NAPT type and filtering for multiple Xbox 360 - no UPnP
With all the Xbox 360 threads, sorry if this is beating a dead horse. I wasn't able to find anything about my particular question.
I run the network for a small university with a few thousand students, many of whom have Xbox 360s. Unfortunately, in this environment I don't feel comfortable turning on UPnP in order to get them "full" Xbox Live access. According to the Microsoft Xbox Live router certification documentation, UPnP is not required for full Xbox live - just cone NAT with either no filtering or address sensitive filtering.
For pfSense, I know turning on Static Port NAT tries to remove randomization from client source ports and the WAN port they are NATed to. Does that mean that connections from the same client source port will be mapped to the same WAN port for connections to multiple different IPs? i.e.:
privateIP:48193 --(wan:48193)-> internetIP1
privateIP:48193 --(wan:48193)-> internetIP2
Or will the WAN port be changed on different connections?
Assuming it is consistent, what port filtering is applied: no filtering, address sensitive filtering, or address and port sensitive filtering?
I'll attach all relevant definitions from the Microsoft Certification guide so we're all speaking the same language.
Thanks again for creating such a wonderful product.
Port Assignment Policy
When a NAT receives a UDP packet from a client device, it must decide what UDP port to assign to that UDP source port on that client device. There are two techniques the NAT can use to do this.
- The NAT can assign one UDP port to each UDP source port used by a client device, regardless of the destination of the UDP packet. We call this “minimal port assignment policy” because it results in the minimum number of UDP ports being assigned by the NAT. This is also sometimes called a “cone” NAT.
- The NAT can assign a different UDP port for each UDP destination. We call this an “aggressive port assignment policy” because it results in the NAT assigning many ports. This is also sometimes called a “symmetric” NAT.
Symmetric NATs make it very difficult to establish peer-to-peer connectivity between two devices behind NATs. Symmetric NATs are not supported by Xbox Live. A user behind a symmetric NAT will be able to connect to the Xbox Live service and will be able to join some games, but will sometimes encounter problems related to the difficulty of establishing peer-to-peer connectivity, such as problems with in-game voice communication, or the inability to join some game sessions.
Port Filtering Policy
Some NATs apply filters on incoming traffic. There are three possible filtering policies:
- No Filtering: Any packet that is addressed to a port the NAT has assigned to client devices is forwarded. When combined with a minimal port assignment policy, this is sometimes referred to as a “full cone” NAT.
- Address Sensitive Filtering: A packet addressed to a port the NAT has assigned is forwarded only if it originated from an IP address the client device has previously communicated to.
- Address and Port Sensitive Filtering: A packet addressed to a port the NAT has assigned is forwarded only if it originated from an IP address and port that the client device has previously communicated to.
Xbox Live works best with “cone” NATs (those with a minimal port assignment policy) that implement No Filtering or Address Sensitive Filtering. Users behind these types of NATs will be able to connect to any other user behind any type of NAT, even incompatible “symmetric” NATs. Xbox Live will also work with “cone” NATs that implement Address and Port Sensitive filtering, but users behind these NATs may find they are unable to communicate with users behind an incompatible “symmetric” NAT.
Microsoft highly recommends that NAT vendors choose to implement No Filtering or Address Sensitive filtering policies with minimal port assignment policies. Users behind these NATs will have a true plug-and-play experience where no configuration of the NAT is required for the user to communicate with any other Xbox Live subscriber.
According to those descriptions, I think pfSense would by default be symmetric NAT with address and port sensitive filtering.
Is there any way to enable Cone NAT with Address Sensitive Filtering in pfSense? In FreeBSD in general?
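To make the quoted Microsoft definitions concrete, here is a small simulator of the two port assignment policies (minimal/cone vs aggressive/symmetric) and the three filtering policies, plus a probe that classifies a NAT the way the certification text describes: send from one client source port to two destinations and compare the assigned WAN ports, then see which unsolicited inbound packets get through. This is an added example, not code from the original post and not pfSense or FreeBSD code; it does not model what pf actually does with Static Port, and every address, port and class name in it is constructed for illustration.

```python
"""Toy NAT simulator for the Xbox Live port assignment / filtering definitions.

Added example for illustration only; not pfSense or FreeBSD behaviour.
All IP addresses are from the documentation ranges (RFC 5737) and constructed.
"""
from dataclasses import dataclass, field

# Assumed policy names for this simulator (not pf or Microsoft terminology).
MINIMAL, AGGRESSIVE = "minimal", "aggressive"          # cone vs symmetric
NO_FILTER, ADDR_FILTER, ADDR_PORT_FILTER = "none", "address", "address_port"


@dataclass
class Nat:
    assignment: str                  # MINIMAL or AGGRESSIVE
    filtering: str                   # NO_FILTER, ADDR_FILTER or ADDR_PORT_FILTER
    static_port: bool = False        # try to reuse the client's source port on the WAN side
    next_port: int = 40000           # next dynamically allocated WAN port
    mappings: dict = field(default_factory=dict)   # mapping key -> WAN port
    peers: dict = field(default_factory=dict)      # WAN port -> {(dst_ip, dst_port)}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Client sends a UDP packet; return the WAN port the NAT uses for it."""
        if self.assignment == MINIMAL:
            key = (src_ip, src_port)                      # one WAN port per client port
        else:
            key = (src_ip, src_port, dst_ip, dst_port)    # one WAN port per destination
        if key not in self.mappings:
            if self.static_port and src_port not in self.mappings.values():
                wan_port = src_port                       # keep the client's port if free
            else:
                wan_port = self.next_port
                self.next_port += 1
            self.mappings[key] = wan_port
        wan_port = self.mappings[key]
        # Remember who this WAN port has talked to, for the filtering decision.
        self.peers.setdefault(wan_port, set()).add((dst_ip, dst_port))
        return wan_port

    def inbound(self, wan_port, from_ip, from_port):
        """Packet arrives at the WAN port; return True if the NAT forwards it."""
        if wan_port not in self.peers:
            return False                                  # no mapping at all
        if self.filtering == NO_FILTER:
            return True
        seen = self.peers[wan_port]
        if self.filtering == ADDR_FILTER:
            return any(ip == from_ip for ip, _ in seen)   # address must match
        return (from_ip, from_port) in seen               # address and port must match


def classify(nat):
    """Probe a NAT as the certification text describes and name its type."""
    client = ("10.0.0.5", 48193)                          # constructed private host
    p1 = nat.outbound(*client, "198.51.100.10", 3074)
    p2 = nat.outbound(*client, "198.51.100.20", 3074)
    kind = "cone" if p1 == p2 else "symmetric"
    # Unsolicited inbound packets aimed at the first mapping.
    same_ip_new_port = nat.inbound(p1, "198.51.100.10", 5000)
    new_ip = nat.inbound(p1, "192.0.2.99", 3074)
    if new_ip:
        filt = "no filtering"
    elif same_ip_new_port:
        filt = "address sensitive"
    else:
        filt = "address and port sensitive"
    return kind, filt


def xbox_live_grade(kind, filt):
    """Map the classification onto the three outcomes in the quoted text."""
    if kind == "symmetric":
        return "not supported"
    if filt == "address and port sensitive":
        return "works, may not reach users behind symmetric NATs"
    return "works best"


if __name__ == "__main__":
    for nat in (Nat(MINIMAL, NO_FILTER), Nat(MINIMAL, ADDR_FILTER),
                Nat(MINIMAL, ADDR_PORT_FILTER), Nat(AGGRESSIVE, ADDR_PORT_FILTER)):
        kind, filt = classify(nat)
        print(f"{nat.assignment:10} {nat.filtering:13} -> {kind}, {filt}: "
              f"{xbox_live_grade(kind, filt)}")
```

The `static_port` flag only affects which WAN port number is chosen; it is the assignment policy (one mapping per client port vs one per destination) that decides cone versus symmetric, which is exactly the distinction the question is asking about. Running the file prints the classification and Xbox Live outcome for four NAT configurations.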
Anyone? Perhaps I should post in the NAT forum.