??? All Internet services rely on IP only per se (with exceptions). DNS is a convenience for us humans. Anyway if NAT reflection works for you then good.

Resolved the issue by enabling the tick box "Enable automatic outbound NAT for Reflection" in System > Advanced > Firewall & NAT. It even says in the description that this needs to be enabled for NAT Refection to work properly, just wish it had prompted me to enable it when i set Pure NAT mode in the rules i setup.

I think you are trying to do too many things at once. I'd break it down and try to figure out a thing at a time and get it working.

If you remove the VPN from the picture, are you able to get the XBox to open? NordVPN does not forward ports so you'll never get an open NAT using them. There are a few providers from my searching that do support port forwarding. I personally use TorGuard as they support port forwarding and seemed a fair price point.

To get a single IP to go through the VPN, I made an alias for my traffic group and set a rule so it goes through my VPN gateway.

0_1534595846071_8c4ea14a-5ca8-4970-a491-fbefd01f71c7-image.png

Here is an example of what my rules look like.

Vlan ;)

Your going to have a hard time behind a double nat maintaining static ports..

Napt by its nature changes the source port when you make an outbound connection. This can be overcome with with setting static port in your oubound nat on pfsense. But your router in front of pfsense would also have to maintain this static port..

Many services in these console games (for some unknown reason like to see static ports) ie connection coming from specific port.. So lets for example say you create an connection to publicIP:80 from privateIP:2000

Normally with nat (napt) you have this

privateIP:2000 ---> publicIP:80 (pfsense) YourPublicIP:RandomPort ----> publicIP:80

To get some of these applications/games to work you have to setup outbound nat to be static so you get this.

privateIP:2000 ---> publicIP:80 (pfsense) YourPublicIP:2000---> publicIP:80

If you put a nat device in front you normally get this.

privateIP:2000 ---> publicIP:80 (pfsense) otherprivateIP:RandomPort ----> publicIP:80 (nat router) YourpublicIP:SomeOtherRandomPort ----> publicIP:80

What you mignt need to happen is this.

privateIP:2000 ---> publicIP:80 (pfsense) otherprivateIP:2000 ----> publicIP:80 (nat router) YourpublicIP:2000 ----> publicIP:80

This is just an example of problem you can have with double nat and such services that for whatever reason want to see some specific sourceport.

So is pfsense the only thing doing nat? What is your outbound mapping look like?

Each Xbox have a different hostname.

What I did was to create an alias for each game/game service, with all their port numbers, for the firewall, then created a rule using each, to keep things tidy and easy to change per service if they change ports.  I tested with that only, no snort or squid or anything else.  Once all was working correctly, I then added squid and squidguard.  Once that was tuned, I added snort and tuned that up.  If I had put all three in there at once I would never have been able to figure out just what was doing what if something wasn't working.  So I would disable Suricata or set the default allow-all out the firewall lan interface, and test.  If it works, at least you have narrowed it down to what you had disabled, firewall rules or Suricata.

Hello,

Try to separate your alias xboxgroup (do a alias for each one).
Disable your rule prioritizing.
Create ACL for UPnP

It's works for me with 2 Xbox One, except for Warframe game.
Test with this configuration (copy/paste from an other post)

I have manies issues with Warframe on 2 Xbox on the same ISP (only 1 public IP address).
In Warframe, I can't invite a friend to join me.
At the best, only 1 Xbox can see the other player, launch a invit but an error message tell "The player is offline).

All the network test on Xbox is OK : (Internet, Multiplayer and NAT Open)
I try with other game (Rocket League and Warhammer Vermintide) without problem.

I use PFsense 2.4.3-RELEASE (amd64)

Firewall / NAT / Outbound

Mode : Manual Outbound NAT

Interface : WAN
Source : Xbox1 (alias for 192.168.0.16)
Port Source : any
Destination : any
Port Destination : anay
NAT Address : WAN
NAT Port : any
Static Port : YES

Interface : WAN
Source : Xbox2 (alias for 192.168.0.17)
Port Source : any
Destination : any
Port Destination : anay
NAT Address : WAN
NAT Port : any
Static Port : YES

