The gateway on my home network runs OpenBSD with a fairly simple pf configuration. When I recently tried to play online multiplayer games on the Nintendo Switch, I encountered NAT traversal errors, and the system diagnosed my network configuration as "NAT type D" (on an A-F grading scale).

Luckily, a bit of searching revealed that the root of the problem is that the Switch needs the source port on NAT'ed packets to be preserved. (Thanks to the users on Reddit and the pfSense forums who identified the issue.) Configuring pf to do this is trivial. The relevant lines in my pf.conf file on OpenBSD 6.3 look something like this:

# Define a macro for the static IP addresses assigned to
# the Nintendo Switch's wired and wireless interfaces.
nintendo = "{, }"

# Nintendo Switch needs static ports for UDP over NAT.
match out on egress inet from $nintendo to any nat-to (egress:0) static-port

# Standard NAT configuration for everything else.
match out on egress inet from !(egress:network) to any nat-to (egress:0)

With the static-port option set, the Switch graded my NAT configuration as "type B," and I was able to connect to multiplayer games without issue.

The Reddit post linked above shows the equivalent configuration for other versions of pf that use the old pf.conf syntax.
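To check on the gateway that static-port applies only to the Switch and that every other host still gets its source port rewritten, the state table can be summarised per LAN host. This is an added example, not part of the original post. It assumes `pfctl -ss` prints NAT'ed outbound IPv4 states in the shape shown in the comment; the function name and all addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): report, per LAN host, whether
# pf kept or rewrote the source port on NAT'ed outbound states.
#
# Assumed line shape (confirm against your own `pfctl -ss` output):
#   IFACE PROTO WIRE_ADDR:PORT (LAN_ADDR:PORT) -> DST_ADDR:PORT  STATE
# Lines without the parenthesised LAN address (no translation) are ignored.

nat_port_report() {
    awk '
    $5 == "->" && $4 ~ /^\(.+:[0-9]+\)$/ {
        lan = substr($4, 2, length($4) - 2)   # strip the parentheses
        split(lan, l, ":")                    # l[1] = LAN address, l[2] = port
        split($3, w, ":")                     # w[2] = source port on the wire
        hosts[l[1]] = 1
        if (l[2] == w[2]) kept[l[1]]++; else changed[l[1]]++
    }
    END {
        for (h in hosts)
            printf "%s preserved=%d rewritten=%d\n", h, kept[h], changed[h]
    }' | sort
}

# Constructed sample using documentation addresses, not a real capture:
# 192.0.2.50 stands in for the Switch (matched by the static-port rule),
# 192.0.2.77 for another LAN host (matched by the standard NAT rule).
SAMPLE_STATES='all udp 203.0.113.5:49152 (192.0.2.50:49152) -> 198.51.100.7:3478       MULTIPLE:MULTIPLE
all udp 203.0.113.5:50001 (192.0.2.50:50001) -> 198.51.100.9:33334       MULTIPLE:MULTIPLE
all udp 203.0.113.5:61873 (192.0.2.77:40000) -> 198.51.100.7:3478       MULTIPLE:MULTIPLE
all tcp 203.0.113.5:55021 (192.0.2.77:51515) -> 198.51.100.20:443       ESTABLISHED:ESTABLISHED'

# Demo on the constructed sample. On the gateway: pfctl -ss | nat_port_report
printf '%s\n' "$SAMPLE_STATES" | nat_port_report
```

A host outside the `$nintendo` macro that shows up with preserved ports means the static-port rule is matching more than intended.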