This is totally a DenverCoder9 xkcd 979 reference.. I had same problem. You never posted back what solved yours!

Couple solutions:
http://www.vttoth.com/CMS/index.php/technical-notes/63#Appendix
https://www.waldonell.com/thoughts/articles/playing-multiplayer-starcraft-on-lan-with-multiple-subnets
A CISCO switch with 'UDP Relay/IP Helper' option to forward port 27036
Bridge the two networks
only use 1 subnet in first place

I ended up bridging the two… Don't need the security.

https://digiex.net/threads/pfsense-step-by-step-guide-to-multiple-xbox-ones-open-nat-play-together-2-3-x.15094/

Bones, I know it's been a few months but were you able to get port forwarding for COD sorted out?

If so how?

I'm currently beating my head against the wall trying to get an "Open NAT" in Black Ops 3. I have tried everything in the pfSense help pages but still no joy.

You can check your NAT status, in settings under network.

Disregard, suddenly started working

I found this solution, it works for me Somehow

https://www.youtube.com/watch?v=tApX5efOsSA

I have been having this same issue on and off again since the release of xbox ones. I tried having another crack at this over the weekend since I now have the latest dashboards on every xbox and can select which port to use instead of 3074.

The issue is the same, I have NAT Open on every box using all forms of NAT Reflection mode for port forwards, disabled, pure NAT and NAT + Proxy and have had Automatic create outbound NAT rules checked and unchecked. The issue is it works for most games but then there are a few that just refuse to multiplayer up. They can party and chat and play majority of the games.

Games like Warframe that don't connect with NAT Open just require you to set a manual outbound NAT with sticky port disabled. This will set the second xbox to NAT Strict and you will be able to play together. Once you switch games you can leave it and xbox 1 sticky and xbox 2 random port but this might affect matchmaking in other games if you don't switch back to sticky on both when not partied together.

@cfran22:

Also as an update to what has been attempted, I've now changed my ACL entries to have one Xbox be allowed 3074, the next 3075, the final 3076, then 2 rules for all of them to be allowed to grab 53-3073 and 3077-65535, as it seems from another forum that this was Activision's suggestion. Still no dice.

You cant do that..  Xboxs try 3074, then a Random Port (40k+) for Teredo, you MUST allow Xboxes to grab ANY port they want, the ONLY one you can deny is 3074, nothing else.

You can not force an Xbox you use certain ports by restricting what UPNP will allow, the Xbox will just give up since UPNP doesn't tell it "you can only use these", the Xbox ask UPNP, "can i use this", UPNP say nope, Xbox ask then "can I use this", UPNP says nope, Xbox gives up.

The ONLY UPNP rule you should have is.

deny 3074 192.168.1.0/24 3074  <<---- Replace 192.168.1.0/24 with you LAN Subnet

This forces the Xboxes to pick a different port for "Teredo", this also allows all games on all Xboxes to UPNP themselves another port if they need it.

As far as UPNP goes, every Xbox MUST be allowed to use every port except 3074.

In my setup, I have no Xbox Dedicated Inbound or Outbound NAT Rules, the only thing Xbox Related is a deny ACL for 3074.

For Outbound NAT my whole LAN has Static Port, making a separate rule is not very helpful, and forcing random ports for LAN devices hurts worse then it helps anyways, not that it hurts much, point is it offers practically 0 benifit.

I have UPNP only Blocking the use of 3074 "deny 3074 10.0.1.0/24 3074".

Then for "NAT Loopback" or "NAT Reflection" I have

Goto System -> Advanced -> Firewall & NAT

NAT Reflection mode for port forwards: Pure NAT
Enable automatic outbound NAT for Reflection: Check/Enabled

That is it, Xboxes have full open NAT, any Games can UPNP more ports if they need, and they can talk to each other via the WAN IP.

