HOWTO: XBOX One and Open NAT

ZachGold · Mar 27, 2017, 1:46 PM

I have been trying to fix my new XBOX ONE having a "Strict" NAT. I have tried to follow all the posts here and on other sites, but none of them a very clear and detailed enough for beginners to pfsense, so here is a guide that I used to get an "open" NAT with a XBOX ONE. I do have a XBOX 360, that was working fine without all these changes needed, and I have not had a chance to see what affect these changes have had on the NAT status of that box. (might try and update this guide at a later time)

First, I suggest you first run the detailed XBOX diagnostics to see what type of NAT you have. This guide is quite good in explaining the NAT issue from MS
https://support.xbox.com/en-AU/xbox-one/networking/nat-error-solution

From the Network settings screen, select Test multiplayer connection.
After the test is complete, you will need to pull and hold both triggers and both bumpers on your controller. This will display a "Detailed network statistics" screen.

My setting was "Your network is behind a port-symmetric NAT"

A few notes:
Make sure your XBOX is OFF completely. Not in sleep mode.
Reboot pfsense after you make any changes.
Reboot any additional network hardware after any changes. (for some reason, after these changes, I could not connect to my wireless network, until I rebooted all the switches and WAP's - I have 2 x 24 port Cisco switches and 7 x Cisco WAP's and a 8 port switch with VLAN's after the pfsense box connecting directly into a fiber internet connection. I had to reboot everything before it would all work)

Steps:

I created a DHCP Static Mapping for the XBOX ONE.
Go to Services: DHCP Server: and right down the bottom, you will see the DHCP Static Mappings. You will need to know the MAC Address of your XBOX ONE

Create an Alias for the XBOX ONE (Only if you are OCD and need everything cleanly documented)

Select Firewall: NAT: Outbound tab: and select “Manual Outbound NAT” and the Save.
This will create some default entries. Just ignore them.

Add a new mapping and change the following
Interface: WAN
Source: Change to the IP or Alias of the XBOX ONE and /32
Translation: Select “Static Port”
Description: Add something for OCD reasons

I did not change any other settings on this page, so suggest you see my screencap just in case yours is different.

Once this is created, it will be at the bottom of those automatically added Mappings. You now need to move it to the top of the mapping list. Select the rule and the click the “rewind” button on the right of the top most mapping. (I question if this is really needed, but I did it and it works)

Go to Services: UPnP & NAT-PMP and check the following:
Enable UPnP & NAT-PMP
Allow UPnP Port Mapping
External interface: WAN
Interfaces: LAN
User specified permissions 1: allow 88-65535 192.168.1.45/32 88-65535 (you need to change this to your XBOX ONE IP Address)

Reboot everything and you should have OPEN NAT.

Good luck

And just as a FYI - Here is a good site discussing the different types of NAT.
"Types Of NAT Explained (Port Restricted NAT, etc)"
http://think-like-a-computer.com/2011/09/16/types-of-nat/

Thanks. been looking for this thing for almost a year now. Always a bit laggy in games lacking dedicated servers. Bookmarking it… gonna give it a try this Sat.

Napsterbater · Apr 10, 2017, 7:34 PM

XboxOne itself only uses one 1 port for inbound comms UDP 3074 and it is for the IPv6 teredo tunnel, if 3074 is not available it will pick another random port.

So if you have 1 XboxOne you just need.

allow 3074<xboxip>/32 3074

Or if you have more then one,

allow 1-65535 <xboxip>/32 1-65535 for each Xbox IP.

