XBox and Torrents and UPnP, OH MY!!!

  • All,
    A couple of things to get out of the way first:  I've read / searched the forums, I'm running pfSense 1.2, I've enabled AON and static port.  (I think that's all the default information / suggestions.)

    I'm an alumni administrator for a fraternity house using pfSense as its router / firewall.  I also happen to live 200+ miles away.  There are 40 guys in the house, and closer to 70 devices connected to the private network.  They have ONE internet connection (shoot me) and ergo one public IP. (Inside private subnet  Because there are multiple XBoxes behind pfSense, I can't do port forwarding and give anyone preferential treatment here. I need a solution that lets everybody connect.
    I'm at my wits' end because I can never seem to make these guys happy.  They want XBox Live to work, which is understandable since they pay for the service, but it requires Static Port (no big deal) and UPnP to be enabled.  However, with UPnP enabled, the Torrenters go to town, gobbling up upstream bandwidth and slowing the entire network to a crawl.  Even though I expressly block torrent ports (both source and destination) in the LAN firewall rules (there's a schedule to allow them, and yes, I know the scheduling logic), with UPnP enabled the torrent apps still seem to be sending & receiving traffic.
    Here's what I'd like to do:
    1.) Change UPnP from a Default Allow to a Default Deny. (I'm assuming that's what the "By Default, deny access to UPnP" check box does.) I want to do this to prevent BitTorrent and Limewire from having easy access to the net and bypassing my firewall rules. (Yes, I know it's not perfect and there's a war on between sharing apps and sys admins, but I want to make it one step harder for them.)
    2.) Put in an allow statement that lets XBox Live traffic pass.  Ideally, I'd like to add rules to allow Skype and MSN Messenger too.

    I know ports 3074 and 88 are required for XBox Live, but I don't know what that statement would look like.  Would that be the external port range? Internal port range?  The UPnP rules are kind enough to give me a format for my allow / deny statements… I just don't know what goes where.  It will look something like "allow xxxx xxxx"; I just don't know the variables.

    Also, do I need to put any pass rules on the WAN connection to let XBox Live traffic pass?  I have them in place currently, but wonder if it's necessary.
    If pictures are worth a thousand words, please see attached pics.  (By the by, the XBoxLivePorts alias has ports 3074 and 88.)

    Thank you all for your help, and a big shout out to the creators / those who maintain pfSense. AMAZING solution!!!
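    As an added illustration (not part of the original post or of pfSense's own documentation), this is what a default-deny UPnP rule set looks like in the syntax miniupnpd, the UPnP daemon behind pfSense, accepts for its access list; the "User specified permissions" box on the UPnP page takes one such line per rule. Each line is "allow" or "deny", then the external port or port range, then the internal address or subnet, then the internal port or port range, and rules are matched top to bottom with the first match winning. The LAN subnet 192.168.1.0/24 is an assumption; substitute the house's actual subnet.

```conf
# Added example of a miniupnpd access list (pfSense "User specified permissions").
# Format:  allow|deny <external port or range> <internal IP or subnet> <internal port or range>
# Rules are checked in order; the first matching rule decides.
# Assumed LAN subnet: 192.168.1.0/24 (replace with the real one).

# Weak setting, for contrast: with "default allow" and no rules at all, any host on
# the LAN, a BitTorrent client included, can ask the router to open any port.

# Xbox Live: let any LAN host map its Xbox Live ports (3074 and 88, the two ports in
# the XBoxLivePorts alias). The console's internal port is pinned, but the external
# port is left open to a high range because once the first console has taken 3074
# externally, the next console has to be given a different external port.
allow 3074 192.168.1.0/24 3074
allow 1024-65535 192.168.1.0/24 3074
allow 88 192.168.1.0/24 88

# Everything else is refused. Ticking "By default, deny access to UPnP" adds the
# same trailing deny; it is written out here so the ordering is explicit.
deny 0-65535 0.0.0.0/0 0-65535
```

Two practical notes: port mappings that the UPnP daemon grants are inserted into pf by the daemon itself, so no separate WAN pass rule is needed for them (hand-written WAN rules only matter for static port forwards); and a rule set like this only controls what UPnP will open, so a torrent client that simply connects outbound on random ports is unaffected by it, which is why the LAN rules and traffic shaping remain necessary.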

  • I don't think it's enough to just block the ports BitTorrent uses, because almost every client randomizes its ports.

    Why don't you try to configure the traffic shaper?
    Since you only want to avoid everything getting slowed down when something torrents, and not block it altogether, this might be the solution.

    Also, I think it won't be enough just to allow the ports 3074 and 88 for Xbox Live.
    After the first client has connected, these ports are used and the next client will use different ports.

    Maybe you could google / tcpdump and look at what the second / third client uses.
