UPnP - Multiple Xbox One Gaming Consoles & NAT

[strangeluck]

Reason why I said maybe is that its not been released and ya, only to the preview program. I have one console that got an update the other day however I didn't see the feature in there.

I'm in the alpha ring, but it should trickle down to beta maybe next week and then the delta and omega rings following that. It's part of the Fall Creators' Update, which will be available to everyone in October.

 

[e38BimmerFN]

Ok I didn't know there were multiple levels LOL. wow. Ok, I'll look to again and I presume maybe it might be there next update. Can you post a picture of this new feature? Curious to see what it looks like is all.

 

[strangeluck]

Ok I didn't know there were multiple levels LOL. wow. Ok, I'll look to again and I presume maybe it might be there next update. Can you post a picture of this new feature? Curious to see what it looks like is all.

Took a bit more work than i expected getting screenshots off this device, but i think this gives you a good idea of the options available...

 

[e38BimmerFN]

Kewl. Thank you very much. Will be on the look out for this. Will be very interesting to test with two consoles and two games when this arrives.

 

[Vexira]

The problem here is people not fully understanding what these reports actually mean. Having NAT2/Moderate is not a bad thing, it's actually what you should be having. Getting NAT1/Open means your gaming console is not being NAT'ed at all, which is a bad thing, your router/firewall is essentially exposing your consoles IP directly on the WAN interface without any kind of security at all.

Why on earth would you ever need to have your gaming consoles IP fully exposed on the Internet? Online gaming has been going on for years, and pretty much all home networks due to the limitation of IPv4 have always used NAT translation to translate your single public IP address into several local IP addresses. Regular port forwarding is perfectly fine for all other online gaming, why should it be any different for a gaming console?

And it should be completely impossible to have two Xbox One's reporting Open NAT on the same network. As you most likely only have one public IP going into your home network, how would you be able to give two consoles their own fully exposed IP when your entire network only has one public IP to begin with?

It is a bad thing, it affects your ability for match making, also if it's not open you can't host games, that are P2p

 

[Vexira]

The GT NAT will be 100% identical to any other Broadcom-based Asus router - it's the exact same NAT code.

I know for a fact that the R7800 uses proprietary NAT code, it's not just speculation:

merlin@ubuntu-dev:~/netgear$ find R7800-V1.0.2.32_gpl_src/ -name ipt_CONENAT.ko
R7800-V1.0.2.32_gpl_src/git_home/kmod-conenat.git/ipt_CONENAT.ko

Again, you guys are just putting far too much emphasis on the NAT type... And you need to look at the more important fact that Full Cone NAT *IS* a security risk versus more restrictive NAT types. It pretty much nullifies part of what an SPI firewall does.

Security should be far more important than having two consoles report a magical open NAT mode. If games need that security issue to work properly, then the game code is broken, and needs fixing.

I would rather have symmetric-nat than the one I have now, at least least symmetric is secure, and with masquerade rules multiple consoles should work or with the new xbox one feature for choosing port numbers.

 

[Vexira]

just wondering, I wonder wat the nat reading is if I set internal port range to one and set secure mode to no, hmmm I wonder just as a test if it would give full cone

 

[Vexira]

Just run the two iptables commands if you don't know how to set it up as a nat-start script (there's already plenty of documentation out there on how to configure a custom user script, so I don't really feel like repeating them again, sorry.)

I think the commands are missing some thing, that why their not working, what does this mean, is there an accept command I for got to set.
"Using iptables, I set all policies to "ACCEPT" and I was able to setup two kinds of NAT"

Also I found this supposed to be for symmetric nat
https://www.larrysalibra.com/symmetric-cone-nat-using-linux-iptables/

eth1 = public ip
eth0 = lan ip

echo "1" > /proc/sys/net/ipv4/ip_forward
/sbin/iptables --flush
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE --random
/sbin/iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
/sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT


from what ive read here
https://lists.gt.net/iptables/user/66147
U can setup that symmetric as follow:

iptables -t nat -A POSTROUTING -p udp -s x.x.x.x --sport aaaa -d
y.y.y.y --dport bbbb -j snat --to-source z.z.z.z
iptables -t nat -A POSTROUTING -p udp -s x.x.x.x --sport aaaa -d
0.0.0.0 --dport bbbb -j MASQUERADE

So in theory it can be done with ip tables, I'm not sure if nat helper modules have a hand in it.
Though in the lists.gt.net link one poster said
"AFAIK, you cannot do "restricted cone NAT" nor "port restricted cone
> NAT" with the stock Netfilter/iptables. It would require dedicated
> conntrack and NAT helper modules.
At least with the version of Iptables I have (1.3.0), I can implement
"Port Restricted Cone NAT" with just one rule and I can implement an
"hardcoded" "Restricted Cone NAT" (I say it's hardcoded because It only
works for one host behind NAT)".

