PFsense - Multiple Xbox One(s) NAT Type Fail.
-
Pfsense - Causing disconnect from gaming server on XBOX One.
I have a multi-WAN environment with FiOS and Comcast as my providers. FiOS is used primarily for work and Comcast for play. FiOS provides cable, internet and phone services. I have several gaming consoles in the home for me and my 3 kids: 2 XBOX Ones, 2 Xbox 360s and 1 Wii, plus more than half a dozen PCs, tablets, phones and such. I also have a PIA VPN which I use for Transmission, which is running on my FreeNAS server. I have Transmission, CouchPotato, SickRage, SABnzbd and Plex all running on my FreeNAS server. The PIA VPN tunnels through the Comcast connection. Needless to say my setup is a little more than the average home user's, and it was a bitch and many hours to get everything working smoothly.

My Xbox 360s and my Xbox Ones all have open NAT with all services available. This was done with port forwarding to an alias group and UPnP. Everything had been working well until I started playing The Division. I added the required ports to the XBOX port forwarding alias TCP/UDP groups and it was working fine. But now I am getting DELTA ERROR 20001014 every 5-10 minutes and I am disconnected from the game. This happens on both consoles at the same time. It only happens for this game. I am pretty confident that pfsense is causing the issue. I connected the XBOX One directly to the Comcast modem and played for hours without a single incident. Once I connect it to the pfsense, within 5-10 minutes: DELTA ERROR 20001014. Ubisoft Support is absolutely useless as they can't even give me the definition of the error code DELTA ERROR 20001014.

So my question to all the smarter people than myself: how the hell can I find out what in pfsense is causing this problem? I have also been running Wireshark monitoring communication on the XBOX One's IP and nothing stands out. Not that I am any good with Wireshark. But what I am looking for is... ANY HELP from ANYONE??? It sucks that The Division is my favorite game as of late.
Can someone give me some direction on how to root this out?
-
On the LAN interface you're gaming on, do you have the default allow any rule?
If so, then just add the computers in outbound NAT and turn on UPnP.
There's already a topic about this for other games. This works for me, as I play The Division occasionally.
If you're not using the default allow any rule on the subnet, you'll need to make rules for the uplay/steam/division ports and probably make a firewall alias for all computers that are going to play on the subnet.
Question 1. With the current setup can one play without issues and only happens when more than one player is on?
Question 2. What traffic is being blocked in the log?
Question 3. Are you using Squid?
Battlefield is notorious for this too for players trying to play together on the same local network joined to an online server. They use some sort of shit where instead of ICMP echo pings, they use TCP for pings, and pfsense hates it.
Suggestion 1. Packet Capture a game session that works completely. Are all the ports being used in the perfect session open and configured for your gaming alias?
Suggestion 2. https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules
Taken from the Bungie support site for Destiny.
"If you are afraid that you may have forwarded ports incorrectly, don’t worry: it can be undone. Please try removing any existing port forwarding rules that you implemented for gaming and enabling UPnP in your router settings if your networking hardware is updated to a recent firmware. UPnP is also typically the best solution if you have more than one gaming console on your network as each required port can only be forwarded to one console at a time. If you have UPnP on and no other forwarding rules and the problem still occurs, or if your networking hardware/setup doesn’t support UPnP, ONLY THEN attempt to forward ports manually.
Port forwarding can be an incomplete solution at best if you have more than one gaming console behind your router – you may fix the problem for one console, while causing more severe issues for the other."
Clearly not every game developer spends as much time or has the appropriate talent to write netcode that will operate correctly without using hack code or jerry-rigged systems.
Destiny and BF4 both get denied and cause blips on my pfsense rig because of things like trying to connect outside of the port spec they requested be open, or using strange flags on 443, or any number of things.
Overwatch has less of an issue and only randomly disconnects me once an hour or so.
Just because you have the ports forwarded through UPnP or NAT rules doesn't mean your ports are open for the gameplay traffic.
The days of dedicated servers are gone. What we have now, "matchmaking", is almost impossible for me to get going correctly on any type of white-list rule setup.
You'd be better off separating your WANs entirely, using a gaming router on your Comcast and pfsense on your business.
Do you have access to the pfsense book? It will clear up a lot.
I just solved my Destiny issue by busting it out. Packet Capture saw the 443 issue I had. I went and looked and lo and behold my rule for 443 was not formatted correctly.
Boom - no more red packet capture and rando disconnects.
-
My apologies for the delay in response.
Question 1. With the current setup can one play without issues and only happens when more than one player is on?
No, it still happens even with only one XBOX One on.
Question 2. What traffic is being blocked in the log?
Most if not all of the blocks say blocked by Default Deny rule.
Question 3. Are you using Squid?
I have removed Squid, Snort and pfBlockerNG.
Suggestion 1. Packet Capture a game session that works completely. Are all the ports being used in the perfect session open and configured for your gaming alias?
Will do. Gotta learn wireshark a little better. I have done some captures using the Packet Capture under diagnostics. But nothing stands out. I have to learn how to go with the packet analysis.
Suggestion 2. https://doc.pfsense.org/index.php/Asymmetric_Routing_and_Firewall_Rules
I tried this, not sure if it made a difference. But the disconnects seem to happen a lot less frequently.
Do you have access to the pfsense book?
I do, but is there a part I should focus on for this issue?
I just solved my Destiny issue by busting it out. Packet Capture saw the 443 issue I had. I went and looked and lo and behold my rule for 443 was not formatted correctly.
What in particular did you find wrong? Also, I removed all of the port forwarding rules and have only UPnP running. I have a firewall LAN rule that routes all of my game systems to the Comcast WAN, which is the WAN that is configured for UPnP. XBOX One network status is OPEN NAT with ALL services available. One thing I did notice: I was playing The Division and my son was playing Destiny (we just got it :-) ). We were in a party chat and we both got disconnected from our game sessions at the exact same moment, but were not disconnected from the network, XBOX Live or the party chat.
You'd be better off separating your WANs entirely, using a gaming router on your Comcast and pfsense on your business.
I have done this as a temporary workaround, but then I can't use the XB1s to access my Plex server and I also can't stream to my PC.
Appreciate any assistance.
-
Hmm, with what you've told me it sounds like you may need to set your firewall optimization to Conservative under System > Advanced > Firewall & NAT.
I like to review the firewall rules in the book. I had the source set to something strange for my 443 rule (since I'm not using the any rule).
In Wireshark I'd just sort by the ports, see what all is there, and make sure there's a corresponding rule for each.
-
It's basically a message that says "I can't talk to the server". I get the same message from time to time on PS4. The error message also displays when there is an issue with the server side of The Division. XBOX and PS4/PS3 are very finicky when it comes to NATs and routing.
I ran into a reddit post that helped me, although it requires opening up your rules a bit which some might be uncomfortable with.
https://www.reddit.com/r/PFSENSE/comments/2uc645/need_help_getting_open_nat_on_ps4/
I've had a much better experience on my PS4 by following the recommendation in that thread about going to static IPs on the consoles with UPnP turned on, but restricted to those IPs.
I assume you've already seen this, but if not maybe this can help. It lists a number of ports that they recommend opening up for the Division specifically. A lot of these are used by other games as well.
https://support.ubi.com/en-GB/Faqs/000024737/Connectivity-issues-in-The-Division-on-Xbox-One
Another option is to put consoles on their own subnet with relaxed or full access to the internet, but blocked from the rest of the pfsense subnets. But, that hinders your ability to access LAN resources like Plex from your consoles.
For me opening up UPnP, but restricting it to just my PS3 and PS4 IPs has worked well and I can still access Plex for example from the console.
-
Another crazy idea would be doing IPv6 on the gaming subnet, if your ISP is into that sort of thing.
-
Thought I had solved this with UPnP. I turned off all port forwarding and only turned on UPnP. I limited UPnP to only the 2 Xbox Ones. The first XB1 worked like a champ. The second XB1 only seems to be able to get NAT TYPE: Strict. Therefore it was unable to chat, but was still able to play multiplayer such as Destiny. My temporary patch for now is to put the XB1(s) on a separate router coming off the Comcast modem and plug my pfsense Comcast_wan into one of the ports on the router. With this setup I get open NAT on both XB1s, but now they don't integrate with the rest of my network. I don't understand why a crap Cisco E1000 router can manage to make this work but the pfsense cannot.
-
Can you try the IPV6 thing? Microsoft specifically put it in there for scenarios like these.
-
Tried all of the solutions above. The best I could get was open NAT on the first XB1, moderate on the second XB1. This was achieved by configuring each XB1 to use a different WAN and port forwarding. UPnP would only work with one XB1; the other would get unavailable NAT and fail the multiplayer test. Will attempt IPv6 only, could use some guidance. Not able to pass test-ipv6.com unless the pass rule for IPv4 is enabled.
OK, added the rule for IPv4. test-ipv6.com and ipv6-test.com both pass. Still have strict NAT, but did pass the multiplayer test and haven't had any issue with game chat or party chat. Will do more testing and will test on the other XB1 tomorrow. It's 3am, I'm going to bed.
-
OK, so I have IPv6 fully working and can confirm that the XB1s both have valid IPv6 addresses and they both pass ipv6-test. They both still have STRICT NAT and I am seeing communication/multiplayer issues for different games. Does anyone know if it is possible to get open NAT with IPv6? Is it possible to have UPnP over IPv6? https://forum.pfsense.org/index.php?topic=118033.0 Will that fix my issue? This is so damn frustrating.
-
I am not sure how much help I can be here, but I just finally got this working with 5 Xboxes with open NAT and proper communication between them.
First, follow this post about setting up manual outbound NAT on the PS4 from AhnHEL (works the same way on Xbox):
https://forum.pfsense.org/index.php/topic,69319.msg384435.html#msg384435
I have heard Hybrid NAT is easier; you might try that. You give each Xbox a DHCP reservation. Then you create a manual outbound rule at the top for their addresses, or their IP range, and check the box for static port. Xboxes have a horrible time dealing with randomized ports; this is a problem on Microsoft's end, NOT pfsense. Next, set up UPnP as he/she instructs (I did the optional step to restrict UPnP to my Xboxes only). This will give you open NAT. Then go to System > Advanced > NAT Reflection and set it to NAT + Proxy. Then clear your firewall states in Diagnostics > States > Reset States (this will kill internet for a couple of seconds; you will need to refresh) OR reboot your system and shut down and kill power on your Xboxes. Check in Settings > Network > Advanced Settings on the Xboxes and make sure they are picking up the IPs you assigned them. I did this setup, and I have 5 Xboxes with open NAT and they can all now play together in one game and Xbox party.
I also added the rules on LAN from "databeestje" (thank you) on the page below for multicast traffic. Also, after reading the setup more closely, AhnHEL's guide is just a more detailed explanation of the UPnP method in the sticky; the sticky is just a little confusing because of the new updated interface. I would add enabling NAT Reflection: NAT + Proxy.
Add these 2 allow rules on the LAN interface:
* LAN net * 224.0.0.0/8 * * none Allow Multicast
* LAN net * 239.0.0.0/30 * * none Allow Multicast
NOTE: I am a newb with pfsense. I am an IT technician in my daily life, but networking is one of my weaker areas. A much more senior member recommended IPv6, and I am sure it is a better setup; this is working for me now, and I will try IPv6 as a project later.
ALSO, the key to open NAT seemed to be the static port manual outbound NAT rule, and the key to us all being able to play together from one network seemed to be NAT Reflection: NAT + Proxy. If you can get IPv6 working, that would be great! I would love to hear how it is working for you. I know that NAT is not really part of IPv6; you can set one up, but you don't need to, and I assume that it is not this way by default, so maybe your problem is in your firewall rules? I know the firewall will still be affecting traffic on IPv6, and you need it too, since without NAT that is the only thing between you and the barracuda and shark riddled ocean that is the open internet.
-
Setting static NAT for all ports is a borked configuration. While it might be some sort of MacGyver workaround for broken configurations in console games, it will cause issues at some point if you're running multiple machines behind it, because here is what is supposed to happen.
So device1:portA --> destIP:portX (NAT device) publicIP:portA --> destIP:portX
So that can work. But now what happens when you have device2:portA as its source? How is the NAT supposed to work? That is the whole point of NAPT and sharing of 1 public IP: when your different devices happen to use the same source port for some sort of communication on the public side of the NAT, the NATter, i.e. pfsense in this case, can just keep track of the connection and use a different FREE source port for the public side of the connection.
With NAPT you end up with this:
device1:portA --> destIP:portX (NAT) publicIP:portA --> destIP:portX
device2:portA --> destIP:portX (NAT) publicIP:portB --> destIP:portX
device3:portA --> destIP:portX (NAT) publicIP:portC --> destIP:portX
etc.
With static port mapping this breaks down as soon as you have more than 1 device trying to make connections to the outside with the same port. This might rarely happen with a handful of devices, but as you ramp up the number of devices behind your NAT your odds of it happening ramp up as well.
The use of IPv6 is supposed to fix all of these issues these games have with being behind a NAT, since all the devices will have a public IP. So if they want, sure, they can all use the same source port in the sessions since they all have their own IP.
If you're seeing issues with it stating your strict NAT, I would assume it's testing your IPv4 and not your IPv6. IPv6 has no NAT, so how would it be anything NAT? But yes, you're going to have to make sure your firewall rules allow the traffic you want when you start using IPv6.
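To make the port-collision argument above concrete, here is an added toy model of a NAPT gateway sharing one public IPv4 address. It is illustrative Python written for this thread, not pfSense or pf code, and it does not reproduce pf's state machine. It also shows the inbound side of the same limitation that the Bungie advice quoted earlier describes (a public port can only lead back to one console). The addresses and ports are constructed sample values, the sequential port allocation stands in for pf's randomised pick, and treating a colliding static-port flow as dropped is an assumption of the model.

```python
"""Toy NAPT gateway: default port rewriting versus "static port" mapping.

Two outbound policies are modelled (this is an illustration, not pf code):
  * napt   - rewrite the source port of each outbound flow to a free public
             port (what pfSense's default outbound NAT does; pf picks the
             port randomly, this model hands them out sequentially)
  * static - keep the private source port on the public side (the "static
             port" checkbox on a manual outbound NAT rule)
All addresses and ports are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed public address (TEST-NET-3)
EPHEMERAL_START = 50001      # first public port the napt policy hands out

Flow = Tuple[str, int, str, int]          # (src_ip, src_port, dst_ip, dst_port)
Endpoint = Tuple[str, int]


@dataclass
class Mapping:
    private: Endpoint      # the LAN host:port behind the gateway
    public_port: int       # port used on PUBLIC_IP for this flow
    remote: Endpoint       # the internet peer this mapping talks to


class NaptGateway:
    def __init__(self, static_port_hosts: Optional[Set[str]] = None) -> None:
        self.static_hosts = static_port_hosts or set()
        self.by_flow: Dict[Flow, Mapping] = {}
        # The public side is keyed on (public_port, remote): two mappings
        # can never share that key or replies could not be told apart.
        self.by_public: Dict[Tuple[int, Endpoint], Mapping] = {}
        self.dropped: List[Flow] = []
        self.next_port = EPHEMERAL_START

    def _free_port(self, remote: Endpoint) -> int:
        while (self.next_port, remote) in self.by_public:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, src_ip: str, src_port: int,
                 dst_ip: str, dst_port: int) -> Optional[Mapping]:
        """Translate an outbound packet; None means the gateway dropped it."""
        flow: Flow = (src_ip, src_port, dst_ip, dst_port)
        remote: Endpoint = (dst_ip, dst_port)
        if flow in self.by_flow:                 # existing state, reuse it
            return self.by_flow[flow]
        if src_ip in self.static_hosts:
            public_port = src_port               # static port: no rewrite
            if (public_port, remote) in self.by_public:
                # Modelled assumption: a second flow that would need the
                # identical public tuple cannot get its own state.
                self.dropped.append(flow)
                return None
        else:
            public_port = self._free_port(remote)
        mapping = Mapping((src_ip, src_port), public_port, remote)
        self.by_flow[flow] = mapping
        self.by_public[(public_port, remote)] = mapping
        return mapping

    def inbound(self, remote_ip: str, remote_port: int,
                public_port: int) -> Optional[Endpoint]:
        """Reverse lookup for a reply arriving on PUBLIC_IP:public_port."""
        mapping = self.by_public.get((public_port, (remote_ip, remote_port)))
        return mapping.private if mapping else None


def demo_static_port_collision():
    """Two consoles with static port both use 3074 towards the same service."""
    gw = NaptGateway(static_port_hosts={"192.168.1.20", "192.168.1.21"})
    first = gw.outbound("192.168.1.20", 3074, "198.51.100.5", 3074)
    second = gw.outbound("192.168.1.21", 3074, "198.51.100.5", 3074)
    return (first.public_port if first else None, second, list(gw.dropped))


def demo_napt():
    """Same two flows under plain NAPT: each gets its own public port."""
    gw = NaptGateway()
    first = gw.outbound("192.168.1.20", 3074, "198.51.100.5", 3074)
    second = gw.outbound("192.168.1.21", 3074, "198.51.100.5", 3074)
    reply_to_second = gw.inbound("198.51.100.5", 3074, second.public_port)
    return (first.public_port, second.public_port, reply_to_second)


if __name__ == "__main__":
    print("static port:", demo_static_port_collision())
    print("napt:       ", demo_napt())
```

Under the static policy the second console's flow has nowhere to go on the public side, which is the "more than 1 device ... with the same port" case in the post; under plain NAPT the gateway rewrites the port and the reply still finds the right console, at the cost of the console no longer seeing the port it expected.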
-
If you're seeing issues with it stating your strict NAT, I would assume it's testing your IPv4 and not your IPv6. IPv6 has no NAT, so how would it be anything NAT? But yes, you're going to have to make sure your firewall rules allow the traffic you want when you start using IPv6.
That part I do understand. Currently I believe I allow ALL IPv6 traffic for my gaming network (the network that my Xbox Ones are on). I think the problem lies within the Xbox Ones. They don't seem to switch to IPv6 only. They accept IPv6 and acquire link-local and global IPv6 addresses, but they ALWAYS defer to the IPv4 network. But if I take and put both Xbox Ones on my cheap Cisco (Linksys) E1000 IPv4-only router with UPnP... no problems at all! Why can that POS router work it out and pfsense cannot?
![Gaming Rules.JPG](/public/imported_attachments/1/Gaming Rules.JPG)
-
While that rule allows your IPv6 out, where are your inbound rules? How exactly do you have IPv6 set up?
Native dual stack from the ISP, HE tunnel?
Your inbound rules would have to be where inbound traffic would be seen first: WAN or your tunnel, etc.
From outside, trying to ping one of your IPv6 console IPs, do you see it allowed, do you get an answer, or is it blocked?
-
For IPv6 I have Comcast, which runs native IPv6.
Using the online ping test http://www.subnetonline.com/pages/ipv6-network-tools/online-ipv6-ping.php I am able to successfully ping my XBOX One at its IPv6 address.
-
OK, I see 42 states open via IPv6. So is your stuff working now?
-
OK, I see 42 states open via IPv6. So is your stuff working now?
Currently I have verified IPv6 working and I have IPv4 NAT Type OPEN for both Xbox Ones. But I still have many connection issues. I am pretty sure that pfsense is causing the connection problems. I believe pfsense CANNOT properly negotiate the UPnP traffic for both consoles, even though I have NAT Type OPEN.
-
OK, I see 42 states open via IPv6. So is your stuff working now?
Currently I have verified IPv6 working and I have IPv4 NAT Type OPEN for both Xbox Ones. But I still have many connection issues. I am pretty sure that pfsense is causing the connection problems. I believe pfsense CANNOT properly negotiate the UPnP traffic for both consoles, even though I have NAT Type OPEN.
I've been in the works on configuring my dad's Xbox One and triggering port forwards. All of my other applications, qBittorrent and OpenVPN ports, are working correctly. I've done multiple NAT changes that I've found around Reddit and here. The best I got was Moderate NAT, but then I lost it and went back to Strict. Unfortunately I have no experience with the Xbox One on 2.2.6, but I'm curious if that is any different.
-
"But I still have many connection issues"
Do you have static ports set for everything? Like I said, that sort of config is BORKED!!! And yeah, you're going to have issues with that sort of setup. A port here or there, when only 1 thing would be using the ports at a time, OK. But you cannot just say all ports static when you have devices wanting to use the same ports and other devices using NAPT (network address port translation) to share the 1 public IP.
If you want multiple consoles for IPv4, then you really should have multiple IPv4 addresses. It amazes me that it would still use IPv4 if it can do IPv6. Every other OS on the planet, if it has IPv6, prefers it over IPv4, and won't even use IPv4 unless IPv6 isn't available for what it's trying to do.
-
It only works for me with manual outbound NAT with per-device static port entries in the outbound NAT rules, allowing any UDP to that device. I could make it more secure, but I have a "gaming" subnet with more lax rules.