Xbox One (incl. S and X) - Howto for Open NAT

  • I don't easily see a definitive Howto for how to get Open NAT on the Xbox One, and I've done this on both my Xbox One and Xbox One X, even simultaneously, and have no problems with both getting open NAT for Xbox Live, so I wanted to share my settings. I'm running pfSense 2.4.2 now, though I was running 2.4.1 when I set it all up. I'm not using UPnP at all, so there's no risk to network security for other devices or programs that could open ports using that. It's possible that UPnP could actually interfere with the settings I provide below, so if you have issues, try disabling UPnP first.

    Here's how I did it…

    1. First, set a static IP address or DHCP reservation for the console, whatever you prefer. If you have multiple consoles, see the note below on grouping multiple consoles together with neighboring IP addresses to simplify the Outbound NAT rule.

    2. Verify the port number in the Xbox network settings. If you have multiple consoles, go into the advanced settings and manually choose a high port number. Each console will need to use a different port number for this to work.

    3. Create the port forward(s) in the Firewall > NAT > Port Forward. TCP/UDP, port number, and forward to the IP address you assigned to the console. Reload the filter when done.

    4. Go to the Outbound NAT settings. Set to Hybrid. This will allow you to create your manual rule for the Xbox, but allow everything else to still operate using automatic rules. Save. If you are using manual Outbound NAT for other reasons, then you can likely keep it manual and just create the appropriate rule for the Xbox IP address(es).

    5. Add a new Outbound mapping. Specify the IP Address of your console as the source and 32 for the mask for a single console. If you have multiple consoles, see the note below for a change to the IP address and netmask settings. In the translation section, check the box for Static Port.  Save this rule. Reload the filter again.

    You're done. Go back to your console, make sure the IP address is set properly if you're using a DHCP reservation, and if all is good, you should have Open NAT, at least for Xbox Live services. It's possible that other games may need other ports open too, but at a minimum, this should meet the core requirements for Xbox Live.

    ** For multiple consoles **
    If you have multiple consoles, use neighboring IP addresses that are within a smaller network range. By doing this, in the Outbound NAT rule, you can specify the netmask that corresponds to the size of your smaller address block. In the future, you can add more consoles just by adding a port forward (and DHCP reservation, if you're using that method). If you need to increase the size of the "network" to accommodate more consoles, just change the netmask in the outbound NAT rule.

    If you really want to, you could just simply create multiple Outbound NAT rules, one for each console… but I prefer the idea of having all my consoles grouped together with neighboring IP addresses, just for the purpose of network management.

    Example scenario...
    Xbox One: x.x.x.161, port 55123
    Xbox One X: x.x.x.162, port 56124
    Created two port forwards, one for each console
    Set Outbound NAT to Hybrid
    Created manual Outbound NAT rule, x.x.x.160/29 (allows use of addresses from x.x.x.161-166), checked static port setting

    If I need to add more consoles in the future (I doubt I ever will, but just to entertain the idea), I can change the /29 to /28 and go from 161 to 174 in IP addresses for consoles.

  • Does this work for both consoles playing the same game at the same time? (ie. Rainbow Six Siege, The division, For Honor, COD MW remastered….)

  • If the game uses Xbox Live for everything on the network side, then I would think it would work.

    If the game uses its own servers, a different port number that you can't change (to make each console use a unique port), or requires UPnP, then obviously my solution would not work.

  • @virgiliomi Thanks! This still works on current Xbox consoles and latest version of PfSense 👍🏼

  • Yep, and Windows 10 as well, though you need to run a netsh command in Windows to get Teredo to use a specific port. But it does work. :) I'm up to a gaming laptop, gaming desktop, Xbox One X, and Xbox One, all with open NAT in the Xbox Live network test.

    Though the Xbox One gets kicked to the curb next week. 🙂