We use Palo Alto as well and 1:1 NAT was working fine for us, at first. However, we were using it in such a way that if the pool of addresses ran out, it would fall back to a PAT pool. We noticed that if a game console ended up in the PAT fallback it would fail to work.

What we ended up doing is giving the consoles a public IP to completely remove NAT, but used those public IPs inside our border firewalls. The game console subnet is in the same VRF that the students are in. This way they can reach them even though consoles are public IP and student devices are not - same route table internally. After that we didn't have to make any changes to the Palo Altos. All games have been functioning fine without having to open any ports inbound. The only real downside is having to carve out some public IP space for it and move those IPs inside.

The mDNS/DIAL/etc. stuff we still have on private addresses using NAT. We are an Aruba shop, so we have ClearPass. The only thing we use ClearPass for is the enablement of AirGroup and who can see which device (we limit to the building, basically). We don't use ClearPass as a NAC or anything like that.

Christopher Howard
Director, Network Engineering
University of Tennessee at Chattanooga
christopher-how...@utc.edu

On Feb 14, 2017, at 11:52 AM, Voelker, Andy <anvoel...@davidson.edu> wrote:

We’re having increasing problems with newer games operating on a 1:1 NAT in our residence halls. Some of these games have a dozen port entries per platform (Xbox, PS4, PC) and after all that the games still aren’t acting reliably. We’re using a Palo Alto firewall, which carries application signatures for SOME games, but not that many. I’m finding myself spending too much time on this, yet not able to dedicate enough to get to a good solution. I’m interested to hear how others are handling this (since I’m new to operating this type of service).

Little background info: We have a device SSID with a WPA2-PSK that dumps onto the student network, which carries some network permissions but relatively few. A potential solution would be to stop NATing addresses, provide public IPs to the device network, and segment them into an off-campus-only VRF.

However, students are starting to interact with their consoles using their PCs and mobile devices, which would not work in this model. By this I mean screen-casting, live streaming, etc. I suspect that need will grow. Also other “things” that use the device network like Chromecast, Sonos, Google Home, WiFi lights, etc. would be useless unless we wrote firewall rules that allowed each and every one of these protocols. Many of these rely on mDNS, DIAL, etc. though. Not easy.

I covet your thoughts. Thanks in advance.

Andy Voelker
Network Administrator and IT Infrastructure Team Lead
Davidson College

********** Participation and subscription information for this EDUCAUSE Constituent Group discussion list can be found at http://www.educause.edu/discuss.