HOWTO: Xbox 360 Live connection with pfSense (Port Forward & UPnP)

storkus · Dec 7, 2010, 4:45 AM

This is all well and good for one gaming machine or computer, but I'm using pfSense on a motel network where multiple machines and ports are used and we can't be adding exceptions all the time–especially since I'm the only computer literate person here!

After upgrading from 1.2.3 to 2.0beta4, a guests Xbox360 stopped working. uPnP did nothing. Someone elsewhere mentioned that pfSense does port randomization by default and that it can break stuff. After seeing the official docs on the subject, I simply turned it off for the whole network:

Go to Firewall>NAT>Outbound and select manual (AON)
Then click on the default WAN rule, scroll down, and select "Static port", then save

Everything will now work by magic, though obviously you lose that bit of security; then again, though, this IS a public network, so...

Mike

vronp · Dec 24, 2010, 3:36 AM

Neither method works here on 1.2.3

It's pretty funny that one can find posts that describe 10 different ways "that work".

I wish one of them worked for me.

lint · Jan 2, 2011, 4:24 AM

@vronp:

Neither method works here on 1.2.3

It's pretty funny that one can find posts that describe 10 different ways "that work".

You should try to change the outbound NAT settings instead of using UPnP.

In the pfSense interface, go to Firewall - NAT - Outbound. Change Automatic to Manual. Then, create or modify the default mapping so that static port is checked.

It should look like:

WAN 192.168.100.0/24 * * * * * YES

Once saved, you should be able to connect to Xbox Live with a moderate NAT type instead of strict. This is typical of connections with a firewall.

Further, you can port forward UDP 88 and TCP/UDP 3074 to your Xbox if you wish to have more accessibility.

(Confirmed with pfSense 1.2.3 running nanobsd on an Alix 2c board)

lint · Jan 23, 2011, 4:11 AM

I tested UPnP since some people are having trouble. I got it working just fine, and now have an open NAT connection to Xbox Live.

I pretty much did the same thing that BerSerK posted above, but limited the outbound ports for UPnP to the Xbox Live ports.

Step 1
Set Xbox to static IP (or assign a static through DHCP).

Step 2
Services -> UPnP
Checked to enable UPnP
Set to LAN Int
Checked to enable "By default deny access to UPnP"
Set following permissions:
allow 88 x.x.x.x 88
allow 3074 x.x.x.x 3074
(x.x.x.x is static IP of Xbox)

Step 3
Firewall -> NAT -> Outbound
Change from Automatic to Manual, then press save.
A rule will be automatically created. Edit it and check "static port," then save and apply.

Step 4
Test Xbox live and confirm UPnP is working by checking the following:
Status -> UPnP

Note: If you have an Open NAT type, but cannot locate lobbies, the problem is most likely that you did not complete step 3. Go back and try again.

Sikh · Jan 25, 2011, 4:43 AM

Works for only 1 xbox, not multiple.

databeestje · Mar 9, 2011, 1:14 PM

I have just committed a fix that automatically creates multicast filter rules on 2.0 so that the 360 can communicate with the miniupnpd deamon.

This thread is full of #fail with conflicting or downright wrong advice. I'm amazed in a sort of way.

brianm · Mar 11, 2011, 3:25 PM

Hi everyone,

I tell you even trying all the recommendations indicate, and yet I still have the problem, the Xbox tells me I have a strict NAT.
I updated my version of pfSense from 1.2.3 to 2.0 on 11 March.
Now I work in Multiplayer games without problems, but the message still appears. Someone comes up with some other option?

Greetings and thank you very much.

BerSerK · Mar 13, 2011, 12:05 AM

@databeestje:

This thread is full of #fail with conflicting or downright wrong advice. I'm amazed in a sort of way.

If this howto is outdated or wrong please tell us how to correct it or simply remove the sticky or delete the thread.

xtropx · Mar 17, 2011, 7:45 PM

Yes please. Grace us humble pfsense newbies with the knowledge on how to correctly set this up!

This worked for me in UPnP:

allow 88 x.x.x.x 88
allow 3074 x.x.x.x 3074
(x.x.x.x is static IP of Xbox)

With no manual outbound rule generation.

…but I should not have to use UPnP. ::)
Now I have everything set up to NAT ports 80, 88, 53, & 3074; firewall rules; static ports through manual outbound, and XBOX NAT type is still "moderate."

Edit: I will gladly provide any details about my configuration in order to assist in finding a proper method to configure this.

databeestje · Mar 25, 2011, 8:12 PM

with upnp enabled the xbox will request a port forward and succeed. It works fine for my xbox 360 at home. I don't get NAT type strict.

The missing multicast traffic rule prevented the xbox 360 from succeeding to add a port forward mapping.

Sikh · Apr 11, 2011, 3:44 AM

@databeestje:

with upnp enabled the xbox will request a port forward and succeed. It works fine for my xbox 360 at home. I don't get NAT type strict.

The missing multicast traffic rule prevented the xbox 360 from succeeding to add a port forward mapping.

Thank YOU VERY MUCH. Ive been trying to figure what was the issue.

Any idea when it will go into effect? I just got a second xbox that will be permanent on my network and its not working. One will fail the other one will Open.

Both of them use to be Open / Moderate. But now its Open / Incorrect MTU.

Both are port forward to 80/88/3074/53.

Sikh · Apr 13, 2011, 3:22 AM

@databeestje:

with upnp enabled the xbox will request a port forward and succeed. It works fine for my xbox 360 at home. I don't get NAT type strict.

The missing multicast traffic rule prevented the xbox 360 from succeeding to add a port forward mapping.

So has this missing multicast traffic rule been put into play?

I completely erased everything to do with port forwarding, rules etc. First 360 went open, next one had no connection.

databeestje · Apr 15, 2011, 10:03 PM

Aha, multiple 360's. That explains, I think it overwrites the existing rules.

I don't think Microsoft considered the possibility of 2 xboxes on 1 upnp router.

Sikh · Apr 17, 2011, 7:23 PM

Not true because when we have multiple xboxs on the network, upnp automatically gives the first one 3074(default xbox live port) and then the rest xbox's get random ports.

Its Pfsense not being able to handle this.

DD-WRT does it perfectlly fine so idk

AhnHEL · Apr 20, 2011, 4:34 AM

Just as an update, multiple Gaming Consoles do work quite well with pfSense and this tutorial fully explains how to get it up and running.

What I feel is not stated in enough detail in the tutorial, for any new users to pfSense, is the explanation that Advanced Outbound NAT rules work just like the Firewall rules. They work top to bottom and match the first rule that applies and ignores the rules below it. So your LAN rule should always be at the bottom and your specific individual host IP addresses and/or ports should be above the LAN rule. The diagram shows the proper order but does not explain why.

Hopefully this additional information will help some users who are running into problems. Personally, using the UPnP method, I have 2 XBoxes and 2 PS3s on my LAN and they all work with Open NAT, all at the same time with zero issues.

trendchiller · May 16, 2011, 8:42 PM

regardless of what i do, following the whole steps mentioned here:

upnp does not seem to allow the packets, you can see the packet answers always to be blocked in the system-logs :-(

i use 2.0-RC2 (i386) built on Sun May 15 20:43:07 EDT 2011

now i defined NAT by hand and it works…
but why not upnp ?

i used the following upnp rule: allow 1-65535 xxx.xxx.xxx.xxx/32 1-65535

anyone any ideas ?

i even created a pass-rule for the upne ports from lan-network to lan-address as stated in http://forum.pfsense.org/index.php/topic,33024.0.html
but it still does not work, there are simply no mapping in the upnp status...