Netgate Discussion Forum

    PFsense - Multiple Xbox One(s) NAT Type Fail.

      Wayne.C1972

      Ok so I have IPv6 fully working and can confirm that the Xb1s both have valid ipv6 addresses and they both pass ipv6-test. They both still have STRICT NAT and I am seeing communication/multiplayer issues for different games. Does anyone know if it is possible to get open NAT with IPv6? Is it possible to have UPnP over IPv6? https://forum.pfsense.org/index.php?topic=118033.0 Will that fix my issue? This is so damn frustrating.

      2.3.4-RELEASE-p1 (amd64)
      built on Fri Jul 14 14:52:43 CDT 2017
      FreeBSD 10.3-RELEASE-p19
      Intel(R) Core(TM)2 Quad CPU Q8200 @ 2.33GHz
      4 CPUs: 1 package(s) x 4 core(s)
      8GB Ram
      Watchguard XTM 5 series firewall

        jax7778

        I am not sure how much help I can be here, but I just finally got this working with 5 Xboxes with open nat and proper communication between them.

        First, follow this post about setting up manual outbound NAT on the PS4 from AhnHEL (works the same way on Xbox):

        https://forum.pfsense.org/index.php/topic,69319.msg384435.html#msg384435

        I have heard Hybrid NAT is easier, you might try that. You give each Xbox a DHCP reservation. Then you create a manual outbound rule at the top for their addresses, or their IP range, and check the box for static port. Xboxes have a horrible time dealing with randomized ports; this is a problem on Microsoft's end, NOT pfsense. Next, set up UPnP as he/she instructs (I did the optional step to restrict UPnP to my Xboxes only). This will give you open NAT. Then go to System > Advanced > NAT reflection and set it to NAT + Proxy. Then clear your firewall states in Diagnostics > States > Reset States (this will kill internet for a couple of seconds, you will need to refresh) OR reboot your system and shut down and kill power on your Xboxes. Check in Settings > Network > Advanced Settings on the Xboxes and make sure they are picking up the IPs you assigned them. I did this setup, and I have 5 Xboxes with open NAT and they can all now play together in one game and Xbox party.

        I also added the rules on LAN from "databeestje" (Thank You) on the page below for multicast traffic. Also, after reading the setup more closely, AhnHEL's guide is just a more detailed explanation of the UPnP method on the sticky; the sticky is just a little confusing because of the new updated interface. I would add enabling NAT Reflection: NAT + Proxy.

        "Add these 2 allow rules on the LAN interface."

        *    LAN net    *    224.0.0.0/8    *    *    none          Allow Multicast
        *    LAN net    *    239.0.0.0/30    *    *    none        Allow Multicast

        NOTE: I am a newb with PFsense. I am an IT Technician in my daily life, but networking is one of my weaker areas. A much more senior member recommended IPv6, and I am sure it is a better setup; this is working for me now, I will try IPv6 as a project later.

        ALSO, the key to open NAT seemed to be the static port manual outbound NAT rule, and the key to us all being able to play together from one network seemed to be NAT Reflection: NAT + Proxy. If you can get IPv6 working, that would be great! I would love to hear how it is working for you. I know that NAT is not really part of IPv6; you can set one up, but you don't need to, and I assume that it is not this way by default. Maybe your problem is in your firewall rules? I know the firewall will still be affecting traffic on IPv6, and you need it to, since without NAT, that is the only thing between you and the barracuda and shark riddled ocean that is the open internet.

          johnpoz LAYER 8 Global Moderator

          Setting static nat for all ports is a borked configuration. While it might be some sort of MacGyver workaround for broken configurations in console games, it will cause issues at some point if you're running multiple machines behind it, because of what is supposed to happen here.

          So device1:portA ---> dest portX (nat device) publicIP:portA --- destIP:portX

          So that can work.. But now what happens when you have device2:portA as its source... How is the nat supposed to work? That is the whole point of napt and sharing of 1 public IP.. when your different devices happen to use the same source port for some sort of communication on the public side of the nat, the natter, i.e. pfsense in this case, can just keep track of the connection and use a different FREE source port for the public side of the connection..

          With napt you end up with this

          device1:portA -- destIP:portX (nat) publicIP:portA --->destIP:portX
          device2:portA -- destIP:portX (nat) publicIP:portB --->destIP:portX
          device3:portA -- destIP:portX (nat) publicIP:portC --->destIP:portX
          etc..

          With static port mapping this breaks down as soon as you have more than 1 device trying to make connections to the outside with the same port. This might rarely happen with a handful of devices, but as you ramp up the number of devices behind your nat your odds of it happening ramp up as well.

          The use of ipv6 is supposed to fix all of these issues these games have with being behind a nat.. Since all the devices will have a public IP.. So if they want, sure, they can all use the same source port in the sessions since they all have their own IP.

          If you're seeing issues with stating your strict NAT I would assume it's testing your ipv4 and not your ipv6.. IPv6 has no nat, so how would it be anything NAT? But yes, you're going to have to make sure your firewall rules allow the traffic you want when you start using ipv6.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11
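
The source-port collision johnpoz describes above, as an added example that is not part of the original thread and is not pf's real port allocator. The addresses, the source port 3074 and all function names are constructed for illustration; the toy table follows the diagrams in the post, where a translation must be unique per public port and destination.

```python
import random

PUBLIC_IP = "203.0.113.10"   # constructed (documentation range)


class OutboundNat:
    """Toy outbound NAT table for one public IPv4 address.

    A translation is unique per (public port, destination IP, destination
    port), as in the diagrams in the post. Not pf's actual allocator.
    """

    def __init__(self, static_port, seed=0):
        self.static_port = static_port
        self.table = {}                  # external key -> (internal ip, port)
        self.rng = random.Random(seed)   # seeded so runs are repeatable

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the public source port, or None if no mapping is possible."""
        owner = (src_ip, src_port)
        if self.static_port:
            candidates = [src_port]      # static port: source port must be kept
        else:
            # NAPT: keep the port if it is free, otherwise pick another one.
            candidates = [src_port] + self.rng.sample(range(1024, 65536), 64)
        for port in candidates:
            key = (port, dst_ip, dst_port)
            if self.table.setdefault(key, owner) == owner:
                return port
        return None


def simulate(static_port, consoles, src_port=3074, dst=("198.51.100.7", 3074)):
    """Every console opens the same flow; return {console: public port or None}."""
    nat = OutboundNat(static_port)
    return {ip: nat.translate(ip, src_port, *dst) for ip in consoles}


CONSOLES = ["192.168.1.101", "192.168.1.102", "192.168.1.103"]  # constructed

if __name__ == "__main__":
    for mode in (True, False):
        print("static port" if mode else "NAPT", simulate(mode, CONSOLES))
```

With static port only the first console gets a translation for that destination; with NAPT all three do, each on a different public port.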

            Wayne.C1972

            @johnpoz:

            If you're seeing issues with stating your strict NAT I would assume it's testing your ipv4 and not your ipv6.. IPv6 has no nat, so how would it be anything NAT? But yes, you're going to have to make sure your firewall rules allow the traffic you want when you start using ipv6.

            That part I do understand. Currently I believe I allow ALL ipv6 traffic for my gaming network (the network that my Xbox Ones are on). I think the problem lies within the Xbox Ones. They don't seem to switch to IPv6 only. They accept ipv6 and acquire local-link and global ipv6 addresses but they ALWAYS defer to the ipv4 network. But if I take and put both Xbox Ones on my cheap Cisco (Linksys) E1000 IPv4-only router with UPnP… no problems at all! Why can that POS router work it out and pfsense cannot?

            ![Gaming Rules.JPG](/public/imported_attachments/1/Gaming Rules.JPG)

              johnpoz LAYER 8 Global Moderator

              While that rule allows your ipv6 out... where are your inbound rules? How exactly do you have ipv6 set up?

              Native dual stack from isp, HE tunnel?

              Your inbound rules would have to be where inbound would be seen first, wan or your tunnel, etc.

              From outside, trying to ping one of your IPv6 console IPs, do you see it allowed, do you get an answer, or is it blocked?

                Wayne.C1972

                For Ipv6 I have Comcast which runs native ipv6.

                Using online ping test http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-ping.php I am able to successfully ping my XBOX One at its ipv6 address

                Comcast_Wan.JPG

                  johnpoz LAYER 8 Global Moderator

                  ok I see 42 states open via ipv6.. so is your stuff working now?

                    Wayne.C1972

                    @johnpoz:

                    ok I see 42 states open via ipv6.. so is your stuff working now?

                    Currently I have verified IPv6 working and I have IPv4 NAT Type OPEN for both Xbox Ones. But I still have many connection issues. I am pretty sure that pfsense is causing the connection problems. I believe pfsense CANNOT properly negotiate the UPnP traffic for both consoles even though I have NAT Type OPEN.

                      savagews6

                      @Wayne.C1972:

                      @johnpoz:

                      ok I see 42 states open via ipv6.. so is your stuff working now?

                      Currently I have verified IPv6 working and I have IPv4 NAT Type OPEN for both Xbox Ones. But I still have many connection issues. I am pretty sure that pfsense is causing the connection problems. I believe pfsense CANNOT properly negotiate the UPnP traffic for both consoles even though I have NAT Type OPEN.

                      I've been in the works on configuring my dad's Xbox One and triggering port forwards. All of my other applications, qBittorrent, OpenVPN ports are working correctly. I've done multiple NAT changes that I've found around reddit and here. Best I got was Moderate NAT, but then I lost it and went back to strict. Unfortunately no experience with the Xbox One on 2.2.6 but curious if that is any different.

                        johnpoz LAYER 8 Global Moderator

                        "But I still have many connection issues"

                        Do you have static ports set for everything? Like I said, that sort of config is BORKED!!! And yeah, you're going to have issues with that sort of setup.. A port here or there when only 1 thing would be using the ports at a time, ok… But you cannot just say all ports static when you have devices wanting to use the same ports and other devices using napt (network address port translation) to share the 1 public IP.

                        If you want multiple consoles for ipv4, then you really should have multiple IPv4 addresses.. It amazes me that it would still use ipv4 if it can do ipv6. Every other OS on the planet, if it has ipv6, prefers it over ipv4, and won't even use it unless ipv6 isn't available for what it's trying to do.

                          W4RH34D

                          It only works for me with manual outbound nat with per device static port entries in the outbound nat rules for allow any udp to that device.  I could make it more secure but I have a "gaming" subnet with more lax rules.

                          Did you really check your cables?

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.