Multiple Xbox Ones, Open NAT Failure
-
Hey everybody,
I was wondering if anybody is running a similar set up as me and could provide some insight.
I am running pfSense in a Proxmox VM as my router…
From the pfSense LAN, I go to the Nighthawk x6 WAN(using as LAN).
I have the Nighthawk set up as an access point, strictly following these configuration steps: https://www.dd-wrt.com/wiki/index.php/Wireless_Access_Point
On pfSense, I have my LAN configured as 192.168.1.0/24.
I have static DHCP leases for all of the Xboxes, 192.168.1.15 - 192.168.1.17.
I have created a firewall alias for these.
I have a firewall rule set on the LAN to force the Xbox alias over the WAN (I have a VPN client running).
From there, I have enabled the UPnP service, checking off enable, allow UPnP, allow NAT-PMP, with the external interface as WAN, interface as LAN.
Also, I have an ACL deny rule across the LAN on port 3074 as I've heard allowing it can cause Teredo issues.
I have my outbound NAT changed to manual, with a NAT rule at the top as follows: WAN XboxAlias * * * WAN Address Static Port checked.
Under System > Advanced > Firewall & NAT, I have the NAT reflection mode set to Pure NAT and I have Enable automatic outbound NAT for Reflection checked.
This was all configured based on the following guide: https://digiex.net/threads/pfsense-step-by-step-guide-to-multiple-xbox-ones-open-nat-play-together-2-3-x.15094/
With my current setup, all of the Xboxes say NAT unavailable, and when running the multiplayer test, they fail with "can't get a Teredo IP address".
Sorry if this has been answered elsewhere. I've been plugging at this for the past two days and can't get it to work. My housemates are getting cranky about their strict NAT.
Thanks!!
*** Update #1 ***
I turned off the setting allowing UPnP by default and switched to using ACL rules to control which ports each Xbox could request. I have all 3 set to allow 100-port blocks. Then, in Firewall > NAT > Port Forward, I have these blocks port forwarded to their respective Xboxes. This has alleviated the "can't get Teredo IP" issue and brought the NAT type to moderate. However, my housemate has informed me that the multiplayer test reported the slow download speed error, and the Xbox store and other things seem not to be loading; however, gameplay, chat, etc. seem to be working fine. I'm getting closer, but it still seems that I'm missing something.
-
You might try using a static outbound rule.
-
All you need for 1 or more Xbox Ones.
This change helps 1 or more than 1 Xbox One.
Change to Manual Outbound NAT rule generation. Change the Outbound NAT rule "Auto created rule - LAN to WAN" to Static Port. No need to make more than one rule or anything.
https://doc.pfsense.org/index.php/Static_Port even notes "Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities."
The above change helps with more than just Xbox, PS4, PC games, and other apps, hence why it's far easier to Static Port the whole LAN, for very little/practically no risk.
This UPnP rule is only needed for more than 1 Xbox with Open NAT.
Then add a UPnP ACL to block 3074:
deny 3074 <LAN subnet> 3074
This forces each Xbox to randomly generate a different port and forwards it. Supposedly an option to specify a port is upcoming in Xbox, but until then the Xbox must pick a random one when 3074 is blocked or unavailable.
Those 2 steps are all that is needed for 1 or more Xbox Ones to get Open NAT. You will likely want to clear states or just reboot pfSense, and reboot the Xbox once the changes are made. Assuming you truly have your public IP on the WAN of pfSense.
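The two recipes in this thread (the OP's per-console UPnP ACL port blocks in Update #1, and the Static Port outbound rule plus deny-3074 ACL in the post above) can be reasoned about offline with a small model before touching a live firewall. The Python below is an added example, not code from the thread, from pfSense or from any poster. It assumes the pfSense/miniupnpd ACL line format `<allow|deny> <external port or range> <internal address or CIDR> <internal port or range>` evaluated first-match-wins, models the "Default Deny" checkbox as a flag, uses the OP's console addresses 192.168.1.15-17 as constructed input, and replaces pf's real state table with a toy mapping table that only captures one fact: with Static Port, two hosts cannot both keep port 3074 behind one public address.

```python
"""Toy model of pfSense UPnP ACL evaluation and Static Port outbound NAT.

Added example for this thread, not code from pfSense or from any poster.
Assumes the pfSense/miniupnpd ACL line format
    <allow|deny> <ext port or range> <internal address or CIDR> <int port or range>
evaluated first-match-wins, with the 'Default Deny' behaviour as a flag.
Console addresses are the OP's (192.168.1.15-17); the NAT table is a toy.
"""
import ipaddress
import random

XBOX_PORT = 3074  # the port an Xbox One asks UPnP to map first


def _port_range(spec):
    """'3074' -> (3074, 3074); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def parse_acl(lines):
    """Parse ACL lines into (action, ext range, internal network, int range)."""
    rules = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        action, ext, addr, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown ACL action {action!r}")
        rules.append((action, _port_range(ext),
                      ipaddress.ip_network(addr, strict=False), _port_range(internal)))
    return rules


def acl_permits(rules, client_ip, ext_port, int_port, default_allow=False):
    """First matching rule wins. default_allow=False models 'Default Deny'
    ticked, which is the setting the OP switched to in Update #1."""
    ip = ipaddress.ip_address(client_ip)
    for action, (elo, ehi), net, (ilo, ihi) in rules:
        if ip in net and elo <= ext_port <= ehi and ilo <= int_port <= ihi:
            return action == "allow"
    return default_allow


class ToyNat:
    """Mappings for one public address. With static_port=True the internal
    source port is kept as the external port (the Static Port outbound rule),
    so two hosts cannot both own the same external port."""

    def __init__(self, static_port=True):
        self.static_port = static_port
        self.mappings = {}            # external port -> (internal ip, internal port)
        self._next_ephemeral = 50000  # rewritten ports used when static_port is off

    def add_mapping(self, int_ip, int_port):
        """Return the external port, or None if static port cannot be honoured."""
        if self.static_port:
            ext = int_port
            owner = self.mappings.get(ext)
            if owner is not None and owner != (int_ip, int_port):
                return None  # collision: that external port belongs to another host
        else:
            ext = self._next_ephemeral
            self._next_ephemeral += 1
        self.mappings[ext] = (int_ip, int_port)
        return ext


def map_consoles(consoles, acl_lines, default_allow=False, seed=1):
    """Each console asks for 3074/3074; if the ACL denies it, it falls back to a
    random high port (the behaviour the thread relies on) and asks again.
    Returns {console ip: external port, or None when no mapping was possible}."""
    rng = random.Random(seed)
    rules = parse_acl(acl_lines)
    nat = ToyNat(static_port=True)
    result = {}
    for ip in consoles:
        port = XBOX_PORT
        for _ in range(1000):
            if acl_permits(rules, ip, port, port, default_allow):
                break
            port = rng.randint(1024, 65535)  # console picks a random port instead
        else:
            result[ip] = None  # no permitted port found in 1000 tries
            continue
        result[ip] = nat.add_mapping(ip, port)
    return result


CONSOLES = ["192.168.1.15", "192.168.1.16", "192.168.1.17"]  # the OP's static leases

# The recipe from the post above: deny 3074 for the whole LAN, allow the rest.
DENY_3074_ACL = [
    "deny 3074 192.168.1.0/24 3074",
    "allow 1024-65535 192.168.1.0/24 1024-65535",
]

if __name__ == "__main__":
    print("no ACL, default allow:   ", map_consoles(CONSOLES, [], default_allow=True))
    print("deny 3074 + static port: ", map_consoles(CONSOLES, DENY_3074_ACL))
```

Without the deny rule every console asks for 3074 and only the first one gets it; with the deny rule each console lands on its own high port and all three fit behind one public address, which is the effect the post above describes. The per-console blocks from Update #1 can be checked the same way by passing lines such as `allow 50000-50099 192.168.1.15/32 50000-50099` to `parse_acl` and calling `acl_permits` for a request from each console.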
-
I have tried everything here, step by step, including the static port for the auto LAN to WAN, and the best I can get is NAT Type: MODERATE. Xbox One Detailed NAT information: Your network is behind a UPnP port-restricted NAT. Any more suggestions?
-
What are the first 3 sections of the WAN IP?
What is in front of pfSense (Modem, ONT, gateway, etc.)?
Who is your ISP? Are they Cable, DSL, Fiber, etc.?
What is your WAN type, DHCP or PPPoE for example?
-
What are the first 3 sections of the WAN IP?
What is in front of pfSense (Modem, ONT, gateway, etc.)?
Who is your ISP? Are they Cable, DSL, Fiber, etc.?
What is your WAN type, DHCP or PPPoE for example?
What are the first 3 sections of the WAN IP? 96.227.??.???
What is in front of pfSense (Modem, ONT, gateway, etc.)? ONT
Who is your ISP? Are they Cable, DSL, Fiber, etc.? Verizon FiOS Gigabit
What is your WAN type, DHCP or PPPoE for example? DHCP
-
What are the first 3 sections of the WAN IP? 96.227.??.???
What is in front of pfSense (Modem, ONT, gateway, etc.)? ONT
Who is your ISP? Are they Cable, DSL, Fiber, etc.? Verizon FiOS Gigabit
What is your WAN type, DHCP or PPPoE for example? DHCP
Good, should mean no double NAT.
How many Xboxes on the network/LAN?
Are you checking NAT status in the Xbox System settings or in game? If a game, what game?
Are you trying to let UPnP work or static port forwards?
If UPnP, what settings were used?
If port forward, did you forward 3074 UDP (no others are needed for base Xbox/NAT check, XBL-based multiplayer/chat, 3rd par).
-
OPEN NAT resolved. Went through and reconfigured the entire pfSense. Reset to default and reconfigured the entire firewall. Then I followed the instructions for Open NAT. Now I have Open NAT every time on both XB1s.
But they cannot play most multiplayer games at the same time. What I really find annoying is that for all of pfSense's greatness it can't achieve the UPnP results of my $25 E2500 from Big Lots.
I even went so far as to configure an IPv6 tunnel. Results were the same: OPEN NAT but failure on playing the same multiplayer games at the same time. :( This issue lands squarely in pfSense, as with the aforementioned Linksys E2500 there are no issues at all. Now searching to see if there is a way to have the XB1 run IPv6 only. FYI I am using the new XB1 interface that allows you to change the port that it's using for its connection. So each XB1 is set to use a different port.
-
Now searching to see if there is a way to have the XB1 run IPv6 only. FYI I am using the new XB1 interface that allows you to change the port that it's using for its connection. So each XB1 is set to use a different port.
XBL services/chat/multiplayer don't even use native IPv6 at all, even when available. It uses IPv6 via Teredo, which is over IPv4, so IPv4 is required. Note some 3rd-party developers do not use XBL for matchmaking/communications, so they can use IPv4 or IPv6.
What game/s can you not play at the same time?
FYI I am using the new XB1 interface that allows you to change the port that it's using for its connection. So each XB1 is set to use a different port.
Are you setting up static port forwards with those ports or still just letting UPnP work? I have never needed static port forwards behind pfSense, or to set the port the Xbox is using; I have only had to deny 3074 via UPnP ACL.
Confirm in Advanced -> Firewall & NAT:
NAT Reflection mode for port forwards = Pure NAT
Enable automatic outbound NAT for Reflection = Checked
-
Games we cannot play at the same time: Rainbow Six Siege, Call of Duty Infinite Warfare Remastered, For Honor, Ghost Recon Wildlands, to name a few.
Set to Pure NAT.
Reflection turned on.
UPnP is doing all the forwarding.
-
Have you made sure that you have hard reset the XB1s?
I have 5 XB1s (lots of spoilt kids, inc. me!)
They have static IPv4 with alias, IPv6 DHCPv6.
UPnP on with both UPnP and NAT-PMP.
NAT on hybrid with individual mappings for static port via alias (I did have an alias for all the XB1s together but that didn't work).
All XB1s on Open NAT, no probs with multiplayer games; do get kicked at times but no more than when only 1 is on, and no issues joining.
I had issues without the hard reset of each XB1 every time I made a change.
Hope this helps
-
NAT on hybrid with individual mappings for static port via alias (I did have an alias for all the XB1s together but that didn't work).
pfSense treats those two scenarios no differently; more likely you had old states from not rebooting or clearing states. Also, it's just easier to go Manual Outbound NAT and set the whole subnet for Static Port. Even https://doc.pfsense.org/index.php/Static_Port says "Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities." Really it's pretty pointless and tends to cause more issues than it solves.
They have static IPv4 with alias, IPv6 DHCPv6.
With pfSense's DHCPv4 server, they practically already have static addresses. And setting the whole subnet for Static Port further makes this pointless.
-
I have been having this same issue on and off again since the release of Xbox Ones. I tried having another crack at this over the weekend since I now have the latest dashboards on every Xbox and can select which port to use instead of 3074.
The issue is the same: I have NAT Open on every box using all forms of NAT Reflection mode for port forwards (disabled, Pure NAT and NAT + Proxy) and have had Automatic create outbound NAT rules checked and unchecked. The issue is it works for most games but then there are a few that just refuse to multiplayer up. They can party and chat and play the majority of the games.
Games like Warframe that don't connect with NAT Open just require you to set a manual outbound NAT with sticky port disabled. This will set the second Xbox to NAT Strict and you will be able to play together. Once you switch games you can leave it with Xbox 1 sticky and Xbox 2 random port, but this might affect matchmaking in other games if you don't switch back to sticky on both when not partied together.