Multiple Xbox Ones with uPnP problem.
So, I've been racking my brain trying to figure out an answer to this problem. It appears to come down to either pfSense missing something in its miniupnpd implementation or Microsoft doing their usual and making their own "standards"; I'm thinking the latter.
In a nutshell, I have 2 Xbox Ones. One I have all the required ports forwarded to it, and it works, mostly. The other is relying entirely on uPnP, as is the nature of having 1 WAN IP.
Also, the error code on the Xbox is that it can't get a Teredo IP, which is required for back-channeling most of the services such as voice and other player data. It also lists a strict NAT; I'm trying to at least get it to a moderate or cone NAT at best.
I can post detailed configs if requested, for now I'll keep it short-ish and sweet.
User specified permissions to allow anything on LAN subnet to get a port.
Removed all other uPnP devices from network.
"Static" DHCP addresses for both boxes.
LAN rules that allow 239/8 and 224/8 IPv4* for multicast for uPnP. The default LAN any/any rule is for TCP/UDP.
Snort is running on WAN interface - fairly conservative, no blocks/alerts for this found - also tried with it off.
PfBlocker is running on WAN interface - allows the US, no blocks for this found - also tried with it off.
Even did something silly and set up outbound NAT on the WAN interface for 188.8.131.52/32 (uPnP broadcast address) as a wild stab.
What I've seen during all the troubleshooting:
There is apparently a bug in XBox where it won't re-request uPnP ports when it comes out of sleep mode. No worries, hard reboot or a "check multiplayer connection" fixes this.
The Xbox will, occasionally, get a port to open and call it Teredo.
The Xboxes will open ports 1200 and 1201, occasionally.
Tried blocking port 3074 from uPnP passing it out in the attempt to make xbox realize it can't have that port and grab another. It did, but still doesn't work. After this post I may add a deny in uPnP for all microsoft's required ports and see if it can't negotiate all of them.
Realized that uPnP rules are above firewall port forwarding rules.
Using uTorrent's built-in "test" with a random port yields success 100% of the time. Even just clicking "random port" -> Apply, then looking at the uPnP status page, and it's instantly there.
Gameplay on both Xboxes is moderately decent if you reboot pfSense, then both Xboxes.
Online multiplayer in its base form works 90% of the time; however, any voice or other exchange between you and another player is a crap shoot with loaded dice.
I did a packet capture during the "check multiplayer"; boy, does that pull a lot of data. But I did see where pfSense attempts a uPnP handshake on 2869. I don't know if this is a typical port, but it comes up in every capture. The handshake "appears" to be normal with an HTTP/1.1 200.
When uPnP starts on pfSense I see it starts on port 5351
The uPnP service itself has no errors in the logs, and from all tests, appears completely normal.
The uPnP status page shows the same mappings as pfctl -sn… and pfctl -sr...
Using the uPnP port mapper from sourceforge (java app) it gets all ports that are forwarded and even says tests are successful, however, I did notice in the debug it complains that it found a service of the wrong type. It found urn…MediaServer:1 and is expecting urn...InternetGatewayDevice:1 not sure what that is about. It doesn't tell me where it found that device (IP) just that it "found" it.
The uPnP system logs under routing occasionally show "Connection reset by peer" or "Operation timed out". The operation timeout seems to be the Xbox requesting something, only going halfway with it, then pulling out, leaving pfSense twiddling its thumbs waiting for it to get back to the conversation before pfSense takes its ball and goes home.
Things I have not tried.
Have not tried this one method I found where you set up another internal router/firewall, set up a new subnet, point the Xbox's gateway at it, then do static port maps with NAT translations on the other side. This whole idea, while it seems clever, also appears to be completely asinine.
Have not tried contacting my ISP to see if I can get 3 IP's from them on my home internet as that would be an extra $40 per month plus additional hardware. As it also seems I can't do multiple IP's on a single WAN interface the way I want, especially since they would be 3 DHCP addresses.
Done a factory reset on the xbox like one guy suggested who had a single xbox with moderate NAT already. :o
Sacrificing various livestock in the attempt to appease the Xbox Network gods.
Questions you will probably ask.
Have you looked at XYZ post about uPnP/Port forwarding/etc for Xbox One?
Chances are I have, but my problem is that I have multiple Xboxes. Every guide I've found online about uPnP and Xbox is about a single Xbox getting an open NAT, not multiples. I've spent an inordinate amount of time scouring pfSense forums, generic networking forums, Xbox forums, and Google searches that returned only 5 results, and nothing has gotten me any further along than not having any of the settings I've added in place for this.
Would you consider giving up on this until Microsoft fixes their uPnP code?
I'd love to if I could.
So, with all that, does anyone have any insight into what I may do to get multiple xboxes working on the same network with pfSense handling uPnP?
edit: Added some missing pertinent information.
I believe I am having a similar problem…
2 xbones on my LAN
XB1 - 10.200.0.1
XB2 - 10.200.0.2
The way I was able to get NAT open on both consoles was by modifying UPnP (See screenshots)
Now with those settings alone present, both consoles are able to join parties and multiplayer games such as CoD Ghosts or Forza. With Black Ops 3, when a single Xbox is on, NAT is open. However, when XB1 launches Blops 3 first, it can connect with open NAT and XB2 connects with moderate NAT, and we cannot join games, not even with a 3rd party host. When XB2 launches the game first, it connects with open ports and XB1 can't even talk to CoD servers at all. We can't even play a LAN game... But we can play Rainbow Six Siege together, but only Terrorist Hunt, not multiplayer, and we can play with randoms on Terrorist Hunt.
So what I tried today just to see was to manually add the port forwarding to my LAN. That worked and allowed XB1 to join Blops 3 multiplayer anytime, but with moderate NAT; still can't join games together. But when XB2 gets offline, XB1 can't do party chat. So I disabled those ports. And that static NAT screenshot, I read online somewhere to do that but it didn't do anything, so I left it alone.
Those are basically the same exact settings I have, except you have it down to single IP's where my ACL's are /24s, including the outbound NAT static ports.
I did notice something though, it seems games do their own thing when it comes to uPnP or requesting ports via XB1 system calls.
First, the game we're having the most trouble with is Destiny. It only appears to open ports 1200 and 1201 via uPnP. However, there are 2 teredo mappings that the XB1's just seem to map. One XB1 has 3074 NAT'd directly to it, the other relies on uPnP. If the first XB1 fails, I've noticed the second will grab 3074 out from under the first.
The thing I can't get past is the strict NAT, and both boxes saying they have one and both unable to get a teredo IP. However, I've found that if the first XB1 with the NAT'd ports boots up first, then the second, it works better in all XBLive services. Meanwhile the other XB1 is lucky to get XBLive party chat working.
I know Destiny has weird network issues, but the core XB services failing is another issue that highlights a problem with all games in my situation.
Oh, and another thing that is completely odd, and has happened more than once. In this, XB1A is the one with the manual NATs, XB1B is the redheaded stepchild fathered by uPnP. All references to party chat are referring to XBLive party chat, not in-game.
XB1A in party chat with 8ish other people, works fine.
XB1B starts up, can't join party (regardless of party leader)
XB1A and XB1B are in party chat together, just 2 of them. Invite 3rd person, works. Begin playing Destiny.
4th, sometimes 5th or 6th, joins party. Destiny quits to title screen with network error, person that joined gets disconnected from party chat by their XB1.
XB1A and B are in party chat with 2-3 others. Playing just fine. Suddenly, at random, get network error in Destiny, can't reconnect to each other in game, can still talk in party chat.
If either XB1A or XB1B leaves party chat at this point, they cannot get back into the party. Same goes for if both leave.
Hard Reset both XB1s, no luck. Reboot pfSense, then hard reset both XB1s, everything is back to "normal". Normal being mostly works until it magically doesn't.
Those scenarios might give a better example as to what I'm going through. I can't blame any one thing and figure out how to fix it.
I have 3 variables, pfSense, Multiple XB1s and Destiny.
Destiny I believe has an underlying cause with XB1, mostly, but I didn't write their netcode so can't say for certain.
XB1 seems to be failing because microsoft makes their own standards. Hell, even Apple makes their own standards and says "use it this way or it won't work", Microsoft says, "Here's 92.6% of the accepted standard with some flavor thrown in, enjoy."
pfSense appears to have a solid uPnP implementation, everything that is not an XB1 that I've tested with uPnP has 0 issues. I don't know if this is something the devs would even consider looking into given that pfSense seems to be used more in the office than at home, and on top of that, working with microsoft on integration is just you sitting there walking through traces and reverse engineering until you find something that works.
Something has really got to give, it's hard selling a console and saying, "Oh, sorry, it only works with these 3 routers and try not to have more than 1 turned on at the same time"
As a side note, something I'm considering trying.
Getting another wireless router that supports DD-WRT. Plugging it into the modem, then into the pfSense box (it will act as a first hop for the pfSense box), and then connecting the XBones to its wifi so it all gets placed on the other side of the firewall and it can uPnP and be as insecure as its little heart desires. Though I don't like adding more single points of failure to the home internet, it may be the only thing that works.
I got it working, posted a HOW-TO here:
A lot of the trick to getting NAT to at least Moderate is using advanced outbound NAT and ensuring that your XBoxen are going out the same ports as they think they are. (By default, pf will randomize outbound traffic and apparently this causes problems for the Xbox, even though it shouldn't.) Using AON rules you can ensure static outbound ports.
If you don't want to individually add multiple static port mappings, consider setting your consoles up with DHCP reservations within a contiguous subnet. Whip out a subnet calculator website if you're not an IP nerd. ;) E.g. My network is 192.168.42.0/24. My Xboxes (Ones and 360s) all have IP's inside 192.168.42.32/29. I have a single AON static rule for that subnet, which saves me from having to add individual mappings per xbox.
The other thing that has helped for me is a UPnP Deny rule that blocks 3074. By default the first Xbox to boot will try to snag that port. If you have two of them, they fight over it and it can complicate matters. By denying that port in UPnP, neither of them can have it, so they both have to pick a random higher port instead.
All of the garbage with ports like 53 and 88 is just that - garbage. The Xboxes don't map those ports. They need to pass traffic out TO those ports at MS or whatnot, but as long as you're using a default pfsense setup (allowing all outbound LAN traffic) you don't need any of that. They won't map those ports inbound, and that's all that UPnP is designed for. I actually have a UPnP DENY rule for 1-1024 across my whole LAN subnet, because I don't want anything trying to open those common low ports. (Some NASes will try to open port 80 to themselves… I prefer to use a VPN or at least an alternate high port for stuff like that.)
It would be very helpful if the pfSense devs would note what version their miniupnpd comes from. The original developer is actually fairly active and there has been work recently to help miniupnpd play better with XBox One. I tried to figure out what version pfsense is using and it doesn't display anything, and I have no clue how often they update their codebase (assuming they've got a forked copy and aren't building from miniupnpd's active tree).
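The post above describes three things: grouping the consoles in one contiguous block, a static-port outbound NAT rule for that block, and ordered UPnP deny/allow permissions. The script below is an added example (not code from this thread or from pfSense/miniupnpd) that computes the covering block from constructed console addresses, renders the pf.conf and miniupnpd.conf lines, and checks which mapping requests the ordered permissions would accept. It assumes miniupnpd's first-matching-rule semantics and ends with an explicit catch-all deny so no implicit default applies.

```python
import ipaddress
from typing import Iterable

# Constructed console addresses, laid out like the post's 192.168.42.0/24 LAN.
CONSOLES = ["192.168.42.33", "192.168.42.34", "192.168.42.37"]
LAN = ipaddress.ip_network("192.168.42.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")

def covering_block(addrs: Iterable[str]) -> ipaddress.IPv4Network:
    """Smallest CIDR block holding every console address (the subnet-calculator step)."""
    ints = [int(ipaddress.ip_address(a)) for a in addrs]
    lo, hi = min(ints), max(ints)
    prefix = 32
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    return ipaddress.ip_network(((lo >> (32 - prefix)) << (32 - prefix), prefix))

def aon_static_port_rule(block: ipaddress.IPv4Network, wan: str = "$wan") -> str:
    """pf.conf form of an advanced outbound NAT rule with 'static port' set."""
    return f"nat on {wan} from {block} to any -> ({wan}) static-port"

def upnp_permissions(block: ipaddress.IPv4Network):
    # (action, external port range, client network, internal port range)
    return [
        ("deny", (3074, 3074), LAN, (3074, 3074)),       # nobody gets 3074, so no fighting over it
        ("deny", (1, 1024), LAN, (0, 65535)),            # no well-known low ports from the LAN
        ("allow", (1024, 65535), block, (1024, 65535)),  # consoles may map any high port
        ("deny", (0, 65535), ANY, (0, 65535)),           # explicit catch-all (assumed: no default)
    ]

def miniupnpd_conf_lines(rules) -> list[str]:
    """Render the permission tuples as miniupnpd.conf allow/deny lines."""
    def rng(r): return str(r[0]) if r[0] == r[1] else f"{r[0]}-{r[1]}"
    return [f"{act} {rng(ext)} {net} {rng(int_)}" for act, ext, net, int_ in rules]

def mapping_allowed(rules, ext_port: int, client: str, int_port: int) -> bool:
    """First matching rule decides (assumed to mirror miniupnpd's evaluation order)."""
    ip = ipaddress.ip_address(client)
    for act, (e_lo, e_hi), net, (i_lo, i_hi) in rules:
        if e_lo <= ext_port <= e_hi and i_lo <= int_port <= i_hi and ip in net:
            return act == "allow"
    return False  # unreachable with the catch-all deny above

if __name__ == "__main__":
    block = covering_block(CONSOLES)
    print(aon_static_port_rule(block))
    print("\n".join(miniupnpd_conf_lines(upnp_permissions(block))))
```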
So, I got both XB1's on an open NAT, and things work, for the most part, without having to reboot pfSense.
First, I tried adding an additional router (Linksys EA6400 AC1900). Basically it went Modem -> Linksys -> pfSense -> internal network.
The Linksys had wifi enabled and a hardline to the XB1's. Only enabled uPnP, no port forwarding. During that, I found that XB1 boot order mattered. /boggle
Anyway, so I wondered, if this works, what if I move everything back behind pfSense and get rid of that extra hop? So I did.
Lo and behold, using the "proper" boot order does matter, at least for me.
A little more about that magical boot order:
I have both XB1s set to energy saver in power options, so they completely shutdown.
One XB1 (XBA) was bought within 3 months of XB1's release.
The other (XBB) was bought about a year after release. Don't ask why this matters; even Microsoft is "dunno".
So, if I boot XBA (the older one) first, THEN boot XBB (the newer), both get an open NAT, and everything works great.
If I boot them in the opposite order, XBA gets strict and XBB gets open.
I have no idea why this matters aside from the older XB1 will get the default ports and the other relies solely on uPnP.
Side note from Microsoft, aka hill-billy tech support:
When I first talked with them about what ports should be forwarded, they could only say "follow this guide and make sure ports yada yada were open".
Given that (Like Bradenmcg says) ports 53, 88, etc are garbage ports, everyone allows those outbound. I asked microsoft, "OK, make sure the ports are open… So, which direction and which protocols?"
I asked that 3 times; they kept ignoring the question. Finally (after dropping packet capture results, basic networking rules, etc. on the poor guy) he said, "I'm sorry, but what you're talking about is beyond my ability."
It just so happened that during the chat session I found the "proper" boot order for my XB1s. Told chat about it, asking if there was a known problem with what I was calling Gen1 XB1s, because obviously, there is a problem. They said there is only 1 generation of XB1. They said the last resort was to reset it to factory defaults (Sorry, I don't feel like downloading 120GB of data tonight and re-setting everything back up, fix your networking) and see if that fixed the problem.
Finally, after getting both working with open NAT on that boot order thing, they asked if there was anything else they could help me with... Let's say I really wanted the ability to post a Jackie Chan meme in the chat box.