How to Set Up a Router's Port Forwarding for a Nintendo Switch Console
en-americas-support.nintendo.com
ZiiS
sdiupIGPWEfh
I am ashamed that this has never occurred to me and shocked that I have never heard it elsewhere. Brilliant.
Apparently, the "Nintendo WiFi Network Adapter" was once a thing in Japan, and it did have a router mode.
https://www.wired.com/2008/09/nintendo-announ-2/
https://www.famitsu.com/game/news/1217892_1124.html
https://kotaku.com/nintendo-announces-wii-ds-wifi-router-bwa...
laumars
You can also use a USB Ethernet dongle with the Wii (that’s exactly my set up in fact).
This obviously doesn’t help DS users though.
salamandersauce
They did sell a USB dongle that would take a PC's net connection and use that to make a WiFi access point for the DS or Wii.
gorpomon
A joke that could really only happen here, I happily give my upvote.
cookiengineer
Ba dum tzz... sigh take my upvote.
misnome
Apparently you only _need_ to forward 45000~65535: https://www.reddit.com/r/NintendoSwitch/comments/6qjhjy/i_ha...
I went through this when setting up the switch to talk to someone behind heavy NAT over the holidays. 45000+ worked for me.
....which makes this even more ridiculous if it never uses them.
Someone
_only_? That’s, give or take, ⅓ of the full range. If everything in your network did something similar, you couldn’t have more than 3 devices in your network (and with 3, the stars would have to align for there to be no overlap between the ranges). If, for example, your TV needs 15000-35000, the largest contiguous range remaining would have about 15000 ports.
nolok
Try getting a ~10-year-old Uplay game to work and despair. Not sure what network engine they used at the time, but there is an entire set of games that basically can't connect properly without using random ports anywhere in the 10k/60k range; it's ridiculous.
And let's not ever talk about two people in the same home playing the same game together. I loved Splinter Cell Blacklist's multiplayer, but damn did it take long to get anything connected.
I'm not even sure why. I mean, this was with internet gaming already being the norm; I assume it's because they made games for console and then ported, and on console port issues are handled for them or whatever? Anyway, this was stupid.
auto
"And let's not ever talk about two people in the same home playing the same game together."
This is my fiancé and I constantly struggling with Halo: MCC. At least once a night one of us fails to join a game, and I'm convinced it's some poor NAT punch-through solution that doesn't always work.
letitbeirie
Ever wanted to relive the past by playing Red Alert 2?
Get ready to relive the past by brushing up on the particulars of the IPX protocol...
the_mitsuhiko
That makes it worse. That means this is not actually a mistake in the documentation. JFC. Does it not support UPnP?
Macha
It does, these docs are for people for whom upnp has failed.
The wide port range I think is Nintendo throwing their hands in the air and not actually knowing what ports third party switch software uses
the_mitsuhiko
If it supports UPnP why do the docs not say: turn on UPnP? If you search for UPnP in the docs, you get exactly zero results back.
cat199
> not actually knowing what ports third party switch software
more than likely i'd think this is for enabling inbound responses to outbound ephemeral ports given the port range
Hamuko
I think even their first-party games use random ports.
loup-vaillant
Probably because of this: https://duckduckgo.com/?t=ffab&q=UPnP
Among the 4 first links, 3 explicitly tell me that UPnP is dangerous.
the_mitsuhiko
UPnP is significantly less dangerous than forwarding all UDP ports to a single device.
yardstick
Came here to say this. UPnP is a security vulnerability, not a feature.
criddell
Who has UPnP enabled anymore?
JAlexoid
My Verizon Router resets and defaults to it.
(Oh.... and it resets randomly...)
bin_bash
is this maybe to get around a double NAT problem? I'm not sure how UPnP works with double NAT
brynx97
That user has pfSense, and they are doing it wrong. I would follow the config and guidance from the pfSense dev on this one: https://forum.netgate.com/topic/112631/nintendo-switch-needs...
The most common problem I have seen over and over is double NAT or CGNAT. For the home networks I manage (my parents, in-laws, and my own), I put the ISP modems in bridge mode or passthrough mode.
bin_bash
The linux kernel uses 32768-60999 for ephemeral ports so you've really cut into them
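The three comments above (misnome's 45000~65535, Someone's ⅓-of-the-range arithmetic, and bin_bash's point about the Linux ephemeral range) are all about the same thing: a router can only forward a given port to one inside host, and a wide forward eats into the ports everything else wants. The script below is an added example for this thread, not code from Nintendo's article or from any commenter. It audits a forward plan for collisions, finds the largest untouched block, and measures how much of the Linux ephemeral source-port range (32768-60999 by default, read from procfs when available) a forward covers. The 15000-35000 "TV" range is a constructed sample taken from Someone's hypothetical.

```python
"""Audit inbound port-forward ranges on a single home router.

Added example for this thread, not code from Nintendo's article or from any
commenter. The ranges are the ones discussed above: 45000-65535 for the Switch
and a constructed 15000-35000 "TV" range; the Linux ephemeral range default
(32768-60999) is the documented kernel default and is read from procfs when
available.
"""
from __future__ import annotations

MAX_PORT = 65535
LINUX_EPHEMERAL_DEFAULT = (32768, 60999)

# Constructed sample plan: two devices each demanding a wide inbound range.
SAMPLE_PLAN = {
    "switch": (45000, 65535),
    "tv": (15000, 35000),
}


def read_ephemeral_range(path: str = "/proc/sys/net/ipv4/ip_local_port_range") -> tuple[int, int]:
    """Return the kernel's ephemeral (source) port range, or the documented default."""
    try:
        with open(path) as fh:
            lo, hi = fh.read().split()
            return int(lo), int(hi)
    except (OSError, ValueError):
        return LINUX_EPHEMERAL_DEFAULT


def overlap(a: tuple[int, int], b: tuple[int, int]) -> int:
    """Count ports that fall inside both inclusive ranges."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return max(0, hi - lo + 1)


def conflicts(plan: dict[str, tuple[int, int]]) -> list[tuple[str, str, int]]:
    """Pairs of devices whose forwarded ranges collide, with the collision size.

    A router can only send a given port to one inside host, so any overlap
    means one of the two devices silently loses those ports."""
    names = sorted(plan)
    found = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            n = overlap(plan[a], plan[b])
            if n:
                found.append((a, b, n))
    return found


def largest_free_block(plan: dict[str, tuple[int, int]]) -> tuple[int, int]:
    """Largest contiguous run of ports (1-65535) not forwarded to anyone."""
    best = (1, 0)  # empty placeholder; any real block beats it
    cursor = 1
    for lo, hi in sorted(plan.values()):
        if lo > cursor and (lo - 1) - cursor > best[1] - best[0]:
            best = (cursor, lo - 1)
        cursor = max(cursor, hi + 1)
    if MAX_PORT - cursor > best[1] - best[0]:
        best = (cursor, MAX_PORT)
    return best


def ephemeral_exposure(forward: tuple[int, int], ephemeral: tuple[int, int] | None = None) -> float:
    """Fraction of the ephemeral source-port range that a forward covers.

    Ports in that fraction are ones a Linux host (or a NAT router) may hand out
    as outbound source ports, so the forward competes with ordinary outbound
    traffic for them."""
    eph = ephemeral or read_ephemeral_range()
    return overlap(forward, eph) / (eph[1] - eph[0] + 1)


if __name__ == "__main__":
    for a, b, n in conflicts(SAMPLE_PLAN):
        print(f"conflict: {a} and {b} both claim {n} ports")
    lo, hi = largest_free_block(SAMPLE_PLAN)
    print(f"largest untouched block: {lo}-{hi} ({hi - lo + 1} ports)")
    share = ephemeral_exposure(SAMPLE_PLAN["switch"], LINUX_EPHEMERAL_DEFAULT)
    print(f"switch forward covers {share:.0%} of the Linux ephemeral range")
```

With the sample plan there is no collision, the largest block left is 1-14999 (matching Someone's "about 15000"), and the Switch forward alone covers 16000 of the 28232 default Linux ephemeral ports, which is the "cut into them" bin_bash describes.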
goldcd
It's pretty good advice, if you're Nintendo and spending a fortune trying to provide support advice to people with crappy router config/connections. Yes it's entirely likely to cause other problems - but probably going to get that switch working.
Other problems will go to other vendors - and if their advice stops your switch from working, that's on them.
notum
Exactly. Just like on Apple's website: "If someone starts shooting at your iPhone: guard it with your body. Layers of tissue and fat should prevent the bullets from scratching iPhone's screen."
Perfect business sense.
andi999
Is this on their website, or is it a joke? Seriously, I can't tell anymore.
smoyer
It's not on their website - all bullets know that even scratching an iPhone offends Jony Ive's design sensibilities, so if someone is shooting at you, show them you've got an iPhone and the bullets will refuse to leave the barrel.
notum
Of course it's a joke, everyone knows shards of bone are sharp enough to scratch iPhone's screen.
hamasho
I guess they don't like it. If the device is not broken, but the user is dead, they have fewer consumers and more good devices in the secondhand market, no profit. But if the user survives and the device is broken, he or she continues to buy Apple products, at least the next one immediately, profit!
foxtrottbravo
This seems like an obvious case of a Support-Team knowledge topic: people are having issues with their Switch getting on to the Internet, here is a support article describing a one-size-fits-all solution. But as a network guy I hate the assumptions they made. It's the same as telling a user: just disable the firewall and it will work.
I feel like it would be a fun exercise to intentionally subvert the assumptions they made and see how they handle it.
Something like putting your Switch on a /30 or Configuring DHCP to assign IPs in decreasing order.
dotancohen
> I feel like it would be a fun exercise to intentionally subvert the assumptions they made and see how they handle it.
The very first question they ask on the page explaining how to find the network information [1] is which operating system the client is using. The choices are Windows 10, Windows 8, Windows 7, and Mac OS. I would bet that a significant portion of HN readers have already subverted that question before it was asked.
[1] https://en-americas-support.nintendo.com/app/answers/detail/...
KennyBlanken
A shocking number of game publisher troubleshooting instructions include "just run it as administrator" among their troubleshooting steps, which is pretty horrifying. It's considered standard advice in PC gaming circles among the 20-and-under or tech-uneducated adult segments.
HPsquared
On a single-user machine, there really isn't much "security" difference between user vs root.
Full access to the user's data, and ability to run 99% of code that one might want to run, is plenty bad enough already.
spockz
So… what if you have two switches?
foxtrottbravo
You obviously need a separate ISP package for every Switch you own
spockz
At that point it would be easier if it just came with its own 5g modem and ipv6 support.
MauranKilom
This whole article is... optimistic.
> 4. Enter the IP address you found on the network device, but add 20 to the last section of digits, and then select OK.
> As an example, if your computer's IP address displays as 192.168.2.5, enter 192.168.2.25 on the Nintendo Switch.
Hope you don't have more than 20 devices on your network (after your PC), and that they're not configured to be close to 255 there...
willis936
It also assumes that your DHCP range is the top half of the last byte. That's a de facto convention in consumer routers, but not codified anywhere and the kind of thing that could change and probably isn't even correct for some routers shipping today.
yardstick
Definitely not codified anywhere, and not in any of the routers I’ve used (to be fair they are more prosumer).
The main dhcp server used in most routers, dnsmasq, also assigns IPs using a MAC algorithm by default for consistent IP addressing of devices in a LAN. You would need to explicitly configure it for sequential first come first serve.
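MauranKilom, willis936 and yardstick are each pointing at an unstated assumption in the article's "add 20 to the last octet" rule: that the result is still in your subnet, is not the network or broadcast address, and lies outside the DHCP pool (and, given dnsmasq's MAC-hashed default, that nobody else already holds it). The script below is an added example for this thread, not code from Nintendo's article or from any commenter; it applies the rule literally and lists every way it can go wrong for a given layout. The subnets, pools and addresses in it are constructed, and on a real network you would read them from the router.

```python
"""Sanity-check the "PC address + 20" static-IP rule from Nintendo's article.

Added example, not from the article or the thread. The network layout passed
to assess() (prefix, DHCP pool, addresses already taken) is constructed; on a
real network you would read those values from the router.
"""
from __future__ import annotations

import ipaddress

# Problem labels returned by assess()
OVERFLOW = "last octet would exceed 254"
OUTSIDE_SUBNET = "candidate is outside the PC's subnet"
RESERVED = "candidate is the network or broadcast address"
IN_POOL = "candidate is inside the DHCP pool and may be leased to another client"
IN_USE = "candidate is already assigned to another host"


def plus_twenty(pc_ip: str) -> str | None:
    """Apply the article's rule literally: add 20 to the last octet."""
    octets = [int(o) for o in pc_ip.split(".")]
    octets[-1] += 20
    if octets[-1] > 254:
        return None  # no usable host address; the rule simply breaks here
    return ".".join(str(o) for o in octets)


def assess(pc_ip: str, prefix: str, dhcp_pool: tuple[str, str],
           in_use: set[str] | None = None) -> dict:
    """Return the candidate address and every reason it might not be safe to use.

    prefix    - the PC's network in CIDR form, e.g. "192.168.2.0/24"
    dhcp_pool - first and last address the router's DHCP server hands out
    in_use    - addresses already taken by other hosts (constructed here)
    """
    in_use = in_use or set()
    candidate = plus_twenty(pc_ip)
    if candidate is None:
        return {"candidate": None, "problems": [OVERFLOW]}

    problems: list[str] = []
    net = ipaddress.ip_network(prefix, strict=False)
    addr = ipaddress.ip_address(candidate)
    if addr not in net:
        problems.append(OUTSIDE_SUBNET)  # e.g. a /30, as foxtrottbravo suggests
    elif addr in (net.network_address, net.broadcast_address):
        problems.append(RESERVED)

    pool_lo, pool_hi = (ipaddress.ip_address(p) for p in dhcp_pool)
    if pool_lo <= addr <= pool_hi:
        problems.append(IN_POOL)  # static address colliding with a future lease
    if candidate in in_use:
        problems.append(IN_USE)
    return {"candidate": candidate, "problems": problems}


if __name__ == "__main__":
    # The article's own example works only because its pool sits well above .25.
    print(assess("192.168.2.5", "192.168.2.0/24", ("192.168.2.100", "192.168.2.199")))
    # A PC that itself got a pool address pushes the Switch straight into the pool.
    print(assess("192.168.1.100", "192.168.1.0/24", ("192.168.1.100", "192.168.1.199")))
    # A PC near the top of the range has no "+20" at all.
    print(assess("192.168.1.240", "192.168.1.0/24", ("192.168.1.100", "192.168.1.199")))
    # A /30 (two usable hosts) makes the candidate fall off the subnet entirely.
    print(assess("10.0.0.5", "10.0.0.4/30", ("10.0.0.5", "10.0.0.6")))
```

The `elif` ordering matters: an address outside the subnet is reported once, not also as "reserved", and the pool check still runs so that a candidate can carry both an in-pool and an in-use finding at the same time.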
toyg
Tbf, this is the fault of network people, not the poor support guys left holding the bag of shit. The whole stack is still dangerous and obscure, 25 years after the internet went mainstream. UPnP was an effort at simplifying the situation and seems to have failed, so now we're back trying to teach IT toddlers to spell "characteristic" when they don't even know the ABC (nor do they care about it). It's inevitable that shortcuts will be taken.
46424ea63d4c
Just a quick advice, as I struggled with this as my daughter complained that she could not join network games in Animal Crossing because she had only “NAT Type D”.
Forwarding all these ports was the recommended solution in Nintendo’s docs. However, it did nothing to resolve this problem. What helped was to ensure not to modify source ports in the NAT setup (“static-port” in pf).
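The comment above reports the fix that actually worked (pf's "static-port", i.e. not rewriting source ports in NAT) without saying why it helps, so here is the usual explanation in runnable form. This is an added model for this thread, not pf's implementation and not Nintendo's protocol: a toy NAT keeps pf-style per-flow state, and its only knob is whether the external source port is preserved or re-allocated for every flow. The console, matchmaking server and peer addresses are RFC 5737 documentation addresses chosen for the example, and `hole_punch` is a hypothetical helper, not a real API.

```python
"""Why source-port preservation ("static-port" in pf) matters for P2P play.

Added model for this thread, not pf's implementation and not Nintendo's
protocol. A toy NAT keeps pf-style per-flow state; its only knob is whether
the external source port is preserved or re-allocated for every flow. The
addresses are RFC 5737 documentation addresses, chosen for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Flow:
    inside: Endpoint   # inside host and port
    remote: Endpoint   # remote host and port


@dataclass
class ToyNat:
    public_ip: str
    static_port: bool
    states: dict[Flow, int] = field(default_factory=dict)  # flow -> external port
    _next_port: int = 49152  # allocator for the non-static case, never reuses

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate an outbound packet; return the public endpoint the remote sees."""
        flow = Flow(src, dst)
        if flow not in self.states:
            if self.static_port:
                ext = src[1]             # keep the inside source port as-is
            else:
                ext = self._next_port    # fresh external port for every new flow
                self._next_port += 1
            self.states[flow] = ext
        return (self.public_ip, self.states[flow])

    def inbound(self, sender: Endpoint, ext_port: int) -> Endpoint | None:
        """Deliver an inbound packet only if a state matches both the public port
        and the sender. The NAT is stateful either way: unsolicited packets drop."""
        for flow, port in self.states.items():
            if port == ext_port and flow.remote == sender:
                return flow.inside
        return None


def hole_punch(static_port: bool, punch: bool = True) -> bool:
    """Simulate matchmaking followed by a direct peer connection.

    Returns True if the peer's first packet reaches the console."""
    nat = ToyNat("203.0.113.10", static_port)
    console = ("192.168.1.25", 45000)
    matchmaker = ("198.51.100.5", 3478)
    peer = ("198.51.100.77", 50000)
    # 1. Console registers with the matchmaking server, which reports back the
    #    public endpoint it observed.
    advertised = nat.outbound(console, matchmaker)
    # 2. Console sends a packet toward the peer to open a state on its own NAT.
    if punch:
        nat.outbound(console, peer)
    # 3. Peer sends to the endpoint it learned from the matchmaker.
    return nat.inbound(peer, advertised[1]) == console


if __name__ == "__main__":
    print("static-port, with punch:  ", hole_punch(True))
    print("random ports, with punch: ", hole_punch(False))
    print("static-port, no punch:    ", hole_punch(True, punch=False))
```

Two things fall out of the model. Without static-port the console's flow to the peer gets a different external port from the one the matchmaker saw, so the peer's packet arrives on a port with no matching state and is dropped; that is the failure mode that a blanket 45000-65535 forward papers over. With static-port the punch still has to happen (step 2), because the NAT remains stateful; preserving ports only makes the advertised endpoint and the real one agree.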
goodlinks
When I use routers provided by my ISP, the Switches always just work. When I was running pfSense (I need to set it up again soon :) ), I just had to set a rule for them to always get the same IP and the correct NAT type and it worked perfectly.
It does make me wonder if all ISP provided routers are pretty insecure in some way?
ginko
What is this needed for? I never set up any port forwarding and don't remember having any issues with network connectivity. But then again I don't play that much online.
smcl
I came to ask the same thing - I haven't picked up my Switch in a couple of months but I never touched my router settings for this and it was always working fine. Maybe it's just something from a recent Switch firmware update? Or perhaps just for online play in specific games.
tootie
Typically you'd do this for enabling peer-to-peer connections. I run some Minecraft servers in my house this way. I have no idea what kind of peer-to-peer gaming Switch enables. Social gaming is done over the internet with a cloud subscription that costs like $20/year.
stevenwoo
I dunno if this had anything to do with it but there is peer to peer online gaming with Divinity Original Sin 2, and I tried grouping up with many folks I friended online and not in the same time zone and it never worked for us. Borderlands also appears to use peer to peer connections.
smcl
Yeah this is what I thought, I remember fiddling around with this to make Soulseek (or something) work on my old Linksys WRT54G back when I was at university. I wonder what Switch services/games work this way
mschuster91
My s/o and her sister (CS student) regularly play Animal Crossing over the Internet. I (and the SIL) wanted to curse Nintendo to hell and back for requiring users to essentially make their Switches available to the wide Internet (meaning, as long as the Switch is powered on, any RCE exploit on the Switch turns it into a full, unrestricted gateway into my home network!) simply because Nintendo doesn't want to follow basic Internet standards like UPnP or, heaven forbid, provide STUN/TURN proxies paid for by the Nintendo Online subscription.
Hell it took years for them to implement Bluetooth audio on the Switch, and that's output-only, no microphone. What stuff is their software division smoking?
echelon
Nintendo, despite making some of the first attempts at networked play in the late 80's and 90's, does not really understand the internet.
https://en.wikipedia.org/wiki/Family_Computer_Network_System (1988)
https://en.wikipedia.org/wiki/Satellaview (1995)
https://en.wikipedia.org/wiki/64DD (1999)
They don't understand a lot of things, even some of which they've lucked into, like the competitive Smash scene. Or fan remakes and tributes (of which Sega notoriously doesn't send their lawyers after).
But they still make some incredibly compelling games.
djtango
Yes networking is def not a core competency. Strange though, the senior people are super technical (I recall the stories of Iwata writing compression algos in Pokemon)
Maybe the DNA of the company is just too focused on games specifically
smaudet
This is just an aside, but this might explain why their (online) shop sucks so hard (and no browser on what amounts to a phone without a SIM card?)...
It's not just that the UX is a bit clunky, it's that it's a veritable morass of junk, a lot of which is regurgitated ports of PC titles...
They didn't understand how online shops work, to be fair all titles still at least play, but there is not as high quality control as I would have expected.
I say this as, Nintendo has a reputation and clout as a games developer (honestly none of their consoles have ever been great - they have mishaps in the software world but it is rarer), looking at their store you see a suspicious similarity to steam with sales - in fact as far as software goes a humble bundle subscription is probably a better value proposition. It's just not the rich and high quality, unique catalog people have come to associate with them. Maybe it was always like that regarding 3rd party games, but it just underlines how much they don't understand the internet...
tokamak-teapot
I’ve played Animal Crossing with friends over the internet and I certainly didn’t touch anything on our router to do so. Any idea if there is a particular scenario where this becomes required?
thanatos519
What, they can't use UPnP like a good citizen?
OldTimeCoffee
Because UPnP is disabled by default on a lot of routers.
yrro
Maybe if the network administrator has disabled UPnP that is a hint that they don't want to allow random devices to expose themselves to the entire internet?!
exikyut
Because it wound up with the sufficient complexity and implementational discohesion as to be broken, existentially insecure, or both: https://computer.rip/2021-11-26-no-u-pnp.html (https://news.ycombinator.com/item?id=29356874)
GekkePrutser
I don't think upnp is used a lot anymore as it's also really handy for malware makers
eternityforest
Programmers need to stop trying to kill UPnP.
The buggy firmware that allowed control from outside had nothing to do with UPnP, it was... just buggy firmware implementing it wrong. And it can be easily detected with online testers.
I always leave UPnP on, and I've never seen it disabled by default, nor would I ever want them to do that.
When the router does it right, it's just a small extra convenience for malware that can only be used when they already compromised your system. If they are in your network already, they can already do whatever they want.
cassianoleal
* Scenario 1: Malware running on your network requests port over UPnP. Router accepts it. Hacker has direct inbound access to code they control.
* Scenario 2: Malware running on your network requests port over UPnP. Router denies it (UPnP is disabled). Malware doesn't know how to open a reverse tunnel. No inbound access.
* Scenario 3: Same as 2, but malware sets up reverse tunnel. Hacker is in.
* Scenario 4: Buggy and/or sloppy firmware that's not otherwise malicious requests port over UPnP even though it doesn't need to receive connections from the Internet. Router allows it. Hackers know about this slop and other CVEs on device. Network compromised.
* Scenario 5: Same firmware from 4, but this time UPnP is disabled on router. It's safe to say this non-malicious firmware doesn't set up a reverse tunnel. No inbound access.
This is obviously a very simple threat model but from here you can see that 2 out of 5 attack scenarios would have been prevented by disabling UPnP on the router.
OldTimeCoffee
It's disabled on all AT&T Residential Gateways and can't be enabled, you have to use port forwarding or put another router behind it using IP Passthrough. It's also disabled by default on EdgeRouters and can only be enabled in the ConfigTree or CLI. On UniFi it's disabled, but can be enabled in the GUI.
It's a convenience over control item. Most things do NAT traversal pretty well anyway; UPnP IGD has run its course at this point. PCP is better in every way, push for that instead.
willis936
Doesn't seem worth it.
tjoff
No need. UPnP is already dead.
Edit: and to add on that, programmers are the absolutely only people on earth that wish it wasn't dead.
tux3
Malware that's already on your system can do whatever it wants. NAT punching is not some complicated dark art for people who already have working exploits...
GekkePrutser
No but it stops them using your system as a C&C node accepting connections from external systems.
It doesn't stop it per se but it makes it a lot harder. Part of security is not being the easiest target on the block.
1_player
What? It's used by tons of legitimate applications as well. Not only malware benefits from being able to accept connections from the Internet. Games, torrents and other p2p services, etc.
GekkePrutser
I play a lot of games and I've never had any issues not having UPnP. They got used to working around it. Probably with centralised servers. I never liked the P2P model anyway, dedicated servers are more fun because you can influence the gamemode, add mods etc.
For torrents I don't know... If I were to torrent I would not do it without VPN anyhow.
zibzab
That's not port forwarding, that's moving to the DMZ...
dm319
Darn, I hope this isn't the solution to the problem I have where my switch won't join other worlds on minecraft.
smcleod
PlayStation is pretty bad too, they want 80, 443 (and 1935, 3074, 3478-3479), if you don't you can get all sorts of really annoying problems joining games, delays joining voice chats etc....
fuzzy2
Yeah except of course they do not actually need most of these. It’s all BS and it’s my favorite pet peeve with port forwarding guides. For whatever reason they almost always put all ports for both incoming and outgoing traffic in a list and call it a day.
3np
WTF are they strictly needing 80/443 for? Are those TCP?
yrro
They aren't. They need _outbound_ access to TCP ports 80/443, and Sony are too cheap to hire people who actually know what they're talking about to write support articles.
sneak
Cox (US residential ISP) recently started blocking all port 80 inbound to residential IPs.
KronisLV
Don't most ISPs already use NAT and therefore disallow all inbound traffic to devices behind it? I personally had to use WireGuard to work around it for some of my homelab servers that i wanted to publish: https://blog.kronis.dev/tutorials/how-to-publicly-access-you...
sneak
I don't know about "most", but in the US, the residential broadband I've seen has public IPs. LTE/5G mobile networks do not.
smcleod
Some use CGNAT, but you can disable it if you need to run servers.
smcleod
That's common in Australia and New Zealand along with some other potentially high risk ports, usually you can opt out of it in your settings.
thrdbndndn
Just curious, what if you have another layer of NAT, or your router is out of your control (and no UPnP)?
You just can't play networked games with Switch, or what?
If they need all your incoming traffic they should probably have called it a "router" not a "switch".