Pfsense OpenVPN with UPNP = Double NAT/Strict NAT?

I’m far from a network guru, I’m a hardware guy and having trouble figuring this out. Watched a ton of the videos from Lawrence Systems on just about everything I use (also in Detroit too).

I am using Pfsense to replace my Ubiquiti Edgerouter X as I want to run a VPN 24/7 for one of my VLANs. Basically I have a teen who keeps getting DDOSed while paying xbox games. Apparently it’s a thing now and pretty easy to do.

My network consists of…

-Gigabit Comcast (1Gbps down/40Mbps up).
-Netgear CM1000 modem connected to WAN.
-Pfsense Box with WAN in and one trunked LAN out.
-Mikrotik 10G switch where everything else connects.
-Two TP Link Omada WAPs/3 unmanaged switches.

Primary network LAN 192.168.2.0
VLAN 10 192.168.1.0
VLAN 20 192.168.4.0

When I set up my pfsense and add a rule to allow all traffic on VLANs, all current devices appear to connect and work as they should on their respective networks… When I start to mix UPNP and openVPN is where the issues start.

So after playing around for about 4 hours tonight I found some more details and specifics of what’s causing it. If I keep the my client openVPN through private internet access off, I can enable UPNP and with the rules in my NAT outbound settings, and my gaming Alias with multiple IPs it works perfect.

If I turn openvpn on with the associated rules and UPNP off, I get a normal but strict NAT type.

If I run openvpn with UPNP both on, I get a report of a double NAT that is strict and I can’t solve it.

TL:DR

OpenVPN off, UPNP on = Open NAT yayyy!
OpenVPN on, UPNP off = Strict NAT
OpenVPN on, UPNP on = Double NAT, strict

A couple things stand out. Gaming over VPN will have higher latency which is never good and frustrating. Also it would make since that your NAT wouldn’t be open because your Xbox is no longer terminating out the gateway of your ISP but, instead ending up out the gateway of your VPN. The only way to get rid of DDoS is actually through your ISP and I wouldn’t think a VPN would stop an attacker from sending an attack to your VPN IP.

Hey thanks for the reply! I am aware of the latency issues, looks to add about 20-30ms to the latency running 128bit encryption to the server nearby. It will be all of my my kids gaming devices and all IoT devices on the VPN. So as long as he wants to hopping in random xbox parties and “trash talking” to where other kids are getting his IP address, he will remain on a VPN lol. Honestly they won’t know the difference.

When looking up DDOS attacks it seems most reputable VPNs have services to prevent these kind of attacks. When I go. Through the VPN and DDOS myself it shows little no no effect.

When I DDOS, or anyone does for that matter, the Edgerouter the CPU is pinned at 100% and it shard to even get into the routers interface.

When I DDOS my new pfsense router with an i5 7200u I only see the CPU spike at around 40% and although it’s using my full gigabit connection it does appear I can still browse the internet although a bit slow.