I decided to put up a new-improved version for the benefit of future readers. Please continue to comment. The information content should be the same.
–-
PFSense XBox360 Setup
NAT / Portforward WAN port 3074 to the XBox360 port 3074.
NAT / Outbound
Select:
(*) Manual Outbound Rule Generation
Create rules for each of your subnets. Set "Static Port" to "YES"
on the subnet with the XBox360, "NO" on the others.
My rules look like this, the XBox 360 is on the
192.168.243.0/24 network:
WAN 192.168.240.0/24 * * * * * NO
WAN 192.168.241.0/24 * * * * * NO
WAN 192.168.243.0/24 * * * * * YES
XBox's network test declared the connection as "Strict" before setting
"Static Port", moving up to "Moderate" after setting "Static Port"
Create a Fireall / Rule for WAN allowing the portforward of 3074 to get
through to the xbox360 port 3074:
TCP/UDP * * xbox360 3074
Create the following firewall rules allowing outgoing traffic from the
subnet hosting the XBox360 (Indicated here as "LAN_Net"):
TCP/UDP LAN_Net * IF IP Address 53(DNS)
TCP/UDP LAN_Net * * 80(HTTP)
TCP/UDP LAN_Net * * 88(KEREBOS)
TCP/UDP LAN_Net 3074 * 1024-65535
TCP/UDP LAN_Net 1024-65535 * 3074
That is all you have to do. If you want to understand more, read the
explanation below.
Explanation
This setup assumes that you want to constraint the xbox360 as much as
possible without any compromises on the XBox functionality or play.
Microsoft says to "open" or "Forward" ports 88 and 3074. This is both
unnecessary and insufficient for pfsense if you have a "Default Deny"
rule-set. I assume that these directions are appropriate for other
routers because of router behavior that Microsoft has assumed but not
stated.
88 is for kerebos authentication. You have to let it out, but if you
are doing NAT then the NAT engine will generate a transient rule to
let the reponse in. No port-forward is necessary. If you put a port
forward in place for port 88, then no other machine on your network
will be able to use kerebos, since all responses will come back to
your XBox360!
3074 is used for all communication, but in various ways. During play,
all communication goes out through 3074. Some other players appear to
receive their incoming communication only on 3074, others on apparently
random registered and dynamic port numbers. A single one minute trace
contained ports from 3976 to 63789. You can block outgoing traffic
except for destination ports 88 and 3074 and receive an "Open" rating
(The highest) from the XBoxLive connection test, but as you play, there
will be many outgoing packets going to registered and dynamic ports
that are blocked. You will seem to be much harder to kill.
Since all outgoing communication during play originates on port 3074,
it would seem to make sense to move the 3074 requirement from the
destination to the source, restricting your xbox to sending on 3074
but allow it to send to any port. This would enable your xbox to
contact all other players. With this change, you will be able to
play fine, an examination of your Firewall log will not show anything
blocked, and Packet Capture will not show any packets being sent to
anything you have blocked. However the XBoxLive connection test will
fail completely, saying that your MTU is too small. This is not true;
the XBoxLive connection test sends from ports 1258, 1259, maybe 1257,
and less frequently on 1256. Those packets are blocked from going
out. Microsoft is testing on ports not being used for play, and
playing on ports not tested!
In all observed cases either the source or destination was port 3074.
Short of openning everything wide, allow both:
Source (xbox) on port 3074 to any registered (1024-49151) or
dynamic (49152-65536) port.
and
Source (xbox) on any registered (1024-49151) or dynamic
(49152-65536) port to destination port 3074.
This appears to be the tightest constraint that provides an "Open"
XBoxLive connection and does not block any packets during test or play.
I have not seen any xbox traffic to date (other than 53(DNS) or
80(HTTP) or 88(Kerebos) that did not have 3074 as either the soure or
the destination port.
