Nintendo Switch NAT type A
There comes a time in the life of many an aging geek when some toy needs to be hooked up to the internet. For me that time was last week and the toy was a Nintendo Switch with Animal Crossing New Horizons on it. Nintendo made a few absolutely bone-headed decisions here. The first: only supporting peer-to-peer connectivity for gaming. The second: pretending that IPv6 does not exist. The result? You need to do a lot of stupid twiddling with NAT on the IPv4 side of your network to get online gaming to work. There’s so much well-meaning but wrong information floating around that I decided to write down, for posterity and my fellow geeks, how I set this up with an OPNSense firewall.
NAT types
Nintendo distinguishes six levels of connectivity by reporting a so-called “NAT type” in the system settings’ Internet connectivity test screen. This “NAT type” has little if anything to do with NAT itself, but let’s just go over them:
- NAT Type A: Connectivity is completely unimpeded. You get this by either having a routable IP straight on your Switch, or proper port forwarding for everything Nintendo needs.
- NAT Type B: Seems to mean you’ve got outbound NAT with static ports set up, but not necessarily any proper port forwarding into your LAN.
- NAT Type C: I haven’t been able to hit this one, so I don’t know what gives you this status.
- NAT Type D: Outbound NAT is configured, but with dynamic ports (as I’d say it should be).
- NAT Type E/F: No connectivity with the Internet whatsoever, apparently.
Vague terminology abounds. So what should you do to get your stuff running at NAT Type A?
NAT Type A requirements
The simplest way to get a perfect connection is to plug your Switch straight into your ISP’s modem and have it grab your public IP address right off the bat. That way you skip NAT altogether and everything works, but the rest of your home has to do without any Internet connectivity until you’re done gaming. Not optimal.
Static IP addressing
Either configure your router to statically assign a fixed and known internal IP-address to your Switch, or enter a fixed IP address into the Switch network configuration screen yourself. Do make sure that if you enter a static IP address into your Switch, you pick one that’s not part of your network’s local DHCP pool or you’re bound to experience issues with duplicate addresses. I’d advise setting up a static mapping for your Switch so that it still uses DHCP, but always gets the same address from your router. I use OPNSense at home, and this is what that looks like on my end.
Static port outbound NAT
OPNSense randomizes the source port on any outbound NAT connection for the sake of security. This is actually a good thing, because it prevents a class of unlikely but still possible security vulnerabilities. Nintendo, obviously, does not care. It needs outbound NAT to preserve the source port or you won’t get your “NAT type” beyond B. So on OPNSense I had to create a specific outbound NAT rule that only applies to the Nintendo device.
You’ll notice in the screenshot that I’m using the NintendoSwitch alias. That’s a host alias I created in OPNSense’s Firewall menu. I find it helps a lot in keeping your configuration readable.
Inbound port forwarding
Nintendo unashamedly tells you to just forward ALL your inbound traffic to the Switch. Umm... how about no? I’m unfortunately still in the process of narrowing down the ports that Nintendo actually does use, but a range of 40000-65535 does the job just fine for now. At least this lets the services I was already running on the lower ports remain unaffected. I added an alias named NintendoPorts that I can easily tweak later. It’s just a port range for now.
The actual port forwarding rule looks like this:
Firewall rule
Now for the evil firewall rule: you need to allow the Switch unfettered access outbound, which most consumer networks already have. You also need a firewall rule to allow full inbound access on the Internet interface so that the world can reach your Switch. Yeah. You’re opening up your firewall to allow connections from the whole world into a children’s toy that has networking bolted on as an afterthought. That’s why this thing is going into its very own VLAN first thing tomorrow so that it sits in complete isolation from everything else.
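For readers who would rather see rule text than GUI screenshots, here is the whole setup from the sections above expressed as an equivalent pf ruleset. This is an added example, not the original post’s configuration or anything OPNSense generated; the interface names em0/em1 and the Switch address 192.168.1.50 are assumptions, and the port range is the one from the text.

```pf
# Assumed interface names (OPNSense would use your WAN/LAN assignments here)
wan = "em0"
lan = "em1"

# Equivalent of the NintendoSwitch host alias; 192.168.1.50 is a constructed address
# and must match the DHCP static mapping so it never lands in the dynamic pool.
table <NintendoSwitch> const { 192.168.1.50 }

# Equivalent of the NintendoPorts alias: the range from the text, to be narrowed later
nintendo_ports = "40000:65535"

# --- Static port outbound NAT ---
# pf uses the first matching nat rule, so this one must sit ABOVE the general
# outbound NAT rule. static-port disables source-port randomisation for this
# one host only; everything else keeps the safer randomised ports.
nat on $wan inet from <NintendoSwitch> to any -> ($wan) static-port
nat on $wan inet from $lan:network to any -> ($wan)

# --- Inbound port forwarding ---
# Only the Nintendo range is redirected, so services on lower ports stay untouched.
rdr on $wan inet proto { tcp udp } from any to ($wan) port $nintendo_ports -> <NintendoSwitch>

# --- Firewall rules ---
# Outbound: the Switch may talk to anything (most home LANs already allow this).
pass in quick on $lan inet from <NintendoSwitch> to any keep state

# Inbound: the filter sees the already-translated destination, so it matches on
# the Switch address. This is the "evil" rule: the whole Internet can reach the
# Switch on these ports, which is why the device belongs in its own isolated VLAN.
pass in quick on $wan inet proto { tcp udp } from any to <NintendoSwitch> port $nintendo_ports keep state
```

In the OPNSense GUI these correspond, in order, to the host alias, the manual outbound NAT rule with “Static Port” checked, the port forward on the WAN interface, and its associated WAN pass rule.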
With all of the above in place, the Switch reports NAT Type A. Contrary to things people say on the Internet, there is zero requirement to use a wired connection. This works on either WiFi or wired, just not both at the same time. Keep in mind that a Switch has two network interfaces that are very likely to live on the exact same subnet. Only ever use one at the same time, and ensure that the port forwarding rigamarole above is set to the right one.
So Nintendo, if you’re reading this: peer-to-peer gaming is a swell use case for IPv6! It’ll keep your customer paying for an online service that doesn’t even have any servers and there won’t be any NAT types to worry about.