It’s been a while since I’ve played any games online with my Nintendo switch, and I quickly remembered the issues with NAT types on the Switch.
When I checked, I had a NAT type of F, which will not allow online gaming. I found the guides on setting up the Hybrid NAT rules in Pfsense, but my type was still F. I then loosened up my outgoing port rules for that VLAN, and got a NAT type of B.
After tightening them back up a bit and looking online, it looks like the UDP range 1024 through 65535 is expected for outgoing UDP traffic. Is that right? That is a ton of ports, and possibly no better than just enabling uPnP.
Do I really need such a wide range to be able to maintain this NAT type B?
Yeah, that’s just basically every unregistered UDP port… Not much you can do about it since Nintendo has struggled to understand the internet and its uses since the Famicom.
And no, for the love of God don’t enable uPnP. It’s still pretty much the worst thing you can do.
Why is uPnP the worst thing you can do?
In normal operation a router or firewall running NAT will allow you to access the internet and receive traffic you requested and drop any unsolicited traffic originating from the internet.
If you were to access google, your PC will try to access google.com on port 443 with your PC being the source of port 5673 (any number between 1024 and 65000ish). Any traffic from Google to you will be permitted provided they are using the correct port pairings. If google then decides I am going to send you traffic on port 5677 your router/firewall will drop the traffic as it is unsolicited.
Now for the problem. Upnp allows a piece of software running somewhere in your house to register itself with your router and say “hey, if you see traffic destined for port 5555 from anywhere on the internet forward it to me, even if I didn’t start the conversation”. Considering how bad software is written this can give a threat actor a beachhead into your LAN to then vomit as much traffic back out as it wants, it could be a DDoS a mining not or just regular traffic sniffing.
While you’re opening most outbound UDP ports for just the switch, a uPnP vulnerability has the possibility of letting an attacker open ports, especially inbound registered ports (SSH, RDP, etc), for all devices.
If you do everything right (wifi client isolation, if your WAP has that option) opening the port for the switch is “essentially” as safe as it can be. The safest being Nintendo listing their public IPs but I think switch games use P2P which is why they don’t.
deleted by creator
As far as I remember the Switch doesn’t actually use uPnP. The only thing that I had to do to achieve NAT Type B was an outgoing NAT with static port enabled. If I understood right, NAT Type A can only be achieved if your device literally had a WAN address.
My best advice would be to make sure you enable static port mapping on your NAT rules. That usually helps a lot of NAT traversal things like games.
And no, Nintendo doesn’t understand networking in the slightest and asking people to forward every single port is BS.
I put my Nintendo Switch into a DMZ/own vlan. It was simpler and so I can get a NAT type A on it.
Just get a steam deck instead
The real answer
Can I play super smash bros ultimate with my friends? Because that’s all I use handhelds for really :) deck does seem nice though
Yes, you can https://yuzu-emu.org/help/feature/multiplayer/
Holy shit they are actually suggesting to put their console in DMZ??? https://en-americas-support.nintendo.com/app/answers/detail/a_id/22272 https://en-americas-support.nintendo.com/app/answers/detail/a_id/22489
There was nobody in the company that said “but wait”?
If someone has more than a console per household needs to get another internet connection in order to online play?
Networking isn’t their strong suite, lol