OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: comet on October 30, 2017, 06:35:17 am

Title: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on October 30, 2017, 06:35:17 am
Hi. I recently tried that other firewall software (the non-open source one) and found out that port forwarding doesn't work like it does on a normal router, and that my XBOX reported a strict NAT type even though I opened the same ports that I have previously opened on the port forwarding page in an inexpensive store-bought router to make it work.  It mystifies me why simply forwarding those ports to the XBOX creates an open NAT type for the XBOX on the router, even without enabling upnp, but opening the exact same ports in that other software seemingly has no effect.

So in my search for software that might actually work the way it's supposed to, I came across OPNsense, and I would like to know if it would work any better.  So if you have an XBOX and you do not enable upnp, are you able to get your XBOX to report the NAT type as open rather than strict, just by port forwarding the specific ports that the XBOX uses?  If not, were you able to do something else that made it work, without enabling upnp?
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: weust on October 30, 2017, 07:57:50 am
I recently sold my Xbox One, but I had Open NAT working just fine.
Same for my PlayStation 3 and 4, and certain PC games.
I never use PnP.

This tutorial might help: https://forum.opnsense.org/index.php?topic=3521.0

Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 01, 2017, 03:55:40 pm
Thanks for the response.  I may give OPNsense a try this weekend then, if time allows.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: weust on November 01, 2017, 04:39:23 pm
Forgot if it's in the tutorial or not, but I can advise to make use of aliases.
I like to combine TCP and UDP ports per service.
Keeps it a bit more clean in the overview.

Also keep in mind that a developer might mention the use of certain ports for their game that are also used for Xbox Live.
I know Bungie does it for PSN. So I separated those.

If you like, I can post a screenshot or two of how I did it.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 01, 2017, 11:30:21 pm
Forgot if it's in the tutorial or not, but I can advise to make use of aliases.
I like to combine TCP and UDP ports per service.
Keeps it a bit more clean in the overview.

Also keep in mind that a developer might mention the use of certain ports for their game that are also used for Xbox Live.
I know Bungie does it for PSN. So I separated those.

If you like, I can post a screenshot or two of how I did it.

Thanks very much for the additional information.  Yes, please on the screenshots, they would be a huge help!
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 01, 2017, 11:41:21 pm
upnp works.
DMZ the xbox works.
Port forward every port for every game you may eve desire to play...   Works...
I don't think upnp is evil.  Put the xbox on an isolated subnet and run it with upnp. 
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 02, 2017, 07:20:38 am
upnp works.
Did you even read my original post in this thread?

DMZ the xbox works.
Sure, because I want to let every hacker in the world have open access to the XBOX.  Oh wait, no I don't.

Port forward every port for every game you may eve desire to play...   Works...
That doesn't seem to work in that other firewall software, which is why I asked about it here.  I wanted to find out if it works in OPNsense.

I don't think upnp is evil.  Put the xbox on an isolated subnet and run it with upnp.
You quite obviously don't care much about security.  I do.  upnp may not be "evil" but it is a security risk because it basically allows any software running on any computer on your network to open incoming ports.  I'm guessing you don't see why that could be a problem.

If there were a way to restrict the use of upnp to a specific device on the network (so, for example, only the XBOX could use it but no other computer or device could) then it might not be quite so objectionable, but as far as I know, if you enable upnp you enable it for the entire LAN, and that's not something I'm willing to risk.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: weust on November 02, 2017, 08:05:39 am
Exactly the reasons why I don't like UPnP.
I can't take someone serious when they consciously use a firewall/router, and then let it allow to have a device open it up anyway they like.

Sony, in the past, even wanted ports 80, 443 and 53 open. No way any of my consoles will ever be either a webserver or DNS server for the internet.
They probably meant just outbound, but they didn't specify anything. Just port numbers.

Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: weust on November 02, 2017, 08:19:25 am
Below are some screenshots of my setup, regarding PlayStation 4 and Destiny 2 for PS4 and PC.
The alias for the desktop is missing, but it's Qube. (it's early here, and my Paint skills have a limit so early in the morning).

I'm re-doing things here, so the Destiny 2 PS4 portforwarding isn't in place yet.
Nasty thing is I have to disable/enable either PC or PS4 when I want to play the other, since they use overlapping ports, and I only have one public IP address.
Hope that makes sense.

