Netgate Discussion Forum

    Xbox Series X Open NAT Configuration Guide - 2022

      mcgrewjdm
      last edited by mcgrewjdm

      I had just recently added a pfSense firewall to my home network and have been using it to learn some practical network defense strategies/technologies. Well, like many great ideas, there come the moments when suddenly normal things, like your Xbox Open NAT for example, stop working due to the heightened security. I spent roughly 2 days trying to work out a solution and no matter how deep in the forums or YouTube I went, nothing seemed to work. Here is a guide to hopefully save you from pulling an "all-nighter" in 2022:

      1) System/Advanced/Networking - Allow IPv6

      "Teredo is a transition technology that gives full IPv6 connectivity for IPv6-capable hosts that are on the IPv4 Internet but have no native connection to an IPv6 network." - Wikipedia
      Translation: you need to allow IPv6 or else all the following steps will be for nothing and you won't be able to get Teredo to work on the Xbox Series X. This was my biggest issue, as it will prevent you from even being able to get a NAT Type when you run the tests in the Xbox networking window. Familiar error codes might be 0x8008000000000000.

      A) Click the Systems Tab and select Advanced
      B) Click the Networking sub-tab and select Allow IPv6 at the top of the page
      C) Ensure to save that page before moving on to Step 2
      Click a different tab and go back to the Networking Tab to ensure it's properly selected

      2) Adjust Interface Settings (LAN)
      I'm not entirely sure how necessary this is, but it works for me, so hey, give it a shot.

      A) Click the Interfaces tab and select LAN
      B) Ensure the IPv4 Configuration Type is set to Static IPv4
      C) Ensure IPv6 Configuration Type is set to Track Interface
      *I suspect this setting will be a point of contention with individuals who may be running an IPv6 network. In that case I'm pretty sure everything would work the same just with IPv6. This setting would probably need to be changed and you'd probably have to take a look at System/Advanced/Networking tab and play around with some of the other IPv6 settings potentially.
      D) Enter an IPv4 Address range such as 192.168.1.1/24
      If you are unfamiliar with subnetting or IP address CIDR notation, for most average people the above example should work fine. If you have a really large home network, look at some of the other private IP Address ranges like 172.16.0.0. If you're running into DHCP errors with a network that big, I feel bad for your router. If you choose to use a different private IP address range, it's perfectly okay. All the steps below are the same except you'd be using a different IP address subnet. Not a big deal.
      E) IPv6 Interface = WAN
      F) SAVE SAVE SAVE!!!

      3) Create a Static DHCP Address for the Xbox Series X

      We need to lock the Xbox to one specific IP Address for some of our later steps. Doing this is rather simple:

      A) Determine your IP Address Range and Available IP Addresses outside that Range
      First I'd recommend going to the Services tab and clicking on DHCP Server. A little ways down the page you will see a few sections called Available Range and Range (General Options Area). The static IP Address has to be outside of this range or else it will spit out an error preventing you from assigning it. The way I handled this was by creating a range, (FROM) 192.168.1.100 (TO) 192.168.1.150, essentially restricting myself to 50 DHCP Assignable IP Addresses. Now you only need 1 IP address (or 1 for every console) outside of this range, so you don't need to be as extreme as me; however, I have a relatively small home network so it's no big deal. Something like 192.168.1.1 - 192.168.1.253 would work just fine as long as your intended static IPs were outside of that range and available. Also scroll down to the option that says Domain search list and type NULL in that box. I've read other forum posts that Teredo can sometimes run into issues with your domain search lists, so for the sake of safety, throw it on there for good measure. You can always go back to this part and remove this setting to test if your console is okay without it once you get it all working. SAVE SAVE SAVE!!

      B) Find your Xbox's MAC Address
      Once you've got an IP address outside of that range, head to the Status tab and select DHCP Leases. If your Xbox is connected to your Interface (i.e. LAN), you should be getting an IP Address assigned through DHCP in the range we discussed last step. If you're having difficulty figuring out which device is the Xbox, go to the Xbox advanced settings tab in your network settings and look for your MAC address. This will potentially be different depending on your connection type, like wired or wireless. This is a key point to note: if you change your connection method it will break this solution. If you decide to switch to wireless from wired, for example, follow this guide again and it should resolve your issue pretty easily. We will be referencing this TAB later to ensure the Static Mapping ends up being issued correctly.

      C) Create the Static Mapping Entry
      With the Xbox MAC Address in hand for your specific connection type, go back to the Services tab and select DHCP Server, selecting your specific Interface the Xbox is connected to (i.e. LAN). Scroll to the bottom and select the add button below "DHCP Static Mappings for this Interface". Type or Copy-Paste your Xbox's MAC address for your specific connection type in the MAC Address box, then fill in the hostname "xbox". When filling in your IP Address, ensure that it is once again outside of that range defined in the DHCP Server's Leasable IP Address Range. My example range earlier was 192.168.1.100 - 192.168.1.150 so I assigned my Xbox 192.168.1.20. Scroll down and Save the entry and you should see it populate on the DHCP Static Mapping Table. Pretty simple, not too confusing so far, so keep it going.

      D) Restart your Xbox and click the network settings tab then advanced settings tab to verify you've received the Static IP Address.
      If you still see the earlier dynamically assigned DHCP IP Address, power off your Xbox completely and navigate to the Status tab and select the DHCP Leases tab. You will see the DHCP Static assignment on the list as well as the old Dynamic DHCP IP Address assignment. Click the trash can on the far right of the entry associated with the Dynamic DHCP Mapping. Note, if your Xbox is still Online the Trash can option will not be available to delete the entry. If you're confused about which entry is the correct entry, the Static mapping will have a little person at the beginning compared to the circled check mark of the Dynamic DHCP Lease. Also the Dynamic DHCP Lease will be in the IP Address range we defined earlier on. Once it's deleted, power on the Xbox again and you should see the correct IP Address in the networking/advanced settings tab.

      4) Enable and Restrict UPnP to an Access Control list with the Xbox's static IP Address
      I bet you're nervous about reading that one, trust me it's super simple.

      A) Go to the Services TAB and select UPnP & NAT-PMP.
      B) Enable UPnP & NAT-PMP (The very first option)
      C) Then allow both UPnP & NAT-PMP Port Mapping (The next 2 options)
      D) External Interface option should have WAN selected
      E) Interfaces option should have LAN highlighted/selected
      F) Default Deny should be checked (Deny access to UPnP & NAT-PMP by default)
      Why did we turn UPnP and NAT-PMP on just to deny it? Well, it's not a very secure protocol and definitely not something most people would recommend bouncing around aimlessly on your network. You're essentially enabling it only for devices on the access control list (ACL) instead of it just being available to all devices on your network. WAY BETTER OPTION!!
      G) Scroll down to the UPnP Access Control List section and enter the following in the ACL Entries Box:
      (Example) allow 53-65535 (Your Xbox Static Assigned DHCP IP Address)/32 53-65535
      (Real Example) allow 53-65535 192.168.1.20/32 53-65535
      allow = allow this device to UPnP
      53-65565 = allow UPnP access to ports in this range
      192.168.1.20/32 = You're giving it the Xbox's static IP Address, and the /32 makes sure it's only giving access to that specific IP address and not a range of IP addresses like /24 would give you.
      H) Ensure to Save this configuration

      5) Create some Firewall Aliases

      Up to this point we've been referring to one singular Xbox; however, you would just repeat all the same steps above for each Xbox you have on your LAN to get the same result to this point.
      Aliases will make later configuration easier, and if you've got multiple consoles it's gonna save you some typing.

      A) Go to the firewall tab and select aliases
      B) Click add on the IP sub-tab
      C) name it xbox_ips and ensure the type is set to Hosts
      D) Enter your Static DHCP Assigned IP Address for your Xbox in the IP or FQDN Boxes.
      At this point, add any other static Xbox IP address if you have multiple Xboxes on your LAN.
      E) Once complete, ensure you save.
      F) Ensure the Firewall Alias is listed correctly and the values listed are for your device's IP Addresses or Address

      6) Add an Outbound NAT Rule

      A) Select Firewall/NAT/Outbound
      B) Make sure Hybrid Outbound NAT is selected
      C) Ensure you save this selection before moving on
      D) Click Add with the Up Arrow on the Mappings table
      E) Interface should be set to WAN
      F) Address Family = IPv4+IPv6
      G) Protocol = any
      H) Source | Type = Network | Source Network for the outbound NAT Mapping = xbox_ip / 32
      I) Destination | Type = Any
      J) Address = Interface Address
      K) Ensure static mapping is checked in the Translation Menu below Address
      L) Save

      7) If you have multiple consoles or just want to be safe, you need to enable NAT port Reflection. Click the System/Advanced/Firewall&NAT tabs and scroll till you see the Network Address Translation sub menu. Select Pure NAT for the NAT Reflection mode for port forwards. SAVE SAVE SAVE!!

      8) Finally click on the diagnostics tab and scroll down to click on states, then reset states tab. Select the reset the firewall state table box and click reset. It may seem frozen but you will need to refresh the page in a couple of seconds and it will load just fine.

      9) TL;DR for what's below here: there's a video covering the main parts of this on YouTube, and if it's still giving you hell, reboot the firewall in the diagnostics tab and pray that's the solution.

      Okay, so this should have solved your problem, and it seems to have done so for some people experiencing these issues on this YouTube video covering these steps: https://www.youtube.com/watch?v=whGPRC9rQYw

      However, there were still weird problems I encountered using various different forum posts and the above-listed video that I could not figure out for the life of me. One minute my IP Address was good, then it would skip the Static assignment and default to Dynamic DHCP Assignment. Then I had problems with Teredo Tunneling or UPnP. After all of these settings were configured correctly I still had problems and they would fluctuate randomly while I was troubleshooting. Absolute Nightmare!! It drove me to the point of creating essentially a crap DMZ with no Firewall just for gaming consoles in hopes of getting it to work, but I quickly realized I was just overcomplicating things and missing something. After a day and a half of the DMZ idea I swear to god I just said screw it and rebooted the firewall and it all fixed itself. There's a special place in hell for sysadmins who say "Oh well did you restart it?" "NO I DIDN'T JUST RESTART IT DAVE!". Yeah, well, Dave was right: try rebooting your firewall if Teredo is specifically giving you a run for your money.

      If you are still having problems from here, more than likely you misconfigured a setting or missed another. If you are running an IPv6 based home network, there is probably a setting or two not specifically outlined in this guide that you'd need to mess around with to get it working. Also there are a few very, very specific issues other people ran into on this forum. They are not detailed well at all, but if you search for xbox or teredo for example on this forum you can find some other posts for resources.

      This post was a compiling of some additional information I gathered or other settings not covered explicitly in other posts or videos that solved my problems. The Xbox is super finicky sometimes, so just stick to it and eventually you'll find the setting or solution you need to get it to work. I promise it is possible to get an Open NAT type if you work at it. Hopefully Admins will lock this guide to the home page so other people will post their solutions to specific problems. If I made a mistake or didn't cover something, please put it below so I can hopefully make some corrections to this page.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
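
An added example, not part of the original post and not pfSense code: a small Python check for the UPnP ACL entries described in step 4, tying them to the DHCP layout from step 3. It assumes the four-field line format shown in the guide (action, external ports, internal IP/CIDR, internal ports) and the guide's example LAN and DHCP pool; the function names are hypothetical.

```python
import ipaddress

# Values from the guide's examples; change them to match your own LAN.
LAN = ipaddress.ip_network("192.168.1.0/24")
POOL_START = ipaddress.ip_address("192.168.1.100")
POOL_END = ipaddress.ip_address("192.168.1.150")

def parse_ports(text):
    """Parse 'N' or 'N-M' and reject anything outside 1..65535."""
    low, _, high = text.partition("-")
    low, high = int(low), int(high or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(text)
    return low, high

def audit_acl_entry(entry, static_ips):
    """Return a list of findings for one '<action> <ext> <ip> <int>' line."""
    fields = entry.split()
    if len(fields) != 4 or fields[0] not in ("allow", "deny"):
        return ["malformed entry"]
    action, ext_ports, addr, int_ports = fields
    findings = []
    for label, ports in (("external", ext_ports), ("internal", int_ports)):
        try:
            parse_ports(ports)
        except ValueError:
            findings.append(f"{label} port range invalid: {ports}")
    try:
        net = ipaddress.ip_network(addr, strict=False)
    except ValueError:
        return findings + [f"invalid address: {addr}"]
    if action != "allow":
        return findings
    host = net.network_address
    if net.num_addresses != 1:
        findings.append(f"{addr} allows {net.num_addresses} hosts, not one")
    elif host not in LAN:
        findings.append(f"{host} is not on the LAN {LAN}")
    elif POOL_START <= host <= POOL_END:
        findings.append(f"{host} is inside the dynamic DHCP pool")
    elif host not in {ipaddress.ip_address(ip) for ip in static_ips}:
        findings.append(f"{host} has no DHCP static mapping")
    return findings

if __name__ == "__main__":
    # Constructed sample entries: the guide's /32 rule and a /24 variant.
    for line in ("allow 53-65535 192.168.1.20/32 53-65535",
                 "allow 53-65535 192.168.1.0/24 53-65535"):
        print(line, "->", audit_acl_entry(line, ["192.168.1.20"]) or "ok")
```

Pass the list of static-mapped console addresses as `static_ips`; an empty result means the entry is scoped to a single reserved host with valid port ranges.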