Xboxone / strict NAT and VPN



  • Hey everyone.

    I'm beating my head against the wall here as I don't understand why xboxone NAT is not working when I try to VPN some clients (not the xbox).

    Key point here: I have a fully functional xbox one with open NAT based on the guide linked in this forum. XboxOne is working, works well. However, the moment I attempt to VPN any traffic to my internal clients I completely break the NAT for xbox one.

    Outbound rules (in order):

    1. xbox static outbound rule is #1 in the list and is bound to WAN
    2. LAN 1 subnet
    3. LAN 2 subnet
    4. openvpn interface #1
    5. openvpn interface #2
    6. openvpn interface #3
    7. openvpn interface #4
    8. openvpn interface #5

    LAN 1 network is routed out through vpn client gateway group (openvpn interface #1 - #5)
    LAN 2 network (where xbox lives) is routed out through WAN

    All clients perform as they should. I get a VPN address for clients in LAN 1. Clients in LAN 2 get my WAN IP. However, with this configuration the NAT type is now broken.

    What can I check for here to see if additional configurations are required? It's clear I'm missing a configuration with the VPN or interfaces, or don't fully understand how VPN and NAT work together.

    JJ



  • Hi everyone. I've solved this on my own and so I figured I'd inform others of the solution.

    Under the VPN client configuration details for each openvpn client, check the box "don't pull routes". This resolved the issue I was having.

    ** edit - I now have a DNS leak so I'll have to figure that out.



  • I am so glad I found this post. I have a very similar setup and could not wrap my head around why my gaming devices were going out through the VPN gateway even though all of my firewall rules looked like the connection should be going through WAN. This fixed the problem right away!

    As for DNS leaks, I actually have rules set up so that the only port 53 connections that are allowed are to pfSense, and all other requests sent out on port 53 are forwarded to pfSense. It's interesting to see the number of IoT devices with hard-coded DNS servers.
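As an added illustration of the DNS rules described in the reply above (not the poster's own configuration), here is the equivalent in raw pf syntax as pfSense would generate it from a Firewall > NAT > Port Forward entry plus a matching LAN pass rule. The interface name `em1`, the LAN subnet and the LAN address are constructed assumptions.

```pf
# Constructed example values: LAN interface, LAN subnet, pfSense's LAN address
lan_if   = "em1"
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"

# Translation happens before filtering: any DNS query from the LAN that is
# aimed at an outside resolver is rewritten to pfSense's own resolver.
rdr on $lan_if proto { tcp udp } from $lan_net to ! $lan_addr port 53 -> $lan_addr port 53

# After rdr, every LAN port-53 packet is addressed to pfSense, so this is the
# only DNS traffic allowed in on the LAN interface.
pass in quick on $lan_if proto { tcp udp } from $lan_net to $lan_addr port 53

# Anything else on port 53 is dropped and logged so hard-coded resolvers show
# up in the firewall log instead of silently leaking around the VPN.
block in log quick on $lan_if proto { tcp udp } from $lan_net to any port 53
```

Devices that still bypass this would be using DNS over a port other than 53, which these rules do not cover.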