Anyway, it-works-for-me(tm).

PS: you might have to open/download the pictures first to see them fully.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 02, 2017, 10:47:20 am
Thanks very much, the images help a lot.  I just hope it will work as well for the XBOX.  I probably won't have time to try it until the weekend.

Microsoft is another one that wants you to have ports 53 and 80 open: https://support.xbox.com/en-US/xbox-360/networking/network-ports-used-xbox-live

They also don't say for sure which ports need to be open for inbound and which only need outbound connectivity.  I had read somewhere in the last day or two that 3074 and maybe 1863 are the only ones that really need to be open for inbound traffic.  The real problem is when the XBOX reports the dreaded NAT type "strict", which means that multiplayer gaming won't work correctly, then people just try whatever Microsoft says to do in order to try to get the NAT type to change to "open".

Thank you again, this really helps!
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 02, 2017, 11:16:26 am
An open port is an open port.  Doesn't matter how it gets to be open.

Now, if you have your entire network on 192.168.20.0/24 with upnp not active for that subnet

and then you have your xbox on 192.168.21.0/24 and you have upnp active for that, or you have some ports opened manually or its dmzed (its all just opened ports if you ask me)

and then your firewall rules are set to prevent xbox subnet from talking to other subnets you will be fine.

This assumes you don't have your xbox and everything else using the same dumb switch.

This is the way I do it.  I use upnp for the xbox myself. 

In my case the cat6 that goes to the switch that connects to the loft where all the gaming happens gets 1 interface on the back of the firewall/router.

The cat6 that goes to the rest of the computers in the house gets another interface on the back of the firewall/router.

The wireless gets its own interface on the back of the firewall/router.

And finally, my computer-illiterate tenant and her daughter gets her own interface...

If you don't have a bunch of ports on the back of your opnsense, you can use a managed switch with vlans to do the same thing. 

All these are segregated by firewall rules.  I like xbox to have upnp so that it works the way it should.  Not sure what a hacker could do with it isolated the way it is. 

There is a difference between imagined security and actual security.  You want security, isolate your xbox, any computer kids, wives, visitors, friends etc etc touch (because they will bring in malware) from your important computers and devices.  Don't hamstring your poor xbox's ability to forward ports it needs.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: weust on November 02, 2017, 11:46:33 am
I didn't forward, or open, ports 80, 443 and 53 inside.
Xbox Live worked fine. Played some Destiny with it.

I may have an old configuration I could check.
Should have everything you need.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 02, 2017, 10:28:29 pm
One reason I am sometimes reluctant to use open forums to get help is because it seems like there is one guy in every forum that likes to give bad or incomprehensible advice, and to just muddy up ongoing discussions.

An open port is an open port.  Doesn't matter how it gets to be open.

Now, if you have your entire network on 192.168.20.0/24 with upnp not active for that subnet

and then you have your xbox on 192.168.21.0/24 and you have upnp active for that, or you have some ports opened manually or its dmzed (its all just opened ports if you ask me)

Nobody asked you and if you are trying to explain how to do something, you are failing miserably. And your assertion that "An open port is an open port.  Doesn't matter how it gets to be open" is the dumbest statement I have read in a long time.  Of course it matters.  It matters whether your XBOX opened the valid ports it needs to allow you to play a game, or some piece of malware on another computer on your network used upnp to conveniently open a port to send all your personal data back to whatever hackers created it.

and then your firewall rules are set to prevent xbox subnet from talking to other subnets you will be fine.

So your solution is to make everything much more complicated than it needs to be.  Yeah, brilliant (that's sarcasm if you can't tell).

This assumes you don't have your xbox and everything else using the same dumb switch.

This is the way I do it.  I use upnp for the xbox myself. 

In my case the cat6 that goes to the switch that connects to the loft where all the gaming happens gets 1 interface on the back of the firewall/router.

The cat6 that goes to the rest of the computers in the house gets another interface on the back of the firewall/router.

The wireless gets its own interface on the back of the firewall/router.

And finally, my computer-illiterate tenant and her daughter gets her own interface...

If you don't have a bunch of ports on the back of your opnsense, you can use a managed switch with vlans to do the same thing.

