I have been having this same issue on and off since the release of the Xbox One. I tried having another crack at this over the weekend, since I now have the latest dashboards on every Xbox and can select which port to use instead of 3074.
The issue is the same: I have NAT Open on every box using all forms of NAT Reflection mode for port forwards (disabled, Pure NAT and NAT + Proxy), and have had "Automatic create outbound NAT rules" both checked and unchecked. It works for most games, but there are a few that just refuse to connect for multiplayer. They can party and chat and play the majority of games.
Games like Warframe that don't connect with NAT Open just require you to set a manual outbound NAT with sticky port disabled. This will set the second Xbox to NAT Strict and you will be able to play together. Once you switch games you can leave it, with Xbox 1 on sticky and Xbox 2 on random port, but this might affect matchmaking in other games if you don't switch back to sticky on both when not partied together.
Also, as an update to what has been attempted: I've now changed my ACL entries to allow one Xbox 3074, the next 3075 and the final 3076, then two rules allowing all of them to grab 53-3073 and 3077-65535, since it seems from another forum that this was Activision's suggestion. Still no dice.
You can't do that. Xboxes try 3074, then a random port (40k+) for Teredo. You MUST allow Xboxes to grab ANY port they want; the ONLY one you can deny is 3074, nothing else.
You cannot force an Xbox to use certain ports by restricting what UPnP will allow; the Xbox will just give up, since UPnP doesn't tell it "you can only use these". The Xbox asks UPnP "can I use this?", UPnP says nope, the Xbox asks "then can I use this?", UPnP says nope, the Xbox gives up.
The ONLY UPnP rule you should have is:
deny 3074 192.168.1.0/24 3074 <<---- Replace 192.168.1.0/24 with your LAN subnet
This forces the Xboxes to pick a different port for "Teredo"; it also allows all games on all Xboxes to UPnP themselves another port if they need it.
As far as UPnP goes, every Xbox MUST be allowed to use every port except 3074.
In my setup I have no Xbox-dedicated inbound or outbound NAT rules; the only thing Xbox-related is a deny ACL for 3074.
For outbound NAT my whole LAN has Static Port; making a separate rule is not very helpful, and forcing random ports for LAN devices hurts worse than it helps anyway. Not that it hurts much; the point is it offers practically zero benefit.
I have UPnP only blocking the use of 3074: "deny 3074 10.0.1.0/24 3074".
Then for "NAT Loopback" or "NAT Reflection" I have
Go to System -> Advanced -> Firewall & NAT
NAT Reflection mode for port forwards: Pure NAT
Enable automatic outbound NAT for Reflection: Check/Enabled
That is it: Xboxes have full open NAT, any game can UPnP more ports if it needs to, and they can talk to each other via the WAN IP.
As others have mentioned, if the game is not coded properly to use UPnP you are not going to have much luck (i.e. if it only requests one port, and that port is the same on all your different consoles, you cannot do so). The only fix for that type of issue is to have a public IP address for every game console you own. Most ISPs charge extra for additional IP addresses.
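The two behaviours described in the posts above (the single deny ACL pushing every console off 3074, and two consoles behind one WAN address being unable to share one external port, which is also the limit the later CoD/Demonware post runs into) can be seen in a small model of how a UPnP gateway such as miniupnpd decides an AddPortMapping request. This is an added example, not code from the thread, miniupnpd or pfSense. It assumes permission rules are evaluated first-match and a request matching no rule is accepted (miniupnpd.conf semantics); that an external port already held by another LAN host is refused with UPnP error 718 ConflictInMappingEntry; and the console addresses and fallback ports are constructed values.

```python
"""Model of miniupnpd-style permission rules plus a mapping table. Added example;
assumptions: first-match rules with accept-by-default, and 718 on a port already
mapped to a different internal host. Hosts and fallback ports are made up."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    ext: Tuple[int, int]           # inclusive external port range
    net: ipaddress.IPv4Network     # internal client address/mask
    internal: Tuple[int, int]      # inclusive internal port range


def _port_range(text: str) -> Tuple[int, int]:
    lo, _, hi = text.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo_i, hi_i


def parse_rule(line: str) -> Rule:
    """Parse one 'allow|deny ext_range addr/mask int_range' line (miniupnpd.conf form)."""
    parts = line.split()
    if len(parts) < 4 or parts[0] not in ("allow", "deny"):
        raise ValueError(f"bad permission rule {line!r}")
    return Rule(parts[0], _port_range(parts[1]),
                ipaddress.IPv4Network(parts[2], strict=False), _port_range(parts[3]))


def acl_permits(rules: List[Rule], ext_port: int, host: str, int_port: int) -> bool:
    """First matching rule wins; no match means accept (assumption noted above)."""
    addr = ipaddress.IPv4Address(host)
    for r in rules:
        if (r.ext[0] <= ext_port <= r.ext[1] and addr in r.net
                and r.internal[0] <= int_port <= r.internal[1]):
            return r.action == "allow"
    return True


@dataclass
class Igd:
    rules: List[Rule]
    # (protocol, external port) -> (internal host, internal port)
    table: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def add_port_mapping(self, proto: str, ext_port: int, host: str, int_port: int) -> str:
        """Return 'OK', 'DeniedByAcl', or '718 ConflictInMappingEntry'."""
        if not acl_permits(self.rules, ext_port, host, int_port):
            return "DeniedByAcl"
        key = (proto.upper(), ext_port)
        holder = self.table.get(key)
        if holder is not None and holder != (host, int_port):
            return "718 ConflictInMappingEntry"   # another LAN host already owns that external port
        self.table[key] = (host, int_port)        # new mapping, or refresh of the same one
        return "OK"


def run_scenario(rule_lines: List[str],
                 consoles: List[Tuple[str, int, int]]) -> List[Tuple[str, str, Optional[int]]]:
    """Each console asks for UDP <wanted>-><wanted>; if refused it retries once with its
    <fallback> port (the thread describes Xboxes moving to a random 40k+ port for Teredo).
    Returns (host, status trail, external port finally held or None)."""
    igd = Igd([parse_rule(line) for line in rule_lines])
    results: List[Tuple[str, str, Optional[int]]] = []
    for host, wanted, fallback in consoles:
        status = igd.add_port_mapping("UDP", wanted, host, wanted)
        held: Optional[int] = wanted
        if status != "OK":
            retry = igd.add_port_mapping("UDP", fallback, host, fallback)
            status = f"{status}; retry {fallback}: {retry}"
            held = fallback if retry == "OK" else None
        results.append((host, status, held))
    return results


if __name__ == "__main__":
    consoles = [("192.168.1.10", 3074, 40001), ("192.168.1.11", 3074, 40002)]
    print("no ACL:   ", run_scenario([], consoles))
    print("deny 3074:", run_scenario(["deny 3074 192.168.1.0/24 3074"], consoles))
```

Without any rule the first console takes 3074 and the second is refused with 718 and has to fall back; with the single deny rule neither console is allowed 3074, so both end up on their own port and neither blocks the other.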
Also, as the other thread is locked and I could not find the UPnP restart script mentioned in that thread, I figured out a way to restart UPnP for me every morning.
Obviously I placed the above script code into /root/restart_upnp.php.
As far as 'all home routers do this fine', I would highly disagree with that. If you have good luck with default settings on home routers, then your UPnP should be fine in pfSense.
My only issue was that after a day or two (using two PS4s and playing Bloodborne, Dark Souls, etc. co-op) it will eventually run out of mappings, as they do not age out. Hence the script to restart UPnP every morning.
Another thing to mention is that the PS4s/Xboxes don't remember their UPnP settings between boots. If your games don't work, I would suggest closing the games on all consoles, restarting UPnP on the pfSense, and then launching all the apps again. This has fixed our issues 99.9% of the time.
Hey all, super sorry to necro an old thread but it has pertinent information and screenshots.
I was able to get For Honor working with the static outbound rules; however, I am running into an issue where I have two roommates who also play, and while the NAT rule works for the first PC in the rule list, the other two never get the traffic. I tried adding an alias with the hosts specified, but this doesn't seem to work.
I come from Cisco, where we could forward NAT traffic to a range of hosts, or even a subnet. How would I accomplish the same thing with pfSense?
It looks like I got it… The post I mentioned earlier helped, but it was missing one crucial step that immediately fixed my issue. I stumbled upon another page that suggested moving the rule to the top of the list. Once I did that, my issue was fixed. I even removed the ACL entry and tested with positive results.
Pretty sure I figured this out with Cisco switches and the NAT issue on Xbox. I did some research on Cisco's forums and discovered that most of the Xbox's traffic is multicast for some reason (it also has a TTL of 1, /boggle). I also found an article that talks about needing to have multicast turned on on the switches with all the new home theatre gear, so I figured this makes sense. I added the following option to my Cisco switch and now I always have an open NAT, on both my Xbox and PS4.
ip igmp snooping
If you're using L3 interfaces you need to turn on PIM multicast mode on each interface so it passes multicast traffic too.
If you are referring to Steam streaming from one box to another or from your gaming PC to a Steam Link, then pfSense has absolutely nothing to do with it since Steam streaming only works for devices on the same subnet. No streaming traffic crosses pfSense.
What app? Are you talking about logging into your bank account or something?
So you're saying that these apps don't work at Starbucks or on hotel wifi, or any other hotspot wifi, which are not going to have UPnP enabled, that is for damn sure. I would have to assume the financial app maker would get flooded with support calls, since the vast majority of wifi out there does not have UPnP enabled.
UPnP allows unsolicited inbound connections to be forwarded at the NAT device to your device's IP. How would that be required for some app to work? My guess is that whatever you were doing for testing, something else changed when you think you enabled UPnP, and so you think that is what fixed it. Look in your UPnP status when using your app and it's working. What does it show it opened? That status will show you what was requested, what was opened, etc.
"with like an authentication keyfile or something on their computer "
If you have outside people that you want to limit access to your game to, it's simple enough to limit your port forward to their source IPs, if they know them and they do not change all the time. Another option would be to just let them VPN in, and then access the game through the VPN. This way you know for a FACT that it's them, since they will be the only ones that can auth to your VPN via the cert you give them.
Alright homeslice. First things first, we need a mod to move this to gaming.
Secondly, I cannot let this go unhelped because you're clearly playing games originally released on the best system ever, and what kind of gamer would I be if I let this continue?!
OK, now that THAT'S out of the way, do you have UPnP enabled? You mentioned Wireshark; do you have packet caps for the host attempting the traversal mode? What is your current NAT/firewall rule setup regarding this?
As far as I know, the UPnP service on pfSense does not set up static port outbound NAT for the connections, which is a key piece for having open NAT in games. The UPnP service only does the port forwarding part for you.
I reverted back to 2.2.6 and have 3 Xbox Ones on UPnP with static NAT; all three of us can play the same game in the same lobby with no problem. The problem seemed to happen when they went to 2.3; it broke something. Just downgrade to 2.2.6, set up like normal, and you're good to go.
Firewall rules were set up according to specified.
By this, do you mean that the firewall rules for the LAN interface the PC is connected to were set up per Ubisoft, AND the Firewall / NAT / Port Forwards were also set up to forward the unsolicited inbound traffic to the PC, with the corresponding firewall rules added?
Do you see any blocked packets in your firewall logs on your WAN interface when you start up the game?
It would probably be good to post some screenshots of your config.
Step 1. DHCP Static Mapping
Step 2. Outbound NAT rule & mapping order (put it at the top)
Step 3. NAT Port forwards
Step 4. UPnP Config
Step 5. Firewall rules
At a minimum, your firewall rules should allow traffic to port 1900 for the UPnP SSDP discovery broadcast, and to port 2189 to talk to the miniupnpd server.
Also, to diagnose this, you can either do a Diagnostics - Packet Capture on your PC and comb through the capture to map out your traffic, OR set up a Floating Match rule to log all traffic in and out of your PC into the firewall log. Then correlate those to WAN block/pass events.
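The exchange behind the two ports named in the post above, as an added example (not code from the thread, pfSense or miniupnpd): a console or game first sends an SSDP M-SEARCH to 239.255.255.250:1900, the gateway's unicast reply carries a LOCATION header pointing at its HTTP control port (2189 for miniupnpd on pfSense, per the post), and the client then POSTs SOAP actions to the WANIPConnection control URL. Reading the table with GetGenericPortMappingEntry until the gateway answers UPnP error 713 is what populates a Status > UPnP style listing. The gateway replies below are constructed samples, not captures, and the control URL /ctl/IPConn is an assumption.

```python
"""UPnP IGD exchange built and parsed offline. Added example; gateway replies,
control URL and the two table entries are constructed, not captured."""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List, Tuple

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_DEVICE = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
CONTROL_NS = "urn:schemas-upnp-org:control-1-0"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def build_msearch(st: str = IGD_DEVICE, mx: int = 2) -> bytes:
    """Discovery datagram; in real use: sock.sendto(build_msearch(), SSDP_ADDR)."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode("ascii")


def parse_ssdp_reply(data: bytes) -> Dict[str, str]:
    """Headers of the unicast '200 OK' reply, keys lower-cased; LOCATION is the one needed."""
    text = data.decode("utf-8", errors="replace")
    status, _, rest = text.partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status line {status!r}")
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def build_soap(action: str, args: Dict[str, object], service: str = WANIP) -> Tuple[Dict[str, str], str]:
    """HTTP headers and body for one SOAP action against the WANIPConnection control URL."""
    arg_xml = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:{action} xmlns:u="{service}">{arg_xml}</u:{action}></s:Body></s:Envelope>')
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{service}#{action}"'}
    return headers, body


class SoapFault(Exception):
    def __init__(self, code: int, desc: str):
        super().__init__(f"UPnP error {code}: {desc}")
        self.code = code


def parse_mapping_entry(xml_text: str) -> Dict[str, str]:
    """Fields of a GetGenericPortMappingEntryResponse; raises SoapFault on a UPnPError."""
    root = ET.fromstring(xml_text)
    err = root.find(f".//{{{CONTROL_NS}}}errorCode")
    if err is not None:
        desc = root.find(f".//{{{CONTROL_NS}}}errorDescription")
        raise SoapFault(int(err.text), desc.text if desc is not None else "")
    resp = root.find(f".//{{{WANIP}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntry response")
    return {child.tag: (child.text or "") for child in resp}


def enumerate_mappings(control_url: str,
                       post: Callable[[str, Dict[str, str], str], str]) -> List[Dict[str, str]]:
    """Walk the table by index until 713 SpecifiedArrayIndexInvalid marks the end.
    `post(url, headers, body)` performs the HTTP POST (urllib.request in real use)."""
    entries: List[Dict[str, str]] = []
    for index in range(4096):
        headers, body = build_soap("GetGenericPortMappingEntry", {"NewPortMappingIndex": index})
        try:
            entries.append(parse_mapping_entry(post(control_url, headers, body)))
        except SoapFault as fault:
            if fault.code == 713:
                break
            raise
    return entries


# ---- constructed gateway replies (samples, not captures) ---------------------------------
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                     b"ST: " + IGD_DEVICE.encode() + b"\r\n"
                     b"USN: uuid:00000000-0000-0000-0000-000000000001::" + IGD_DEVICE.encode() + b"\r\n"
                     b"EXT:\r\nLOCATION: http://192.168.1.1:2189/rootDesc.xml\r\n\r\n")

SAMPLE_TABLE = [  # a Teredo-style high port on one console, a game port on the other
    {"NewRemoteHost": "", "NewExternalPort": "49152", "NewProtocol": "UDP", "NewInternalPort": "49152",
     "NewInternalClient": "192.168.1.10", "NewEnabled": "1",
     "NewPortMappingDescription": "console-1 (constructed)", "NewLeaseDuration": "0"},
    {"NewRemoteHost": "", "NewExternalPort": "3075", "NewProtocol": "UDP", "NewInternalPort": "3075",
     "NewInternalClient": "192.168.1.11", "NewEnabled": "1",
     "NewPortMappingDescription": "console-2 (constructed)", "NewLeaseDuration": "0"},
]


def demo_gateway(url: str, headers: Dict[str, str], body: str) -> str:
    """Stand-in for the HTTP POST: answers from SAMPLE_TABLE, then a 713 fault."""
    index = int(ET.fromstring(body).find(".//NewPortMappingIndex").text)
    if index < len(SAMPLE_TABLE):
        inner = "".join(f"<{k}>{v}</{k}>" for k, v in SAMPLE_TABLE[index].items())
        return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:GetGenericPortMappingEntryResponse '
                f'xmlns:u="{WANIP}">{inner}</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><detail>'
            f'<UPnPError xmlns="{CONTROL_NS}"><errorCode>713</errorCode>'
            '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError>'
            '</detail></s:Fault></s:Body></s:Envelope>')


if __name__ == "__main__":
    print("gateway at", parse_ssdp_reply(SAMPLE_SSDP_REPLY)["location"])
    for e in enumerate_mappings("http://192.168.1.1:2189/ctl/IPConn", demo_gateway):
        print(e["NewProtocol"], e["NewExternalPort"], "->", e["NewInternalClient"], e["NewInternalPort"])
```

Against a real gateway, swap demo_gateway for a function that POSTs to the control URL taken from the rootDesc.xml at LOCATION; everything else stays the same, which is why a LAN rule that blocks udp/1900 or tcp/2189 to the firewall stops the whole process at the first or second step.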
The XB1 running CoD sets up a Demonware port in UPnP and makes a connection to the Demonware (Activision CoD) server using the server port 3074 as the destination.
However, Demonware then makes a separate connection from a different server on server port 3075 to port 3076 on your public IP address. It only does this once. pfSense CE's normal behaviour is to block this unsolicited traffic.
As soon as I created a NAT forward source: Any:3075 destination: WAN address:3076 to the XB1 & the associated firewall rule, I got open NAT in CoD. (Now of course I changed Any to the Demonware IPs for better security, but this was just for the test)
So it seems:
If you are not forwarding (nor permitting in the firewall rules) port 3076 to your XB1, you will get NAT type moderate in CoD.
If you are forwarding (and permitting in the firewall rules) port 3076 to your XB1, you should get NAT type open in CoD.
Of course, this Demonware/Activision server configuration/behavior means that only one XB1 can get an open NAT type in CoD, due to the NAT forwarding of port 3076 to only one XB1. We have multiple Xboxes & PCs, so only one XB1 can get an open NAT type in CoD.
In your case, you might want to verify that you have a NAT forward & permit rule for inbound WAN destination port 3076 to your PC. In fact, I would suggest logging this traffic so that you can see the inbound successful connection, because if you don't see the inbound packet at all, it means it's being blocked further up your WAN (like at your ISP).
Also, feel free to post a screen shot of your Status / UPnP&NAT-PMP page while the game is running (which should show your Teredo port & your Demonware port).
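The check the post above recommends, as an added example that is not part of the thread or of pfSense: scan pfSense filter log lines for the one inbound UDP connection from server port 3075 to WAN port 3076 and report whether the firewall passed it, blocked it, or never logged it at all (the last case is the one the post attributes to something upstream of pfSense). The log lines are constructed in the pfSense 2.2+ filterlog CSV layout (rule, sub-rule, anchor, tracker, interface, reason, action, direction, IP version, then the IPv4 fields and the UDP source port, destination port and data length); the interface name igb0, the addresses, tracker IDs and timestamps are made up. The sample "pass" line shows the LAN host as destination on the expectation that pf applies the port forward (rdr) before the filter rule logs the packet.

```python
"""Correlate the CoD/Demonware inbound connection (server port 3075 -> WAN port 3076)
with pfSense filter log lines. Added example; sample log lines are constructed."""
from typing import Dict, Iterable, List, Optional

HEAD_FIELDS = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4_FIELDS = ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto"]
UDP_FIELDS = ["length", "src", "dst", "sport", "dport", "data_len"]


def parse_filterlog(line: str) -> Optional[Dict[str, str]]:
    """One syslog line from filterlog -> dict; None for anything that is not IPv4 UDP."""
    _, tag, tail = line.partition("filterlog")
    if not tag or ":" not in tail:
        return None
    fields = tail.split(":", 1)[1].strip().split(",")
    if len(fields) < len(HEAD_FIELDS) + len(IPV4_FIELDS) + len(UDP_FIELDS):
        return None
    rec = dict(zip(HEAD_FIELDS, fields))
    if rec["ipver"] != "4":
        return None
    rest = fields[len(HEAD_FIELDS):]
    rec.update(zip(IPV4_FIELDS, rest))
    if rec["proto"] != "udp":
        return None
    rec.update(zip(UDP_FIELDS, rest[len(IPV4_FIELDS):]))
    return rec


def demonware_check(lines: Iterable[str], wan_if: str,
                    wan_port: int = 3076, server_port: int = 3075) -> Dict[str, object]:
    """Find inbound UDP <server_port> -> <wan_port> on the WAN interface and give a verdict:
    'pass' (forward and rule work), 'block' (pfSense saw it, no rule permits it) or
    'not_seen' (never reached the WAN interface, so look upstream)."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_filterlog(line)
        if (rec and rec["iface"] == wan_if and rec["direction"] == "in"
                and rec["sport"] == str(server_port) and rec["dport"] == str(wan_port)):
            hits.append(rec)
    passed = [h for h in hits if h["action"] == "pass"]
    if not hits:
        verdict, detail = "not_seen", f"no inbound udp/{wan_port} from port {server_port} logged on {wan_if}"
    elif passed:
        verdict, detail = "pass", f"udp/{wan_port} passed and forwarded to {passed[-1]['dst']}"
    else:
        verdict, detail = "block", (f"udp/{wan_port} from {hits[0]['src']} reached {wan_if} but was blocked; "
                                    "the port forward and its firewall rule are missing")
    return {"verdict": verdict, "detail": detail, "hits": hits}


# ---- constructed log lines (pfSense filterlog layout, made-up hosts) -------------------
SAMPLE_LOG = [
    # console opens the outbound session to the Demonware server port 3074 (static port keeps 3074)
    "Mar  3 20:01:09 gw filterlog: 80,,,1000005411,igb0,match,pass,out,4,0x0,,64,0,0,DF,17,udp,1232,"
    "198.51.100.7,203.0.113.44,3074,3074,1212",
    # the one unsolicited inbound connection: server port 3075 -> WAN port 3076, hit by the default block
    "Mar  3 20:01:10 gw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,54,0,0,none,17,udp,60,"
    "203.0.113.45,198.51.100.7,3075,3076,40",
    # unrelated noise: a TCP probe the parser skips
    "Mar  3 20:01:10 gw filterlog: 5,,,1000000103,igb0,match,block,in,4,0x0,,48,0,0,DF,6,tcp,60,"
    "192.0.2.9,198.51.100.7,51514,23,0,S,1,,65535,,mss",
]
SAMPLE_LOG_FIXED = SAMPLE_LOG[:1] + [
    # same connection after adding the forward: rdr ran first, so the LAN host is the logged destination
    "Mar  3 20:05:42 gw filterlog: 91,,,1570128367,igb0,match,pass,in,4,0x0,,54,0,0,none,17,udp,60,"
    "203.0.113.45,192.168.1.10,3075,3076,40",
]

if __name__ == "__main__":
    for name, log in (("before forward", SAMPLE_LOG), ("after forward", SAMPLE_LOG_FIXED)):
        result = demonware_check(log, "igb0")
        print(f"{name}: {result['verdict']}: {result['detail']}")
```

Feed it the raw lines from Status > System Logs > Firewall (or /var/log/filter.log) with your actual WAN interface name; a "not_seen" verdict while the game reports moderate NAT is the signal that the packet is being dropped before it reaches pfSense.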
I have a moderate NAT on my PS4 and every other system; it depends on the game though, some games report an open NAT despite the PS4 saying NAT Type 2 in the network section.
I did what most of the other users did: enabled UPnP and static port, and set up the necessary NAT outbound rules. It works fine for me; I have no issues with VoIP, chat or connecting to games.
I have all that in place now as well, but I received an Open NAT (with some problems with my NAT type in Call of Duty games). I read that having a Moderate NAT type can be expected with how pfSense works, and in other cases people will say they have a harder time getting connected to games.
Just an observation: static ports are for outbound source ports, which is not what you want; you want to port forward inbound destination ports. (Technically those would be outbound source ports on the replies; the destination port would be what they sent in on, and if you start rewriting that you are going to break the traffic at the firewall on their end.)
Novice question: If I'm setting up a MineCraft server (on a separate FreeNAS box) located on my local LAN and I want others (i.e. my kid's friends) to be able to access the server from WAN, then this is the setup to use, correct?
It only works for me with manual outbound NAT, with per-device static port entries in the outbound NAT rules allowing any UDP to that device. I could make it more secure, but I have a "gaming" subnet with more lax rules.
I don't know if you still need help, but first I wanted to say that I was going to bridge the connections on my system. I found several posts saying basically "Shame on you, bridges are bad", and after researching, yes, bridges are bad. They are forcing software to act like a switch, which will never work as well as a switch. What most people DON'T tell you (I think they expect you to work it out) is that the only thing stopping your other networks (subnets) from communicating is the firewall rules (or lack thereof) for that interface. I duplicated the default "LAN to any" rule on my second network, because I wanted that network to be able to communicate, and it worked fine. It does mean doing every firewall rule twice, but it works! So consider doing this.
If you want to be a bridge troll (kidding), then I do have one question. pfSense filters traffic on the interfaces that are bridge members by default, NOT on the bridge itself; you can change this behavior if you edit some lines in System Tunables. Here is the quote from the pfSense docs:
By default, traffic is filtered on the member interfaces and not on the bridge interface itself. This behavior may be changed by toggling the values of net.link.bridge.pfil_member and net.link.bridge.pfil_bridge under System > Advanced on the System Tunables tab
They use P2P, and yes, it can "destroy" your CPU if you're using a proxy and antivirus.
I only have 150 Mb down and it was only saturating 90 Mb, and it would shoot my CPU to 100%. Once I turned off the AV (which I assumed was only scanning ports 80 and 443) the CPU went back down to nearly nothing. However, I have very bad NICs, which are being replaced today.
Bad NICs can destroy your CPU when you're doing high traffic over a ton of simultaneous connections.
You should only experience this when downloading the game, not during gameplay.
Intel(R) Core(TM)2 CPU 4300 @ 1.80GHz