Can Unifi firewall/port forwarding do port "remapping"?

Sorry for the big wall of text, trying to explain in as much detail as I can. Please bear with me :sweat_smile:

So I had been running OPNsense for about a year, and pfSense before that. Those worked fine, but I wanted to get some more detailed traffic info and integrate my devices better, so I switched to Unifi. I have my network up, my security cameras up, and all that stuff. Everything is working well enough and I have no issues in my day-to-day usage.

My roommate and I play Destiny 2 on PC. And while everything works, our NAT is now moderate. This is fine, but it means we cannot play with any players who have a strict NAT, and I have run across a few of them, including one of the guys we used to do raids with every once in a while.

On OPNsense, I was able to go to port forwarding and set it up so that when traffic came from 192.168.1.102 on port 3097, it would send out the traffic from the router on port 3098 instead. And I had a port forward that said any source IP on port 3098 then fwd to x.102 PC. In Destiny when looking at the network info, this results in the PC at x.102 saying they had an open NAT, the internal port was 3097 (which destiny likes to use) and external port was 3098.

I had the same thing set up for 192.168.1.101 but just said 3097 out and in. And then again on a spare gaming PC we have, for 192.168.1.103 to send out and receive on port 3099, even though the internal port on that PC stayed 3097.

The concept is simple enough, right? Just make the router re-map the ports so it all functions transparently and correctly. I should be able to do that on Unifi too.
I also have a PLEX server and I have it on port 33133 for external traffic, but the server will only look at its default of 32400. So I have a port forward rule set up so that any source IP on port 33133 gets forwarded to 192.168.1.100 port 32400. This seems to work, as PLEX says it is fully accessible outside; PLEX shows my external IP and port 33133 going into x.100 port 32400. So this seems like the same concept I was talking about above and does seem to be working.

However, if I try to make a rule saying: any source IP, on port 3098, forward to x.102 port 3097, it doesn't work in Destiny. The game running on that PC does not say it is using external port 3098 and it says it is still moderate NAT.
If I set up a rule that says: any source IP, on port 3097, fwd to x.101, port 3097, then my PC will say open NAT. So the forwarding functionality does work, as long as it is the same source and destination port. It is this issue of trying to make the game automatically (and transparently to the game and user) use a different, pre-set port and getting it working that I am having an issue with.

My thought is that OPNsense had a few more options in the port forwarding area than Unifi has. I think this is why I was basically able to say when traffic on IP x.102 tries to go out port 3097, send it out port 3098 instead, and a rule that said when the router sees traffic bound for x.102 port 3098 to send it to that PC's port 3097. Unifi doesn't seem to be able to do this, and the game doesn't seem to know/want to grab port 3098 or any other port really.
edit: and now that I am thinking about it and looking at more info, maybe this port remapping thing I am trying to make the router do to the traffic was really more of an “Outbound NAT” /source NAT rule I set up rather than a regular port forwarding? Does Unifi support making a source NAT rule?

So does anyone know how I would go about setting this up to make the Unifi setup map the traffic how I want and get open NAT on multiple PCs for running Destiny?

I hate that I’m even going to suggest this, but have you considered UPnP?

I know how much of a terrible idea it is and reasons why you shouldn’t use it, but I hate to say it, this is one of those times where it might actually help. Given no choice, any network I would enable UPnP would instantly be zero-trust and isolated from all other networks.

According to game developer’s FAQ:
Players who plan to use more than one console to play Destiny on the same network simultaneously will encounter connection issues when using Port Forwarding. Players are REQUIRED to use UPnP to play Destiny on more than one console on the same network simultaneously

For me the decision would be simple… find a different game to play or only play one console/PC at a time. Because there is no amount of money you can pay me to enable UPnP on my network! :wink:

This is likely because the game client is not aware you are changing the port translations on the router side. It’s telling the Destiny server “okay I’ve just opened port 3097, try and connect to me”. Neither the server nor the game client are aware of port 3098.

I have, and I do have it turned on. I'm not sure if it is any better than basic UPnP, but Unifi has a “secure mode” for it which I have enabled.
The game however remains at moderate NAT with UPnP.

Yes, I am realizing that, but how do I go about making the router change what ports the packet is coming from when it does the NAT on the IP and port? That is where things seem to be missing in the Unifi system. I could do it on pfSense and OPNsense, and in game Destiny would show that the internal port for all PCs was 3097, but the external port was different on each PC. :thinking:

edit:
Reading this page: https://manpages.debian.org/testing/iptables/iptables-extensions.8.en.html#SNAT

It seems what I am trying to do is normal router type stuff, but take control of it myself by telling the router what the Post NAT Source port should be.
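The two-rule mapping described above (a port forward in, plus a fixed source port out), written as the iptables rule pair a Linux gateway would need. This is an added illustration, not the OPNsense rules from the post and not Unifi's config.json format; it assumes the WAN interface is eth0, that the game traffic is UDP, and that the gateway already has its usual MASQUERADE rule in POSTROUTING.

```shell
#!/bin/sh
# Added illustration of the "port remapping" from the thread on a Linux
# gateway. Assumptions: WAN interface eth0, game traffic is UDP, and the
# gateway's generic MASQUERADE rule is already present in POSTROUTING.
WAN_IF="${WAN_IF:-eth0}"

# Print (do not apply) the two rules for one LAN host.
#   $1 = LAN IP, $2 = port the game binds internally, $3 = wanted external port
gen_remap_rules() {
    lan_ip=$1; int_port=$2; ext_port=$3
    # Port forward (DNAT): unsolicited WAN traffic to ext_port is sent to the
    # PC's internal port. Restricted to one protocol and the WAN interface so
    # the rule cannot be reached from the LAN side.
    echo "iptables -t nat -I PREROUTING 1 -i $WAN_IF -p udp --dport $ext_port" \
         "-j DNAT --to-destination $lan_ip:$int_port"
    # Outbound NAT (source port rewrite): packets this PC sends from int_port
    # leave the WAN with ext_port as their source. MASQUERADE --to-ports only
    # rewrites the port and keeps using the WAN address; SNAT --to-source
    # WAN_IP:port is the static-address equivalent. Inserted at position 1 so
    # it matches before the generic MASQUERADE rule, which would otherwise
    # pick a port of its own. conntrack un-NATs the replies for both rules.
    echo "iptables -t nat -I POSTROUTING 1 -o $WAN_IF -s $lan_ip -p udp --sport $int_port" \
         "-j MASQUERADE --to-ports $ext_port"
}

# The layout from the thread: three PCs all binding 3097 internally, each
# given its own external port (host list constructed from the post's numbers).
HOSTS="192.168.1.101 3097 3097
192.168.1.102 3097 3098
192.168.1.103 3097 3099"

gen_all_rules() {
    echo "$HOSTS" | while read -r ip int ext; do
        gen_remap_rules "$ip" "$int" "$ext"
    done
}

# Apply on the gateway itself (needs root). Inspect gen_all_rules first.
apply_all_rules() {
    gen_all_rules | sh -e
}
```

If the gateway's FORWARD chain drops by default, a matching ACCEPT for the forwarded UDP port is needed as well; and since the rules live only in the running kernel, they must be re-applied after every reboot or provisioning cycle.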


Turns out it’s a bit horrible :face_vomiting:

They’re literally asking you to poke around in the JSON stuff that the controller sends out to the device, because the UI can’t write it out.

What router/gateway are you using?
Maybe getting UPnP working well is easier.


Thanks for those.
I have a UXG-Pro as my router, which isn't part of the Dream Machine line, so it may have a config.json. I'll have to look into it more.

This is sadly pretty cumbersome and hacky, and it looks like special scripts are needed to re-apply anything I do after reboots. This is going to be a major pain in the butt, but it looks like the only way, so I guess I'll get reading and try figuring this out.

If I do get it all going, I'll make a post about it so others can find out how to go about doing all this. There seems to be very little info out there about it from what I can find.

In the past I’ve had to edit the conf.json file (I think that was the name) to keep site-to-site connections alive for clients using USGs. It's definitely not user friendly, as you have to document/remember the settings you're pushing out through the conf.json file, but they do get applied every time the device starts up and communicates with the controller.
So just make sure whatever is hosting your Unifi controller is always on/running.