XBOX 360 open NAT HowTo for pfSense 1.0?



  • It seems that with the release of pfSense 1.0, we have all the pieces needed to make an XBOX 360 see pfSense as an "open NAT" instead of the default "strict NAT" of pf.  Some have reported success with various pre-1.0 release candidates and patched binaries, but I haven't been able to get it going on 1.0 yet.  I'm thinking that this will be a common question if there isn't an easy answer that I'm just missing.  BTW, many thanks to those over in "Post a Bounty" involved with getting the miniupnpd package included in 1.0.

    Does it "just work" for you once you install miniupnpd?  If not, what else has to be done?  I believe I've read that it's ok to ignore errors like this in the system log:

    miniupnpd[pid]: Unknown udp packet received from xBoxIPaddr:Port

    I'm hoping to bring together in one spot the necessary steps to make an XBOX 360 happy.  I'll get it started with what (I think) I know so far and then ask for help with the details.

    1. Install the miniupnpd package.
    2. Go to Services->Miniupnpd->miniupnpd Settings and select your LAN interface.  Click "Change" button.

    What else?  All help greatly appreciated!

    Thanks,

    Bob



  • @bobvan:

    It seems that with the release of pfSense 1.0, we have all the pieces needed to make an XBOX 360 see pfSense as an "open NAT" instead of the default "strict NAT" of pf.

    You don't need uPnP, you can do it with a static port forward.  Set up a port forwarding rule for UDP port 3074 to your 360's IP address.



  • @MikeF:

    You don't need uPnP, you can do it with a static port forward.  Set up a port forwarding rule for UDP port 3074 to your 360's IP address.

    MikeF, Thanks for the advice.  I went to try it and discovered that I seem to already have such a rule in place.  On Firewall->NAT->Port Forward, I see a rule for the WAN interface forwarding TCP and UDP port 3074 to my XBOX 360 port 3074.  (I'm also doing the same for UDP port 88.)  I think this is left over from some earlier experiments where I was trying to use a static setup instead of UPNP.

    I'd be happy with static or UPNP.  Has anybody else had success with the static approach?  Details?

    On one hand, I like the UPNP approach because it should only open what's necessary when it's necessary.  On the other hand, it's a license for any rogue bit of malware on my network to open anything it wants.  (Thankfully, I seldom run Windows.)  If I get UPNP working, I should probably add firewall rules that allow only the XBOX to talk to miniupnpd.
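
A pf.conf rendering of the static setup described in the two posts above (TCP/UDP 3074 and UDP 88 forwarded to the console), plus the rules bobvan proposes so that only the XBOX can talk to miniupnpd. This is an added example, not code from the thread or from pfSense; interface names, the LAN subnet, the console's address and the miniupnpd control port are assumptions, and the static-port outbound NAT line is added because pf rewrites source ports by default.

```pf
# Added example (not from the thread). Assumed values: WAN em0, LAN em1,
# LAN subnet 192.168.1.0/24, XBOX 360 at 192.168.1.50.
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.1.0/24"
xbox    = "192.168.1.50"

# Outbound NAT. pf randomizes source ports by default; keep the console's
# source ports unchanged ("static-port") and leave everyone else randomized.
# First matching translation rule wins, so the console rule comes first.
nat on $ext_if from $xbox    to any -> ($ext_if) static-port
nat on $ext_if from $lan_net to any -> ($ext_if)

# Static inbound mappings from the thread: TCP/UDP 3074 and UDP 88 -> console.
rdr on $ext_if proto { tcp, udp } from any to ($ext_if) port 3074 -> $xbox port 3074
rdr on $ext_if proto udp          from any to ($ext_if) port 88   -> $xbox port 88

# Let only the redirected traffic in from the WAN, only to the console.
pass in quick on $ext_if proto { tcp, udp } from any to $xbox port 3074 keep state
pass in quick on $ext_if proto udp          from any to $xbox port 88   keep state

# Least privilege for UPnP on the LAN: only the console may reach miniupnpd.
# SSDP discovery is UDP 1900; the HTTP/SOAP control port is assumed to be 2189
# (match it to your miniupnpd settings). Pass the console with "quick", then
# block the rest of the LAN from the same ports.
upnp_http = "2189"
pass  in quick on $int_if proto udp from $xbox    to any       port 1900      keep state
pass  in quick on $int_if proto tcp from $xbox    to ($int_if) port $upnp_http keep state
block in quick on $int_if proto udp from $lan_net to any       port 1900
block in quick on $int_if proto tcp from $lan_net to ($int_if) port $upnp_http
```

The miniupnpd status screen mentioned later in the thread still shows whatever mappings the console opens, so the block rules above narrow who can request them without losing that visibility.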



  • If you want to use UPnP, I think there is a package for pfSense available for download through the packages interface on the webConfigurator. I've not used it personally but it's worth a shot.



  • @bobvan:

    On one hand, I like the UPNP approach because it should only open what's necessary when it's necessary.  On the other hand, it's a license for any rogue bit of malware on my network to open anything it wants.

    The UPnP has a status screen so at least you can monitor your malware ;-)



  • @bobvan:

    On one hand, I like the UPNP approach because it should only open what's necessary when it's necessary.  On the other hand, it's a license for any rogue bit of malware on my network to open anything it wants.  (Thankfully, I seldom run Windows.)  If I get UPNP working, I should probably add firewall rules that allow only the XBOX to talk to miniupnpd.

    This is a common misconception that doesn't stand up to analysis.

    The fact is, if you have malware on your network, on a typical firewall it's fully capable of opening up any outbound connections it wants. UPnP does allow it to open up inbound ports too, but only in a limited way. Is there anything that can be done with a UPnP inbound connection that couldn't, technically, be done through an outbound connection? No. In fact it's probably far easier and less likely to be detected (and certainly more reliable) for malware to create vulnerabilities through initiating outbound connections and local network sniffing.

    The reality is in a lot of cases UPnP is a lot more secure than alternatives like static inbound mappings as the ports are only opened when required. They are also (if the UPnP IGD is capable) loggable and monitorable.

    Sure, you don't want UPnP on a typical corporate network, but there's certainly a big place for it on home networks and even SME networks.

    Cheers,

    Keith