And where are the clear and simple instructions for doing all this in OPNsense?  Not that I would want to do it this way anyway; it should be entirely possible to open ports to the XBOX only without having to go through some convoluted process such as you have described above.  A standard off-the-shelf router that you buy at a big box store can handle this easily (WITHOUT using upnp), and that's why I was so shocked when that other firewall software couldn't.  Now you come along and tell about this overly complicated setup that you have, and that is fine if you know how to do it, but the problem is that if you are coming from the world of off-the-shelf routers like I am, and you have not had a college-level course in networking, you're doing good to make your WAN and LAN work like they are supposed to.  I'm not saying that the way you are doing it might not be arguably better (except that you are using upnp), but it sure sounds complicated to set up and I'm not at that level yet.

All these are segregated by firewall rules.  I like xbox to have upnp so that it works the way it should.  Not sure what a hacker could do with it isolated the way it is.

Keep using upnp and you just might find out.  And an XBOX will work the way it should without using upnp, provided the router software handles port forwarding correctly.  You seem to have convinced yourself that using upnp is the right way to do it, well it is your system and it is your choice to make, but you are compromising the security of your system by using upnp.  And you don't need a college degree in networking to know that, all you have to have done is read any of the several articles about the dangers of using upnp that have been published over the past few years, such as https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/

Again, my #1 objection to upnp is that once you configure it, any piece of software on any computer on your local network can use it (unless you set up some overly complicated setup that the average user would never be able to understand).  My wish would be that you could create a list of specific machines (by IP address or MAC address) that are allowed to use upnp.  ONLY those machines could use it, anything else on your network would be blocked from using upnp.  That way, if some piece of malware on your desktop computer or your Android device tries to open ports using upnp it would get nowhere.  This won't stop all kinds of attacks, but at least it closes off that one avenue that can effectively circumvent your firewall.

There is a difference between imagined security and actual security.  You want security, isolate your xbox, any computer kids, wives, visitors, friends etc etc touch (because they will bring in malware) from your important computers and devices.  Don't hamstring your poor xbox's ability to forward ports it needs.

So to get back to my opening paragraph, I have you pegged as the bad advice guy in this forum, or what I sometimes call the forum "know-it-all".  The typical forum know-it-all is very opinionated and sometimes very wrong, and offers their bad advice whether anyone wants it or not.  You think your security is fine, but I cannot take anyone seriously who believes that using upnp isn't a security risk, or that believes that making some convoluted network is the right way to get around the security issues associated with upnp.

I'm not the moderator so I can't ask you to stop pushing upnp in this thread, but just to make it clear, I have no intention of doing what you're doing (specifically I am NOT going to use upnp) so you might as well give it up.  And you should have known that from the thread title: "How well does OPNsense work with an XBOX if you don't enable upnp?"  So are you just trolling?

Now having said all that, I realize there are situations where users may be forced to use upnp, such as if you have multiple XBOX users on the same network that want to use their XBOXes at the same time.  But it's still a security risk, and I'm not in that situation because I only have one XBOX.  And that is a situation that would not be as big of a problem if you could limit the use of upnp to the XBOXes only, and deny it to everything else on the network.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 02, 2017, 10:30:55 pm
I didn't forward, or open, ports 80, 443 and 53 inside.
Xbox Live worked fine. Played some Destiny with it.

I may have an old configuration I could check.
Should have everything you need.
Thanks again for all your help.  If you can find it I would really like to see it; anything that you think might be helpful in making this work would be greatly appreciated!
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: weust on November 02, 2017, 10:53:49 pm
You're in luck. Happen to have one config backup left from before I started messing around.
So behold my, again, l33t Paint skills.

Good luck.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 02, 2017, 11:57:27 pm
Thank you again.  Unless something unexpected comes up, I'll likely give this a try this weekend.

I do wonder about port 3544, though.  That's not a port I've had to open in the past, and when I looked it up on Wikipedia it referred me to this page:

https://en.wikipedia.org/wiki/Teredo_tunneling

After reading that I sure hope that I can get this working without having to open port 3544, because that page contains a rather ominous section on Security Considerations:

https://en.wikipedia.org/wiki/Teredo_tunneling#Security_considerations

Nothing in my local network currently supports ipv6 because of the difficulties in enforcing security (plus it's a bit of inertia; everything has always worked without enabling ipv6 so why change?) but it seems like this Teredo Tunneling tries to circumvent that.  The XBOX I have has never required port 3544 to be open, so I hope that's still the case under OPNsense.

