Of course.

1. openjdk
    a. https://www.freebsd.org/java/
    b. pkg install openjdk8

2. Minecraft
    a. I followed this guide, but instead of sudo apt-get, I just used pkg: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-minecraft-server-on-linux
    b. note that if you run the commands from root or from a script, it may create all the minecraft files in an unexpected directory.. Most likely just an operator error on my part but all my files ended up in my /root directory instead of my /minecraft one.

3. pfSense rules
    a. Create a new firewall rule
          i. interface WAN, protocol TCP, source ANY, Destination THIS FIREWALL(SELF), Port Range from (OTHER) 25565 to (OTHER) 25565

thats about it. the NIC I am using is an intel pro 1000 pt gigabit quad port interface card, I believe the 9490 model.. and my machine is a Dell Optiplex 790 with an i5 and 6 GB of mixed ram (2x2 + 2x1). I can access the minecraft server from both LAN and WAN, which is nice. Anything else just ask. Still working on the autorun script issue.. oh well.

So, I got both XB1's on an open NAT, and things work, for the most part, without having to reboot pFsense.

First, I tried adding an additional router (Linksys EA6400 AC1900). Basically it went Modem -> Linksys -> pfSense -> internal network.
The linksys had wifi enabled and a hardline to the XB1's. Only enabled uPnP, no port forwarding. During that, I found that XB1 boot order mattered. /boggle

Anyway, so i wondered, if this works, what i move everything back behind pfSense and get rid of that extra hop. So I did.

Lo and behold, using the "proper" boot order does matter, at least for me.

A little more about that magical boot order:
I have both XB1s set to energy saver in power options, so they completely shutdown.
One XB1 (XBA) was bought within 3 months of XB!'s release.
The other (XBB) was bought about a year after release. Don't ask why this matters, even microsoft is "dunno"

So, If I boot XBA (the older one) first, THEN boot XBB (the newer) both get an open NAT, and everything works great.
If i boot them in the opposite order,XBA gets strict and XBB gets open.
I have no idea why this matters aside from the older XB1 will get the default ports and the other relies solely on uPnP.

Side note from Microsoft, aka hill-billy tech support:
When I first talked with them about what ports should be forwarded, they could only say "follow this guide and make sure ports yada yada were open".
Given that (Like Bradenmcg says) ports 53, 88, etc are garbage ports, everyone allows those outbound. I asked microsoft, "OK, make sure the ports are open… So, which direction and which protocols?"
I asked that 3 times, kept ignoring the question, finally they said, (after dropping packet capture results, basic networking rules, etc on the poor guy) he said "I'm sorry, but what you're talking about is beyond my ability."
It just so happened that during the chat session I found the "proper" boot order for my XB1s. Told chat about it, asking if there was a known problem with what I was calling Gen1 XB1s, because obviously, there is a problem. They said there is only 1 generation of XB1. They said the last resort was to reset it to factory defaults (Sorry, I don't feel like downloading 120GB of data tonight and re-setting everything back up, fix your networking) and see if that fixed the problem.
Finally after getting both working with open NAT on that boot order thing, they asked if there was anything else they could help me with... lets say i really wanted the ability to post a Jackie Chan meme in the chat box.

COD also requires 3074 to be open to have Open NAT, make sure that's set up properly.

Hi johnpoz ,  Thx for your reply. The wireless-G works flawlessly great!  I have a long high gain antenna on the G nic card.  I still have the N and an AC routers as well in case I upgrade to 100Mb+.  I don't have any hiccups/stutters/buffering with my current setup so I will venture back to N and AC when higher speed or more distance is desired or necessary…

I don't know how much this will help (XBox guy here) but I actually had better luck with making a manual NAT rule to encompass the UPnP rules.

for example, UPnP user spec permissions Allow X-Y192.168.1.142/32 X-Y
Then setting up a NAT rule that is the same for X-Y. But place it towards the bottom of the rule set so higher more specific rules that fall within that range will work.

I'm not sure how PS4 handles teredo or if it even uses it. but I noticed in your UPnP status that .109 has 3074 and your PS4 got 3075. Generally a good implementation can use any UPnP port, but you may try forcing the PS4 into getting 3074 instead of 3075 and seeing how that works for you. Since you didn't specify what kind of device .109 is, I can only assume it's more configurable than a PS4 on what ports it uses. This is just my wild stab in the dark at PS4, but I fouight multi XBox Open NAT problems for about a week and a half before getting something that worked.

Not sure if this will help, but in order to get Open NAT and party chat working on my PS4, beside enabling upnp on pfSense I also had to create a manual port forward for the ports used by the game. You may want to check what ports BF uses and try to do the same.

Not sure why it's necessary, since in theory upnp should take care of everything, but I guess the PS4 doesn't like pfSense's upnp that much.

@EWTHeckman:

Which is why I needed—and asked for(!)—help.

You will NOT get any instant recipe either. It's just NOT how it works. Read the IDS/IPS forum, invest time in reading, learning, getting the info to get rid of the most common false positives, then you can go on with tuning the thing. You should run it for a couple of weeks without any blocking, study the alerts/logs and keep modifying the configuration.

"Hey tell me how do I do it" won't work. What works for me won't work for you - I for instance do exactly ZERO gaming. You need different kind of rules for a gaming rig, you need something different for running a webserver farm behind Snort/Suricata.

What packages do you have installed?  Any traffic shaping or anything set up?

One thing you might want to look into is how long the ports opened by uPnP are being held open.  Just make sure that they arent hitting a point where it no longer allows the box to open more.  Do you have the gaming network set to static outbound?

I solved the issue by writing the rule for the top half of a two subnet class C but not actually subnetting the network.  This way the rule only applies to addresses above 128.  Then, I just set static DHCP leases to put the game consoles in that half of the network.  Completely solved the issue.

@Ryu945:

You may want to look at this:  https://forum.pfsense.org/index.php?topic=99161.0

Also, what about your set up makes this a DMZ.  I must be missing it from reading your guide.  All I see is you naming an interface to DMZ but what did you actually change to make it a DMZ?

I'm good, thanks. What you basically did is create a static route. I mentioned several times that this didn't work for my setup. I have no idea why - I agree it should have. What I wanted to do was plug my device into the OPT1 port ("why" isn't important).

It's a DMZ because of the section labeled "Second", where I pass all traffic.

@Aaron:

Any idea when this will be merged in? It appears to me that it was merged, but I'm not seeing it in 2.2.4?

It was merged into master (2.3.x) not RELENG_2_2 (2.2.x) – new features like that probably won't make it to a maintenance release. Though someone will need to go back and make sure that change carried over to the bootstrap branch as well.

There is another post on here about adding multicast subnets to your LAN profile. Since doing that on mine, my 360 has been able to use uPNP correctly every time.

Proto Source Port Destination Port Gateway Queue Schedule Description IPv4*  LAN net * 224.0.0.0/8 * * none Allow Multicast IPv4*  LAN net * 239.0.0.0/30 * * none Allow Multicast

Your going to have to probably create a LAN rule to send all traffic from the game out one WAN.  BF3 is like that as well.  The client will go out one WAN then PB will go out the other as it makes a new connection and the player will get kicked.

I think that is good enough.

This would be better asked in a new thread instead of hijacking this one…

There is no one best algorithm for shaping games.  The real question to ask is, how time-critical are my requirements?  If you want certain users or apps to have priority regardless of anything else, use PRIQ or CBQ.  If you need to guarantee realtime performance while best-serving other users, HFSC is better.  PRIQ is easy; HFSC is hard.