 

[FreshJR]

Default upnp on this router gets you NAT2/moderate. This is what is supposed to be. What is the issue?

To become NAT2 it uses upnp to automatically port forward the ports it needs.
In the old old days by default you would be on NAT3 unless you forwarded ports manually. Now this happens automatically.

Apparently sometimes it glitches console side, by not redoing upnp when waking from sleep, getting you stuck in NAT3/restricted. You do not want to be in NAT3/restricted mode. NAT3 means that you will deny any incoming connections unless you are first to talk contact the incoming party. The solution is easy. Disable standby, it's a waste of power, or wait for a fix from the console manufacturer.

Why are you trying to force NAT1/open? The behavior should be identical to NAT2.
To achieve NAT1/open you can put the console behind the DMZ but what is wrong with nice upnp forwarding assuming it doesn't glitch. Logically, why would you want a device that is always exposed to the internet instead of being exposed only when it request exposure?

TLDR

NAT1/open - all ports always exposed, unsessary security risk
NAT2/moderate - ports exposed at request, identical function as NAT1 without its drawbacks. Nat2 should NOT yield less connections compared to NAT1
Nat3/restricted - Barely working, network functions limited due to many rejected incomming connections

The open in nat1/open is the console letting you know that traffic on ports was already open before it requested any port to be forwarded. To it, it thinks no NAT translation is occurring since the console saw everything was fully exposed before any port open request was performed. Aka behavior exhibited when not using a router or NAT at all. This means there's a 1:1 map with all public WAN ports pointing to the console. This is called this NAT1, but there isn't necessarily superior to NAT2. NAT2 achieves the same EXACT behavior, but the console has to first request the ports it needs.

The only cause for concern is NAT3.

 

[Vexira]

Default upnp on this router gets you NAT2/moderate. This is what is supposed to be. What is the issue?

To become NAT2 it uses upnp to automatically port forward the ports it needs. In the old old days by default you would be on NAT3 unless you forwarded ports manually. Now this happens automatically.

Apparently sometimes it glitches console side, by not redoing upnp when waking from sleep, getting you NAT3/restricted. You do not want to be in NAT3/restricted mode. Anyway the solution is easy. Disable standby, it's a waste of power.

Why are you trying to force NAT1/open?
You can put the console behind the DMZ and it will have NAT1/open but what is wrong with regular forwarding. Why would you want a device that is always exposed to the internet instead of being exposed when it requests it?

Your iptable rules are basically a DMZ limited to specific ports. Still don't see is wrong with regular port forwarding?

TLDR

NAT1/open - unsessary security risk
NAT2/moderate - Proper function with no drawbacks
Nat3/restricted - Barely working, network functions limited.

The open in nat1/open is the console saying ports are open that I didn't request. Aka no nat translation occurring since the console seems to fully everything exposed continuously instead of what it requests.

The only cause for concern is NAT3

Type one is not a security risk, it allows you to host games and no it does not just open ports randomly, type one means when it asks for a port it receives it, you need open nat for better match making and for hosting a lobby. If you actually read the console guides on open nat, any nat type other than open will cause issues, it's as if the port is open in only one direction rather than both or the port number it's requesting is already in use and the router didn't give it a port that it requested or translated the original port on the internal side to an appropriate external port number. In the case of xbox Microsoft guides always state that open nat is the most optimal situation anything else will cause issues with chat and matchmaking also parties. I don't own a playstation console so I'm not that familiar with the interface nor the network system, I have been reading into it so from my understanding type 2 =moderate nat type 1 = open, keep in mind i could be wrong.
I can see that you have very little understanding about nat and how it affects games and consoles.

So in short
Type 1 =open nat every thing will work perfectly intended situation can connect to everybody
Type 2 = can't host games can only connect to moderate or open, port number issue needs manual port forwarding will be a pain when match making

Type 3 =can't find matches only can connect to open, there's a serious problem possibly firewall or router.

