Router/NAT settings to strict "fix"

Spuds725
I'm not sure how prevalent the above problems have been for people-- it was a major pain for me-- I was recently linked to a site that lists port forwarding settings for routers and it walks you through how to do this for individual routers as well as gives the settings for XBOX Live and PlayStation Network

Simply follow the following links-- select your router from the list and follow the instructions on how to forward ports on your router--you will have to know your router's password-- the site gives router default passwords (at least for mine) so if your router's password has been changed, you will have to know the new password.

It shows screenies of what you will see when you log on to your router.

PSN-- http://www.portforward.com/english/...yStation_Network/PlayStation_Networkindex.htm

XBL -- http://www.portforward.com/english/applications/port_forwarding/Xbox_Live_360/Xbox_Live_360index.htm

HTH (someone else) -- my gaming experience is a lot less frustrating-- I hate it when a good game is about to start (16 player team deathmatch) and I get disconnected as it is about to start.
 
Thought I'd give it a try, I've gotten used to it dropping my connection every now and then. I will definitely let everyone know if it improves anything.
 
Mine would drop 10-20 times every gaming session-- usually in the lobby waiting to start but a few times in the middle of the game...

After adjusting my router settings I had 2 disconnects in 3 hours the other night.

Please let me know if this helps.

//edit//
Played last night for about 2 hours with only one disconnect....
 
I played GTA4 online, 2 hours and it only dropped my connection once. So yeah seems to have helped. thanks
oh yeah, I'm gonna send you a friend invite later

-PhaPhil-
 
Just a followup on this--

I was still experiencing drops.... I went back on my router and enabled UPnP (universal plug n play) and this made my experience now nearly drop free-- this changed my NAT 3 (the worst) to a NAT 2

Just giving those having issues something else to try.

For a completely drop free experience, I run a Cat 5 cable from my modem to my PS3 (gives me a NAT 1-- which is the best)
 
It might be prudent to tell people that by punching holes through NAT they are throwing away a lot of the security of their home networks.

After all it isn't much fun "living on the edge", - unless you know that you are ;)
 
Thanks....I'm a relative router/security noob.... from what I read, UPnP will forward any requested ports... is that internally requested or external??

if like I described in the first post, is forwarding specific ports more "secure".

Would making the network password protected affect that at all and what about each individual PCs security--- is that compromising that??

All the "router speak" is kind of confusing...
 
UPnP is inherently unsafe, - so unsafe that many implementations implement extra security checks (you need to check your router documentation)
It doesn't really matter if you are going to manually forward ports which would have been automatically forwarded by UPnP, but at least you'll know, and what you get is what you asked for (so be sure you know what you're asking).

By forwarding ports to your console (by whatever means), you're essentially turning it into a public server, - which means it is no longer a toy!

Public servers (like webservers) usually undergo thorough security scrutiny (extensive logging, security patches etc.), to keep them safe.
Your gaming console and the games you play on it don't. In fact you can safely assume that this aspect is totally ignored by game developers and console makers.

You might think that this is difficult and highly unlikely to be exploited, but it doesn't have to be. All it takes is a small bug (most commonly in the "buffer overflow" category) in the code that handles network traffic.
If such a bug exists (very likely) in code handling traffic on a public port, then anyone can execute code on your console without your knowing!

You might also think that this is of limited consequence, - which might be true (they might be able to trash your console and serve warez off your console hard disk, but hardly life threatening. Entering your credit card details on XBox is a sure sign of brain damage!). But beware if the console can access your PC (or other PC's in your home). You might have an efficient firewall setup (or be relying on NAT to block outside access), - but if your console is compromised and does have access to your PC it is worthless.
For instance the XBox has a feature that allows you to play music and videos off your PC, which requires the PC firewall to be open for the console!

All that being said there's a perfectly safe way to hook up your console to the internet, - it's called NAT (strict!). That ensures that all net access has to originate from your console and since all apps/games running on the console originate from (presumably) trusted sources, it is perfectly safe.

Also connecting a console to a shared connection through NAT must be considered sane and common usage, - games requiring otherwise are broken by design!
(unless intended for LAN parties, - but AFAIK that isn't supported on any platform)

Unfortunately my multiplayer GTA-IV (Xbox) is also somewhat "broken by design", which is pretty annoying. Especially since it's some minor detail with the "Lobby" that frequently causes disconnects (or prevents me entering MP from singleplayer) when I'm not the host.
In a game or if I'm the host in the lobby there's no problem.

I've got strict NAT enforced by my ISP, which has never been an obstacle for multiplayer PC games btw.
 
For instance the XBox has a feature that allows you to play music and videos off your PC, which requires the PC firewall to be open for the console!
PS3 does that too... need to turn that off.



Do you have any more info on "NAT strict" -- link or something to read up on this.

Do you think I'd be better off turning off UPNP-- and just disconnecting my router and running a wired PS3 to modem--or just turning off all other PCs when the PS3 is on and enabling the UPnP for gaming sessions...

or maybe something else to try to secure this-- maybe buying a second router for the PS3 only, running a wired connection to the router and turn off the SSID broadcast (if it is a wireless router) and disconnecting one router or the other depending on what I want to do....

Trying to figure out something to secure this up... thanks for the info/insight on this... seems like they purposely make this complicated when it doesn't really have to be....

//edit//
If I turn off UPNP and then just forward specific ports for PSN-- that should be ok right?? as only traffic from PSN will go through the router (if I'm understanding this right).

I started looking around and I think I know why my port forwarding helped me at first but not after--- I don't think I have a static IP address for the PS3-- when I set it up, I forwarded ports to my .5 address (the PS3) -- I just turned the PS3 on and it shows it as .3 now... I hope I can still get a NAT 2 with port forwarding...

Do you think setting the PS3 with a static IP address and forwarding PSN ports will secure this up-- or should I turn off Media sharing on the PS3 also (playing stuff through my network on the PS3).... I rarely use this feature anyway.

It sounds as if forwarding specific ports would be more secure than the UPnP option....

I appreciate your opinions and your time to respond to this...

Thanks.... Spuds...

For anyone looking at this-- this walkthrough shows you how to set up the PS3 with a static IP address.. assuming my thinking above is correct.

http://www.pregamelobby.com/forum/sony-reviews-tips/5618-how-get-type-2-open-nat-your-ps3.html

You want to set the address high enough so that other things on your network don't get assigned the same IP address when they connect.

///edit #2////

On the 3rd page of the above thread there is mention of an internet cable/phone modem -- this apparently acts as a router also and can affect your ability to get NAT 2....
I was trying to get a NAT type 2 but even though I was setting everything correctly it still wouldn't work. The reason I was having issues was because I have an internet telephone service. The modem that the CATV company gave me has an internal router but it is only used for the phone service. What I had to do was get the cable company to set my router IP in the DMZ of the cable modem router. Once this was done my NAT changed to type 2 because the router setting could now take effect. I hope this helps someone.

Is there a "routers for dummies" book out there??
 
Do you have any more info on "NAT strict" -- link or something to read up on this.

Not really, but try google. Add "IP masquerading" and/or "connection tracking" to refine the search (that's the nuts & bolts of NAT)
I'm not even sure that "strict NAT" is the proper term, - but what I mean by that is NAT without any forwarded ports.

Do you think I'd be better off turning off UPNP-- and just disconnecting my router and running a wired PS3 to modem--or just turning off all other PCs when the PS3 is on and enabling the UPnP for gaming sessions...
Disconnecting PC's while using the console (with open public ports) would be an effective method to keep your PC's safe. If you're using UPnP you should toggle the power for the router before switching over (to ensure that there are no dangling open ports)

Trying to figure out something to secure this up... thanks for the info/insight on this... seems like they purposely make this complicated when it doesn't really have to be....
Yes they did make it complicated for the users, if not on purpose then at least by lack of care.
They really should fix this by patching the game, I'm pretty sure it's a minor thing that breaks it.

If I turn off UPNP and then just forward specific ports for PSN-- that should be ok right?? as only traffic from PSN will go through the router (if I'm understanding this right).
No!, - if you open ports (by whatever means), then they're not only open to PSN/XBL, they're open to everyone!
The only way to restrict access would be by a firewall in your router as I doubt very much that the console has a firewall.
Assuming that your router has a firewall (unlikely), you would have to set that up to only allow access to the open ports from IP's controlled by PSN/XBL.
Obtaining those IP's would be a b*tch, and I don't think it would solve the problem with IV.
Since it works fine without forwarded ports while I'm the host, I would suspect that the "offending" traffic originates from the game host not XBL.
 
Thank you very much for letting me pick your brain... I've learned a lot (some things I didn't want to know-- ignorance is bliss ;) )

My router does have a firewall...not sure how good it is... a netgear WGR614V5 --

One last question -- if I have port forwarding enabled for selected ports, and the port forwarding is only forwarding ports to the static IP address of the PS3 (assuming I set this as static)-- that should only let any traffic to the PS3 right... when I go through the port forwarding walkthru for my router for PSN it has me forward them to one IP address

http://www.portforward.com/english/routers/port_forwarding/Netgear/WGR614v5/PlayStation_Network.htm

The above is assuming I don't have the PS3 configured to connect to other PCs on the network (media sharing) as this could provide a route...

The manual for my router says it has a firewall... I recently did a firmware update on it also...

http://www.engin.umich.edu/labs/EAST/@home/Project/Wireless/wgr614v5_ref_manual.pdf

A Powerful, True Firewall with Content Filtering
Unlike simple Internet sharing NAT routers, the WGR614 v5 is a true firewall, using stateful
packet inspection to defend against hacker attacks. Its firewall features include:
• Denial of Service (DoS) protection.
Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND
Attack, and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
• Blocks access from your LAN to Internet locations or services that you specify as off-limits.
• Logs security incidents.
The WGR614 v5 will log security events such as blocked incoming traffic, port scans, attacks,
and administrator logins. You can configure the router to E-mail the log to you at specified
intervals. You can also configure the router to send immediate alert messages to your E-mail
address or E-mail pager whenever a significant event occurs.
• The WGR614 v5 prevents objectionable content from reaching your computers. The router
allows you to control access to Internet content by screening for keywords within Web
addresses. You can configure the router to log and report attempts to access objectionable
Internet sites.
Security
The WGR614 v5 router is equipped with several features designed to maintain security, as
described in this section.
• Computers Hidden by NAT
NAT opens a temporary path to the Internet for requests originating from the local network.
Requests originating from outside the LAN are discarded, preventing users outside the LAN
from finding and directly accessing the computers on the LAN.
• Port Forwarding with NAT
Although NAT prevents Internet locations from directly accessing the computers on the LAN,
the router allows you to direct incoming traffic to specific computers based on the service port
number of the incoming request, or to one designated “DMZ” host computer. You can specify
forwarding of single ports or ranges of ports.

//edit//

I was just reading through my router manual and it sounds like port triggering is more secure...

Port Triggering is an advanced feature that can be used to easily enable gaming and other internet
applications. Port Forwarding is typically used to enable similar functionality, but it is static and
has some limitations.
Note: If you use applications such as multi-player gaming, peer-to-peer connections, real time
communications such as instant messaging, or remote assistance (a feature in Windows XP), you
should also enable UPnP according to the instructions at “Using Universal Plug and Play (UPnP)“
on page 7-17.
Port Triggering opens an incoming port temporarily and does not require the server on the internet
to track your IP address if it is changed by DHCP, for example.
Port Triggering monitors outbound traffic. When the router detects traffic on the specified
outbound port, it remembers the IP address of the computer that sent the data and triggers the
incoming port. Incoming traffic on the triggered port is then forwarded to the triggering computer.
Using the Port Triggering page, you can make local computers or servers available to the Internet
for different services (for example, FTP or HTTP), to play Internet games (like Quake III), or to
use Internet applications (like CUseeMe).
 
One last question -- if I have port forwarding enabled for selected ports, and the port forwarding is only forwarding ports to the static IP address of the PS3 (assuming I set this as static)-- that should only let any traffic to the PS3 right... when I go through the port forwarding walkthru for my router for PSN it has me forward them to one IP address

http://www.portforward.com/english/routers/port_forwarding/Netgear/WGR614v5/PlayStation_Network.htm
Yes, if you manually forward ports to the static IP of your console, then traffic emanating from the outside through those ports will only go to your console.
But *if* your console is compromised through those ports, then a hacker will be able to access all of your home network which is accessible from your console's IP. (Although a hacker might be able to change the IP on the console that would break outside connectivity.)
To safeguard your PC's against that eventuality make sure that all your PC's block the console's IP in their firewall. It is not enough just to disable the mediaplayer, - but if the mediaplayer stops working then it's a sign that the PC firewall is doing its job.
If your console is compromised and you're running UPnP, then a hacker will probably be able to completely reconfigure your router and render all your efforts in vain.

Regarding the portforwarding instructions link, only forward what is absolutely needed!
I seriously doubt that you need 80 and 443 (those are for webservers, - webbrowsing does not need ports forwarded).
Odds are you will only need 1 of the UDP ports (and open it only for UDP).
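
Added example (not part of any post in this thread, and not router firmware): a small Python model of the inbound decisions discussed above, covering NAT with no forwarded ports, a plain port forward, a forward restricted by source IP, and port triggering. The addresses, port numbers, 60-second trigger window, and the `Router`/`scenarios` names are all constructed for illustration; it assumes the router keeps the LAN source port as the public port.

```python
"""Toy model (constructed) of how a home NAT router decides on inbound packets."""
from dataclasses import dataclass, field

CONSOLE, SERVICE, STRANGER = "192.168.1.50", "203.0.113.10", "198.51.100.7"  # constructed
GAME_PORT, TRIGGER_PORT = 40000, 40001  # constructed port numbers, not real PSN/XBL ports

@dataclass
class Router:
    forwards: dict = field(default_factory=dict)  # (proto, port) -> (lan_ip, allowed sources or None)
    triggers: dict = field(default_factory=dict)  # (proto, outbound port) -> (inbound port, ttl seconds)
    flows: set = field(default_factory=set)       # connection tracking: outbound flows seen
    opened: dict = field(default_factory=dict)    # (proto, port) -> (lan_ip, expiry) from triggering

    def outbound(self, proto, lan_ip, lan_port, dst_ip, dst_port, now=0):
        # Assumption: the router keeps the LAN source port as the public port.
        self.flows.add((proto, lan_port, dst_ip, dst_port, lan_ip))
        if (proto, dst_port) in self.triggers:
            in_port, ttl = self.triggers[(proto, dst_port)]
            self.opened[(proto, in_port)] = (lan_ip, now + ttl)

    def inbound(self, proto, src_ip, src_port, dst_port, now=0):
        """Return the LAN IP that receives the packet, or None if it is dropped."""
        for p, lan_port, r_ip, r_port, lan_ip in self.flows:
            if (p, lan_port, r_ip, r_port) == (proto, dst_port, src_ip, src_port):
                return lan_ip  # reply to a flow that the LAN side started
        if (proto, dst_port) in self.forwards:
            lan_ip, allowed = self.forwards[(proto, dst_port)]
            return lan_ip if allowed is None or src_ip in allowed else None
        lan_ip, expiry = self.opened.get((proto, dst_port), (None, 0))
        return lan_ip if now < expiry else None

def scenarios():
    out = {}
    r = Router()  # NAT with no forwarded ports
    r.outbound("udp", CONSOLE, GAME_PORT, SERVICE, 5000)
    out["nat_reply"] = r.inbound("udp", SERVICE, 5000, GAME_PORT)
    out["nat_stranger"] = r.inbound("udp", STRANGER, 5000, GAME_PORT)

    r = Router(forwards={("udp", GAME_PORT): (CONSOLE, None)})  # plain port forward
    out["fwd_stranger"] = r.inbound("udp", STRANGER, 1234, GAME_PORT)
    out["fwd_tcp"] = r.inbound("tcp", STRANGER, 1234, GAME_PORT)  # forwarded for UDP only

    r = Router(forwards={("udp", GAME_PORT): (CONSOLE, {SERVICE})})  # forward + source filter
    out["filtered_stranger"] = r.inbound("udp", STRANGER, 1234, GAME_PORT)
    out["filtered_service"] = r.inbound("udp", SERVICE, 1234, GAME_PORT)

    r = Router(triggers={("udp", TRIGGER_PORT): (GAME_PORT, 60)})  # port triggering, 60 s window
    out["trig_before"] = r.inbound("udp", STRANGER, 1234, GAME_PORT, now=0)
    r.outbound("udp", CONSOLE, 3333, SERVICE, TRIGGER_PORT, now=0)
    out["trig_during"] = r.inbound("udp", STRANGER, 1234, GAME_PORT, now=10)
    out["trig_after"] = r.inbound("udp", STRANGER, 1234, GAME_PORT, now=61)
    return out

if __name__ == "__main__":
    for name, target in scenarios().items():
        print(f"{name:18} -> {target or 'dropped'}")
```

In this model a plain forward and a triggered port both deliver a stranger's packet to the console; only the source filter or the absence of any forward drops it.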
 
How does this sound for securing my game/network....

I can save configurations on my router-- creating a gaming configuration... for this:

UPnP - on... I'm going to experiment with port triggering, if you read my above post-- the manual says the ports need to originate from my end and you can set time limits on them-- all IPs on my network other than the console locked down (can't be used)-- I still want to run the game through the router so the console is at least behind the router's firewall (assuming it is providing me some protection).

When done reload the other configuration-- for this one, the PS3's IP address is locked down-- open all other ones-- UPnP and port triggering is off....

Toggle off the router and back on to make sure the ports are closed....

This sounds like the best way to do this without possibly getting a 2nd router with a built in firewall for the PS3 only... and only running one router at a time.

How does that sound??

(this is really my last question-- I swear)...
 
I'm not really sure what you're trying to do.
But if that means that your PC's are disconnected while you're using open ports on your console, that should leave your PC's safe (but simply setting up a static IP for your console and making sure that that address is blocked in the PC's firewalls would probably be just as safe and easy and a lot more convenient).

I also don't get why you want to set things up manually and still use UPnP? It shouldn't be needed and might actually override your manual settings.
UPnP is used to set up things totally automatically without any manual intervention or control, - there's a reason it's called Plug 'n Pray ;)

I'm not sure exactly what "port triggering" is (it sounds like a crude form of connection tracking). But if it allows you to only keep ports open when they're actually needed then it's probably a good thing (provided you can come up with a proper rule to trigger it)
 
Just trying to plug holes (ports) ;)...

Your solution does sound more convenient (the simple solution)-- assuming I can get the game to work with UPnP off. I'll try and set up port forwarding again with a static IP address and see if the game works as it has with UPnP enabled--

The portion of my router manual I quoted above concerning port triggering said you needed to have UPnP enabled -- the only reason I mentioned it in my previous post.

Thanks again for your insight.

Spuds
 