Your screenshots are a big help and I really do appreciate the effort.  Many thanks!
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: weust on November 03, 2017, 12:05:05 am
No problem. The Toredo port I got from the link in my first post.
You can see a post by me mentioning to check it out.

Also, there is a doc download link with info.

I will have a look at me into tomorrow, if I have the time.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 03, 2017, 12:43:22 am
Toredo is often something that is resorted to when ports are closed and upnp is shut off or broken...

If upnp is a mild cold then toredo is the spanish flu. 

Teredo increases the attack surface by assigning globally routable IPv6 addresses to network hosts behind NAT devices, which could otherwise be unreachable from the Internet. By doing so, Teredo potentially exposes any IPv6-enabled application with an open port to the outside. Teredo tunnel encapsulation can mask the contents of the IPv6 data traffic from packet inspection, enabling the spread of both IPv6 and even some IPv4 malware.[3] US CERT has published a paper, on the risks of malware using IPv6 tunneling.[3] Teredo also exposes the IPv6 stack and the tunneling software to attacks should they have any remotely exploitable vulnerability.

The cure is worse than the sickness in this case.  Better to not break NAT and upnp.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: MasterXBKC on November 03, 2017, 07:09:08 am
So much infosec fail in this thread, i actually had to drop a comment.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: weust on November 03, 2017, 07:21:01 am
Typical. Say it's a fail, but leave us n00bs still clueless...
That's a fail on its own.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 03, 2017, 08:23:03 am
Typical. Say it's a fail, but leave us n00bs still clueless...
That's a fail on its own.
Exactly.  You said this better (and a lot more concisely) than I could have.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 03, 2017, 09:41:37 am
As far as the fail, he could have been talking about me also...   Never can tell.  It wasn't directed. 
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: weust on November 03, 2017, 10:05:31 am
He/she mentioned "thread", meaning in general in this case.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 03, 2017, 10:27:02 am
Well, he is a Member of FBIs Infragard Program.  Maybe he knows something we don't.

I'd ask him what he thinks.  I like criticism.  Its how I learn.
I've noticed that since I enabled hurricane electric IPV6 on that interface used by X-Box nothing from X-Box ever requests anything from upnp.  Everything seems to prefer IPV6 and there is no NAT involved.  Still waiting for skype to get a clue. 
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: weust on November 03, 2017, 10:33:00 am
I never dived in very deep to figure out which exact ports are used.
Just looked up some info from Sony and Bungie for firewall settings.
Bungie actually has a nice page displaying which ports are needed open, and forwarded per platform.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 03, 2017, 10:45:45 am
IPV6, if fully enabled and implemented well, should allow it to not need upnp.  Actually, same is true for all sites and applications that fully support IPV6.

I could have my son check the NAT Status to see if X-Box is happy or sad without upnp on IPV4/IPV6 dual stack.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: weust on November 03, 2017, 10:47:44 am
I'm still waiting for my ISP to finally roll out IPv6.
And my PS4 Pro doesn't support that AFAIK.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 03, 2017, 10:54:47 am
Go figure. 

I've got IPV6 from Hurricane Electric and assigned a /64 to interfaces that I want to have it, precisely because of NAT.  I'm pretty sure X-Box loves it or my kid would be screaming.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: MasterXBKC on November 05, 2017, 03:51:25 am
Typical. Say it's a fail, but leave us n00bs still clueless...
That's a fail on its own.

As "weust" suspected, i was not singling out a specific statement or user, it was a statement based cumulatively on this thread, and the woeful security lapses several of the recommendations in here would create.

Do not enable UPNP unless you would like your network readily accessible as soon as your programs start to open a growing number of holes in your firewalls.

