@cfran22:

Also as an update to what has been attempted, I've now changed my ACL entries to have one Xbox be allowed 3074, the next 3075, the final 3076, then 2 rules for all of them to be allowed to grab 53-3073 and 3077-65535, as it seems from another forum that this was Activision's suggestion. Still no dice.

You cant do that..  Xboxs try 3074, then a Random Port (40k+) for Teredo, you MUST allow Xboxes to grab ANY port they want, the ONLY one you can deny is 3074, nothing else.

You can not force an Xbox you use certain ports by restricting what UPNP will allow, the Xbox will just give up since UPNP doesn't tell it "you can only use these", the Xbox ask UPNP, "can i use this", UPNP say nope, Xbox ask then "can I use this", UPNP says nope, Xbox gives up.

The ONLY UPNP rule you should have is.

deny 3074 192.168.1.0/24 3074  <<---- Replace 192.168.1.0/24 with you LAN Subnet

This forces the Xboxes to pick a different port for "Teredo", this also allows all games on all Xboxes to UPNP themselves another port if they need it.

As far as UPNP goes, every Xbox MUST be allowed to use every port except 3074.

In my setup, I have no Xbox Dedicated Inbound or Outbound NAT Rules, the only thing Xbox Related is a deny ACL for 3074.

For Outbound NAT my whole LAN has Static Port, making a separate rule is not very helpful, and forcing random ports for LAN devices hurts worse then it helps anyways, not that it hurts much, point is it offers practically 0 benifit.

I have UPNP only Blocking the use of 3074 "deny 3074 10.0.1.0/24 3074".

Then for "NAT Loopback" or "NAT Reflection" I have

Goto System -> Advanced -> Firewall & NAT

NAT Reflection mode for port forwards: Pure NAT
Enable automatic outbound NAT for Reflection: Check/Enabled

That is it, Xboxes have full open NAT, any Games can UPNP more ports if they need, and they can talk to each other via the WAN IP.

As others have mentioned, if the game is not coded properly to use Upnp you are not going to have much luck (ie if it only requests 1 port, and that port is the same on all your different consoles you cannot do so)  The only fix for that type of issue is to have a public IP address for every game console you own.  Most ISP's charge extra for additional IP addresses.

Also, as the other thread is locked, and I could not find the upnp restart script mentioned in that thread, I figured out a way to restart upnp for me every morning.

Here's the php script

require_once('/etc/inc/services.inc'); require_once('/etc/inc/service-utils.inc'); upnp_action('restart'); ?>

Then install the cron package, and set it to execute.  Here's what mine looks like.

/usr/bin/nice -n20 /usr/local/bin/php /root/restart_upnp.php

obviously i placed the above script code into /root/restart_upnp.php

As far as 'all home routers do this fine'  I would highly disagree with that.  If you have good luck with default settings on home routers then your upnp should be fine in pfsense.

My only issue was that after a day or two (using 2 PS4's and playing bloodborne, dark souls, etc co-op) it will eventually run out of mappings as they do not age out.  Hence the script to restart upnp every morning.

Another thing to mention is that the ps4's/xbox's don't remember their upnp settings between boots.  If your games don't work, i would suggest closing the games on all consoles,  restarting upnp on the pfsense, and then launching all the apps again.  This has fixed our issues 99.9% of the time.

Does your WAN's quality graph show anything odd? Have you ran pings to a known good few services and seen if the pings jump  up during this time?

Hey all, super sorry to necro an old thread but it has pertinent information and screenshots.

I was able to get For Honor working with the static outbound rules, however I am running into an issue where I have 2 roomates who also play and while the nat rule works for the first PC in the rule list, the other 2 never get the traffic. I tried adding an alias with the hosts specified, but this doesnt seem to work.

I come from cisco where we could forward nat traffic to a range of hosts, or even a subnet. How would I accomplish the same thing with PFsense?

Thanks!

It looks like I got it…  The post I mentioned earlier helped but it was missing one crucial step that immediately fixed my issue.  I stumbled upon another page that suggested moving the rule to the top of the list.  Once I did that, my issue was fixed.  I even removed the ACL entry and tested with positive results.

I had same problem. I fixed.

https://en.wikipedia.org/wiki/Universal_Plug_and_Play

Services > UPnP

Pretty sure I figured this out with Cisco switches and the NAT Issue on xbox. I did some research on Cisco's forums and discovered that most of the xbox's traffic is multicast for some reason (also has a TTL of 1 /boggle). I also found an article that talks about needing to have multicast turned on the switches with all the new home theatre gear, so I figured this makes sense. I added the following option to my Cisco switch and now I always have an open NAT, on both my Xbox and PS4.

conf t
ip igmp snooping

If your using L3 interfaces you need to turn on pim multicast mode on each interface so it passes multicast traffic too..

If you are referring to Steam streaming from one box to another or from your gaming PC to a Steam Link, then pfSense has absolutely nothing to do with it since Steam streaming only works for devices on the same subnet. No streaming traffic crosses pfSense.

What app?  Are you talking about logging into your bank account or something?

So your saying that these apps don't work at starbucks or hotel wifi, or any other hotspot wifi - which are not going to have UPnP enable that is for damn sure..  I would have to assume the financial app maker would get flooded with support calls since the vast majority of wifi out there does not have UPnP enabled..

UPnP allows for unsolicited inbound connections, to be forwarded at the nat device to your devices IP.. How would that be required for some app to work?  My guess is whatever you were doing for testing - something else changed when you think you enabled UPnP and so you think that is what fixed it.  Look in your UPnP status when using your APP and its working.. What does it show it opened?  This status will show you what was requested, what was opened, etc.

"with like an authentication keyfile or something on their computer "

If you have outside people that you want to limit to access your game.. Simple enough to limit your port forward to their source IPs - if they know them and they do not change all the time.  Another option would be to just let them vpn in.. And then through the vpn access the game.. This way you know for a FACT that its them, since they will be the only ones that can auth to your vpn via the cert you give them.

Alright homeslice. First things first we need a mod to move this to gaming.

Secondly, I cannot let this go unhelped because you're clearly playing games originally released on the best system ever, and what kind of gamer would I be if I let this continue?!

OK, now that THATS out of the way, do you have UPnP enabled?  You mentioned wireshark, do you have packet caps for the host attempting the traversal mode? What is your current nat/firewall rule setup regarding this?

Hope to get you online asap so you can smash.

No issue here with my PS4. Try to assign to PS4 the outbound nat rule as "static".
https://forum.pfsense.org/index.php?topic=69319.0

Xbox only uses 3074 for inbound everything else is outbound only, if 3074 is not available it will pick a random high port to try and UPNP forward.

I'm also getting the same problem did anyone give any suggestion how solve this problem?

@jimp:

172.168?

Perhaps that's a typo in the source addresses?

And that first outbound NAT rule for a destination of the switch will never be hit. It isn't necessary, remove it.

…we use 172 first octet at work...derp. I crossed the wires. I'll change that.

Edit: Xboxs' NAT is now open so I'd imagine the switch is resolved as well. Thanks for your assistance.

As far as I know the UPnP service on pfSense does not set up static port outbound NAT for the connections which is a key piece for having open NAT on the games. The UPnP service does only the port forwarding part for you.

I reverted back to 2.2.6 and have 3 Xbox One's UPNP with static Nat, All 3 of us can play the same game in the same lobby with no problem. The problem seemed to happen when they went to 2.3 it broke something. Just downgrade to 2.2.6 setup like normal and your good to go.