A solution to the NAT traversal problem between a Nintendo Switch and the Juniper SRX Firewall.

I recently had to solve a problem with my son's Nintendo Switch: the game "Splatoon" would not find any Internet players because of "a NAT traversal problem". Googling turned up the wildest suggestions, from completely exposing the Switch to the Internet in a DMZ deployment to using static NAT on either the SRX or pfSense.

Since I only have one public IPv4 address (already used for hosting various services) and the Switch does NOT support IPv6 (ridiculous, I know), this seemed like a tough problem to crack.

I found complete cookbooks on the Internet suggesting several large UDP port ranges to port-forward to the Switch, because the Switch does not support UPnP for opening pinholes in the reverse direction.

Apparently Nintendo distinguishes between NAT types A to D, where only types A and B are supposed to be good enough. This is the information I found so far, although I can't vouch for its accuracy:

- Type A corresponds to DMZ exposure and gives the best results for online gaming.

- Type B is source NAT plus port forwarding in the reverse direction for the relevant UDP ports (e.g. 40,000-65535). It should still be sufficient for online gaming.

- Type C is regular NAT and is supposedly insufficient.

- Type D is, for whatever reason, useless. And guess what: this is the one I got by using regular PAT.

I tried changing the DNS server to Google's, changing the MTU, changing policies, and using Wireshark to snoop the traffic between the access point and the Internet, trying to find out what I was missing.

Then I noticed that once I configured static NAT for the Nintendo Switch, all was well and I reached "NAT Type A". But then I could no longer forward my services for mail etc. on this IP address, because static NAT claims the whole public address for the Switch.

So what was the difference between source NAT plus port-forwarding the UDP ports I found (40,000-65535 or so) towards the Nintendo Switch and a straight DMZ deployment?

Then it hit me: the source port is translated to another source port once the datagram leaves the SRX on its way to the Internet, and by default the SRX picks that public port at random, per session. As with IKE phase 1 in IPsec (this port rewriting is the reason NAT-T exists), the changing source ports seem to break the NAT traversal for the Nintendo Switch.

So if the Nintendo Switch sends from source port 60,000, that port becomes e.g. 48,000 after translation, and the next session from the same source port towards another peer gets yet another random port. THAT does not happen with a DMZ deployment, where plain 1:1 NAT is used without PAT.

But what to do about this? Then I found a poorly documented feature of the SRX called "port-randomization disable", which stops the SRX from picking random ports after translation. I think it hands them out sequentially, but I didn't bother to check. Note that the knob sits at the [edit security nat source] level, not inside the pool, so it changes the behaviour for every host translated by the SRX, not just the Switch. Port randomization is one of the defenses against off-path attacks that have to guess a source port (DNS cache poisoning of an internal resolver being the classic case), so if you would rather limit the change to the Switch, the persistent-nat and "port no-translation" variants in the comments below do that without touching the global setting.
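To make the difference concrete, here is a small simulation of per-session PAT under three port-allocation policies, together with a STUN-style hole punch. It is an added example, not code from this post or from Nintendo: the Switch's traversal algorithm is not published, so the "port prediction" step (the peer tries the port a STUN server observed plus the next few) is an assumption, as is the sequential behaviour of port-randomization disable, which the post leaves unverified. All addresses and ports are constructed sample data.

```python
"""Added example (not part of the original post): a toy model of per-session
port address translation (PAT) and a STUN-style hole punch, showing why the
public-port allocation policy decides whether a peer can reach a console.

Policies modelled (the names map to the post's three situations):
  preserve   - static NAT / DMZ: public port == private port, no PAT
  sequential - PAT with a deterministic allocator (the post assumes, but does
               not verify, that 'port-randomization disable' is sequential)
  random     - PAT with randomized allocation, the SRX default
Nintendo does not publish the Switch's traversal algorithm; the 'port
prediction' step below (try the STUN-observed port and the next few) is an
assumption, not Nintendo's code. All addresses are constructed sample data.
"""
import random

POOL_START, POOL_END = 1024, 63487   # the pool range used in the post


class Pat:
    """Stateful PAT with one public port per session, i.e. per
    (private ip, private port, remote ip, remote port) tuple, which is how a
    source-NAT pool without persistent-nat behaves."""

    def __init__(self, policy, seed=1):
        self.policy = policy
        self.rng = random.Random(seed)       # seeded so runs are repeatable
        self.next_port = POOL_START
        self.sessions = {}                   # session tuple -> public port
        self.in_use = set()

    def _allocate(self, private_port):
        if self.policy == "preserve":
            return private_port
        if self.policy == "sequential":
            port, self.next_port = self.next_port, self.next_port + 1
            return port
        if self.policy == "random":
            while True:
                port = self.rng.randint(POOL_START, POOL_END)
                if port not in self.in_use:
                    return port
        raise ValueError(f"unknown policy {self.policy!r}")

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """A private host sends a packet; returns the public port it leaves with."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self.sessions:
            port = self._allocate(src_port)
            self.sessions[key] = port
            self.in_use.add(port)
        return self.sessions[key]

    def inbound(self, remote_ip, remote_port, public_port):
        """A packet from the Internet is forwarded only if a session toward
        exactly that remote endpoint owns public_port (stateful, port-restricted).
        Returns the private (ip, port) it is delivered to, or None if dropped."""
        for (src_ip, src_port, dst_ip, dst_port), port in self.sessions.items():
            if port == public_port and (dst_ip, dst_port) == (remote_ip, remote_port):
                return (src_ip, src_port)
        return None


def hole_punch(policy, guesses=5):
    """The console learns its public port from a STUN server, then opens a flow
    to a peer. The peer is told only the STUN-observed port and tries it plus
    the next guesses-1 ports. Returns True if any guess reaches the console."""
    nat = Pat(policy)
    console = ("192.168.1.150", 60000)
    stun = ("198.51.100.1", 3478)
    peer = ("203.0.113.9", 45000)

    observed = nat.outbound(*console, *stun)            # what STUN reports back
    nat.outbound("192.168.1.20", 51000, "192.0.2.53", 53)  # another LAN host's DNS query in between
    nat.outbound(*console, *peer)                       # console sends to the peer first (the punch)
    for public_port in range(observed, observed + guesses):
        if nat.inbound(*peer, public_port) == console:
            return True
    return False


if __name__ == "__main__":
    for policy in ("preserve", "sequential", "random"):
        print(f"{policy:10s} peer reaches console: {hole_punch(policy)}")
```

The model makes the point that matters: per-session PAT always gives the console a different public port towards the peer than towards the STUN server, so only an allocator whose next port is predictable (or no port translation at all) lets the peer find it. It also shows the fragility: the sequential case succeeds here only because a single other flow slipped in between; on a busy LAN other hosts consume the ports in between and the guesses run out, which is one argument for confining the change to the Switch as the persistent-nat comment below does.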

So now the source NAT (under [edit security nat source]) is configured as follows:

pool my-nat-pool {
    address {
        <Internet IP/32>;
    }
    port {
        range {
            1024;
            to {
                63487;
            }
        }
    }
}
port-randomization disable;
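The same source NAT as set commands, followed by the show commands I would use to confirm what the SRX actually does with the Switch's source port. This is an added example, not a listing from the post: the rule-set and zone names are taken from the reply further down, the Switch address 192.168.1.150 is assumed, and <Internet IP> stands for the SRX's public address.

```junos
## Added example: the post's source NAT in set form (rule-set, zone names and
## the Switch address 192.168.1.150 are assumptions, not the post's values)
set security nat source pool my-nat-pool address <Internet IP>/32
set security nat source pool my-nat-pool port range 1024 to 63487
## port-randomization lives at [edit security nat source], so it is not per pool
set security nat source port-randomization disable
set security nat source rule-set to-untrust from zone trust
set security nat source rule-set to-untrust to zone untrust
set security nat source rule-set to-untrust rule source-nat-rule match source-address 0.0.0.0/0
set security nat source rule-set to-untrust rule source-nat-rule then source-nat pool my-nat-pool
commit

## Verify: pool state, rule hit counters and the live translations. In the
## session output the "In:" line shows the Switch's private source port and
## the "Out:" line the public port the SRX put on the wire; compare the Out
## ports of two sessions from the same private port to see the allocation.
show security nat source pool my-nat-pool
show security nat source rule all
show security flow session source-prefix 192.168.1.150/32 protocol udp
```

Running the flow-session command while the Switch does its connection test is the quickest way to see whether consecutive sessions from the same private port get neighbouring public ports (randomization off) or unrelated ones (the default).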

 

The very strange thing is that the Nintendo Switch still claims that I have NAT Type C, but the game works.

And, even better: I do NOT use port forwarding on the SRX towards the Nintendo Switch! Source NAT alone seems to do the trick.

I hope this helps you on your quest; it took me quite a while to figure this out.

Leave a comment if this helped you.

This entry was posted in Nintendo Switch.

8 Responses to A solution to the NAT traversal problem between a Nintendo Switch and the Juniper SRX Firewall.

  1. pim says:

    pff… that took me ages to find out!

  2. zypher says:

    Hmm, I’m still having trouble with my SRX 240 H2. NAT type on my switch is still D even after adding port-randomization disable to my source NAT.

    The switch connected fine from behind a pfsense VM on my connection (comcast) so I’m sure it’s something in my firewall and I’m taking heat from the kids for breaking things lol.

    Any other ideas? Could you post more of, or even your entire SRX config for me to review?

    • pim says:

      Hello Zypher,

      Thanks for responding to my blog regarding the NAT problem and the nintendo switch.

      Here is my NAT configuration; I am using a Juniper SRX300 on Junos 15.1X49-D160.2.

      Here is the security source NAT section you asked for:
      pool ulimit {
          address {
              ;
          }
          port {
              range {
                  1024;
                  to {
                      63487;
                  }
              }
          }
      }
      port-randomization disable;
      rule-set to-untrust {
          from zone [ dmz trust ];
          to zone untrust;
          rule source-nat-rule {
              match {
                  source-address 0.0.0.0/0;
              }
              then {
                  source-nat {
                      pool {
                          ulimit;
                      }
                  }
              }
          }
      }

      I hope this will help you in your quest. Please let me know if this helps you.

      Cheers,

      Pim.

      • zypher says:

        Thanks Pim!

        Just wanted to report back it’s now working on my SRX 240 (running JunOS 12.3X48-D75.4).

        I had my rule-set as:
        rule nsw-src-interface {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }

        When it really should be like your example:
        rule-set nsw_srcnat {
            from zone LAN;
            to zone Internet;
            rule nsw-src-interface {
                match {
                    source-address 0.0.0.0/0;
                }
                then {
                    source-nat {
                        pool {
                            my-nat-pool;
                        }
                    }
                }
            }
        }

  3. anon says:

    You can do this more elegantly with persistent-nat.

    set security address-book global address switch-wireless
    set security address-book global address-set untrust-persistent-nat-devices address switch-wireless
    set security nat source interface port-overloading off
    set security nat source rule-set untrust-snat from zone trust
    set security nat source rule-set untrust-snat to zone untrust
    set security nat source rule-set untrust-snat rule untrust-persistent-nat match source-address-name untrust-persistent-nat-devices
    set security nat source rule-set untrust-snat rule untrust-persistent-nat match destination-address 0.0.0.0/0
    set security nat source rule-set untrust-snat rule untrust-persistent-nat then source-nat interface persistent-nat permit target-host
    set security nat source rule-set untrust-snat rule untrust-source-nat match source-address 0.0.0.0/0
    set security nat source rule-set untrust-snat rule untrust-source-nat match destination-address 0.0.0.0/0
    set security nat source rule-set untrust-snat rule untrust-source-nat then source-nat interface

  4. Pocky says:

    I wanted to post a solution that allows the Nintendo Switch to remain on the shared trust network while allowing proper operation of both NAT-A and B options without interfering with other services on your network and without the need for placing the switch in a DMZ.

    Of course, this can also be modified for use in your DMZ example, which isolates the Nintendo Switch from the rest of the trusted network for more security.

    You will replace the Nintendo Switch address and ISP address with your own; these are here for demonstration purposes.

    The following will achieve NAT-A
    1.) The source NAT pool uses the "port no-translation" command, which targets NAT to specific rules using the outbound switch pool, as opposed to disabling PAT for the entire source NAT.
    2.) Rule 1 applies the defined pool to the Nintendo Switch only (enables NAT B).
    3.) Rule 2 handles the remaining source NAT traffic on the same network and treats it normally.
    4.) The destination NAT will perform NAT on all INBOUND port 45000-65535 traffic to the switch (enables NAT A).
    5.) The security policy (combined with the switch address-book entry and application entry) is required to allow the traffic to pass from the external to trust zones.

    For NAT-B only (very secure on trust network) simply issue a “deactivate security nat destination from-external rule external-switch-nat-a” command and commit. This effectively blocks all inbound traffic to the Nintendo Switch without impacting the rest of the network or losing the NAT-A configuration if you wish to re-enable in the future.

    security {
        address-book {
            global {
                address switch 192.168.1.150/32;
            }
        }
        nat {
            source {
                pool outbound-switch {
                    address {
                        2.2.2.2/32; ## Your ISP ip address
                    }
                    port {
                        no-translation;
                    }
                }
                rule-set trust-to-external {
                    from zone trust;
                    to zone external-isp1;
                    rule trust-switch-nat-b {
                        description "Rule 1 - Nintendo Switch perform outbound NAT";
                        match {
                            source-address 192.168.1.150/32; ## your switch address
                        }
                        then {
                            source-nat {
                                pool {
                                    outbound-switch;
                                }
                            }
                        }
                    }
                    rule trust-default {
                        description "Rule 2 - All other traffic outbound PAT";
                        match {
                            source-address 0.0.0.0/0;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool inbound-switch {
                    address 192.168.1.150/32; ## Your switch address
                }
                rule-set from-external {
                    from zone external-isp1;
                    rule external-switch-nat-a {
                        description "Rule 1 - Nintendo Switch perform inbound NAT";
                        match {
                            destination-address 0.0.0.0/0; ## any destination address, i.e. your public IP
                            destination-port {
                                45000 to 65535;
                            }
                        }
                        then {
                            destination-nat {
                                pool {
                                    inbound-switch;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone external-isp1 to-zone trust {
                policy to-switch {
                    description "Permit inbound traffic to Nintendo Switch";
                    match {
                        source-address any;
                        destination-address switch;
                        application switch-udp-ports;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
    }
    applications {
        application switch-udp-ports {
            term nat-a protocol udp destination-port 45000-65535;
        }
    }

    Hope this is helpful to somebody.

  5. Adam says:

    Thank you so much for this. In this time of quarantine it was really nice to whip my sisters’ butt in Mario Kart 🙂

  6. Thomas Anderson says:

    I just wanted to say thanks because this was able to resolve my issues! I was able to shorten the port range from 1024 to 35000 and I have a NAT C, which is enough to work. I’m still kind of new to networking, but I was wondering if there was a way to limit the source address to just the IP of the Switch?
