Xbone, NAT strict
-
It doesn't feel like I am getting anywhere with this. I have two Xbox 360s working with Open NAT. But I can't get one Xbox One to get past Strict.
All of the devices have a static IP assigned by DHCP. I have also tried assigning the address directly to the Xbox One.
I have tried with UPNP enabled and with it disabled and using port mappings.
WAN TCP/UDP * * WAN address 88 192.168.11.97 88 XBox One Port Forward
WAN TCP/UDP * * WAN address 80 (HTTP) 192.168.11.97 80 (HTTP)
WAN TCP/UDP * * WAN address 500 (ISAKMP) 192.168.11.97 500 (ISAKMP)
WAN TCP/UDP * * WAN address 3544 (Teredo) 192.168.11.97 3544 (Teredo)
WAN TCP/UDP * * WAN address 4500 (IPsec NAT-T) 192.168.11.97 4500 (IPsec NAT-T)
WAN TCP/UDP * * WAN address 3074 192.168.11.97 3074
WAN TCP/UDP * * WAN address 53 (DNS) 192.168.11.97 53 (DNS)
WAN TCP/UDP * * WAN address 3075 192.168.11.97 3075
And firewall rules…
WAN
IPv4 TCP/UDP * * 192.168.11.97 88 * none NAT XBox One Port Forward
IPv4 TCP/UDP * * 192.168.11.97 80 (HTTP) * none NAT
IPv4 TCP/UDP * * 192.168.11.97 500 (ISAKMP) * none NAT
IPv4 TCP/UDP * * 192.168.11.97 3544 (Teredo) * none NAT
IPv4 TCP/UDP * * 192.168.11.97 4500 (IPsec NAT-T) * none NAT
IPv4 TCP/UDP * * 192.168.11.97 3074 * none NAT
IPv4 TCP/UDP * * 192.168.11.97 53 (DNS) * none NAT
IPv4 TCP/UDP * * 192.168.11.97 3075 * none NAT
LAN
pass * * * LAN Address 443 80 * * Anti-Lockout Rule
IPv4 * LAN net * * * * none Default allow LAN to any rule
IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule
IPv4+6 TCP/UDP LAN net * 224.0.0.0/8 * * none Allow multicast
IPv4+6 TCP/UDP LAN net * 239.0.0.0/30 * * none Allow multicast
I have no idea what to try next.
Does anyone have the Xbox One and Open NAT with pfSense?
Thank you
-
I am able to get to NAT: Moderate by adding a firewall NAT outbound rule:
WAN 192.168.11.97/32 * * * WAN address * YES
-
I've spent all day today working on it, and got my xbox one as well as the 360s to all have open NAT. It was a combination of:
- One of the wifi access points I have on the network had UPNP turned on. They aren't using routing functionality, and this was messing with things. Useful to check if you aren't using netgear/whatever devices for anything but Access Points.
- Enable UPNP in pfSense
- Added the rule that dandrep mentioned at the front of the list. I did however make it be from 10.0.69.0/24 so that in theory it will work with two X1s (BIL occasionally brings his over).
- Added firewall rules for multicast, see http://forum.pfsense.org/index.php/topic,13887.msg94807.html#msg94807
- Turned off IPv6 completely. Since I haven't gotten it working, it was causing my xbox to shoot some message about getting a teredo address (IIRC). This happened on the network test.
Omitting any of the above for me caused me to pretty much drop back to strict.
Mark
-
thanks guys, i will try that out next chance i get.
-
i am still getting a strict NAT.
did you reboot your firewall after you made these changes? i didn't
on the upnp page, other than enabling upnp, did you fill out any of the 'User specified permissions 1' fields? all i did was enable upnp
what is your NAT mode set to under NAT, outbound? mine is on 'Manual Outbound NAT rule generation (AON - Advanced Outbound NAT)'
the only post i followed was yours and the WAN rule you referenced. did you follow any other ports?
-
SOLVED
i can't seem to modify the thread title or the original post. if a mod could help, that would be appreciated.
i have to thank pfsense forum user AhnHEL, he sent me a PM and gave me step by step directions and everything worked, NAT is now reporting as open for the xbone.
just as his directions stated, i recommend putting any settings back to how they were, assuming you followed others threads/directions with no luck. i changed all my settings back to what they were prior to making this thread and followed his directions. the only thing i had to do was pull the power plug from my xbone. after following the steps, the nat went from strict to moderate, but i ran the rest after power cycling the xbone and nat switched to open.
dhcp mapping will work, but i statically set my xbone to an ip outside of the DHCP scope instead.
Ok, I don't know what you still have setup while you were trying to get this to work but remove any port forwards or rules that you created previously. We're going to try the UPnP method because it's the easiest method to configure. Keep your XBone off while setting this up.
1. I'm sure you have done this, but setup a static DHCP mapping for your XBox One. In my settings below this is 192.168.39.17
2. Now go to Firewall: NAT: Outbound and select Manual Outbound NAT and hit save. This should at default create two entries a LAN mapping and a Localhost mapping.
3. Now add a mapping for your XBox One's static DHCP IP address on your LAN interface with a /32 as a mask bit in the Source section. In the Translation section of this mapping, select the "Static Port" checkbox. Give the mapping a name like XBone AON and save.
4. Now take this XBone AON mapping rule and move it ABOVE your Default LAN mapping and hit Save.
5. Go to Services: UPnP & NAT-PMP and setup as follows: check enable upnp and nat-pmp, check allow upnp port mapping, external interface: WAN, interfaces: LAN, user specified permissions 1: allow 88-65535 192.168.39.17/32 88-65535. Then hit Change.
6. Now to be sure no states to the XBox are lingering from a previous connection, go to Diagnostics: Reset state and Reset.
7. Now fire up your XBox and you should be at NAT Open. If not, double check your settings and if you have a managed switch on your network, disable Multicast filtering on the switch.
regarding number 6, as stated i power cycled off the xbone, clearing the states was not enough.
regarding number 7, the xbone is connected to a managed switch, but i did not need to change any settings on the switch.
thanks again, AhnHEL.
-
Glad to have helped. :)
-
I really appreciate the hard work here, you guys are great.
My $500 question is will this work with "two" XB1's on the same network?
Enabling just UPnP has given our two 360s all the internet loving they could wish for, my XB1 is being a jerk and if this does the trick I am almost home free. But I need it to work for two of them.
It sounds like M$ likes Cone NATs and dislikes Port Symmetric NATs. Will the changes above make the difference?
-
I don't have two XBone's but I'm sure you won't have any issues if it's setup properly. Only real difference so far is that the XBone never really shuts off so a hard reboot is required once all the settings are setup.
-
i don't have two xbone's, but just as AhnHEL stated, as long as you set it up properly, the second one should work. if you only setup 1 xbone, you should have 3 spots open on the upnp and nat-pmp page for the second xbone. proceed with creating the same rules you did for the first console and power cycle the second xbone before testing the connection for openNAT.
at this time, i don't think i will need more than 4 user specified permission rules, i wonder what happens if you needed a 5th?
-
@tomdlgns:
at this time, i don't think i will need more than 4 user specified permission rules, i wonder what happens if you needed a 5th?
I wrote about that very thing just a few weeks ago in the PS4 thread under the part where it says For More Advanced Users
http://forum.pfsense.org/index.php/topic,69319.msg384435.html#msg384435
-
yeah, that makes sense, i guess i was stuck on 1 rule is 1 IP/device, i never thought about adding a range.
sometimes you miss the obvious.
thanks.
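-
Added example (not part of any post above and not pfSense code): a small evaluator for the "user specified permissions" line from step 5 of the directions, showing what a /32 entry admits and what a range covering several consoles admits. The first-match evaluation and the default-deny fallback are assumptions about how the UPnP service applies these lines, and the .18 console, the .50 PC and the /29 block are constructed values.

```python
import ipaddress

def _ports(spec):
    """'88-65535' or '3074' -> (low, high), validated."""
    low, _, high = spec.partition("-")
    low, high = int(low), int(high or low)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return low, high

def parse_rule(line):
    """Field order as typed in step 5: action, external ports, ip/mask, internal ports."""
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    # ip_network() rejects a mask that does not fit the address (e.g. .17/29)
    return action == "allow", _ports(ext), ipaddress.ip_network(net), _ports(internal)

def permitted(rules, client_ip, ext_port, int_port, default_allow=False):
    """ASSUMPTION: the first matching rule decides; otherwise the default applies."""
    ip = ipaddress.ip_address(client_ip)
    for allow, (e_lo, e_hi), net, (i_lo, i_hi) in rules:
        if ip in net and e_lo <= ext_port <= e_hi and i_lo <= int_port <= i_hi:
            return allow
    return default_allow

# Rule from step 5 of the directions (one console).
ONE_CONSOLE = [parse_rule("allow 88-65535 192.168.39.17/32 88-65535")]
# Constructed variant: a /29 (192.168.39.16-23) set aside for consoles.
CONSOLE_BLOCK = [parse_rule("allow 88-65535 192.168.39.16/29 88-65535")]

# Constructed mapping requests: (client, external port, internal port)
REQUESTS = [
    ("192.168.39.17", 3074, 3074),   # first console
    ("192.168.39.18", 3074, 3074),   # hypothetical second console
    ("192.168.39.17", 80, 80),       # below the 88 floor of the rule
    ("192.168.39.50", 3389, 3389),   # hypothetical PC outside the console block
]

def audit(rules, default_allow=False):
    """Decision for each constructed request, in REQUESTS order."""
    return [permitted(rules, *req, default_allow=default_allow) for req in REQUESTS]

if __name__ == "__main__":
    for name, rules in (("/32", ONE_CONSOLE), ("/29", CONSOLE_BLOCK)):
        print(name, audit(rules), "| default allow:", audit(rules, True))
```

With a default of allow, every request in the list is granted regardless of the permission line, so the line only restricts anything when unmatched requests are denied.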
-
i don't have two xbone's, but just as AhnHEL stated, as long as you set it up properly, the second one should work. if you only setup 1 xbone, you should have 3 spots open on the upnp and nat-pmp page for the second xbone. proceed with creating the same rules you did for the first console and power cycle the second xbone before testing the connection for openNAT.
I have made my changes and confirmed that this worked to get the first xb1 online with an open nat (cone). My brother will be purchasing his new xb1 this month, so to-be-continued, so far so good.
The two 360s "did" start experiencing issues though they are in the same network range (/29) found in both the UPnP and NAT rules I created
I added two UPnP rules that would allow port 53 and 80 separately from our 88-65535 rule mentioned above, as they are required according to M$. They still didn't work after that for 20 minutes or so then automagically started working again. They both have open NATs now and appear happy. No idea, I might be able to remove those two rules but until I have a reason to I won't just in case.
Big thanks to all.
-
when i was running 360, i never did anything other than enable upnp (and checked the box for MS) and everything worked fine. no custom upnp, no custom NAT/outbound NAT….nothing. meaning, i never opened 80 and 53. personally, i don't think those are needed and i did not have to open those up for the xbone. everything i did in this thread and read in other threads was put back to how it was prior to making the xbone thread and i followed the few steps i posted on the bottom of page 1 which got me openNAT on with the xbone. i know MS states they need to be open, but i feel confident saying that they don't need to be (80 and 53) and that the issue was specifically with NAT rules, not a port forward rule.
if we are both using pfsense and a 360 and let's just assume we have a basic switch in between our 360 and pfsense box, then 80/53 should not be needed if i was able to get it to work w/o opening those ports.
again, i am not saying that will fix your problem, just giving you some more information.
good luck.
-
i know MS states they need to be open, but i feel confident saying that they don't need to be (80 and 53) and that the issue was specifically with NAT rules, not a port forward rule.
I didn't mean to get off into the woods, and I agree with you on this. In the past UPnP being enabled was enough to ensure victory for multiple 360s.
-
no, i don't think you did. it is important to discuss all options as long as we don't get too far off track. i think it is important to discuss what works and what doesn't work/isn't needed.
-
I've done everything described in this thread but I'm only getting my Xbox One to go from "Strict" to "Moderate" and not "Open". This is quite fuzzy as I was successful at getting it "Open" before I just had to replace a hard drive in my pfSense server and ever since I did a re-install I have not been able to get it open again.