As others have mentioned, if the game is not coded properly to use Upnp you are not going to have much luck (ie if it only requests 1 port, and that port is the same on all your different consoles you cannot do so)  The only fix for that type of issue is to have a public IP address for every game console you own.  Most ISP's charge extra for additional IP addresses.

Also, as the other thread is locked, and I could not find the upnp restart script mentioned in that thread, I figured out a way to restart upnp for me every morning.

Here's the php script

require_once('/etc/inc/services.inc'); require_once('/etc/inc/service-utils.inc'); upnp_action('restart'); ?>

Then install the cron package, and set it to execute.  Here's what mine looks like.

/usr/bin/nice -n20 /usr/local/bin/php /root/restart_upnp.php

obviously i placed the above script code into /root/restart_upnp.php

As far as 'all home routers do this fine'  I would highly disagree with that.  If you have good luck with default settings on home routers then your upnp should be fine in pfsense.

My only issue was that after a day or two (using 2 PS4's and playing bloodborne, dark souls, etc co-op) it will eventually run out of mappings as they do not age out.  Hence the script to restart upnp every morning.

Another thing to mention is that the ps4's/xbox's don't remember their upnp settings between boots.  If your games don't work, i would suggest closing the games on all consoles,  restarting upnp on the pfsense, and then launching all the apps again.  This has fixed our issues 99.9% of the time.

Does your WAN's quality graph show anything odd? Have you ran pings to a known good few services and seen if the pings jump  up during this time?

Hey all, super sorry to necro an old thread but it has pertinent information and screenshots.

I was able to get For Honor working with the static outbound rules, however I am running into an issue where I have 2 roomates who also play and while the nat rule works for the first PC in the rule list, the other 2 never get the traffic. I tried adding an alias with the hosts specified, but this doesnt seem to work.

I come from cisco where we could forward nat traffic to a range of hosts, or even a subnet. How would I accomplish the same thing with PFsense?

Thanks!

It looks like I got it…  The post I mentioned earlier helped but it was missing one crucial step that immediately fixed my issue.  I stumbled upon another page that suggested moving the rule to the top of the list.  Once I did that, my issue was fixed.  I even removed the ACL entry and tested with positive results.

I had same problem. I fixed.

https://en.wikipedia.org/wiki/Universal_Plug_and_Play

Services > UPnP

Pretty sure I figured this out with Cisco switches and the NAT Issue on xbox. I did some research on Cisco's forums and discovered that most of the xbox's traffic is multicast for some reason (also has a TTL of 1 /boggle). I also found an article that talks about needing to have multicast turned on the switches with all the new home theatre gear, so I figured this makes sense. I added the following option to my Cisco switch and now I always have an open NAT, on both my Xbox and PS4.

conf t
ip igmp snooping

If your using L3 interfaces you need to turn on pim multicast mode on each interface so it passes multicast traffic too..

If you are referring to Steam streaming from one box to another or from your gaming PC to a Steam Link, then pfSense has absolutely nothing to do with it since Steam streaming only works for devices on the same subnet. No streaming traffic crosses pfSense.

What app?  Are you talking about logging into your bank account or something?

So your saying that these apps don't work at starbucks or hotel wifi, or any other hotspot wifi - which are not going to have UPnP enable that is for damn sure..  I would have to assume the financial app maker would get flooded with support calls since the vast majority of wifi out there does not have UPnP enabled..

UPnP allows for unsolicited inbound connections, to be forwarded at the nat device to your devices IP.. How would that be required for some app to work?  My guess is whatever you were doing for testing - something else changed when you think you enabled UPnP and so you think that is what fixed it.  Look in your UPnP status when using your APP and its working.. What does it show it opened?  This status will show you what was requested, what was opened, etc.

"with like an authentication keyfile or something on their computer "

If you have outside people that you want to limit to access your game.. Simple enough to limit your port forward to their source IPs - if they know them and they do not change all the time.  Another option would be to just let them vpn in.. And then through the vpn access the game.. This way you know for a FACT that its them, since they will be the only ones that can auth to your vpn via the cert you give them.