Xbone, NAT strict
-
i cant get the xbone NAT to switch off of strict. i have googled, searched this forum, and read the FAQ that was posted (set NAT to outbound and create static entires). none of those worked.
i am also noticing that what works for one person might not work for others.
i assume the xbox 360 and xbone consoles are not the issue since xbox live ports didn't change.
anyone else having issues with getting the xbone NAT to switch from strict to open?
thanks.
edit-
2.1-RELEASE (i386)
built on Wed Sep 11 18:16:50 EDT 2013
FreeBSD 8.3-RELEASE-p11You are on the latest version.
-
i temporarily took the pfsense out of the mix and installed a backup/spare linksys router (RVS4000) and logged into xbl, NAT Type is Open.
there is no question that pfsense needs the NAT options to be tweaked, but there is nothing clear cut on what needs to be changed.
-
enable static ip for xbox one.
set static ports to be enabled for xbox one ip in manual outbound rules for NAT and that the rule is above the existing outbound rule for that wan.
enable user specified permissions in upnp (allow 88-65535 192.168.1.62/32 88-65535). i have by default deny access to upnp as well.
make sure your xbox one ip is using the wan interface upnp is enabled on and try specifying the gateway manually (multiple wan users only).
clear the states for the xbox one in firewall.
do a hard reboot of the console as in my experience flushing the states alone was not working (holding power until it turns off).run network check again.
if you just cant get upnp working, and only have one console, port forward! make sure to disable upnp if using port forward.
WAN UDP * * WAN address 3544 (Teredo) 192.168.1.62 3544 (Teredo) WAN UDP * * WAN address 88 192.168.1.62 88 WAN UDP * * WAN address 4500 (IPsec NAT-T) 192.168.1.62 4500 (IPsec NAT-T) WAN TCP/UDP * * WAN address 3074 192.168.1.62 3074these ports below should not need to be forwarded but if all else fails give it a try
WAN TCP/UDP * * WAN address 53 (DNS) 192.168.1.62 53 (DNS) WAN UDP * * WAN address 500 (ISAKMP) 192.168.1.62 500 (ISAKMP)i used https://forum.pfsense.org/index.php/topic,69319.msg384435.html#msg384435 as a reference.
-
the ports you have opened don't match the ports on the xbox live site. i don't think i should open ports that are not needed by xbox live.
Network ports used by Xbox Live
Port forwardingIf you have a firewall or network hardware, such as a router, you might need to make a configuration change in order for your PC or Xbox 360 console to communicate with Xbox Live. This configuration change is sometimes called “opening ports” or "port forwarding."
Xbox Live requires the following ports to be open:
Port 88 (UDP)
Port 3074 (UDP and TCP)
Port 53 (UDP and TCP)
Port 80 (TCP) -
It doesn't feel like I am getting anywhere with this. I have two Xbox 360s working with Open NAT. But I can't get one Xbox One to get passed Strict.
All of the devices have a static IP assigned by DHCP. I have also tried assigning the address directly to the Xbox One.
I have tried with UPNP enabled and with it disabled and using port mappings.
WAN TCP/UDP * * WAN address 88 192.168.11.97 88 XBox One Port Forward WAN TCP/UDP * * WAN address 80 (HTTP) 192.168.11.97 80 (HTTP) WAN TCP/UDP * * WAN address 500 (ISAKMP) 192.168.11.97 500 (ISAKMP) WAN TCP/UDP * * WAN address 3544 (Teredo) 192.168.11.97 3544 (Teredo) WAN TCP/UDP * * WAN address 4500 (IPsec NAT-T) 192.168.11.97 4500 (IPsec NAT-T) WAN TCP/UDP * * WAN address 3074 192.168.11.97 3074 WAN TCP/UDP * * WAN address 53 (DNS) 192.168.11.97 53 (DNS) WAN TCP/UDP * * WAN address 3075 192.168.11.97 3075And firewall rules…
WAN IPv4 TCP/UDP * * 192.168.11.97 88 * none NAT XBox One Port Forward IPv4 TCP/UDP * * 192.168.11.97 80 (HTTP) * none NAT IPv4 TCP/UDP * * 192.168.11.97 500 (ISAKMP) * none NAT IPv4 TCP/UDP * * 192.168.11.97 3544 (Teredo) * none NAT IPv4 TCP/UDP * * 192.168.11.97 4500 (IPsec NAT-T) * none NAT IPv4 TCP/UDP * * 192.168.11.97 3074 * none NAT IPv4 TCP/UDP * * 192.168.11.97 53 (DNS) * none NAT IPv4 TCP/UDP * * 192.168.11.97 3075 * none NATLAN pass * * * LAN Address 443 80 * * Anti-Lockout Rule IPv4 * LAN net * * * * none Default allow LAN to any rule IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule IPv4+6 TCP/UDP LAN net * 224.0.0.0/8 * * none Allow multicast IPv4+6 TCP/UDP LAN net * 239.0.0.0/30 * * none Allow multicastI have no idea what to try next.
Does anyone have the Xbox One and Open NAT with pfSense?