 

[FreshJR]

No type2 means it's a successfully forwarded port. A FORWARDED port means traffic freely flows in both directions. This includes incoming traffic that was uninitiated by you like a regular port forward. In a port forward, all incomming traffic on that forwarded port will be destined to that forwarded client. Traffic flows in both directions and is never dropped.

Type3 means traffic flows freely in one direction with an unsolistated incomming traffic dropped. This is not port forwarded behavior, but rather what occurs every time a router does its NAT translation. This is not a network problem but just typical expected closed port behavior.

So there you have it, it's either forwarded or it's not, SIMPLE.

So what is Nat1 you may ask? It means that the console received incoming traffic on ports that it didn't yet request to have forwarded. This traffic was tested before the forward was initiated. If this traffic still reached the client, instead of being dropped (typically any NAT would drop these packets) then console assumes that NAT is not being formared or already OPEN/pointing to the console without any forward requests. Once again, the console then assumes that no Network Address Translation is taking place since traffic is reaching the client without requested forwards, which is non typical or OPEN/NAT1 behavior. This is the exact behavior that would happen if it WASN'T behind a router, aka fully open throughout the entire port range, no forwarding required.

If you want this fully open behavior, then it still is achieve this possible while behind a router. You would have to forward all the ports to your console which is exactly what the DMZ does. Now the console won't have to request ports since all of them already point to it so you have NAT1 behavior. This behavior will performed at the expense of all your other clients. Other clients won't able to request any ports since NON will be free.

Otherwise, instead of forwarding all ports with DMZ, you can permanently forward a limited range of ports to your console by using static port forwarding. This will make so the console does not have to request the ports itself. It will act like NAT1 on predefined ports. This is a pseudo NAT1 since its not open on the entire range.

Now explain to me how a NAT1 system is better than NAT2? With NAT2, the console requests what it needs and it is granted if it's available. The grant is FULL two way traffic. Gone are the days where you are stuck on NAT3 until you manually forward. The only way I see where NAT1 would be better in the situation where the console is actually pushing traffic on ports that it DID NOT request to open. This is improper behavior on the console side, should be fixed console side, and should of never been exhibited in the first place. Only work around is a static port forward for this occurance, while it is patched.


In the bigger picture you only have 1 PUBLIC ip which is why you are doing NAT in the first place. Any incomming connection on a public WAN port has to be forwarded to a single device or dropped. Port forwards do NOT drop any incoming questions. Non-port forward traffic is typically dropped if not intiated/triggered by the client in accordance to the 4 types discussed (Cone,Symettric, Etc) In reality, you CANNOT have two consoles be NAT1. The text is arbitrary

**IPV6 changes this entire scenario**
With IPV6 it is not needed to perform NAT due to the increased public addresses pool.
With IPV6 you no longer have 1 public IP, but enough to issue each device can receive a public IP.
Since all ports per IP point only to that one device, no NATting is nessecary

 

[ColinTaylor]

I think the commands are missing some thing, that why their not working, what does this mean, is there an accept command I for got to set.
"Using iptables, I set all policies to "ACCEPT" and I was able to setup two kinds of NAT"

You guys should stop throwing commands at the router without any understanding of what they do or how they interact with what is already there.

That said, amongst all the rubbish that's been posted there was this little gem (-j MASQUERADE --random) which might help you with your obsession with Symmetric NAT. [This assumes you do not have a 6in4 tunnel enabled]

iptables -t nat -D POSTROUTING ! -s $(nvram get wan0_ipaddr) -o $(nvram get wan0_ifname) -j MASQUERADE
iptables -t nat -A POSTROUTING ! -s $(nvram get wan0_ipaddr) -o $(nvram get wan0_ifname) -j MASQUERADE --random

 

[FreshJR]

Okay so I read up on the issue since I was feeling a little out of the conversion.

I used this video to concisely and simply explain

-full cone nat
-restricted cone
-port restricted cone

All three of these cone nats are the SAME principle just the latter two have a way tighter grip in reguards to security behavior for new incoming connections that are originating from different servers or even different source ports from the same server. That different behavior is more dropped connection (NAT3 console speak).

My interpretation of a full cone nat is that it behaves EXACTLY like I would expect a static port forward to behave. Aka, all unsolicited incoming incoming to that port will be accepted/forwarded to the defined device only AFTER that any connection is initiated on that port (so NAT3 that turns to NAT2 after any connection). This happen behavior WITHOUT port forwards being explicitly open but only after the console first establishes a connection on that port.

