All you should every have to do to get the Xbox to play nice with pfSense is enable UPnP, set a static DHCP lease for your Xbox, and adjust your outbound NAT to utilize static NAT entries for the IP of your Xbox.

If that doesn't work and you are using a managed switch, check if you have any security options enabled on it.  I mention this because my ProCurve 1810's Auto DoS feature (what a name!) often caused havok with Xbox Live until I disabled it.

Port 88 is utilized by Kerberos, which can use either UDP or TCP.  IIRC, it tries TCP first, although this is how Windows domain controllers utilize it, Xbox Live might be completely different.

Good info, fixed my MW3 Thanks! ;D

I would suggest you look at the traffic shaper which should help. I would also recommend you move to the newest version of PFsense, 2.0 which has many more features.

have you check the static box under lan and or local ?

go to Firewall: NAT: Outbound select

Select Manual Outbound NAT rule generation then save
          (AON - Advanced Outbound NAT)

Static - make sure it says static YES for all then try your game

YES
Auto created rule for ISAKMP - LAN to WAN

WAN  10.10.10.0/24 * * * * *
YES
Auto created rule for LAN to WAN

WAN  127.0.0.0/8 * * * * *
YES
Auto created rule for localhost to WAN

we send UDP traffic out the T1 and everything else out the Wimax.

I bet that's your problem. I am unsure but my guess bf3 gameplay traffic is udp and punkbuster traffic is tcp. (I have no clue what port #s) So when a player joins a bf3 server it connects with T1's IP address but punkbuster sending client info from a different IP (wimax connection). Therefore a punkbuster kick. The best solution sounds like finding every bf3/punkbuster port and creating exception rule to force it to a single wan (yuck!).

Thanks, and personally I would use OpenVPN rather than ipsec (racoon).

Same as djroketboy stated but make sure the xboxes or ps3s are set to dhcp let pfsense assign the ips through static dhcp reservations. This will work like a charm, running 2 boxes at the same time from a single cable connection. ;D

@bman212121:

Double NAT is always bad…. That's likely where the issues are coming into play. Turn of DHCP on your netgear router, and plug the OPT1 port from the pfsense into a lan port on your netgear instead. This will let the pfsense's DHCP server give your xbox and laptop an IP. You shouldn't need to do anything fancy for your xbox to get online. Just make sure that you have automatic outbound nat generation. It's under Firewall > NAT > Outbound. The xbox will be able to make the outbound connections which will let traffic flow back through the firewall on the ports it opens.

Thanks for the reply, I know about the double NAT. The problem is you can't use this wireless router to connect to OPT1 through one of it's lan ports. I have tried this multiple times and the router drops connection, bypasses its wireless security and falls back to from N to G routing. It's a terrible router as in features, but it all I have at the moment. NAT is turned off in the router and so is the SPI, so even though I am using the WAN port to connect to PfSense it's is at least working as a makeshift access point. I have been keeping my eyes open for an Open source firmware, but right now the firmware is only for Version 2 of the hardware and I have version 3. My other wireless systems in the house are all Cisco and running Tomato firmware. I needed an additional wireless for ym son and thought I would give Netgear a try, well you live and learn.

Thanks for your help.

well there ya go. Either do the upnp limited to only the xbox as I did, or combine that with your own vlan for your xbox, or if you are crazy about securing this further, get another network interface and hook up the xbox (or any number of xboxes with a switch) to an entirely different subnet and set rules in pfsense to allow internet only, not the rest of your network. essentially, you are doing that with the vlan already :)

hmm.  I watch the firewall, it shows the blocked connection, but it is the same as what I have for forwarding.

what do i do if my counter works slow?

There are many bandwidth testing tools, though really to get a really representative test you need 300 test clients that behave the same as your real clients. This wikipedia page contains a useful starting list.

That said, have you read the hardware sizing guide? The bandwidth you have available, the services you're running and the typical usage by these 300 clients matters more than the raw number of clients. For instance, 300 people using IRC and P2P programs and heavy web browsing will have a very different impact than 300 people who check their email a few times a day.

The Realtek and 3com should be supported under ALTQ.

@TS:  Can you verify that the default allow any LAN NAT rule is in place?