Re: [WIRELESS-LAN] Student Gaming behind NAT

2017-02-14 Thread Hunter Fuller
I'm interested in why you would separate it into a different VRF.

Anyway, we have gotten rid of NAT on Resnet and it is amazing. We are
piloting the same situation on wireless. Do it as soon as you can get away
with it. You will get fewer tickets. There is less info to chase down about
issues. Students will stop asking you how to change their NAT type because
it will always be Open. You will sleep better at night. You will find a $20
bill in a pair of pants you hadn't worn in a while. Etc.

Seriously, it's the best. Your firewall and ACLs will protect your
constituents, because that's what they're designed to do, y'know?


On Tue, Feb 14, 2017 at 10:52 AM Voelker, Andy wrote:

We’re having increasing problems with newer games operating on a 1:1 NAT in
our residence halls.  Some of these games have a dozen port entries per
platform (Xbox, PS4, PC) and after all that the games still aren’t acting
reliably.  We’re using a Palo Alto firewall, which carries application
signatures for SOME games, but not that many.  I’m finding myself spending
too much time on this, yet not able to dedicate enough to get to a good
solution.  I’m interested to hear how others are handling this (since I’m
new to operating this type of service).

Little background info:  We have a device SSID with a WPA2-PSK that dumps
onto the student network, which carries some network permissions but
relatively few.  A potential solution would be to stop NATing addresses,
provide public IPs to the device network, and segment them into an
off-campus-only VRF.  However, students are starting to interact with their
consoles using their PCs and mobile devices, which would not work in this
model.  By this I mean screen-casting, live streaming, etc.  I suspect that
need will grow.  Also other “things” that use the device network like
Chromecast, Sonos, Google Home, WiFi lights, etc. would be useless unless we
wrote firewall rules that allowed each and every one of these protocols.
Many of these rely on mDNS, DIAL, etc. though.  Not easy.

I covet your thoughts.  Thanks in advance.

Andy Voelker

Network Administrator and IT Infrastructure Team Lead

Davidson College


** Participation and subscription information for this EDUCAUSE
Constituent Group discussion list can be found at
http://www.educause.edu/discuss.




Re: [WIRELESS-LAN] Student Gaming behind NAT

2017-02-14 Thread Howard, Christopher
We use Palo Alto as well and 1:1 NAT was working fine for us, at first.  
However, we were using it in such a way that if the pool of addresses ran out, 
it would fall back to a PAT pool.  We noticed that if a game console ended up in 
the PAT fallback it would fail to work.

What we ended up doing is giving the consoles a public IP to completely remove 
NAT, but used those public IPs inside our border firewalls.  The game console 
subnet is in the same VRF that the students are in.  This way they can reach 
them even though consoles are public IP and student devices are not - same 
route table internally.  After that we didn't have to make any changes to the 
Palo Altos.  All games have been functioning fine without having to open any 
ports inbound.  The only real downside is having to carve out some public IP 
space for it and move those IPs inside.

The mDNS/DIAL/etc. stuff we still have on private addresses using NAT.  We are 
an Aruba shop, so we have ClearPass.  The only thing we use ClearPass for is 
the enablement of AirGroup and who can see which device (we limit to the 
building, basically).  We don't use ClearPass as a NAC or anything like that.

Christopher Howard
Director, Network Engineering
University of Tennessee at Chattanooga
christopher-how...@utc.edu




Re: [WIRELESS-LAN] Student Gaming behind NAT

2017-02-14 Thread Coehoorn, Joel
Our firewall vendor (Untangle) is experimenting with a restricted UPnP
option, that may eventually allow us to use it for only approved devices
and approved ports, for an approved timespan. Other UPnP requests would be
rejected.

Not sure yet how I feel about the feature. If it works, I know our
students would love it and I'm confident I could secure it to protect our
own public-facing services. But I'm not sure how it could allow two NAT'd
devices to both have, say, port 3074 forwarded at the same time.

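Joel's question, whether a restricted UPnP service could let two NAT'd devices both hold port 3074, comes down to what the mapping table is keyed on: a public IP, protocol and external port can belong to only one internal host at a time, so two consoles sharing one PAT address collide, while consoles with their own 1:1 public IP do not. The Python below is an added example written for this thread, not Untangle's feature or code from any participant; it models the policy checks Joel describes (approved devices, approved ports, bounded lease) and goes slightly beyond the question by also expiring stale mappings. The MAC addresses, private ranges and TEST-NET public IPs are constructed, and the policy and request field names are hypothetical.

```python
"""Policy filter for a 'restricted UPnP' port-mapping service (added example).

Assumptions, not taken from the thread: each request carries the device MAC,
its private IP, the public IP the NAT gave it (its own under 1:1 NAT, a shared
address under PAT fallback), the protocol, the external port and a lease.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class MappingRequest:
    mac: str
    private_ip: str
    public_ip: str
    proto: str          # "udp" or "tcp"
    ext_port: int
    lease_s: int        # requested lease in seconds


@dataclass
class Policy:
    approved_macs: Set[str]                  # devices allowed to ask at all
    approved_ports: Set[Tuple[str, int]]     # (proto, port) pairs games may open
    max_lease_s: int                         # hard cap; no permanent mappings


@dataclass
class Decision:
    granted: bool
    reason: str
    lease_s: int = 0


# The table key is the public-side triple. This is what makes two devices
# behind the same PAT address unable to share UDP/3074.
MappingKey = Tuple[str, str, int]            # (public_ip, proto, ext_port)


@dataclass
class RestrictedUpnp:
    policy: Policy
    # key -> (owner MAC, private IP, expiry time)
    table: Dict[MappingKey, Tuple[str, str, float]] = field(default_factory=dict)

    def _expire(self, now: float) -> None:
        """Drop mappings whose lease has run out, so ports return to the pool."""
        for key in [k for k, (_, _, exp) in self.table.items() if exp <= now]:
            del self.table[key]

    def request(self, req: MappingRequest, now: float) -> Decision:
        self._expire(now)
        mac = req.mac.lower()
        proto = req.proto.lower()
        if mac not in self.policy.approved_macs:
            return Decision(False, "device not approved")
        if (proto, req.ext_port) not in self.policy.approved_ports:
            return Decision(False, f"{proto}/{req.ext_port} is not an approved game port")
        if req.lease_s <= 0:
            return Decision(False, "lease must be positive")
        lease = min(req.lease_s, self.policy.max_lease_s)   # cap, do not reject
        key = (req.public_ip, proto, req.ext_port)
        current = self.table.get(key)
        if current is not None and current[0] != mac:
            return Decision(False, f"{proto}/{req.ext_port} on {req.public_ip} "
                                   "is already held by another device")
        self.table[key] = (mac, req.private_ip, now + lease)
        return Decision(True, "renewed" if current else "granted", lease)


def demo() -> List[Decision]:
    """Constructed scenario: one PAT address shared by two consoles, one 1:1 IP."""
    policy = Policy(
        approved_macs={"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"},
        approved_ports={("udp", 3074), ("tcp", 3074), ("udp", 3478)},
        max_lease_s=3600,
    )
    upnp = RestrictedUpnp(policy)
    console_a = MappingRequest("AA:BB:CC:00:00:01", "10.20.0.5", "198.51.100.10", "udp", 3074, 7200)
    console_b_pat = MappingRequest("aa:bb:cc:00:00:02", "10.20.0.6", "198.51.100.10", "udp", 3074, 1800)
    console_b_1to1 = MappingRequest("aa:bb:cc:00:00:02", "10.20.0.6", "198.51.100.22", "udp", 3074, 1800)
    rogue = MappingRequest("de:ad:be:ef:00:00", "10.20.0.7", "198.51.100.10", "udp", 3074, 1800)
    ssh = MappingRequest("aa:bb:cc:00:00:01", "10.20.0.5", "198.51.100.10", "tcp", 22, 1800)
    return [
        upnp.request(console_a, now=0),          # granted, lease capped to 3600
        upnp.request(console_b_pat, now=0),      # rejected: same public IP/port as A
        upnp.request(console_b_1to1, now=0),     # granted: own public IP, no collision
        upnp.request(rogue, now=0),              # rejected: device not approved
        upnp.request(ssh, now=0),                # rejected: port not approved
        upnp.request(console_b_pat, now=4000),   # granted: A's lease expired at 3600
    ]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The second and third results are the answer to the question: the collision exists only while both devices sit behind the same public address, which is exactly the PAT-fallback case Christopher described failing; a per-console public IP (1:1 NAT or no NAT) sidesteps it. Capping rather than rejecting over-long leases, and keying on the public side rather than the requesting host, are deliberate choices so that the service never hands out a permanent hole and never lets a later requester silently steal a port.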