Netgate Discussion Forum

HOWTO: XBOX One and Open NAT

Gaming
  • K
    KOM
    last edited by Nov 24, 2015, 3:29 PM

    do i have to use the /32 mask or can i use my /24

    You might want to do some reading on subnet masks and bit counts.  A single host is a /32, a network of 256 addresses is a /24.  You want /32.

    https://en.wikipedia.org/wiki/Subnetwork

    https://en.wikipedia.org/wiki/IPv4_subnetting_reference

    • _
      _ToXIc_
      last edited by Nov 24, 2015, 3:34 PM

      @KOM:

      do i have to use the /32 mask or can i use my /24

      You might want to do some reading on subnet masks and bit counts.  A single host is a /32, a network of 256 addresses is a /24.  You want /32.

      https://en.wikipedia.org/wiki/Subnetwork

      https://en.wikipedia.org/wiki/IPv4_subnetting_reference

      oh.. never looked up what the /32 was, just thought it was some other mask. thx man..

      • E
        EvilUnicorn
        last edited by Jan 8, 2016, 3:26 PM

        Great! Worked like a charm and changed strict to open in a few clicks, thanks…

        Does the changing of the Outbound NAT setting from automatic to manual have an impact on other settings?

        • G
          Glo8al
          last edited by Jan 14, 2016, 11:25 AM

          I did the above and it worked but also found the below page
          https://thepracticalsysadmin.com/fix-xbox-strict-nat-on-pfsense/
          which has screen shots if it helps anyone?

          • C
            cabldevil
            last edited by Jan 24, 2016, 12:04 AM

            Worked perfectly! Thank you….

            I only set the UPnP rules and it didn't work all the time (strict).

            The NAT/Firewall setting made it all perform as it should.

            ty

            • M
              Maxamoto
              last edited by Mar 29, 2016, 4:12 AM

              Perfect guide, concise and to the point. I went from strict NAT to open in less than 5 minutes. I also had to reboot everything (3 switches, the firewall and a wireless AP) before it would show open, so yes, established sessions need to be killed before it will update. Great job, OP!

              • C
                captainshiner
                last edited by Apr 26, 2016, 1:58 PM

                Hey guys. I'm new to the forum, but I just wanted to share my experience getting my multiple XB1s to work with Open NAT. I'm running the latest build (2.3-RELEASE (amd64)), and this guide just wasn't working for me. I wasn't about to give up and go back to a crummy off the shelf router/firewall, so I kept pushing forward! Here is what I did to make it work… and it's much simpler than the guide above with this latest release.

                First, set your Xbox / Game Consoles to a static IP, or static DHCP address. This will make things much easier. After that, just copy my screenshots below, and that is all there is to it.
                - Enable UPnP service
                - Select Hybrid Outbound NAT
                - Create an Outbound NAT rule for each device (DeviceIP/32 - even if you are on a /24). I won't go into explaining subnetting..


                Even with the NAT rules enabled, the only way I would get Open NAT was by selecting Hybrid Outbound NAT . Any other option would immediately throw it back to Strict.

                I hope this helps, and takes some of the pain out of deploying pfSense at home for gamers. Everything else has just worked out of the box  8)

                • A
                  arsenic32
                  last edited by Apr 29, 2016, 8:54 PM

                  Have you tried joining multiplayer games together with this configuration? I tried setting a static nat path for both of my xbox and it worked to get them to report "Open Nat", but they were unable to join the same online multiple game together.

                  Also, what is the purpose of setting a static NAT for any outbound request for port 500?

                  • S
                    sulrich
                    last edited by Jun 7, 2016, 11:01 AM

                    I found after much frustration, opening up the xboxes to everything (DMZ) and doing the above (thanks for this btw) - taking the xbox one offline, turning off UPnP, putting it back online, test multiplayer connection - front bumper and triggers, then take offline again, turn on UPnP, then test multiplayer connection, front bumper and triggers….and finally got open NAT.

                    It's sort of hit and miss with the buggy xbox one code.  Have no probs with two xbox 360s on the same network running at same time, playing halo reach.

                    • M
                      mhab12
                      last edited by Jun 13, 2016, 3:57 PM

                      Original guide worked for me.  Just left the XBox One powered down completely for a period of time which must have been long enough to let the states reset.  Powered up and my nat showed as open.  Thanks!

                      • J
                        jgkpffrm
                        last edited by Jan 24, 2017, 12:05 AM

                        Nice writeup, but I have a few questions to the community on tightening this down.

                        I noticed after implementing the ACLs to allow that a few other devices with UPnP enabled showed up. Once I checked the box to Default Deny, only the XBOX One showed up. Some devices you cannot turn UPnP off and so I would prefer to not allow them to register.  Does this behavior I see mean that without that box checked, the ACLs aren't really denying other addresses?

                        ACL Entries
                        allow 88 192.168.1.18/32 88
                        allow 3074 192.168.1.18/32 3074
                        allow 53 192.168.1.18/32 53
                        allow 80 192.168.1.18/32 80
                        allow 500 192.168.1.18/32 500
                        allow 3544 192.168.1.18/32 3544
                        allow 4500 192.168.1.18/32 4500

                        Until my son comes home from school though, all I can tell is the Xbox Status now says Open.  What I am not sure of is:

                        1. I read elsewhere that only 3074 is needed. The rest are outbound ports. Anyone confirm?
                        2. Should the allow be 1024-65535 ip/32 3074 ?  I would think the remote client's source port would vary but the incoming port be the same.

                        thanks,

                        • M
                          mhab12
                          last edited by Jan 24, 2017, 12:19 AM

                          I think your/our understanding of the default deny box is correct.

                          I have mine setup as follows using just one rule and a range of ports as different games (FIFA 16 & 17) were having different issues.  My friends and I don't call it an XBox as it really only serves one purpose…we call it the FIFA machine.

                          Perhaps your method would be more secure, but this worked for me.

                          default deny

                          ACL Rules: allow 53-30009 192.168.1.9/32 53-30009

                          • D
                            Double K
                            last edited by Jan 24, 2017, 12:02 PM

                            I'm assuming the ACL entries that you are referring to are the uPnP entries.  I'm also assuming you only have 1 xbox one, and no other gaming consoles or PCs that need uPnP…because these instructions are only for a 1 xbox home.

                            Here's what you want;

                            default deny

                            ACL Rules:
                            allow 1024-65535 192.168.1.18/32 1024-65535

                            The result / what you'll see in /var/etc/miniupnpd.conf is;
                            allow 1024-65535 192.168.1.18/32 1024-65535
                            deny 0-65535 0.0.0.0/0 0-65535

                            So here's what this does;
                            allow 1024-65535 192.168.1.18/32 1024-65535 - This allows this one client, the xbox one, to acquire any port it wants in the range 1024-65535 internally AND 1024-65535 externally for Teredo traffic (and in your Outbound NAT rules, you force these to match).  This is important because the xbox one first tries to get 3074 for Teredo traffic, and if it can't (which sometimes happens with miniupnpd not clearing old sessions properly), it will try to get a port in the dynamic range (49152-65535).  (Source: https://www.microsoft.com/en-us/download/details.aspx?id=40339).  The reason why you allow more than just the dynamic range is for apps on xbox one that also use uPnP (like Skype).

                            1 Reply Last reply Reply Quote 0
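
Added example, not part of any post in this thread: a small Python model of how the UPnP permission lines quoted above are evaluated, first match wins. It assumes, as the Default Deny discussion in the thread implies, that a request matching no line is accepted unless a final deny line is present; the second client address 192.168.1.50 is constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str                      # "allow" or "deny"
    ext: range                       # external port range
    net: ipaddress.IPv4Network       # client address/mask
    inner: range                     # internal port range

def _ports(spec: str) -> range:
    """Parse '3074' or '1024-65535' into an inclusive range."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec!r}")
    return range(lo, hi + 1)

def parse_acl(text: str) -> list[Rule]:
    """Parse 'allow|deny EXT_PORTS IP/MASK INT_PORTS' lines, one rule per line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, ext, net, inner = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action: {action!r}")
        # strict=False: 192.168.1.18/24 is read as the whole 192.168.1.0/24
        rules.append(Rule(action, _ports(ext),
                          ipaddress.ip_network(net, strict=False), _ports(inner)))
    return rules

def permitted(rules, client_ip: str, ext_port: int, int_port: int) -> bool:
    """First matching rule decides; no match falls through to accept (assumed)."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if ext_port in r.ext and ip in r.net and int_port in r.inner:
            return r.action == "allow"
    return True

ALLOW_ONLY = "allow 1024-65535 192.168.1.18/32 1024-65535"
DEFAULT_DENY = ALLOW_ONLY + "\ndeny 0-65535 0.0.0.0/0 0-65535"
WIDE_MASK = DEFAULT_DENY.replace("/32", "/24")

if __name__ == "__main__":
    xbox, other = "192.168.1.18", "192.168.1.50"   # 'other' is a constructed address
    for name, acl in [("allow only", ALLOW_ONLY), ("default deny", DEFAULT_DENY),
                      ("/24 mask", WIDE_MASK)]:
        rules = parse_acl(acl)
        print(f"{name:13} xbox:3074={permitted(rules, xbox, 3074, 3074)} "
              f"other:8080={permitted(rules, other, 8080, 8080)} "
              f"xbox:80={permitted(rules, xbox, 80, 80)}")
```

With only the allow line the constructed second client is still accepted, and with a /24 mask it is accepted even when the final deny line is present; the /32 mask together with the deny line is what limits mappings to the Xbox.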
                            • R
                              Riftcore
                              last edited by Feb 6, 2017, 11:57 AM

                              Without pfsense my Xbox one gets 200mb download, with pfsense I get 20mb. I've done everything in post one and I still get this shitty downloading speed. Any ideas why?

                              • Z
                                ZachGold
                                last edited by Mar 27, 2017, 1:46 PM

                                @iculookn:

                                I have been trying to fix my new XBOX ONE having a "Strict" NAT. I have tried to follow all the posts here and on other sites, but none of them are very clear and detailed enough for beginners to pfsense, so here is a guide that I used to get an "open" NAT with a XBOX ONE. I do have a XBOX 360, that was working fine without all these changes needed, and I have not had a chance to see what effect these changes have had on the NAT status of that box. (might try and update this guide at a later time)

                                First, I suggest you first run the detailed XBOX diagnostics to see what type of NAT you have. This guide is quite good in explaining the NAT issue from MS
                                https://support.xbox.com/en-AU/xbox-one/networking/nat-error-solution

                                From the Network settings screen, select Test multiplayer connection.
                                After the test is complete, you will need to pull and hold both triggers and both bumpers on your controller. This will display a "Detailed network statistics" screen.

                                My setting was "Your network is behind a port-symmetric NAT"

                                A few notes:
                                Make sure your XBOX is OFF completely. Not in sleep mode.
                                Reboot pfsense after you make any changes.
                                Reboot any additional network hardware after any changes. (for some reason, after these changes, I could not connect to my wireless network, until I rebooted all the switches and WAP's - I have 2 x 24 port Cisco switches and 7 x Cisco WAP's and a 8 port switch with VLAN's after the pfsense box connecting directly into a fiber internet connection. I had to reboot everything before it would all work)

                                Steps:

                                I created a DHCP Static Mapping for the XBOX ONE.
                                Go to Services: DHCP Server: and right down the bottom, you will see the DHCP Static Mappings. You will need to know the MAC Address of your XBOX ONE

                                Create an Alias for the XBOX ONE (Only if you are OCD and need everything cleanly documented)

                                Select Firewall: NAT: Outbound tab: and select “Manual Outbound NAT” and then Save.
                                This will create some default entries. Just ignore them.

                                Add a new mapping and change the following
                                Interface: WAN
                                Source: Change to the IP or Alias of the XBOX ONE and /32
                                Translation: Select “Static Port”
                                Description: Add something for OCD reasons

                                I did not change any other settings on this page, so suggest you see my screencap just in case yours is different.

                                Once this is created, it will be at the bottom of those automatically added Mappings. You now need to move it to the top of the mapping list. Select the rule and then click the “rewind” button on the right of the top most mapping. (I question if this is really needed, but I did it and it works)

                                Go to Services: UPnP & NAT-PMP and check the following:
                                Enable UPnP & NAT-PMP
                                Allow UPnP Port Mapping
                                External interface: WAN
                                Interfaces: LAN
                                User specified permissions 1: allow 88-65535 192.168.1.45/32 88-65535 (you need to change this to your XBOX ONE IP Address)

                                Reboot everything and you should have OPEN NAT.

                                Good luck

                                And just as a FYI - Here is a good site discussing the different types of NAT.
                                "Types Of NAT Explained (Port Restricted NAT, etc)"
                                http://think-like-a-computer.com/2011/09/16/types-of-nat/

                                Thanks. been looking for this thing for almost a year now. Always a bit laggy in games lacking dedicated servers. Bookmarking it… gonna give it a try this Sat.

                                1 Reply Last reply Reply Quote 0
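
Added example, not part of any post in this thread: a simplified Python model of the outbound NAT behaviour the guide changes, showing why randomised source ports are reported as port-symmetric and what Static Port alters. The class, the peer addresses, the second console address and the port allocation policy are constructed for illustration and are not pfSense code.

```python
import random

class OutboundNat:
    """Toy source-NAT table: one mapping per (internal socket, remote peer)."""

    def __init__(self, static_port_sources=(), seed=1):
        self.static = set(static_port_sources)  # internal IPs with Static Port set
        self.rng = random.Random(seed)
        self.states = {}          # (src_ip, src_port, peer) -> external port
        self.taken = set()        # (external port, peer) pairs already in use
        self.random_used = set()  # randomised ports already handed out

    def translate(self, src_ip, src_port, peer):
        key = (src_ip, src_port, peer)
        if key in self.states:
            return self.states[key]
        if src_ip in self.static:
            ext = src_port                       # source port is preserved
            if (ext, peer) in self.taken:
                raise RuntimeError(f"port {ext} towards {peer} is already in use")
        else:
            ext = self.rng.randint(1024, 65535)  # rewritten for each new state
            while ext in self.random_used or (ext, peer) in self.taken:
                ext = self.rng.randint(1024, 65535)
            self.random_used.add(ext)
        self.states[key] = ext
        self.taken.add((ext, peer))
        return ext

def classify(nat, src_ip, src_port, peers):
    """Same external port towards every peer, or a different one per peer?"""
    ports = {nat.translate(src_ip, src_port, p) for p in peers}
    return "endpoint-independent" if len(ports) == 1 else "port-symmetric"

XBOX = "192.168.1.45"                                      # address used in the guide
PEERS = [("198.51.100.10", 3074), ("203.0.113.20", 3074)]  # constructed peers

def second_console_collides():
    """Two Static Port hosts using source port 3074 towards the same peer."""
    second = "192.168.1.46"                                # constructed address
    nat = OutboundNat(static_port_sources={XBOX, second})
    nat.translate(XBOX, 3074, PEERS[0])
    try:
        nat.translate(second, 3074, PEERS[0])
    except RuntimeError:
        return True
    return False

if __name__ == "__main__":
    print(classify(OutboundNat(), XBOX, 3074, PEERS))        # randomised ports
    print(classify(OutboundNat({XBOX}), XBOX, 3074, PEERS))  # Static Port for the Xbox
    print(second_console_collides())
```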
                                • N
                                  Napsterbater
                                  last edited by Apr 10, 2017, 7:34 PM Apr 10, 2017, 7:29 PM

                                  XboxOne itself only uses 1 port for inbound comms, UDP 3074, and it is for the IPv6 Teredo tunnel; if 3074 is not available it will pick another random port.

                                  So if you have 1 XboxOne you just need:

                                  allow 3074 <xboxip>/32 3074

                                  Or if you have more than one,

                                  allow 1-65535 <xboxip>/32 1-65535    for each Xbox IP.

                                  Also in the Outbound NAT you should enable "Static Port" for the range the Xbox will be in, or make a rule to match the Xbox IPs to have them enabled.

                                  • C
                                    comet424
                                    last edited by Feb 5, 2019, 1:34 PM

                                    Is this still working for you guys... I had this working... but I noticed now she's back to Double NAT or Moderate... I know it was working maybe 3 pfSense updates ago.. but I never really thought about checking till yesterday... and I was re-going over this as I hadn't changed anything... wanted to know if yours are still staying Open

                                    • I
                                      iculookn
                                      last edited by Jun 12, 2019, 1:54 PM

                                      I just updated my system to a new XG-7100, so time for an update with latest 2.4.4 screenshots, plus I have taken into consideration everyone's comments and updates.

                                      so main changes needed are

                                      1. Use Hybrid Outbound NAT instead of Manual
                                      2. Check Default Deny under UPnP to only have the XBOX use UPnP.
                                      3. Closed up the ports opened with the ACL to "allow 1024-65535 XboxIP/32 1024-65535"

                                      The last 2 changes are just to make it more secure, so the original settings should still work.

                                      • NogBadTheBadN
                                        NogBadTheBad
                                        last edited by Jun 12, 2019, 3:25 PM

                                        @iculookn said in HOWTO: XBOX One and Open NAT:

                                        so main changes needed are

                                        Use Hybrid Outbound NAT instead of Manual
                                        Check Default Deny under UPnP to only have the XBOX use UPnP.
                                        Closed up the ports opened with the ACL to "allow 1024-65535 XboxIP/32 1024-65535"

                                        The last 2 changes are just to make it more secure, so the original settings should still wor

                                        There's no need for IPv4+IPv6 in your outbound NAT entry, just use IPv4.

                                        Andy

                                        1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

                                        • T
                                          thunderman
                                          last edited by Jun 19, 2019, 9:15 AM

                                          Hello,

                                          I did a full howto for Xbox One without UPnP/DMZ.

                                          Topic : https://forum.netgate.com/topic/144291/howto-multiples-xbox-play-together-without-upnp-dmz
                                          Howto : pdf : https://forum.netgate.com/assets/uploads/files/1560932072924-pfsense_multiples_xboxone_v0.1.zip

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.