I've read about the lack of support for UPnP.
For using an external Firewall i need to make a 1:1 NAT from untrust zone to the static ip assigned to this firewall, right?
Relating PSN network there are several guides, for example:
https://www.bungie.net/en/Help/Article/11931
Basic ports for obtain NAT 2 on PS4 are:
TCP 1935, 3478, 3479, 3480
UDP 3074, 3478, 3479
so i've tried this conf:
## Last changed: 2016-11-24 04:02:04 CET
version 12.1X46-D55.3;
system {
host-name JuniperSRX210;
time-zone Europe/Rome;
root-authentication {
encrypted-password "password";
}
name-server {
8.8.8.8;
8.8.4.4;
208.67.222.222;
208.67.220.220;
}
services {
ssh;
telnet;
xnm-clear-text;
web-management {
http {
interface vlan.0;
}
https {
system-generated-certificate;
interface vlan.0;
}
}
dhcp {
router {
192.168.5.1;
}
pool 192.168.5.1/24 {
address-range low 192.168.5.110 high 192.168.5.250;
}
propagate-settings ge-0/0/0.0;
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
dhcp;
}
}
}
ge-0/0/1 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/2 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/3 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/4 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/5 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/6 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
fe-0/0/7 {
unit 0 {
family ethernet-switching {
vlan {
members vlan-trust;
}
}
}
}
at-1/0/0 {
encapsulation ethernet-over-atm;
atm-options {
vpi 8;
}
dsl-options {
operating-mode auto;
}
unit 0 {
encapsulation ppp-over-ether-over-atm-llc;
vci 8.35;
}
}
pp0 {
traceoptions {
flag all;
}
unit 0 {
point-to-point;
ppp-options {
pap {
default-password "text";
local-name Ispname;
local-password "text";
passive;
}
}
pppoe-options {
underlying-interface at-1/0/0.0;
client;
}
no-keepalives;
family inet {
negotiate-address;
}
}
}
vlan {
unit 0 {
family inet {
address 192.168.5.1/24;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 {
next-hop pp0.0;
metric 0;
}
}
}
security {
address-book {
global {
address server-qnap 192.168.5.60/32;
address server-netgear 192.168.5.70/32;
address server-ps4 192.168.5.80/32;
}
}
alg {
ftp ftps-extension;
mgcp disable;
rsh;
sccp disable;
sip {
disable;
application-screen {
unknown-message {
permit-nat-applied;
}
}
traceoptions {
flag all;
}
}
}
flow {
tcp-mss {
all-tcp {
mss 1350;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set trust-to-untrust {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool nat-pool-qnap {
address 192.168.5.60/32;
}
pool nat-pool-netgear {
address 192.168.5.70/32;
}
pool nat-pool-ps4 {
address 192.168.5.80/32;
}
rule-set main-rule-set {
from zone untrust;
rule qnap-51413 {
match {
destination-address 0.0.0.0/0;
destination-port 51413;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-qnap;
}
}
}
}
rule qnap-57532 {
match {
destination-address 0.0.0.0/0;
destination-port 57532;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-qnap;
}
}
}
}
rule qnap-9091 {
match {
destination-address 0.0.0.0/0;
destination-port 9091;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-qnap;
}
}
}
}
rule qnap-3306 {
match {
destination-address 0.0.0.0/0;
destination-port 3306;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-qnap;
}
}
}
}
rule netgear-21 {
match {
destination-address 0.0.0.0/0;
}
then {
destination-nat {
pool {
nat-pool-netgear;
}
}
}
}
rule netgear-51414 {
match {
destination-address 0.0.0.0/0;
destination-port 51414;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-netgear;
}
}
}
}
rule ps4-1935 {
match {
destination-address 0.0.0.0/0;
destination-port 1935;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-ps4;
}
}
}
}
rule ps4-3478 {
match {
destination-address 0.0.0.0/0;
destination-port 3478;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-ps4;
}
}
}
}
rule ps4-3479 {
match {
destination-address 0.0.0.0/0;
destination-port 3479;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-ps4;
}
}
}
}
rule ps4-3480 {
match {
destination-address 0.0.0.0/0;
destination-port 3480;
protocol tcp;
}
then {
destination-nat {
pool {
nat-pool-ps4;
}
}
}
}
rule ps4-udp-3074 {
match {
destination-address 0.0.0.0/0;
destination-port 3074;
protocol udp;
}
then {
destination-nat {
pool {
nat-pool-ps4;
}
}
}
}
rule ps4-udp-3478 {
match {
destination-address 0.0.0.0/0;
destination-port 3478;
protocol udp;
}
then {
destination-nat {
pool {
nat-pool-ps4;
}
}
}
}
rule ps4-udp-3479 {
match {
destination-address 0.0.0.0/0;
destination-port 3479;
protocol udp;
}
then {
destination-nat {
pool {
nat-pool-ps4;
}
}
}
}
}
}
}
policies {
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone untrust to-zone trust {
policy server-access-qnap {
match {
source-address any;
destination-address server-qnap;
application app-set-qnap;
}
then {
permit;
}
}
policy server-access-netgear {
match {
source-address any;
destination-address server-netgear;
application [ junos-ftp app-netgear-51414 ];
}
then {
permit;
}
}
policy server-access-ps4 {
match {
source-address any;
destination-address server-ps4;
application app-set-ps4;
}
then {
permit;
}
}
}
}
traceoptions {
file flowtrace size 10m world-readable;
}
zones {
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.0;
}
}
security-zone untrust {
screen untrust-screen;
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
at-1/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
pp0.0 {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
}
}
}
}
}
applications {
application app-qnap-51413 {
protocol tcp;
destination-port 51413;
}
application app-qnap-57532 {
protocol tcp;
destination-port 57532;
}
application app-qnap-9091 {
protocol tcp;
destination-port 9091;
}
application app-qnap-3306 {
protocol tcp;
destination-port 3306;
}
application app-netgear-51414 {
protocol tcp;
destination-port 51414;
}
application app-ps4-1935 {
protocol tcp;
destination-port 1935;
}
application app-ps4-3478 {
protocol tcp;
destination-port 3478;
}
application app-ps4-3479 {
protocol tcp;
destination-port 3479;
}
application app-ps4-3480 {
protocol tcp;
destination-port 3480;
}
application app-ps4-udp-3074 {
protocol udp;
destination-port 3074;
}
application app-ps4-udp-3478 {
protocol udp;
destination-port 3478;
}
application app-ps4-udp-3479 {
protocol udp;
destination-port 3479;
}
application-set app-set-ps4 {
application app-ps4-1935;
application app-ps4-3478;
application app-ps4-3479;
application app-ps4-3480;
application app-ps4-udp-3074;
application app-ps4-udp-3478;
application app-ps4-udp-3479;
}
application-set app-set-qnap {
application app-qnap-51413;
application app-qnap-57532;
application app-qnap-9091;
application app-qnap-3306;
}
}
vlans {
vlan-trust {
vlan-id 3;
l3-interface vlan.0;
}
}
The ports related to the both nas (Qnap and Netgear) are opened, the ports related to ps4 are closed.