Xbox (360 & One) NAT Problems

  • Hi Guys,

    I've been using pfSense for a couple of years now, and have a nice home server rack with switching, etc.

    I also have 3 x Fibre ISPs giving me a total bandwidth of 220mb/s down and around 30mb/s up.

    The only problem I've not been able to solve is a strange NAT issue with the Xbox consoles.

    I don't personally game on them, but my brother has both a 360 and an Xbox One.

    I managed to more or less get the 360 running fine by enabling UPnP on pfSense and setting it to run via the default GW.

    However the Xbox One is a major pain in the a**.

    I've tried forwarding ports:

    Port 88 (UDP)
    Port 3074 (UDP and TCP)
    Port 53 (UDP and TCP)
    Port 80 (TCP)
    Port 500 (UDP)
    UDP Port 3544 (UDP)
    UDP Port 4500 (UDP)

    as per Microsoft's recommendations.

    Unfortunately all of these still yield a "Strict" NAT type with UPnP on or off.

    I've even tried forwarding ports 1-65535 TCP&UDP to the Xbox One as I gave up hope, but alas, still a strict NAT type.

    Funnily enough, the moment I got a cheap TP-Link router and connected the LAN side to the Xbox One and the WAN to my ISP side (bypassing the pfSense box), it worked fine after setting the DMZ to the Xbox One's IP.

    Can someone shed a little light on what the issue is here?

    I've tried doing a packet capture on the Xbox One and it seems to want port 443 to enable TLS encryption between sessions, but this still yields a strict NAT type when forwarded.

    Many Thanks.

  • A guess - You have multiple gateways?

    Maybe do something to make sure your game consoles only use one gateway?

    I'm trying to imagine UPnP or even port forwards with multiple gateways if there is load balancing going on.  Not sure, but perhaps it can cause issues.

  • Aye, I have forced the consoles to use a single gateway that I'm forwarding the ports on via the firewall rules, but no luck. :(

  • I have also noticed that SOME UDP services get broken by the auto rewriting and randomization of packets that happens in a default config.

    SIP especially.

    Wonder if game consoles traffic also?

    I use manual outbound NAT and set static port (prevents rewrite of source port) when I have connectivity issues.

  • Indeed, I also have a PBX behind another of my gateways using SIP, but that doesn't have an issue; neither do the 20 or so other NAT'd ports I use for remote admin such as SSH and RDP, etc.

    Even games on the PC via Steam seem to use UPnP to successfully request open UDP ports without an issue.

    But the Xbox One seems to be quite stubborn when it comes to open ports. Even during the PCAP there were successful TCP/UDP streams going on, nothing that would appear to be "one-way traffic", e.g. the Xbox One trying to speak on a port with no response.

    It truly is odd. I have my Outbound NAT rules set to Auto right now.

  • Xbox has a long history of being painful - At my kids house behind pfSense it's fine, but I am running manual outbound there and only one WAN.

  • I can believe it… Do you have any particular rules set up for the manual outbound NAT?

  • Tons…

    I made that entire LAN segment static port, for one thing...  All hosts, all ports.

  • I'll give it a try as static port is set to "NO" at the moment, thanks :)

  • Hope it helps.  Let me know how it goes.

  • Well, that seems to have fixed it.

    All I did was allow static outbound NAT mappings for my LAN subnet out to the ISP the console is set to go out of and it works and now gives an OPEN NAT type.

    Weirdly enough it seems to now also be requesting port 1200 UDP via UPnP which it wasn't doing before.

    Many thanks for your help :)

  • No problem - Glad it was an easy fix for you.
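
An added example, not part of any post in the thread and not pfSense code: a simplified Python model of why the port forwards discussed above changed nothing until static port was enabled on outbound NAT. The NAT-type labels, the per-destination random mapping, the probe hosts, the LAN address and the use of 3074 as the console's source port are assumptions made for illustration.

```python
import random

class OutboundNat:
    """Toy outbound NAT table; a simplified model, not pfSense's implementation."""

    def __init__(self, static_port, seed=1):
        self.static_port = static_port
        self.rng = random.Random(seed)
        self.states = {}  # (lan_ip, lan_port, destination) -> external source port

    def translate(self, lan_ip, lan_port, destination):
        key = (lan_ip, lan_port, destination)
        if key not in self.states:
            if self.static_port:
                ext = lan_port  # static port: the source port is left untouched
            else:
                # Modelled default: a fresh random source port per state.
                # Reuse and lan_port are excluded only to keep the demo deterministic.
                ext = lan_port
                while ext == lan_port or ext in self.states.values():
                    ext = self.rng.randint(1024, 65535)
            self.states[key] = ext
        return self.states[key]


def nat_type(nat, lan_ip, lan_port, probes, forwarded):
    """Assumed classification: compare the mapping seen by several probe servers."""
    seen = {nat.translate(lan_ip, lan_port, p) for p in probes}
    if len(seen) > 1:
        return "Strict"  # port differs per destination, so peers cannot predict it
    return "Open" if seen.pop() in forwarded else "Moderate"


# Constructed sample values (only port 3074 appears in the thread).
CONSOLE = ("192.168.1.50", 3074)
PROBES = ["probe-a.example", "probe-b.example"]
ALL_PORTS = range(1, 65536)  # the "forward 1-65535" attempt

def run():
    return {
        "auto + forward all": nat_type(OutboundNat(False), *CONSOLE, PROBES, ALL_PORTS),
        "static + forward 3074": nat_type(OutboundNat(True), *CONSOLE, PROBES, {3074}),
        "static, no forward": nat_type(OutboundNat(True), *CONSOLE, PROBES, set()),
    }

if __name__ == "__main__":
    for setup, result in run().items():
        print(f"{setup}: {result}")
```

In this model, forwarding every inbound port still yields "Strict" while the source port is rewritten per destination, and the same forward yields "Open" once the mapping is static.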

