Netgate Discussion Forum

HOWTO: XBOX One and Open NAT

    ZPrime
    last edited by Jul 31, 2014, 10:28 PM Jul 31, 2014, 10:24 PM

    The real question is, why does the XBox One require the "static port" NAT option while the 360 doesn't?  My 360s have never had problems with NAT and always reported "open" with only UPnP enabled.

    Unless the 360s actually do have problems, but their NAT test isn't as thorough as the XBone?

    I'm going to turn this on tonight for all of my xboxen (I already use static DHCP mappings on all of my gaming systems anyway).  If this fixes things, 1000 points for you!

    One further thing - the XBox shouldn't need ports below 1025 available in UPnP.  Port 53 and 88 only need to be open for outbound traffic, which most people already allow (if you have a default LAN -> Any rule that will cover it).  The XBox never attempts to receive inbound traffic from other systems on 53 or 88… 53 is actually the port for DNS, and 88 is typically used for Kerberos (an authentication scheme).

    3074 is the default port it will try to listen for inbound connections from other systems, for things like chat, etc.  When you have multiple Xboxen on the same network, each will use a different port via UPnP - that's the entire purpose of UPnP.  ;)  The first system will typically grab 3074, but others will usually open something up in the 20-30k range for themselves.

      aleatorvb
      last edited by Jan 4, 2015, 7:52 PM

      Thank you! What is in the initial instructions worked flawlessly.
      But you only need to shut down xbox and then go to pfsense dashboard (first page after logging in) then click on show states then use the reset states tab. No need to reboot firewall.
      Also I did a network test and it said open then did a multiplayer test with the buttons held down and got that my router does "cone nat".

      I did NOT need to mess with multicast.

      Thank you!

      pfsense: 2.1.5-RELEASE (amd64) built on Mon Aug 25 07:44:45 EDT 2014 FreeBSD 8.3-RELEASE-p16
      on: Intel(R) Atom(TM) CPU D2500 @ 1.86GHz 2 CPUs: 1 package(s) x 2 core(s)

        mddubs
        last edited by Jan 11, 2015, 6:04 PM Jan 11, 2015, 5:12 PM

        I did all of the steps above and was stuck on Moderate.  I had to also forward all of the Xbox Live ports to obtain an Open NAT.

        http://support.xbox.com/en-US/xbox-360/networking/network-ports-used-xbox-live

          cuber351
          last edited by Feb 2, 2015, 3:28 AM

          This worked for me. I was going around some other posts and trying their guides but this worked flawlessly. Thanks a lot.

            plainzwalker
            last edited by Feb 5, 2015, 2:12 PM

            A lot of the NAT issues with the Xbox Ones have been traced back to an update that was pushed around October/December last year and has to do with IPv6. I have had a lot of friends that have had this issue here in Germany and the main manufacturer for ADSL modems/routers here in Europe (Fritz!) had issued a firmware patch that fixed the issue on their routers. Not sure exactly what the issue is, but it is directly related to that patch.

              wewhitt
              last edited by Feb 27, 2015, 9:23 AM

              I followed forum advice on creating a UPnP service and I still had issues. I stumbled upon MDDUBS stating that they had to include the port forwards as well. I did - works like a champ. So I have UPnP service running - an outbound NAT rule - and Port forwards to the XBOX to finally play nice. Thanks for all the input - I would have been totally lost without these posts.

                _ToXIc_
                last edited by Nov 18, 2015, 8:51 PM

                Did my Xbox Live NATs but still was strict.

                Added these steps and bam! "Open"

                Thanks OP!

                  _ToXIc_
                  last edited by Nov 24, 2015, 2:58 PM

                  Follow-up question… on this step:

                  Select Firewall: NAT: Outbound tab: and select “Manual Outbound NAT” and then Save.
                  This will create some default entries. Just ignore them.

                  Add a new mapping and change the following
                  Interface: WAN
                  Source: Change to the IP or Alias of the XBOX ONE and /32
                  Translation: Select “Static Port”
                  Description: Add something for OCD reasons

                  Do I have to use the /32 mask or can I use my /24?

                  The reason I'm asking is that if I use /24 it removes the last part of the IP, in this case .20, and replaces it with .0,
                  but if I use the /32 it will show the entire IP but with the /32 mask. Screenshot of what I currently have.

                  Which should it be, /24 or /32?


                    KOM
                    last edited by Nov 24, 2015, 3:29 PM

                    do i have to use the /32 mask or can i use my /24

                    You might want to do some reading on subnet masks and bit counts.  A single host is a /32, a network of 256 addresses is a /24.  You want /32.

                    https://en.wikipedia.org/wiki/Subnetwork

                    https://en.wikipedia.org/wiki/IPv4_subnetting_reference

                    1 Reply Last reply Reply Quote 0
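Why the GUI turned .20/24 into .0/24, and what that wider source would mean for the Static Port mapping, modelled as an added example (not code from any poster or from pfSense). The addresses 192.168.1.20, 192.168.1.57 and 203.0.113.5, the first-match rule order and the sequential port allocator are assumptions of this model; real pf chooses rewritten ports at random.

```python
import ipaddress
from itertools import count

WAN_IP = "203.0.113.5"  # constructed WAN address (documentation range)

def make_nat(rules):
    """Build translate(src_ip, src_port) from an ordered list of
    (source_cidr, static_port) outbound NAT rules; first match wins."""
    # strict=False masks off host bits, which is why .20/24 becomes .0/24.
    compiled = [(ipaddress.ip_network(src, strict=False), static)
                for src, static in rules]
    rewritten = count(40000)  # stand-in for pf's random source-port choice

    def translate(src_ip, src_port):
        addr = ipaddress.ip_address(src_ip)
        for net, static in compiled:
            if addr in net:
                # Static Port keeps the client's source port on the WAN side.
                wan_port = src_port if static else next(rewritten)
                return str(net), WAN_IP, wan_port
        return None  # no rule matched: the flow leaves untranslated

    return translate

LAN_DEFAULT = ("192.168.1.0/24", False)  # ordinary LAN rule, ports rewritten

def compare(console="192.168.1.20", laptop="192.168.1.57"):
    """Translate the same two flows under a /32 and a /24 console rule."""
    out = {}
    for mask in ("32", "24"):
        nat = make_nat([(f"{console}/{mask}", True), LAN_DEFAULT])
        out[mask] = {"console": nat(console, 3074), "laptop": nat(laptop, 51515)}
    return out

if __name__ == "__main__":
    for mask, flows in compare().items():
        for host, result in flows.items():
            print(f"/{mask} rule, {host}: {result}")
```

With the /32 source only the console keeps port 3074 and the laptop still gets a rewritten source port; with /24 every LAN host matches the Static Port mapping and loses source-port rewriting.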
                      _ToXIc_
                      last edited by Nov 24, 2015, 3:34 PM

                      @KOM:

                      do i have to use the /32 mask or can i use my /24

                      You might want to do some reading on subnet masks and bit counts.  A single host is a /32, a network of 256 addresses is a /24.  You want /32.

                      https://en.wikipedia.org/wiki/Subnetwork

                      https://en.wikipedia.org/wiki/IPv4_subnetting_reference

                      Oh.. never looked up what the /32 was, just thought it was some other mask. Thx man..

                        EvilUnicorn
                        last edited by Jan 8, 2016, 3:26 PM

                        Great! Worked like a charm and changed strict to open in a few clicks, thanks…

                        Does the changing of the Outbound NAT setting from automatic to manual have an impact on other settings?

                          Glo8al
                          last edited by Jan 14, 2016, 11:25 AM

                          I did the above and it worked but also found the below page
                          https://thepracticalsysadmin.com/fix-xbox-strict-nat-on-pfsense/
                          which has screen shots if it helps anyone?

                            cabldevil
                            last edited by Jan 24, 2016, 12:04 AM

                            Worked perfectly! Thank you….

                            I only set the UPnP rules and it didn't work all the time (strict).

                            The NAT/Firewall setting made it all perform as it should.

                            ty

                              Maxamoto
                              last edited by Mar 29, 2016, 4:12 AM

                              Perfect guide, concise and to the point. I went from strict NAT to open in less than 5 minutes. I also had to reboot everything (3 switches, the firewall and a wireless AP) before it would show open, so yes, established sessions need to be killed before it will update. Great job, OP!

                                captainshiner
                                last edited by Apr 26, 2016, 1:58 PM

                                Hey guys. I'm new to the forum, but I just wanted to share my experience getting my multiple XB1s to work with Open NAT. I'm running the latest build (2.3-RELEASE (amd64)), and this guide just wasn't working for me. I wasn't about to give up and go back to a crummy off-the-shelf router/firewall, so I kept pushing forward! Here is what I did to make it work… and it's much simpler than the guide above with this latest release.

                                First, set your Xbox / Game Consoles to a static IP, or static DHCP address. This will make things much easier. After that, just copy my screenshots below, and that is all there is to it.
                                -Enable UPnP service
                                -Select Hybrid Outbound NAT
                                -Create an Outbound NAT rule for each device (DeviceIP/32 - even if you are on a /24). I won't go into explaining subnetting..


                                Even with the NAT rules enabled, the only way I would get Open NAT was by selecting Hybrid Outbound NAT . Any other option would immediately throw it back to Strict.

                                I hope this helps, and takes some of the pain out of deploying pfSense at home for gamers. Everything else has just worked out of the box  8)

                                  arsenic32
                                  last edited by Apr 29, 2016, 8:54 PM

                                  Have you tried joining multiplayer games together with this configuration? I tried setting a static NAT path for both of my Xboxes and it worked to get them to report "Open NAT", but they were unable to join the same online multiplayer game together.

                                  Also, what is the purpose of setting a static NAT for any outbound request for port 500?

                                    sulrich
                                    last edited by Jun 7, 2016, 11:01 AM

                                    I found after much frustration, opening up the xboxes to everything (DMZ) and doing the above (thanks for this btw) - taking the xbox one offline, turning off UPnP, putting it back online, test multiplayer connection - front bumper and triggers, then take offline again, turn on UPnP, then test multiplayer connection, front bumper and triggers… and finally got open NAT.

                                    It's sort of hit and miss with the buggy xbox one code. Have no probs with two xbox 360s on the same network running at same time, playing halo reach.

                                      mhab12
                                      last edited by Jun 13, 2016, 3:57 PM

                                      Original guide worked for me.  Just left the XBox One powered down completely for a period of time which must have been long enough to let the states reset.  Powered up and my nat showed as open.  Thanks!

                                        jgkpffrm
                                        last edited by Jan 24, 2017, 12:05 AM

                                        Nice writeup, but I have a few questions to the community on tightening this down.

                                        I noticed after implementing the ACLs to allow that a few other devices with UPnP enabled showed up. Once I checked the box to Default Deny, only the XBOX One showed up. Some devices you cannot turn UPnP off and so I would prefer to not allow them to register.  Does this behavior I see mean that without that box checked, the ACLs aren't really denying other addresses?

                                        ACL Entries
                                        allow 88 192.168.1.18/32 88
                                        allow 3074 192.168.1.18/32 3074
                                        allow 53 192.168.1.18/32 53
                                        allow 80 192.168.1.18/32 80
                                        allow 500 192.168.1.18/32 500
                                        allow 3544 192.168.1.18/32 3544
                                        allow 4500 192.168.1.18/32 4500

                                        Until my son comes home from school though, all I can tell is the Xbox Status now says Open.  What I am not sure of is:

                                        1. I read elsewhere that only 3074 is needed. The rest are outbound ports. Anyone confirm?
                                        2. Should the allow be 1024-65535 ip/32 3074 ?  I would think the remote client's source port would vary but the incoming port be the same.

                                        thanks,

                                          mhab12
                                          last edited by Jan 24, 2017, 12:19 AM

                                          I think your/our understanding of the default deny box is correct.

                                          I have mine set up as follows using just one rule and a range of ports as different games (FIFA 16 & 17) were having different issues.  My friends and I don't call it an XBox as it really only serves one purpose… we call it the FIFA machine.

                                          Perhaps your method would be more secure, but this worked for me.

                                          default deny

                                          ACL Rules: allow 53-30009 192.168.1.9/32 53-30009

                                          1 Reply Last reply Reply Quote 0
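How the UPnP ACL entries in the two posts above behave with and without Default Deny, as an added example (not code from either poster, pfSense or miniupnpd). It assumes entries are checked in order with the first match deciding, and that an unchecked Default Deny box means a request matching no entry is accepted, which is what jgkpffrm observed; 192.168.1.50 is a constructed address for some other LAN device.

```python
import ipaddress

def _ports(spec):
    """'3074' or '53-30009' -> inclusive range of ports."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec {spec!r}")
    return range(lo, hi + 1)

def parse_acl(lines):
    """Parse 'allow|deny <ext ports> <ip/cidr> <int ports>' entries, keeping order."""
    rules = []
    for line in lines:
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action in {line!r}")
        rules.append((action == "allow", _ports(ext),
                      ipaddress.ip_network(net, strict=False), _ports(internal)))
    return rules

def decide(rules, client_ip, ext_port, int_port, default_deny):
    """First matching entry wins; with no match the default applies."""
    addr = ipaddress.ip_address(client_ip)
    for allow, ext, net, internal in rules:
        if ext_port in ext and addr in net and int_port in internal:
            return allow
    return not default_deny  # assumption: box unchecked = accept when nothing matched

def mappable_ports(rules, client_ip):
    """Count external ports a client may map (same internal port) under default deny."""
    return sum(decide(rules, client_ip, p, p, True) for p in range(65536))

# ACL entries copied from the two posts above.
NARROW = parse_acl([
    "allow 88 192.168.1.18/32 88", "allow 3074 192.168.1.18/32 3074",
    "allow 53 192.168.1.18/32 53", "allow 80 192.168.1.18/32 80",
    "allow 500 192.168.1.18/32 500", "allow 3544 192.168.1.18/32 3544",
    "allow 4500 192.168.1.18/32 4500",
])
WIDE = parse_acl(["allow 53-30009 192.168.1.9/32 53-30009"])

if __name__ == "__main__":
    other = "192.168.1.50"  # constructed: some other UPnP-capable LAN device
    print("other device, box unchecked:", decide(NARROW, other, 3074, 3074, False))
    print("other device, default deny: ", decide(NARROW, other, 3074, 3074, True))
    print("console, port 25000, narrow:", decide(NARROW, "192.168.1.18", 25000, 25000, True))
    print("ports mappable, narrow/wide:", mappable_ports(NARROW, "192.168.1.18"),
          mappable_ports(WIDE, "192.168.1.9"))
```

The narrow list also refuses the console itself a mapping in the 20-30k range mentioned earlier in the thread, while the single wide rule lets that one host request any of 29957 external ports.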