Thank you
-
I am able to get to NAT: Moderate by adding a firewall NAT outbound rule:
WAN 192.168.11.97/32 * * * WAN address * YES -
I've spent all day today working on it, and got my xbox one as well as the 360s to all have open NAT. It was a combination of:
-
One of the wifi access points I have on the network had UPNP turned on. They aren't using routing functionality, and this was messing with things. Useful to check if you aren't using netgear/whatever devices for anything but Access Points
-
Enable UPNP in pfSense
-
Added the rule that dandrep mentioned at the front of the list. I did however make it be from 10.0.69.0/24 so that in theory it will work with two X1s (BIL occasionally brings his over).
-
Added firewall rules for multicast, see http://forum.pfsense.org/index.php/topic,13887.msg94807.html#msg94807
-
Turned off IPv6 completely. Since I haven't gotten it working, it was causing my xbox to shoot some message about getting a teredo address (IIRC). This happened on the network test.
Omitting any of the above for me caused me to pretty much drop back to strict.
Mark
I am able to get to NAT: Moderate by adding a firewall NAT outbound rule:
WAN 192.168.11.97/32 * * * WAN address * YES -
-
thanks guys, i will try that out next chance i get.
-
I've spent all day today working on it, and got my xbox one as well as the 360s to all have open NAT. It was a combination of:
-
One of the wifi access points I have on the network had UPNP turned on. They aren't using routing functionality, and this was messing with things. Useful to check if you aren't using netgear/whatever devices for anything but Access Points
-
Enable UPNP in pfSense
-
Added the rule that dandrep mentioned at the front of the list. I did however make it be from 10.0.69.0/24 so that in theory it will work with two X1s (BIL occasionally brings his over).
-
Added firewall rules for multicast, see http://forum.pfsense.org/index.php/topic,13887.msg94807.html#msg94807
-
Turned off IPv6 completely. Since I haven't gotten it working, it was causing my xbox to shoot some message about getting a teredo address (IIRC). This happened on the network test.
Omitting any of the above for me caused me to pretty much drop back to strict.
Mark
I am able to get to NAT: Moderate by adding a firewall NAT outbound rule:
WAN 192.168.11.97/32 * * * WAN address * YESi am still getting a strict NAT.
did you reboot your firewall after you made these changes? i didnt
on the upnp page, other than enabling upnp, did you fill out any of the 'User specified permissions 1' fields? all i did was enable upnp
what is your NAT mode set to under NAT, outbound? mine is on 'Manual Outbound NAT rule generation
(AON - Advanced Outbound NAT)'the only post i followed was yours and the WAN rule you referenced. did you follow any other ports?
-
-
SOLVED
i can't seem to modify the thread title or the original post. if a mod could help, that would be appreciated.
i have to thank pfsense forum user AhnHEL, he sent me a PM and gave me step by step directions and everything worked, NAT is now reporting as open for the xbone.
just as his directions stated, i recommend putting any settings back to how they were, assuming you followed others threads/directions with no luck. i changed all my settings back to what they were prior to making this thread and followed his directions. the only thing i had to do was pull the power plug from my xbone. after following the steps, the nat went from strict to moderate, but i ran the rest after power cycling the xbone and nat switched to open.
dhcp mapping will work, but i statically set my xbone to an ip outside of the DHCP scope instead.
Ok, I dont know what you still have setup while you were trying to get this to work but remove any port forwards or rules that you created previously. We're going to try the UPnP method because its the easiest method to configure. Keep your XBone off while setting this up.
1. I'm sure you have done this, but setup a static DHCP mapping for your XBox One. In my settings below this is 192.168.39.17
2. Now go to Firewall: NAT: Outbound and select Manual Outbound NAT and hit save. This should at default create two entries a LAN mapping and a Localhost mapping.
3. Now add a mapping for your XBox One's static DHCP IP address on your LAN interface with a /32 as a mask bit in the Source section. In the Translation section of this mapping, select the "Static Port" checkbox. Give the mapping a name like XBone AON and save.
4. Now take this XBone AON mapping rule and move it ABOVE your Default LAN mapping and hit Save.
5. Go to Services: UPnP & NAT-PMP and setup as follows: check enable upnp and nat-pmp, check allow upnp port mapping, external interface, WAN, interaces, LAN, user specified permissions 1, allow 88-65535 192.168.39.17/32 88-65535 Then hit Change.
6. Now to be sure no states to the XBox are lingering from a previous connection, go to Diagnostics: Reset state and Reset.
7. Now fire up your XBox and you should be at NAT Open. If not, double check your settings and if you have a managed switch on your network, disable Multicast filtering on the switch.
regarding number 6, as stated i power cycled off the xbone, clearing the states was not enough.
regarding number 7, the xbone is connected to a managed switch, but i did not need to change any settings on the switch.
thanks again, AhnHEL.
-
Glad to have helped. :)
-
I really appreciate the hard work here, you guys are great.
My $500 question is will this work with "two" XB1's on the same network?
Enabling just UPnP has given our two 360s all the internet loving they could wish for, my XB1 is being a jerk and if this does the trick I am almost home free. But I need it to work for two of them.
