Our firewall vendor (Untangle) is experimenting with a restricted UPnP option that may eventually allow us to use it for only approved devices and approved ports, for an approved timespan. Other UPnP requests would be rejected.
Not sure yet how I feel about the feature. If it works, I know our students would love it and I'm confident I could secure it to protect our own public-facing services. But I'm not sure how it could allow two NAT'd devices to both have, say, port 3074 forwarded at the same time.

On Feb 14, 2017 10:52 AM, "Voelker, Andy" <anvoel...@davidson.edu> wrote:

> We’re having increasing problems with newer games operating on a 1:1 NAT in our residence halls. Some of these games have a dozen port entries per platform (Xbox, PS4, PC) and after all that the games still aren’t acting reliably. We’re using a Palo Alto firewall, which carries application signatures for SOME games, but not that many. I’m finding myself spending too much time on this, yet not able to dedicate enough to get to a good solution. I’m interested to hear how others are handling this (since I’m new to operating this type of service).
>
> Little background info: We have a device SSID with a WPA2-PSK that dumps onto the student network, which carries some network permissions but relatively few. A potential solution would be to stop NATing addresses, provide public IPs to the device network, and segment them into an off-campus-only VRF. However, students are starting to interact with their consoles using their PCs and mobile devices, which would not work in this model. By this I mean screen-casting, live streaming, etc. I suspect that need will grow. Also, other “things” that use the device network like Chromecast, Sonos, Google Home, WiFi lights, etc. would be useless unless we wrote firewall rules that allowed each and every one of these protocols. Many of these rely on mDNS, DIAL, etc. though. Not easy.
>
> I covet your thoughts. Thanks in advance.
>
> Andy Voelker
> Network Administrator and IT Infrastructure Team Lead
> Davidson College
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.