Netgate Discussion Forum

HOWTO: XBOX One and Open NAT

41 Posts 32 Posters 79.7k Views
    iculookn
    last edited by Feb 23, 2014, 8:14 AM

    I have been trying to fix my new XBOX ONE having a "Strict" NAT. I have tried to follow all the posts here and on other sites, but none of them are very clear and detailed enough for beginners to pfsense, so here is a guide that I used to get an "open" NAT with an XBOX ONE. I do have an XBOX 360, that was working fine without all these changes needed, and I have not had a chance to see what effect these changes have had on the NAT status of that box. (might try and update this guide at a later time)

    First, I suggest you first run the detailed XBOX diagnostics to see what type of NAT you have. This guide is quite good in explaining the NAT issue from MS
    https://support.xbox.com/en-AU/xbox-one/networking/nat-error-solution

    From the Network settings screen, select Test multiplayer connection.
    After the test is complete, you will need to pull and hold both triggers and both bumpers on your controller. This will display a "Detailed network statistics" screen.

    My setting was "Your network is behind a port-symmetric NAT"

    A few notes:
    Make sure your XBOX is OFF completely. Not in sleep mode.
    Reboot pfsense after you make any changes.
    Reboot any additional network hardware after any changes. (for some reason, after these changes, I could not connect to my wireless network, until I rebooted all the switches and WAP's - I have 2 x 24 port Cisco switches and 7 x Cisco WAP's and a 8 port switch with VLAN's after the pfsense box connecting directly into a fiber internet connection. I had to reboot everything before it would all work)

    Steps:

    I created a DHCP Static Mapping for the XBOX ONE.
    Go to Services: DHCP Server: and right down the bottom, you will see the DHCP Static Mappings. You will need to know the MAC Address of your XBOX ONE

    Create an Alias for the XBOX ONE (Only if you are OCD and need everything cleanly documented)

    Select Firewall: NAT: Outbound tab: and select “Manual Outbound NAT” and then Save.
    This will create some default entries. Just ignore them.

    Add a new mapping and change the following
    Interface: WAN
    Source: Change to the IP or Alias of the XBOX ONE and /32
    Translation: Select “Static Port”
    Description: Add something for OCD reasons

    I did not change any other settings on this page, so suggest you see my screencap just in case yours is different.

    Once this is created, it will be at the bottom of those automatically added Mappings. You now need to move it to the top of the mapping list. Select the rule and then click the “rewind” button on the right of the top most mapping. (I question if this is really needed, but I did it and it works)

    Go to Services: UPnP & NAT-PMP and check the following:
    Enable UPnP & NAT-PMP
    Allow UPnP Port Mapping
    External interface: WAN
    Interfaces: LAN
    User specified permissions 1: allow 88-65535 192.168.1.45/32 88-65535 (you need to change this to your XBOX ONE IP Address)

    Reboot everything and you should have OPEN NAT.

    Good luck

    And just as a FYI - Here is a good site discussing the different types of NAT.
    "Types Of NAT Explained (Port Restricted NAT, etc)"
    http://think-like-a-computer.com/2011/09/16/types-of-nat/

    Attachments: DHCP.png, Outbound Edit.png, outbound.png, UPnP.png

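Added example (not part of the original post, and not pf's code): a toy model of why the console's test reports a port-symmetric NAT under a default outbound rule and what the "Static Port" translation changes. The WAN and probe-server addresses and the 1024-65535 port range are assumptions; 192.168.1.45 and port 3074 are taken from the thread.

```python
import random


class OutboundNat:
    """Toy model of one outbound NAT rule on WAN (constructed; not pf's code)."""

    def __init__(self, wan_ip, static_port, seed=2014):
        self.wan_ip = wan_ip
        self.static_port = static_port
        self._rng = random.Random(seed)  # seeded so the demo is repeatable
        self._states = {}                # (src, sport, dst, dport) -> external port
        self._in_use = set()

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        """Return the (WAN IP, port) the remote side sees for this flow."""
        key = (src_ip, src_port, dst_ip, dst_port)
        if key not in self._states:
            if self.static_port:
                ext = src_port           # "Static Port": source port is kept
            else:
                # Assumed default: every new state gets its own rewritten port.
                ext = self._rng.randint(1024, 65535)
                while ext in self._in_use:
                    ext = self._rng.randint(1024, 65535)
            self._in_use.add(ext)
            self._states[key] = ext
        return (self.wan_ip, self._states[key])


def classify(nat, src_ip, src_port, probes):
    """Send from one local socket to several servers and compare what they see."""
    seen = {nat.translate(src_ip, src_port, ip, port) for ip, port in probes}
    return "cone" if len(seen) == 1 else "port-symmetric"


# Constructed sample values: the console address is the one used in the thread,
# the WAN and probe-server addresses come from documentation ranges.
XBOX = ("192.168.1.45", 3074)
PROBES = [("198.51.100.7", 3074), ("198.51.100.8", 3074), ("203.0.113.9", 3544)]


def demo():
    default_rule = OutboundNat("192.0.2.10", static_port=False)
    static_rule = OutboundNat("192.0.2.10", static_port=True)
    return (classify(default_rule, *XBOX, PROBES),
            classify(static_rule, *XBOX, PROBES))


if __name__ == "__main__":
    print(demo())
```

Because a static-port rule no longer rewrites the source port, keeping its source at a /32 limits the change to the one console.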
      iculookn
      last edited by Apr 9, 2014, 1:29 PM

      UPDATE

      After finding some new documentation and with the release of Titanfall, I have adjusted the upnp "User specified permissions 1" to lower the port range down from 88 to 53.

      allow 53-65535 192.168.1.45/32 88-65535 (you need to change this to your XBOX ONE IP Address)

      I changed this based on the following links
      https://support.xbox.com/en-US/xbox-one/networking/network-ports-used-xbox-live
      http://help.ea.com/en/article/online-ports-to-open-for-titanfall/

      Which state:

      Xbox Live requires the following ports to be open:

      Port 88 (UDP)
      Port 3074 (UDP and TCP)
      Port 53 (UDP and TCP)
      Port 80 (TCP)
      Port 500 (UDP)
      UDP Port 3544 (UDP)
      UDP Port 4500 (UDP)

      and for Titanfall

      All Players
      TCP/HTTP: 443; 25000-25099; 30000 – 30099
      UDP: 8125; 25000-25099; 30000 – 30099

      Xbox 360 & Xbox One players
      UDP: 53; 88; 3074
      TCP: 53; 80; 3074
      Xbox 360 Players only:
      UDP: 3000-3999; 27015-27045; 443
      TCP: 3000-3999; 27015-27045; 443

      Based on this, you could actually change the range to 53-30099, to limit the number of ports open.

      After making the change, I still have open nat, but not sure if anything has changed.

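Added example (not part of the original post): a small checker for the "User specified permissions" line, to see what a given entry lets a LAN host map. It assumes the entry format `allow|deny <external ports> <client network> <internal ports>`, that the first matching entry wins, and a default of deny when nothing matches; confirm those assumptions against your UPnP daemon's documentation. The `TIGHT` entry is a constructed comparison, not one from the thread.

```python
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    action: str
    ext: range                      # external (WAN-side) ports
    net: ipaddress.IPv4Network      # LAN clients the entry applies to
    internal: range                 # ports on the client


def parse_ports(spec):
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return range(lo, hi + 1)


def parse_rule(line):
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    # strict=False normalises 192.168.1.45/24 to 192.168.1.0/24
    network = ipaddress.ip_network(net, strict=False)
    return Rule(action, parse_ports(ext), network, parse_ports(internal))


def decide(lines, client_ip, ext_port, int_port, default="deny"):
    """Assumed semantics: first matching entry wins, else `default`."""
    ip = ipaddress.ip_address(client_ip)
    for rule in map(parse_rule, lines):
        if ip in rule.net and ext_port in rule.ext and int_port in rule.internal:
            return rule.action
    return default


def audit(line):
    """How much one entry opens up: client count, port count, ports below 1024."""
    r = parse_rule(line)
    return {
        "hosts": r.net.num_addresses,
        "external_ports": len(r.ext),
        "privileged_external": len(range(r.ext.start, min(r.ext.stop, 1024))),
    }


ORIGINAL = "allow 88-65535 192.168.1.45/32 88-65535"      # from the first post
UPDATED = "allow 53-65535 192.168.1.45/32 88-65535"       # from the update
TIGHT = "allow 1024-65535 192.168.1.45/32 1024-65535"     # constructed comparison

if __name__ == "__main__":
    for entry in (ORIGINAL, UPDATED, TIGHT):
        print(entry, audit(entry))
    print(decide([UPDATED], "192.168.1.45", 53, 53))
```

With the updated entry, a request to map external port 53 to internal port 53 is still refused under these assumptions, because the internal range starts at 88.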
        Trinni100
        last edited by Jun 5, 2014, 2:50 AM

        Hey there

        Thanks for this information by the way.  I did it and I get my NAT to moderate.  So now I need some help to get to open.

        1. How important is the first step? (DHCP Lease assigning for the XBOX ONE)

        The reason I ask is because I have the DHCP server turned off, I have a DHCP server running on a separate server running Server 2012.  Also the Xbox one has a static IP address assigned to it.

        2. Do I need to do any other steps prior to this as far as rules?

        By the way I am running 2 WAN and 1 LAN. But everything is essentially running off WAN 1 for now need to learn more about failover and traffic shaper.

        3. Also if you are a long time user can I pick your brain on the best way for me to set up my pfsense to get the best use?

          iculookn
          last edited by Jun 5, 2014, 3:33 AM

          Hi

          No, it's not important as you are already using a static IP (That step is just forcing DHCP to assign a static to the XBOX)

          The only thing I can suggest is to just recheck all the settings, reboot everything. Make sure the IP address in the NAT rule matches your static IP of the XBOX.

          I am definitely not long time or experienced in PFSense, so can't really help. But maybe as you have 2 WAN, the XBOX is getting confused. (assume both are live?) can you remove one of the WAN's and test?

          @Trinni100:

          Hey there

          Thanks for this information by the way.  I did it and I get my NAT to moderate.  So now I need some help to get to open.

          1. How important is the first step? (DHCP Lease assigning for the XBOX ONE)

          The reason I ask is because I have the DHCP server turned off, I have a DHCP server running on a separate server running Server 2012.  Also the Xbox one has a static IP address assigned to it.

          2. Do I need to do any other steps prior to this as far as rules?

          By the way I am running 2 WAN and 1 LAN. But everything is essentially running off WAN 1 for now need to learn more about failover and traffic shaper.

          3. Also if you are a long time user can I pick your brain on the best way for me to set up my pfsense to get the best use?

            Trinni100
            last edited by Jun 5, 2014, 4:36 AM

            No luck still at moderate.  I think I may need to rebuild all the rules and interfaces in my pfsense that may be the problem.

            Question:  I just realized that my pfsense box is on a /16 subnet (10.0.0.1) and everything else behind (my network) is on a /24 subnet (10.0.10.x) could this be causing the problem?  But everything seems to be working fine with the exception of the nat for the Xbox.

              Trinni100
              last edited by Jun 7, 2014, 3:18 PM

              Hey just wanted to say thanks I got it working using your method.  I also believe it's a problem with the load balancing and fail over setting that was causing an issue.  I reset my pfsense then only used one internet provider and set it up the way you said and it came on.  I also did not realize how much slower my internet was before, man now it loads stuff instantly…..

              Thanks

                ZPrime
                last edited by Jul 31, 2014, 10:28 PM Jul 31, 2014, 10:24 PM

                The real question is, why does the XBox One require the "static port" NAT option while the 360 doesn't?  My 360s have never had problems with NAT and always reported "open" with only UPnP enabled.

                Unless the 360s actually do have problems, but their NAT test isn't as thorough as the XBone?

                I'm going to turn this on tonight for all of my xboxen (I already use static DHCP mappings on all of my gaming systems anyway).  If this fixes things, 1000 points for you!

                One further thing - the XBox shouldn't need ports below 1025 available in UPnP.  Port 53 and 88 only need to be open for outbound traffic, which most people already allow (if you have a default LAN -> Any rule that will cover it).  The XBox never attempts to receive inbound traffic from other systems on 53 or 88… 53 is actually the port for DNS, and 88 is typically used for Kerberos (an authentication scheme).

                3074 is the default port it will try to listen for inbound connections from other systems, for things like chat, etc.  When you have multiple Xboxen on the same network, each will use a different port via UPnP - that's the entire purpose of UPnP.  ;)  The first system will typically grab 3074, but others will usually open something up in the 20-30k range for themselves.

                  aleatorvb
                  last edited by Jan 4, 2015, 7:52 PM

                  Thank you! What is in the initial instructions worked flawlessly.
                  But you only need to shut down xbox and then go to pfsense dashboard (first page after logging in) then click on show states then use the reset states tab. No need to reboot firewall.
                  Also i did a network test and it said open then did a multiplayer test with the buttons held down and got that my router does "cone nat".

                  I did NOT need to mess with multicast.

                  Thank you!

                  pfsense: 2.1.5-RELEASE (amd64) built on Mon Aug 25 07:44:45 EDT 2014 FreeBSD 8.3-RELEASE-p16
                  on: Intel(R) Atom(TM) CPU D2500 @ 1.86GHz 2 CPUs: 1 package(s) x 2 core(s)

                    mddubs
                    last edited by Jan 11, 2015, 6:04 PM Jan 11, 2015, 5:12 PM

                    I did all of the steps above and was stuck on Moderate.  I had to also forward all of the Xbox Live ports to obtain an Open NAT.

                    http://support.xbox.com/en-US/xbox-360/networking/network-ports-used-xbox-live

                      cuber351
                      last edited by Feb 2, 2015, 3:28 AM

                      This worked for me. I was going around some other posts and trying their guides but this worked flawlessly. Thanks a lot.

                        plainzwalker
                        last edited by Feb 5, 2015, 2:12 PM

                        A lot of the NAT issues with the Xbox Ones have been traced back to an update that was pushed around October/December last year and has to do with IPV6. I have had a lot of friends that have had this issue here in Germany and the main manufacturer for ADSL modems/routers here in Europe (Fritz!) had issued a firmware patch that fixed the issue on their routers. Not sure exactly what the issue is, but it is directly related to that patch.

                          wewhitt
                          last edited by Feb 27, 2015, 9:23 AM

                          I followed forum advice on creating a UPnP service and I still had issues. I stumbled upon MDDUBS stating that they had to include the port forwards as well. I did - works like a champ. So I have UPnP service running - an outbound NAT rule - and Port forwards to the XBOX to finally play nice. Thanks for all the input - I would have been totally lost without these posts.

                            _ToXIc_
                            last edited by Nov 18, 2015, 8:51 PM

                            did my xbox live nats but still was strict.

                            added these steps and bam! "open"

                            thanks OP!

                              _ToXIc_
                              last edited by Nov 24, 2015, 2:58 PM

                              follow up question… on this step

                              Select Firewall: NAT: Outbound tab: and select “Manual Outbound NAT” and the Save.
                              This will create some default entries. Just ignore them.

                              Add a new mapping and change the following
                              Interface: WAN
                              Source: Change to the IP or Alias of the XBOX ONE and /32
                              Translation: Select “Static Port”
                              Description: Add something for OCD reasons

                              do i have to use the /32 mask or can i use my /24

                              the reason i'm asking is that if i use /24 it removes the last part of the IP in this case .20 and replaces it with .0
                              but if i use the /32 it will show the entire IP but with the /32 mask screen shot of what i currently have.

                              which should it be /24 or /32

                              Attachment: Capture.JPG

                                KOM
                                last edited by Nov 24, 2015, 3:29 PM

                                do i have to use the /32 mask or can i use my /24

                                You might want to do some reading on subnet masks and bit counts.  A single host is a /32, a network of 256 addresses is a /24.  You want /32.

                                https://en.wikipedia.org/wiki/Subnetwork

                                https://en.wikipedia.org/wiki/IPv4_subnetting_reference

                                  _ToXIc_
                                  last edited by Nov 24, 2015, 3:34 PM

                                  @KOM:

                                  do i have to use the /32 mask or can i use my /24

                                  You might want to do some reading on subnet masks and bit counts.  A single host is a /32, a network of 256 addresses is a /24.  You want /32.

                                  https://en.wikipedia.org/wiki/Subnetwork

                                  https://en.wikipedia.org/wiki/IPv4_subnetting_reference

                                  oh.. never looked up what the /32 was just thought it was some other  mask. thx man..

                                    EvilUnicorn
                                    last edited by Jan 8, 2016, 3:26 PM

                                    Great! Worked like a charm and changed strict to open in a few clicks, thanks…

                                    Does the changing of the Outbound NAT setting from automatic to manual have an impact on other settings?

                                      Glo8al
                                      last edited by Jan 14, 2016, 11:25 AM

                                      I did the above and it worked but also found the below page
                                      https://thepracticalsysadmin.com/fix-xbox-strict-nat-on-pfsense/
                                      which has screen shots if it helps anyone?

                                        cabldevil
                                        last edited by Jan 24, 2016, 12:04 AM

                                        Worked perfectly! Thank you….

                                        I only set the UPNP rules and it didn't work all the time (strict).

                                        The NAT/ Firewall setting made it all perform as it should.

                                        ty

                                          Maxamoto
                                          last edited by Mar 29, 2016, 4:12 AM

                                          Perfect guide, concise and to the point. I went from strict NAT to open in less than 5 minutes. I also had to reboot everything (3 switches, the firewall and a wireless AP) before it would show open, so yes, established sessions need to be killed before it will update. Great job, OP!
