HOW-TO: Multiple XBox Ones with Open NAT



  • NOTE: I literally just got this working according to XBox multiplayer tests. I haven't played any games yet to verify full functionality. Chances are there will need to be some tweaks. If this works for anyone else, please post that it does. Once we have enough successes/verification of others, I'll remove this note.

    I have been working on getting an open NAT on multiple XBoxes behind 1 IP for a long time. I may have finally found an answer.

    pfSense Version: 2.2.5-RELEASE

    Assumptions made on who is reading this:

    Preliminary Setup

    Forward Ports for the Primary XBox
    This may not be required, but I have things configured such that we have a primary with secondary XBoxes

    Go to Firewall -> NAT (Make sure you are on the Port Forward tab) then click the plus button on the far right.
    Set up the port forwarding for each port listed at http://support.xbox.com/en-US/xbox-one/networking/network-ports-used-xbox-live
    Note: Microsoft is bad about saying which ports need to be forwarded. A lot of those ports are just for outbound. I added them all in case they did something weird and I didn't have any conflicts with other running systems on my network.
    Do this for each port listed on Microsoft's page.
    Another Note: Each game may have a different port or range needed. Forward their defaults. For the secondary XBoxes I'll explain in the uPnP section.

    Outbound NAT
    The XBox is kind of bad about port randomization, as in, it doesn't like it. So we need to set static ports on the Outbound NAT so that Port X on the inside translates to Port X on the outside, otherwise you could get an internal port of 5000 with and external port of 43054. This tends to confuse XBox.

    Go to Firewall -> NAT Click on the Outbound Nat tab at the top.
    You'll need to change the setting from Automatic Outbound NAT to Manual Outbound Nat
    I deleted all the rules the automatic created and just put in one rule for my whole network. I'm not too worried about security since this is a home network and I have Snort and pfBlocker running.
    Click the + sign on the right to add a rule.
    Set your network's CIDR address on the WAN interface to any on everything, make sure to click the Static Port checkbox in the rule under Translation
    It should look like this when done (for your network obviously).
    Also, you don't have to use a /24 or whatever your network is on, you can use the individual addresses for the XBoxes, but you still need an outbound NAT rule for your whole network, it just needs to be last and the Static port is optional there.

    You may want to go into XBox -> All Settings -> Network -> Test Multiplayer Connection to verify everything for the primary is working. If it doesn't, test 2 more times. The XBox doesn't always make the proper requests when it comes out of sleep mode. Testing the multiplayer connection usually forces it to re-make these requests. Also, hard resetting the XBox will refresh and resend all requests needed. If that still doesn't work, continue this HOW-TO and test at the end. I'm not backing out all my changes to test the primary at this point, but I believe it should work.

    uPNP Settings
    Since that's all done, now we configure uPnP for the other Xboxes
    First, we set up a firewall rule to allow the broadcast.
    Note: I've read this was now done automatically in pfSense when enabling uPnP, but I still did it just to be sure.

    Go to Firewall -> Rules -> LAN Add a new rule with the + sign. We'll be adding 2 rules.
    Set it to IPv4, protocol to ANY, the network to 239.0.0.0/8 leave everything else as blank or any.
    Save and click the + sign on the rule you just added to "copy" it.
    Set the network on this one to 224.0.0.0/8 then click Save.
    Apply changes at the top.

    It should look something like this:

    Now for the uPnP Service.
    Go to Services -> uPnP & NAT-PMP. This is where the magic happens and the configuration gets a little weirder than what we did so far.
    Click the top 3 check boxes, I'm not entirely sure NAT-PMP needs to be enabled, but if you have apple devices, you may need it.
    Click the middle check boxes, leave everything else blank with WAN and LAN checked on the interfaces respectively. If you have settings there already, you know what you're doing, keep doing it.
    With that first and last checkbox we effectively turned on uPnP then disabled it, so we need custom user permissions to turn it back on.

    A little explanation as to why I did it this way. When you have 1 external IP, you can't really forward the same ports to more than 1 internal device and expect it to work.
    So, what I did was set a specific range of ports that my secondary xbox could request, this way I have more control over it in the port forwarding rules.

    So, first user permission (This is for Destiny, your game may need others, you don't have to use this port)
    I noticed that Destiny would request a specific port in uPnP or the next one in line if it was unavailable. In this case, 1200 is the default; 1201, 1202, etc. were the next ones.
    Secondary XBox A
    allow 1201 192.168.1.71/32 1201 This forces that xbox to get 1201 from destiny.
    Second user permission for Secondary XBox A
    allow 56000-56100 192.168.1.71/32 56000-56100 This forces the teredo Xbox uses into this port range. You DO NOT have to use this range, it's just the one I picked and gave it 100 ports for good measure.
    Third user permission for Primary XBox
    allow 1-65535 192.168.1.72/32 1-65535 This allows the primary xbox to get any port it wants.
    Fourth user permission, this one is not needed, I set it up for network that excludes my secondary xbox so other devices on the network can get a port. If you have devices that need uPnP, I recommend reserving them into a range that gives 64 addresses, or a /26 network and keeping the secondary xbox(s) out of that range. There is a reason for this.

    My Settings look like this:

    Firewall Rules and NAT for Secondary XBox
    Something to note on pfSense NAT and uPnP. uPnP requested ports are placed above the firewall rules in the processing engine, or so I've read in the docs. You can't change this, and what this means is if you have a manual port NAT'd to say 192.168.1.50:5000, if another device uPnP requests port 5000, like say 192.168.1.100:5000 it will win and port 5000 will stop working for that .50 device and be forwarded to .100.

    Now with that said, there appears to be a possible bug in pfSense or maybe it's working as intended. Either way, the user permissions and weird uPnP settings will now make sense.

    Go to Firewall -> NAT -> Port Forward again. Add a new rule.
    WAN TCP/UDP DestPort Range: 56000 and 56100. Redirect target IP: Secondary XBox. Target port: 56000 (it will fill in the range automatically)
    Do this same thing again for the additional Game ports you may have specified in user permission 1 above.
    Save and apply changes.

    Add another rule, this time it's for the Primary XBox.
    Same as before, except this time, I did ports 1-65535 and used the primary XBox's IP address. Also, since this is a firewall and matches the first rule from top to bottom, make sure this rule is at the bottom.

    Sample Rule

    Now, we need to go back into the firewall rules themselves.
    Go to Firewall -> Rules -> WAN
    Make sure that the new rules generated by the NAT rules are in the proper order and at the bottom, especially the 1-65535 rule, that can break things.

    Testing the Xboxes
    When testing the XBoxes, I hard reset and cleared the NAT table in Status -> NAT & NAT-PMP
    Go into each XBox's network settings and test multiplayer. I had to run it twice on the secondary XBox before it opened up.
    Both should test successfully at this point.

    Final Comments
    Prior to this config, I was only getting "Can't get teredo IP address" from XBox and multiplayer was spotty at best.
    I had uPnP enabled for the entire network and uPnP was supposed to take care of the inbound NAT and firewall rules automatically.
    Then I had a crazy idea: limit the secondary XBox to a port range it can request, then NAT that port range to that XBox. This is where the potential pfSense bug comes in, or, it's working as intended and is a security feature. Either way, once I did this and NAT'd those ports, the secondary XBox reported an Open NAT and that all network settings were good.

    If you're like me and were banging your head against a wall trying to figure it out, try the above config or a variation on it to force uPnP into a controllable range you can NAT.
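The following is an added example, not part of the original post or of pfSense/miniupnpd itself. It models the two mechanisms the how-to relies on: the miniupnpd-style permission lines entered on the Services -> uPnP & NAT-PMP page (first matching rule wins), and the observation that a granted uPnP mapping is consulted before the manual port forwards. The rules, addresses and port numbers are the ones quoted above; the catch-all "deny" line is what the Default Deny checkbox is assumed to append, and the list of console requests is constructed for illustration.

```python
"""Model of pfSense/miniupnpd UPnP permission rules and inbound NAT precedence.

Added example for the how-to above; not code from pfSense or miniupnpd.
Assumption: a request matching no permission line is accepted (which is why a
catch-all deny is appended when Default Deny is ticked).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    action: str                      # "allow" or "deny"
    ext_ports: tuple                 # (low, high) external port range
    network: ipaddress.IPv4Network   # client addresses the rule applies to
    int_ports: tuple                 # (low, high) internal port range


def _parse_range(text):
    """'1201' -> (1201, 1201); '56000-56100' -> (56000, 56100)."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), (int(hi) if hi else int(lo))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text}")
    return (lo, hi)


def parse_permission(line):
    """Parse one 'allow|deny EXT_RANGE IP/MASK INT_RANGE' line (miniupnpd syntax)."""
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action: {action}")
    return Permission(action, _parse_range(ext),
                      ipaddress.ip_network(net, strict=False), _parse_range(internal))


def is_permitted(rules, client_ip, ext_port, int_port):
    """Rules are evaluated in order; the first one that matches decides."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if (r.ext_ports[0] <= ext_port <= r.ext_ports[1] and ip in r.network
                and r.int_ports[0] <= int_port <= r.int_ports[1]):
            return r.action == "allow"
    return True  # assumption: fall-through accept when no rule matches


# The post's user permissions: secondary XBox A (.71) limited to 1201 and
# 56000-56100, primary (.72) allowed anything, then the Default Deny catch-all.
POST_RULES = [parse_permission(l) for l in """
allow 1201 192.168.1.71/32 1201
allow 56000-56100 192.168.1.71/32 56000-56100
allow 1-65535 192.168.1.72/32 1-65535
deny 0-65535 0.0.0.0/0 0-65535
""".split("\n") if l.strip()]

# Manual port forwards from the post, top to bottom: Xbox Live's 3074 to the
# primary, the secondary's reserved range, and the 1-65535 catch-all last.
STATIC_FORWARDS = [((3074, 3074), "192.168.1.72"),
                   ((56000, 56100), "192.168.1.71"),
                   ((1, 65535), "192.168.1.72")]


def apply_upnp_requests(rules, requests):
    """Return {ext_port: client_ip} for the requests the rules accept.

    requests: iterable of (client_ip, ext_port, int_port); the first device
    to claim an external port keeps it.
    """
    granted = {}
    for client_ip, ext_port, int_port in requests:
        if ext_port not in granted and is_permitted(rules, client_ip, ext_port, int_port):
            granted[ext_port] = client_ip
    return granted


def inbound_target(ext_port, upnp_mappings, forwards=STATIC_FORWARDS):
    """Where an inbound packet lands: uPnP mappings win over manual forwards."""
    if ext_port in upnp_mappings:
        return upnp_mappings[ext_port]
    for (lo, hi), target in forwards:
        if lo <= ext_port <= hi:
            return target
    return None


# Constructed request list: both consoles ask for 3074, the secondary asks for
# its Destiny port and a teredo port, and an unrelated device asks for 5000.
SAMPLE_REQUESTS = [
    ("192.168.1.71", 3074, 3074),
    ("192.168.1.71", 1201, 1201),
    ("192.168.1.71", 56010, 56010),
    ("192.168.1.72", 3074, 3074),
    ("192.168.1.50", 5000, 5000),
]

if __name__ == "__main__":
    granted = apply_upnp_requests(POST_RULES, SAMPLE_REQUESTS)
    for port in (3074, 1201, 56010, 5000):
        print(f"external {port} -> {inbound_target(port, granted)}")
    # Without the catch-all deny, the .50 device's request falls through and
    # its uPnP mapping overrides the manual 1-65535 forward to the primary.
    loose = apply_upnp_requests(POST_RULES[:3], SAMPLE_REQUESTS)
    print(f"no Default Deny: external 5000 -> {inbound_target(5000, loose)}")
```

Run as-is, the secondary console's request for 3074 is refused by the catch-all deny, so 3074 keeps going to the primary, while its 1201 and 56010 requests are granted and land on the same address the manual 56000-56100 forward already points at. Dropping the final deny line shows the failure mode described in the Firewall Rules and NAT section: an unrelated device's accepted mapping for 5000 takes precedence over the manual catch-all forward.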



  • OK, so after I posted this I found out 2 things.
    Older model XBox Ones seem to have a uPnP problem that slightly newer ones do not, even when Microsoft says there is only 1 generation of XBox One.
    The second thing is that the first XBox to boot will grab the default ports via uPnP and steal port forwards you manually have set up.

    So what I found:
    If you have an XBox One purchased within 3 months of its initial release (it may be longer, but this is from my experience) it MUST be the first one to boot and be on the network so it can grab the default ports via uPnP. Default ports being 3074 mainly.

    We have 2 (obviously from this whole post) and one was purchased about a year and a half after the initial release of the XBox One. What I found, with my config that has been outlined in the OP, is that the older XBox must be the one that gets the default ports. The newer one will successfully negotiate the ports it needs and will be happy.

    How the boot order affected me:
    Boot new xbox, then boot old xbox: New one has open NAT, old one has strict.
    Boot old xbox, then boot new one: Old one has open NAT, new one has open NAT.
    These 2 scenarios happen without fail, so, I don't believe there is any issue with pfSense itself, but rather, something goofy Microsoft did to the xbone in later hardware releases. Possibly a newer network driver because obviously the underlying OS "should" be the same across all.

    With that said, if you are still having issues, try booting the oldest console first, then the newest.

    As a side note, I didn't find this out until after I bought an additional router (LinkSys EA6400 AC1600) and put both XBoxes on the other side of the firewall.
    So it goes Internet -> Linksys -> pfSense. I had to put in static routes obviously so things could reach the firewall from the outside and I had to double NAT from the outside for non-XBox stuff. But that's how I have it currently configured.

    Given what I know now, I'll most likely move everything back behind the pfSense box and go with the "correct boot order" method on the XBoxes while using the OP How-To config, just tweaked and swapping the IPs. My OP config has the newer xbox getting all the default ports.



  • I copied this config step by step, for my two Xbox Ones. Now I don't get any NAT as my Xbox cannot get a Teredo IP