Thanks! A couple of things:

 

- because you're using the switch0 interface for eth2, eth3, and eth4, use 'switch0' as the interface when referencing any of those ports, they aren't separated anymore, they are a part of switch0.  So your 'listen on' interface for those ports should simply be 'switch0' - but you said your PS3 is on eth1 so that isn't your exact problem here

 

- try setting up upnp2. You can do this through the web interface in the "Config Tree" tab:

On the left, expand "Service"

Then click "upnp2"

Set the listen-on interface to eth1 (and you can click the Add button to add another interface, switch0)

Set nat-pmp to enable

Leave port blank

Set secure mode to disable

Set wan to eth0

 

Save/Apply the change.  Reboot your PS4 so that it tries to open a port through upnp2.

 

From the command line on the router, you can run:

show upnp2 rules

 

 

For example, here's an excerpt of my output:

 

NAT port forwards
 pkts bytes target     prot opt in     out     source               destination
  174 10853 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:13833 to:10.0.33.200:32400
    1   137 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3074 to:10.0.33.110:3074

My xbox (at 10.0.33.110) has opened port 3074, and my Plex server (10.0.33.200) has opened port 32400.
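
An added example, not part of the original post: one way to turn the "NAT port forwards" section of `show upnp2 rules` into a list of who opened what, so that mappings from hosts you did not expect stand out. The column layout is taken from the excerpt above; the `allowed_hosts` set and the function names are hypothetical.

```python
import re

# Constructed sample: the excerpt quoted in the post above.
SAMPLE = """\
NAT port forwards
 pkts bytes target     prot opt in     out     source               destination
  174 10853 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:13833 to:10.0.33.200:32400
    1   137 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3074 to:10.0.33.110:3074
"""

# One DNAT row: counters, protocol, WAN port (dpt) and the LAN host:port it maps to.
DNAT_RE = re.compile(
    r"^\s*(?P<pkts>\S+)\s+(?P<bytes>\S+)\s+DNAT\s+(?P<proto>tcp|udp)\s.*?"
    r"dpt:(?P<wan_port>\d+)\s+to:(?P<host>\d+(?:\.\d+){3}):(?P<lan_port>\d+)\s*$"
)


def parse_forwards(text):
    """Return one dict per UPnP port forward; header and blank lines are skipped."""
    forwards = []
    for line in text.splitlines():
        m = DNAT_RE.match(line)
        if m:
            forwards.append({
                "proto": m["proto"],
                "wan_port": int(m["wan_port"]),
                "host": m["host"],
                "lan_port": int(m["lan_port"]),
            })
    return forwards


def unexpected(forwards, allowed_hosts):
    """Forwards opened by LAN hosts that are not on the (hypothetical) allow list."""
    return [f for f in forwards if f["host"] not in allowed_hosts]


if __name__ == "__main__":
    rules = parse_forwards(SAMPLE)
    for f in rules:
        print(f'{f["proto"]} WAN:{f["wan_port"]} -> {f["host"]}:{f["lan_port"]}')
    # Only the console at 10.0.33.110 is expected to request mappings here.
    print("review:", unexpected(rules, {"10.0.33.110"}))
```

An empty result from `parse_forwards` means no client has opened a mapping at all.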

New Member
Posts: 11
Registered: ‎02-05-2019

Re: Configure Firewall for PS4

Did these settings as you said and have pressed "preview" and then "Apply". Now I will start my PS4 and check....
Established Member
Posts: 1,595
Registered: ‎07-07-2014
Kudos: 375
Solutions: 105

Re: Configure Firewall for PS4


@Xenix-44 wrote:

WAN IP starts with 100.124....

 

 


 

I have some bad news - that's not a publicly routable IP address.  That's a "Carrier Grade NAT" address.

 

https://en.wikipedia.org/wiki/Carrier-grade_NAT

 

I think you may continue to run into issues even with upnp2 or port forwarding rules.

New Member
Posts: 11
Registered: ‎02-05-2019

Re: Configure Firewall for PS4

Got this from the router :

admin@Maxedge:~$ show upnp2 rules
Firewall pin holes
pkts bytes target prot opt in out source destination
 
 
NAT port forwards
pkts bytes target prot opt in out source destination
 
pkts bytes target prot opt in out source destination
 
------------/
 
Got it after starting the PS4....  Nothing it seems....
And the PS4 is still indicating NAT to Type 3 - Strict.
 
But it has been working for 5 years with the same ISP and a Zyxel USG20 ?
 
Whats the difference now ? 
 
 

 

New Member
Posts: 11
Registered: ‎02-05-2019

Re: Configure Firewall for PS4

And also...

 

I got 4 cameras

I got Alarms

I got "Smart Home"

 

All these are working with the Zyxel USG and Port Forwarding ????

 

It should not work if I had Carrier Grade NAT.....

 

New Member
Posts: 11
Registered: ‎02-05-2019

Re: Configure Firewall for PS4

Hi again.

You can answer if you have the time, but I looked at my ISP invoice, and I am paying for "public IP" with them because of my server I access at home. So no problems there...

 

God I need this fixed....

Established Member
Posts: 1,595
Registered: ‎07-07-2014
Kudos: 375
Solutions: 105

Re: Configure Firewall for PS4


@Xenix-44 wrote:

Hi again.

You can answer if you have the time, but I looked at my ISP invoice, and I am paying for "public IP" with them because of my server I access at home. So no problems there...

 

God I need this fixed....


But the address you posted is not a public address.  If you go to http://www.ipchicken.com, does it show the same address? I think it will not.

 

What's the device in front of the Edgerouter? A modem? Maybe it needs to be reconfigured for the Edgerouter to give it a real public address?

Member
Posts: 1,089
Registered: ‎09-13-2018
Kudos: 231
Solutions: 72

Re: Configure Firewall for PS4

[ Edited ]

In addition to the link posted by @jms33 see this link IPv4 shared address space and the other special use IPv4 addresses

 

100.64.0.0/10 (100.64.0.0 - 100.127.255.255) are reserved for ISPs using CGN (Carrier Grade NAT)

 

If you are paying for a public address, what is returned by ipchicken.com or whatismyipaddress.com should be the same ip address as your "WAN" eth0 interface is getting via the ISP's DHCP server.

 

This is usually based on the MAC address on your router.  If you have changed routers, you will need to let your ISP know what mac address to tie to the public ip address.  Alternatively, you can set the MAC address of the eth0 interface to be identical to what was on the router that worked.  But if you plan to keep the router, I would have the ISP change the MAC address registered to your account.

 

When you call them, they should be able to see what mac address you are connecting from, if you give them the ip address that is associated with your eth0 interface. 
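
An added example, not part of the original post: the check described above (is the eth0 address inside 100.64.0.0/10, and does it match what an external site reports?) written out with Python's standard `ipaddress` module. The function names and the sample addresses are assumptions; 100.124.0.1 stands in for the thread's "100.124...." and documentation addresses stand in for real public ones.

```python
import ipaddress

# RFC 6598 shared address space, the CGN block quoted in the post above.
CGN_SHARED = ipaddress.ip_network("100.64.0.0/10")
# RFC 1918 private ranges, typical behind a modem that does its own NAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return 'cgn', 'private', 'special' or 'public' for an IPv4 address."""
    ip = ipaddress.IPv4Address(addr)
    if ip in CGN_SHARED:
        return "cgn"
    if any(ip in net for net in RFC1918):
        return "private"
    if (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return "special"
    return "public"


def diagnose(wan_addr, external_addr):
    """Compare the eth0 address with the address an external site reports."""
    kind = classify(wan_addr)
    if kind == "cgn":
        return "cgn: the ISP translates; forwards on this router are not reachable"
    if kind == "private":
        return "double-nat: the device in front of the router is doing NAT"
    if kind == "special":
        return "invalid: not a usable WAN address"
    if ipaddress.IPv4Address(external_addr) != ipaddress.IPv4Address(wan_addr):
        return "mismatch: traffic is translated somewhere upstream"
    return "direct: eth0 holds the public address"


if __name__ == "__main__":
    # Constructed samples (WAN address on eth0, address seen from outside).
    for wan, ext in [("100.124.0.1", "203.0.113.10"),
                     ("192.168.0.2", "203.0.113.10"),
                     ("203.0.113.10", "198.51.100.7"),
                     ("203.0.113.10", "203.0.113.10")]:
        print(wan, ext, "->", diagnose(wan, ext))
```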

New Member
Posts: 11
Registered: ‎02-05-2019

Re: Configure Firewall for PS4

Hello.

Did this yesterday evening, and after restart I now have a public IP starting with 37.xxx.xxx.xxx

Did not have the possibility to test PS4 or port forwarding yesterday, but will try it out tonight.

Thanks so far, update and results will soon be posted.

Regular Member
Posts: 570
Registered: ‎11-13-2017
Kudos: 157
Solutions: 13

Re: Configure Firewall for PS4

[ Edited ]

Hi

 

ignore this if it was answered, no time to read all posts but I did exactly what you need so there are just 2 simple steps:

 

1. Services - your DHCP server - Static mapping - Create new mapping, and give your PS4 a static IP. Remember wifi has a different MAC address than the LAN port, but as a true player you're of course using a LAN cable..

2. Firewall/NAT - Port forwarding - forward ports 80-20000 to the static IP address of your PS4, both TCP&UDP

 

PS4 uses many different ports, usually all ports are forwarded but if I remember correctly that range 80-20000 is ok, if you need some other ports on your public IP for other devices, as you wrote (IP cam etc).

 

**REMEMBER** checking network status via Settings - Network in PS4's menu is NOT OK, there is always NAT Type 2 no matter if you have public IP or not (that is what you need (from your ISP) - public IP). The best method to check your network status correctly is a Call of Duty game in multiplayer menu, there you can see

 

Open (public IP)

Moderate (no public IP)

Strict (unable to NAT to internet).

 

br

New Member
Posts: 11
Registered: ‎02-05-2019

Re: Configure Firewall for PS4

Thanks.

Will test later and get back.

Only connected by cable.

Play only COD, so the suggestions you had are easy to test.

Must get this working before League Play starts!

 

Comp Master since BO2...

Regular Member
Posts: 570
Registered: ‎11-13-2017
Kudos: 157
Solutions: 13

Re: Configure Firewall for PS4

I guess you bought EdgeRouter because of SmartQoS function? to keep your ping low even when your internet connection is fully used? So I will repeat:

To test your "Bufferbloat" go here http://www.dslreports.com/speedtest, start the test, REMEMBER don't switch to other tabs in the browser when the test is running (non-active tabs have low CPU priority). That speedtest performs a speedtest and measures ping during that time. After the test check Bufferbloat, you want the A or A+. If you don't have it, turn on Smart QoS.

 

New Member
Posts: 11
Registered: ‎02-05-2019

Re: Configure Firewall for PS4

All is working really good!

Enabled UPNP2 on Router, and then surfed to my ISP, and asked for a public address. My old router's MAC address was listed there... After that, everything Worked 100% 👍🏻

 

Thanks for helping out!