Multiple Xbox Ones - Open NAT using pfSense



  • Hi Everybody,

    I am newer to pfSense and I am still working on learning the Interface and pfSense configuration, since I have more experience as a Windows Admin and little experience with Linux. We all have to start somewhere. I replaced my SonicWALL Router that I was using with pfSense. My pfSense is a VM on a VMware ESXi Host with 6 Physical Connections. Currently I am using 2 connections for my Setup: WAN & LAN.
    My Network looks like this

    WAN Setup
    Comcast Modem with 5 Static IPs (Inside House) --> Cat 6 Ethernet to Outside 4 Port Office Switch --> Cat 6 Patch Cable to ESXi Host in Rack NIC labeled as WAN Network

    LAN Setup
    ESXi Host with Physical NIC Labeled LAN --> Cat 6 Cable to 48 Port Switch --> Cat 6 Cable to House with inside 12 Port Switch

    My Objective/Goal is to set up an Open NAT on all 3 Xbox Ones for being able to connect to Xbox Live Servers and play with Friends & Family. I have tried several configurations in this forum & on the Web to get an Open NAT and can successfully see OPEN NAT on all Xboxes. However, when a single Xbox joins a Server, let's say Rainbow Six Siege, they can play just fine, but whenever the Second or Third Xbox attempts to join Rainbow Six Siege we receive a Connection Error. Here is my current Config:

    Static DHCP mapping for all Xbox Ones: 10.5.65.97-10.5.65.99
    Firewall: NAT: Outbound and select Manual Outbound NAT and hit save.  This should by default create two entries, a LAN mapping and a Localhost mapping.
    Outbound NAT has 3 Rules created, one for each Xbox One IP Address, with a /32 mask bit in the Source section.  In the Translation section of this mapping, select the "Static Port" checkbox. These Rules are at the very top of the page.

    Services: UPnP & NAT-PMP: UPnP and NAT-PMP are enabled, allow UPnP port mapping is checked, external interface: WAN, interfaces: LAN, user specified permissions:
    1, allow 88-65535 10.5.65.97/32 88-65535
    2, allow 88-65535 10.5.65.98/32 88-65535
    3, allow 88-65535 10.5.65.99/32 88-65535

    Again, this allows all Xboxes to have Open NATs, but they are unable to join the same Game Servers together so that they can play together. I think this is because of the Static Port Checkbox.

    I would appreciate any help to resolve this issue. Thanks.



  • The Static Port option just prevents pfSense from randomizing the source port, which apparently doesn't work well with gaming.  It's not what's preventing your three consoles from joining the same game.  More likely it's NAT reflection, where console A is trying to talk to console B via your WAN IP, but because console A is inside your network trying to talk to your network it doesn't go out and back in through the port forwarding rules.  You can enable it in System -> Advanced -> Firewall / NAT -> "NAT Reflection mode for port forwards".  Set it to "Enable (Pure NAT)".

    Also, you don't need to allow privileged ports below 1024 for your UPnP rules.  1024-65535 would be sufficient.
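
An added example, not part of the thread and not pfSense or miniupnpd code: a small audit of the UPnP "user specified permissions" entries quoted above, comparing the posted `88-65535` rules with the `1024-65535` range suggested in the reply. It assumes rules are checked in order with the first match deciding, and that unmatched requests are denied (`default_allow=False`); the port numbers 443 and 3074 are sample values chosen for the check.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str                    # "allow" or "deny"
    ext: range                     # external (WAN-side) ports
    net: ipaddress.IPv4Network     # LAN client(s) the rule applies to
    internal: range                # internal ports

def parse_ports(text):
    """Parse "88-65535" or a single port such as "3074" into a range."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text}")
    return range(lo, hi + 1)

def parse_rule(line):
    """Parse one entry: <allow|deny> <ext ports> <ip/cidr> <int ports>."""
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    return Rule(action, parse_ports(ext),
                ipaddress.ip_network(net, strict=False), parse_ports(internal))

def decide(rules, ext_port, client_ip, int_port, default_allow=False):
    """First matching rule wins; default_allow is an assumption, see lead-in."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if ext_port in r.ext and ip in r.net and int_port in r.internal:
            return r.action == "allow"
    return default_allow

def privileged_exposure(rules):
    """List (client, low, high) for allow rules that reach below port 1024."""
    return [(str(r.net), r.ext.start, min(r.ext.stop - 1, 1023))
            for r in rules if r.action == "allow" and r.ext.start < 1024]

CONSOLES = ["10.5.65.97", "10.5.65.98", "10.5.65.99"]
# Rules as posted in the thread, and the tightened form from the reply.
POSTED = [parse_rule(f"allow 88-65535 {ip}/32 88-65535") for ip in CONSOLES]
TIGHTENED = [parse_rule(f"allow 1024-65535 {ip}/32 1024-65535") for ip in CONSOLES]

if __name__ == "__main__":
    for client, low, high in privileged_exposure(POSTED):
        print(f"{client} may request WAN ports {low}-{high} (privileged)")
    print("443 with posted rules:   ", decide(POSTED, 443, CONSOLES[0], 443))
    print("443 with tightened rules:", decide(TIGHTENED, 443, CONSOLES[0], 443))
```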



  • @Raproductions:

    Were you able to figure this out? I'm running into the same situation where only the 1st console can connect to the game server, but console 2 or 3 can't connect. I noticed once I uncheck static port they all can connect, but they lose the Open NAT and go into Strict NAT, which causes other issues.



  • I have a friend I was trying to help out with a very similar issue, but it was involving 2 PS3s connecting to the same server at the same time. If there is a solution for this that works, I would like to know as well.



  • I am attempting somewhat of the same thing with setting up a subset for my 3 Xbox Ones with UPnP enabled.  Not much luck.

    This looks related, but I am not sure on all the details.

    https://forum.pfsense.org/index.php?topic=103901.0

