Just to throw this out there. For xbox to easily have open NAT, it requires DHCP + uPNP.
http://miniupnp.tuxfamily.org/forum/viewtopic.php?t=393

To secure your upnp, I would recommend checking the box next to "By default deny access to UPnP & NAT-PMP?"

Then in your rule set next to "User specified permissions 1" set "allow 3074 xbox.ip.address 3074"

Setting a static DHCP reservation in pfsense will not work in your main subnet.

http://doc.pfsense.org/index.php/Why_can't_I_have_static_mappings_inside_my_DHCP_range%3F

Its a realy stupid "bug"

I needed over 6 hours to find this…

tyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy

Perhaps something like this?
http://doc.pfsense.org/index.php/Traffic_Shaping_Guide

I fired my ISP and turned off traffic shaping. With the new ISP all my issues seem to have disappeared.

WoW isn't using the pfSense proxy, so your problem hasn't got anything to do with pfSense.

I think is because 2 ports are trying to access the internet.
Have you tryed with "1" PS3 with theses following port's TCP&UDP 3478-3479, TCP 3480, 5223

http://manuals.playstation.net/document/en/ps3/current/settings/connecttest.html
http://www.ps3devwiki.com/wiki/Online_Connections#Game Specific Port usage

In the past I have found the only reliable way to get 2 (or more) Xboxes running is either:

Easy Solution
DMZ to individual external IP's

More unusual Solution
Port Triggering - see this posting if you want to contribute:
http://forum.pfsense.org/index.php/topic,39638.0.html

The above was with DD-wrt or similar router with port triggering facility. 
One specific router I had (sorry long gone) simply required uPnP enabled - as long as the XBoxes received IP by DHCP (and therefore gave MAC addresses) the router managed the two through automatic triggering.

Not knowledgeable enough with pfs to know if this is possible

Good Luck

Fixed.  Turns out I didn't have NAT reflection turned on.  Once I turned that on, they could talk to each other.

You might want to look into the plugin http://dev.bukkit.org/server-mods/multiverse-core/

Have a single gateworld.

Jump from there to multiple different servers on other ports than the default port.
–> Run each server on it's own port.

There's an article out there that says to add the following to the squid.conf for MSN functionality:

acl MSN_ports port 1863 443 1503
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 207.46.111.0/255.255.255.0
acl MSN_methods method CONNECT

http_access allow MSN_methods MSN_ports MSN_hosts
http_access allow MSN_methods MSN_ports MSN_domains
http_access allow MSN_methods MSN_ports MSN_nets

Here's the article -> http://fedorasolved.org/Members/realz/squid_IM

Please don't post duplicate posts.

@pstuart:

FYI, I did fix this issue.  Nothing wrong with pfsense.

My managed switch had multicast filtering turned on.  This interfered with UPNP which is multicast based.

Pfsense UPNP and multiple xbox's using DHCP works just fine in 2.0.  NAT shows open in network testing.

I have 3 xbox's that can all play online at the same time.

I've had multiple XBox's working for a couple of years now using UPnP but just recently upgraded my home switch to a managed one and experienced this exact issue which was driving me nuts.  Disable Multicast filtering and I'm back in business, thank you pstuart.

You could try blocking the IP's of the master servers or blocking the ports MW3 uses for game sessions. Problems may arise though if the game's master servers are shared with other games or run in a cloud type environment. Doing a quick search indicates TCP port 3074 is uses to connect to master server so you could try blocking outbound connections to this destination port.

If you got the budget get another line and failover it much better than shaping been using it for weeks right know

Make sure when you add those rules that they are listed at the top. By default it's going to put them below the default rules so they will not work. If they are the last rules in your list click the little checkbox next to them, and hit the up arrow that is on the right side of the screen for the rule you want to place them above.

You can't really NAT single ports to multiple IPs, it's the nature of the beast. The firewall would have no idea for which IP to forward to for a port.
UPnP is useful for this purpose in that it negotiates the port to be opened with the firewall so that a connection can be made. The security implications are that the default settings for UPnP are inherently trusting. This means that a trojan or misconfigured program using UPnP could open ports on your firewall and widen your attack footprint.
A best practice would be to limit UPnP access to certain IPs or interfaces.
You could statically assign your Xboxes to those IPs and have UPnP ignore anyone else. Or, (in my opinion) a better way would be to hang your xboxes off an isolated interface and deny UPnP access to any other interface. You can do this with either a VLAN or a hard port.
Generally, for a home network, UPnP is a useful tool, with some security implications to consider. Provided good security practices are followed, it is safe.