After upgrading from 23.9.1 to 24.3, unable to play Destiny 2 on Xbox with family members.
-
This weekend I upgraded pfSense from 23.9.1 to 24.3. The upgrade went well, but now I am unable to play Destiny 2 with my daughter. We can connect without issue in Xbox Party. For those familiar with Destiny 2, we are able to connect in orbit. But when we try to go into any destination, one of us will get the 'Cabbage' error. Cabbage error, according to Bungie, is a NATing issue.
Prior to upgrading, there were no issues with us playing. I had configured pfSense to allow all NAT and UPnP & NAT-PMP configuration for multiple Xboxes and both Xboxes showed Open NAT within system. After the upgrade, I verified all the settings in pfSense and Xbox; nothing seemed to change, but could not connect fully as stated above. Did a Factory Default to pfSense settings and applied a backup from a few months ago; no change. I did a second Factory Default and manually reconfigured the NAT and UPnP & NAT-PMP settings; still not working.
I took an older Netgear Router I had lying around and placed it between the Modem and pfSense, placed the Xboxes in the network and everything works just fine. So the issue is with pfSense. I would like to get the Xboxes working behind pfSense again.
EDIT: as a side note, we can play the game separately without issues too.
-
@Sabrcyclon I don't play Destiny 2, nor do I have Xboxes but I do have a lot of gaming going on in the house. And since quite a few releases back I have had no issues whatsoever and get Open NAT in every single game.
I too have upgraded to 24.3 and have seen no issues after that upgrade... But perhaps you can provide your settings here to look at?
Services / UPnP & NAT-PMP settings. Do you use ACL entries?
System / Advanced / Firewall & NAT down at the NAT section
Also your Outbound NAT settings, are they Automatic?
-
@Gblenn - Here are my settings currently. Both Xbox network settings are showing Open NAT.
I use https://forums.lawrencesystems.com/t/pfsense-and-multiple-xbox-ones-open-nat-guide/2409/1 as a guide.
-
@Sabrcyclon First of all, what is the purpose of hiding your internal IPs? There is no risk showing that information, as it is internal to your network only! It's your public IP that you might want to keep to yourself...
Anyway...
There are two things that are different to how I have it set up...
First of all, I have been using Automatic Outbound rules ever since UPnP was updated a few releases back. Don't think this is the culprit though.
But, the ACL settings do not look right to me... You are in fact denying the ability to use one of the key ports for most games, namely "Demonware port" 3074. And it looks like you deny it for all IPs on your network (192.168.1.0/24). Try deleting that deny entry and see what happens. You might need to reboot your Xboxes or kill the states for them from within pfSense (under Diagnostics / States).
The default deny that you have marked takes care of safeguarding against any and all devices in your network and prevents them from using UPnP. Then your ACL entries list the two Xboxes with IPs ending 65 and 66 that you have created allow entries for.
What I would look into, if you want to increase security, is to limit the ports available to the Xboxes further, once you get things working. Now you are simply allowing every single port from 0 to max. But that is usually not at all needed and in my case it actually looks like this:
Only two PCs are allowed to use UPnP. And I have tested and found that for all the games I play, all I need to allow are those few ports starting from 3074 and 28960. With only one PC playing I can get away with just the 3074 and 28960...
-
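Added example, not part of any post in the thread: a small Python model of how the UPnP ACL entries discussed above behave, showing the subnet-wide deny on 3074 overriding the per-Xbox allow entries and how narrowing the port ranges shrinks what a client may map. It assumes the pfSense entry format `[allow|deny] [ext port or range] [int ip or ip/CIDR] [int port or range]`, top-to-bottom evaluation where the first match decides, the deny entry sitting above the allow entries, and a final deny-all standing in for the Default Deny option; the narrowed range widths are constructed.

```python
from ipaddress import ip_address, ip_network

def parse(line):
    """Parse '<allow|deny> <ext port|range> <int ip[/cidr]> <int port|range>'."""
    action, ext, net, internal = line.split()
    def span(spec):
        lo, _, hi = spec.partition("-")
        return int(lo), int(hi or lo)
    return action == "allow", span(ext), ip_network(net, strict=False), span(internal), line

def decide(acl, client_ip, ext_port, int_port):
    """First matching entry decides; returns (allowed, matching line)."""
    ip = ip_address(client_ip)
    for allow, ext, net, internal, line in acl:
        if ip in net and ext[0] <= ext_port <= ext[1] and internal[0] <= int_port <= internal[1]:
            return allow, line
    return True, None  # assumption: no match means allow, hence the final deny-all

def mappable_ports(acl, client_ip):
    """How many ports a client may map (same external and internal port)."""
    return sum(decide(acl, client_ip, p, p)[0] for p in range(65536))

DENY_ALL = "deny 0-65535 0.0.0.0/0 0-65535"  # stands in for the Default Deny option
XBOXES = ("192.168.1.65", "192.168.1.66")    # the two hosts ending 65 and 66

def build(*entries):
    return [parse(e) for e in entries] + [parse(DENY_ALL)]

# ACL as described in the thread; entry order is an assumption
original = build("deny 3074 192.168.1.0/24 3074",
                 *(f"allow 0-65535 {ip} 0-65535" for ip in XBOXES))
# Same ACL with the deny entry removed
fixed = build(*(f"allow 0-65535 {ip} 0-65535" for ip in XBOXES))
# Narrowed to ranges starting at 3074 and 28960; widths are constructed
narrowed = build(*(f"allow {r} {ip} {r}" for ip in XBOXES
                   for r in ("3074-3079", "28960-28965")))

if __name__ == "__main__":
    for name, acl in (("original", original), ("fixed", fixed), ("narrowed", narrowed)):
        ok, why = decide(acl, XBOXES[0], 3074, 3074)
        print(f"{name:9} 3074 -> {'allow' if ok else 'deny'} ({why}); "
              f"mappable ports: {mappable_ports(acl, XBOXES[0])}")
```

Comparing the output with the live mappings under Status / UPnP & NAT-PMP shows whether a narrowed range still covers every port the consoles actually request.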
@Gblenn - I have tried the setting suggestion above, but now both Xboxes are having issues with keeping an Open NAT. With NAT set to Automatic, both Xboxes went to Strict NAT, so I reverted back to Hybrid Outbound. Changed the ACL by removing the deny and changing available ports from 0-65535 to 1024-65535. NAT on both Xboxes to Moderate NAT; reverted back to 0-.
-
@Sabrcyclon Hybrid shouldn't really be necessary but no harm in keeping it.
After removing the deny ACL rule, do you now get Open NAT on both Xboxes when you allow 0-65535?
I have found it a bit of work testing these things since you have to make sure everything is "reset" on the PC/console whenever you make a change. On a PC it's simply a matter of doing ipconfig /release, /renew, AND restarting the game you are testing with.
But on Xbox, PS, I don't know... And it does become quite tedious to reboot each time you change something, but perhaps you can reset the network connection via the menu? And make sure to restart Destiny of course... Anyway, I suppose what you are seeing is that Destiny requires some port lower than 3074 and perhaps 1200 is one you can test? It does come up in a lot of lists for quite a number of games so you could try setting the starting point to 1200...
However, just because a port is being used doesn't mean it needs to be "opened" as in port forwarding or via UPnP. It's only required when there is an inbound connection expected on the port in question. Anyway, which ports do you actually see listed on the status page when you have the games up and running? It's under Status / UPnP & NAT-PMP
-
@Gblenn - I wasn't even trying to run Destiny yesterday when testing. In the Network settings for Xbox there is a section to look at how NAT is currently connected. There are three states: Strict, Moderate and Open. When I made the changes yesterday, neither one of them would stay in Open NAT for any length of time. I am willing to give the settings a try again. Currently both Xboxes are unplugged. Here are my current NAT and UPnP configurations:
-
@Gblenn - I am not sure what I did differently from yesterday, but it all seems to be working now. I know I was restarting both firewall and Xboxes. The only thing I can think of is that I had both Xboxes unplugged when making the changes, cleared all states out for both addresses and removed the Mapping line before switching and saving Automatic Outbound NAT.
Thank you for your help.
Sabrcyclon
-
@Sabrcyclon Great that it's working with that setup. If you ever get the urge to do more testing, you can always try to recreate that deny rule and see if it breaks things. Then you can try limiting the ports as well, but testing takes time so the question is, is it worth it...?