Also in the Outbound NAT you should enable "Static Port" for the range the Xbox will be in, or make a rule to match the Xbox IPs to have them enabled.</xboxip></xboxip>

comet424 · Feb 5, 2019, 1:34 PM

is this still working for you guys... I had this working... but I noticed now she back to Double Nat or Moderate... I know it was working maybe 3 Pfsense updates ago.. but I never really thought about checking till yesterday... and I was re going over this as I hadn't changed nothing... wanted to know if yours are still staying Open

iculookn · Jun 12, 2019, 1:54 PM

I just updated my system to a new XG-7100, so time for an update with latest 2.4.4 screenshots, plus I have taken into consideration everyone's comments and updates.

so main changes needed are

Use Hybrid Outbound NAT instead of Manual
Check Default Deny under UPnP to only have the XBOX use UPnP.
Closed up the ports opened with the ACL to "allow 1024-65535 XboxIP/32 1024-65535"

The last 2 changes are just to make it more secure, so the original settings should still work.

login-to-view

NogBadTheBad · Jun 12, 2019, 3:25 PM

@iculookn said in HOWTO: XBOX One and Open NAT:

so main changes needed are

Use Hybrid Outbound NAT instead of Manual
Check Default Deny under UPnP to only have the XBOX use UPnP.
Closed up the ports opened with the ACL to "allow 1024-65535 XboxIP/32 1024-65535"

The last 2 changes are just to make it more secure, so the original settings should still wor

There's no need for IPv4+IPv6 in your outbound NAT entry, just use IPv4.

thunderman · Jun 19, 2019, 9:15 AM

Hello,

I did a full howto for Xbox One without UPnP/DMZ.

Topic : https://forum.netgate.com/topic/144291/howto-multiples-xbox-play-together-without-upnp-dmz
Howto : pdf : https://forum.netgate.com/assets/uploads/files/1560932072924-pfsense_multiples_xboxone_v0.1.zip

Nyarlathotep · Sep 12, 2019, 3:22 AM

@iculookn

Add a "deny" rule to the top of the UPnP rules to block port 3074; doing so will force the consoles to use different ports for Xbox Live. Here are my rules:

login-to-view

Here is what happens when port 3074 is blocked:

login-to-view

Those are the same rules I used with a UniFi USG Pro, and they also work well with pfSense (both Xbox Ones show "Open NAT").

mike3y · Jan 23, 2020, 8:11 PM

I know this is a stale topic, but I've followed this. Both appear to only show Open NAT within games.

I'm not able to join two consoles to the same GTA 5 session.

Any advice?

rajeshh · Aug 29, 2020, 4:45 PM

@thunderman
Thank you for your guide. I tried following many of the other usual guides that involve uPnP and yours is the simplest of all.

sikita · Sep 29, 2020, 6:20 AM

Hi, just for those who is looking for solution of OPEN NAT in pfSense 2.4.5 and could not get it working with private IP on WAN (192.168..., 10.10..., 172.16...) using UPNP. You are behind second NAT of your internet provider and you have to add this line to /var/etc/miniupnpd.conf with your public IP:

ext_ip=XXX.XXX.XXX.XXX (<=write your public IP here)

setting manual PORT in console advanced network settings and opening that port in NAT is also recommended.

LakeWorthB · Nov 10, 2020, 4:12 PM

I am trying to set this up, but am failing on the uPnP step. On the xbox I get "uPnP not succesfull" any ideas? I don't see where in the logs it would log communications for uPnP

LakeWorthB · Nov 13, 2020, 1:55 PM

@LakeWorthB So I fixed the uPnP issue, as I had to override WAN address. But still in Moderate NAT type. One thing I notice is in the uPnP status, I only get one port 3074 for the xbox series s. Shouldn't I see all the various ports?

WaxBear_79 · Dec 31, 2020, 12:37 PM

login-to-view
I've had to allow uPnP (ports 5351, 1900 and 2189 to the firewall) and IGMP (to 224.0.0.2) to make this work, since my Xbox resides on my IoT VLAN which has limited access.

Following the manual on https://www.amixa.com/blog/2020/04/02/how-to-get-open-nat-with-xbox-or-xbox-one-and-pfsense-firewall/ and adding these rules now NAT is detected as open by the Xbox.