I know this was from Feb, but I'm hoping you're still around.
I've been using pfSense for a while now, but I am by no means an expert with it. I believe that you can create vlans and separate your xbox from the rest of your lan, create your upnp settings on the vlan with your xbox and leave upnp disabled for you other vlan.
HOWEVER - This is just based off my knowledge of enterprise firewalls - I have no earthly clue how to get this to actually work with pfSense. Or at least what would appear to be the logical steps for this setup don't seem to work for me.
I can't even get an open NAT with one xbox, let alone two - Granted, I haven't spent but about 10 minutes on trying to get it to work, but my question for you = how did you get it to work with multiple xboxes?
I'm suspicious of my hardware with its vlan support. It supports vlans, but so far the results have been sketchy. I'm using an asus nettop with only one jmicron nic. I think the jmicron might be the source of most of my problems. Anyway - how?