
Author Topic: Multiple Xbox Ones, Open NAT Failure  (Read 480 times)


Offline cfran22

  • Newbie
  • Posts: 2
  • Karma: +0/-0
Multiple Xbox Ones, Open NAT Failure
« on: June 15, 2017, 12:20:47 am »
Hey everybody,

I was wondering if anybody is running a similar set up as me and could provide some insight.

I am running pfSense in a Proxmox VM as my router...
From the pfSense LAN, I go to the Nighthawk x6 WAN(using as LAN).
I have the Nighthawk set up as an access point, strictly following these configuration steps:

On pfSense, I have my LAN configured as
I have static DHCP leases for all of the Xboxes, -
I have created a firewall alias for these.

I have a firewall rule set on the LAN to force the Xbox alias over the WAN (I have a VPN client running).

From there, I have enabled the UPnP service, checking off enable, allow UPnP, allow NAT-PMP, with the external interface as WAN, interface as LAN.
Also, I have an ACL deny rule across the LAN on port 3074 as I've heard allowing it can cause Teredo issues.

I have my outbound NAT changed to manual, with a NAT rule at the top as follows: WAN XboxAlias  *  *  *  WAN Address  Static Port checked.

Under System > Advanced > Firewall & NAT, I have the NAT reflection mode set to Pure NAT and I have Enable automatic outbound NAT for Reflection checked.

This was all configured based on the following guide:

With my current setup, all of the Xboxes say NAT unavailable, and when running the multiplayer test, they fail with "can't get a Teredo IP address".

Sorry if this has been answered elsewhere. I've been plugging at this for the past two days and can't get it to work. My housemates are getting cranky about their strict NAT.


*** Update #1 ***
I turned off the setting allowing UPnP by default and switched to using ACL rules to control which ports each Xbox could request. I have all 3 set to allow 100-port blocks. Then, in Firewall > NAT > Port Forward, I have these blocks port forwarded to their respective Xboxes. This has alleviated the "can't get Teredo IP" issue and brought the NAT type to moderate. However, my housemate has informed me that the multiplayer test reported the slow download speed error, and the Xbox store and other things seem not to be loading; however, game play, chat, etc. seem to be working fine. I'm getting closer, but it still seems that I'm missing something.
« Last Edit: June 15, 2017, 02:06:57 pm by cfran22 »

Offline phobix

  • Newbie
  • Posts: 5
  • Karma: +0/-0
Re: Multiple Xbox Ones, Open NAT Failure
« Reply #1 on: July 16, 2017, 12:27:47 pm »
You might try using a static outbound rule.

Offline Napsterbater

  • Newbie
  • Posts: 23
  • Karma: +1/-0
Re: Multiple Xbox Ones, Open NAT Failure
« Reply #2 on: September 05, 2017, 03:28:11 pm »
All you need for 1 or more XboxOnes.

This change helps 1 or more than 1 XboxOne.
Change to Manual Outbound NAT rule generation. Change the Outbound NAT rule "Auto created rule - LAN to WAN" to Static Port. No need to make more than one rule or anything. even notes "Rewriting the source port eliminates these potential (but unlikely) security vulnerabilities."

The above change helps with more than just Xbox: PS4, PC games, and other apps, hence why it's far easier to Static Port the whole LAN, for very little/practically no risk.

This UPnP rule is only needed for more than 1 Xbox with Open NAT.

Then add a UPNP ACL to block 3074.
deny 3074 <LAN SUBNET> 3074
This forces each Xbox to randomly generate a different port and forwards it. Supposedly an option to specify a port is upcoming in Xbox, but until then the Xbox must pick a random one when 3074 is blocked or unavailable.

Those 2 steps are all that is needed for 1 or more XboxOnes to get Open NAT. You will likely want to clear states or just reboot pfSense, and reboot the Xbox once the changes are made. Assuming you truly have your public IP on the WAN of pfSense.
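The two UPnP ACL styles in this thread (cfran22's per-Xbox port blocks with "deny by default" in Update #1, and Napsterbater's single `deny 3074 <LAN SUBNET> 3074` entry) both rely on how the UPnP daemon's ACL is evaluated: entries are checked in order, an entry matches only when the external port, the internal address and the internal port all match, and the first match decides. The script below is an added example written for this page, not code from pfSense or miniupnpd. It parses ACL entries in that `allow|deny ext_port int_addr/mask int_port` format, evaluates a mapping request against them, and then models what the thread describes: each console asks for 3074 first and falls back to random ports when refused. The LAN subnet `192.168.1.0/24`, the console addresses `192.168.1.10-12`, the 50000-50299 port blocks and the fallback candidate lists are all constructed for the example; treating pfSense's "deny access by default" option as a `default_allow=False` flag (equivalent to a trailing `deny 0-65535 0.0.0.0/0 0-65535` entry) is the example's own modelling choice.

```python
"""Evaluate miniupnpd-style UPnP ACL entries of the kind pfSense's UPnP service uses.

Entry format (one per line):
    allow|deny EXT_PORT[-EXT_PORT] INT_ADDR[/MASK] INT_PORT[-INT_PORT]
Entries are checked in order; the first entry whose three fields all match decides.
Addresses, subnets and port blocks in this file are constructed examples.
"""
import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str        # "allow" or "deny"
    ext_ports: tuple   # (low, high) external port range, inclusive
    network: object    # ipaddress network of internal hosts the entry covers
    int_ports: tuple   # (low, high) internal port range, inclusive


def parse_port_range(text):
    """'3074' -> (3074, 3074); '50000-50099' -> (50000, 50099)."""
    low, _, high = text.partition("-")
    low = int(low)
    high = int(high) if high else low
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return (low, high)


def parse_acl(text):
    """Parse ACL lines. Blank lines and trailing '#' comments are a convenience
    of this parser, not part of the daemon's format."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"malformed ACL entry: {raw!r}")
        action, ext, net, internal = parts
        entries.append(AclEntry(action, parse_port_range(ext),
                                ipaddress.ip_network(net, strict=False),
                                parse_port_range(internal)))
    return entries


def is_permitted(acl, ext_port, int_addr, int_port, default_allow=True):
    """First matching entry wins. With no match the daemon allows the mapping;
    pfSense's "deny access by default" option is modelled as default_allow=False
    (assumption: equivalent to a trailing 'deny 0-65535 0.0.0.0/0 0-65535')."""
    addr = ipaddress.ip_address(int_addr)
    for e in acl:
        if (e.ext_ports[0] <= ext_port <= e.ext_ports[1]
                and addr in e.network
                and e.int_ports[0] <= int_port <= e.int_ports[1]):
            return e.action == "allow"
    return default_allow


def request_mapping(acl, taken, int_addr, candidates, default_allow=True):
    """Model a console asking for ext_port == int_port == candidate, in order.
    A request succeeds only if the ACL permits it and no other host already
    holds that external port. Returns the port obtained, or None."""
    for port in candidates:
        if port in taken and taken[port] != int_addr:
            continue  # external port already mapped to another console
        if is_permitted(acl, port, int_addr, port, default_allow):
            taken[port] = int_addr
            return port
    return None


def assign_ports(acl, consoles, default_allow=True, seed=1):
    """As the thread describes: every console asks for 3074 first and, when
    refused, falls back to random ports (fallback lists constructed here)."""
    rng = random.Random(seed)
    taken, result = {}, {}
    for ip in consoles:
        candidates = [3074] + [rng.randint(1024, 65535) for _ in range(20)]
        result[ip] = request_mapping(acl, taken, ip, candidates, default_allow)
    return result


# Napsterbater's entry, with a constructed subnet in place of <LAN SUBNET>
DENY_3074_ACL = parse_acl("deny 3074 192.168.1.0/24 3074")

# cfran22's Update #1 style: one 100-port block per console, used with default deny
BLOCKS_ACL = parse_acl("""
allow 50000-50099 192.168.1.10/32 50000-50099   # Xbox 1
allow 50100-50199 192.168.1.11/32 50100-50199   # Xbox 2
allow 50200-50299 192.168.1.12/32 50200-50299   # Xbox 3
""")

CONSOLES = ["192.168.1.10", "192.168.1.11", "192.168.1.12"]

if __name__ == "__main__":
    print("with deny-3074 entry:", assign_ports(DENY_3074_ACL, CONSOLES))
    print("with no ACL at all:  ", assign_ports([], CONSOLES))
```

With the deny-3074 entry every console is refused 3074 and ends up on its own random port, which is the outcome Napsterbater describes; with no ACL at all, the first console takes 3074 and only the later ones fall back. Note that the entry matches all three fields, so a request for external 3074 mapped to a different internal port would not be caught by it; and with the per-console blocks, a request from the wrong console for a port in another console's block falls through to the default and is refused only when default deny is on.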