Once I reloaded my config file, suddenly the xbox one is working.  I have no idea why and I did not change any of the settings after restore.  Very odd.  Maybe it was a hardware reboot that fixed it.

I have a network segment on its own interface just for gaming, and have only static NAT configured for it - no UnPNP. Two WII-U consoles can splat with no issues.

The 3DS games that set the packet TTL to 3 hops are the ones that are killing me.

I just updated the XBox guide on how to make this work, and this should resolve your issue as well. Look for my recent post.

https://forum.pfsense.org/index.php?topic=73012.15

@exodus21:

So based on my settings, its probably not my PFSense blocking the connection over the hotspot, but the hotspot itself?

I just want to ensure that my internal settings are correct and arent blocking external sources from connecting.

Thanks

Check the UPnP status and make sure that the PS4 is listed after doing a network test on the PS4 itself. After that, check that your Verizon public IP isn't being blocked by pfSense. If UPnP is set up correctly, and the IP isn't being blocked, I don't see how it could be pfSense.

I checked the block rule, and sure enough it was the default rule, to block private networks.  I should have grabbed a screenshot of the message, but I didn't.  I decided to upgrade to 2.3 this morning, and viola- UPnP is working, I can see the session under the status page, and my PS4 is reporting NAT Type 2.  Thanks

Better later than never I guess :)

Try disabling pf scrubbing, it should work now.

Don't know exactly why, nor any way to disable scrubbing just for those ports. Any suggestion is welcome, since I like my packets well scrubbed and I have to turn it off when I want to play, and back on again after playing. It's very annoying.

@cyanic:

Strict NAT occurs when A. hosts cant initiate connections to you on a specific port and B. your firewall is changing the source port for your outbound connections on that specific port.

Fix B and you will have a Moderate NAT
FIX A & B and you will have an Open NAT

Look here for B

https://doc.pfsense.org/index.php/Static_Port

This is correct, lots of games/consoles require static outbound for their traffic.  The easiest way to do this for multiple consoles is to just set Static outbound to apply as if it were applying to a subnet, i.e set the subnet mask of the static outbound rule to a /25 subnet and just stick all of the game console DHCP leases in addresses above 128.

As a small update the last couple games ive played forward 3074 themselves with UPNP however I'm now trying to see how to get multiple PCs to do it.  What consoles do you have that you had to mess with the NAT settings?  I'd rather change outbound for one port than NAT functionality for all of them

Of course.

1. openjdk
    a. https://www.freebsd.org/java/
    b. pkg install openjdk8

2. Minecraft
    a. I followed this guide, but instead of sudo apt-get, I just used pkg: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-minecraft-server-on-linux
    b. note that if you run the commands from root or from a script, it may create all the minecraft files in an unexpected directory.. Most likely just an operator error on my part but all my files ended up in my /root directory instead of my /minecraft one.

3. pfSense rules
    a. Create a new firewall rule
          i. interface WAN, protocol TCP, source ANY, Destination THIS FIREWALL(SELF), Port Range from (OTHER) 25565 to (OTHER) 25565

thats about it. the NIC I am using is an intel pro 1000 pt gigabit quad port interface card, I believe the 9490 model.. and my machine is a Dell Optiplex 790 with an i5 and 6 GB of mixed ram (2x2 + 2x1). I can access the minecraft server from both LAN and WAN, which is nice. Anything else just ask. Still working on the autorun script issue.. oh well.

So, I got both XB1's on an open NAT, and things work, for the most part, without having to reboot pFsense.

First, I tried adding an additional router (Linksys EA6400 AC1900). Basically it went Modem -> Linksys -> pfSense -> internal network.
The linksys had wifi enabled and a hardline to the XB1's. Only enabled uPnP, no port forwarding. During that, I found that XB1 boot order mattered. /boggle

Anyway, so i wondered, if this works, what i move everything back behind pfSense and get rid of that extra hop. So I did.

Lo and behold, using the "proper" boot order does matter, at least for me.

A little more about that magical boot order:
I have both XB1s set to energy saver in power options, so they completely shutdown.
One XB1 (XBA) was bought within 3 months of XB!'s release.
The other (XBB) was bought about a year after release. Don't ask why this matters, even microsoft is "dunno"

So, If I boot XBA (the older one) first, THEN boot XBB (the newer) both get an open NAT, and everything works great.
If i boot them in the opposite order,XBA gets strict and XBB gets open.
I have no idea why this matters aside from the older XB1 will get the default ports and the other relies solely on uPnP.

Side note from Microsoft, aka hill-billy tech support:
When I first talked with them about what ports should be forwarded, they could only say "follow this guide and make sure ports yada yada were open".
Given that (Like Bradenmcg says) ports 53, 88, etc are garbage ports, everyone allows those outbound. I asked microsoft, "OK, make sure the ports are open… So, which direction and which protocols?"
I asked that 3 times, kept ignoring the question, finally they said, (after dropping packet capture results, basic networking rules, etc on the poor guy) he said "I'm sorry, but what you're talking about is beyond my ability."
It just so happened that during the chat session I found the "proper" boot order for my XB1s. Told chat about it, asking if there was a known problem with what I was calling Gen1 XB1s, because obviously, there is a problem. They said there is only 1 generation of XB1. They said the last resort was to reset it to factory defaults (Sorry, I don't feel like downloading 120GB of data tonight and re-setting everything back up, fix your networking) and see if that fixed the problem.
Finally after getting both working with open NAT on that boot order thing, they asked if there was anything else they could help me with... lets say i really wanted the ability to post a Jackie Chan meme in the chat box.

COD also requires 3074 to be open to have Open NAT, make sure that's set up properly.

Hi johnpoz ,  Thx for your reply. The wireless-G works flawlessly great!  I have a long high gain antenna on the G nic card.  I still have the N and an AC routers as well in case I upgrade to 100Mb+.  I don't have any hiccups/stutters/buffering with my current setup so I will venture back to N and AC when higher speed or more distance is desired or necessary…

I don't know how much this will help (XBox guy here) but I actually had better luck with making a manual NAT rule to encompass the UPnP rules.

for example, UPnP user spec permissions Allow X-Y192.168.1.142/32 X-Y
Then setting up a NAT rule that is the same for X-Y. But place it towards the bottom of the rule set so higher more specific rules that fall within that range will work.

I'm not sure how PS4 handles teredo or if it even uses it. but I noticed in your UPnP status that .109 has 3074 and your PS4 got 3075. Generally a good implementation can use any UPnP port, but you may try forcing the PS4 into getting 3074 instead of 3075 and seeing how that works for you. Since you didn't specify what kind of device .109 is, I can only assume it's more configurable than a PS4 on what ports it uses. This is just my wild stab in the dark at PS4, but I fouight multi XBox Open NAT problems for about a week and a half before getting something that worked.

Not sure if this will help, but in order to get Open NAT and party chat working on my PS4, beside enabling upnp on pfSense I also had to create a manual port forward for the ports used by the game. You may want to check what ports BF uses and try to do the same.

Not sure why it's necessary, since in theory upnp should take care of everything, but I guess the PS4 doesn't like pfSense's upnp that much.