You can't really NAT single ports to multiple IPs, it's the nature of the beast. The firewall would have no idea for which IP to forward to for a port. UPnP is useful for this purpose in that it negotiates the port to be opened with the firewall so that a connection can be made. The security implications are that the default settings for UPnP are inherently trusting. This means that a trojan or misconfigured program using UPnP could open ports on your firewall and widen your attack footprint. A best practice would be to limit UPnP access to certain IPs or interfaces. You could statically assign your Xboxes to those IPs and have UPnP ignore anyone else. Or, (in my opinion) a better way would be to hang your xboxes off an isolated interface and deny UPnP access to any other interface. You can do this with either a VLAN or a hard port. Generally, for a home network, UPnP is a useful tool, with some security implications to consider. Provided good security practices are followed, it is safe.

http://www.youtube.com/watch?v=BB6fdyVNlVg

This would be similar to the Xbox 360? http://forum.pfsense.org/index.php/topic,43624.0.html

Someone has posted a Youtube video on getting the Xbox LIVE to work www.youtube.com/watch?v=YjO2evPb_Sk - Look at this one First! http://www.youtube.com/watch?v=BB6fdyVNlVg - CSS for PC for you get the idea? or http://forum.pfsense.org/index.php/topic,43624.0.html

Simple and effective. Worked for me!

I had LANParty few months ago, and we played BF3. Only thing I needed to do was setup static port on outgoing nat. I have uPNP disabled (Not multi-wan friendly).

All you should every have to do to get the Xbox to play nice with pfSense is enable UPnP, set a static DHCP lease for your Xbox, and adjust your outbound NAT to utilize static NAT entries for the IP of your Xbox. If that doesn't work and you are using a managed switch, check if you have any security options enabled on it.  I mention this because my ProCurve 1810's Auto DoS feature (what a name!) often caused havok with Xbox Live until I disabled it. Port 88 is utilized by Kerberos, which can use either UDP or TCP.  IIRC, it tries TCP first, although this is how Windows domain controllers utilize it, Xbox Live might be completely different.

Good info, fixed my MW3 Thanks! ;D

I would suggest you look at the traffic shaper which should help. I would also recommend you move to the newest version of PFsense, 2.0 which has many more features.

have you check the static box under lan and or local ? go to Firewall: NAT: Outbound select Select Manual Outbound NAT rule generation then save           (AON - Advanced Outbound NAT) Static - make sure it says static YES for all then try your game YES Auto created rule for ISAKMP - LAN to WAN WAN  10.10.10.0/24 * * * * * YES Auto created rule for LAN to WAN WAN  127.0.0.0/8 * * * * * YES Auto created rule for localhost to WAN

we send UDP traffic out the T1 and everything else out the Wimax. I bet that's your problem. I am unsure but my guess bf3 gameplay traffic is udp and punkbuster traffic is tcp. (I have no clue what port #s) So when a player joins a bf3 server it connects with T1's IP address but punkbuster sending client info from a different IP (wimax connection). Therefore a punkbuster kick. The best solution sounds like finding every bf3/punkbuster port and creating exception rule to force it to a single wan (yuck!).

Thanks, and personally I would use OpenVPN rather than ipsec (racoon).

Same as djroketboy stated but make sure the xboxes or ps3s are set to dhcp let pfsense assign the ips through static dhcp reservations. This will work like a charm, running 2 boxes at the same time from a single cable connection. ;D