Client complains he is unable to play online, message he gets is something about “Strict NAT”
But what does this actually mean? Certain ports being blocked?
If memory serves, games in question are COD and Rainbow 6.
Maybe this brings us into another related topic, about “opening ports”. From time to time I’m asked to “open port” xxxx.
From my knowledge, someone sitting behind cone NAT will not benefit from simply “opening a port”, i.e. allowing a certain incoming port to pass the firewall, it also has to be DST-NATed to the correct internal IP. Or am I wrong?
Is this topic somehow related to the “Strict NAT” concept?
Firstly, I got a little scared that your account was hacked and the link was a virus, but opened on phone, all ok
From the article:
"To make the firewall/router from strict to open, actually Microsoft's devices are looking for three UDP ports to be properly routed. If you can add the following ports to the NAT rules on the router, it will be considered open:
UDP port 5060;
UDP port 5061;
UDP port 3074;"
So what do they mean by “properly routed”, and what am I supposed to setup in /ip firewall?
Well, if you enable UPnP (be sure you know what you’re doing before opening that door) then the XBoxes will be able to open ports themselves w/o needing a static internal IP address.
If this router sits in front of multiple tenants, then they may fight over the port numbers, so ymmv.
At the very least - if you do use UPnP, make absolutely certain that the service is configured not to listen on the WAN interface(s).
EDIT: The port to block is udp 1900 and tcp 1900 - make INPUT chain rules in the filter table that drop this port when in-interface=wan
I am running CapsMan on the site in question, with separate networks for employees and users (children).
Is it possible to configure UPnP using CapsMan? I mean add the capsman bridge as internal interface?
UPnP is configured on the router, not the APs.
Your APs will be bridging two different SSIDs to two different VLANs on your router that each are doing NAT to outside, and you can enable UPnP just on the VLAN where you want it to work.
Note that UPnP is a gaping security hole so you want it only on “guest-type” networks, not where employee workstations live.
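Putting the answers above together as RouterOS CLI: a dst-nat rule for the three UDP ports from the quoted article (the “properly routed” part, which is what the /ip firewall question is asking for), UPnP limited to the guest VLAN, and the WAN-side block for port 1900. This is an added example, not configuration posted in the thread; the interface names ether1 and vlan20-guest and the console address 192.168.88.50 are assumptions.

```routeros
# 1) Forward the three UDP ports the console expects. A port forward is a
#    dst-nat rule, not just a firewall accept; the packet must be rewritten
#    to the console's LAN address or it never leaves the router.
#    Assumed: WAN is ether1, the console sits at 192.168.88.50 (fixed lease).
/ip firewall nat
add chain=dstnat in-interface=ether1 protocol=udp dst-port=3074,5060,5061 \
    action=dst-nat to-addresses=192.168.88.50 comment="console: strict->open NAT"

# The default RouterOS forward chain only drops WAN traffic that was NOT
# dst-natted, so the rule above is enough there. A custom ruleset that drops
# all new connections from WAN needs an accept placed above that drop:
/ip firewall filter
add chain=forward connection-nat-state=dstnat connection-state=new \
    in-interface=ether1 action=accept comment="allow forwarded ports" place-before=0

# 2) Alternative for several consoles: let them open their own mappings with
#    UPnP, but only on the guest VLAN (assumed name vlan20-guest), never on the
#    employee network. A static dst-nat can only point one port at one host.
/ip upnp
set enabled=yes allow-disable-external-interface=no
/ip upnp interfaces
add interface=ether1 type=external
add interface=vlan20-guest type=internal

# 3) Keep the UPnP/SSDP service off the Internet: drop udp and tcp 1900 on the
#    WAN input chain, placed above any rule that would accept it.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=1900 action=drop \
    comment="block SSDP/UPnP from WAN" place-before=0
add chain=input in-interface=ether1 protocol=tcp dst-port=1900 action=drop \
    comment="block SSDP/UPnP from WAN" place-before=0
```

The fixed dst-nat target only stays valid if the console keeps its address, so pin it with a static DHCP lease; with UPnP that step is not needed, which is why the UPnP answer above mentions it.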