If you are experiencing matchmaking delays, voice chat drops, or lobby connection errors, your router's NAT type is likely Moderate or Strict. NAT (Network Address Translation) dictates how your router handles incoming connection requests from other players. To host lobbies and play without restrictions, you must achieve an Open NAT. This technical guide explains the mechanics of NAT traversal, UPnP, and port mapping across all major router brands and gaming platforms.
Achieving an Open NAT type involves allowing incoming connections through your router's firewall. While this is entirely safe for closed-system gaming consoles, you should exercise caution on Windows PCs. Never place a PC in the DMZ or configure broad, unmonitored UPnP ranges. Only forward specific ports requested by your game launchers.
To achieve an Open NAT type, apply the following steps in sequence:
Your NAT type dictates which players you can connect to in multiplayer lobbies. Refer to this compatibility matrix:
| NAT Type | Can Connect To | Lobby Hosting | Voice Chat (P2P) |
|---|---|---|---|
| Open (Type 1) | Open, Moderate, and Strict players (everyone). | Fully Supported | Perfect (Direct Link) |
| Moderate (Type 2) | Open and Moderate players. Cannot connect to Strict. | Limited Support | Generally Stable |
| Strict (Type 3) | Open players only. Cannot connect to Moderate or Strict. | Not Supported | Frequent Drops / Muted |
NAT is not a single standard; it is a set of behaviors defined by how your router handles **Endpoint Mapping** and **Endpoint Filtering**:
The router translates a local IP and port to a single public IP and port, regardless of the destination. Any external device sending packets to that public port will route directly back to the local device. This is the baseline requirement for **Open NAT**.
The router will only allow inbound packets from an external IP if the local device has previously sent an outbound packet to that specific IP. This results in a **Moderate NAT**.
The router blocks inbound packets unless they originate from the exact same external IP and port that the local device previously targeted. This creates a **Strict NAT**, forcing the use of NAT traversal protocols like STUN or TURN relays.
Routers implement **PAT (Port Address Translation)** to track connections. When your console sends a packet to a game server, the router translates your local source IP (e.g., `192.168.1.50:3074`) into its public WAN IP (e.g., `82.44.102.15:3074`) and writes this mapping into its active **State Table**.
When the game server replies, it sends packets back to `82.44.102.15:3074`. The router looks up port `3074` in its state table, translates the destination address back to `192.168.1.50:3074`, and forwards the packet.
The problem arises with inbound traffic. If another player tries to connect to your console directly (P2P matchmaking), their packet arrives at your router's public IP on port `3074` without an active entry in the state table. Without an explicit rule (like UPnP or Port Forwarding), the router firewall discards this unsolicited packet, resulting in a Moderate or Strict NAT.
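The three filtering behaviours and the state-table lookup described above can be modelled in a few lines. This is an added example, not code from the original guide. The mode names are the RFC 4787 terms, the server and peer addresses are constructed, and the model assumes the router keeps the public port equal to the local port, as in the `3074` example.

```python
from dataclasses import dataclass, field

# Filtering behaviours from the text, least to most restrictive (RFC 4787 names).
OPEN = "endpoint-independent"
MODERATE = "address-dependent"
STRICT = "address-and-port-dependent"

CONSOLE = ("192.168.1.50", 3074)   # local address from the text
SERVER = ("203.0.113.10", 3074)    # constructed game server (documentation range)
PEER = ("198.51.100.7", 3074)      # constructed second player (documentation range)

@dataclass
class Nat:
    public_ip: str
    filtering: str
    # State table: public port -> (local ip, local port, remotes contacted).
    state: dict = field(default_factory=dict)

    def outbound(self, local, remote):
        """LAN host sends a packet: create or refresh the mapping."""
        entry = self.state.setdefault(local[1], (local[0], local[1], set()))
        entry[2].add(remote)
        return (self.public_ip, local[1])   # translated source address

    def inbound(self, public_port, remote):
        """Return the LAN destination, or None when the packet is dropped."""
        entry = self.state.get(public_port)
        if entry is None:
            return None                     # unsolicited: no state-table entry
        local_ip, local_port, contacted = entry
        if self.filtering == MODERATE:
            ok = any(ip == remote[0] for ip, _ in contacted)
        elif self.filtering == STRICT:
            ok = remote in contacted
        else:
            ok = True                       # any sender may use the mapping
        return (local_ip, local_port) if ok else None

def simulate(filtering):
    """Which inbound packets reach the console after it contacts SERVER?"""
    nat = Nat("82.44.102.15", filtering)
    result = {"peer_before_outbound": nat.inbound(3074, PEER) is not None}
    nat.outbound(CONSOLE, SERVER)
    senders = {"server": SERVER, "server_other_port": (SERVER[0], 40000), "peer": PEER}
    result.update({name: nat.inbound(3074, src) is not None for name, src in senders.items()})
    return result

for mode in (OPEN, MODERATE, STRICT):
    print(f"{mode:28} {simulate(mode)}")
```

The `peer` column is the P2P case: only the endpoint-independent router delivers a packet from a player the console has never contacted.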
Different platforms use different terminologies for NAT, but the underlying mechanisms are identical:
PlayStation categorizes NAT as Type 1 (direct connection to the internet, no router), Type 2 (connected through a router with open ports — equivalent to Open/Moderate), and Type 3 (connected through a router with blocked ports — equivalent to Strict).
Xbox uses explicit Open, Moderate, and Strict labels. An Xbox console requires port UDP 3074 to be fully mapped to negotiate peer matchmaking. If blocked, it defaults to Strict NAT, blocking party chat.
Nintendo Switch rates NAT from A (best/Open) to F (worst/Strict). Because Nintendo's online multiplayer is almost entirely P2P (players host the lobby states on their consoles), you must have NAT Type A or B to connect to matchmaking.
While both Open and Moderate NAT types allow you to play online, they handle peer connections differently:
Under a Strict NAT, your router blocks all incoming connections. To allow you to play, the game network must route your traffic through a dedicated **TURN (Traversal Using Relays around NAT)** server.
Instead of routing your coordinates directly to the lobby host, your packets travel to the ISP, then to the TURN server, and then to the host. This relay architecture introduces significant latency overhead (often adding 30ms to 80ms of ping) and can cause packet drops. For a complete troubleshooting workflow to resolve Strict NAT, read our guide on How to Fix a Strict NAT Type.
**UPnP (Universal Plug and Play)** is a set of networking protocols that allows devices on your local network to discover each other and automatically configure port forwarding rules. When you launch a game like Call of Duty, the game client broadcasts a UPnP request to your router: *'Forward port 3074 UDP to my local IP address.'*
The router registers the rule in its NAT table instantly. When you close the game, the mapping is deleted, protecting the port from external scans. While highly convenient, UPnP does carry security risks because any software (including malware) on your local network can open incoming ports without administrator approval.
If you choose to disable UPnP for security reasons, you must configure manual port forwarding. Manual port forwarding requires assigning a static IP to your gaming device via DHCP Reservation and creating rules to route specific external ports to that IP.
If your manual port forwarding rules are not resolving your NAT type, check our troubleshooting guide on Why Port Forwarding Is Not Working to audit your configuration.
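Because UPnP lets any local software create a mapping, it is worth reviewing the router's mapping table against what you actually intend to expose. The following is an added example, not code from the original guide. The `Mapping` record, the policy values, the `MAX_RANGE` threshold and the sample table are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Mapping:
    proto: str         # "UDP" or "TCP"
    ext_start: int     # first external port
    ext_end: int       # last external port (equal to ext_start for one port)
    internal_ip: str   # LAN host that receives the traffic
    source: str        # "upnp" (created by a device) or "manual"

# Constructed policy for one console; replace with your own values.
RESERVED_IPS = {"192.168.1.50"}                   # hosts with a DHCP reservation
EXPECTED = {("192.168.1.50", "UDP", 3074)}        # ports the game asks for
MAX_RANGE = 10                                    # hypothetical width limit

def audit(mappings):
    """Return {index: [reason, ...]} for mappings that break the policy."""
    findings = {}
    for i, m in enumerate(mappings):
        reasons = []
        if m.ext_end - m.ext_start + 1 > MAX_RANGE:
            reasons.append("broad-range")
        if m.internal_ip not in RESERVED_IPS:
            reasons.append("no-dhcp-reservation")
        ports = range(m.ext_start, m.ext_end + 1)
        if any((m.internal_ip, m.proto, p) not in EXPECTED for p in ports):
            reasons.append("unexpected-upnp" if m.source == "upnp" else "unexpected-manual")
        if reasons:
            findings[i] = reasons
    return findings

# Constructed mapping table, as it might be copied from a router's status page.
TABLE = [
    Mapping("UDP", 3074, 3074, "192.168.1.50", "upnp"),    # console, expected
    Mapping("TCP", 8080, 8080, "192.168.1.23", "upnp"),    # opened by unknown software
    Mapping("UDP", 1, 65535, "192.168.1.50", "manual"),    # DMZ-like catch-all
]

if __name__ == "__main__":
    for index, reasons in audit(TABLE).items():
        print(TABLE[index], reasons)
```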
Double NAT occurs when you have two routers performing address translation on the same network (for example, connecting a personal mesh Wi-Fi system to an ISP-provided modem-router gateway).
In this setup, your game packets must pass through two separate NAT translation tables. Even if you configure port forwarding on your personal router, incoming traffic is blocked at the upstream ISP router. To resolve this, read our step-by-step guide on How to Resolve Double NAT Environments.
Many ISPs (especially cellular, satellite, and rural fiber providers) use **CGNAT (Carrier-Grade NAT)** to conserve IPv4 space. Under CGNAT, the ISP assigns your router a private WAN IP address within the shared **`100.64.0.0/10`** block (from `100.64.0.0` to `100.127.255.255`) defined by RFC 6598.
Because the carrier is performing the address translation at their central gateway, local port forwarding or UPnP configurations cannot reach the public internet. If your WAN IP lies within this range, you will be locked to Strict NAT. The only solution is to contact your ISP and purchase a public static IP, or use an IPv6 configuration.
Use these menu paths to configure NAT settings on your specific router brand:
Log into admin > Advanced > NAT Forwarding > UPnP > Enable. For static bindings: Advanced > Network > DHCP Server > Address Reservation > Add your console MAC and IP.
Log into dashboard > WAN > Connection Tab > Enable UPnP > Set to Yes. For DHCP binding: LAN > DHCP Server > Enable Manual Assignment > Input MAC and select IP.
ADVANCED > Advanced Setup > UPnP > Turn on UPnP. For static leases: ADVANCED > Setup > LAN Setup > Address Reservation > Click Add and assign IP.
Log into router > Connectivity > Administration > Toggle UPnP to Enabled. For IP reservation: Connectivity > Local Network > DHCP Reservation.
For more advanced configurations (such as shaping traffic or optimizing DNS), see our guides on Best Router Settings for Gaming and Best QoS Settings for Gaming.
To achieve an Open NAT on Xbox Series X/S, configure these parameters:
On PlayStation, a Type 2 NAT is the target connection type when using a router:
PC launchers (Steam, Battle.net, Epic Games, EA App) use different port ranges to negotiate multiplayer lobbies. Configure these rules:
The long-term solution to NAT limitations is **IPv6**. Under IPv4, NAT is required because there are only 4.3 billion addresses. IPv6 provides 340 undecillion addresses, meaning every single device on earth can have its own unique public IP.
Under IPv6, there is no address translation. Your router still has a firewall, but it does not perform NAT. If you enable IPv6 globally, your consoles and PC receive direct, public addresses, achieving the equivalent of Open NAT natively without needing UPnP or port forwarding rules.
Opening ports exposes those specific avenues of incoming traffic to the internet. To minimize security vulnerabilities:
Use these CLI tools on your operating system to verify that the ports are actively listening and mapping correctly:
`netstat -ano | findstr 3074`: Checks if port 3074 is listening or established.
`ipconfig /all`: Displays network adapter configurations.
`ss -tulwn | grep 3074`: Lists active TCP and UDP listening sockets on port 3074 (`-n` keeps the port numeric so the `grep` matches).
`sudo iptables -t nat -L -n -v`: Inspects the active NAT table mappings on Linux routers.
If you are behind CGNAT and your ISP refuses to provide a public IP, standard port forwarding will not work. You can bypass this restriction using these network overlay alternatives:
For more details on resolving network routing issues, see our diagnostic guides on High Ping Resolution and Packet Loss Testing.
Without UPnP, the router blocks incoming connection requests, forcing game ports to remain closed and resulting in a Moderate or Strict NAT.
Having two routers running NAT in series (e.g., an ISP modem-router and a personal mesh router) locks ports on the secondary layer.
Many ISPs assign private WAN IP addresses to save IPv4 space, preventing inbound port maps from reaching your home router.
Strict router firewall rules or active SIP ALG modules drop incoming UDP packets, breaking peer association tables.
Log into your router admin panel and navigate to the WAN, Status, or Device Info tab. Locate your WAN (Internet) IP address. Check if this IP falls within the range of 100.64.0.0 to 100.127.255.255. This block is reserved for Carrier-Grade NAT (CGNAT). If your WAN IP is in this range, your ISP is sharing a single public IP among multiple subscribers, making an Open NAT impossible through standard settings. You will need to contact your ISP and request a static public IP.
Navigate to the NAT, Advanced, or WAN setup page in your router's interface. Find the UPnP (Universal Plug and Play) option and toggle it to Enabled. UPnP allows game clients on your PC or console to dynamically open the specific incoming UDP/TCP ports they need when the game starts, and close them when you log off, achieving an Open NAT without manual configuration.
If UPnP is disabled for security reasons or fails to open NAT, you must forward ports manually. Go to LAN Settings > DHCP Client List on your router, select your gaming device, and bind its MAC address to a fixed local IP address (Static IP). Next, open the Port Forwarding, Virtual Server, or NAT tab. Create a forwarding rule targeting your device's static IP for port 3074 UDP/TCP (the default port for Xbox and Call of Duty) or platform-specific ports.
Double NAT occurs when you have two routers in series doing Address Translation. Locate the upstream modem provided by your ISP. Log into its admin panel and toggle it into 'Bridge Mode' or 'IP Passthrough' to turn off its routing functions. This passes the public IP directly to your personal router, leaving only a single layer of NAT.
Contact your ISP if your router's WAN IP lies within the CGNAT range (100.64.0.0/10), which prevents all forms of local port mapping, or if you require a static public IP to resolve persistent NAT translation conflicts.
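The WAN-address check from the first step above, together with the CGNAT and double NAT cases, can be scripted. This is an added example, not code from the original guide. It goes slightly beyond the text by treating an RFC 1918 WAN address as a sign of double NAT and by optionally comparing the WAN address with an externally observed one. The function name, verdict labels and sample addresses are assumptions.

```python
import ipaddress

CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared address space
PRIVATE = [ipaddress.ip_network(n)              # RFC 1918 LAN ranges
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

ADVICE = {
    "cgnat": "ISP translates upstream; request a public IP or use IPv6.",
    "double-nat": "WAN side is another router's LAN; bridge the upstream device.",
    "mismatch": "WAN IP differs from the IP seen externally; something upstream translates.",
    "public": "Router holds the public IP; UPnP or port forwarding can take effect.",
    "ipv6": "IPv6 address: no IPv4 NAT applies to it.",
}

def diagnose_wan(wan_ip, observed_ip=None):
    """Classify the WAN address shown on the router's status page.

    observed_ip (optional) is the address an external "what is my IP" page
    reports, typed in by hand; this example makes no network calls.
    Raises ValueError if either string is not a valid IP address.
    """
    wan = ipaddress.ip_address(wan_ip.strip())
    if wan.version == 6:
        return "ipv6"
    if wan in CGNAT:
        return "cgnat"
    if any(wan in net for net in PRIVATE):
        return "double-nat"
    if observed_ip and ipaddress.ip_address(observed_ip.strip()) != wan:
        return "mismatch"
    return "public"

# Constructed sample inputs, including both edges of the CGNAT block.
SAMPLES = ["100.64.0.0", "100.127.255.255", "100.128.0.1", "192.168.0.2", "82.44.102.15"]

if __name__ == "__main__":
    for ip in SAMPLES:
        verdict = diagnose_wan(ip)
        print(f"{ip:16} {verdict:11} {ADVICE[verdict]}")
```

Note that `100.128.0.1` is outside the `/10` block: only the second octets 64 through 127 are CGNAT space, not every address starting with `100.`.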
Having an Open NAT is generally safe for gaming consoles (PS5, Xbox, Switch) because they run closed, locked-down operating systems that do not expose standard desktop services. However, for a Windows PC, exposing all ports via DMZ or a broad UPnP configuration carries security risks. A Windows PC runs background network services that could be scanned and targeted. For PC gaming, it is safer to manually forward only the specific ports required by the game launcher rather than placing the entire PC in a DMZ.
This fluctuating behavior is typically caused by UPnP mapping timeouts. When your router or console restarts, UPnP dynamically registers port mappings. If another device on the network requests the same ports or if the lease time expires, the router may release the mapping, forcing the NAT back to Moderate. To fix this, configure a DHCP reservation to assign your gaming device a static IP, and set up permanent, manual port forwarding rules instead of relying on dynamic UPnP.
It is extremely difficult to get an Open NAT on a mobile hotspot (4G LTE or 5G). Cellular networks run behind Carrier-Grade NAT (CGNAT) by default because mobile carriers do not have enough public IPv4 addresses for millions of cellular devices. Since CGNAT blocks all incoming ports at the carrier level, you cannot forward ports. The only ways to get an Open NAT on a hotspot are to request a static public IP from your carrier (which usually requires a business plan) or route your traffic through a gaming VPN with port forwarding capabilities.
Open NAT does not lower your base ping (which is determined by geographical distance and routing paths). However, it prevents latency spikes and connection drops. With Moderate or Strict NAT, you may be unable to establish direct peer-to-peer (P2P) connections. When this happens, the game is forced to route your traffic through intermediate relay servers. These relays add extra routing hops, which can increase your ping by 30ms to 80ms. Open NAT guarantees direct routing.
Under Moderate NAT (Type 2), some incoming ports are open, allowing you to connect to most players, host lobbies, and hear voice chat. However, you cannot connect to players with Strict NAT. Strict NAT (Type 3) means all incoming ports are closed. You cannot host lobbies, and you can only connect to players with Open NAT. Moderate NAT is acceptable for most gamers, while Strict NAT severely limits matchmaking pool sizes and breaks party systems.
Yes, if your ISP and the game servers support it. IPv6 (Internet Protocol version 6) allocates trillions of unique public IP addresses, completely eliminating the need for NAT. Under IPv6, every device in your home has its own public IP, allowing direct inbound and outbound connections. If you enable IPv6 globally, you bypass NAT types entirely, achieving the equivalent of Open NAT natively without needing UPnP or manual port forwarding rules.
No, configuring both at the same time is redundant and can cause conflicts. DMZ (Demilitarized Zone) acts as a catch-all rule: it forwards all incoming traffic on unmapped ports to a single designated device. If you have active port forwarding rules, the router will send traffic on those specified ports to those devices, and send everything else to the DMZ host. It is best to use Port Forwarding for specific devices and leave DMZ disabled, or use DMZ exclusively for one console.
ISPs use Carrier-Grade NAT (CGNAT) to conserve their limited pool of public IPv4 addresses. Instead of assigning a unique public IP to each subscriber, they pool thousands of users behind a single public IP. Because the carrier controls the port mappings at their gateway, subscribers cannot configure inbound port forwarding. For online gaming, this locks your NAT type to Strict, preventing P2P connections, hosting custom games, and voice chat.
No, UPnP does not cause network lag. UPnP only handles the initial handshake to register port mappings when a game starts. Once the mapping is registered in your router's NAT table, the router forwards incoming packets instantly with no CPU overhead. However, UPnP can be a security risk if malicious software on a local device opens ports without your knowledge, which is why some security-conscious gamers prefer manual port forwarding.
If you connect a personal mesh system (like eero, Google Nest, or TP-Link Deco) to your ISP-provided gateway, both devices will perform NAT. To fix this, open your mesh system's settings app, navigate to Advanced Settings > Operating Mode, and change it from 'Router' to 'Bridge Mode' or 'Access Point (AP) Mode'. This disables the mesh system's routing functions, leaving your ISP gateway as the sole NAT provider.