    Xbox One / strict NAT and VPN

    General pfSense Questions
    repomanz wrote:

      Hey everyone.

      I'm beating my head against the wall here as I don't understand why Xbox One NAT is not working when I try to VPN some clients (not the Xbox).

      Key point here: I have a fully functional Xbox One with open NAT based on the guide linked in this forum. The Xbox One is working, and works well. However, the moment I attempt to VPN any traffic to my internal clients I completely break the NAT for the Xbox One.

      Outbound rules (in order):

      1. xbox static outbound rule is #1 in the list and is bound to WAN
      2. LAN 1 subnet
      3. LAN 2 subnet
      4. openvpn interface #1
      5. openvpn interface #2
      6. openvpn interface #3
      7. openvpn interface #4
      8. openvpn interface #5

      LAN 1 network is routed out through vpn client gateway group (openvpn interface #1 - #5)
      LAN 2 network (where xbox lives) is routed out through WAN

      All clients perform as they should. I get a VPN address for clients in LAN 1. Clients in LAN 2 get my WAN IP. However, with this configuration the NAT type is now broken.

      What can I check for here to see if additional configuration is required? It's clear I'm missing a configuration on the VPN or the interfaces, or don't fully understand how VPN and NAT work together.

      JJ

      repomanz wrote:

        Hi everyone. I've solved this on my own, so I figured I'd inform others of the solution.

        Under the VPN client configuration details for each OpenVPN client, check the box "Don't pull routes". This resolved the issue I was having.

        ** edit - I now have a DNS leak, so I'll have to figure that out.

        itsadamslife wrote:
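        For readers who want the OpenVPN-level view of that checkbox: in pfSense, "Don't pull routes" adds the `route-nopull` directive to the generated client configuration. With it, the client still brings the tunnel up and accepts its tunnel address, but ignores routes pushed by the server. A pushed `redirect-gateway def1` would otherwise install 0.0.0.0/1 and 128.0.0.0/1 routes that beat the firewall's own default route for every flow that is not explicitly policy-routed, which is how traffic meant for WAN ends up inside the tunnel. The fragment below is an added illustration, not the poster's configuration; the remote host, port and certificate file names are placeholders.

```conf
# Added example: minimal OpenVPN client config (not the poster's own file).
# Placeholder values: vpn.example.net, port 1194 and the certificate file names.
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server

# Equivalent of pfSense's "Don't pull routes" checkbox. The tunnel comes up and
# is assigned its address, but any route the server pushes (including a pushed
# "redirect-gateway def1") is discarded, so the firewall's gateway group and
# policy-routing rules alone decide which traffic enters the tunnel.
route-nopull
```

Note that `route-nopull` also discards pushed DHCP-style options such as DNS servers, so after enabling it the firewall's resolver settings, not the VPN provider's pushed ones, determine where DNS queries go; that is the first place to look when a DNS leak appears after this change.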

          I am so glad I found this post. I have a very similar setup and could not wrap my head around why my gaming devices were going out through the VPN gateway even though all of my firewall rules looked like the connection should be going through WAN. This fixed the problem right away!

          As for DNS leaks, I actually have rules set up so that the only port 53 connections that are allowed are to pfSense, and all other requests sent out on port 53 are forwarded to pfSense. It's interesting to see the number of IoT devices with hard-coded DNS servers.

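The DNS lockdown described in the last reply, expressed as a pf ruleset fragment. This is an added example written for this page, not pfSense's generated ruleset and not the poster's rules; the interface name `igb1`, the LAN subnet `192.168.1.0/24` and the firewall's LAN address `192.168.1.1` are assumed values. In the pfSense GUI the same thing is a Port Forward on the LAN interface for TCP/UDP port 53 with the destination set to "invert match: LAN address" and the redirect target set to the LAN address, plus a LAN firewall rule that allows port 53 only to the LAN address.

```pf
# Added example (not pfSense's generated rules). Assumed names and addresses:
lan_if   = "igb1"
lan_net  = "192.168.1.0/24"
lan_addr = "192.168.1.1"

# NAT: any DNS query from the LAN that is not already aimed at the firewall is
# redirected to the firewall's own resolver. Devices with hard-coded DNS servers
# are answered by pfSense without knowing it.
rdr on $lan_if proto { tcp, udp } from $lan_net to ! $lan_addr port 53 -> $lan_addr port 53

# Filter: after redirection every query has the firewall as destination, so this
# is the only port 53 traffic that is allowed to pass.
pass in quick on $lan_if proto { tcp, udp } from $lan_net to $lan_addr port 53 keep state

# Belt and braces: anything on port 53 that was not redirected is rejected.
block return in quick on $lan_if proto { tcp, udp } from $lan_net to any port 53
```

Two practical checks. First, query an external resolver from a LAN host and confirm the answer comes back anyway; if it does, the redirect is catching the query, and the firewall's state table will show the rewritten destination. Second, keep in mind that these rules only cover classic DNS on port 53: a device using DNS over TLS (port 853) or DNS over HTTPS (port 443) bypasses them, so a complete leak policy also needs a decision about those ports.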