NAT=Strict/Moderate/Open

Scholar

NAT=Strict/Moderate/Open

1) I've been reading the multiple posts on the forum about multiple Xboxes in one house (including somejoe's detailed solution). Many posts reference NAT and Strict/Moderate/Open. I've never seen the words Strict/Moderate/Open on the gateway webpage. Is it a user setting that I can control through the router, or is it a status that is derived from some other setting? If it is a router status display, is it based upon some configuration from the Xbox?


2) I've read enough to know that I can't have an Xbox One and Xbox 360 online at the same time, but since I only have one gamer and he can't be on two systems at once, is it possible to set it up so both systems would work as long as they are used at different times? (I'm assuming the answer is no, which means that every time he wants to play the "other" Xbox I would have to go into the U-verse gateway settings and reassign the gaming pinhole to the "other" Xbox.) (I'm not sure if this makes a difference to the answer, but my gateway is the Motorola NVG589.)


Message 1 of 15 (39,285 Views)
Expert
Solution
Accepted by topic author houston01
09-30-2015 1:39 AM

Re: NAT=Strict/Moderate/Open

[ Edited ]

2) Yes, that is correct. Even though only one system would be used at a time, you would have to go to the U-Verse gateway every time and redirect the ports to the other XBox. That's probably impractical, thus a UPnP router would be recommended.

1) The labels for NAT types of "Strict", "Moderate", and "Open" are terms invented by Microsoft and used by other gaming console manufacturers like Sony for the PS3/PS4. They are not official or defined networking terms, and thus do not appear in any router configuration. However, they do have specific meaning. They refer to how the security algorithm in the network address translation (NAT) code running inside the router treats incoming packets.

In a NAT router, the router must keep track of the "endpoints" of all conversations so that packets can be routed to the correct host. An "endpoint" is the combination of an IP address, a protocol (TCP or UDP), and a port number. The router uses this memorized information about each conversation to route packets.

Let's look at an example. Let's have an internal network of 192.168.1.0/24, and an outside IP address of 99.99.99.99. Let's say there are two hosts on the inside network, 192.168.1.10 and 192.168.1.20, and they both want to bring up the www.google.com web page.

Host #1 at 192.168.1.10 sends a packet to www.google.com, a TCP packet, with a source port of 10000, and a target of www.google.com with a destination port of 80 (HTTP). The router memorizes these two endpoints as conversation A:

Conversation A: 192.168.1.10:10000 -> www.google.com:80.

The router also chooses a port that it will use for this conversation on the outside IP address, let's say it chooses 30000. The memorized NAT entry now looks like this:

Conversation A: 192.168.1.10:10000 -> NAT to 99.99.99.99:30000 -> www.google.com:80.

Google's web site answers the web request, and sends back a packet to 99.99.99.99:30000. The router recognizes that incoming packet based on the port (30000), and uses the table entry above to translate the target IP address and port to 192.168.1.10:10000 and send the return packet to the correct host.

Now let's say that host #2 at 192.168.1.20 also needs to talk to www.google.com, and also happens to choose a source port of 10000. The router makes a new NAT entry that looks like this:

Conversation B: 192.168.1.20:10000 -> NAT to 99.99.99.99:30001 -> www.google.com:80.

Return packets from Google will come to port 30001, which is enough for the router to differentiate this packet from the other conversation (conversation A). The router will use the NAT table entry to change the destination endpoint on the return packet to 192.168.1.20:10000 and send the packet to host #2.


Now, the question is, is there a security problem that would allow some malicious attacker to exploit these memorized conversation entries? It turns out that different routers use different algorithms to handle incoming packets.

Security consideration X: Suppose that Conversation A has been memorized by the router, and I try to talk to host #1 from a different IP address. Suppose I send a TCP packet to 99.99.99.99:30000 from my endpoint, 101.101.101.101:80 (same source port, but different source IP address). Will the router let my packet through, even though it thinks that the conversation is supposed to be talking to Google?

Security consideration Y: Suppose I go further, and send a TCP packet to 99.99.99.99:30000 from endpoint 101.101.101.101:40000 (different source port AND different source IP address). Will the router let this packet through?


The way the router handles these return packets based on the memorized conversation entry is very important to console gameplay, because the data streams for playing the game are mostly peer-to-peer, and everyone is behind a NAT router. Each console has to communicate with the others, and there is no good way to open ports automatically for inbound traffic (exception: UPnP, but many routers do not have this).

Microsoft decided to label the different ways that the NAT routing code can handle these packets as follows:

If the router will allow inbound packets to a memorized conversation from any source port and any source IP address (i.e. in security consideration Y, the router routes the packet), then the NAT type is labeled as "Open".

If the router will allow inbound packets to a memorized conversation from any source IP address, but the source port must match (i.e. in security consideration X, the router routes the packet, but in security consideration Y, the router drops the packet), then the NAT type is labeled as "Moderate".

If the router drops any inbound packet that doesn't precisely match both the source port and source IP address (i.e. in both security considerations X and Y, the router drops the packet), then the NAT type is labeled as "Strict".


Since the NAT type is a function of the routing and NAT code, it is generally not a behavior that can be altered for any particular router. The only way to create the equivalent of an "Open" type on a router whose native code presents a "Moderate" or "Strict" NAT type is to manually open ports on the router for inbound traffic, and direct those ports to the XBox (or other console).

Most consumer NAT routers, including the 2Wire/Pace and Motorola units that AT&T uses for U-Verse service, have NAT/routing code that results in a "Moderate" NAT type. Opening ports will work on these routers for one console. For more than one console, a UPnP router set up behind the U-Verse router is required.

Some business-class and enterprise routers have code that results in a "Moderate" NAT, but many, including the Cisco IOS, result in a "Strict" NAT type.


Message 2 of 15 (39,278 Views)
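As an added illustration (not part of the original thread or of any router's code), the following Python model reproduces the three filtering behaviours the accepted solution describes: it takes the post's conversation entries A and B and the two probes from security considerations X and Y, decides per NAT type whether an inbound packet is forwarded, and derives the "Open"/"Moderate"/"Strict" label from the probe outcomes. All addresses and ports are the post's constructed example values; the function and class names are my own.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Endpoint:
    addr: str   # IP address, or a hostname as in the post's example
    port: int

@dataclass(frozen=True)
class NatEntry:
    inside: Endpoint    # LAN host endpoint, e.g. 192.168.1.10:10000
    outside: Endpoint   # public endpoint the router picked, e.g. 99.99.99.99:30000
    remote: Endpoint    # peer the inside host first talked to

def match_inbound(entry: NatEntry, src: Endpoint, dst: Endpoint, nat_type: str) -> Optional[Endpoint]:
    """Inside endpoint an inbound packet src->dst is delivered to, or None if dropped."""
    if dst != entry.outside:
        return None                              # no memorized conversation on that public port
    if nat_type == "Open":
        ok = True                                # any source address, any source port
    elif nat_type == "Moderate":
        ok = src.port == entry.remote.port       # address may differ, port must match
    elif nat_type == "Strict":
        ok = src == entry.remote                 # both address and port must match
    else:
        raise ValueError(f"unknown NAT type {nat_type!r}")
    return entry.inside if ok else None

def nat_type_from_probes(x_forwarded: bool, y_forwarded: bool) -> str:
    """Turn the outcome of considerations X and Y into the console label."""
    if y_forwarded:
        return "Open"
    if x_forwarded:
        return "Moderate"
    return "Strict"

# Constructed sample values, taken from the post's walkthrough.
GOOGLE = Endpoint("www.google.com", 80)
CONV_A = NatEntry(Endpoint("192.168.1.10", 10000), Endpoint("99.99.99.99", 30000), GOOGLE)
CONV_B = NatEntry(Endpoint("192.168.1.20", 10000), Endpoint("99.99.99.99", 30001), GOOGLE)
PROBE_X = Endpoint("101.101.101.101", 80)       # consideration X: other address, same port
PROBE_Y = Endpoint("101.101.101.101", 40000)    # consideration Y: other address, other port

def classify(nat_type: str) -> str:
    """Run both probes against conversation A and label the router's behaviour."""
    x = match_inbound(CONV_A, PROBE_X, CONV_A.outside, nat_type) is not None
    y = match_inbound(CONV_A, PROBE_Y, CONV_A.outside, nat_type) is not None
    return nat_type_from_probes(x, y)
```

Note that a legitimate reply from Google to port 30001 is delivered to host #2 under every NAT type, because it matches conversation B's remote endpoint exactly; only the stray probes are affected by the type.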
Scholar

Re: NAT=Strict/Moderate/Open

Thank you Joe. Very interesting and helpful.

I'm not going to go the UPnP route based upon your prior advice. If anyone else needs further proof, this somewhat recent article might be all you need.

www.forbes.com/sites/andygreenberg/2013/01/29/disable-a-protocol-called-upnp-on-your-router-now-to-a...

Message 3 of 15 (39,257 Views)
Mentor

Re: NAT=Strict/Moderate/Open

I recently added a separate router behind my RG just for the purpose of enabling UPnP for an Xbox 360 and an Xbox One. Both Xboxes show an Open NAT. The router is the only device that's in the DMZ of the RG, and the Xboxes are the only devices that connect to the router. Does this minimize the security risk of using UPnP since it's only enabled for the Xboxes?

Message 4 of 15 (39,249 Views)
Expert

Re: NAT=Strict/Moderate/Open

Yes, if you must use a UPnP router, connecting only the gaming consoles to the router will minimize any security risks.

The main security risk from UPnP is that if a computer that is behind a UPnP router is compromised, then additional ports can easily be opened on the router by the attacker using the compromised computer and the UPnP protocol. However, with no computers behind the UPnP router (only game consoles), this risk is eliminated since the gaming consoles themselves are unlikely to be hacked.
Message 5 of 15 (39,240 Views)
Scholar

Re: NAT=Strict/Moderate/Open

[ Edited ]

I've got lots of cat5e wires running through the house, so I'm intrigued by the possibility of adding another router specific to gaming devices only, but I am unclear on the set-up.

1) I'm assuming the Motorola NVG589 will still be the dhcp "router" for the DVR, STB, computers, and iPad's in the house.

2) I'm assuming that UPnP router that I would have to buy would connect to one of the ethernet ports on the NVG589.

3) I'm assuming that I would connect the "xbox 360" and the "xbox one" directly to the UPnP router that I would be buying.

4) The Motorola NVG 589 has a different webpage console, I see no mention on DMZ, do I use the cascaded router settings?

5) For the Motorola NVG 589 do I turn-off the Firewall NAT/Gaming "service" specific to XBox 360 Live?


I didn't read all the threads on the XBOX forum, but it sounds like not all routers are created equal when it comes to multiple Xboxes in one house. One of the threads I read recommended one of 3 Netgear routers: WNR2000, WNDR3400, WNDR3700 (they listed other brands for not working so well). Fortunately these are not state of the art, so they are pretty cheap.

6) Any guess as to why only some routers support the UPnP that Xbox Live likes?

7) Do I have to do any port forwarding on the UPnP router?

8) I went into the Xbox settings and set manual IPs rather than automatic, 192.168.1.60 and 192.168.1.61, so it would be easier to reassign/toggle the NVG589 firewall gaming service to the Xbox 360 or Xbox One, but hopefully I won't do that anymore. Any reason I can't keep the manual IPs now that I've set them?

 

Message 6 of 15 (39,201 Views)
Expert

Re: NAT=Strict/Moderate/Open

1) Yes, but there will be a separate DHCP server and separate IP subnet on the gaming router, which will hand out different IP addresses to the consoles.
2) Yes
3) Yes
4) No, you will use the IP Passthrough option on the Motorola gateway, which is the equivalent of DMZPlus option on the 2Wire/Pace gateways.
5) Shouldn't matter if the IP Passthrough is set up, but I'd go ahead and turn it off anyway.
6) UPnP in general has large security problems, people are better off without it if at all possible.
7) No, the purpose of UPnP is to avoid having to port forward at all.
8) Once the IP Passthrough is set up to the new UPnP router and the consoles are plugged into that, switch the consoles back to DHCP.
Message 7 of 15 (39,193 Views)
Scholar

Re: NAT=Strict/Moderate/Open

[ Edited ]

1) somejoe can you clarify step two for me.  I'm taking an ethernet cable and plugging into say port 2 on the Motorola gateway and there are 5 ports on the new UPnP router, 1 yellow labeled internet and 4 orange.  Do I plug into the single yellow or one of the 4 orange on the UPnP?

2) Is there a link to a representative post that I can read that discusses IP Passthrough?

Message 8 of 15 (39,184 Views)
Expert

Re: NAT=Strict/Moderate/Open

You will use the yellow port labeled Internet.

See the following post for an example of how to use IP Passthrough with the Motorola gateways (NVG510 and NVG589):

https://forums.att.com/t5/Features-and-How-To/NVG510-Bridge-Mode/m-p/2928989#M29846


Message 9 of 15 (39,155 Views)
Scholar

Re: NAT=Strict/Moderate/Open

I found these two links:

http://forums.xbox.com/xbox_forums/xbox_support/f/9/t/157383.aspx

www.unofficialguidetolive.co.uk/faqs/228-xbox-live-certified-hardware

somejoe777's link (below) is also very helpful (see his accepted solution, which also cites his sources):

http://forums.att.com/t5/Residential-Gateway/XBox-Live-problem-2wire-NAT-is-not-open/m-p/3449081#M93...

-----------------------------------------

Microsoft pulled their recommended router list from their forums, which is why I included the second link (xbox-live-certified-hardware). I'm going to give the Netgear WNR2000 a whirl (other posts I saw have had good luck with it).

Message 10 of 15 (39,154 Views)
Scholar

Re: NAT=Strict/Moderate/Open

Somejoe:

I've read all 3 pages of the suggested post.

There are many well intentioned comments in the post, but there are a few that have conflicting recommendations.

As far as IP Passthrough on the Motorola 589, a post from 11/21 recommends setting the Allocation Mode="passthrough" with the passthrough mode set to DHCPS-dynamic, and the post on 12/18 recommends Allocation Mode="default server" and using a default server internal address.

Any thoughts?

Message 11 of 15 (39,128 Views)
Expert

Re: NAT=Strict/Moderate/Open

Well, I have never owned/used one of the Motorola gateways, so I can't advise you based on personal experience. However, from reading various posts here and the manuals for the NVG510 and NVG589, I believe the correct mode is IP Passthrough, allocation mode="Passthrough", and Passthrough Mode="DHCPS-dynamic".

These settings are supposed to give your router's WAN interface the outside IP address.

Message 12 of 15 (39,114 Views)
Contributor

Re: NAT=Strict/Moderate/Open

[ Edited ]

Dear SomeJoe7777, thank you for your wonderful post. However, I am so not a techie I am not sure I can follow it all, yet I am a Dad. Can you help me? If so, here or direct to email [edited for privacy]; here's the deal:

We have U-verse and the internet package. No idea what package, but I am willing to upgrade if that would be helpful.

We both have a PS4 and both enjoy playing Battlefield 4; he is 16 and I am not, he is fabulous and I suck at the game, but it's playing with your son and his online pals, so what's not to like?

My PS4 is connected to the wall directly where the internet comes out, and his PS4 uses the built-in wifi. My home iMac uses the wifi, as does his laptop and my wife's laptop.

We can usually both get onto a server with a good ping, but recently something is dropping his capacity to hear me via the microphones we are both using to communicate with one another and our other squadmates (his buddies, local, also online).

My AT&T U-verse 2Wire box is about a year old.

Is there something a novice can do to help this work better? I don't know what a port is or how to get to a port. Other than one where ships come to dock.


Message 13 of 15 (38,732 Views)
Contributor

Re: NAT=Strict/Moderate/Open

Please include a simpler solution. My ps4 is showing moderate. Is there a way to make it open? Secondly, I have 4 d-link wireless cameras and one hardwired d-link nvr router. How do I put them on a different channel or any suggestions to stop interruptions on my cameras and ps4?
Message 14 of 15 (6,361 Views)
ACE - Expert

Re: NAT=Strict/Moderate/Open

Skidog74 wrote:
Please include a simpler solution. My ps4 is showing moderate. Is there a way to make it open? Secondly, I have 4 d-link wireless cameras and one hardwired d-link nvr router. How do I put them on a different channel or any suggestions to stop interruptions on my cameras and ps4?

Most of this thread is more than 2 years old and they are no longer here. You have to put the D-Link router in the DMZ zone or IP Passthrough, depending on which RG you have.

Chris
Message 15 of 15 (6,341 Views)