It sounds like M$ likes Cone NATs and dislikes Port Symmetric NATs. Will the changes above make the difference?
-
I dont have two XBone's but I'm sure you wont have any issues if it's setup properly. Only real difference so far is that the XBone never really shuts off so a hard reboot is required once all the settings are setup.
-
I really appreciate the hard work here, you guys are great.
My $500 question is will this work with "two" XB1's on the same network?
Enabling just UPnP has given our two 360s all the internet loving they could wish for, my XB1 is being a jerk and if this does the trick I am almost home free. But I need it to work for two of them.
It sounds like M$ likes Cone NATs and dislikes Port Symmetric NATs. Will the changes above make the difference?
i don't have two xbone's, but just as AhnHEL stated, as long as you set it up properly, the second one should work. if you only setup 1 xbone, you should have 3 spots open on the upnp and nat-pmp page for the second xbone. proceed with creating the same rules you did for the first console and power cycle the second xbone before testing the connection for openNAT.
at this time, i don't think i will need more than 4 user specified permission rules, i wonder what happens if you needed a 5th?
-
@tomdlgns:
at this time, i don't think i will need more than 4 user specified permission rules, i wonder what happens if you needed a 5th?
I wrote about that very thing just a few weeks ago in the PS4 thread under the part where it says For More Advanced Users
http://forum.pfsense.org/index.php/topic,69319.msg384435.html#msg384435
-
@tomdlgns:
at this time, i don't think i will need more than 4 user specified permission rules, i wonder what happens if you needed a 5th?
I wrote about that very thing just a few weeks ago in the PS4 thread under the part where it says For More Advanced Users
http://forum.pfsense.org/index.php/topic,69319.msg384435.html#msg384435
yeah, that makes sense, i guess i was stuck on 1 rule is 1 IP/device, i never though about adding a range.
sometimes you miss the obvious.
thanks.
-
i don't have two xbone's, but just as AhnHEL stated, as long as you set it up properly, the second one should work. if you only setup 1 xbone, you should have 3 spots open on the upnp and nat-pmp page for the second xbone. proceed with creating the same rules you did for the first console and power cycle the second xbone before testing the connection for openNAT.
I have made my changes and confirmed that this worked to get the first xb1 online with an open nat (cone). My brother will be purchasing his new xb1 this month, so to-be-continued, so far so good.
The two 360s "did" start experiencing issues though they are in the same network range (/29) found in both the UPnP and NAT rules I created
I added two UPnP rules that would allow port 53 and 80 separately from our 88-65535 rule mentioned above, as they are required according to M$. They still didn't work after that for 20 minutes or so then automagically started working again. They both have open NATs now and appear happy. No idea, I might be able to remove those two rules but until I have a reason to I wont just in case.Big thanks to all.
-
i don't have two xbone's, but just as AhnHEL stated, as long as you set it up properly, the second one should work. if you only setup 1 xbone, you should have 3 spots open on the upnp and nat-pmp page for the second xbone. proceed with creating the same rules you did for the first console and power cycle the second xbone before testing the connection for openNAT.
I have made my changes and confirmed that this worked to get the first xb1 online with an open nat (cone). My brother will be purchasing his new xb1 this month, so to-be-continued, so far so good.
The two 360s "did" start experiencing issues though they are in the same network range (/29) found in both the UPnP and NAT rules I created
I added two UPnP rules that would allow port 53 and 80 separately from our 88-65535 rule mentioned above, as they are required according to M$. They still didn't work after that for 20 minutes or so then automagically started working again. They both have open NATs now and appear happy. No idea, I might be able to remove those two rules but until I have a reason to I wont just in case.Big thanks to all.
when i was running 360, i never did anything other than enable upnp (and checked the box for MS) and everything worked fine. no custom upnp, no custom NAT/outbound NAT….nothing. meaning, i never opened 80 and 53. personally, i dont think those are needed and i did not have to open those up for the xbone. everything i did in this thread and read in other threads was put back to how it was prior to making the xbone thread and i followed the few steps i posted on the bottom of page 1 which got me openNAT on with the xbone. i know MS states they need to be open, but i feel confident saying that they don't need to be (80 and 53) and that the issue was specifically with NAT rules, not a port forward rule.
it we are both using pfsense and a 360 and let's just assume we have a basic switch in between our 360 and pfsense box, then 80/53 should not be needed if i was able to get it to work w/o opening those ports.
again, i am not saying that will fix your problem, just giving you some more information.
good luck.
-
i know MS states they need to be open, but i feel confident saying that they don't need to be (80 and 53) and that the issue was specifically with NAT rules, not a port forward rule.
I didn't mean to get off into the woods, and I agree with you on this. In the past UPnP being enabled was enough to ensure victory for multiple 360s.
-
i know MS states they need to be open, but i feel confident saying that they don't need to be (80 and 53) and that the issue was specifically with NAT rules, not a port forward rule.
I didn't mean to get off into the woods, and I agree with you on this. In the past UPnP being enabled was enough to ensure victory for multiple 360s.
no, i don't think you did. it is important to discuss all options as long as we don't get too far off track. i think it is important to discuss what works and what doesn't work/isn't needed.
