Pfsense now has a patch available via the netgate forums that finally FINALLY resolves the issues it has had with its UPNP implementation. The underlying issues were that MiniUpnp's implementation on BSD needed the ability to add the correct outbound NAT rules corresponding to the ports it used for inbound port forwards, as well as nat anchors to be implemented on the miniupnp nat rules so they are followed before other outbound nat rules. The patch was created too late to be included in the last release, but it will be in the next release, and can be manually installed. I have yet to test it, but it looks like this problem has actually been solved. *Edit. The UPNP Fix has been added to PfSense CE 2.7.0. Pfsense will finally work for gamers with multiple systems, just enable UPNP set and forget!
@partlyawesome a year ago
What was this patch? Did it work? Please let me know!
@oriwan3786 5 years ago
Well I’m a gamer by heart and an IT network engineer by profession. I’m using pfsense since years. Yes pfsense is complex but it is pretty straightforward. I never had any problems to set up the configuration needed for a game. Running on a dedicated server with a 4x Intel NIC with LAGG interface to a managed switch. I never had any bottlenecks on my WAN link (1gb FTTH). The problem is you need to have deep network knowledge and understanding to set up. Still if you want to have a free firewall pfsense is the best currently.
@VonCarlsson 5 years ago
The problem, if you will, is getting over that initial knowledge hurdle, and it's a rather steep hurdle. One that most people are simply not willing to put in the required effort in order to overcome. Not because they're stupid or lazy, but rather because it's very technical and unless that interests you in the first place it's going to be a major pain in the ass. As such, I think the video's conclusion is correct: it's not recommended for the average user; not even if the population in question consists primarily of gamers.
@steveburgess23 5 years ago
Agree with this 100% though I’m running pfsense 4.4 with just upnp enabled without a static Nat rule and have a network status reported as “moderate” by the consoles and have zero issues with latency spikes. Forwarding the ports manually to get an “open” status has no noticeable effect on latency. If the router has plenty of memory there shouldn’t be an issue with these types of latency spikes anyway.
@hothardwarehive1526 5 years ago
@VonCarlsson Well for the average users, bufferbloat shouldn't be an issue either as it is almost imperceptible until you are having a lot going on your network (traffic, many users) and you have some high bandwidth to reach the Internet.
@haydenw8691 5 years ago
Sophos Home UTM is also free for home use. Only limitation is the 50 IP address limit. It is also even more locked down than pfsense in the initial configuration and the installer takes a bit of work to succeed with a USB stick.
@hothardwarehive1526 5 years ago
@haydenw8691 I would strongly suggest to use Sophos XG Home Free Edition instead as the interface is much better and is a Next Generation firewall that can do anything (IDS, IPS, Anti-virus and more). The only drawback that kept me switching from pfSense to Sophos was their abysmal IPSec speed. Both of their own hardware (low-end to mid-end at least) or the software version (Pro or home edition) don't use the AES capabilities of modern processors (Intel and AMD) for encryption and everything falls back on the main cpu(s) (the advertised speed by Sophos for VPN speed are not achievable even at the lowest security settings). In pfSense you just enable the use of the encryption capabilities (AES offload) and you're back at your full ISP speed.
@kanarie 5 years ago
If you want to shape 500+Mbit (I've tested up to 750Mbit), get a router based on fast ARM chips and OpenWRT compatibility. E.g. Linksys WRT1900ACS or Linksys WRT32X. Flash to OpenWRT, set up SQM and use the "cake" traffic shaper to get perfect fairness of bandwidth as well as bufferbloat mitigation.
@AI-EXREYFOX 10 months ago
With openwrt ver. you use and on what device.
@Monsieur2068 4 years ago
For anyone seeing this now there is testing currently on a version of miniupnp to fix this, looks to be tested in pfsense 2.5.
@JasonVanPatten 5 years ago
I'm not terribly surprised by the troubles you ran into. pfSense is FreeBSD using the "pf" packet filter. I like pf a *LOT* from a firewall/protection/security perspective. It's highly flexible and configurable. But it defaults to "NO!!!!" Nothing about creating pf rules is simple and easy; while pfSense has made it a lot easier, it's still very much a manual process which will lean *more* towards security and *less* towards convenience.
@RobinCawthorne 5 years ago
It's easier to predefine the rules in a script or create a config via the GUI and use it for a baseline in the future. pf and iptables are both unbelievably versatile!
@JasonVanPatten 5 years ago
Oh, I know. I've been using both for ... ever ... it seems. But the challenge Chris is/was trying to solve isn't really *easy* to do with pf. It *IS* doable, but not very simply. Again: it's aimed at security-over-convenience, much to the chagrin of some.
@ddallmann1373 5 years ago
pf is much easier to understand when compared to ip tables, if you don't have a tool to manage ip tables.
@hothardwarehive1526 5 years ago
The problem is using UPnP which no one should really use if they care about network security. pfsense since 2.4.4 has addressed this issue and you can set it up properly (see my reply above).
@CMDRSweeper 5 years ago
Same here actually, I am operating PFSense on my network, granted since it is just me I haven't seen these issues appear myself. However, I am not a strict gamer, I run my own VPN to gain access to my network, I have VLAN setups to split networks, and I have servers running that need outside access from time to time. Stuff I have learned to set up correctly, but yes, PFSense defaults to no rather than yes, so you often have to figure out what it is denying and then figure out how to say yes in the most secure way.
@oicmorez4129 5 years ago
No one talking about 1:45 and 1:55? Look at the ad and how it's synced up with the speed test
@mmmcrispyful 5 years ago
I have been using pfSense for over 5 years now. I'm using it right now. We have two PS4's and two gaming PCs. I have never encountered an issue with getting the systems to play on the same game simultaneously. We play Fortnite Battle Royale with all systems since it supports cross-platform play, and we play a lot of The Division 2 on PC. No issues playing together. The simplest fix for the "Strict" issue that all games report with pfSense is to enable Hybrid Outbound NAT and add the Host PCs or consoles (eg. 10.0.1.15/32). No need to port forward or create any inbound rules. Outbound rules for each host and UPnP is all you need for the strict issue. The only issue with these settings that I have experienced is voice chat in The Division 2 does not work when set to Hybrid Outbound NAT, setting it to Automatic Outbound NAT fixes the issue. If you're having issues with multiple hosts and if you haven't already tried it, I recommend enabling NAT reflection mode's Pure NAT (System -> Advanced Firewall & NAT). As for reducing or eliminating buffer bloat using pfSense, well, that is a ripe PITA. I have tried multiple times before version 2.4.4 to get this working effectively, I have given up many times. Since it's been made a lot easier with 2.4.4, I will test it out and see how it works.
@Felix-ve9hs 5 years ago
I first used OPNsense (pfSense Fork) to use FQ_CoDel but needed weeks to research and tweak it, but with the Ubiquiti EdgeRouterX I needed 5 minutes to set up the Smart Queue. It works just as fine as my OPNsense Router, but has way fewer features and you can't use Custom Hardware
@d3nswiper 5 years ago
Great vid as always Chris. I think an up-to-date video-explanation from you in regards to "all things network" or something like "setting up your PC network for gaming" would be hugely popular. I know you already covered leatrix and all other things, but as I said just having everything in one video from basic windows configuration to router QoS would be absolutely awesome.
@jeffm2787 4 years ago
If you use an OpenWRT system to pass traffic to the PFSense box via a transparent bridge using Cake the results are great. At that point however you might as well just run OpenWRT (LEDE). I just gave up with my SG-3100 in favor of a Ubiquiti USG as I found the response is much much better. I may build another transparent bridge and use Cake, always trying to balance that 24/7 power usage with what I want.
@TurboSpeedWiFi 2 years ago
Ubiquiti is so much better than OpenWRT! OpenWRT is essentially a toy.
@jeffm2787 2 years ago
@TurboSpeedWiFi Actually when it comes to routing I think OpenWRT might have an edge. Ubiquiti routing and firewall abilities are a total joke. I do really like Unifi AP's and use them. I'll stick with PFSense combined with Unifi AP's.
@TurboSpeedWiFi 2 years ago
@jeffm2787 The Ubiquiti Edgerouter series is not a joke at all. I do not use Unifi for routers. I also like pfSense a lot. OpenWRT just feels too amateur and unpolished to me.
@thinj825 5 years ago
As someone having to constantly reboot a router ever since I turned on its prioritization features, this is of interest to me. I already have three PC's in the house and one is positioned perfectly to function as the router for the house, this video was very nicely timed. As a newbie to all this, you've at the very least saved me from messing with PfSense. My brother moved in with me, I have two gaming PC's and multiple other devices and I need them all to work with a relative minimum of hassle. Looking forward to the video about whatever thing it is that's working better for you!
@kirk1240 5 years ago
I use pfsense with FQ_CODEL on an Intel NUC8I7HNK. Even with 1gbit the processor sits on single digit load %. You need to set up the queue and port forwarding (use hybrid NAT), but once it's done, it works.
@DavidGoettler 4 years ago
I agree. I spent weeks troubleshooting only to realize this cannot be done. I caved and bought a USG to use a smart queue.
@shimme01 5 years ago
I am absolutely excited for the next video on bufferbloat control. My last two routers (Netgear R7800 and ER-X) have been inspired by your content and I use them in tandem for my current setup with the netgear acting as an AP. I lose about 30Mbps (180 to 150) off my package with QoS enabled, but it's good enough for now. I tried OpenWrt on my R7800, but it was not using all the cores for QoS so I think I got around 100Mbps from it.
@yukiseekyo 5 years ago
PFSense is one of those Firewall Distros that go by security first and not supposed to be a one click solution to do everything but once you get it to work then it's a match made in heaven, untangle is the best one for gaming since it uses linux and apparently the BSD networking stack is a lot more strict on what it allows, comparing to linux that is more lax and most consumer routers use the linux kernel as the backbone of the os.
@yukiseekyo 5 years ago
Plus it supports geoblocking which is good I guess
@BattleNonSense 5 years ago
*PFSENSE FINALLY FIXED THIS UPNP ISSUE!* _(fix not included in current PfSense release as of 2022.06.29)_
forum.netgate.com/topic/169837/upnp-fix-for-multiple-clients-consoles-playing-the-same-game
Bufferbloat Test: www.dslreports.com/speedtest
EdgeRouter Setup Tutorial: kzbin.info/www/bejne/pV7KY4Nph51nmtk
@permissionBRICK 2 years ago
I finally managed to fix this. Apparently there is now a patch for the problem of UPNP not being able to switch ports, if the port is already in use, which claims you shouldn't need static port mapping anymore, which will be rolled out in the release after 2.4.0, but is available as a manual patch now. Also I had a separate issue, where upnp would just refuse to open my nat on pfsense, even though it seemed to be working, and it turned out I had not one but two other separate routers in my network which were running in wifi client mode, however were still running upnp server, since apparently you need to disable this separately, and the games tried to forward ports on these routers instead of my pfsense.
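A way to check for the second problem in the comment above (extra devices still answering as UPnP gateways), as an added example that is not part of the original comment. It classifies SSDP replies and lists every Internet Gateway Device responder other than the intended firewall; the addresses, `SERVER` strings and the names `find_gateways`, `make_reply` and `SAMPLE` are constructed for illustration, and `192.168.1.1` is assumed to be the pfSense box.

```python
"""Find every UPnP Internet Gateway Device (IGD) that answers SSDP on a LAN.

Added example. The SAMPLE replies are constructed, not captured traffic.
"""
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
IGD_MARKERS = ("internetgatewaydevice", "wanipconnection", "wanpppconnection")


def parse_ssdp(raw):
    """Return the reply headers (lower-cased names), or None if not an HTTP 200."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def find_gateways(responses, expected_ip):
    """responses: iterable of (sender_ip, raw_bytes).

    Returns (gateways, unexpected). gateways maps each IGD responder to its
    SERVER and LOCATION headers; unexpected lists responders other than the
    firewall that is meant to be the only port-mapping service.
    """
    gateways = {}
    for sender_ip, raw in responses:
        headers = parse_ssdp(raw)
        if headers is None:
            continue
        ident = (headers.get("st", "") + " " + headers.get("usn", "")).lower()
        if any(marker in ident for marker in IGD_MARKERS):
            gateways.setdefault(sender_ip, {
                "server": headers.get("server", "?"),
                "location": headers.get("location", "?"),
            })
    unexpected = sorted(ip for ip in gateways if ip != expected_ip)
    return gateways, unexpected


def discover(timeout=3.0):
    """Send one SSDP M-SEARCH for IGDs and collect replies (needs a real LAN)."""
    msg = ("M-SEARCH * HTTP/1.1\r\n"
           "HOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\n'
           "MX: 2\r\n"
           f"ST: {IGD_ST}\r\n\r\n").encode()
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg, SSDP_GROUP)
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(65507)
                replies.append((ip, data))
        except socket.timeout:
            pass
    return replies


def make_reply(st, server, location):
    """Build one constructed SSDP reply for the offline sample."""
    return ("HTTP/1.1 200 OK\r\n"
            "CACHE-CONTROL: max-age=120\r\n"
            f"ST: {st}\r\n"
            f"USN: uuid:00000000-0000-0000-0000-000000000000::{st}\r\n"
            f"SERVER: {server}\r\n"
            f"LOCATION: {location}\r\n\r\n").encode()


# Constructed sample: the firewall, two Wi-Fi client-mode routers that still
# run a UPnP server, and a media renderer that is not a gateway.
SAMPLE = [
    ("192.168.1.1", make_reply(IGD_ST, "FreeBSD UPnP/1.1 MiniUPnPd",
                               "http://192.168.1.1:5000/rootDesc.xml")),
    ("192.168.1.2", make_reply(IGD_ST, "Linux UPnP/1.0 ExampleRouter",
                               "http://192.168.1.2:49152/igd.xml")),
    ("192.168.1.3", make_reply("urn:schemas-upnp-org:service:WANIPConnection:1",
                               "Linux UPnP/1.0 ExampleRouter",
                               "http://192.168.1.3:49152/igd.xml")),
    ("192.168.1.50", make_reply("urn:schemas-upnp-org:device:MediaRenderer:1",
                                "ExampleTV UPnP/1.0",
                                "http://192.168.1.50:8080/desc.xml")),
]

if __name__ == "__main__":
    found, extra = find_gateways(SAMPLE, expected_ip="192.168.1.1")
    for ip, info in sorted(found.items()):
        flag = "UNEXPECTED" if ip in extra else "expected"
        print(f"{ip:15} {flag:10} {info['server']}")
```

To run it against a live network, pass `discover()` instead of `SAMPLE`; any address reported as unexpected is a device whose UPnP service should be switched off.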
@devidby0 5 years ago
Had this issue with R6 Siege. I have 3 OpenVPN clients on my PFSense so I route each computer over a separate OpenVPN which allows me to have up to 4 devices playing together online. If you forget to enable you have to exit the game and reset states. Not a set and forget by any means but it does work. So far is the only issue I have had with PFsense over the years of using it.
@solidus1983 5 years ago
This is why I use OpenWRT with Cake SQM, however you could check the kernel log to see if nf_conntracks is working which is part of UPnP, if it doesn't it will show an error like "nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead."
@swmike 5 years ago
I run OpenWRT on WRT1200AC which provides enough throughput to do ~500 megabit/s using CAKE / FQ_CODEL (I personally use this on a 250/100 megabit/s connection and I am not even close to running the CPU full). If you install OpenWRT on the same PC hardware that you installed pfSense on you should be able to easily get full gig forwarding speed, with same UPNP etc support, and enable SQM to fix bufferbloat. You install basic OpenWRT and then you add the sqm_scripts package and the equivalent luci package, and then you can configure this from LUCI, quite easily. openwrt.org/docs/guide-user/network/traffic-shaping/sqm
@SgtRock4445 5 years ago
I'm going to give this a try on my 1900acs I have laying around. Thanks.
@Zeratuhl 5 years ago
Don't create manual rules for a specific game. Flip the NAT rule mode to manual and change the default outbound LAN-wide rules for the complete *-* (-500) port range to not use randomization with the "static port" checkbox. Works in Warframe and will enable multiple clients to play simultaneously.
@ectotrix7399 2 years ago
Hello, I'm gonna test that but I don't understand how it is different from what he did. I think he did 1 rule for each host with the "static port" checkbox.
@Djhg2000 5 years ago
So what would the advantage be with UPnP as opposed to NAT hole punching? The latter allows for direct UDP packets between clients and doesn't require the horrible mess of UPnP, in addition to requiring zero manual configuration. Apparently some games already use this.
@nimeq 5 years ago
The distinction is upnp doesn't require an outside server to open the connection ports. UPNP is fully reliable in the sense it will forward the port to the client, NAT hole punching is dependent on the router to accept the connection establishment between unknown remotes. Also neither of these provide any authenticity to the connection, they're just methods to make a connection over two clients that aren't directly connected to the internet.
@Djhg2000 5 years ago
@nimeq
> The distinction is upnp doesn't require an outside server to open the connection ports. UPNP is fully reliable in the sense it will forward the port to the client, NAT hole punching is dependent on the router to accept the connection establishment between unknown remotes.
But they both require an external node for coordination of connections. NAT hole punching doesn't add much to the process of establishing connections and pretty much all but the extremely paranoid routers allow creating UDP connections. In one of the NAT hole punching strategies you essentially assert that there is a UDP "server" at the endpoint and send packets until the router figures out that the packages it's getting on the outgoing port are related. It can be blocked in theory but distinguishing between NAT hole punching and bulk data on a side channel is in practice, without deep packet inspection, literally impossible half of the time because you look like a UDP "client" initiating a connection. The only way you'd detect is to store a table of dropped invalid packets and cross reference them with every subsequent packet, resulting in first of all a massive table and then something like O(n) overhead for each packet.
> Also neither of these provide any authenticity to the connection, they're just methods to make a connection over two clients that aren't directly connected to the internet.
I'm a little confused by this statement. Authenticity is well outside the scope of both implementations, so I don't see why you're bringing that up?
@nimeq 5 years ago
@Djhg2000 You're right, I have no idea what I was thinking, I guess I've been working too long on STUN (Which has a different purpose). UPNP allows you to run a classic server, as opposed to having to use p2p connection establishment strategies. Not that it's really that important for your triple-A games these days, since you can't run your own server anyway. Not that you can't also just edit the firewall rules for it.
@luk4aaaa 5 years ago
I always enjoy watching your videos to the end cuz that outro is so gooood
@jamescater66 5 years ago
Thanks for sharing the dslreports site with the buffer bloat test. I can improve my buffer bloat rating from C to A by enabling QoS on my Netgear router and reducing the download speed by 45% (350 => 200 Mbps). This reduces peak throughput of course, however fixing the ping spikes in game is priceless so worth the hit IMO
@araemo 5 years ago
Why in the world do games require a specific source port? I understand the server needs one because the clients need to know what to connect to (though, server browsers/matchmaking systems could list/provide the port as well..). But it needs to track per-client state anyway, there's no good reason to require the clients to use a specific source port. Just grab a random ephemeral (49152-65535 on windows) port and go from there... Is there ANY good reason for a game that doesn't run a listen server requiring a specific port on the clients?
@squid11160 5 years ago
Fairly sure it's not a source port, but rather a listen port on the client. Some games offload server capabilities to one of the clients if a client has a port open (GTA Online, for example), and for that it makes sense. However if that's not the case, I'd say it's poor design. One might argue that offloading server capabilities to clients is also poor design because it allows for easier cheating.
@IridiumGaming 5 years ago
CAKE is a more effective algorithm that is available on OpenWRT
@marciets1752 5 years ago
Also for EdgeOS from Ubiquiti
@BattleNonSense 5 years ago
@marciets1752 Well CAKE is still not finished yet (at least last time I checked the mailing list). The implementation in EdgeOS is also not something that I'd dare to show in a video yet. I really hope that UBNT will add it directly to EdgeOS though - more options are always great! I'd also like to see FQ_PIE there.
@kanarie 5 years ago
@BattleNonSense it's part of the Linux kernel now (mainlined). So it's "finished" but also still getting small improvements.
@misdierekt928 5 years ago
@kanarie Using Cake myself, Works Wonders on a 20mbps Fiber line running openwrt on a Mikrotik 951 Routerboard
@jamesoxford4260 5 years ago
@misdierekt928 Isn't mikrotik fantastic? It's got huge performance for little price. I've got an RB3011 with a dual core ARM. At 200Mbps it runs at like 3-5% cpu usage with 30-40 rules on the firewall...
@bobhumplick4213 5 years ago
openwrt can be made to work on x86 pc's but takes some work. usually if you have a decent router and a gigabit connection you can just enable sqm on the upload side and disable it on the download. most of the bottleneck will be on the upload side anyway with such big connection. but if you install openwrt on a pc you can have sqm on ANY size connection you want. a 50 dollar dell optiplex with a 3rd gen i7 will be more than enough
@ccotunai 5 years ago
This flew a bit over my head. Fortunately, I don't really play multiplayer games, so ping and latency are not that important now.
@emanuelpersson3168 5 years ago
I have been using pfSense for more than 10 years. I first noticed this when I started playing Destiny 2. I really hope there will be a much easier way to get this to work. Great video as always Chris! :)
@ThineHolyBacon 5 years ago
So I opened this video as I hadn't really heard about Bufferbloat, but I do use pfSense as my home firewall. I can't comment on the issues of NAT, as my setup does not have two gaming computers, I can say that FQ_CoDel does work very well on pfSense, and I went from a C to A rating after adjusting it :)
@StephenSalter 4 years ago
Is there an updated video on this new firewall, what is it called?
@_unknown_guy 5 years ago
@Battle(non)sense maybe reach out to Level1Techs. Wendel did a video on pfsense a while ago so doing a refresh on that with your use case in mind might be a cool collab video.
@rv112xy 5 years ago
I use Traffic Shaper on pfSense and Bufferbloat is very good with it on a Multi WAN 450 MBit/s connection. Of course it runs on an i7 CPU. pfSense is doing nothing on its own and that's good and what you want! You have to allow everything you want and set it up correctly. I don't know what you did there wrong, but I never used UPnP or NAT-PMP. It's also not recommended. You should not forward any port for a game. I have multiple clients running the same game on the network and everything runs fine.
@fusedOG 5 years ago
The games will run fine but certain functions will not work depending on the game. If you have a strict NAT in Black Ops 4, you cannot invite players on the Internet to your party for example. However, you can still play the game just fine and even be invited by other players their party. My experience with pfsense is identical to what Chris ran into in this video. I.e, requiring static port outbound NAT to get past Strict NAT in games, as well as multiple players on the LAN having issues playing once this option is enabled. Also, I didn't use UPnP at all due to security concerns. I wish more games did UDP hole punching like Overwatch does. That game is flawless.
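A toy model of the trade-off described in this comment, and of the fix summarised in the first comment of the thread, added here as an illustration (it is not pf, pfSense or miniupnpd code). It treats a NAT-type check as "does one LAN socket show the same external port to two destinations", which is an assumption of the model; the addresses, port 3074 and all class and function names are constructed.

```python
"""Toy model of outbound NAT source-port selection (added example).

Not pf, pfSense or miniupnpd code. Addresses and port 3074 are constructed.
"""
import random

PROBES = [("198.51.100.1", 3478), ("198.51.100.2", 3478)]  # NAT-type probes
GAME = ("198.51.100.50", 3074)                              # shared game server
CONSOLES = ["192.168.1.20", "192.168.1.21"]


class StateCollision(Exception):
    """Two LAN sockets would share one (external port, destination) pair."""


class OutboundNat:
    def __init__(self, static_port, seed=1):
        self.static_port = static_port
        self.rng = random.Random(seed)   # seeded so runs are repeatable
        self.states = {}                 # (ext_port, dst) -> (lan_ip, lan_port)
        self.upnp = {}                   # (lan_ip, lan_port) -> reserved ext_port

    def ports_in_use(self):
        return {port for port, _dst in self.states} | set(self.upnp.values())

    def upnp_add(self, lan_ip, lan_port, wanted_ext):
        """Reserve an external port; move to the next free one if it is taken."""
        owner = (lan_ip, lan_port)
        if owner not in self.upnp:
            ext = wanted_ext
            while ext in self.ports_in_use():
                ext += 1
            self.upnp[owner] = ext
        return self.upnp[owner]

    def translate(self, lan_ip, lan_port, dst):
        """External source port for a packet lan_ip:lan_port -> dst."""
        owner = (lan_ip, lan_port)
        for (ext, state_dst), state_owner in self.states.items():
            if state_owner == owner and state_dst == dst:
                return ext               # existing state: reuse it
        if owner in self.upnp:           # UPnP-derived rule is matched first
            ext = self.upnp[owner]
        elif self.static_port:           # "static port": keep the source port
            ext = lan_port
        else:                            # default: fresh random port per state
            ext = self.rng.randint(1024, 65535)
            while ext in self.ports_in_use():
                ext = self.rng.randint(1024, 65535)
        if (ext, dst) in self.states:
            raise StateCollision(f"{ext} -> {dst} already belongs to "
                                 f"{self.states[(ext, dst)]}")
        self.states[(ext, dst)] = owner
        return ext


def keeps_same_port(nat, lan_ip, lan_port):
    """True if the socket shows one external port to both probe servers."""
    return len({nat.translate(lan_ip, lan_port, dst) for dst in PROBES}) == 1


def two_consoles(nat, use_upnp=False):
    """Both consoles send from port 3074 to the same server.

    Returns their external ports, or "collision" if the second state
    cannot be created.
    """
    if use_upnp:
        for ip in CONSOLES:
            nat.upnp_add(ip, 3074, 3074)
    try:
        return [nat.translate(ip, 3074, GAME) for ip in CONSOLES]
    except StateCollision:
        return "collision"


if __name__ == "__main__":
    print("random ports, same port to both probes:",
          keeps_same_port(OutboundNat(False), CONSOLES[0], 3074))
    print("static port, same port to both probes:",
          keeps_same_port(OutboundNat(True), CONSOLES[0], 3074))
    print("static port, two consoles:", two_consoles(OutboundNat(True)))
    print("static port + UPnP mappings:",
          two_consoles(OutboundNat(True), use_upnp=True))
```

In this model the last case is the only one where both consoles keep a stable external port and neither collides, which is the outcome the patch note at the top of the thread describes.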
@rv112xy 5 years ago
@fusedOG I've never seen strict NAT or something similar. Can you tell me a game beside BO4 to test with? I only use static port for VoIP.
@ianjameslake 5 years ago
A simple solution for windows machines is to run NetLimiter. It can limit programs upload and download speeds (or the whole connection). This allows you to play games, while doing a download/upload. You just set the upload/download speed to 80-90% (or so) of its maximum speeds. You can also get routers that can set limits per machine. Search for bandwidth throttling.
@BattleNonSense 5 years ago
While you can be somewhat successful with bandwidth throttling (I'm using Netlimiter a lot as you can see in my Netcode analysis videos), it quickly starts to show its limits as soon as you have 3+ users on your network using the internet at the same time.
@ianjameslake 5 years ago
@BattleNonSense Yeah, the only way to make that work is for everyone to run netlimiter, or run a router that limits them. Which as you indicate doesn't work great with 3+ people, as limiting them to 1/3rd the bandwidth each, doesn't suit most households.
@dabsmasher1227 5 years ago
Keep up all your good work mate. Appreciate your insight
@JagHiroshi 4 years ago
Getting PFSense to work with the PS4 for NAT is a pain. I needed to work hard and to set up hybrid outbound NAT with static ports (all things you've tried) but it appears to work for me now. Setting up FQ-CoDel was a complete ball ache - but it did work eventually and bufferbloat was fixed. PfSense running on a VM after my EdgeRouter melted.
@Excellence308 5 years ago
my network has been fucked with bufferbloat issues for the past week. Hopefully this vid will help
@aldaverj5780 5 years ago
I’ve used pfSense for 3 years now I haven’t experienced such ping spikes or strict NAT on my games with my firewall I suggest use 2.3.5 release. I run a wisp too ping spikes or Apex dc’s are not a problem for me (sorry for my bad english)
@aldaverj5780 5 years ago
Try the older firmware
@Crashnite 5 years ago
Damn you explain everything perfectly
@slyya 5 years ago
Can't wait for your next video showcasing the final solution :D
@reallydontlikethem 5 years ago
🇩🇪🇩🇪🇩🇪🇩🇪🇩🇪🇩🇪🇩🇪
@baumstamp5989 5 years ago
Of course you can do it with pfSense or OPNSense. If your only goal is to reduce bufferbloat, you would make the firewall part transparent to the network (allow all rule) and only use the congestion algo from the traffic shaper.
@jasongaunt 5 years ago
Jesus @ Battle(non)sense this video (and yourself) came out of the blue from a KZbin recommendation and you really hit the nail on the head. I've used pfSense in SOHO environments without issues for years and thought I'd use it at home as my Draytek Vigor simply cannot cope with anything more with 220 mbit, I tried for 3 days to get the latest stable build of pfSense to work and had exactly the same issues with multiple xbox and Warframe. To make matters worse, Warframe on xbox does NOT let you change the ports it uses, only enable IPv6 for chat :( I believe the problem seems to be a poor (or buggy) implementation of UPnP IGDv1 with "miniupnpd". You can trick pfSense into mostly working by enabling PureNAT and restricting what addresses each device can grab through UPnP by adding an allow rule under UPnP settings, and then limiting one of the consoles to static port (leaving the other defaulting to dynamic), however even though we could play two games separately we could not join the same session. To make matters worse, when a party invite was sent, the sender received an invite back to themselves, weird :) I've abandoned pfSense for now and will be trying OpenWRT on x86/64 but I fear as it also uses miniupnpd it may suffer from the same problem. The only difference is OpenWRT is Linux kernel based whereas pfSense is FreeBSD based. For now, you've got a new subscriber, keep up the good work :)
@darkpsion 5 years ago
There is absolutely no need to forward ports nor enable upnp for any game with a server on the internet. The only way you would ever need to do this is if you are hosting the server or the game uses some weird peer to peer server but this is few and far between. Your router uses PAT and is a one to one connection to the server out on the internet thus another computer on your network will also connect to the same server successfully. The source port is generated randomly ensuring the connection returns to the correct source pc.
@K7L3-93 5 years ago
I get insane bufferbloat, upwards of 500ms and it's a pain in the ass, I can't wait to see your solution in the new video soon.
@BattousaiHBr 5 years ago
hey chris! just contacted you via e-mail to get this to work with RouterOS on x86 without the need of enabling UPnP. just tried it out and it worked pretty well.
@IsaacRhodes 5 years ago
can you elaborate or is that too in depth for a KZbin comment?
@BattousaiHBr 5 years ago
@IsaacRhodes mikrotik has several queuing algorithms, one of which is SFQ. it's an old one and doesn't work quite as well as the one in this video or CAKE, but does what it is advertised to do. literally just had to create a simple queue using the SFQ algorithm and limiting the bandwidth a bit lower than what my ISP can deliver so that it is the one doing the throttling rather than my ISP. it made downloading videos or files or updates much more responsive, latency fluctuates a lot less, but is basically ineffective if it involves flows to too many different sources (like torrents).
@IsaacRhodes 5 years ago
@BattousaiHBr ah, I understand now. I was thinking you meant there was an alternative to using upnp sorry.
@BattousaiHBr 5 years ago
@IsaacRhodes that's right, SFQ does not require UPnP.
@IsaacRhodes 5 years ago
As in, SFQ doesn't require Upnp to work, or SFQ opens ports so you don't need Upnp?
@Enochrewt 5 years ago
Wow, this issue has essentially been my last year of tinkering with pfsense 2.4.2-2.4.4 on a protecli firewall. Even after I sorted the strict NAT on two Xboxes, I had massive bufferbloat issues to work through and fix with FQCODEL. Finally I have it all working, but like the video said at a small bandwidth loss. Apparently I could tweak bucketsize but I'm going to accept the bandwidth hit for now. I'd like for pfsense to address this, I like it a lot otherwise.
@chrisz8918 5 years ago
Very glad I watched this video because I currently have an Edgerouter X and have been looking to upgrade to pfsense. Guess I will wait for your next video then.
@Supermarine0Spitfire 5 years ago
It's a shame because I have issues with buffer bloat. I was thinking about building a pfsense router for this, but I have to share my connection and I don't feel like configuring pfsense for multiple connections for multiple games. I hope you can find an alternative as my networking knowledge is limited. Great content btw.
@faxxe71 5 years ago
I solved my issues with Mikrotik.... cheap & reliable.... Greetings from Graz
@a36538 5 years ago
Mikrotik had malware embedded in their firmware
@faith_healer 5 years ago
@a36538 prove your words, or the malware is in your head.
@darkpsion 5 years ago
@a36538 no it had a vulnerability on an old version that was patched out long before the botnet started using it, people were on old versions not updating firmware....get your facts straight before you make yourself look bad
@_unknown_guy 5 years ago
@darkpsion Mikrotik even has auto update so just turning that on will make you always be on latest version. Other routers rarely have auto updates and rarely anyone does manual updates.
@445Matty 5 years ago
@_unknown_guy Yes and MikroTik has no problem to talk about it. The company addresses vulnerabilities fast comparing to Cisco, Juniper etc.
@misdierekt928 5 years ago
What I Did was took my Old Mikrotik 951 Routerboard and flashed it with a build of LuCI openwrt, Then used the Cake option on the SQM QOS, I Highly recommend a video on taking a cheap Mikrotik routerboard and Installing openwrt.
@Jax7787 3 years ago
It looks like he went with Untangle. I might have been one of the posts on the netgate forums that he saw lol. I tried to make PFsense work in 2016, and had a back and forth with one of the long time members there. I am sad to report that while there has been some progress (there is a test build of miniupnp that "hopes to allow pf to implement upnp in the linux masquerade style") it is still an issue. At the time, my roommates forced me to give up and go back to our netgear that they could live with! Honestly I should have gotten an edgerouter. Untangle was free once upon a time, but not any more. I would love to try OpenWrt, maybe it doesn't have these issues.
@brandonbursley 5 years ago
How does this product compare with something like the Netduma? I wanna use the edge router mainly because it seems to be way better than a Netduma would ever be, with the exception that it does not have geofiltering :(
@FractalHalia 5 years ago
It's awesome seeing dave show up on the issue. Chris I'm dead serious give this man time just look his name up and it's all over the bufferbloat community. To the man himself thank you and the hard working bufferbloat community for the solutions you've given us the last decade. Back to the video. PFsense wouldn't have been my choice, though it seems from comments you either have a configuration or distro issue. My advice see how hard it would be to use a version of openwrt on that machine. Openwrt has a better routing and more consistent setup at a low level. FQ_Codel is a nice option but cake is superior. You should be commended for making your own custom router but it's good you're showing people why we need router companies to get on the ball and start offering this feature with hardware accelerated support. It's still experimental on routers that allow it so I cannot recommend it as a good option. More gamers would benefit from going in to their routers if they can and dealing with ethtool -c (coalesce) or -k (offload) settings and ensuring the bad ones are disabled and that your packets aren't being held up. While I run games with cake on a R7800 netgear cake itself is only helping out problems on my end. Cake and FQ codel will not fix bad hops or problems on other hops. The tech is great but only if you have a ton of people on the LAN making Upload wan problems or you want to ensure latency/bandwidth in a situation of that nature. Openwrt offers you more be it a router or customizing your own pc to do so. Ask dave or come to openwrt forums or contact me for help.
@BattleNonSense 5 years ago
The issue is the UPnP implementation in PfSense. I eventually moved to Untangle (see the later video). I also collaborated with Dave Taht and Sebastian Möller on this video. kzbin.info/www/bejne/gputiJKpasyEb7s
@MikaelKKarlsson 5 years ago
Fortunately there have been more consumer routers coming out with actually working QoS features over the last year. I waited for Ubiquiti to come out with something semi-consumer that wasn't built upon an ancient processor, but grew tired and gave the TP-LINK Archer C2300 a shot. Very fast and excellent latency under load. Sure the config isn't too sexy, but home routers don't need that. It even works out of the box, though that's almost frowned upon by some people.
@Limeayy 5 years ago
Hoping for the next video soon. Thanks Chris
@bioresadent 5 years ago
Hi. Why don't you try openwrt on an x86 machine? Works absolutely fine and it has fqcodel as well as fqcake!
@BattleNonSense 5 years ago
I was not aware that you can run it on x86 CPUs. Since when is that a thing? :O I might try that, thanks!
@bioresadent 5 years ago
@@BattleNonSense I don't know for how long it has been supported, but I've been using it for a while as my home router with an Intel g3258 cpu and had no problems at all. I dropped it due to being overkill for my internet bandwidth but it got the job done just fine :) glad I helped.
@leexgx 5 years ago
@@BattleNonSense needs to have cpu support AES-NI or it will not work (any low end i5 will blow away any edge routers included cpus). Interesting you had issues with upnp, maybe the NAT settings needed changing or they fixed something to make it more secure but broke upnp. The problem with a lot of these router software people: they tend to be Linux programmers and don't really like UPnP and lock it down to the point it breaks stuff (or it's NAT setting that's making the issue). I use an Asus router running asuswrt-merlin that does seem to support a lot of options and most of them in hardware acceleration still, also as you have some pretty powerful if not expensive routers that have full support for Asus Merlin because asus has the Source Code open (most of the settings keep it hardware acceleration on)
@bioresadent 5 years ago
@@leexgx what do you say doesn't work? I had openwrt with sqm running in a Pentium haswell machine, which doesn't have aes ni and as I said it worked flawlessly.
@leexgx 5 years ago
@@bioresadent I just saw it was openwrt in the post (pfsense is the one that requires it)
@D6isD6 5 years ago
As there was no mention of it, I'm curious if you were aware of/attempted using the "+clientport XXXXX" launch command during your testing for Apex Legends.
@NightKev 5 years ago
Even if that worked, it doesn't solve the whole "set-up once and forget" solution that he wanted to present.
@loztagain8278 5 years ago
@@NightKev I'm so confused. I'm a network engineer. I have 3 gamers in my house. All behind pfsense, with way more complicated things going on than the install in this video, and I've never seen anything like being described. Play a fair bit of overwatch myself, with housemates. Never had to turn on upnp, or forward any ports for anyone. Part of me wonders if the whole worrying about what nat version it says you have might not actually be causing any problems worth mentioning? I dunno... V.confused.
@luk4aaaa 5 years ago
Not only are you techsmart but you’re pretty good at aiming as well
@logerer5633 5 years ago
I'm not sure right now but I think D4veZ3r is his son
@MarikHavair 4 years ago
The perfect man. ;)
@TheBekker_ 5 years ago
What is the alternative firewall you are testing now?
@hule8899 5 years ago
Maybe Sophos? It's limited just by RAM amount for home use.
@AK474000 5 years ago
PFsense leans more toward security than convenience so this isn't surprising. You do have to set up a lot of rules to get things working, but this also gives you more control over your network as a result. Set and forget out of the box isn't the point of PFsense.
@FreeRoamingHumans 5 years ago
The root of the problem is IPv4. Its flaws already became apparent in the 90s, which is why IPv6 came to be. But instead workarounds like NAT and UPNP were invented to mitigate the issues with IPv4. Now while more and more ISPs switch to IPv6 (simply because they run out of addresses), the routers and modems they provide typically block all inbound traffic, because 'Inbound == bad'. So we inherit all the drawbacks of IPv6, most of which come down to lack of adoption, but gain none of the benefits. Rant over. Thanks for your attention.
@user-du9zf3jj1z 5 years ago
when "enable UPNP" means "check here but do other things to get UPNP working"... *edit* untangle > pfsense.
@samcat27 5 years ago
I went from pfsense to untangle. Very good user friendly ui, fq_codel, and speed. I might give openwrt a try
@RobinCawthorne 5 years ago
Openwrt is wicked! But a little more vulnerable.
@kwinzman 5 years ago
@@RobinCawthorne Vulnerable to what?
@RobinCawthorne 5 years ago
@@kwinzman I know it's not that big a deal but silly things like this --> twitter.com/hackerfantastic/status/918430717331279872?s=19
@rkaaaaaaaa 5 years ago
What is the name of that other Firewall PLS :) Don't leave us like this :)
@Felix-ve9hs 5 years ago
same :^)
@N0N0111 5 years ago
Well you have to come back for the next video.
@yukiseekyo 5 years ago
@@N0N0111 It's most likely Untangle
@constantino185 4 years ago
might it be openwrt?
@vydeogames 5 years ago
I gave up on wireless and began using a powerline adapter. Keep in mind that it's heavily dependent upon the wiring in your house. If it's old as shit, you're out of luck. I was getting bufferbloat on wireless 2 feet away from the router. Doesn't matter how good your wireless is.
@BattleNonSense 5 years ago
True. Sadly, for powerline anything that uses a motor or compressor (fridge) is an issue too - switching on the lights can be a problem as well - basically anything that causes high frequency noise, as that interferes with the powerline signals.
@FractalHalia 5 years ago
wrong if you don't use airtime fixes which is linked here the difference isn't day and night it's like being in another dimension. arxiv.org/pdf/1703.00064.pdf Stop using busted wireless. This goes for any gamer on wireless who gives a damn.
@635574 5 years ago
Warframe's famous problem with strict NAT detected, I clicked fast.
@kwinzman 5 years ago
Edgerouter Pro is still affordable for home use. What is the SmartQueue limit of Edgerouter Pro?
@marciets1752 5 years ago
I have the edgerouter 4. About the same as the Pro. I have 360/36 setup in Smartqos. Get 300/30 with these settings
@kanarie 5 years ago
200-ish. The ER-Pro is based on an old chip (ER-Lite/USG too), so you'll get better performance with the ER4. Currently shaping 300+170Mbit with "cake" on the ER4, but that's a load balanced connection so it can use a CPU for each line.
@kwinzman 5 years ago
I am lucky to just get a new 1000 Mbit Down / 50 Mbit Up connection. Can anybody recommend a smart queue router that can handle this?
@kanarie 5 years ago
You'll have to build it yourself probably, because shaping that kind of speed requires something fast like x86. Not even the dual core 1.8GHz Linksys WRT32X has enough CPU power to shape 1 gbit.
@X_B0LT 3 years ago
hi, what program u said u testing and not have the problems u find on pfsense? i not have router just an old cable modem
@DerpyNoodIe 2 years ago
So…. What’s the firewall software you're using now? I’m currently using Pfsense but it definitely causes issues for some games I play with my friends that includes strict NAT or outright not allowing us to play at all.
@mrlopez7173 5 years ago
Upload speed is important and there's less delay in games.
@steve-anderson 5 years ago
CAN WE PLEASE GET AN XR500 REVIEW? :)
@alexfooify 5 years ago
Hi Chris! Have you looked anything at QUIC (protocol for HTTP/3)? Will that help gaming in any way?
@kwinzman 5 years ago
No. How do you even think of that?
@pensarbens4296 5 years ago
For us Brazilians life is very difficult, we like to play online, but we depend on American servers, we have 2 opponents, one is the game the other the bad internet. I solved the bufferbloat but I have problems with packet loss, Brazilian life is never easy.
@uiopuiop3472 5 years ago
I get my enjoyment from manually configuring everything possible, so pfsense is perfect for me
@rtzdeejay 5 years ago
I understand your issue but I prefer configuring port forwarding manually for security reasons and to better control/understand my network traffic. I don't know if many users have this issue you're facing, we have several PCs at home but only 1 game PC.
@bobhumplick4213 5 years ago
An r6220 from netgear, used from ebay for about 25 dollars, is a great router for openwrt. Good for at least 100meg internet with sqm enabled. Maybe up to 200 meg. It's a dual core at 800 MHz and has 128mb of ram. You have to install openwrt yourself and set up sqm but it's worth it and cheap
@kanarie 5 years ago
That's a great little router with the same SoC as the Edgerouter ER-X. I can confirm you can shape just about 200Mbit with it on OpenWRT and cake.
@Skanic 5 years ago
Does the Edge router also work with a 4G modem/router?
@LongTimeAgoNL 5 years ago
Hi Battle(non)Sense, Due to your BufferBloat video last year I decided to do a bit of digging as I also suffer from that issue. However... I bought a 'probable' solution and I'm not sure if it will work, but according to some users it should be better. Due to me being in the Netherlands and having Ziggo as a provider I am 'locked' to a router. I need to have the router/modem combination in my network, that only hosts 4 ports. This thing is so poorly optimized for anything other than streaming and TV signals, your gaming connection can vary from very low pings, to massive spikes that the game does not register immediately as they are really short, only when a user starts to watch netflix or when a device starts to download a massive update or sync its files. But I bought the NetGear Nighthawk S8000 and will connect all my wired devices to this thing as it has QoS and other "pro gaming" network features. Is it possible you can test these so called "Gaming Switches" that have QoS to enhance gaming network performance?
@BattleNonSense 5 years ago
Sadly QoS as provided in most consumer hardware is garbage, especially when it comes to switches.
@Ristogod 2 years ago
I was going to build a pfsense router with some old hardware until I saw this. Now not so sure. I have a ER-4 today on a 400Mbps connection, but was hoping to go to a 1Gbps fiber option in the fall. What would be a good replacement for the ER-4?
@ltonchis1245 2 years ago
OPNsense is the alternative and I think someone mentioned about a package for better qos of gaming
@Externalzz 5 years ago
Gotta admit my pfsense box likes getting fussy on certain games with upnp, but I read the title as pfsense with codelq not working? But your problems were with UPNP?
@HappyBeezerStudios 5 years ago
How many of these "solutions" work on a EuroDOCSIS cable connection? And will they be effective behind the router provided by the ISP?
@cdoublejj 5 years ago
it's also a shame a ubiq can't make a NICE SMALL full USG router with some proper horse power.
@h4X0r99221 4 years ago
Has this issue been resolved in the meanwhile?
@jebbyy32 1 year ago
I am happy to report that yes it has
@h4X0r99221 1 year ago
@@jebbyy32 Thanks for the feedback!
@ahmadissa1823 5 years ago
love your work very accurate
@sermerlin1 5 years ago
I just did this DSLreports speedtest and I got A+ on bufferbloat without smart queue... What gives? Why am I immune to this bufferbloat? (speed is at 400mbit down / 200 mbit up)
@pitspeedtv 4 years ago
Can I assume that you have tried setting up an IP or Alias NAT forwarding rule (bi-directional) and it failed?
@Oragami1337 5 years ago
I use a NetDuma Router, also has a geo-filter to block laggy Hosts/Dedis
@xPakrikx 5 years ago
VyOS (vyatta fork), OpenWRT, EdgeOS (Unifi devices, vyatta fork), or OPNsense (PFsense fork). Every OS supports SQM. I prefer VyOS and OpenWRT
@RodiMerhi 5 years ago
Great video, thank you for the insight, looking forward to your next one, but I'm curious about your pfsense setup, would you be able to test Nintendo switch consoles in that setup or the next? As I'm running Pfsense myself and had issues getting one console to connect, I ended up creating a group and having to add MAC addresses for all my friends' switches so that they get whitelisted, big mess. So far we've been using local play so we didn't encounter that issue, but I have a friend coming over tonight, will test online play on both consoles, if it works I'll share my setup. Although not plug and play.
@magnets1000 5 years ago
Why do you even need upnp? Since when is that a requirement for SQM?
@lolspc 5 years ago
I'm running pfsense with 8 concurrent pc and not having any problems
@SIlaelinAndCo 5 years ago
If I remember well you can download packets for pfsense, maybe you could find one with a different implementation, or even create your own with time and effort ^^'. I know it's not a big help but well it's all I know.
@N0N0111 5 years ago
So next video in couple of weeks with the better firewall.
@sojovejrez 5 years ago
great tips!
@RockTouching 5 years ago
Yeah nice, uPnP is totally broken on pfsense. Works perfectly on dd-wrt, for example. Gonna try Openwrt x86 now, wish me luck lol
@NinjaContravaniaManX 5 years ago
Hello Chris, great video again! I've been trying to fix this problem for a long time. I have a 200 Mbit/s cable connection (Vodafone Germany) and when running the speedtest, I immediately get bufferbloat over 1000ms. Online gaming sucks on this connection but it's the best I can get here. I have a FritzBox 6490 which only has rudimentary settings for traffic shaping and is maintained by the provider, so I don't know if I can use custom firmwares. I don't have much experience with those features. Any advice you can give?
@kayonex-2461 5 years ago
I used to have a cable ISP line in the past as well. I had quite a lot of issues running games on that line due to packet loss and high jitter. I had used a Fritzbox 6430 as modem/router/gateway. Prioritizing ports didn't work for me either. Changing to another ISP with VDSL2 was the one and only solution for me.
@NinjaContravaniaManX 5 years ago
@@kayonex-2461 Yeah I was afraid of that, unfortunately, the only alternative in my area is DSL 16K, so it's pick your poison...
@iampyron22 4 years ago
Have you tried using untangle
@d00mzd4y3 5 years ago
Hey Chris! I think your content is great! Could you maybe make a video showing how you prepare your PC, including router/internet in general, for gaming?! With my current favorite game, Escape from Tarkov, I found that using Cloudflare gave me a great ping, but for whatever reason I had hitches and stutters of up to a second with 0 fps in the game itself, and since I switched to Google DNS, that's gone! I couldn't explain it, but it helped all the same 😂😂 In any case, keep it up!!!
@supernice_auto 3 years ago
Great video - thanks for this info. For someone that's just getting into performance firewalls etc what recommendation in terms of hardware + routing software would you have for a simple home set up? Any insight would be much appreciated. I started looking into pfsense but thinking maybe openwrt makes more sense? I'm fairly technical so I should have no issue in setting things up, just not sure which hardware to go with if I'm going to flash openwrt.
@MAKExEVIL 5 years ago
Please do a netcode analysis video on The Division 2.