Xbox 360 configuration NAT: strict



  • I have been using pfsense as my main router for a couple months now.

    I am having trouble configuring my router correctly for the xbox 360.

    I set up port forwarding for port 88, 2074, and 3074.

    When I go to the xbox console and click test network connections, under the NAT test, I am listed as "strict".
    It is supposed to be listed as "Open" to work correctly.  Any ideas on how I could fix this?

    Thanks,
    Zack



  • You might try installing Miniupnpd. It will automatically open the ports the Xbox requests.



  • I actually just did that and it works great.

    Thanks for a great routing solution and to those who made the upnd package!

    Zack



  • This also fixed my xbox 360 issue, but maybe one of you gurus can answer me this.  Under the MiniUPNPD log window, I see the following..

    Port  Protocol  Internal IP  Description
    3074 udp 192.168.1.117 Xbox (192.168.1.117:3074) 3074 UDP

    Now this was automagically opened when I did the xbox live test, it listed my NAT as OPEN.  What I don't understand is when I do this mapping manually, going into the rules and nat section of PFSENSE and inputting the same mapping as the log, the xbox live test indicates a STRICT NAT, instead of open.  Why is that?  Even though the same ports/protocol is going to the same place, it stops my xbox 360 from working.  I am just confused as to why the manual mapping does not work for me, yet using MiniUPNPd does work.

    The real reason why I want to know is because I don't want to use miniupnpd, since I cannot do restriction to the IP/MAC/PORT/PROTOCOL/etc of what can use the miniupnp daemon.  If I was able to do such restrictions, I wouldn't have a problem leaving it running; obviously there is a major security risk to leaving it running 24/7.  I guess for now I'll have to enable and disable it every time I wish to play online.



  • @stratos:

    This also fixed my xbox 360 issue, but maybe one of you gurus can answer me this.  Under the MiniUPNPD log window, I see the following..

    Port  Protocol  Internal IP  Description
    3074 udp 192.168.1.117 Xbox (192.168.1.117:3074) 3074 UDP

    Now this was automagically opened when I did the xbox live test, it listed my NAT as OPEN.  What I don't understand is when I do this mapping manually, going into the rules and nat section of PFSENSE and inputting the same mapping as the log, the xbox live test indicates a STRICT NAT, instead of open.  Why is that?  Even though the same ports/protocol is going to the same place, it stops my xbox 360 from working.  I am just confused as to why the manual mapping does not work for me, yet using MiniUPNPd does work.

    The real reason why I want to know is because I don't want to use miniupnpd, since I cannot do restriction to the IP/MAC/PORT/PROTOCOL/etc of what can use the miniupnp daemon.  If I was able to do such restrictions, I wouldn't have a problem leaving it running; obviously there is a major security risk to leaving it running 24/7.  I guess for now I'll have to enable and disable it every time I wish to play online.

    You also need an advanced outbound nat entry at the top of the list for the xbox ports with the static-port option enabled.  Search the forum for static-port.  It's asked about weekly now.



  • Doesn't that only apply if I am filtering OUTBOUND traffic as well?  IE, having "Enable advanced outbound NAT" enabled?  I currently only filter INBOUND traffic from the internet, through my firewall, into my LAN subnet, but not outbound.  Am I incorrect?  I am under the impression that the xbox 360 is able to talk OUTBOUND to the internet at anytime, it's only the inbound traffic that needs the port forwarding/mapping to make it work.  Maybe I am confused on all the jargon and have come under an incorrect assumption of how pfsense works by default.



  • @stratos:

    Doesn't that only apply if I am filtering OUTBOUND traffic as well?  IE, having "Enable advanced outbound NAT" enabled?  I currently only filter INBOUND traffic from the internet, through my firewall, into my LAN subnet, but not outbound.  Am I incorrect?  I am under the impression that the xbox 360 is able to talk OUTBOUND to the internet at anytime, it's only the inbound traffic that needs the port forwarding/mapping to make it work.  Maybe I am confused on all the jargon and have come under an incorrect assumption of how pfsense works by default.

    Nope, it has nothing to do with filtering…are you familiar with what NAT does?  NAT translates the source port of outgoing packets to something random which it tracks so it can have multiple computers accessing the internet at the same time.  What scott was talking about is using the "static-port" option in the NAT rules which will force the NAT to leave the source port alone.  What happens when using NAT sometimes (I had this problem with my PS2) was that the app will think it's sending data on port "x" and that everyone who receives that data will see that it comes from port "x" but then the NAT will translate it to "y" so the apps receiving that data see it as coming from port "y".  It shouldn't interfere because if the connected computer sends data back to port "y" then NAT will translate the packet back to port "x", but if the connected machine sends someone else information saying that your machine is receiving information on port "y" then NAT will reject it because it doesn't think that the new machine should be able to send information to that port "y" (which it shouldn't).  The static-port option fixes this by not doing the translation from port "x" to port "y", so the connected machine will see the data as coming from port "x" instead of port "y".

    Ok, that was a long and confusing explanation...as scott said, look for static-port in the forums and on the web and you can probably find a better one.
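
The behaviour described in the post above, as an added example that is not part of the original thread: a toy model of a source NAT with and without static-port. The class, the function names and the WAN, server and peer addresses are constructed for illustration; only the console address 192.168.1.117 and port 3074 come from the thread.

```python
import random

class Nat:
    """Toy source NAT: per-remote state table plus static inbound forwards."""
    def __init__(self, wan_ip, static_port=False, forwards=None, seed=0):
        self.wan_ip = wan_ip
        self.static_port = static_port
        self.forwards = forwards or {}   # wan_port -> (lan_ip, lan_port)
        self.states = {}                 # (wan_port, remote) -> (lan_ip, lan_port)
        self.rng = random.Random(seed)   # seeded so the run is repeatable

    def outbound(self, lan_ip, lan_port, remote):
        """Translate an outgoing packet; return the source the remote sees."""
        if self.static_port:
            wan_port = lan_port                        # port "x" is left alone
        else:
            wan_port = self.rng.randint(49152, 65535)  # rewritten to port "y"
        self.states[(wan_port, remote)] = (lan_ip, lan_port)
        return (self.wan_ip, wan_port)

    def inbound(self, remote, wan_port):
        """Return the LAN host an incoming packet reaches, or None if dropped."""
        state = self.states.get((wan_port, remote))
        if state is not None:
            return state                     # reply from a host we talked to
        return self.forwards.get(wan_port)   # otherwise only a port forward helps

# Constructed sample endpoints (documentation address ranges).
XBOX = ("192.168.1.117", 3074)
SERVER = ("203.0.113.10", 3074)
PEER = ("198.51.100.20", 3074)

def peer_can_reach(static_port):
    """Console contacts the server, which tells a new peer the port it observed."""
    nat = Nat("192.0.2.1", static_port, forwards={3074: XBOX})
    _, seen_port = nat.outbound(*XBOX, remote=SERVER)
    return seen_port, nat.inbound(PEER, seen_port)

if __name__ == "__main__":
    print("default NAT :", peer_can_reach(False))  # peer is dropped
    print("static-port :", peer_can_reach(True))   # peer reaches the console
```

Without static-port the peer is sent to the rewritten port, where neither a state entry nor the 3074 forward applies; with static-port the advertised port is 3074 and the existing forward delivers the packet.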



  • @zboll:

    I actually just did that and it works great.

    Thanks for a great routing solution and to those who made the upnd package!

    Zack

    Any tips for someone in the same situation for whom this DIDN'T work quite so easily?  I just migrated my install from CD-ROM/floppy to HDD to be able to install the upnpd package, enabled it, disabled the log packets option, and backed out all my firewall/NAT rules I had tried to get this to work before but no luck.  Is there something I have to do on the xbox 360 to get it to try to use upnp?

    [update]Ah, I had to use DHCP instead of manual IP address assignment.  Works now.[/update]



  • @stratos:

    The real reason why I want to know is because I don't want to use miniupnpd, since I cannot do restriction to the IP/MAC/PORT/PROTOCOL/etc of what can use the miniupnp daemon.  If I was able to do such restrictions, I wouldn't have a problem leaving it running; obviously there is a major security risk to leaving it running 24/7.  I guess for now I'll have to enable and disable it every time I wish to play online.

    MiniUPnPd will have access restrictions in the next week or so. It was just added to the code. I just need to fix up the package gui to support it and verify it works correctly.

    Here's an excerpt from the sample config.

    allow 1024-65535 192.168.0.0/24 1024-65535
    allow 1024-65535 192.168.1.0/24 1024-65535
    allow 12345 192.168.7.113/32 54321
    deny 0-65535 0.0.0.0/0 0-65535
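
A way to check what the excerpt above would permit, as an added example that is not part of the original thread and is not miniupnpd's own code. It assumes each line reads action, external port range, client network, internal port range, that the first matching rule decides, and that a request matching no rule is accepted (the `default_allow` parameter); the function names are hypothetical.

```python
import ipaddress

# The four rules quoted in the post above.
RULES = """\
allow 1024-65535 192.168.0.0/24 1024-65535
allow 1024-65535 192.168.1.0/24 1024-65535
allow 12345 192.168.7.113/32 54321
deny 0-65535 0.0.0.0/0 0-65535
"""

def _ports(spec):
    """Parse '3074' or '1024-65535' into an inclusive (low, high) pair."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def parse_rules(text):
    """Turn rule lines into (allow, ext_range, network, int_range) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # ignore comments and blank lines
        if not line:
            continue
        action, eports, net, iports = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action: {action}")
        rules.append((action == "allow", _ports(eports),
                      ipaddress.ip_network(net, strict=False), _ports(iports)))
    return rules

def decide(rules, ext_port, client_ip, int_port, default_allow=True):
    """First matching rule wins; default_allow applies when none matches (assumption)."""
    addr = ipaddress.ip_address(client_ip)
    for allow, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and addr in net and ilo <= int_port <= ihi:
            return allow
    return default_allow

if __name__ == "__main__":
    rules = parse_rules(RULES)
    for req in [(3074, "192.168.1.117", 3074),   # console from the thread
                (88, "192.168.1.117", 88),       # low port, same console
                (3074, "10.0.0.5", 3074)]:       # constructed outside client
        print(req, "->", "allow" if decide(rules, *req) else "deny")
```

Under these rules the console at 192.168.1.117 may map 3074 but not 88, because 88 falls below the allowed 1024-65535 range and reaches the final deny line.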



  • To help you (I hope ^^) :

    I've got a 360 connected to lan. And the only thing I had to do to make XboxLive! work is to set up a nat on the following ports :

    • 3074 TCP -> 3074 TCP
    • 3074 UDP -> 3074 UDP (and not 2074 like you said ;) )
    • 88 UDP -> 88 UDP
      (From WAN, TO the 360)

    Sometimes when I'm running the Live! test on my xbox, it tells me that it's Strict, but often it tells me that it's OPEN.
    So I suppose that it's OPEN in all cases and it's just a bad detection from the 360 :)

    And don't forget to make the rules to allow this traffic in your firewall ;)

