Multiple XBox 360's with open NAT?



  • Hi all, about a month ago a friend recommended I set up a router with pfSense to combat problems with high latencies with people maxing out torrent downloads at the place I live, so I did, and it works great! :)  pfSense is perhaps the best thing to happen to routing that I've ever seen.

    However, I'm having an issue with getting XBox Live to work properly.

    ! BEFORE YOU DISMISS THIS THREAD, I do want you to know that I have been reading numerous topics on the forums about this issue, I'm not just blindly posting here asking for an answer. :P

    Originally, the problem was with having the "strict NAT" error, so after reading some topics I set manual outbound NAT with static ports, and then forwarded those ports.  It took me a few tries to finally get it right, but I solved the problem and the NAT went back to open.

    However, now that those ports are being forwarded to an XBox with a static IP, none of the other residents' XBox's can connect properly to XBox Live.

    I read on the forums that instead of doing the static ports with port forwarding, I can just enable uPnP, but having tried that (as well as a combination of both strategies), I am simply unable to get all the XBox machines to work with an open NAT.  I even tried adding allow directives for uPnP for all the XBox IPs and for all the ports necessary, to no avail.

    I would really appreciate it if any of you have any suggestions or past experience with getting multiple XBox 360's to all have an open NAT.  Is there something I'm missing about the uPnP configuration?

    Many thanks in advance for your help!

    Regards,
    Hikky

    Edit:  Oh yeah, I am using pfSense v1.2.1 RC4



  • Have you read this thread ?:

    UPnP and multiple Xbox 360s (4-8) http://forum.pfsense.org/index.php/topic,6594.0.html



  • I've never used static IP addresses for my Xbox 360s but maybe try DHCP instead because uPnP request may be made only after DHCP.  I remember reading about some who had problems with static IPs.

    So maybe try the following:

    MAKE SURE YOU APPLY CHANGES AFTER CHANGING YOUR SETTINGS (also make sure there are no errors reported afterwards)!
    1.  Set all Xbox 360s to DHCP then power off (remove any static IP addresses for the Xbox 360)
    2.  Enable Static port in advanced outbound nat
    3.  Enable uPnP and ensure the upnp service is in fact running
    4.  Go to the Status --> uPnP page and click clear button to clear entries and restart uPnP service
    5.  Remove any port forwards to the xbox 360s and dealing with ports TCP/UDP 3074 and TCP 88
    6.  Remove any firewall rules dealing with TCP/UDP 3074 and TCP 88 or the Xbox 360 (just to be safe)
    7.  Turn on one Xbox 360, sign in to Xbox Live and verify that the Xbox has an entry in the Status --> uPnP page on Pfsense (most likely port 3074)
    8.  Perform an Xbox Live NAT test and see if it registers as open.
    9.  Power on second Xbox 360, sign in to Xbox Live and verify that it has an entry in the uPnP status page listed above (maybe port 38169, 20917 or 15331).
    10.  Perform an Xbox Live NAT test on both and see if they register as open.
    11.  If you'd like an almost static IP address for your Xbox, maybe try a DHCP reservation

    I have 8 Xbox 360s registering as open at my house behind PFsense 1.2.1 RC2 so what you're trying to accomplish is definitely possible.

    Good Luck!



  • Okay thanks xcrustwadx, that's a big help!  Didn't realize the static IPs were a problem with uPnP.

    We got both XBox 360's independently able to sign in with an open NAT.  However, only one of them can be signed in at a time; when one is signed in, the other can connect to the Internet but cannot connect to XBox Live.

    Any ideas on how to resolve this one as well?



  • @GruensFroeschli:

    Have you read this thread ?:

    UPnP and multiple Xbox 360s (4-8) http://forum.pfsense.org/index.php/topic,6594.0.html

    Yes, I read the thread earlier, it doesn't address much other than the static ports/port forwarding, and issues with never getting host.  Thanks for the help though.  I've read just about every relevant post on this board. :p



  • You can't open the same port to multiple internal devices simultaneously with any firewall, unless you have multiple public IPs.



  • Hey I edited this post.  Thanks for all your help so far everyone, I appreciate it.

    I just talked to my roommates and, while we were using our old router as the DHCP server (a Linksys WRT54G; we now use it only as a wireless access point and let the pfSense machine do all the processing), both of them were able to connect to XBox Live at the same time using the same public IP address, and play in the same game together.  I also know that, on the old router, it wasn't because of any kind of DMZ setup (which I've seen suggested on other threads, although with pfSense to do DMZ requires a third Interface and NIC) because it wasn't enabled.  We definitely only have one external IP address, it's a home Comcast cable connection.

    It's probably a safe assumption that there shouldn't be anything that a crappy Linksys router can do (by default even!), that pfSense cannot.  Also, if having them online at the same time were impossible, there would be no need to have multiple XBox 360s on the same network period – I can't imagine then why xcrustwadx would care to have 8 of them lol!

    There must be something overlooked here.  Anybody have ideas on what it is?



  • Are either of the Xbox 360s connected via wireless (using the linksys or other)?

    If so, maybe try them both connected directly to a switch that is connected to pfsense.  Make sure Pfsense is the DHCP server too.

    You can't open the same port to multiple internal devices simultaneously with any firewall, unless you have multiple public IPs.

    From my experience, the first Xbox 360 will request port 3074.  The next will "see" that 3074 is already in use and request another port (see attached pic).  So this shouldn't be an issue in this particular situation.




  • And another thing to try.  Sign on with one Xbox.  Then perform a packet capture and capture the traffic from the Xbox that is unable to connect.  Take a look at it in Wireshark and see what's happening.  It can often lead to some clues.

    I am willing to help as much as possible since I was in your shoes a couple years ago.  People expect you to know everything and fix IMMEDIATELY.  It's SO frustrating but the reward is worth your blood, sweat and tears.

    Also, if having them online at the same time were impossible, there would be no need to have multiple XBox 360s on the same network period – I can't imagine then why xcrustwadx would care to have 8 of them lol!

    We're practicing for Meadowlands 2009 (http://www.mlgpro.com/content/page/260106/Register-Now-for-2009-Pro-Circuit-Online-Qualifiers)!



  • Are either of the Xbox 360s connected via wireless (using the linksys or other)?

    Yes, one of them is connected via wireless, over the linksys (I have the linksys set up just as a switch with a WAP).

    If so, maybe try them both connected directly to a switch that is connected to pfsense.  Make sure Pfsense is the DHCP server too.

    I'd do that but we'd need enough cable to go 2 stories up and with all that's involved it would leave wires everywhere. :(  pfSense is the DHCP server.

    From my experience, the first Xbox 360 will request port 3074.  The next will "see" that 3074 is already in use and request another port (see attached pic).  So this shouldn't be an issue in this particular situation.

    I have a few entries in the uPnP status page now, but these two are the relevant ones:

    3074  udp  192.168.1.199  Xbox (192.168.1.199:3074) 3074 UDP
    21934  udp  192.168.1.253  Xbox (192.168.1.253:21934) 21934 UDP

    It appears that this is the case but for some reason both can't be connected at the same time.

    And another thing to try.  Sign on with one Xbox.  Then perform a packet capture and capture the traffic from the Xbox that is unable to connect.  Take a look at it in Wireshark and see what's happening.  It can often lead to some clues.

    I'll happily do this but I'm fairly new to pfSense, and good routers/firewalls in general.  Can you give me a little more details as to what I should be looking for?

    I am willing to help as much as possible since I was in your shoes a couple years ago.  People expect you to know everything and fix IMMEDIATELY.  It's SO frustrating but the reward is worth your blood, sweat and tears.

    I really appreciate it man.  I live in a house with 7 other tenants and the standard Linksys router couldn't handle both gaming and torrenting at the same time, and since generally someone was always torrenting, it made playing games (and occasionally, watching streaming video) impossible.  I play a lot of competitive CS:Source so that definitely wasn't an option.  So I got an old machine and installed pfSense on it with the help of a friend, and configured the traffic shaper, and while it solved that problem, it also created this XBox Live issue.  Pending fixing that, pfSense will have made my life a whole lot easier!

    In any case, thanks a ton for your help.  Meadowlands sounds like a lot of fun, I guess you have to make the qualifier round first though eh?  I don't do ANY console gaming these days (and I'm ashamed to say I don't even know my way around an XBox), but our CS:S team is gearing up for the next CEVO season.  I don't know if you play the game at all but we beat a professional team in the Alienware Frag Fest last week (before getting eliminated by an even better team haha), so we're pretty excited.  What are you playing, Halo 3 I assume?



  • I'd do that but we'd need enough cable to go 2 stories up and with all that's involved it would leave wires everywhere. :(  pfSense is the DHCP server.

    You don't need to run the cable 2 stories to test 2 xbox 360s connected to the switch… just move one to where the other is and test.  Please do this before anything else so we can narrow this down.

    I'll happily do this but I'm fairly new to pfSense, and good routers/firewalls in general.  Can you give me a little more details as to what I should be looking for?

    OK
    1.  Install wireshark http://www.wireshark.org/
    2.  Sign on with one Xbox.
    3.  Go to Pfsense web interface --> Diagnostics --> Packet Capture
    4.  Settings:

    Interface = LAN
    Host Address = address of Xbox that can't connect
    Port = leave blank
    Packet Length = leave at default value already there
    Count = 0 (for unlimited)
    Level of Detail = Normal
    Reverse DNS = unchecked

    5.  Press START button to begin capture
    6.  Power on Xbox that can't connect and make a few connection attempts / perform Xbox Live connectivity tests
    7.  Click STOP on the packet capture page
    8.  Click Download capture and save it somewhere on your PC
    9.  Open downloaded capture in wireshark and have a look at it.  Each type of packet is color coded.  See if you can determine where it's having problems
    10.  Let us know what you find.

    What are you playing, Halo 3 I assume?

    I play Gears of War 2 but my brother is the Halo 3.  We have teams for both with different players.  However I am also a long time CS fan.  I've moved to console gaming because PC gaming is more expensive.  It's sad I know but I still get in some Quake 3 Arena so I suppose I'm OK.



  • Okay, I followed your instructions exactly, with one exception:  we didn't hook the one Xbox up directly to the switch, we kept it on wireless for now.  It's a pain to dismember everything and I don't own the Xbox and haven't spoken to the owner about moving it upstairs yet.  I don't even know what's involved in setting one up or tearing one down lol.  :-X

    I have uploaded the .cap file to my web server, you can download it here:

    http://hikkyz.net/misc/packetcapture.cap

    I apologize in advance, you may have to use Internet Explorer to download it – there seems to be an issue on my server where, when browsed with Firefox, some files which should ask to be saved instead get displayed as text.  You can also right click the above link and save it directly that way.

    In any case, I started the packet capture, then turned on the XBox and went to Network Settings, and performed a connection test.  It failed, then I powered off the XBox and stopped the packet capture.

    This is my first time using Wireshark so I'm not sure what to make of it.  Everything is coded as light blue, and I can't find anything indicating the problem -- I probably just don't know where to look though.

    Let me know if you can make any sense out of it.



  • It's a pain to dismember everything and I don't own the Xbox and haven't spoken to the owner about moving it upstairs yet.  I don't even know what's involved in setting one up or tearing one down lol.

    It's not hard at all.  It would make this easier to diagnose but whatever.

    I looked at your capture and noticed that the source port and destination port was 3074 however the uPnP mapping indicates it is supposed to use port 21934.  I also noticed no replies back from the Xbox Live server.  So there may be a configuration issue with your WAP.  I'm not sure what though… maybe make sure uPnP is off on the WAP itself?  Are you using stock linksys firmware or 3rd party?

    For the Xbox .253, the source port should be 21934 and the destination should be 3074 (in this case).  It seems to me that both consoles are trying to use the same port and that may be why you're unable to have both on at the same time (see CMB's post!).



  • It's not hard at all.  It would make this easier to diagnose but whatever.

    I'll do this next then.

    I looked at your capture and noticed that the source port and destination port was 3074 however the uPnP mapping indicates it is supposed to use port 21934.  I also noticed no replies back from the Xbox Live server.  So there may be a configuration issue with your WAP.  I'm not sure what though… maybe make sure uPnP is off on the WAP itself?  Are you using stock linksys firmware or 3rd party?

    For the Xbox .253, the source port should be 21934 and the destination should be 3074 (in this case).  It seems to me that both consoles are trying to use the same port and that may be why you're unable to have both on at the same time (see CMB's post!).

    I confirmed that uPnP is off on the WAP, and it's using stock linksys firmware.

    So you're saying, the source port (i.e. the port open on the Xbox 360) should match the uPnP mapping (21934), but the destination port (i.e. the port on the XBox Live server) should be 3074.  But in this case, the source port is also 3074?

    I wonder if that could have something to do with the Static Ports option in the NAT?  Because if what you said is correct, then perhaps static ports should be disabled so that there is some translation between the source and destination ports, no?

    In any case, what CMB said makes sense, but what doesn't make sense is how if that's true, how can anyone have multiple machines working simultaneously on the same public IP address?

    It sounds like the packets are not being properly sent to the XBox Live server (as it doesn't respond); since the problem doesn't appear to be the destination port, there must be some kind of interruption between the jump from LAN to WAN.  Does that logic sound right to you?

    I'll try a few things tonight and maybe post another packet capture or two so kindly sit tight and if you find out anything else let me know. :)



  • Okay weirdest thing ever man.  I'm completely baffled.  ???  I didn't change a stinkin' thing since my last post but it just magickally started working LOL.  Probably was something completely retarded like the DHCP lease had to expire or something.

    Well in any case, everyone seems to be able to connect to XBox Live and play games together with an open NAT.

    Thanks you guys for your help, we greatly appreciate it (especially your suggestions xcrustwadx as they worked wonders).  :D

    /bow



  • I wonder if that could have something to do with the Static Ports option in the NAT?

    You should probably keep static ports on.

    Anyway I'm glad everything worked out OK for you! ;D

    It sounds like the packets are not being properly sent to the XBox Live server (as it doesn't respond); since the problem doesn't appear to be the destination port, there must be some kind of interruption between the jump from LAN to WAN.  Does that logic sound right to you?

    I suppose it doesn't matter now but…
    I think what was happening is that the Xbox Live server was responding to requests by Xbox 2, only the packets were being directed to Xbox 1 since it was assigned port 3074 by uPnP/pfsense.
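
An added example, not part of any post in this thread: the check described above (compare each console's captured source port with its uPnP mapping) and the explanation in the last post (replies go to whoever owns the port), written as a small Python audit. The function names `parse_upnp` and `audit` and the flow tuples are hypothetical; the model assumes static-port outbound NAT keeps the source port and that inbound replies to a WAN port follow the uPnP mapping for that port.

```python
import re

# The two rows quoted from the thread's uPnP status page.
UPNP_STATUS = """\
3074  udp  192.168.1.199  Xbox (192.168.1.199:3074) 3074 UDP
21934  udp  192.168.1.253  Xbox (192.168.1.253:21934) 21934 UDP
"""

# Constructed flows (src_ip, src_port, dst_port) standing in for a LAN capture.
FLOWS = [
    ("192.168.1.199", 3074, 3074),
    ("192.168.1.253", 3074, 3074),  # what the capture in the thread showed
]

ROW = re.compile(r"^\s*(\d+)\s+(tcp|udp)\s+(\d+\.\d+\.\d+\.\d+)\s", re.I)


def parse_upnp(text):
    """Return {(proto, external_port): internal_ip} from status-page rows."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[(m.group(2).lower(), int(m.group(1)))] = m.group(3)
    return table


def audit(flows, table, proto="udp"):
    """Flag flows whose source port is unmapped or mapped to another host."""
    findings = []
    for src_ip, sport, _dport in flows:
        owner = table.get((proto, sport))
        if owner == src_ip:
            continue  # replies to WAN:sport are forwarded back to the sender
        expected = sorted(p for (pr, p), ip in table.items()
                          if pr == proto and ip == src_ip)
        findings.append({"host": src_ip, "sport": sport,
                         "replies_go_to": owner, "expected_sports": expected})
    return findings


if __name__ == "__main__":
    for finding in audit(FLOWS, parse_upnp(UPNP_STATUS)):
        print(finding)
```

On the thread's data this flags only 192.168.1.253: it sends from port 3074 while its mapping is 21934, so replies to WAN port 3074 are forwarded to 192.168.1.199.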

