Multiple Xboxes on the same network, Open NAT, cannot play together



  • Hello,

    I know that this is something you probably don't want to see again, but I am having problems getting multiple Xboxes to talk to each other. They all have Open NATs, which I achieved by following the instructions below, using static ports and giving them all static DHCP mappings. They all say Open NAT, and they all have the IPs I have assigned them, but we cannot play with each other on the same network. I know this is the last thing you want to see on a professional UTM networking forum like this, but I would appreciate the help.

    UPnP and NAT-PMP are enabled. I added one ACL (even though "Deny UPnP by default" is NOT enabled/checked); I added this line in an attempt to fix the issue: allow 53-65535 10.0.0.0/28 53-65535

    I followed the instructions found here, by AhnHEL; I used the "for Advanced Users" section:
    https://forum.pfsense.org/index.php/topic,69319.msg384435.html#msg384435
    ![wan rules.PNG](/public/imported_attachments/1/wan rules.PNG)
    ![firewall rules.PNG](/public/imported_attachments/1/firewall rules.PNG)
    ![Outbound nat mapping.PNG](/public/imported_attachments/1/Outbound nat mapping.PNG)


  • Rebel Alliance Global Moderator

    You're going to have a problem here with NAT reflection most likely.. If you want multiple Xboxes to play together from the same network, NAT is not going to be your friend for sure.  Why don't you just use IPv6, so there is no NAT, and the boxes will be smart enough to know when talking to these IPs that the IP is local, etc.



    Well, I am certainly not opposed to it; I have not used IPv6 much and simply chose IPv4 because it was what I was experienced with. Also, I am not entirely sure it is a local-to-local issue. The problem I am having is creating a "Party" in the game: we can create an Xbox Live party without issue, but we cannot create a Destiny fireteam (in-game party) so we can actually play together. I would be willing to give IPv6 a shot; what settings should I change? I guess I would need to reassign the DHCP leases in IPv6. Anything else? Is NAT reflection worth a shot?  Thank you so much for the help.


  • Rebel Alliance Global Moderator

    You could try NAT reflection.. But to be honest, to me it's a networking abomination that should be avoided at all costs ;)

    I don't have multiple Xboxes or even 1 to test/play with..  But in general you're going to have issues unless there are some real smarts to the game..  Unless you can set up in the game, say, a local LAN party??  Otherwise all these consoles are logging in to some central place.

    You might even have restrictions in the game for players all coming from the same IP, which I assume you are, unless your ISP has given you more than 1 IPv4 or you have multiple ISPs involved?

    But think about it.. you have game console 1 whose public IP is 1.2.3.4 and uses port X; now you have game console 2 with the same public IP 1.2.3.4 but port Y.  Even if this is allowed, you have console 1 trying to talk to console 2, so he sends a packet to your own public IP 1.2.3.4:Y that has to be reflected back for it to work.

    Does your ISP provide IPv6?  If not, get a tunnel from HE..  Now all your consoles should use their IPv6 address.  And there will never be any sort of NAT at all, and when console 1 wants to talk to console 2 on ipv6:port it will know that it is on the same /64 and not even have to go through pfSense, etc..



    I do have an IPv6 address from my provider, so I am assuming they do support it. Do I need to change a setting to prefer IPv6 over IPv4? I think I read that I do not; are there any other settings that should be configured to enable full IPv6 support?

    I hate to ask, but I am also interested in NAT reflection.  I tried turning on NAT + Proxy and it allowed one of us to connect, but it did not allow more than 1.  I am willing to sacrifice some security; I have all of the Xboxes contained in 10.0.0.0/28 (the first 15 IP addresses). I know that I cannot make a port forward rule to multiple machines.  I know that the traffic will be coming from the 10.0.0.0/28 subnet, and I know it will be going back to that subnet from the external IP. Would anyone be willing to give me an example of a NAT rule that might help? It almost seems like I need a port forward… but that makes no sense to me; I cannot port forward to a whole subnet, and I cannot forward ports when I am not sure which ports they will be using at what time.  Would I need a rule connecting the gateway back to my own internal subnet? That sounds goofy, but I will do it if need be lol.



  • I'm curious about this as well.
    I connected pfSense and both my boxes are Strict NAT. We can join each other in Destiny but only 1 Xbox can chat and hear chat. The other Xbox hears chat but cannot chat.

    I followed a guide here https://forum.pfsense.org/index.php?topic=103901.0 but that left my Xbox with no Teredo IP and thus no multiplayer at all. Why is this so hard?

    I came from a regular cheap TP-Link router with only UPnP turned on, and both Xboxes were Moderate NAT, but we could play and chat in all games.



  • I think it is working!

    ianroberts, follow the instructions on this guide: https://forum.pfsense.org/index.php/topic,69319.msg384435.html#msg384435. You give your Xboxes DHCP reservations (which you only need to do once, and on the router; you never have to touch the Xbox, except to get the MAC address), then you set outbound NAT to Manual (or I have heard that Hybrid works as well) and make an outbound NAT rule that covers your Xboxes, or your subnet (I used an IP calculator to figure out what I could use). In the rule, check "Static Port"; this is very important because Xboxes are horrible with security and cannot handle port randomization (from what I can tell).  The only thing that I had to change is System > Advanced > Firewall and NAT, and enable NAT Reflection: NAT + Proxy. Then clear your firewall states in Diagnostics > States > Reset States (or just reboot the system and the Xboxes; kill all power on the Xboxes). It is currently working for me. It is a hassle, but the guide gave me Open NAT on all systems, and the NAT + Proxy seems to be working for playing together.

    I am still interested in IPv6; it sounds like the better way to go, and I would love to make things better.  Maybe we can do this without all this setup.  I am researching this. Thanks for the help, and I appreciate any tips for IPv6 :)



  • @jax7778:

    > I think it is working!
    >
    > ianroberts, follow the instructions on this guide: https://forum.pfsense.org/index.php/topic,69319.msg384435.html#msg384435. You give your Xboxes DHCP reservations (which you only need to do once, and on the router; you never have to touch the Xbox, except to get the MAC address), then you set outbound NAT to Manual (or I have heard that Hybrid works as well) and make an outbound NAT rule that covers your Xboxes, or your subnet (I used an IP calculator to figure out what I could use). In the rule, check "Static Port"; this is very important because Xboxes are horrible with security and cannot handle port randomization (from what I can tell).  The only thing that I had to change is System > Advanced > Firewall and NAT, and enable NAT Reflection: NAT + Proxy. Then clear your firewall states in Diagnostics > States > Reset States (or just reboot the system and the Xboxes; kill all power on the Xboxes). It is currently working for me. It is a hassle, but the guide gave me Open NAT on all systems, and the NAT + Proxy seems to be working for playing together.
    >
    > I am still interested in IPv6; it sounds like the better way to go, and I would love to make things better.  Maybe we can do this without all this setup.  I am researching this. Thanks for the help, and I appreciate any tips for IPv6 :)

    Do you have a screenshot of your firewall rules? I tried it and no change; I get Strict NAT and can play/chat between my 2 Xboxes.  However, when one Xbox is online and in a party chat, the other Xbox cannot join any party chat, which is strange because we can join each other's party chat if it's just the 2 of us.



  • Sorry, I forgot to check back here. I should have time to post my firewall rules over the weekend.



  • Here are my firewall rules; there are some duplicates that should have been covered by LAN to anything, but I saw them in my firewall logs being blocked, so I added them.

    EDIT: I have removed my rules; I will re-upload my specs once I have straightened them out.


  • Rebel Alliance Global Moderator

    I see no hits on those rules other than your IPv4 first rule..  So what exactly would be the point of the multicast rules?  What do you think those rules would accomplish exactly?



  • Johnpoz, I admit they don't make one lick of sense; I was literally just trying everything I could. I saw on another post that it worked for someone, so I tried it. My rules are kind of a mess right now. After doing everything that I did, we still had problems getting more than two people to play together. I am going to clean up my rules and post everything I did to make this work; if it is inaccurate or incorrect information, I can take it down.  These rules are not the answer, and I took them down. The keys were the static DHCP reservations, the static outbound NAT ports for my 10.0.0.0/28 subnet, NAT reflection (I know, I should and will switch to IPv6 at some point) AND blocking port 3074 in the UPnP Access Control Lists.  I noticed in my UPnP sessions that Xboxes that had problems were getting 3 sessions instead of two.

    Normally each Xbox One created two reservations for itself: 1 for Teredo, one for the game (usually Demonware portmapping). The Xbox with problems would create 3 sessions: one for the game, and then 2 Teredos, one under a random port in the dynamic range and one on the default port of 3074. I know this is more than you asked.

    Also, I understand that this is an enterprise solution, and that a lot of other enterprise firewalls don't even have UPnP or other consumer router features.

    Johnpoz, I am sorry I have ticked you off so much; I know you and the other high-level forum members deal with a lot of crap on these forums, and you are probably sick of people like me who use this in a gaming home.  Thank you for all of your help.


  • Rebel Alliance Global Moderator

    You did not tick me off, and it's great that you and others and even myself use it in a home setup.

    The thing that does get frustrating is the same questions over and over and over and over again ;)  And then people posting (trying to help) what they say works when it clearly has nothing to do with anything at all.

    Anyone suggesting use of static NAT for their whole network is asking for trouble - this is NOT a valid configuration by any means.  It cannot work with any actual traffic.  You're going to run out of ports to do NAPT with.  Now if you have a handful of sessions doing NAT you might run into a problem, or it would be so rare you wouldn't put 2 and 2 together.  But it's a borked sort of setup, plain and simple.

    As to running UPnP and port forwarding at the same time for your consoles?  Use one or the other!  If you ask me, what is broke is the makers of these console games.  They should clearly and loudly make it easy to find the ports required for XYZ to work.  If you're going to promote IPv6 then use it and use it correctly.  That it tries to make a Teredo connection when it has a global IPv6 address is beyond stupid!!!!

    Why don't you just put it on an IPv6-only network, NO IPv4; does it work then?



  • I completely understand the port forwarding and UPnP at the same time. It makes no sense, to the point where no matter what anyone says, I am not going to try that. It is illogical. (I know, I can't talk.)

    Also, I think there might be some confusion here about people suggesting "static port." From my research, the people who knew what they were talking about (few and far between, and I am not one) were suggesting turning on "Static Source Port Mapping" in our outbound NAT configuration. This seems different from "Static NAT" which is routing all data from one external IP to a specific internal IP.

    What we or I enabled was static source port mapping, from this document in the pfsense wiki:
    https://doc.pfsense.org/index.php/Static_Port

    I also only enabled it for my /28 subnet, so it is only for the first 14 addresses.

    This also only applies for outgoing traffic, but requested traffic would end up coming in on the same port it left, and we have UPnP for other incoming traffic, right?

    If static source port mapping is what you meant, I have a question (albeit a mostly academic one, please don't feel the need to answer.)

    Static source port mapping has always seemed like a bad idea security wise, because people can tell by port number what type of traffic it is. However, I don't really get how it is running me out of ports.

    From my understanding, in normal randomized port operation, traffic flows out of my router on different internal and external source ports: going out on one internal port, then routed to a randomized external port, recorded by the router, before reaching the web. This is what some devices, like the Xbox, seem unable to tolerate; they want the source port to be whatever port they originally sent the traffic on, not some other random source port.

    In contrast, static port mapping instructs the router to no longer randomize the external source port: the internal source port is the same as before, and the external source port is exactly the same as the internal port.

    In either scenario, I am using the same number of internal and external ports; the difference is that if I have the default port randomization turned on, then traffic flows out internal port 2001 and out externally on some other unused port, like 52120. Whereas in static source port mapping, traffic leaves on the same internal and external port, such as internal port 2001 and external port 2001.

    From what I can work out, the limit would be 65535 ports (in a home setup) in either case, because whether the outgoing port is randomized or not, you still only have 65535 ports with which to work?

    I know that is really long-winded, but I am curious, do I have that wrong?


  • Rebel Alliance Global Moderator

    "Static Source Port Mapping"

    That model is BROKEN!!  You cannot put multiple systems behind NAPT, which is what pfSense does..  And have it use the source port of the original connection made by the boxes behind the NAT.

    So I have device A; he wants to talk somewhere.. Does not matter where, so he creates a connection to it with some source port the client comes up with..

    So client 192.168.1.100:45678 --> publicIP:destPORT (NAT Router) srcPublicIP:45678 --- destpublicIP:destport

    So that would be static setup..

    Now what happens when 192.168.1.101 just happens to use that same source port of 45678? What about 192.168.1.102, 103, 104, etc. etc..

    Your clients are not talking to each other and saying.. Hey, you use port A for your source and I will use source port B, etc.  Yes, you are correct, you have 65k ports that you could use with your 1 public IP you're NATting all your clients to.  pfSense is the one that determines hey, .100 is making a connection from source 45678.. Oh shit, .101 had a connection using that same port but I changed it to 47812, so let's change .100's connection to use 47813..

    How many clients do you have?  How many actual connections are they making to the internet.. You only have your 65K source ports you can use with your 1 public IP.  Your clients are not talking to each other.. So there is nothing saying that client A would use the same source port as client B..  But since pfSense is told he has to use the same source port - what happens???

    What tells the client, hey sorry buddy, I couldn't NAT your connection because the port you were using was already in use.. So what happens to that connection?  Client sends a few retrans for the SYN.. But never hears anything back.. So he tries to make another connection??  So he uses sourceport+1; what if that is in use by client C already?

    That is why that model is BORKED!!  When pfSense can change the source port, then yes, all your clients can share the 65k source ports.  But when you say they have to be static..  Then depending on how many clients you have and how many connections they create, you are going to run into a problem with client A making a connection using the same source port as client B for some connection.  And guess what, systems normally all start their connections in the same place..  So you have say 5 or 6 PCs and they all get turned on about the same time.. They're all going to be trying to use the same source port space..

    On your Windows machine:

    ```
    netsh int ipv4 show dynamicport tcp

    Protocol tcp Dynamic Port Range

    Start Port      : 49152
    Number of Ports : 16384
    ```

    So it starts at port 49152, and then starts counting up..  All your machines would be using the same range as their starting point.. So as I mentioned before, if you have a couple of devices making limited connections, maybe you don't see the problem or the problem only hits once in a blue moon.  But you increase your number of clients behind the NAT and you're going to run into more and more and more..  That is why it's BORKED..

    When you say hey, any connections that are using source port of 500, make those the same, i.e. the static setting..  That limits you to 1 client doing that.. So if these console games are so source port locked.. And you have multiple consoles playing the same game.. What determines that they are all using different source ports, and why would the game then work?  You don't have a problem when all the games are coming from different IPs all using the same source port.  But when you have all of them behind the 1 public IP, how does that model work?  Let's say game X uses source port 10000; how do they all use source port 10000 when it can only be used once on your public IP?



  • Thanks for the reply. I was assuming that, if an outbound port was in use, the router simply rejected the connection, reported this to the client, and then the client made the request on another port. I thought that the router would be rejecting the connections, and that would let the client know, "hey, I could not make your connection"; then the client would ask, hey, can I get my connection on port+1.

    I get where you are coming from: in a system of any size, it would cause a backup of broken connections all trying to get the same port, then failing, then either requesting port+1 and failing, then timing out and failing, or just failing.

    Thanks for the info.


  • Rebel Alliance Global Moderator

    How would the router tell the client to use a different port?  Send it a RST?  Even then, it wants to make the connection; it's just going to try with +1 using the next source port.  Once you have a bunch of clients using the same range of ports.. Which all Windows clients all start off using the same.. you're just going to have a crap load of failed connections.

    The whole reason for NAPT is to allow for multiple clients all using the same source port with different IPs behind 1 IP, etc.



  • I tried an experiment: I set up IPv6 on my network and tried connecting, and still had issues. So I tried disabling IPv4 altogether, so we were communicating solely on IPv6. The Xboxes could connect; however, my game started throwing errors about no internet connection detected. After some research, I found one forum post from a Bungie (developer) team member stating that Destiny does not support IPv6. (Not much, but it is all I could find!) It turns out that even though the console as a whole is compatible with IPv6, there is no requirement for their games to be. So it is up to the developers whether they want to support it, and on Destiny, they do not.

    Maybe NAT reflection is really my only option, but that is a mess. If I disable static port mapping for my Xbox subnet, I get a "strict symmetrical NAT" error, which is officially not supported by Xbox Live. I also don't see where pfSense officially uses symmetrical NAT, so this may just be the Xbox reporting incorrect information, but if it does….

    Here is an excerpt from their documentation on "Two different NAT types":

    > 1. The NAT can assign one UDP port to each UDP source port used by a client device, regardless of the destination of the UDP packet. We call this "minimal port assignment policy" because it results in the minimum number of UDP ports being assigned by the NAT. This is also sometimes called a "cone" NAT.
    >
    > 2. The NAT can assign a different UDP port for each UDP destination. We call this an "aggressive port assignment policy" because it results in the NAT assigning many ports. This is also sometimes called a "symmetric" NAT.
    >
    > Symmetric NATs make it very difficult to establish peer-to-peer connectivity between two devices behind NATs. Symmetric NATs are not supported by Xbox Live. A user behind a symmetric NAT will be able to connect to the Xbox Live service and will be able to join some games, but will sometimes encounter problems related to the difficulty of establishing peer-to-peer connectivity, such as problems with in-game voice communication, or the inability to join some game sessions.

    I have another question, and maybe this is where I should have started from. Should I be trying to get a cone NAT, and is there any method of getting "cone NAT" functionality in pfSense? Not full cone, because I understand that is static NAT, but maybe a restricted cone, or port-restricted cone? Or is this one of those things that an enterprise networking platform does not do for security reasons or the like?  If these terms are incorrect, I got my NAT information from:

    https://www.think-like-a-computer.com/2011/09/16/types-of-nat/

    And, if anyone wants it, here is the link to the Xbox Live documentation that the quote is from:

    http://download.microsoft.com/download/5/b/5/5b5bec17-ea71-4653-9539-204a672f11cf/Xbox-Live.doc
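As an added illustration (not code from this thread, from pfSense or from pf) of johnpoz's static-port collision argument and of the two port-assignment policies in the Xbox Live excerpt quoted above, the toy Python NAPT model below assumes one public IP, a Windows-style dynamic range starting at 49152, and constructed RFC 5737 addresses; its "translated" policy is a simplified stand-in for pfSense's default source-port rewriting.

```python
"""Toy NAPT model for two points argued in this thread: why pfSense's 'Static
Port' option collides once several hosts share one public IP, and how a cone
NAT (one public port per source port) differs from a symmetric NAT. Not pf code."""
from dataclasses import dataclass, field
from typing import Optional

PUBLIC_IP = "203.0.113.7"  # constructed public IP (RFC 5737 documentation range)
EPHEMERAL_START = 49152    # start of the Windows dynamic range quoted in the thread
EPHEMERAL_END = 65535


@dataclass(frozen=True)
class Mapping:
    src_ip: str
    src_port: int
    public_port: int
    dst: Optional[tuple] = None  # recorded only by the symmetric policy


@dataclass
class Napt:
    """policy is one of:
    'translated' - pfSense default: the public source port may be rewritten
    'static'     - Static Port: public port must equal the internal source port
    'symmetric'  - a fresh public port per (host, port, destination) tuple"""
    policy: str
    mappings: dict = field(default_factory=dict)  # key -> Mapping
    used: dict = field(default_factory=dict)      # public_port -> Mapping

    def _pick_free(self) -> Optional[int]:
        # Walk upward through the dynamic range until an unused public port is found.
        for port in range(EPHEMERAL_START, EPHEMERAL_END + 1):
            if port not in self.used:
                return port
        return None  # pool exhausted

    def outbound(self, src_ip: str, src_port: int, dst: tuple) -> Optional[Mapping]:
        """Translate an outbound packet. Returns the Mapping used, or None when
        no state can be built (the static-port collision johnpoz describes)."""
        key = (src_ip, src_port, dst) if self.policy == "symmetric" else (src_ip, src_port)
        if key in self.mappings:
            return self.mappings[key]  # existing state is reused
        if self.policy == "static":
            if src_port in self.used:  # another host already owns that public port
                return None
            public_port = src_port
        else:
            public_port = self._pick_free()
            if public_port is None:
                return None
        m = Mapping(src_ip, src_port, public_port,
                    dst if self.policy == "symmetric" else None)
        self.mappings[key] = m
        self.used[public_port] = m
        return m

    def inbound(self, public_port: int, remote: tuple) -> Optional[tuple]:
        """Deliver a packet arriving at PUBLIC_IP:public_port from `remote`. Cone
        policies hand it to the internal endpoint whoever sent it (the 'anyone can
        send to publicIP:port' case described above; real pf also matches the
        state's destination). Symmetric delivers only from the mapping's destination."""
        m = self.used.get(public_port)
        if m is None:
            return None
        if self.policy == "symmetric" and m.dst != remote:
            return None
        return (m.src_ip, m.src_port)


def simulate_two_consoles(policy: str) -> dict:
    """Two consoles boot and both open a session from source port 49152 (first
    port of the Windows dynamic range) to the same game server; console A then
    also contacts a second peer. All addresses are constructed samples."""
    nat = Napt(policy)
    game = ("198.51.100.10", 3074)  # constructed game server
    peer = ("198.51.100.20", 3074)  # constructed second peer
    a1 = nat.outbound("10.0.0.2", 49152, game)
    b1 = nat.outbound("10.0.0.3", 49152, game)
    a2 = nat.outbound("10.0.0.2", 49152, peer)
    return {
        "a_port": a1.public_port if a1 else None,
        "b_port": b1.public_port if b1 else None,  # None = collision, no state
        "a_port_to_peer": a2.public_port if a2 else None,
        # can the peer reach console A on the port A used toward the game server?
        "peer_reaches_a": nat.inbound(a1.public_port, peer) if a1 else None,
    }


if __name__ == "__main__":
    for policy in ("translated", "static", "symmetric"):
        print(policy, simulate_two_consoles(policy))
```

With "static", the second console's first connection gets no state at all, which is the failure johnpoz describes; with "symmetric", the peer's reply to the game-server port is dropped, which is the peer-to-peer problem the Xbox Live document warns about.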


  • Rebel Alliance Global Moderator

    If your games are not going to support IPv6, and these games also want all the members of the game to be using the same source port for their connection..  Then your only solution is to have multiple IPv4 addresses..

    You say you want static source NAT so that the source port talking to the public IP is the same as the game is using when it sends the connection.  Then yeah, you have a problem with multiple machines all looking like they came from the SAME IP.  Maybe they do this on purpose for some sort of game security??

    NAT reflection does not solve your source port issue.  If your ISP will not give you multiple IPv4 addresses..  Maybe you could just get a bunch of VPSs and set up VPN connections to them.  Now you could set up console 1 to use your native connection, console 2 to use your VPN connection, console 3 to use a 2nd VPN connection.

    You can get a VPS for like $15 a year and set up OpenVPN on it, so even if you needed 4 or 5 of these you're only talking less than $100 a year, etc.



  • Well, as you have probably heard before, this works fairly well with a consumer router; we had a Netgear 6250. We sometimes had our 5th member get kicked, but it worked somewhat well. If I could get back to that, that would be enough. I tried this to learn about pfSense and this enterprise routing platform. It is very interesting, and VERY nice to have so much control over your network. I love the OpenVPN setup, and I was really looking forward to using that. It is a great platform; I am just a little sad that I could not find out whatever hidden magic some of the consumer routers seem to have. But I have 4 other people that play in the house I live in, and they don't care as much about that if we can't play together. I mean, most of the time we just get flat-out failures trying to connect to one another, and they just don't seem to show up in the logs.

    However, I am a stubborn person; I am not giving up on this. I will keep this box, and probably use it as my home router at a later date. I will follow updates, and try to figure out what sort of configuration could possibly allow us to communicate with each other peer-to-peer on the same subnet. That is all we really want to fix, and it is still having problems.  I should probably try to analyze the traffic and see if I can figure out what is going on.  If nothing else, IPv6 support will increase, and the whole problem will go away  ;) .

    Thanks, everyone, for all of your help, but my fellow gamers are threatening to smash my little black router box if we can't play together.  So I will probably have to take it offline, and then set up the Netgear again.  I will keep checking this forum to see if anyone else has any ideas. I know there must be something that I am missing.


  • Rebel Alliance Global Moderator

    Well, maybe your consumer router is doing a shitty job at NAT and is just doing a cone NAT where, once you open the port, anyone can send traffic to your publicIP:port and get forwarded to your machine behind the NAT?

    But how does that solve an issue when the game requires the source port to be X?  Does it really only require the source port to be X thru Z?  What is required to figure out your issue is understanding the ports used in the game and any requirements they have, like hey, this connection to destIP:port has to come from source port X.

    Makes no sense why that would be a requirement, to be honest.  Why would you give a shit what the source port is??  If that is the case, it would seem they put in such a restriction to prevent multiple players from all playing from the same IP..

    pfSense can clearly do NAT reflection, and it can do UPnP, so that would be exactly what your consumer router would be doing.  How does that get you around any sort of source port restriction??

    As to doing cone NAT, it might be possible to do that.. It's not an option in the GUI that I am aware of..  But I would think it possible.. Would not suggest it from a security point of view, that is for sure.  Can you not just get multiple IPs from your ISP.. This would be the best solution for sure!!!



  • I really don't think that the Xboxes require the source port to be X. I think that setting static source port made the Xbox believe that it was behind a cone NAT, which was creating one UDP port for each source port, regardless of destination, whereas it was really causing as many problems as it was solving.

    I had to set up our Netgear again; my roommates could not stand it any longer. I will still experiment, though, although it certainly looks like enterprise security and game consoles just don't mix. (Who is really that surprised?)

    I will say, Johnpoz, you are really the voice of tough love on this forum; you are trying to help, but you don't tolerate bulls%&t. I thank you for it. I will look into doing a cone NAT, but I am honestly looking at the x86-64 version of OpenWrt. It is a hack, but it is just consumer-oriented enough that it might work. I cannot use any other enterprise routing solution like Untangle or Sophos, since they don't even have UPnP as an option at all! I will re-install pfSense when I have a setup more under my control. I still think I must be missing something with my setup. I will research at a later day.

    Or maybe I will just set up a completely custom setup with a Linux distro, iptables, and miniupnpd.  But god, I hate iptables.


  • Rebel Alliance Global Moderator

    Or just getting multiple IPs from your ISP would be the simple solution, if you ask me.



  • @johnpoz:

    > Well, maybe your consumer router is doing a shitty job at NAT and is just doing a cone NAT where, once you open the port, anyone can send traffic to your publicIP:port and get forwarded to your machine behind the NAT?
    >
    > But how does that solve an issue when the game requires the source port to be X?  Does it really only require the source port to be X thru Z?  What is required to figure out your issue is understanding the ports used in the game and any requirements they have, like hey, this connection to destIP:port has to come from source port X.
    >
    > Makes no sense why that would be a requirement, to be honest.  Why would you give a shit what the source port is??  If that is the case, it would seem they put in such a restriction to prevent multiple players from all playing from the same IP..
    >
    > pfSense can clearly do NAT reflection, and it can do UPnP, so that would be exactly what your consumer router would be doing.  How does that get you around any sort of source port restriction??
    >
    > As to doing cone NAT, it might be possible to do that.. It's not an option in the GUI that I am aware of..  But I would think it possible.. Would not suggest it from a security point of view, that is for sure.  Can you not just get multiple IPs from your ISP.. This would be the best solution for sure!!!

    I have played with this issue for years, and somehow my Linksys router running DD-WRT can pull off NAT "magic" to allow multiple Xboxes to play online. It might be doing something outside the TCP/UDP/IP spec, but it works. When enabling UPnP, the Xboxes can see that if an inbound port is currently being used and it will pick a different one. Then all of the Xboxes operate as if they have dedicated IPs. I am able to get similar UPnP functionality out of my pfSense box, but I have never been able to replicate the NAT functionality.

    It's a mystery that many have tried to solve in pfSense, but I have yet to see it work as well as some lesser consumer routers.


  • Rebel Alliance Global Moderator

    "Xboxes can see that if an inbound port is currently being used and it will pick a different one."
    "I am able to get similar UPnP functionality out of my pfSense box, but I have never been able to replicate the NAT functionality."

    That is really the whole point of UPnP.. You're saying that UPnP in pfSense does not do that??  Or just doesn't work with Xboxes?  If client 1 says hey, I need port xyz forwarded to me..  The NAT box doing UPnP should open that for them; if not, it should tell them hey, pick another port, that one is in use.

    Can you sniff the UPnP traffic on your DD-WRT router and see what is going on?  My guess is more that it's just doing cone NAT and has no security at all, so that is why it works.  I open a connection to IP-A from source publicIP:X… Then IP-B can then talk to me going to publicIP:X, which is not secure.

    The biggest issue to getting it to work is understanding the communication required.. Since it never seems that any of these game makers actually point out what ports need to be used, or allow changing ports, etc.

    Why can you not go into the game on console 1 and say use port X, then forward that port on your router.  Then go into console 2 and say use port Y, and go into your router and forward Y to that console, etc.