Do not DMZ any device on your network unless it is actually in a separate subnet/vlan/etc that is completely segregated from the rest of your network, and EVEN THEN, do it only as a last resort, and dont leave it that way, disable it as soon as its no longer needed.  With a device set to the DMZ on a home/smb router, you have essentially put it wide open on the internet with zero security precautions, if someone pops it using a zero day or gets lucky with a password guess they now have a foothold inside your network, from there they can attempt to break into the rest of it, or if they dont care about your network, they will just use the device they poped to send spam, or to breach others, or even as a zombie in a ddos for hire botnet, etc, making the ISP think you are the one doing it.

Take heed of my advise.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: MasterXBKC on November 05, 2017, 04:05:25 am
Everything seems to prefer IPV6 and there is no NAT involved.  Still waiting for skype to get a clue.

This is actually a bad thing, as unless you have defined security policies on the IPv6 traffic at the router/firewall, your devices are working without nat, and are directly internet addressable, this makes them work better as they dont have a firewall to punch through, but this leaves them horribly insecure.

Also, anything made by Microsoft does default to using IPv6 if it is available because this was their policy decision which in some cases is actually ill-advised since IPv6 support is spotty at best in most cases.   Defaulting to IPv6 is not happenning because it is better, but rather because Microsoft has programmed it to do this due to their own policies.

A good portion of IPv6 traffic coming from ISPs is still forced to go through IPv6-to-IPv4 conversion at least once to get to the proper destination and back again, sometimes several times depending on how properly, improperly, or partial their IPv6 deployment is.

Do not presume that IPv6 is more secure based on design or function as i assure you it is not.  You must still be very carefull and put into place proper security policies, rules, etc to prevent potential breaches.

I personally will continue to operate IPv4 on my internal networks, using NAT as this also inhibits any outside systems or people monitoring the traffic from easily determining how many or what type of devices you have behind your NAT.    I will never have devices inside my LANs internet addressable using public ips, for any reason, because if you do, a 30 second wireshark will reveal every device on the LANs existence just by catching the list of IPv6 addresses flowing from your network.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 05, 2017, 07:20:52 pm
MasterXBKC, thank you for the clarification and for explaining the issues with upnp, the DMZ, and IPv6.  At present I don't use any of those, and never intend to if I can possibly help it.  It's really easy for people who aren't security conscious to recommend "quick fixes" that can turn around and bite you down the road.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: packet loss on November 06, 2017, 07:53:49 am
I had no issue with obtaining an open NAT without having to use UPNP or DMZ with an IPv4 IP address. This applies to XBOX Live since each game has one or more ports that may need to be forwarded unforuntely. My tutorial (https://forum.opnsense.org/index.php?topic=3521.0) should work fine. I'm currently using OpenBSD now though as my main firewall with pf handling the 2 below necessities. I'm obtaining an open NAT without any issues.


Here's some good info reference XBOX NAT posted on reddit by an XBOX engineer:

https://www.reddit.com/r/xboxone/comments/5og87g/psa_networking_info_part_2_nat_dns_upnp_wtf/

View some of his other posts as well. Valuable info.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 06, 2017, 11:46:56 am
azdps

Forwarded ports plus static outbound NAT is good.  Doesn't address security, but it works.

This topic is really very old.  The first time I ran into this was about 2010?

https://www.youtube.com/watch?v=Q5U0nj9oaZY  (This fix applies very well to opnsense, although the menus are different, assuming you forward all needed ports)

However, no suggested fix will work with opnsense in this configuration:

https://forum.opnsense.org/index.php?topic=6320.msg26798#msg26798    (in case its still that way)
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: packet loss on November 06, 2017, 02:44:17 pm
Forwarded ports plus static outbound NAT is good.  Doesn't address security, but it works.

This will get you an address restricted open NAT. Subnet isolation can help but yes opening port(s) is necessary to obtain an open NAT. And yes, you would need to sacrifice security to achieve this.

Quote
This topic is really very old.  The first time I ran into this was about 2010?

https://www.youtube.com/watch?v=Q5U0nj9oaZY  (This fix applies very well to opnsense, although the menus are different, assuming you forward all needed ports)

He just set all outbound ports to static for his console. There's no inbound port forwarding. This will get you a port restricted moderate NAT. This is probably the most secure method but will lead to random connection failures.