Services / UPnP & NAT-PMP

Enable UPnP & NAT-PMP

Allow UPnP Port Mapping

Allow NAT-PMP Port Mapping

External Interface : WAN

Interface : LAN + loopback

ACL Entries : allow 1-65535 192.168.0.16 1-65535

ACL Entries : allow 1-65535 192.168.0.17 1-65535

System / Advanced / Firewall & NAT NAT Reflection mode for port forwards : Pure NAT Enable NAT Reflection for 1:1 NAT Enable automatic outbound NAT for Reflection Firewall / NAT / Port Forward

Nothing, because I activate UPnP

Actually, I must use the bad ISP-box only for Warframe ;-)

Regards,

Aym

The part that is missing is the outbound NAT.  The Factorio server is a client to the factorio pingpong servers that are used for NAT punching(1).  The source ports when talking to these pingpong servers must not be mangled, so an outbound NAT rules is needed to prevent this (PFSense mangles ports by default).  Just got all this working today.

Firewall/NAT/Outbound:

Outbound NAT Mode: Hybrid Outbound

Add this mapping:

Interface: WAN
Source: <internal address="" of="" your="" server="">Source Port: udp/34197
Destination: *
Destination Port: udp/*
NAT Port: *
Static Port: YES

(1) https://www.factorio.com/blog/post/fff-143</internal>

I split this off into its own thread, since it not at all specific to the Switch which was the topic of the original post.

Firewall -> Traffic Shaper -> Wizards

Explore that menu.

@AndroBourne:

I havn't had a chance to test it with many other games. But I've been playing Ark a lot lately and noticed that I keep getting time outs. I'll run a continous ping check and time it. Every 2 hours on the dot I get a row of 4 packet loses in a row and my Ark client times out.

I have troubleshooted local hardware, including switch and NIC etc… I left the continous ping running all day long and came back to a 0% packet loss. It seems to only happen when I'm playing Ark.

I have it feeling it might have to do with how packets are handled. I'm trying to set my NAT from auto to manual and see if that makes a difference. But while I'm testing that... anyone else have any recommendations?

And yes. I have the game ports forwarded.

By any chance does your DHCP lease reset every two hours?  It shouldn't be disconnecting you but something to consider.

@Thierry69:

Have made it working, I publish my rules if somebody is interested on it …
Cheer,

Works for the servers you are playing on, I see many using ports not in your rules.

20167, 19777, 47200, just to name a few. Again BF4 Server port can be anything.

Perhaps not the exact answer any of you are looking for but this works and works well and is relatively easy to get going:
https://github.com/RyanEwen/lan-cache-docker

I've tested it with:
    Steam
    Origin
    Uplay
    Blizzard (Including Destiny 2)
    League of Legends
    ArenaNet (Guild Wars 2)
    Frontier (Elite Dangerous)
    Microsoft (Windows Updates)

Simply setup an Ubuntu Server 16.xx Server without the LAMP option (you'll need to disable Apache if you do, it will intercept port 80), I suggest choosing the OpenSSH server, is easier to paste commands from another PC with PuTTY etc.
Once the server is installed simply follow the setup instructions here https://github.com/RyanEwen/lan-cache-docker/wiki/Setup-instructions.
Set the IP of this new lan-cache server as your DNS server instead of using pfSense for DNS.

Trying to shoehorn nginx, sniproxy and the way dnsmasq is used for hijacking the various Game CDN names into pfSense is well beyond my abilities.

I have gone straight to the manual on the disc I have the correct ports.

This is what I use, In general works for all steam games.

27000:27015  Game Client Traffic
27016:27030  Matchmaking
27031:27036  Streaming
3478:3479      Voice
4380              Voice

Ignoring that you are running a fairly old version of pfsense.

The rule you have setup for your game has several problems:

1. It is limited to udp and tcp traffic, but the game updater might use ping requests to check if a host exists, pinging use the icmp protocol (but that would also take place on another port, so it would still not pass by this rule).
2. The rule only passes for a single port? Are you sure the game updater only uses that one port? If not the traffic is split between your WANs, that is usually a problem since the host server expects traffic to come from the same source IP, not from different.

Basically, I have not reason to think that your current setup should work at all.

ah, I've fixed mine!  see this thread: https://forum.pfsense.org/index.php?topic=126746.msg772656#msg772656