Nintendo Switch - NAT Type D

ggatten
Just browsing


Hello, Customer participates in eSports leagues using Nintendo Switches. When client connects to Nintendo, the NS switch status says NAT Type D, while NAT type A or B is required for proper operation. This is typically caused by port randomization on the firewall/NAT device. For other customers we've had to disable port randomization to make it work, but as this one is using an MX firewall I don't think we can do that? Is this something Meraki Support can do, or is there another option? TIA for any ideas!
PhilipDAth
Kind of a big deal

I am thinking to achieve something like that you'll need one of these solutions:

  • An IPv6 connection.  Each device can then get a public IPv6 address, and you can create an IPv6 firewall rule to allow all traffic in.  This will only work for communication to other IPv6 devices.
  • A block of public IP addresses from your ISP, and do a 1:1 NAT to each device.
  • You could try asking Meraki support to enable "Layer 3 Inbound Firewall Rules", which substantially disables a lot of the security.  Not as likely to work as the above two options.

Basically it requires all security to be disabled, and to allow anything in from the Internet.  It sounds like an incredibly bad idea to me.

ggatten
Just browsing

Hello, thanks for the reply.  I sorta like the IPv6 idea.  But, let me explain a bit further:

 - Cisco routers/NAT do not randomize source ports by default.
 - pfSense does randomize by default, but you can disable it - which we have.

Source port randomization is...   1.1.1.1 tcp 55555 to 2.2.2.2 tcp 443 when NAT'd becomes 1.1.1.1 tcp 31673* to 2.2.2.2 tcp 443.  * is the randomized source port.

I know in theory non-random ports are more vulnerable to certain attack vectors, but in practice - it's not even in my top 10 list of worries.

I opened a case with Meraki support.  We'll see...

RowellDomingo
New here

@ggatten I ran into the same problem and just resolved it. I have a Meraki MX105.

Solution: As per the Meraki team, we can't disable the port randomization on the firewall/NAT, but can instead define a firewall/NAT port Session Persistence. Once a port is assigned to a session, that port will remain mapped to the session until the session is terminated or times out. During the life of the session, the port will not change, ensuring that the external service communicates with the same source port throughout. Achieved NAT A and B; Nintendo Switch working perfectly now. 9-26-2024 11:10. It took me a while, working with Meraki support for almost 2 hours.

P.S. This feature can be configured from the backend. So, you need to open a case with Meraki support, and they will help you out. Only a few individual Meraki techs have knowledge of this, as this is something new in their environment.
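
To illustrate the difference between the port behaviours discussed in this thread (source-port preservation, per-connection randomization, and randomization with session persistence), here is a small Python simulation, added as an example and not taken from any post above or from Meraki, Cisco or pfSense code. It assumes that "persistence" means one internal ip:port keeps one external port for every destination until an idle timeout, and that a console's NAT check resembles a STUN-style comparison of the source port seen by two different servers; the class name, addresses and timeout are constructed.

```python
import random

class Nat:
    """Toy source NAT with one public IP. policy: preserve | random | persistent."""

    def __init__(self, policy, timeout=30, seed=1):
        self.policy, self.timeout = policy, timeout
        self.rng = random.Random(seed)
        self.table = {}  # mapping key -> [external_port, last_seen]

    def _key(self, src, dst):
        # "random" maps per flow, so every new destination gets a new port.
        # The other policies map per internal endpoint (ip, port).
        return (src, dst) if self.policy == "random" else src

    def _free_port(self, wanted=None):
        used = {port for port, _ in self.table.values()}
        if wanted is not None and wanted not in used:
            return wanted
        while True:
            port = self.rng.randint(1024, 65535)
            if port not in used:
                return port

    def translate(self, src, dst, now):
        """Return the external source port used for a packet src -> dst."""
        # Drop mappings that have been idle for longer than the timeout.
        self.table = {k: v for k, v in self.table.items()
                      if now - v[1] <= self.timeout}
        key = self._key(src, dst)
        if key not in self.table:
            wanted = src[1] if self.policy == "preserve" else None
            self.table[key] = [self._free_port(wanted), now]
        self.table[key][1] = now
        return self.table[key][0]


def mapping_check(nat, src, now=0):
    """Compare the source port two different servers see for one socket."""
    server_a = ("198.51.100.10", 443)   # constructed test servers
    server_b = ("203.0.113.20", 443)
    seen_a = nat.translate(src, server_a, now)
    seen_b = nat.translate(src, server_b, now + 1)
    return "stable" if seen_a == seen_b else "changes"


if __name__ == "__main__":
    console = ("10.0.0.5", 55555)       # constructed internal endpoint
    for policy in ("preserve", "random", "persistent"):
        print(policy, mapping_check(Nat(policy), console))
```

With the "persistent" policy the external port is still chosen at random, but a peer that learns it from one server can keep using it, which is the property the per-flow "random" policy breaks.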
