Xbox Live and Cone/Symmetric NAT
I posted this question in the gaming forum earlier, but perhaps it is a bit more appropriate here as it has more to do with NAT than gaming.
I run the network for a small university with a few thousand students, many of whom have Xbox 360s. Unfortunately, in this environment I don't feel comfortable turning on UPnP in order to get them "full" Xbox Live access. According to the Microsoft Xbox Live router certification documentation, UPnP is not required for full Xbox live - just cone NAT with either no filtering or address sensitive filtering.
For pfsense, I know turning on Static Port NAT tries to remove randomization from client source ports and the wan port they are NATed to. Does this mean that the WAN port from a local IP:port are consistent when connecting to multiple different internet addresses (Cone NAT)? What about multiple local addresses trying to connect to internet address from the same port? Are they all funneled through the statically mapped wan port at the same time, or does the second request get mapped to a different port if the first ip has a lock on the appropriate wan port?
Assuming it is consistent and only one local port is mapped to a wan port at a time, what port filtering is applied: no filtering, address sensitive filtering, or address and port sensitive filtering.
I'll attach all relevant definitions from the Microsoft Certification guide so we're all speaking the same language.
As it stands, is it possible to configure pfsense to do cone NAT with address sensitive filtering?
Thanks again for creating such a wonderful product.
Port Assignment Policy
When a NAT receives a UDP packet from a client device, it must decide what UDP port to assign to that UDP source port on that client device. There are two techniques the NAT can use to do this.
1) The NAT can assign one UDP port to each UDP source port used by a client device, regardless of the destination of the UDP packet. We call this “minimal port assignment policy” because it results in the minimum number of UDP ports being assigned by the NAT. This is also sometimes called a “cone” NAT.
2) The NAT can assign a different UDP port for each UDP destination. We call this an “aggressive port assignment policy” because it results in the NAT assigning many ports. This is also sometimes called a “symmetric” NAT.
Symmetric NATs make it very difficult to establish peer-to-peer connectivity between two devices behind NATs. Symmetric NATs are not supported by Xbox Live. A user behind a symmetric NAT will be able to connect to the Xbox Live service and will be able to join some games, but will sometimes encounter problems related to the difficultly of establishing peer-to-peer connectivity, such as problems with in-game voice communication, or the inability to join some game sessions.
Port Filtering Policy
Some NATs apply filters on incoming traffic. There are three possible filtering policies:
• No Filtering: Any packet that is addressed to a port the NAT has assigned to client devices is forwarded. When combined with a minimal port assignment policy, this is sometimes referred to as a “full cone” NAT.
• Address Sensitive Filtering: A packet addressed to a port the NAT has assigned is forwarded only if it originated from an IP address the client device has previously communicated to.
• Address and Port Sensitive Filtering: A packet addressed to a port the NAT has assigned is forwarded only if it originated from an IP address and port that the client device has previously communicated to.
Xbox Live works best with “cone” NATs (those with a minimal port assignment policy) that implement No Filtering or Address Sensitive Filtering. Users behind these types of NATs will be able to connect to any other user behind any type of NAT, even incompatible “symmetric” NATs. Xbox Live will also work with “cone” NATs that implement Address and Port Sensitive filtering, but users behind these NATs may find they are unable to communicate with users behind an incompatible “symmetric” NAT.
Microsoft highly recommends that NAT vendors choose to implement No Filtering or Address Sensitive filtering policies with minimal port assignment policies. Users behind these NATs will have a true plug-and-play experience where no configuration of the NAT is required for the user to communicate with any other Xbox Live subscriber.
For reference, I'll repeat my comment from the other thread that according to those descriptions, I think pfSense would by default be symmetric NAT with address and port sensitive filtering.
Using static source ports isn't quite the same as what it describes as cone NAT or minimal port assignment policy, if I'm interpreting it correctly. What it describes sounds like the NAT device would still change the source ports, but it would use that source port again every time the same client used the same source port. There may be a way to do this with PF, but I'm not sure. I know you can do it with IP address pools; it may support doing it for pools of port numbers, too.
As for filtering, you may be able to have firewall rules on WAN to allow all connections to LAN to satisfy that, though I'm still not sure whether PF would allow it with that either. I'm not really sure whether it is possible to make PF filter by address but not port on connections trying to go through the active NAT states.
If you can make the client machine to use a fixed source port for outgoing connections you can then write an advanced outbound NAT rule for that client machine that matches the client ip and source port with static port option turned on. If the source port can not be controlled then I don't think pf can do "cone" NAT as described.