My interpretation of "restricted port cone" is of (NAT3 on console) behavior. Aka only incoming connections are allowed from the established server ip/port combinations that were initiated by you and are in the NAT connection tracker. All others are blocked. This means that any unsolicited incoming connections on that port, that are already not established by you initiating will get dropped. This is terrible for gaming or anything service wise.

Full cone vs restricted does NOT matter with correct port forwards. Those are correct behavior FULL TIME.

Running the java NAT detector, it said my upnp ports are of "port restricted cone" type. Now this cannot be true when looking at the actual behavior of UPNP port forwards. **What it actually meant is that all NON port forwarded ports have "port restricted cone" behavior.**


--- This is what needs clarification


There is a BIG difference between the java test upnp port mapping behavior and the upnp forwards present from my PS4 and torrent client requests.

The PS4 and torrent unpn port forwards showed up listed permanently under the port forwarding section under system log tab in the UI.​

The upnp ports from the java test did not! This means the java test did NOT create port forwards. It just queried the ability too. All non forwarded ports will exhibited the default nat behavior that the router uses.​

So understand there are two different types of port mappings.

There are temporary mapping, these do not use UPnP to perform port forward. The the java test performs this mapping. These temporary NAT mappings will exhibit NAT3 like behavior on our routers since we what a port restricted NAT.​

AND

There are permanent mapping, these use UPnP to perform a port forward and show up in the webUI. These will exhibit NAT2 like behavior. These have behavior exactly what you would expect from any regular manually defined port forward. These defiantly can be using for server hosting without limiting any connections.​

To confirm this behavior, I port scanned my WAN IP on a port and that was forwarded by a torrent upnp request. That port was OPEN and ACCESSIBLE to a random device (my phone) that scanned the port no prior established connection.

Do not getting fixated on the semantics of NAT1, NAT2, or NAT3, just confirm actual behavior, is what you would expect.

TLDR:

Nat3 = restricted cone NAT behavior. (This is present on our routers without port forwarding)
Nat2 = full come NAT behavior, if NAT is "restricted cone" type then a port forward needs to be created to acheive NAT2 behavior. (This is present on our routers after a port forward is created, either UPnP or manually. Active port forwards will be listed in the webUI).
Nat1 = No nat behavior or pseudo nat behavior. Console did not need upnp port forward since traffic was already open.

Either way, my experiments confirms that NAT2 is exhibited for ports when UPNP forwards the ports correctly. NAT2 status is the most ideal for hosting and completely equivalent to NAT1.

Since we have port forwarding being performed, NAT types (full, restricted, symmetric) do NOT matter.

Only time NAT1, and by lesser extension "full cone nat" provides superior results is when/IF UPnP glitches and does not open ports in use and needed to be opened.

The non-opening port behavior is incorrect behavior console side. You shouldn't want to introduce NAT1 or a "full cone nat" due to a console bug. Find a fix for the bug or manually define port forwards.

 

[ColinTaylor]

Running this java NAT detector and it said my upnp ports are of port restricted cone type.

Are you sure or are you getting confused with the STUN test which is a something different?

 

[FreshJR]

Are you sure or are you getting confused with the STUN test which is a something different?

View attachment 10088

I'm speaking from actual first hand results.

After I ran the java test, I did not see any UPnP port forwards present in webUI.
My torrent client DID open a UPnP port forward in WEBUI. This opened UPnP port acts like a regular port forward (very similar to Full Cone Nat behavior, except I do not have to initiate any connection first with a port forward).

In my test WAN:7575 was UPnP mapped to LANCLIENT:7575 and exhibited full regular port forward behavior <-- this is what matters to me

This means that the UPnP forward will NOT drop any unsolicited incoming connections and instead route them to the LAN device that requested the forward. I can host any server on this ports knowing that my device will receive all incoming connections on that port without any rejection.

The NAT2/NAT1 name is arbitrary, my NAT2 behavior is the same as NAT1.

How can there be more ideal behavior? What is the actual issue at hand besides people wanting to see NAT1 arbitrary text on their screens?

I can safely say that I trust in being able to
-reboot my pc
-reboot my router
-open my torrent client, so it initiates the UPnP port open
-close my torrent client
-host a counter strike server on the same port the torrent client requested
-give you my WANIP+PORT
-you and everyone else will be able to connect.

