It’s been a while since I’ve played any games online with my Nintendo Switch, and I quickly remembered the issues with NAT types on the Switch.
When I checked, I had a NAT type of F, which will not allow online gaming. I found the guides on setting up the Hybrid NAT rules in pfSense, but my type was still F. I then loosened up my outgoing port rules for that VLAN and got a NAT type of B.
After tightening them back up a bit and looking online, it looks like the UDP range 1024 through 65535 is expected for outgoing UDP traffic. Is that right? That is a ton of ports, and possibly no better than just enabling UPnP.
Do I really need such a wide range to be able to maintain this NAT type B?
While you’re opening most outbound UDP ports for just the Switch, a UPnP vulnerability has the possibility of letting an attacker open ports, especially inbound registered ports (SSH, RDP, etc.), for all devices.
If you do everything right (Wi-Fi client isolation, if your WAP has that option), opening the ports for the Switch is “essentially” as safe as it can be. The safest option would be Nintendo listing their public IPs, but I think Switch games use P2P, which is why they don’t.
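To make the difference between the two approaches concrete, here is an added example in FreeBSD pf syntax (the rule language pfSense generates from its GUI) that scopes the wide outbound UDP range and the static-port NAT to the console alone. It is not from either poster and not pfSense's own generated ruleset; the interface names and the addresses are constructed placeholders, and the exact port range and VLAN layout are assumptions about the asker's setup.

```pf
# Constructed values: replace with your WAN interface, the VLAN interface the
# console sits on, and the console's static/reserved address.
ext_if    = "igb0"
vlan_if   = "igb1.20"
switch_ip = "192.168.20.50"

# --- Outbound NAT (pfSense "Hybrid Outbound NAT") ---
# pf applies the FIRST matching translation rule, so the console-specific
# rule must come before the general one.
# static-port keeps the console's UDP source port unchanged across NAT,
# which is what the Switch's NAT-type check is looking for. Every other
# host on the VLAN keeps normal source-port randomization.
nat on $ext_if inet from $switch_ip to any -> ($ext_if) static-port
nat on $ext_if inet from $vlan_if:network to any -> ($ext_if)

# --- Filter rules on the VLAN interface (pfSense evaluates where traffic enters) ---
# Only the console may originate UDP to the high port range; the rest of the
# VLAN stays on the tighter policy below. Outbound only: no inbound port is
# opened, the reply traffic rides the state entry pf creates.
pass in quick on $vlan_if inet proto udp from $switch_ip to any port 1024:65535 keep state

# Tighter default for everything else on the VLAN (example: web only).
pass in quick on $vlan_if inet proto tcp from $vlan_if:network to any port { 80 443 } flags S/SA keep state

# Everything not matched above is dropped and logged.
block in log on $vlan_if
```

The point of this layout is least privilege: the broad 1024-65535 range is limited to one source address and one direction, whereas a UPnP-created mapping is an inbound hole that any host on the segment can request. After loading the rules, `pfctl -s state | grep 192.168.20.50` shows the console's UDP states and lets you confirm the translated source port matches the original, which is the observable effect of `static-port`.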