Just in case anyone else has this problem:
I reinstalled pfsense with the same settings and now it's working.

Checkout solution
https://forum.netgate.com/topic/168376/multiple-xbox-consoles-with-open-nat-and-working-play-together

Thanks for your contribution!
i was inspired by this post and came to solution with every console with open nat and working play together

https://forum.netgate.com/topic/168376/multiple-xbox-consoles-with-open-nat-and-working-play-together?_=1639047807695

@radarg ok it looks like all the UPNP is working I see the rules pop up. Why would the second xbox try to talk to the same port at the first one? I thought that once the second xbox made contact with the server it would use a different port. Am I wrong?

To anyone got the same problem, don't tick Static port box in Outbound rule (other games may need it). It took me a few days trial and error XD

@striker-pl well after hours of investigation, turning off Storm Control on my switch solved the issue. Posting here in case it helps anyone else.

@mcury
Thanks for the help but no luck. Ill just give up on the box preforming a port forward. I'm moving soon but wanted to get some better game performance without all the packet losses. I will be thrilled to have a better ISP provider than the local one here or the other terrible option of Spectrum.

@stacyann33
Nope, we 'play' pfSense.
And you're the first one using the word 'HiRez' on this forum.
pfSense it's a firewall that assures that there are no holes. Nobody want holes in a wall. If there were, there is no meaning of putting up the wall in the first place.
pfSense can let you make 'holes', to devices that run programs on your LAN. It seems to me that Smite Hires doesn't have any public documentation - otherwise you were reading that doc instead of asking here , and do what they were asking you to do, like NATting a port(s) to the PC that runs the game.
By default : do nothing.

Btw : https://www.reddit.com/r/OutOfTheLoop/comments/2pvfen/why_is_smitehi_rez_studios_often_ridiculed_in_the/ make sme understand that, if your host your own 'server' version of the game, you should make that service accsible to the outside world == you have to "open ports" == NATting ports.

Google doesn't know anything about it, so there is only the documentation that can help you.

This looks like some great points about the game. I love all Battlefields and the multiplayer is the best you can get for any shooting game. I don't think that Call of Duty can really be compared to it! The only Battlefield I have found really hard and challenging to play was battlefield 5 as the difficulty bar was raised way too much. I'm a bit ashamed to admit it, but sometimes I have to use bf5 hacks in order to be able to stay competitive. Of course I don't use them on online multiplayers.

This might help others with multiple xbox's behind the same public IP. I'm specifically talking about Halo 5, but it could pertain to other games as well....

For anyone else that is still having a problem, I have a potential solution that allows multiple XBOX's connected behind a single Internet IP address achieve an open NAT on XBOX Live, and work with Halo 5.

I use OPNsense as my firewall, but the same steps will work on PFSense or any other firewall that allows you to configure inbound port forwarding and outbound PAT (port address translation).

I noticed that most posts that include a "fix" for the XBOX Live Open NAT issue will tell you to configure an outbound NAT rule for the XBOX and choose the option "Static Port". This will help you achieve Xbox Live Open NAT, but it's like using a bazooka to kill a mosquito. All traffic from the XBOX will preserve the original source port no matter what which doesn't work well with Halo 5 and multiple XBOX's.

XBOX traffic uses a lot of multicast and UDP packets. By looking at the traffic, I discovered that certain UDP/TCP packets will use the XBOX configured port as the source port of the packets. I also discovered that when a Halo 5 match starts, both of the XBOX's in my house were creating a UDP connection to the exact same host using the exact same source port and destination port combination at the exact same time. This is a HUGE problem if all packets are being statically translated, because the firewall won't know how to properly create a stateful connection for both XBOX's. The only way around this is to let the firewall dynamically remap the source port of the outbound traffic to ensure a unique UDP connection in the stateful database for the appropriate XBOX.

Long story short, IMO you need two things to get an open NAT in XBOX Live and for Halo 5 to work:

Configure each XBOX to use a unique static IP address and a unique static port. It's in the network settings area of your XBOX and very easy to do. You can use 3074 for one of the XBOX's if you want to, but I recommend using something in the 50,000 range. It's probably a safer bet and I didn't look at the traffic for an XBOX configured with 3074. Create a TCP/UDP port forwarding rule on your firewall for each XBOX's static IP address and its associated static port. You could use UPnP, but either way you're doing the same thing. Each XBOX will get its own unique port and a hole in the firewall to allow internet hosts to originate TCP and UDP traffic to that port. I prefer not to use UPnP because of security concerns.

Configure a manual outbound NAT rule matching only UDP traffic for each XBOX using the corresponding static port as the source port and choosing the "Static Port" option. What you're doing here is telling the firewall do not dynamically PAT (port address translate) packets from my XBOX if they are UDP packets and the source port of the packet matches the static port you configured in the XBOX. For everything else, go ahead and dynamically translate the source port to ensure a unique connection in the stateful database of the firewall. By doing this, when Halo 5 starts those packets that are going to the same destination using the same source port and destination port combinations will get a remapped source port in the firewall database and therefore the return traffic will route back to the correct XBOX.

I hope this helps someone else that like me is trying to get to SR152 and also has a wingman in the same house with them.

halo5ports.JPG Hybridnat.JPG xboxportforward.JPG xboxsampletraffic.JPG xboxnatoutbound.JPG

If anyone should stumble across this post, check out my reply https://forum.netgate.com/post/954396
Opening port 1900 isn't enough, you'll also need to open up 2189 and 5351 for uPnP to work.

2020-12-31 13_31_22-pfSense.lan - Firewall_ Rules_ VLN30_IOT and 3 more pages - Personal - Microsoft.png
I've had to allow uPnP (ports 5351, 1900 and 2189 to the firewall) and IGMP (to 224.0.0.2) to make this work, since my Xbox resides on my IoT VLAN which has limited access.

Following the manual on https://www.amixa.com/blog/2020/04/02/how-to-get-open-nat-with-xbox-or-xbox-one-and-pfsense-firewall/ and adding these rules now NAT is detected as open by the Xbox.

@kurt-angle
This isn't a community to help with games, but to help people with issues running games or internet issues when playing games behind a Pfsense configuration.

you might have better luck on a gaming community