XB1 NAT STRICT



  • Hi Pf sense forum members, i have a quick question is there anyway to turn off static port so pfsense dosen't randomize port to the internet which gives xb1 a strict nat, now i have fixed this with the static dhcp and the static port which gave me a open nat but is annoying to say the least. I love this software and have been using it for months without any issues but this one, do any forum members have any advice on how to permanently fix this issue. Also i know netgear routers have a open nat option in there firmware could pfsense implement this?



  • TLDR: Use NAT rules to forward all ports, or less, to your XB1 in Firewall -> NAT -> Port Forward tab. Be careful of the order if you have other NAT rules and UPnP.

    It's a double edged sword really. No network gear exists that is performing NAT "magic" that really guarantees open nats without a sacrifice elsewhere.

    What your netgear is really doing is forwarding all ports to your xb1, think like the old DMZ IP setting.

    The way to do the same thing in pfSense is to do just that, forward all your ports via NAT rules to that one xb1 IP. Realistically, it only needs to be 1024-65535.
    There are a few drawbacks though.

    1. Lets say you do this, and forward all the ports. then you need to forward a port for a teamspeak server or something on your network. You must put that teamspeak rule above the "all" rule for your xbox. This also means that if you happen to have a game that needs that teamspeak port by random chance to be forwarded to your xbox, it won't work. It will be forwarding game traffic to your teamspeak server.

    2. I believe, and please correct me pfSense guru's if I'm wrong, but the UPnP that some services need on your network will be overridden by the all port forwards NAT rule as I believe UPnP is processed after explicit NAT rules. For example, Skype uses UPnP, if every port for both TCP and UDP is forwarding to your XB1, then skype may not work.

    pfSense Guru's, I don't know if this is correct, but will pfSense skip over a NAT rule if the IP it is to forward to is not in its ARP table? i.e. machine is turned off.