Quote
However, no suggested fix will work with opnsense in this configuration:

https://forum.opnsense.org/index.php?topic=6320.msg26798#msg26798    (in case its still that way)

My old setup was: cable modem --> OPNsense --> ASUS router (access point). Don't want to double NAT with the router so having it as an access point only will do. comet's setup with having the ASUS router before OPNsense is quite interesting though.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 06, 2017, 02:54:12 pm
Yeah - Most people don't have too many problems forwarding ports but the static nat configs seem to trip people up the 1st time, so I sent the video addressing only that.  I'm pretty sure he worked out port forwarding already.  I suspect the guy in the video didn't bother with forwarding ports because he was running upnp. 
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: packet loss on November 06, 2017, 04:13:59 pm
So much infosec fail in this thread, i actually had to drop a comment.

You've pointed out some security implications. So we know using UPNP, DMZ is bad but can you please address how one can solve console NAT issues? This is essentially what comet wanted to know how OPNsense works with an XBOX (open, moderate or strict NAT). Can one obtain an open NAT without compromising security. I would say no. Please explain. Chiming in and just saying don't do this and that without providing a possible solution isn't very helpful.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 06, 2017, 08:41:51 pm
  • port 3544 forwarded in to destination port 3074
Oh HELL no to port 3544!!!

https://en.wikipedia.org/wiki/Teredo_tunneling#Security_considerations

I do not need to enable port 3544 to make my XBOX work when using my Asus router and there is no way in hell I will open it under OPNsense or any other router software.  If you have taken pains to disable IPv6 on your local network, this is Microsoft's way to defeat that.  Opening that port is playing with fire!

People really should read what ports are used for before blindly forwarding them, even if it's someone from Microsoft telling you to do it.  Do you really think Microsoft cares that much about the security of your home network?  They were late to the game in taking the security of Windows seriously!
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 06, 2017, 08:50:01 pm
Forward the ports you need and enable static outbound NAT.  It will work if you do it right.
You shouldn't need to open a Teredo port if you do it right.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 06, 2017, 09:06:59 pm
comet's setup with having the ASUS router before OPNsense is quite interesting though.
Just to be clear, that's only to facilitate initial configuration.  Right now there is absolutely nothing connected to the LAN side.  Once I get it fully configured, it will replace the Asus router (so the Asus won't be in the picture at all) and the rule that allows access to the GUI from the WAN side will be removed.  This assumes that port forwarding to the XBOX will work, in the same way it did in the Asus. If I can't get the XBOX to work without using upnp or forwarding port 3544 then using OPNsense will be a failed experiment.

P.S. I really only have the weekends to work on this stuff; this past weekend I started configuration and probably could have got further if I hadn't wasted three or four hours trying to figure out how to get access to the GUI from the WAN side temporarily.  So now the earliest I will be able to try this with the XBOX will be next weekend.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 06, 2017, 09:29:38 pm
The assus has a less secure type of NAT, so that definitely will work easier.  But Opnsense will work. 
The beauty is that once you get it working it will get regular updates and patches and stay secure without much work at all, whereas the assus would be a lot of trouble to keep current.  Initial setup is more difficult though. 
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: packet loss on November 06, 2017, 09:45:20 pm
comet your XBOX will connect fine but you will end up with a moderate NAT at best unless you use port forwarding. I have an IPv4 network not an IPv6 network so the only means I've found what to port forward 3544 to 3074 to obtain an OPEN NAT. It's easy to obtain a moderate NAT open on the other hand isn't. IPv6 network should not need the port forwarded.

Moderate NAT:
Open NAT:

If you figure out something valuable please share your finding. I'm looking forward to your testing results.


xinnan do you have an XBOX? If so what are your settings and what type of NAT does the XBOX show you have?

weust why did you sell your XBOX one? Looks like you use a PS4 pro.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: weust on November 06, 2017, 10:33:25 pm
I am using a PS4 Pro, and a PC. So for Destiny 2 I need to switch forwarding using enable/disable. Pretty annoying.

Only bought the Xbox One for two games.
Quantum Break did so poorly in reviews I never bought it, and the other was Recon.
The latter was so f*cking annoying at a boss fight I quit there.

Sold it last week, or week before.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 06, 2017, 11:24:59 pm
comet your XBOX will connect fine but you will end up with a moderate NAT at best unless you use port forwarding.

