Multiple XBOX 360s and pfSense

  • My house currently has three XBOX 360s and a router/firewall running pfSense.

    I have the XBOXes working with UPnP; however, I was wondering if there is a way to use just port forwarding/NAT? So far, from what I gather reading other forum topics, this isn't possible. Am I wrong?

    Additionally, what security vulnerabilities am I introducing into my network by allowing UPnP to be on?

  • I know this was from Feb, but I'm hoping you're still around.

    I've been using pfSense for a while now, but I am by no means an expert with it. I believe that you can create VLANs and separate your Xbox from the rest of your LAN, create your UPnP settings on the VLAN with your Xbox, and leave UPnP disabled for your other VLAN.

    HOWEVER - this is just based off my knowledge of enterprise firewalls - I have no earthly clue how to get this to actually work with pfSense. Or at least what would appear to be the logical steps for this setup don't seem to work for me.

    I can't even get an open NAT with one Xbox, let alone two. Granted, I haven't spent but about 10 minutes trying to get it to work, but my question for you is: how did you get it to work with multiple Xboxes?

    I'm suspicious of my hardware with its VLAN support. It supports VLANs, but so far the results have been sketchy. I'm using an Asus nettop with only one JMicron NIC. I think the JMicron might be the source of most of my problems. Anyway - how?

  • You can't really NAT single ports to multiple IPs; it's the nature of the beast. The firewall would have no idea which IP to forward a given port to.

    UPnP is useful for this purpose in that it negotiates the port to be opened with the firewall so that a connection can be made. The security implications are that the default settings for UPnP are inherently trusting. This means that a trojan or misconfigured program using UPnP could open ports on your firewall and widen your attack footprint.

    A best practice would be to limit UPnP access to certain IPs or interfaces.

    You could statically assign your Xboxes to those IPs and have UPnP ignore anyone else. Or, (in my opinion) a better way would be to hang your Xboxes off an isolated interface and deny UPnP access to any other interface. You can do this with either a VLAN or a hard port.

    Generally, for a home network, UPnP is a useful tool, with some security implications to consider. Provided good security practices are followed, it is safe.
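The two points in the reply above (one external port cannot be forwarded to two internal hosts, and UPnP should be restricted to the Xbox addresses with a catch-all deny) as an added illustration, not code from the thread or from pfSense. The ACL lines follow the miniupnpd rule shape that pfSense's UPnP service uses (assumed): action, external port range, internal network, internal port range, evaluated top-down with first match winning; the addresses and ports are constructed sample values.

```python
import ipaddress

# Constructed static NAT table: (external port, internal host). A firewall can
# only send an inbound port to one host, so a second Xbox on port 3074 collides.
STATIC_FORWARDS = [(3074, "192.168.10.11"), (3074, "192.168.10.12"),
                   (88, "192.168.10.11")]

def find_port_conflicts(forwards):
    """Return external ports that more than one internal host claims."""
    hosts_by_port = {}
    for ext_port, host in forwards:
        hosts_by_port.setdefault(ext_port, set()).add(host)
    return sorted(p for p, hosts in hosts_by_port.items() if len(hosts) > 1)

# Constructed UPnP ACL: only the isolated Xbox subnet may request mappings for
# unprivileged ports; the trailing deny catches every other host on the LAN.
UPNP_ACL = [
    "allow 1024-65535 192.168.10.0/24 1024-65535",
    "deny 0-65535 0.0.0.0/0 0-65535",
]

def _parse_range(text):
    """'1024-65535' -> (1024, 65535); a bare '3074' -> (3074, 3074)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)

def upnp_mapping_allowed(acl, src_ip, ext_port, int_port, default_allow=True):
    """Decide whether a UPnP mapping request from src_ip would be honoured.

    default_allow models the daemon's behaviour when no rule matches
    (assumption: miniupnpd allows unless configured otherwise, which is why
    the explicit deny line at the end of the ACL matters).
    """
    src = ipaddress.ip_address(src_ip)
    for line in acl:
        action, ext_rng, net, int_rng = line.split()
        ext_lo, ext_hi = _parse_range(ext_rng)
        int_lo, int_hi = _parse_range(int_rng)
        if (src in ipaddress.ip_network(net, strict=False)
                and ext_lo <= ext_port <= ext_hi
                and int_lo <= int_port <= int_hi):
            return action == "allow"   # first matching rule decides
    return default_allow

if __name__ == "__main__":
    print("conflicting forwards:", find_port_conflicts(STATIC_FORWARDS))
    print("xbox allowed:", upnp_mapping_allowed(UPNP_ACL, "192.168.10.11", 3074, 3074))
    print("pc allowed:", upnp_mapping_allowed(UPNP_ACL, "192.168.1.50", 3074, 3074))
```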
