Hello All,
I have just bought my son an Xbox One X and am trying to get it set up so he can play Fortnite. I did some forum checking and found this:
https://forum.opnsense.org/index.php?topic=3521.0
where there was supposed to be a guide on how to get open NAT for the Xbox One. Unfortunately it's been removed and then moved to the FAQ section, but without any guide to follow. Does anyone have a guide that can be posted up, or could someone update that thread? I could use trial and error, but 10-year-olds are not the most patient creatures on earth.
Thanks
Short Version:
- Give your XB1 (or PS4, same process required) a static IP
- Install/Enable UPNP
- Set "User Specified Permissions" to "allow 88-65535 10.1.1.x/32 88-65535", where 10.1.1.x is the static ip of the XB1/PS4
- Firewall>NAT>Outbound - Set to Hybrid/Manual rule generation
- Create a rule with the following set: "Source Address - Single Host or network - 10.1.1.x" & "Static Port - Checked"
- Do a hard-reboot of your XB1/PS4 (shutting it down and pulling the power for 2 mins will do)
You should now have a NAT Type of Moderate (XB1), or Type 2 (PS4).
Brilliant. That has worked. ;D Thanks for the help.
I confirm this works for PS4. It didn't even take a PS4 reboot; just going to the menu showed it's Type 2.
I opened only ports > 1024 for upnp, and it worked even with that.
Thanks!
Tried these instructions and nothing... I also tried the following:
I have the same issue.
I've created an Alias and added my Xbox's IPs as the content.
Created a WAN rule to allow any port connection to the Alias
Created a WAN rule to allow any port connection to the Xbox IPs
Created an Outbound NAT for the Alias
Created an Outbound NAT for the Xbox IPs
So far nothing I do seems to work for me. I pull up my xbox and see
NAT Type: Strict
UPnP not successful
Quote from: blackdwarf on June 02, 2018, 08:52:01 PM
Short Version:
- Give your XB1 (or PS4, same process required) a static IP
- Install/Enable UPNP
- Set "User Specified Permissions" to "allow 88-65535 10.1.1.x/32 88-65535", where 10.1.1.x is the static ip of the XB1/PS4
- Firewall>NAT>Outbound - Set to Hybrid/Manual rule generation
- Create a rule with the following set: "Source Address - Single Host or network - 10.1.1.x" & "Static Port - Checked"
- Do a hard-reboot of your XB1/PS4 (shutting it down and pulling the power for 2 mins will do)
You should now have a NAT Type of Moderate (XB1), or Type 2 (PS4).
Thank you so much. Please disregard my previous message, I had to reboot my entire OPNsense box for the changes to take but I am good now.
Quote from: blackdwarf on June 02, 2018, 08:52:01 PM
Short Version:
- Give your XB1 (or PS4, same process required) a static IP
- Install/Enable UPNP
- Set "User Specified Permissions" to "allow 88-65535 10.1.1.x/32 88-65535", where 10.1.1.x is the static ip of the XB1/PS4
- Firewall>NAT>Outbound - Set to Hybrid/Manual rule generation
- Create a rule with the following set: "Source Address - Single Host or network - 10.1.1.x" & "Static Port - Checked"
- Do a hard-reboot of your XB1/PS4 (shutting it down and pulling the power for 2 mins will do)
You should now have a NAT Type of Moderate (XB1), or Type 2 (PS4).
UPnP is a pretty bad security risk unless there's been some recent mitigation I'm not aware of. It effectively lets any LAN host open whatever port they want on the firewall. I've run without UPnP for years using Meraki gear and have open NAT on two Xbox Ones, only specifying the needed ports for the devices. OPNsense is also a stateful firewall just like my MX64; there's no reason why you can't get open NAT without effectively putting your XB1 in a DMZ and without UPnP.
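To make the scope of the "User Specified Permissions" line from the Short Version concrete, here is an added example (not from any poster and not OPNsense or miniupnpd code) that evaluates mapping requests against rules in that `allow|deny ext-ports ip/mask int-ports` form. Assumptions: 10.1.1.50 stands in for the console's 10.1.1.x address, the requests are constructed, rules are checked first-match, and the behaviour when no rule matches is modelled as a parameter that defaults to accept.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    allow: bool
    ext: range                      # external (WAN-side) ports
    net: ipaddress.IPv4Network      # LAN clients the rule applies to
    internal: range                 # internal (LAN-side) ports

def _ports(spec: str) -> range:
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return range(lo_i, hi_i + 1)

def parse_rule(line: str) -> Rule:
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    return Rule(action == "allow", _ports(ext),
                ipaddress.ip_network(net), _ports(internal))

def decide(rules, client_ip, ext_port, int_port, default_allow=True) -> bool:
    """First matching rule wins. default_allow is an assumption of this
    example: what happens when no rule matches at all."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if ip in r.net and ext_port in r.ext and int_port in r.internal:
            return r.allow
    return default_allow

# Constructed mapping requests: (requesting LAN host, external port, internal port)
REQUESTS = [
    ("10.1.1.50", 3074, 3074),    # console, the port mentioned in the thread
    ("10.1.1.50", 50000, 50000),  # console, arbitrary high port
    ("10.1.1.50", 22, 22),        # console, port below 88
    ("10.1.1.77", 8080, 8080),    # some other LAN host
]

THREAD_RULE = ["allow 88-65535 10.1.1.50/32 88-65535"]
WITH_DENY_ALL = THREAD_RULE + ["deny 0-65535 0.0.0.0/0 0-65535"]
SINGLE_PORT = ["allow 3074 10.1.1.50/32 3074", "deny 0-65535 0.0.0.0/0 0-65535"]

def audit(lines, default_allow=True):
    rules = [parse_rule(l) for l in lines]
    return [decide(rules, ip, e, i, default_allow) for ip, e, i in REQUESTS]

if __name__ == "__main__":
    for name, rs in [("thread rule only", THREAD_RULE),
                     ("thread rule + deny-all", WITH_DENY_ALL),
                     ("single port + deny-all", SINGLE_PORT)]:
        print(f"{name:24} {audit(rs)}")
```

Under these assumptions the allow line on its own restricts nothing: it only limits what the console and other hosts can map once a closing deny-all rule follows it.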
Quote from: JdeFalconr on September 15, 2019, 10:10:31 PM
UPnP is a pretty bad security risk unless there's been some recent mitigation I'm not aware of. It effectively lets any LAN host open whatever port they want on the firewall. I've run without UPnP for years using Meraki gear and have open NAT on two Xbox Ones, only specifying the needed ports for the devices. OPNsense is also a stateful firewall just like my MX64; there's no reason why you can't get open NAT without effectively putting your XB1 in a DMZ and without UPnP.
Now ... what are the required ports?
Hi,
I'm facing a similar issue, looking to open NAT by putting my PS4 in DMZ. Would one provide a step-by-step guide?
Thanks!
Followed instructions exactly as printed and NAT is showing as strict. Where does one troubleshoot?
There are good reasons to not want to use UPnP IMO, but what option is the best I won't comment further on. I will however add how it is possible to get the same result (NAT type 2) without installing UPnP, via Hybrid outbound NAT.
- Change IP to static on Xbox/Playstation
- Firewall -> NAT -> Outbound: Set Mode to Hybrid outbound NAT rule generation
- Add a new rule just below (See attached screenshot for options)
- Make sure the Xbox/Playstation is allowed to communicate on the interface it is connected to (likely LAN).
That's it.
@TheForumTroll: Thanks a lot. I did not want to enable UPNP but with your solution it works and now I have a happy kid playing with his gaming devices :-)
@TheForumTroll Thanks mate, these instructions also resolved my Local Game Server issue (UDK/Steam hosted Game server) :) :) :) :) :)
Any updates to these instructions, as it doesn't seem to work for me? Still strict.
Quote from: supercm on February 16, 2023, 09:39:49 PM
Any updates to these instructions, as it doesn't seem to work for me? Still strict.
This has been discussed a few times and I can confirm you just need the Outbound NAT rule, have a read also here: https://forum.opnsense.org/index.php?topic=25473.msg131300
What else should I do then, as I have set up the outbound nat rule and it is still not working.
I will add that this shows up in my firewall log when I test the nat type
Quote from: supercm on February 20, 2023, 06:13:51 PM
What else should I do then, as I have set up the outbound nat rule and it is still not working.
I also have a static port NAT for TCP/UDP 3074 mapped to my XBox dhcp lease reservation IP. This plus the Outbound NAT for the XBox IP and the Static-port is all that was required for my stock OPNsense config. That's all I need. No UPnP. Set that, reboot the XBox, Network Test and it is completely happy and shows "Open NAT".
This is how I set mine up, and I have OPEN NAT status on my Xbox all the time, including Call of Duty
I highly recommend that you use wired networking with an Xbox and NOT WiFi.
Get some Info from the Xbox and select an Alternate port
- On your Xbox go into Settings / Network Settings / Advanced Settings
- Write down the MAC address - Use wired if possible, otherwise write down the wireless address
- Alternate port selection
- Select an Alternate port and write that number down
Go into OPNsense
Create static IP address for Xbox
- Services / DHCP
- Create a new static IP address
The only relevant thing you need to make sure of is that you use the MAC address that you wrote down earlier and that you type in an IP address that works on that subnet that is not part of your DHCP pool.
Create Aliases - This is optional but it does make things a bit easier
- Firewall / Aliases
- Hit the plus to add an Alias
- Give the alias a name like Xbox_One
- Type: host(s)
- Content: The IP address you just created for the Xbox
- Save
- Hit the plus to create a new alias
- Name: Xbox_Live_Port
- Type: Port(s)
- Content: Alternate port you selected in step 3 at the top
- Save
Create Inbound NAT Mapping
- Firewall / NAT / Port forward
- Hit the Plus to create a new port map
- Interface: WAN
- Protocol: TCP / UDP
- Destination: WAN Address
- Destination Port Range: from Xbox_Live_Port(number) to Xbox_Live_Port(number)
- Redirected Target: Xbox_One
- Redirected Target Port: Xbox_Live_Port(number)
- Save
The reason why the port range is labeled as a "Destination" - is because you have to think about the packet entering in from the Internet and arriving at the WAN port on the firewall... so its destination is the WAN interface where from that point, it will end up being Redirected to the redirected Target.
Reboot your xbox (A warm reboot will be fine) so that it picks up the static IP address.
When you go back into Networking, it should show your NAT status as OPEN. If not, give it some time like 5 minutes and check it again.
You don't have to set an alternate port unless you have multiple Xboxes.
I also had to add an outbound NAT rule:
Under Firewall / NAT / Outbound, select Hybrid outbound NAT rule generation, then click Save.
In the Manual rules section, click the plus to add a new rule.
- Interface: WAN
- Protocol: TCP/UDP
- Source address: Xbox
- Source port: Xbox_Live_Port
- Static-port: ENABLE
- Save
- Apply
Here's an important tip: in between changing these settings and retesting open NAT status on the Xbox, you have to clear firewall states for the Xbox or it will continue to report strict NAT. Under Firewall / Diagnostics / States search for the static IP of the Xbox. A red X button will pop up to clear all states for the matched IP address, click it, then retest NAT status on the Xbox. This tripped me up big time.