05-11-2011 01:18 PM
From what I have experienced, you can only get "open NAT" using a device that supports UPnP. As far as I know, none of the devices Juniper has support UPnP.
The route we took was to put all the clients that need to use Xbox Live and PSN into a network with real IP addresses, and allow all traffic out, and only the Xbox/PSN ports in.
Originally we were going to allow specific games through the FW, and hoped that doing that would limit the exposure, but it is next to impossible for you to do this. Pages such as www.portforward.com are simply wrong on 99% of the PSN games. Something like Madden 11 required random UDP ports in the 40k to 64k range, to anywhere on the Internet.
Trying to firewall that is basically useless and created so much work for us, and frustration for the end users, that we just allowed everything out, and only the necessary PSN/Xbox Live ports back in.
The Xbox Live stuff is a bit better and sticks a little more closely to what they say they need open for most games, but even that is not 100% exact. Now add the Nintendo DS, Wii and other stuff and you have the biggest hodgepodge of custom services you've ever seen.
I realize that this is a far from perfect solution. You could try to create a policy that uses a DIP in case someone triggers a certain service, but I think even that is too erratic to really use as a permanent solution.
05-13-2011 12:10 PM
An important thing to remember is that these firewalls were designed for enterprise networks.
Online gaming doesn't really fit into the "enterprise network" model.
UPnP, in my opinion, is one of the worst ideas of recent time. Let's take a device whose purpose is to lock down and secure/protect a network (a firewall), and create a protocol that lets devices control what ports the firewall allows traffic on -- with no authentication or authorization.
Yes, it makes things easy for the home users who don't understand firewalls, but what happens when someone gets a virus on their computer that wants to connect to a botnet or become a zombie? With UPnP, a semi-intelligent virus writer can just use UPnP to open the firewall ports and then allow the infected computer to connect to the botnet or zombie control network. Great idea, security folks.
We've struggled with these same issues as we are a university -- securing an enterprise network while still providing a useful service to our residents who live here and use our network for personal as well as academic work. We solved this issue by separating traffic out of the residence halls into an entirely separate public IP space and did away with NAT. We route the separate IP space outside of our campus firewalls, so in effect we are an external ISP. When access from that net block needs to come into our campus network, it has to pass through our campus border firewalls just like any other untrusted / outside traffic.
08-25-2011 04:49 AM
As the discussion is moving on to Juniper firewalls and UPnP (or something similar) in general, I wanted to write my opinion here.
OK, there is a KB where Juniper says that UPnP is for the residential market, not the professional one.
But on the SRX at least we can configure persistent NAT (formerly cone NAT), which is the ability to connect to the post-NAT IP (i.e. the reflexive transport address).
So maybe this is the solution. In fact, using persistent NAT with the any-remote-host option is the equivalent of full-cone NAT, or in other words open NAT / on-demand NAT.
My two cents.
JNCI, JNCIP-SEC, JNCIS-ENT, JNCIS-FWV
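The persistent NAT setup the post above refers to, written out as an added example (this is not configuration from any poster or from Juniper's KB). It is Junos set-format for an SRX; the zone names (consoles, untrust), the console subnet 10.99.0.0/24, the public pool address 203.0.113.10 and the rule/pool names are assumed placeholders, the lines starting with # are explanatory comments, and the inbound untrust-to-consoles policy reflects my understanding that persistent NAT bindings are still subject to a security policy in the reverse direction:

```junos
# Public address(es) the consoles are translated to. Use a range for many consoles.
set security nat source pool console-nat-pool address 203.0.113.10/32

# Keep each internal host on one public address, so its reflexive address is stable.
set security nat source address-persistent

# Source NAT rule: console zone -> Internet, with persistent NAT.
# "permit any-remote-host" is full-cone behaviour: once a console has sent a packet
# out from an internal port, ANY outside host may reach the mapped public IP:port
# until the binding times out. This is exactly the exposure "open NAT" implies.
set security nat source rule-set consoles-out from zone consoles
set security nat source rule-set consoles-out to zone untrust
set security nat source rule-set consoles-out rule consoles-pnat match source-address 10.99.0.0/24
set security nat source rule-set consoles-out rule consoles-pnat then source-nat pool console-nat-pool
set security nat source rule-set consoles-out rule consoles-pnat then source-nat pool persistent-nat permit any-remote-host
set security nat source rule-set consoles-out rule consoles-pnat then source-nat pool persistent-nat inactivity-timeout 300
set security nat source rule-set consoles-out rule consoles-pnat then source-nat pool persistent-nat max-session-number 30

# Outbound policy: let the console zone talk to anything (the "allow all out" model).
set security policies from-zone consoles to-zone untrust policy consoles-out match source-address any
set security policies from-zone consoles to-zone untrust policy consoles-out match destination-address any
set security policies from-zone consoles to-zone untrust policy consoles-out match application any
set security policies from-zone consoles to-zone untrust policy consoles-out then permit

# Inbound policy: reverse traffic through a persistent NAT binding still has to be
# permitted untrust -> consoles. Restrict it to the console subnet only, and keep
# this zone separate from the campus zone so nothing else is reachable this way.
set security zones security-zone consoles address-book address console-net 10.99.0.0/24
set security policies from-zone untrust to-zone consoles policy consoles-in match source-address any
set security policies from-zone untrust to-zone consoles policy consoles-in match destination-address console-net
set security policies from-zone untrust to-zone consoles policy consoles-in match application any
set security policies from-zone untrust to-zone consoles policy consoles-in then permit

# Verification, from operational mode, after a console has started a game:
#   show security nat source persistent-nat-table all
#   show security flow session source-prefix 10.99.0.0/24
```

The binding only exists after the console itself has sent traffic and it expires after the inactivity timeout, so this is narrower than a static port forward, but while a binding is live any Internet host can use it. If a game works with a more restrictive cone, `permit target-host` (only hosts the console has already contacted, on any port) or `permit target-host-port` (only the exact host and port) reduces that window; test each game against the less permissive option first and fall back to any-remote-host only where needed.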
08-30-2011 03:37 AM
Chiming in late, but the only way I have found this to work reliably is to give users Internet-routable IP addresses. You are correct in stating that the only way to get "open NAT" is to have a UPnP device sit between the gaming device and the Internet, and that is simply not possible, as mentioned before.
If you only have one console to work with it is not that big of a deal, but if you have a network full of them, this is simply not doable with NAT (at least in my opinion; we have about 400 of these on our network).