Console NAT Types Explained: Strict, Moderate, Open (and How to Fix Strict)

The Short Version

• Open NAT (Type 1 or 2 open): easiest matchmaking, can host and join anyone
• Moderate NAT (Type 2): can join most games, some voice-chat issues
• Strict NAT (Type 3): slow matchmaking, can only connect to open / moderate peers
• Usually fixed by: enabling UPnP, setting DMZ, or using port forwarding + static IP
• CGNAT on the ISP side forces strict NAT no matter what you do — check with your ISP

What NAT Actually Is

NAT (Network Address Translation) lets many devices share one public IP. Your router keeps a table of which outbound connection belongs to which internal device and translates addresses back and forth. It's been how home internet works for 25 years.

NAT "type" describes how strict your router is about accepting incoming connections. Strict NAT only accepts replies to connections your console started. Open NAT accepts inbound connections from anywhere. Moderate is in between.

Matchmaking in multiplayer games often requires two peers to initiate connections to each other at the same time — "hole punching." That only works reliably when at least one peer is open or moderate.

How to Check Your Current NAT Type

PlayStation 5 / PS4

Settings → Network → Connection Status → NAT Type

• Type 1: directly connected to internet (rare, open)
• Type 2: behind a router, ports are open (equivalent to open)
• Type 3: strict — this is the problem

Xbox Series X / One

Settings → General → Network settings → NAT type shows Open / Moderate / Strict directly.

Nintendo Switch

System Settings → Internet → Test Connection → NAT Type is shown as letters A through F; A-B are effectively open, C is moderate, D-F are strict.

Why Strict NAT Happens

1. Double NAT. Your ISP's modem does NAT and so does your router, so the console is behind two NAT layers. Very common with ISP-provided gateways.
2. CGNAT at the ISP. The ISP itself uses a shared public IP for many customers. No router setting will fix this — you need the ISP to give you a real public IP, or use IPv6 where the game supports it.
3. UPnP is disabled. UPnP lets consoles request port mappings automatically. Without it, the router doesn't know to open gaming ports.
4. Firewall rules. Some ISP-provided routers have "high-security" firewall modes that block the inbound signaling games need.
5. Port forwarding broken. You set up port forwarding but the console got a new LAN IP from DHCP.

Fix 1: Turn On UPnP

This is the fastest fix that works for most people.

• Log into your router (usually 192.168.1.1 or 192.168.0.1)
• Find Advanced → UPnP or NAT Forwarding → UPnP
• Enable it
• Reboot the console; retest NAT type

UPnP is usually safe for home networks and lets consoles and games request mappings as needed.

Fix 2: Eliminate Double NAT

If your ISP gave you a combined modem-router-gateway and you added your own router behind it, you have double NAT. Fix with one of:

• Bridge mode on the ISP gateway. Log into the ISP gateway, find bridge / modem-only mode, enable it. Your own router now does all NAT. Best option.
• DMZ+ mode. Some ISP gateways offer DMZ+ which effectively bypasses NAT for the device behind it. Set your router's WAN IP as the DMZ target.
• IP passthrough. AT&T-style feature that hands the public IP straight to your router.

Fix 3: Port Forward + Static IP (the nuclear option)

Works reliably but takes more work. Steps:

1. Give your console a static LAN IP, either in the console's network settings or as a DHCP reservation in the router.
2. Forward the specific ports for your console/game to that IP.

PlayStation 5 / PS4 ports

• TCP: 80, 443, 3478, 3479, 3480
• UDP: 3074, 3478, 3479

Xbox Series X / One ports

• TCP: 53, 80, 3074
• UDP: 53, 88, 500, 3074, 3544, 4500

Switch ports

• UDP: 1-65535 is what Nintendo recommends for open NAT — basically requires DMZ

Fix 4: DMZ the Console

A DMZ (demilitarized zone) removes all firewall barriers for a single device. Set your console's static IP as the DMZ host in your router. Simplest way to get open NAT but removes the router's firewall protection for that device.

Modern consoles are hardened enough that DMZ is generally safe, but any other device with poor security shouldn't be DMZed.

Fix 5: Check for CGNAT

Find your router's WAN IP (in router admin). Compare it to your public IP at whatismyip.com. If they're different, you're on CGNAT. Common with 5G home internet, some cable ISPs, most fixed-wireless, and Starlink.

• Ask the ISP for a static public IPv4. Often a $5-10/mo add-on on business tiers; sometimes free if you ask.
• Use IPv6 where the game supports it — CGNAT is usually only an IPv4 issue.
• Use a VPN or tunnel with port forwarding enabled on the remote side (Mullvad used to offer this; some providers still do).
• Switch ISPs if matchmaking is chronically bad and the ISP won't help.

Does NAT Type Really Affect Ping?

Not directly. NAT type affects who you can connect to and how easily matchmaking works. It doesn't change latency between you and a given game server. But strict NAT often forces relay-server usage, which does add latency — so indirectly, open NAT can reduce ping.

Common Mistakes

• Port forwarding without setting a static IP — the console gets a new IP after reboot and the forward breaks
• Using an online "NAT type test" from a browser — only the console's own test is reliable
• Enabling both UPnP and manual port forwarding for the same device — they can conflict
• Factory-resetting the router then forgetting to re-enable UPnP or the port forward

What About PC Gaming?

PCs rarely report NAT type directly. Windows uses 'Teredo' for Xbox Live services on PC, and reports via the Xbox app. For most other PC games, strict NAT shows up as "can't host" or "can't hear in voice chat" rather than an explicit error. The same fixes — UPnP, bridge mode, port forwarding — apply.