by the_mitsuhiko 1613 days ago
That makes it worse. That means this is not actually a mistake in the documentation. JFC. Does it not support UPnP?

It does; these docs are for people for whom UPnP has failed.

The wide port range I think is Nintendo throwing their hands in the air and not actually knowing what ports third party Switch software uses.

If it supports UPnP why do the docs not say: turn on UPnP? If you search for UPnP in the docs, you get exactly zero results back.
I don't think anybody here (including me) claims these are _good_ docs.
Is there any evidence that the Switch supports UPnP? Because some quick googling did not suggest it does.
My router has never seen the Switch use UPnP.
IMO, because they're trying to keep it simple.

Most readers of HN will understand (or at least understand the goal of) the checklist for debugging network issues.

Skipping straight to Port Forwarding eliminates any issues on whether UPnP is actually working correctly. Growing up, some of my friends had routers that struggled to handle UPnP correctly. If I knew they were the only ones needing port forwarding, I'd simply turn that on for them instead of trying to figure out if UPnP was actually working correctly.

> not actually knowing what ports third party switch software

More than likely I'd think this is for enabling inbound responses to outbound ephemeral ports, given the port range.

Even a restricted NAT should allow for this without explicit port forwarding configuration?

Unless you're doing something like active FTP where it's replying to a different port than the one the request originated from. Which would be an interesting choice for a console designed in like 2018.

It’s a firewall thing, not a NATting thing. You need a stateful firewall to do that kind of smart port forwarding. Which, to be fair, all consumer routers should have.

Stateless firewalls, however, need to have explicit rules for UDP traffic. So that’s what Nintendo are addressing here.

NAT functionality especially for UDP can be incredibly flaky in a lot of consumer hardware, mangling payloads, randomly dropping associations or having extremely short timeouts, and other plain buggy behaviour.
I think even their first-party games use random ports.
Probably because of this: https://duckduckgo.com/?t=ffab&q=UPnP

Among the first 4 links, 3 explicitly tell me that UPnP is dangerous.

UPnP is significantly less dangerous than forwarding all UDP ports to a single device.
Came here to say this. UPnP is a security vulnerability, not a feature.
Worse than forwarding all ports?
Neither is an acceptable solution.

Although I will say that if you are forwarding all ports, at least it’s to a device you know about. Not some random IoT or PC software or whatever opening up ports without your knowledge.

Who has UPnP enabled anymore?
My Verizon Router resets and defaults to it.

(Oh.... and it resets randomly...)

My AT&T router (Arris) doesn't even have that setting.

https://forums.att.com/conversations/att-internet-features/h...

This is made doubly frustrating by the fact that AT&T does not allow you to use your own router.
You can put your own router behind the AT&T gateway and then tell the gateway it's a DMZ.

AT&T does a lot to make me angry, but removing UPnP is the right call IMHO.

Using DMZ doesn't completely solve my problem, the AT&T gateway is still routing every packet (at less than line speed) and randomly dropping some of them.
Is this maybe to get around a double NAT problem? I'm not sure how UPnP works with double NAT.
UPnP is a security risk (as is forwarding all UDP ports to a single device). Nintendo should set up STUN servers so the Switch can do UDP hole punching.
How is hole punching more secure than UPnP? They both achieve exactly the same thing.
Enabling UPnP on your router enables a malicious app to permanently forward ports from the outside to the inside. The malicious app could also forward ports to other devices on your network. For example, installing a bit of malware on your laptop could set up a port forwarding rule from the internet to your NAS's web interface.

UDP hole punching via STUN requires continuous work on the part of a malicious app to keep that port open. Work that could be noticed much more easily than a rogue UPnP-using bit of malware. And it can't open ports to other devices on your network.
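The two arguments running through this thread (a stateful firewall admits UDP replies to an outbound ephemeral port while a stateless one needs an explicit rule, and a hole-punched mapping dies without keepalives while a UPnP or manual forward persists and can point at any LAN host) can be made concrete with a small simulator. The code below is an added example, not anything from the thread or from Nintendo; it models one router with a dynamic UDP mapping table that only outbound traffic refreshes (the RFC 4787 behaviour), plus static forwards that never expire. All addresses, ports, the 30-second idle timeout and the keepalive intervals are constructed values; port 3478 is only assumed here to stand for a STUN server.

```python
"""Toy stateful UDP NAT/firewall: dynamic mappings vs. static forwards.

Added illustration for the discussion above (not code from the HN thread).
Every address, port and timeout is a constructed example value.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple

UDP = "udp"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = UDP


@dataclass
class Mapping:
    internal_ip: str
    internal_port: int
    last_refresh: float   # time of the last OUTBOUND packet on this entry
    static: bool = False  # True for UPnP/manual forwards: never idles out


@dataclass
class NatFirewall:
    wan_ip: str
    udp_timeout: float    # idle timeout for dynamic UDP mappings
    now: float = 0.0
    mappings: dict = field(default_factory=dict)  # (proto, ext_port) -> Mapping
    log: list = field(default_factory=list)

    def tick(self, seconds: float) -> None:
        """Advance the clock and expire dynamic mappings idle past the timeout."""
        self.now += seconds
        for key, m in list(self.mappings.items()):
            if not m.static and self.now - m.last_refresh > self.udp_timeout:
                self.log.append(f"expired ext:{key[1]} -> {m.internal_ip}:{m.internal_port}")
                del self.mappings[key]

    def add_static_forward(self, ext_port: int, internal_ip: str, internal_port: int) -> None:
        """Model of a UPnP AddPortMapping or a manual port-forward rule.
        Note the target can be ANY LAN host, which is the NAS risk raised above."""
        self.mappings[(UDP, ext_port)] = Mapping(internal_ip, internal_port, self.now, static=True)

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: create or refresh a mapping (outbound traffic refreshes, RFC 4787)."""
        key = (pkt.proto, pkt.src_port)  # simplification: external port == internal port
        m = self.mappings.get(key)
        if m is None:
            self.mappings[key] = Mapping(pkt.src_ip, pkt.src_port, self.now)
        elif not m.static:
            m.last_refresh = self.now
        return Packet(self.wan_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """WAN -> LAN: deliver only if a mapping exists; unsolicited traffic is dropped.
        Inbound packets do NOT refresh the mapping, so a punched hole needs keepalives."""
        m = self.mappings.get((pkt.proto, pkt.dst_port))
        if m is None:
            self.log.append(f"dropped unsolicited {pkt.proto}/{pkt.dst_port} from {pkt.src_ip}")
            return None
        return Packet(pkt.src_ip, pkt.src_port, m.internal_ip, m.internal_port, pkt.proto)


# Constructed scenario values: WAN side in 203.0.113.0/24 and 198.51.100.0/24 (documentation ranges).
WAN, CONSOLE, NAS, STUN = "203.0.113.7", "192.168.1.20", "192.168.1.50", "198.51.100.5"


def scenario_reply_allowed() -> bool:
    """A reply to an outbound ephemeral port comes back without any explicit rule."""
    nat = NatFirewall(WAN, udp_timeout=30.0)
    nat.outbound(Packet(CONSOLE, 51000, STUN, 3478))
    reply = nat.inbound(Packet(STUN, 3478, WAN, 51000))
    return reply is not None and reply.dst_ip == CONSOLE


def scenario_unsolicited_dropped() -> bool:
    """With no mapping and no forward, inbound UDP is dropped."""
    nat = NatFirewall(WAN, udp_timeout=30.0)
    return nat.inbound(Packet("198.51.100.99", 4000, WAN, 51000)) is None


def scenario_idle_expires_static_persists() -> Tuple[bool, bool]:
    """Dynamic mapping dies after the idle timeout; a UPnP-style forward to the NAS does not."""
    nat = NatFirewall(WAN, udp_timeout=30.0)
    nat.outbound(Packet(CONSOLE, 51000, STUN, 3478))
    nat.add_static_forward(8080, NAS, 80)
    nat.tick(31)
    dyn = nat.inbound(Packet(STUN, 3478, WAN, 51000))
    stat = nat.inbound(Packet("198.51.100.99", 4000, WAN, 8080))
    return dyn is None, stat is not None and stat.dst_ip == NAS


def scenario_hole_punch(keepalive_interval: Optional[float], total_time: float = 120.0) -> bool:
    """A punched hole stays usable only if the LAN client keeps refreshing it
    faster than the NAT's idle timeout. Returns True if every peer packet got through."""
    nat = NatFirewall(WAN, udp_timeout=30.0)
    peer = ("198.51.100.42", 51000)
    client_pkt = Packet(CONSOLE, 51000, peer[0], peer[1])
    nat.outbound(client_pkt)  # first outbound packet punches the hole
    step = keepalive_interval if keepalive_interval else total_time
    delivered, elapsed = [], 0.0
    while elapsed < total_time:
        nat.tick(step)
        elapsed += step
        delivered.append(nat.inbound(Packet(peer[0], peer[1], WAN, 51000)) is not None)
        if keepalive_interval:
            nat.outbound(client_pkt)  # keepalive refreshes the dynamic mapping
    return all(delivered)


if __name__ == "__main__":
    print("reply to ephemeral port allowed:", scenario_reply_allowed())
    print("unsolicited inbound dropped:   ", scenario_unsolicited_dropped())
    print("(dynamic expired, static lives):", scenario_idle_expires_static_persists())
    print("hole punch, keepalive 20s:      ", scenario_hole_punch(20.0))
    print("hole punch, keepalive 45s:      ", scenario_hole_punch(45.0))
    print("hole punch, no keepalive:       ", scenario_hole_punch(None))
```

The asymmetry the last two commenters describe falls out of the model: the static forward to the NAS keeps delivering after the clock advances with no traffic at all, whereas the punched hole fails as soon as the keepalive interval exceeds the idle timeout. That keepalive stream is the "continuous work" that shows up in traffic, and because the dynamic mapping is keyed to the host that sent the outbound packet, it can never be aimed at a different LAN device the way a static forward can.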