Everything works as intended.

---

if you are talking as to what the NAT behavior is for non-forwarded ports. I really don't care, I would hope it is very restrictive since to me if it is not forwarded then it is unsolicited incoming traffic.
Doesn't the stun test tell you the typical NAT behavior experienced with non-forwarded ports?

 

[e38BimmerFN]

From my testing yesterday on a ASUS GT5300 and BiggShooter testing his RT-AC5300, the GT has OEM FW and is reported that Port Address Restricted Cone NAT was seen on the GT and BiggShooters RT-AC5300 loaded with 3rd party Merlin FW. All of my testing was with just a wired PC connected to the router and the router connected directly behind the ISP Modem. ALL other devices were disconnected including wireless.

 

[e38BimmerFN]

Are we referring to Sonys NAT or MS NAT naming conventions? Sony and MS differ on this I presume everyone is aware of.

Type one is not a security risk, it allows you to host games and no it does not just open ports randomly, type one means when it asks for a port it receives it, you need open nat for better match making and for hosting a lobby. If you actually read the console guides on open nat, any nat type other than open will cause issues, it's as if the port is open in only one direction rather than both or the port number it's requesting is already in use and the router didn't give it a port that it requested or translated the original port on the internal side to an appropriate external port number. In the case of xbox Microsoft guides always state that open nat is the most optimal situation anything else will cause issues with chat and matchmaking also parties. I don't own a playstation console so I'm not that familiar with the interface nor the network system, I have been reading into it so from my understanding type 2 =moderate nat type 1 = open, keep in mind i could be wrong.
I can see that you have very little understanding about nat and how it affects games and consoles.

So in short
Type 1 =open nat every thing will work perfectly intended situation can connect to everybody
Type 2 = can't host games can only connect to moderate or open, port number issue needs manual port forwarding will be a pain when match making

Type 3 =can't find matches only can connect to open, there's a serious problem possibly firewall or router.

 

[ColinTaylor]

I'm speaking from actual first hand results.

Well you actually said "this java NAT detector and it said" which is why I queried it.

After I ran the java test, I did not see any UPnP port forwards present in webUI.

Yes I noticed that as well. So I turned on debugging in miniupnpd and can see that the Java test does not do any port mapping it just queries the miniupnpd daemon for some basic information. (So not much of a test really)

My torrent client DID open a UPnP port forward in WEBUI. This opened UPnP port acts like a regular port forward (Full Cone Nat behavior).

Indeed, and the mapping can be controlled by the application which is why it's always better to use UPnP when possible.

Doesn't the stun test tell you the typical NAT behavior experienced with non-forwarded ports?

Yes.

 

[FreshJR]

Are we referring to Sonys NAT or MS NAT naming conventions? Sony and MS differ on this I presume everyone is aware of.

In my posts I used them interchangeably

Open(Xbox) = Nat1(Sony)
Moderate(Xbox) = Nat2(Sony)
Restricted(Xbox)=Nat3(Sony)

Type 1 =open nat every thing will work perfectly intended situation can connect to everybody
Type 2 = can't host games can only connect to moderate or open, port number issue needs manual port forwarding will be a pain when match making

Type 3 =can't find matches only can connect to open, there's a serious problem possibly firewall or router.

@Vexira, let me clarify this.

Type1 - CORRECT, but this setup has drawbacks for other devices on the router. Only 1 device can really be Type1.
We can later return to the pseudo type1 due to the iptables commands.

Type2 - Partially Incorrect

Type2 due to a proper UPnP port forward means you CAN host a games/server and accept ALL incoming connections. A manual port forward should not be necessary since the device is supposed to request a UPnP and perform it automatically. If this does not happen its a problem with the software/device code!

Type2 due "Full Cone Nat" should really be called type 2.5. It temporarily restricts incoming connections until you initiate at least one connection on that port. After your initiated connection, that connections port will be in the routers connection tracker and behave like port forward. This is a "pseudo-port forward" behavior without the use of UPnP. You shouldn't rely this behavior and decreasing your security with a "Full Cone NAT" just because your device is not handling UPnP properly. Fix the UPnP issue or create a manual entry!​

Type3 - Your type2 description should actually be a type3 description. You cannot host games and since you will miss out connections. You should figure out why a UPnP port was not created/working. It's NOT a serious problem, it is just typical secure "restricted NAT" behavior since no port forwards are present. Fix UPnP again.

