<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Nat type 2 , type 3 with playstation and xbox in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/176220#M55127</link>
    <description>&lt;P&gt;Yessss, one million times thank you.&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Tue, 12 Sep 2017 22:11:55 GMT</pubDate>
    <dc:creator>aosetek</dc:creator>
    <dc:date>2017-09-12T22:11:55Z</dc:date>
    <item>
      <title>Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17011#M12413</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello Everyone,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I have a problem with NAT that my end users are reporting that I have not been able to get to the bottom of. I am the administrator of a large University&amp;nbsp; and have multiple buildings for on site housing. 2-3k students live on site. Everything production wise is working fine but I keep having repeat tickets from students asking me to fix the nat type so that they can use playstations and xbox from their dorm rooms. I have been playing with the nat rules but have been unable to get them to change from nat type 3 to 2. I am needing some advice on the issue. It is a very simple setup when dealing with our nat. We source nat our users to a pool of IPs and I have included a screenshot. &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG alt="paloalto.JPG.jpg" class="jive-image" height="105" src="https://live.paloaltonetworks.com/legacyfs/online/11430_paloalto.JPG.jpg" style="width: 1247px; height: 104.58194622279129px;" width="1247" /&gt;&lt;/P&gt;&lt;P&gt;Here is my security policy for the game consoles&lt;/P&gt;&lt;P&gt;&lt;IMG alt="paloalto2.JPG.jpg" class="jive-image" height="95" src="https://live.paloaltonetworks.com/legacyfs/online/11431_paloalto2.JPG.jpg" style="width: 1076px; height: 95.43799058084772px;" width="1076" /&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I moved a few of the game users to our Cisco ASA and they go type 2 with no problems but I can not leave them on our asa. 
It was for testing mainly to see if the PA was the problem.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is the issue my end users are telling me they would like us to fix.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="http://manuals.playstation.net/document/en/ps3/current/settings/connecttest.html" title="http://manuals.playstation.net/document/en/ps3/current/settings/connecttest.html"&gt;PS3™ | Internet Connection Test&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="http://netnix.org/2011/09/06/understanding-ps3-nat/" title="http://netnix.org/2011/09/06/understanding-ps3-nat/"&gt;http://netnix.org/2011/09/06/understanding-ps3-nat/&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Anybody else run into this problem or know what could be the issue, because I am not seeing anything that should be making the systems report type 3.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 04 Feb 2014 19:29:52 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17011#M12413</guid>
      <dc:creator>ASU-NetworkTeam</dc:creator>
      <dc:date>2014-02-04T19:29:52Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17012#M12414</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;For all of the functions on a PS3 or XBOX to work properly it is expecting to have ports open to incoming traffic from the Internet.&amp;nbsp; Here is a good article on the different types of NAT for the PS3 &lt;A href="http://community.us.playstation.com/t5/PlayStation-General/NAT-Type-2-Tutorial/td-p/27538324" title="http://community.us.playstation.com/t5/PlayStation-General/NAT-Type-2-Tutorial/td-p/27538324"&gt;NAT Type 2 Tutorial - PlayStation® Community Forums&lt;/A&gt;.&amp;nbsp; On home routers this is addressed by utilizing UPnP or setting up the device on the DMZ.&amp;nbsp; You could achieve this on the Palo Alto but it could be a nightmare for management.&amp;nbsp; Basically you would have to assign static addresses to the gaming devices and then create individual NAT policies for each one (each one requiring a public IP address) and allowing inbound connections to those devices on the ports specified.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 05 Feb 2014 23:45:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17012#M12414</guid>
      <dc:creator>JimS2</dc:creator>
      <dc:date>2014-02-05T23:45:41Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17013#M12415</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;See this thread from last year.&amp;nbsp; They basically created a public vlan for the xbox ports to connect and get a direct address on the internet.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is really hard to swallow that companies like Sony and MS can build networks that don't work with standard internet nat.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/message/10793"&gt;Re: XBOX Live&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;But I also wonder why Palo Alto can't write an app-id to cover this behavior in some way.&amp;nbsp; Surely they have enough academic clients with piles of these game systems in the dorm that would use the solution.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Wed, 05 Feb 2014 23:56:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17013#M12415</guid>
      <dc:creator>pulukas</dc:creator>
      <dc:date>2014-02-05T23:56:50Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17014#M12416</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hello &lt;A href="https://live.paloaltonetworks.com/u1/18984"&gt;noore.ghunaym&lt;/A&gt;,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Looking at applipedia gives us that the below gaming apps are available,&lt;/P&gt;&lt;P&gt;&lt;IMG alt="gaming-apps.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/11460_gaming-apps.PNG.png" /&gt;&lt;/P&gt;&lt;P&gt;If the security rule does not have xbox-live it has to be added for the Pan to process traffic. Now considering the NAT question in regards to PS4 or Xbox one and so on they need open ports, static IP and so on per the above docs. Ideally once the application is defined in the security rule PAN would start to open the ports needed while inspecting the APP. Some applications may have a necessity to open dynamic ports and there may be a need to open predict sessions and analyse the ports and open the ports. If there is a change in the xbox behavior or the way they work or they open certain new ports or so we may need to share the scenario with the PAN support so that the app is enhanced.&lt;/P&gt;&lt;P&gt;Per the &lt;A href="http://support.xbox.com/en-US/xbox-360/networking/network-ports-used-xbox-live" title="http://support.xbox.com/en-US/xbox-360/networking/network-ports-used-xbox-live"&gt;Xbox Network Ports | Xbox 360 Network Ports | Xbox Live Network Ports - Xbox.com&lt;/A&gt; looks like Kinect has a different port number which is not part of the xbox-live.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 06 Feb 2014 13:44:24 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17014#M12416</guid>
      <dc:creator>Phoenix</dc:creator>
      <dc:date>2014-02-06T13:44:24Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17015#M12417</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;I would recommend that you contact your Sales Engineer and have him open a feature request.&amp;nbsp; All of the ideas above seem plausible and doable.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 06 Feb 2014 15:36:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17015#M12417</guid>
      <dc:creator>JimS2</dc:creator>
      <dc:date>2014-02-06T15:36:01Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17016#M12418</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;After doing research on how the game systems work and what the consoles are looking for I was able to find a fix. I would like to thank all of you for your responses and being so helpful.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;dynamic-ip-and-port NAT was the problem. When this type of NAT is used every connection the game console sends out gets a different ip and port. This will not work because the way the consoles communicate is via UDP and they expect to use the same ip and udp port for 2 way communication. dynamic ip and port on PA seems to rotate the ports and ip aggressively. But on a cisco ASA it seems to use the same ip and ports per source ip as long as the connections stay active. Basically cisco ASA does not rotate the ports and ips as aggressively and attempts to maintain the same ports the client used for udp communication. Keep in mind I am using dynamic NAT on the cisco ASA meaning I am using a pool of ip addresses.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I am a heavy user of BSD and linux, so after reading that on bsd and linux firewalls you must have the &lt;SPAN style="color: #444444; font-family: Ubuntu, Helvetica, Arial, sans-serif; font-size: 14px;"&gt;static-port&lt;/SPAN&gt; option enabled, I did some thinking and changed the NAT rule to STATIC. I was able to get away with this because our ISP allocates me a /20. I do not think having a /20 helped in any way because I have known of people who have had 10+ consoles on a single ip and it worked but I did it anyway because I had it available to me. I plan in the near future on just doing away with NAT and doing direct IP assignment.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Here is the FIX that worked for me without special VLANS or opening ports manually or assigning IP addresses directly to clients. 
I put this into production 24 hours ago and students are reporting they are able to use playstation and xbox consoles now showing nat type 2 and moderate when running connection tests. They also have 2 way voice communication now when playing inside of the games.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Changed NAT from dynamic to static. I assign internal /24 ranges to our LAN network in the buildings so I also assigned a /24 public ip address pool. I also made sure bi-directional was set to yes&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG alt="PANATRULESSTATIC.JPG.jpg" class="jive-image" height="286" src="https://live.paloaltonetworks.com/legacyfs/online/11464_PANATRULESSTATIC.JPG.jpg" style="width: 1144px; height: 286px;" width="1144" /&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Step 2 - created an application filter called Game Consoles - I know this was overkill but it included xbox-live and playstation-network.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG alt="ApplicationFilter.JPG.jpg" class="jive-image" height="444" src="https://live.paloaltonetworks.com/legacyfs/online/11465_ApplicationFilter.JPG.jpg" style="width: 893.7662337662338px; height: 444px;" width="894" /&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Step 3 - Create the security rule using the Application Filter and disabled server response inspection&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;&lt;IMG alt="SecurityRule.JPG.jpg" class="jive-image" height="27" src="https://live.paloaltonetworks.com/legacyfs/online/11466_SecurityRule.JPG.jpg" style="width: 1116px; height: 27px;" width="1116" /&gt;&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Step 4 - Cleared the NAT tables via SSH &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Made a few phone calls to the students and asked them to test the connections and I could tell by the OMG it says type 2 ( playstation users ) and for xbox users it says moderate now instead of strict.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;They logged into a few different games and all reported 
it was working without lag and they were able to communicate via the headsets.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I hope this helps people in the future.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Thu, 06 Feb 2014 15:42:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17016#M12418</guid>
      <dc:creator>ASU-NetworkTeam</dc:creator>
      <dc:date>2014-02-06T15:42:13Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17017#M12419</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Did you have to use a different Public IP for each of your NAT rules?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 13 Jun 2014 16:15:54 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17017#M12419</guid>
      <dc:creator>mario11584</dc:creator>
      <dc:date>2014-06-13T16:15:54Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17018#M12420</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;If it was just down to the PA changing the NAT mappings too frequently, you may have been able to get away with mapping all these connections to a custom application definition with a much higher timeout on the UDP field than normal - e.g., an hour.&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 13 Jun 2014 18:56:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17018#M12420</guid>
      <dc:creator>ajbool</dc:creator>
      <dc:date>2014-06-13T18:56:53Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17019#M12421</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;How would you go about doing that?&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Fri, 13 Jun 2014 19:13:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/17019#M12421</guid>
      <dc:creator>mario11584</dc:creator>
      <dc:date>2014-06-13T19:13:18Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/98691#M44149</link>
      <description>&lt;P&gt;I can confirm the solution of&amp;nbsp;noore.ghunaym works.&lt;BR /&gt;In my case I have 1 dynamic IP on the untrust interface.&lt;BR /&gt;I placed the static NAT rule above the general hide NAT rule. Also, I had to enter the current official IP hardcoded in the Source-translation field &amp;nbsp;(translated packet tab), since you can only enter a fixed IP or an address object referring to a fixed IP here. (It's not possible to select an object referring to a FQDN here).&lt;/P&gt;</description>
      <pubDate>Wed, 20 Jul 2016 09:26:01 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/98691#M44149</guid>
      <dc:creator>StevenEerdekens</dc:creator>
      <dc:date>2016-07-20T09:26:01Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/99114#M44168</link>
      <description>&lt;P&gt;When you say "Official IP" do you mean public IP?&lt;/P&gt;</description>
      <pubDate>Thu, 21 Jul 2016 13:19:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/99114#M44168</guid>
      <dc:creator>kbreit</dc:creator>
      <dc:date>2016-07-21T13:19:12Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/176220#M55127</link>
      <description>&lt;P&gt;Yessss, one million times thank you.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 12 Sep 2017 22:11:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/176220#M55127</guid>
      <dc:creator>aosetek</dc:creator>
      <dc:date>2017-09-12T22:11:55Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227215#M65388</link>
      <description>&lt;P&gt;Has anyone found any solution to this? Several years later and PA still refuses to acknowledge this problem. The solution I posted still works but I still believe we should not have to go through with all this considering Cisco Firewalls do not have this issue with dynamic ip and port NAT. I understand PA is a security company but I still have to answer to 4k University Students. I had to request more IPs and do this for our wireless and wired in the dorms.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I think the root of the problem is PA is trying to do this as a NAT type 1 and we are not asking for that. We are in need of NAT type 2 to work and that does not require open inbound ports.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I saw where someone recommended increasing UDP time out; I am going to try that soon. I have to bring a PS4 to work to test this stuff....&lt;/P&gt;</description>
      <pubDate>Wed, 15 Aug 2018 21:39:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227215#M65388</guid>
      <dc:creator>ASU-NetworkTeam</dc:creator>
      <dc:date>2018-08-15T21:39:41Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227224#M65391</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/12469"&gt;@ASU-NetworkTeam&lt;/a&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I ended up putting a feature request in for this but there doesn't seem to be a great way to track it.&amp;nbsp; If you check my post history, I added the FR # to the recent post here&amp;nbsp;to collect&amp;nbsp;known FRs.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We came to the same conclusion you did as we also had an ASA previously.&amp;nbsp; The ASA's PAT implementation utilizes "sticky NAT" as well as a best effort to utilize the ports requested by the client.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We had two solutions and I actually ended up&amp;nbsp;getting invited to do&amp;nbsp;a presentation on a Palo Alto webex to present them to a few other universities.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Solution #1 was to create a EDL for game consoles after we reserved their IP in DHCP.&amp;nbsp; The EDL was used in a Dynamic IP NAT translation which seems more forgiving than DIPP.&amp;nbsp; This was time consuming as students had to call in and let us know they were having issues for us to add them to the list.&amp;nbsp; Furthermore, it didn't solve the issue for every game... 
Ubisoft games especially seem to have a horrible network stack implementation and there are lots of complaints about it on their forums.&amp;nbsp; Combine that with that at least some of their recent AAA titles have been basically peer-to-peer and it gets even worse.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Solution #2 is what we are currently using.&amp;nbsp; We ended up purchasing Infoblox to do DHCP fingerprinting on game consoles and gaming PCs and created superscopes for each residence hall that contained two scopes: one with private addresses and one with some of or publics.&amp;nbsp; Each scope has filters applied to deny consoles the private IPs but allow them to get the publics.&amp;nbsp; Combine that with multinet configuration on our Cisco router for each SVI and we have game devices that pull public IP addresses with no need to do VLAN switching (which can be troublesome for the client even with COA from RADIUS).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That solution seems a bit controversial.... some admins I've talked to said they dislike the idea of handing out public IP addresses but we have them and we don't need all the ones we have for anything else right now.&amp;nbsp; I don't believe we're in a position to lease or sell them so why not.&amp;nbsp; Our firewall blocks all inbound connections to them so it isn't like they can run a web-available server.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The end result is the consoles don't need to NAT and actually usually show Type 1 Open now with some individual game network tests showing Type 2 Moderate.&amp;nbsp; Ubisoft games still aren't always 100% but I can't fix bad programming.&amp;nbsp; My only regret is that my current address space setup doesn't allow me to simply give a public IP to every resident device... they all just work so much better.&amp;nbsp; Maybe IPv6 will help when we get a NAC solution that supports it.&lt;/P&gt;</description>
      <pubDate>Wed, 15 Aug 2018 22:08:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227224#M65391</guid>
      <dc:creator>jsalmans</dc:creator>
      <dc:date>2018-08-15T22:08:03Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227250#M65398</link>
      <description>&lt;P&gt;I have put in more feature requests via our old rep and they are ignored. I will go look them up and post them later. We now have a new sales rep and sales SE as of last month. Slowly restoring my faith in PA customer support.&lt;BR /&gt;&lt;BR /&gt;I have also opened another ticket with PA support and asked them to solve this or provide a solution... we will see what happens.&lt;BR /&gt;&lt;BR /&gt;We have the same situation you are in. I ended up using our packetfence 802.1X to solve the issue for now.&lt;BR /&gt;We have 2 wireless SSIDs. One for SECURE 802.1X access to the network and the other is unencrypted using MAC auth via a user device registration portal.&lt;BR /&gt;&lt;BR /&gt;If they register a gaming console, it puts them in a special Gaming VLAN in each dorm that gets a public ip with all INBOUND blocked. Works like a charm but teaching students how to use the thing is a problem every semester. We provide instructions but nobody reads nowadays......&lt;BR /&gt;&lt;BR /&gt;I requested a new /20 from our ISP and am waiting on a response. If they approve it I am going to just route WAN ip directly to the users and do away with NAT all together. Like you said all inbound will be blocked and if we set the lease time to 4 hours for example it will keep rotating IPs because we have our DHCP set to never hand the device the same IP on renewal to avoid botnets or servers etc.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Thu, 16 Aug 2018 00:42:25 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227250#M65398</guid>
      <dc:creator>ASU-NetworkTeam</dc:creator>
      <dc:date>2018-08-16T00:42:25Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227533#M65473</link>
      <description>&lt;P&gt;Working with PA support on NAT DIPP oversubscription, we might have stumbled across a solution.&lt;BR /&gt;&lt;BR /&gt;I come from a cisco ASA background and always have used nat pool or many to many NAT. Recently we hit a NAT DIPP problem and as a result I personally had to get PA support to explain to me what was going on. After a detailed explanation and each model has a hardware limitation. PA support advised I shrink (use a /25 or smaller ) or stop using NAT pool and just NAT our customer behind a single IP. At first I was very against this idea but after PA support explained for them this is a best practice and because they are confident in how they block botnet and other malware, I broke down and did it. After an hour I noticed a HUGE increase in traffic and as a result we went out and started testing ourselves. We found that things improved overall Latency / packet loss / etc. Also the warnings about NAT on commit went away about downgrading to 1x oversubscription.&lt;BR /&gt;&lt;BR /&gt;I then had several XBOX and PS4 users redo network test and this resulted in OPEN or TYPE 2 NAT depending on the console.&lt;BR /&gt;&lt;BR /&gt;I will confirm on Monday when I take my own PS4 and XBOX to work to test in the office, but I think avoiding NAT pool oversubscription might have fixed this issue, along with the firewall rules I posted early on to open the traffic to XBOX LIVE and Playstation Network.&lt;BR /&gt;&lt;BR /&gt;Also we use secure works to watch our outgoing traffic and after 48 hours and no notifications of botnet / malware from our RESNET. I was really worried going down to smaller subnet or single IP would have made us more vulnerable. I am guessing with us blocking incoming and the PA security features / protections this might be fine, but I am going to wait a full week before I make a final decision.&lt;BR /&gt;&lt;BR /&gt;End result for the NAT was I mapped /22 to /21 for each building WiFi to a single ip. 
We have a large subnet to use thanks to our ISP. As a result I used a different IP for each building to avoid major oversubscription. For LAN users I am still using 1 to 1 NAT /24 to /24&lt;BR /&gt;&lt;BR /&gt;I will report more as we move along but I think this might be a solution. Welcome to feedback since this has been a very deep discussion with PA support.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 19 Aug 2018 20:43:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227533#M65473</guid>
      <dc:creator>ASU-NetworkTeam</dc:creator>
      <dc:date>2018-08-19T20:43:36Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227605#M65490</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/12469"&gt;@ASU-NetworkTeam&lt;/a&gt;&amp;nbsp;I'll definitely be interested to hear the outcome of your tests.&amp;nbsp; I did a ton of troubleshooting with them and I'm not sure we every tried a single IP.&amp;nbsp; I'm actually currently running active/active firewalls and each firewall has access to the same /30 pool of IPs for NAT for each building.&amp;nbsp; It's overkill at this point but I was re-doing our NAT space when we configured these and figured I'd plan in some growth.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I could probably reduce these so each firewall had 1 except if we have a failover scenario the other firewall wouldn't be able to accept the return traffic from the Internet that was originally destined for the downed firewall.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We're looking at a potential hardware upgrade in January and may move to an active/standby deployment.&amp;nbsp; This solution, if it works, might be more feasible to try out at that point.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;That being said, I have to say that using our public IP addresses for the students seems to make a lot of it easier.&amp;nbsp; We've even talked about investigating whether we might have enough just to hand out a public IP for everything in ResNet.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Aug 2018 13:44:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227605#M65490</guid>
      <dc:creator>jsalmans</dc:creator>
      <dc:date>2018-08-20T13:44:08Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227608#M65491</link>
      <description>&lt;P&gt;Yes we stopped doing the active / active due to budget. PA has some really outrageous pricing for active / active. It basically doubles the bill and is not worth it in my opinion. You would be better off upgrading to a more powerful unit and doing active standby for budget reasons from what I have seen.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have Active Standby and use LACP to cisco 4500X routers. It works great and you also have the option to have the standby unit in no shut to keep routing protocol active if needed for faster fail over. Unless you have a need for the active / active because of usage, you are fine changing to active / passive. You know your network better than anyone so don’t just take my word, but it is worth researching it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We have also found that the newer units are much more powerful than our older 5020 and the renewals are much LESS but the upfront purchase cost is ridiculous. I guess PA is going to make $$$ somehow. You would think for the amount of money we pay we could at least get USA support 100%. I get so sick of calling and spending an hour or more getting past the language barrier and then the technical explanation, or someone in India who really does not care and is trying to just get the ticket closed.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So I tested everything this morning, XBOX and ps4. Xbox reports OPEN and ps4 is type 2 and working. The students are happy so far. Also issues with facetime quality and other things are gone. Using NAT pool apparently is a bad idea in palo alto world.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So yes, down to two options. 
Route public WAN addresses to the clients or NAT each subnet to a different WAN address to avoid oversubscription.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I will post screenshots here in a few of what we did&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 20 Aug 2018 14:09:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227608#M65491</guid>
      <dc:creator>ASU-NetworkTeam</dc:creator>
      <dc:date>2018-08-20T14:09:30Z</dc:date>
    </item>
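The post above lands on the practical conclusion of the thread: a dynamic IP-and-port NAT pool gives the consoles a symmetric mapping (PlayStation type 3, Xbox Strict), while either routing public addresses to the clients or giving each subnet its own public address produces a stable mapping (type 2, Xbox Open). The following is an added example, written for this page and not code from any poster or from Palo Alto Networks. It models the three setups as RFC 4787 mapping behaviours and runs the same kind of two-peer mapping test (the RFC 5780 idea) that a console uses to decide what to report. The addresses (RFC 5737 documentation ranges), the client port 3074 and the subnet-to-public-IP table are constructed assumptions; the console type numbers are only a rough correspondence, and Xbox shows Open/Moderate/Strict rather than numbers.

```python
"""Toy model of NAT mapping behaviour versus the NAT type a console reports.

Constructed example, not PAN-OS code. Addresses come from the RFC 5737
documentation ranges and the client port (3074) is an assumption.
"""
from ipaddress import ip_address, ip_network
from itertools import count

Addr = tuple[str, int]  # (ip, port)


class NoNat:
    """Option 1 in the thread: route public addresses to the clients."""

    def translate(self, src: Addr, dst: Addr) -> Addr:
        return src


class PerSubnetNat:
    """Option 2: one public IP per student subnet, source port preserved.

    The mapping depends only on the internal socket (RFC 4787
    endpoint-independent mapping), so every peer sees the same external
    address for a given console.
    """

    def __init__(self, subnet_to_public: dict[str, str]):
        self.subnet_to_public = {ip_network(k): v for k, v in subnet_to_public.items()}
        self.table: dict[Addr, Addr] = {}
        self.in_use: set[Addr] = set()

    def translate(self, src: Addr, dst: Addr) -> Addr:
        if src in self.table:
            return self.table[src]
        public_ip = next(
            (ip for net, ip in self.subnet_to_public.items() if ip_address(src[0]) in net),
            None,
        )
        if public_ip is None:
            raise ValueError(f"no NAT rule for {src[0]}")
        port = src[1]
        while (public_ip, port) in self.in_use:  # port collision: walk forward
            port = 1024 if port >= 65535 else port + 1
        mapped = (public_ip, port)
        self.in_use.add(mapped)
        self.table[src] = mapped
        return mapped


class DippPoolNat:
    """The original setup: dynamic IP-and-port pool.

    Each (src, dst) flow draws its own pool IP and port (address-and-port-
    dependent mapping, i.e. symmetric NAT). The reflexive address a console
    learns from one peer therefore says nothing about the next peer.
    """

    def __init__(self, pool: list[str], first_port: int = 40000):
        self.pool = pool
        self.table: dict[tuple[Addr, Addr], Addr] = {}
        self._ports = count(first_port)

    def translate(self, src: Addr, dst: Addr) -> Addr:
        key = (src, dst)
        if key not in self.table:
            n = len(self.table)
            self.table[key] = (self.pool[n % len(self.pool)], next(self._ports))
        return self.table[key]


# Two constructed peers standing in for the STUN-style servers a console probes.
PEERS = [("203.0.113.10", 3478), ("198.51.100.20", 3478)]


def mapping_behavior(nat, client: Addr) -> str:
    """RFC 5780-style mapping test: one internal socket, two peers, compare
    the external address each peer would report back."""
    mapped = [nat.translate(client, peer) for peer in PEERS]
    if mapped[0] == client:
        return "none"
    if mapped[0] == mapped[1]:
        return "endpoint-independent"
    return "address-and-port-dependent"


def playstation_nat_type(nat, client: Addr) -> int:
    """Rough correspondence to what the console shows: 1 = public IP on the
    console, 2 = behind a NAT with a stable mapping, 3 = symmetric NAT."""
    return {"none": 1, "endpoint-independent": 2, "address-and-port-dependent": 3}[
        mapping_behavior(nat, client)
    ]


def demo() -> dict[str, int]:
    dorm_console = ("10.20.30.40", 3074)
    return {
        "routed public address": playstation_nat_type(NoNat(), ("192.0.2.77", 3074)),
        "one public IP per subnet": playstation_nat_type(
            PerSubnetNat({"10.20.30.0/24": "192.0.2.30"}), dorm_console
        ),
        "DIPP pool": playstation_nat_type(
            DippPoolNat(["192.0.2.1", "192.0.2.2"]), dorm_console
        ),
    }


if __name__ == "__main__":
    for setup, nat_type in demo().items():
        print(f"{setup}: NAT type {nat_type}")
```

The point of the per-subnet class is the second half of the thread's advice: with one public address per subnet the mapping is still endpoint-independent even when two consoles in the same dorm both bind port 3074, because the collision is resolved once and then reused for every peer, whereas the pool class hands out a fresh address per flow and so can never pass the two-peer test.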
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227609#M65492</link>
      <description>&lt;P&gt;Wow, your setup sounds a lot like mine.&amp;nbsp; We've got two 5060 units currently with two Cisco 4500-X in VSS to serve as routers for some of the networks and as fiber aggregation since the 5060s are limited on 10G port count.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We've actually had a lot of issues with the 4500-X stack, mainly because our current (and admittedly old) network design involves using policy-based routing to push all traffic through the firewall for security and access control.&amp;nbsp; We're also using VRF... VRF + PBR + no ip redirects = PBR failing.&amp;nbsp; Cisco says the config isn't supported on that platform when using VRFs...&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Our active/active was mostly for having dual-homed 10G connectivity to AREON.&amp;nbsp; The former Network Services manager wanted to make as much use of the firewalls as possible... I agree, although we honestly don't push enough traffic to saturate even one of those 10G connections.&amp;nbsp; If we go with the 5200 series we were looking at one that will do at least 20G with App-ID and Threat turned on, and that would pretty much eliminate the last reason not to go with active/standby.&amp;nbsp; It's going to simplify our network design too, as I've had all sorts of issues trying to get ECMP working with PBR on our older Cisco hardware.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Aug 2018 14:17:21 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227609#M65492</guid>
      <dc:creator>jsalmans</dc:creator>
      <dc:date>2018-08-20T14:17:21Z</dc:date>
    </item>
    <item>
      <title>Re: Nat type 2 , type 3 with playstation and xbox</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227610#M65493</link>
      <description>&lt;P&gt;I updated our Cisco 4500X to the latest gold star and gained route-map ability and started using that. In the latest gold star release you do not need an enterprise license to do a lot of things.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Our setup used to look like yours, but I got sick of it and changed lots of it to route maps and ACLs because troubleshooting turned into a pain in the rear and also TAC kept saying the same thing to us. SIMPLE is better. You should really look at Nessus and do NetFlow etc. to it for security and scans. Take some of the load off that FW and save $$$. Also we use PacketFence for 802.1X with a&amp;nbsp;&lt;SPAN&gt;Suricata box we mirror all traffic to. They work together and trigger violations to keep problem users off the network. Also it is free.... We are also going to integrate Nessus into our PacketFence security once we get the licenses for Nessus to do end-user devices.&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We are looking to change from 5020 to 3260 for budget reasons. The renewal is 60% less a year.&lt;/P&gt;</description>
      <pubDate>Mon, 20 Aug 2018 14:33:35 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/nat-type-2-type-3-with-playstation-and-xbox/m-p/227610#M65493</guid>
      <dc:creator>ASU-NetworkTeam</dc:creator>
      <dc:date>2018-08-20T14:33:35Z</dc:date>
    </item>
  </channel>
</rss>

