
pfSense & Nintendo Switch connectivity

originally posted by Nimrod on Digiex – link here

If you’ve ever tried to play online with a Nintendo Switch behind a pfSense or similar router/firewall, you will likely find that out of the box it doesn’t quite work. Every time you try to join a game in Splatoon, Mario Kart 8 Deluxe or even Fast RMX you get constant errors with Error Code ‘2618-0516’: Unable to connect to the other user’s console / NAT Traversal Process has failed.

This is due to pfSense’s out-of-the-box security model: its default outbound NAT rewrites the source port of every outgoing connection to a random port, which defeats the NAT traversal the Switch relies on. It is easily resolved by taking the following steps in your router configuration:

Static IP and Static Port

Firstly, you’ll need to give your Nintendo Switch a Static IP address in pfSense.

Assuming you are using the out-of-the-box setup, your router will be at 192.168.1.1 with a DHCP server handing out IPs in the range 192.168.1.100-192.168.1.200. If you are using a different setup, adjust the steps below accordingly.

Browse to Services > DHCP Server > LAN and then scroll down to “DHCP Static Mappings for this Interface” and click Add.

[Screenshot: Services > DHCP Server > LAN, “DHCP Static Mappings for this Interface”]

If you are unsure of your Nintendo Switch’s MAC address, you can find it in the Nintendo Switch’s Settings application under ‘Internet’ > ‘Connection Status’. Remember that if you use an ethernet adaptor in the Dock, the ethernet MAC address will differ from the wireless one. If you intend to use both, repeat this mapping for each.

In the example I used, I gave my Nintendo Switch the IP 192.168.1.13: it is within the subnet of the router’s LAN interface but outside the normal DHCP pool of dynamically assigned addresses (100-200), so the Switch can always keep it.

Apply the changes in pfSense once done, and hard reboot the Nintendo Switch (press and hold power until the Power Options display and select ‘Power Off’ as opposed to ‘Sleep’, since only a full power-off turns off the network interface). Then boot your Switch fresh and you should find it gets its new IP address.

Next up, we need to add a Static Port rule in the NAT section of pfSense’s firewall. To do this, browse to Firewall > NAT and then select the Outbound tab as seen below.

[Screenshot: Firewall > NAT, Outbound tab]

You need to then select ‘Hybrid Outbound NAT’ and click Save and then Apply the changes.

The Mappings section just underneath should now become available, and you can click the green ‘Add’ button to set up your Static Port rule.

[Screenshot: Outbound NAT mapping form for the Static Port rule]

For the rule, set the Nintendo Switch’s IP as the ‘Source’, tick ‘Static Port’ in the Translation area and give your rule a meaningful description. Then Save the rule and click the Apply button to set the rules live on your pfSense box.
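The point of scoping the rule to the Switch’s source address is that only that one host gives up source-port randomisation; the rest of the LAN keeps pfSense’s default. The following is an added example, not code from the original guide: it parses the text that `pfctl -sn` prints on a pfSense box (the loaded NAT rules) and reports whether a static-port rule exists for the console and whether any static-port rule is broader than that. The sample output is constructed (interface name `em0` and WAN address 203.0.113.5 are placeholders); the console address 192.168.1.13 is the one used in this guide.

```python
"""Audit the active pf NAT rules for a static-port exception (added example).

Not code from the original guide. Parses `pfctl -sn` output from a pfSense box
and checks that source-port preservation ("static-port") is granted only to the
console's address, not to the whole LAN. Sample output below is constructed.
"""
import re

SWITCH_IP = "192.168.1.13"  # address given to the Switch in the DHCP static mapping

# Constructed sample of `pfctl -sn` output (203.0.113.5 stands in for the WAN
# address). Lines 1-2 mimic pfSense's automatic rules: an IPsec static-port
# exception limited to destination port 500, then port randomisation for
# everything else. Line 3 is the manual hybrid rule this guide adds.
SAMPLE_PFCTL_SN = """\
nat on em0 inet from 192.168.1.0/24 to any port = 500 -> 203.0.113.5/32 static-port
nat on em0 inet from 192.168.1.0/24 to any -> 203.0.113.5/32 port 1024:65535
nat on em0 inet from 192.168.1.13 to any -> 203.0.113.5/32 static-port
"""

RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port (?P<dport>[^-]+?))? -> (?P<out>\S+)(?P<tail>.*)$"
)


def parse_nat_rules(text):
    """Return one dict per `nat` line; lines that do not match are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        dport = (m.group("dport") or "").strip()
        rules.append({
            "iface": m.group("iface"),
            "src": m.group("src"),
            "dport": dport or None,                      # e.g. "= 500", or None
            "static_port": "static-port" in m.group("tail"),
        })
    return rules


def audit_static_port(rules, host_ip):
    """Classify static-port exposure for host_ip.

    Returns (status, sources) where status is:
      "ok"         host_ip has its own static-port rule and no broader one exists
      "missing"    no static-port rule covers host_ip
      "too-broad"  a static-port rule with no destination-port limit applies to a
                   whole network or to any source
    """
    host_rule = False
    broad = []
    for r in rules:
        if not r["static_port"] or r["dport"] is not None:
            continue  # port-limited exceptions such as pfSense's IPsec rule are fine
        src = r["src"]
        if src in (host_ip, host_ip + "/32"):
            host_rule = True
        elif src == "any" or ("/" in src and not src.endswith("/32")):
            broad.append(src)
    if broad:
        return "too-broad", broad
    if host_rule:
        return "ok", [host_ip]
    return "missing", []


if __name__ == "__main__":
    status, sources = audit_static_port(parse_nat_rules(SAMPLE_PFCTL_SN), SWITCH_IP)
    print(f"static-port audit for {SWITCH_IP}: {status} {sources}")
```

On a real box you would feed the script the output of `pfctl -sn` run from the pfSense shell; an `ok` result confirms the rule landed exactly as described above, while `too-broad` means a static-port rule was created for the whole LAN rather than the single console.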

All going well, you should now be able to join other users’ games when playing on the Nintendo Switch.

However, all is not over: with this setup you still won’t be able to host your own games. That is solved in the next step.

Enabling UPnP

The Nintendo Switch supports UPnP, a simple but clever protocol for home networks that lets a device ask the firewall/NAT to open ports on demand. This makes the Switch reachable from the wider world, which in turn lets you host games or run private sessions for friends.

To enable it in pfSense all you need to do is browse to Services > UPnP & NAT-PMP and enable it:

[Screenshot: Services > UPnP & NAT-PMP settings]

Tick the ‘Enable’ box, as well as the UPnP- and NAT-PMP-specific boxes. Make sure the External Interface is set to WAN and your local network (LAN) interface is selected at the bottom, as seen above.

Click Save at the bottom and the UPnP Service will start.
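UPnP lets any device on the LAN ask for ports to be opened, not just the Switch, so the same pfSense page also has a ‘Default Deny’ option and ‘ACL Entries’ in miniupnpd’s `allow|deny <external ports> <internal address/prefix> <internal ports>` format, evaluated top to bottom with first match winning. The following is an added example, not code from the original guide: it replays constructed port-mapping requests against such an ACL to show which hosts could open holes with and without the trailing deny. The Switch address 192.168.1.13 is the one from this guide; the second host 192.168.1.50 is made up for the illustration.

```python
"""Evaluate a miniupnpd-style UPnP ACL before enabling UPnP (added example).

Not code from the original guide. Entries follow miniupnpd's format, which is
what pfSense's "ACL Entries" field takes:
    allow|deny <external port range> <internal address[/prefix]> <internal port range>
Rules are checked top to bottom, first match wins, and a request matching no
rule is granted; pfSense's "Default Deny" option adds the final deny line.
"""
import ipaddress

SWITCH_IP = "192.168.1.13"   # address from the DHCP static mapping in this guide

# Constructed ACL: only the Switch may map (high) ports; the deny line is what
# "Default Deny" appends.
ACL_SWITCH_ONLY = [
    f"allow 1024-65535 {SWITCH_IP}/32 1024-65535",
    "deny 0-65535 0.0.0.0/0 0-65535",
]

# Same allow rule but without the closing deny: any other host's request
# falls through and is granted.
ACL_NO_DEFAULT_DENY = ACL_SWITCH_ONLY[:1]


def _port_range(spec):
    """'1024-65535' -> (1024, 65535); a bare '500' -> (500, 500)."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo, hi


def parse_acl(lines):
    """Return [(verdict, (ext_lo, ext_hi), network, (int_lo, int_hi)), ...]."""
    entries = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"malformed ACL entry {raw!r}")
        verdict, ext, net, internal = parts
        entries.append((verdict, _port_range(ext),
                        ipaddress.ip_network(net, strict=False), _port_range(internal)))
    return entries


def mapping_allowed(acl, client_ip, ext_port, int_port):
    """First-match decision for a port-mapping request from client_ip.

    Returns True when the request would be honoured. No matching entry means
    allowed, mirroring miniupnpd; a closing 'deny 0-65535 0.0.0.0/0 0-65535'
    is what turns that into a default deny.
    """
    addr = ipaddress.ip_address(client_ip)
    for verdict, (elo, ehi), net, (ilo, ihi) in parse_acl(acl):
        if addr in net and elo <= ext_port <= ehi and ilo <= int_port <= ihi:
            return verdict == "allow"
    return True


if __name__ == "__main__":
    for acl_name, acl in (("switch only", ACL_SWITCH_ONLY),
                          ("no default deny", ACL_NO_DEFAULT_DENY)):
        for host in (SWITCH_IP, "192.168.1.50"):   # second host is constructed
            print(f"{acl_name:16} {host:14} port 45000 ->",
                  "allowed" if mapping_allowed(acl, host, 45000, 45000) else "denied")
```

With the closing deny in place only the console can request mappings, and even it cannot map a port below 1024; without it every LAN host gets the same privilege, which is the configuration to avoid when turning UPnP on for a single device.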

Summary and NAT Types

Once these changes are made, you should have no problem joining games or hosting your own on your Nintendo Switch.

An interesting point is that Nintendo has added ‘NAT Types’ to the Nintendo Switch which can be seen when doing Connection Tests:

[Screenshot: Nintendo Switch connection test result showing the NAT Type]

When I first ran one out of the box with pfSense, my NAT Type was D and I was unable to join games without getting the 2618-0516 error. After making the changes in this guide, I got it to C with just the Static Port rule and could join other games, and I got it to B once UPnP was also enabled and could host my own games too.

After doing some digging, it seems NAT Type A, which is perfect, can only be achieved when there is no firewall or NAT in the path (i.e. the Nintendo Switch is connected directly to the internet with a public IP address). As such, Type B is the best you can expect when the Switch sits behind any router sharing an IP address, and it is good enough to both join and host online games on the Nintendo Switch.