Bottom line, if UPnP is working then the routers NAT implementation is irrelevant to server performance. I would prefer to have a more secure NAT implementation vs a loose NAT to mask UPnP issues.

Loose NAT security is a duck tape fix. Multi million dollar game companies should figure out how to use UPnP.

 

[Vexira]

No type2 means it's a successfully forwarded port. A FORWARDED port means traffic freely flows in both directions. This includes incoming traffic that was uninitiated by you like a regular port forward. In a port forward, all incomming traffic on that forwarded port will be destined to that forwarded client. Tracking ffic flows in both directions and is never dropped.

Type3 means traffic flows freely in one direction with an unsolistated incomming traffic dropped. This is not port forwarded behavior, but rather what occurs every time a router does its NAT translation. This is not a network problem but just typical expected closed port behavior.

So there you have it, it's either forwarded or it's not, SIMPLE.

So what is Nat1 you may ask? It means that the console received incoming traffic on ports that it didn't yet request to have forwarded. This traffic was tested before the forward was initiated. If this traffic still reached the client, instead of being dropped (typically any NAT would drop these packets) then console assumes that NAT is not being formared or already OPEN/pointing to the console without any forward requests. Once again, the console then assumes that no Network Address Translation is taking place since traffic is reaching the client without requested forwards, which is non typical or OPEN/NAT1 behavior. This is the exact behavior that would happen if it WASN'T behind a router, aka fully open throughout the entire port range, no forwarding required.

If you want this fully open behavior, then it still is achieve this possible while behind a router. You would have to forward all the ports to your console which is exactly what the DMZ does. Now the console won't have to request ports since all of them already point to it so you have NAT1 behavior. This behavior will performed at the expense of all your other clients. Other clients won't able to request any ports since NON will be free.

Otherwise, instead of forwarding all ports with DMZ, you can permanently forward a limited range of ports to your console by using static port forwarding. This will make so the console does not have to request the ports itself. It will act like NAT1 on predefined ports. This is a pseudo NAT1 since its not open on the entire range.

Now explain to me how a NAT1 system is better than NAT2? With NAT2, the console requests what it needs and it is granted if it's available. The grant is FULL two way traffic. Gone are the days where you are stuck on NAT3 until you manually forward. The only way I see where NAT1 would be better in the situation where the console is actually pushing traffic on ports that it DID NOT request to open. This is improper behavior on the console side, should be fixed console side, and should of never been exhibited in the first place. Only work around is a static port forward for this occurance, while it is patched.


In the bigger picture you only have 1 PUBLIC ip which is why you are doing NAT in the first place. Any incomming connection on a public WAN port has to be forwarded to a single device or dropped. Port forwards do NOT drop any incoming questions. Non-port forward traffic is typically dropped if not intiated/triggered by the client in accordance to the 4 types discussed (Cone,Symettric, Etc) In reality, you CANNOT have two consoles be NAT1. The text is arbitrary

**IPV6 changes this entire scenario**
With IPV6 it is not needed to perform NAT due to the increased public addresses pool.
With IPV6 you no longer have 1 public IP, but enough to issue each device can receive a public IP.
Since all ports per IP point only to that one device, no NATting is nessecary

My point is that if type 2 is if equivalent to moderate nat, there will be issues, I don't understand why Sony doesn't use the standard convention for naming nat status, it's confusing, they need to clarify exactly what they mean, its almost like they are writing two was of saying open nat, one is equivalent to dmz the other is just a upnp opening.
You should be able to achieve type 1 nat via upnp, since all it means is that the port was forwarded successfully or should since on xbox one I get open nat and I also get open nat on my xbox 360 with both of them on, this leads me to believe that the console has an issue with the accuracy of reading nat type correctly, even though the console should read type one its reading as type 2 because of a bug in the net code

The only games where nat will have an issue are the peer to peer games like call of duty, this would not be an issue if they had dedicated servers, also console are affected by it as well nat issues can cause problems with party chat and other things.

I personally would prefer a hybrid solution, I want to see an implementation that's both secure and allows everything to work as it should.

All importantly regardless of NAT implementation if the port has been forwarded correctly the nat reading should be open regardless. From my research symmetric NAT is the most secure hence why I wouldn't mind using it. I understand where your coming form about security but if your that paranoid you might as well disable upnp altogether.


Also read this
http://support.xbox.com/en-AU/xbox-one/networking/nat-error-solution