Here's a recent article (posted on reddit too https://www.reddit.com/r/NintendoSwitch/comments/agv6hw/fixing_nat_for_a_nintendo_switch_using_upnp_w/) for people trying to make a switch work.
Starting with : https://www.reddit.com/r/NintendoSwitch/comments/6qjhjy/i_have_figured_out_the_actual_range_of_ports_to/
I also read: https://forum.opnsense.org/index.php?topic=1368.0
FWIW (I don't want to argue with people - tigher security is generally better - that's why people have doors and windows instead of large holes you can crawl through at night). Some facts...
-
Nintendo has articles advising people to use the DMZ function.
-
Some articles advise setting all ports to forward.
-
Some people say it doesn't matter... but it might.
-
Some people say Nintendo is built on unix - or FreeBSD or that FreeBSD is Linux. Those people don't know what they are talking about. Nintendo used a license which indicates they must have used SOMETHING from FreeBSD - but maybe just the network stack or part of it. FreeBSD is not Linux - BSD tends to have a more solid network stack than linux (linux builds often suffer from improperly closing sockets and required garbage collection). Anyways...
uPnP basically lets the prisoners inside the fence control the locks. That's scary. If you trust them and they stay well behaved it might be easier than hiring guards. But if they decide to misbehave, open the doors and throw a party, you may be unable to do anything. If something on your network gets a virus, it could use uPnP to open the network to allow it to use your bandwidth to attach others. This defeats the point of a good firewall.
That said, we need a hybrid approach. Let the fewest number of devices that have to, access uPnP - so most computers that might be infected - most IoT gadgets do NOT need this.
So here's what I did for the 5 minute Nintendo switch.
-
I use OPNsense as a router. Not practical for everyone - but it has a configurable uPnP.
-
I added a static DHCP lease so when the switch is on my network it will always get the same IP - but when it leaves it will still work (this is simpler than switching back and forth from DHCP to Static.
-
I added hybrid outbound NAT rule mapping the internal IP to the selected external interface and enabled Static Port mapping.
-
I enabled uPnP with these settings:
-
Allow uPnP port mapping
-
Allow NAT-PMP Port mapping
-
Matched the external interface used in the NAT rule
-
Internal interface matching the local network.
-
Set the maximum download / upload speeds
-
Set default deny - VERY IMPORTANT
-
Added a custom rule "allow 1024-65535 192.168.1.5/32 1024-65525"
-
That 192.168.1.5 was the static lease I set up in DHCP and that I used in my outbound NAT rule.
-
Started uPnP service.
-
-
Played online.
That's it. Doing it this way prevents a virus or program on another device from using uPnP. Which means everything in your network can't do what your switch can. But that means they can't run rampant through your firewall, steal your data and attack your neighbours when you click the wrong link either.
I hope this helps someone. Having a good router is the basis of a good network, but you have to put in the time to know how to set it up, or find someone who does.
Have fun out there!
net-heizen