That's what I do now on the Asus, but...

I have an IPv4 network not an IPv6 network so the only means I've found what to port forward 3544 to 3074 to obtain an OPEN NAT.

... what I do (on the Asus) is forward port 3074 and some other ports directly through to the XBOX, with no remapping of port numbers.  Basically I am following the instructions on this page:

https://support.xbox.com/en-US/xbox-360/networking/network-ports-used-xbox-live

The five ports shown there (the four in the list plus 1863 as mentioned in the paragraph after the list) are what I have been forwarding to the XBOX.   I have not and will not forward port 3544; that is such a huge security risk that I don't know why anyone would do that.

Simply forwarding the ports shown on that page is all I've ever had to do under the Asus to get the XBOX to work.  If you guys are having to use port 3544, it may work, but it's a huge fail from a security standpoint.  It particularly makes no sense for those who disable IPv6 on their LAN's to avoid the security headaches of dealing with IPv6, because as I understand it port 3544 creates an IPv6 tunnel into your system that may not have any line of defense at all against the bad guys.  And my point all along has been that if just forwarding those ports mentioned in the Microsoft document works with nearly every home router you might buy, and also when using router firmware like DD-WRT (which it does), then forwarding those same ports is all that ought to be necessary when using a software package such as OPNsense.  And unless something comes up, I should know after this coming weekend whether it does.

I don't understand why remapping port 3544 to port 3074 works for anyone; if all the documentation is to be believed those ports have two entirely different purposes, and that's not what Microsoft is telling people to do (at least not on the above-mentioned page).  I won't argue about it's effectiveness because if someone says it works for them, and they don't care about the security risk, all I can do is just shrug my shoulders and go "huh?".  But to me it doesn't make any sense.

Anyway, I really hope that simple port forwarding does work under OPNsense.  Guess I'll know next weekend.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 06, 2017, 11:50:53 pm
The assus has a less secure type of NAT, so that definitely will work easier.

Less secure in what way?  Just that it doesn't get updated as often?

But Opnsense will work. 
The beauty is that once you get it working it will get regular updates and patches and stay secure without much work at all, whereas the assus would be a lot of trouble to keep current.  Initial setup is more difficult though.

Yes, that's what I'm discovering.  I'm actually running the Merlin build of Asuswrt on the Asus, so it does get updated a bit more often than the stock Asus firmware.  Used to run DD-WRT until they screwed something up so that after upgrading the firmware it went into an endless reboot loop.  By the way, either of those firmwares allow the XBOX to work great with just the port forwarding.

The regular updates and patches are part of the appeal of OPNsense, and also that you can use much better hardware than what you get in an off-the-shelf router.  Also, if I can get past the initial hurdles and get it to work without causing problems for connected equipment, then I would like to try enabling the intrusion detection, assuming I can figure out how that works (and at the moment I don't understand that feature much at all, but no point asking about it until I see if I can get the basics working).

The biggest problem I've been having is finding documentation that I can understand.  I get that coders would much rather write software than documentation, but for certain features just a bit better documentation (written in such a way that new users can understand it) would go a long way in helping avoid posts in this forum from people just trying to make it all work (I know some wise guy will probably suggest that maybe I should contribute documentation, but unless I understand what I am doing, that would just be the blind leading the blind.  And right now the parts I'm having the most trouble understanding are the parts that aren't documented all that that well, and by not that well I mean it's either non-existent or too sparse, or it assumes knowledge on the part of the reader that I don't have, so it's way over my head).
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 07, 2017, 01:26:55 am
Well, the Opnsense NAT is symmetric NAT, like your friend was saying earlier.  It's Strict NAT.  So, in the cases of gaming and VOIP, it's easier to get something like your assus working. 

DD-WRT (I use it for some things even today), is less strict but also its less secure and less full-featured.  For instance, it can turn IPV6 on but then its not so easy to secure it.  Opnsense allows very safe use of IPV6.

However, if you:

1st Forward the ports you need to X-Box.
2nd Sort of follow along with that video to get your static outbound NAT configured.
3rd Save it to use hybrid outbound NAT (Not automatic or Manual)

Remember to save and apply.

It should work.  If it's not working like you want after that, I'd be surprised. 

