It’s been a while since I’ve played any games online with my Nintendo switch, and I quickly remembered the issues with NAT types on the Switch.
When I checked, I had a NAT type of F, which will not allow online gaming. I found the guides on setting up the Hybrid NAT rules in Pfsense, but my type was still F. I then loosened up my outgoing port rules for that VLAN, and got a NAT type of B.
After tightening them back up a bit and looking online, it looks like the UDP range 1024 through 65535 is expected for outgoing UDP traffic. Is that right? That is a ton of ports, and possibly no better than just enabling uPnP.
Do I really need such a wide range to be able to maintain this NAT type B?
In normal operation a router or firewall running NAT will allow you to access the internet and receive traffic you requested and drop any unsolicited traffic originating from the internet.
If you were to access google, your PC will try to access google.com on port 443 with your PC being the source of port 5673 (any number between 1024 and 65000ish). Any traffic from Google to you will be permitted provided they are using the correct port pairings. If google then decides I am going to send you traffic on port 5677 your router/firewall will drop the traffic as it is unsolicited.
Now for the problem. Upnp allows a piece of software running somewhere in your house to register itself with your router and say “hey, if you see traffic destined for port 5555 from anywhere on the internet forward it to me, even if I didn’t start the conversation”. Considering how bad software is written this can give a threat actor a beachhead into your LAN to then vomit as much traffic back out as it wants, it could be a DDoS a mining not or just regular traffic sniffing.