«

»

Dec 31

PS4, dynamic port forwards and my MikroTik

PS4 parteh parteh parteh

I have recently discovered the messy hell that is the PS4 voice/party chat.  Seems that even in 2015, developers still can’t get it right with respect to voice chats, NAT and firewalls, even when you’re on “NAT Type 2”.

I then came to my senses and did things differently.

Normally, most home users can get away with turning on uPnP on their router, and the PS4 (and most other gear) will happy multicast away and open up their network to the internet.  I got so tired of party chat not working that I entertained the idea myself.

The issue with uPnP in my network is that it’s not flat — my internal network (smartly) sits behind a Linux firewall VM that I have, with subnets, and so uPnP can’t work without all kinds of silly multicast routing across subnets/interfaces, or putting my PS4 into a “DMZ” kind of arrangement.

I then came to my senses and did things differently.

My WAN router, a MikroTik RB450G, is capable of dynamically enabling and disabling rules, based on ICMP reachability.  It’s called Netwatch.

Some assumptions

There’s a few things to keep in mind with my solution:

  • You already have your masquerading and packet filter rules working fine (though, technically, you need no filtering rules, as this will be a port forward from your public IP, to a private, probably RFC1918 address)
  • I use a static IP (handed out via DHCP) for my console to keep things simple — I tend to do that with most of my gear anyway
  • The ports I’m forwarding are for the PS4, as per this page (at the bottom), and I’m quite sure most of them aren’t needed

Configure the rules

So, first things first, you need to add the NAT rules to the MT that will eventually be toggled on and off based on Netwatch.

Here’s mine as an example:

add action=dst-nat chain=dstnat comment=PS4 disabled=yes dst-port=3478,3479 in-interface=pppoe protocol=udp to-addresses=10.0.0.45
add action=dst-nat chain=dstnat comment=PS4 disabled=yes dst-port=80,443,3478,3479,3480 in-interface=pppoe protocol=tcp to-addresses=10.0.0.45

Configure Netwatch trickery

Here’s the fun part.  We configure a rule to ping the PS4, and enable or disable the above rules based on that ping result.  The trick is to use RouterOS’s cool filtering feature, “find“:

/tool netwatch
add down-script="/ip firewall nat disable [find comment=PS4]" host=10.0.0.45 interval=30s up-script="/ip firewall nat enable [find comment=PS4]"

This obviously uses the comment fields we used earlier to batch enable or disable!

Conclusion

The obvious thing to say here is… “why?!?”

So there you have it, a kinda-uPnP solution to a slightly annoying problem.  The application possibilities of course are broad, too.

The obvious thing to say here is… “why?!?”  If the PS4 is off, and the rules just stay permanently enabled, so what?  A fair point, but I tend to not like dangling rules, forwards, allows, etc, and this took very little effort.

And in agreeing with the case of actively returning ICMP filter responses to ports that are admin filtered, this doesn’t particularly rely on a specific rule to return those codes, but instead can fallback to more global rules.

About the author

Jason

I love technology, and have been involved with it for over thirty years. I'm a IT manager, a seasoned network, storage, Unix and virtualisation guy. I love to code (mmm, sweet sweet Python), and I django, SQLalchemy, Eve and pytest when I'm behaving. I'm also a DJ, and photographer.

Leave a Reply

%d bloggers like this: