Xbone, NAT strict
-
SOLVED
i can't seem to modify the thread title or the original post. if a mod could help, that would be appreciated.
i have to thank pfsense forum user AhnHEL, he sent me a PM and gave me step by step directions and everything worked, NAT is now reporting as open for the xbone.
just as his directions stated, i recommend putting any settings back to how they were, assuming you followed others threads/directions with no luck. i changed all my settings back to what they were prior to making this thread and followed his directions. the only thing i had to do was pull the power plug from my xbone. after following the steps, the nat went from strict to moderate, but i ran the rest after power cycling the xbone and nat switched to open.
dhcp mapping will work, but i statically set my xbone to an ip outside of the DHCP scope instead.
Ok, I don't know what you still have set up while you were trying to get this to work, but remove any port forwards or rules that you created previously. We're going to try the UPnP method because it's the easiest method to configure. Keep your XBone off while setting this up.
1. I'm sure you have done this, but setup a static DHCP mapping for your XBox One. In my settings below this is 192.168.39.17
2. Now go to Firewall: NAT: Outbound and select Manual Outbound NAT and hit save. This should at default create two entries a LAN mapping and a Localhost mapping.
3. Now add a mapping for your XBox One's static DHCP IP address on your LAN interface with a /32 as a mask bit in the Source section. In the Translation section of this mapping, select the "Static Port" checkbox. Give the mapping a name like XBone AON and save.
4. Now take this XBone AON mapping rule and move it ABOVE your Default LAN mapping and hit Save.
5. Go to Services: UPnP & NAT-PMP and set up as follows: check enable upnp and nat-pmp; check allow upnp port mapping; external interface: WAN; interfaces: LAN; user specified permissions 1: allow 88-65535 192.168.39.17/32 88-65535. Then hit Change.
6. Now to be sure no states to the XBox are lingering from a previous connection, go to Diagnostics: Reset state and Reset.
7. Now fire up your XBox and you should be at NAT Open. If not, double check your settings and if you have a managed switch on your network, disable Multicast filtering on the switch.
regarding number 6, as stated i power cycled off the xbone, clearing the states was not enough.
regarding number 7, the xbone is connected to a managed switch, but i did not need to change any settings on the switch.
thanks again, AhnHEL.
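
Added example, not part of the original post or of pfSense: a small Python evaluator for the user specified permission line from step 5, showing which UPnP mapping requests that rule admits. First-match evaluation with accept-when-nothing-matches is assumed; the deny-all rule, the /29 rule and the sample requests are constructed.

```python
import ipaddress
from typing import NamedTuple

class Perm(NamedTuple):
    allow: bool
    ext: range        # external (WAN-side) ports
    net: object       # client network the rule applies to
    internal: range   # internal (LAN-side) ports

def _ports(spec):
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return range(lo, hi + 1)

def parse_perm(line):
    """Parse 'allow|deny <ext ports> <ip[/mask]> <int ports>'."""
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    return Perm(action == "allow", _ports(ext),
                ipaddress.ip_network(net, strict=False), _ports(internal))

def decide(perms, client_ip, ext_port, int_port, default_allow=True):
    """First matching rule wins; default_allow (an assumption) applies if none match."""
    addr = ipaddress.ip_address(client_ip)
    for p in perms:
        if addr in p.net and ext_port in p.ext and int_port in p.internal:
            return p.allow
    return default_allow

# Rule from step 5; the deny-all rule, the /29 rule and the requests in demo() are constructed.
STEP5 = parse_perm("allow 88-65535 192.168.39.17/32 88-65535")
DENY_REST = parse_perm("deny 0-65535 0.0.0.0/0 0-65535")
RANGE = parse_perm("allow 88-65535 192.168.39.16/29 88-65535")

def demo():
    return {
        "console": decide([STEP5, DENY_REST], "192.168.39.17", 3074, 3074),
        "console_port_80": decide([STEP5, DENY_REST], "192.168.39.17", 80, 80),
        "other_host": decide([STEP5, DENY_REST], "192.168.39.50", 3074, 3074),
        "other_host_no_deny": decide([STEP5], "192.168.39.50", 3074, 3074),
        "second_console": decide([RANGE, DENY_REST], "192.168.39.18", 3074, 3074),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

Under that assumption, `other_host_no_deny` is the case worth checking on a real box: the allow rule for the console only narrows what UPnP will map if requests that match no rule are denied.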
-
Glad to have helped. :)
-
I really appreciate the hard work here, you guys are great.
My $500 question is will this work with "two" XB1's on the same network?
Enabling just UPnP has given our two 360s all the internet loving they could wish for, my XB1 is being a jerk and if this does the trick I am almost home free. But I need it to work for two of them.
It sounds like M$ likes Cone NATs and dislikes Port Symmetric NATs. Will the changes above make the difference?
-
I don't have two XBone's but I'm sure you won't have any issues if it's set up properly. Only real difference so far is that the XBone never really shuts off so a hard reboot is required once all the settings are set up.
-
i don't have two xbone's, but just as AhnHEL stated, as long as you set it up properly, the second one should work. if you only setup 1 xbone, you should have 3 spots open on the upnp and nat-pmp page for the second xbone. proceed with creating the same rules you did for the first console and power cycle the second xbone before testing the connection for openNAT.
at this time, i don't think i will need more than 4 user specified permission rules, i wonder what happens if you needed a 5th?
-
@tomdlgns:
at this time, i don't think i will need more than 4 user specified permission rules, i wonder what happens if you needed a 5th?
I wrote about that very thing just a few weeks ago in the PS4 thread under the part where it says For More Advanced Users
http://forum.pfsense.org/index.php/topic,69319.msg384435.html#msg384435
-
yeah, that makes sense, i guess i was stuck on 1 rule is 1 IP/device, i never thought about adding a range.
sometimes you miss the obvious.
thanks.
-
I have made my changes and confirmed that this worked to get the first xb1 online with an open nat (cone). My brother will be purchasing his new xb1 this month, so to-be-continued, so far so good.
The two 360s "did" start experiencing issues though they are in the same network range (/29) found in both the UPnP and NAT rules I created
I added two UPnP rules that would allow port 53 and 80 separately from our 88-65535 rule mentioned above, as they are required according to M$. They still didn't work after that for 20 minutes or so then automagically started working again. They both have open NATs now and appear happy. No idea, I might be able to remove those two rules but until I have a reason to I won't just in case. Big thanks to all.
-
when i was running 360, i never did anything other than enable upnp (and checked the box for MS) and everything worked fine. no custom upnp, no custom NAT/outbound NAT….nothing. meaning, i never opened 80 and 53. personally, i don't think those are needed and i did not have to open those up for the xbone. everything i did in this thread and read in other threads was put back to how it was prior to making the xbone thread and i followed the few steps i posted on the bottom of page 1 which got me openNAT on with the xbone. i know MS states they need to be open, but i feel confident saying that they don't need to be (80 and 53) and that the issue was specifically with NAT rules, not a port forward rule.
if we are both using pfsense and a 360 and let's just assume we have a basic switch in between our 360 and pfsense box, then 80/53 should not be needed if i was able to get it to work w/o opening those ports.
again, i am not saying that will fix your problem, just giving you some more information.
good luck.
-
i know MS states they need to be open, but i feel confident saying that they don't need to be (80 and 53) and that the issue was specifically with NAT rules, not a port forward rule.
I didn't mean to get off into the woods, and I agree with you on this. In the past UPnP being enabled was enough to ensure victory for multiple 360s.
-
no, i don't think you did. it is important to discuss all options as long as we don't get too far off track. i think it is important to discuss what works and what doesn't work/isn't needed.
-
I've done everything described in this thread but I'm only getting my Xbox One to go from "Strict" to "Moderate" and not "Open". This is quite fuzzy as I was successful at getting it "Open" before I just had to replace a hard drive in my pfSense server and ever since I did a re-install I have not been able to get it open again.