I don’t really play games anymore, just one - that being Super Smash Brothers Melee for the Nintendo Gamecube, uh, I mean for PC. Project Slippi is a crazy cool thing and kept the community alive through the COVID era. Your only option before was to use delay-based netcode, and Slippi made Melee playable again. Also, I’m not good at Melee, in fact I’m awful, I just love the game and I’ve been playing it since I was in middle school.
This started happening after I switched over to my router-on-a-stick configuration, or thereabouts. Now that I’ve solved it, I think it may have started happening earlier - when I set up Tailscale and started using Hybrid outbound NAT generation, but I can’t be sure.
The gist of the issue was that I would load up Slippi, start searching for a match, and never actually get into one. The matchmaking server was up, I’d start connecting to someone, and then it would revert to searching after 5-15 seconds of trying to connect. (The weirdest part of this issue is that it would sometimes work, but never consistently. This is still bothering me.)
Every few weeks I’d get frustrated at it and sit there fiddling with settings in my OPNsense router. I disabled my DNS blocking, fiddled with DNSSEC and DoT settings (including turning them off entirely), removed all FW rules from the interface except for the allow all rules, fiddled with UPnP, tried with and without Tailscale enabled, switched to Automatic Outbound NAT rules, on and on. I honestly forget every single setting I changed, but if it was remotely possible that it was causing the issue, I would test it. I knew it was a network issue, because I had tried from my phone hotspot and it worked just fine - which ruled out the PC itself. Eventually I tried a Wireshark packet capture on the interface, but I couldn’t really make heads or tails of it.
I figured it had something to do with NAT, but I don’t really have a great understanding of how that works, and I’m not familiar enough with the OPNsense stack either.
This past time, I had a lead from a friend who said it sounded like a FW issue. I knew I had tested all the rules, but I didn’t think about it being one of the automatically generated ones - default deny / state violation. Basically, incoming from the WAN.
From what I can tell, the matchmaking server works like so: you connect to it, I connect to it, the server pairs us up, and then we both send outgoing UDP on a random high port directly to the other’s IP address. There’s the issue. My UDP packets were going out just fine, but the incoming UDP packets from the peer were being denied at the WAN: they didn’t match any NAT state, so the default deny rule dropped them. I found this by doing a live monitor on the OPNsense machine filtered to UDP, after doing another packet capture on my laptop and narrowing the output down to what made sense. I saw outgoing connections on a high UDP port, and lo and behold, when I looked in the router I saw those return packets getting blocked on the WAN interface.
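To make the failure concrete, here is an added toy model (not code from the post or from Slippi) of the exchange described above. It assumes the usual hole-punching pattern: the matchmaking server records the public IP:port it saw my registration come from and hands it to the peer, and the firewall only admits an inbound UDP packet that matches an existing outbound state. Addresses, ports and the matchmaker endpoint are constructed for the demo. With port randomisation the registration flow and the peer flow get different public ports, so the peer sends to a port whose state belongs to the matchmaker flow and the packet is dropped; with a static port both flows share the game’s own port and the peer’s packet matches.

```python
# Added example, not part of the original post: why the direct UDP step
# fails behind a port-randomising outbound NAT and works with "static port".
# All addresses/ports below are constructed; the matchmaking protocol is
# modelled only as "server tells the peer the public address it saw".

MY_LAN_IP = "192.168.50.10"      # gaming PC on the GAME VLAN (constructed)
MY_WAN_IP = "203.0.113.5"        # OPNsense WAN address (constructed)
GAME_PORT = 2626                 # local UDP port the game binds (assumed)
MATCHMAKER = ("198.51.100.7", 443)   # matchmaking server (constructed)
PEER = ("198.51.100.9", 2626)        # other player's public IP:port (constructed)


class OutboundNat:
    """Minimal pf-style NAT: one state per 5-tuple; inbound must match a state."""

    def __init__(self, static_port):
        self.static_port = static_port
        # (lan_ip, lan_port, remote_ip, remote_port) -> public source port
        self.states = {}
        self.next_random_port = 49152   # deterministic stand-in for pf's random pick
        self.blocked = []

    def outbound(self, lan_ip, lan_port, remote):
        """Host sends to `remote`; returns the public (ip, port) the remote sees."""
        key = (lan_ip, lan_port) + remote
        if key not in self.states:
            if self.static_port:
                self.states[key] = lan_port          # keep the source port
            else:
                self.states[key] = self.next_random_port
                self.next_random_port += 1           # new port per flow
        return (MY_WAN_IP, self.states[key])

    def inbound(self, src, wan_port):
        """Packet from `src` to our WAN port: deliver if a state matches, else drop."""
        for (lan_ip, lan_port, r_ip, r_port), w_port in self.states.items():
            if w_port == wan_port and (r_ip, r_port) == src:
                return (lan_ip, lan_port)
        self.blocked.append((src, wan_port))         # this is the WAN default deny
        return None


def try_match(static_port):
    """Run the register -> pair -> direct-UDP exchange; True if the peer gets through."""
    nat = OutboundNat(static_port)
    # 1. I register with the matchmaking server; it records my public address.
    public_addr = nat.outbound(MY_LAN_IP, GAME_PORT, MATCHMAKER)
    # 2. Server pairs us; I send directly to the peer (creates my outbound state).
    nat.outbound(MY_LAN_IP, GAME_PORT, PEER)
    # 3. Peer sends directly to the address the server gave it.
    delivered = nat.inbound(PEER, public_addr[1])
    return delivered is not None


if __name__ == "__main__":
    for mode in (False, True):
        print("static port" if mode else "random port", "->",
              "match" if try_match(mode) else "blocked at WAN")
```

The model is deliberately strict about state matching (full 5-tuple), which is how pf tracks UDP; UPnP is a separate path where the game asks the router for an explicit mapping instead of relying on the outbound state at all.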
So how did I fix it? Previously I had made the rookie mistake of searching specifically for Slippi / Melee connection issues when I was digging around on the world wide web - meaning I was looking for the small subset of humans on this planet who play Melee, are technical enough to use OPNsense, and are non-technical enough to have not solved the issue on their own and thus posted about it on the internet. Obviously what I should have done is instead searched for the much more generalized, and nearly as applicable, “OPNsense gaming connection issues”, which turned up a result on the first try. Thank you to this reddit post for fixing my issue.
Steps:
- Prerequisite: create a separate VLAN for gaming and isolate it from the rest of the LAN, since the steps below allow incoming connections to hosts on it
- Create the VLAN, assign it to an interface, assign an IP, enable DHCP, enable DNS
- Create firewall rules on that interface: allow DNS (and DoT, if you use it) to the firewall, then allow everything except traffic to RFC1918 destinations
- Enable UPnP on that VLAN interface
- Create a manual outbound NAT rule (any field not listed stays at its default):
  - Interface: WAN
  - Source: GAME net
  - Translation target: WAN address
  - Static port: enable (this is the setting that fixes the peer-to-peer step; keep the rule scoped to GAME net rather than the whole LAN)
  - Add a description
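A way to confirm the static-port rule is doing its job, as an added example rather than something from the post: on the OPNsense box, `pfctl -ss` lists the current states, and for an outbound-NATed state FreeBSD’s pfctl prints the translated source first and the original in parentheses (`iface proto wan_ip:wan_port (lan_ip:lan_port) -> dst_ip:dst_port STATE`). The script below parses lines of that shape and flags UDP flows from the gaming VLAN whose public port differs from the host’s own port, i.e. flows that are still being randomised. The GAME subnet and the sample lines are constructed; run it for real with `pfctl -ss | python3 check_static_port.py`.

```python
# Added example, not from the original post: flag UDP states from the gaming
# VLAN that are still being source-port randomised after the NAT rule change.
import ipaddress
import re
import sys

GAME_NET = ipaddress.ip_network("192.168.50.0/24")   # assumed GAME VLAN subnet

# Shape of a FreeBSD `pfctl -ss` line for an outbound-NATed state:
#   iface proto wan_ip:wan_port (lan_ip:lan_port) -> dst_ip:dst_port   STATE
# The parentheses only appear when translation changed the address or port.
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<wan_ip>[\d.]+):(?P<wan_port>\d+)\s+"
    r"\((?P<lan_ip>[\d.]+):(?P<lan_port>\d+)\)\s+->\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
)

# Constructed sample output: the matchmaker flow already keeps port 2626, the
# peer flow is still randomised, a non-GAME host is ignored, TCP is ignored.
SAMPLE = """\
igb0 udp 203.0.113.5:2626 (192.168.50.10:2626) -> 198.51.100.7:443       MULTIPLE:MULTIPLE
igb0 udp 203.0.113.5:49137 (192.168.50.10:2626) -> 198.51.100.9:2626       MULTIPLE:MULTIPLE
igb0 udp 203.0.113.5:60444 (192.168.1.20:51022) -> 198.51.100.3:53       MULTIPLE:SINGLE
igb0 tcp 203.0.113.5:50211 (192.168.50.10:50211) -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
"""


def randomised_udp_flows(pfctl_output, net=GAME_NET):
    """Return (lan_ip, lan_port, wan_port, dst_ip, dst_port) for GAME-net UDP
    states whose translated source port differs from the original one."""
    flagged = []
    for line in pfctl_output.splitlines():
        m = STATE_RE.match(line)
        if not m or m["proto"] != "udp":
            continue                      # not a NATed state line, or not UDP
        if ipaddress.ip_address(m["lan_ip"]) not in net:
            continue                      # other VLANs are allowed to randomise
        if m["wan_port"] != m["lan_port"]:
            flagged.append((m["lan_ip"], int(m["lan_port"]), int(m["wan_port"]),
                            m["dst_ip"], int(m["dst_port"])))
    return flagged


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for lan_ip, lan_port, wan_port, dst_ip, dst_port in randomised_udp_flows(text):
        print(f"{lan_ip}:{lan_port} -> {dst_ip}:{dst_port} is translated to "
              f"port {wan_port}: static port is not in effect for this flow")
```

Existing states were created under the old rule, so either wait for them to expire or reset states after changing the NAT rule before trusting a clean result.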
And that’s it…pretty simple, but frustrating. That’s what UPnP is for, right?