Summary
I’ve been running pfSense since 2014 and was never able to get UPnP to work with multiple consoles trying to play the same game and get open NAT. I’m currently running version 220.01/2.6.0 and still had no resolution to the issue. Every few months the complaint would come up in the house; one person trying to convince the other to stop playing so they could play with open NAT, etc. So, I would do my regular check and test my Google-fu to see if the problem had been solved, and try the different options others claimed had fixed the issue, with no resolution. Finally, after years of letdown, I stumbled across a promising thread involving a Netgate employee and developer, and the community destined to solve this issue. Thank you! Thank you! Thank you!!
So, here are my documented steps following the forum post, which you can find below in the references…
*** This Patch is No Longer Needed if Using pfSense 2.7.0 ***
Add and Apply Patch
The patch can be applied using the System Patches package.
On the pfSense dashboard, go to System > Patches and click Add New Patch to create a new entry.
Copy the commit id below and paste it into the URL/Commit ID box:
3b50f7656967fbb4daa869a7ae6d18bc5ab6eec3
Then save and apply changes. The patch will appear in the table with the option to revert the patch.
Alternately, you can paste in the added rules by hand: go to Diagnostics > Edit File and browse to /etc/inc/filter.inc.
After applying the fix, either reboot the firewall OR trigger a filter reload (Status > Filter Reload) and then reset the state table (Diagnostics > States).
Settings
After applying the patch, port forwards were removed for UPnP services and outbound NAT mappings were removed, and Outbound NAT Mode was set to “Automatic outbound NAT rule generation”. Before this, it was set to Manual Outbound NAT with an attempt to manually map services with no luck.
I set up ACL entries in the UPnP Access Control Lists for the consoles that I want to limit UPnP to.
Services > UPnP & NAT-PMP > UPnP Access Control Lists
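To sanity-check the ACL entries before pasting them into that field, here is a small evaluator, added as an example for this post and not code from the post or from pfSense/miniupnpd. It parses entries in the same "action ext-ports int-address/mask int-ports" syntax the UPnP ACL field takes, answers whether a given console's mapping request would be permitted, and flags an ACL that allows the whole LAN or lacks a closing deny. The sample entries, the console addresses and the first-match/implicit-deny evaluation order are assumptions for the example.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample ACL (assumption: two consoles at .20 and .21 get UPnP for
# the unprivileged port range, everything else is denied).
SAMPLE_ACL = """
allow 1024-65535 192.168.1.20/32 1024-65535
allow 1024-65535 192.168.1.21/32 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""


@dataclass(frozen=True)
class AclRule:
    action: str                                    # "allow" or "deny"
    ext_lo: int                                    # external (WAN) port range
    ext_hi: int
    network: ipaddress.IPv4Network | ipaddress.IPv6Network
    int_lo: int                                    # internal (client) port range
    int_hi: int


def _parse_range(text: str) -> tuple[int, int]:
    """Parse 'lo-hi' (or a single port) into an inclusive range."""
    lo_s, _, hi_s = text.partition("-")
    lo, hi = int(lo_s), int(hi_s) if hi_s else int(lo_s)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi


def parse_acl(text: str) -> list[AclRule]:
    """Parse ACL lines; blank lines and '#' comments are ignored."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"line {lineno}: malformed ACL entry: {raw!r}")
        ext_lo, ext_hi = _parse_range(parts[1])
        net = ipaddress.ip_network(parts[2], strict=False)
        int_lo, int_hi = _parse_range(parts[3])
        rules.append(AclRule(parts[0], ext_lo, ext_hi, net, int_lo, int_hi))
    return rules


def is_permitted(rules: list[AclRule], client_ip: str, ext_port: int, int_port: int) -> bool:
    """First matching rule decides; no match means deny (assumed default)."""
    addr = ipaddress.ip_address(client_ip)
    for r in rules:
        if (addr in r.network
                and r.ext_lo <= ext_port <= r.ext_hi
                and r.int_lo <= int_port <= r.int_hi):
            return r.action == "allow"
    return False


def audit_acl(rules: list[AclRule]) -> list[str]:
    """Return findings for over-broad or open-ended ACLs (empty list = clean)."""
    findings = []
    for i, r in enumerate(rules, 1):
        if r.action == "allow" and r.network.prefixlen == 0:
            findings.append(f"rule {i}: allow for 0.0.0.0/0 lets any LAN host open ports")
    if not rules or rules[-1].action != "deny" or rules[-1].network.prefixlen != 0:
        findings.append("ACL does not end with a catch-all deny rule")
    return findings


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for ip, ext, internal in [("192.168.1.20", 3074, 3074), ("192.168.1.50", 3074, 3074)]:
        print(ip, ext, internal, "permitted" if is_permitted(rules, ip, ext, internal) else "denied")
    print("findings:", audit_acl(rules) or "none")
```

The point of the audit is the last rule: the post limits UPnP to specific consoles, and without the closing deny (or with an allow for 0.0.0.0/0) any host on the LAN can ask the firewall to open ports to itself.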
Conclusion
After applying the patch and changing the settings above, all the consoles and PCs had open NAT even when two consoles/PCs were playing the same game. I received much praise after this, but of course we are only standing on the shoulders of giants. Much thanks to JIMP and the community who made this possible!
References
Last piece of the puzzle – The discussion that led to the fix
The Fix – The documented fix with additional solutions of other community members