As far as the lack of documentation, Opnsense is a work in progress and I'm sure the devs would be the first people to agree the documentation needs further developing.  Takes time.  People just like you do contribute to the documentation though.  Not being sarcastic at all.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 08, 2017, 12:26:28 am
Well, the Opnsense NAT is symmetric NAT, like your friend was saying earlier.  It's Strict NAT.  So, in the cases of gaming and VOIP, it's easier to get something like your assus working.

DD-WRT (I use it for some things even today), is less strict but also its less secure and less full-featured.  For instance, it can turn IPV6 on but then its not so easy to secure it.

I guess this is one of those areas where I don't really understand the difference.  As far as I've known, NAT is NAT, and I've never really understood normal NAT very well, because I've never had to in order to make a router work.  Like I've said, this is the really the first time I'm trying to use anything other than an off-the-shelf router with either its stock firmware or a modified version thereof, or DD-WRT (oh, and a long time ago I tried installing Tomato on a router but the less said about that, the better!).

I suppose that part of the reason that I am having so much trouble understanding this is because I had thought that installing OPNsense really didn't require much knowledge above and beyond what you'd need when setting up an off-the-shelf router, at least to get it to function in a similar manner to one of those routers.  I thought that it would only get tricky when trying to use some of the addons.  I did not for a moment imagine before I started that if I ran into trouble and asked a question in the forum, more than half the time at least a portion of the answer would be nearly incomprehensible to me.  I had no idea that OPNsense might use a different type of NAT from an off-the-shelf router; now you are saying it does but I still have no real understanding of what the difference is or why it would affect something as seemingly simple as port forwarding.


Opnsense allows very safe use of IPV6.

I would suppose that's true if (and only if) you actually know anything about IPv6, which I don't.  I mean, I obviously know it exists and I know that it has a much larger address space than IPv4, but I would have no idea how to construct effective firewall rules for IPv6.  Because it's something I don't understand, and because I don't need it for any of the devices on my local network, I always disable it.

Don't mean to wander off topic too much but I will just say that the proponents of IPv6 have done a very poor job in educating the general public about how it works.  For example, many people now know that their local network is 192.168.1.0 - 192.168.1.255, but I'll bet not 1 in 100 people who know that have any idea what their local network would be in IPv6.  I sure don't. And yes, I suppose the answer is "whatever you set it to" but I would not even have any idea what are the allowable ranges for a local IPv6 network (what is the IPv6 equivalent of 192.168.x.x, for example?).

However, if you:

1st Forward the ports you need to X-Box.
2nd Sort of follow along with that video to get your static outbound NAT configured.
3rd Save it to use hybrid outbound NAT (Not automatic or Manual)

Remember to save and apply.

It should work.  If it's not working like you want after that, I'd be surprised.

I hope it is that simple, but I'm still not sure why you'd need to set the static outbound NAT, since you don't need to do anything like that in an off-the-shelf router.  But I'm not sure I would understand if you tried to explain it to me.  I'll give it a try, though.

As far as the lack of documentation, Opnsense is a work in progress and I'm sure the devs would be the first people to agree the documentation needs further developing.  Takes time.  People just like you do contribute to the documentation though.  Not being sarcastic at all.

I realize that, I'm just saying you can't document something if you don't first understand it yourself.  And there's a whole lot about this that I just don't understand.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: hutiucip on November 08, 2017, 02:10:57 pm
Quote
(what is the IPv6 equivalent of 192.168.x.x, for example?)

There isn't! (!)

Because IPv6 is a very, very (very) much larger IP addresses space, you don't need "private - aka non-routable - IP Address range(s)".
Neither NAT.

In IPv6 ALL and EVERY IP address is (or at list, is intended to be) public/ routable. No portion of IPv6 address space is reserved as "private range", so there isn't an equivalent of 10.0.0.0/8 & 172.16.0.0/12 & 192.168.0.0/16!

And here comes many people lack of understanding: there is the possibility to implement IPv4 things (like NAT, port fwd etc) to IPv6 standard, mainly but not only for security or/ and IP range isolation/ filtration purposes, but IPv6 is made to be used, preferably, only with route, without NAT etc.

Hope this helps.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 08, 2017, 04:41:57 pm
Quote
(what is the IPv6 equivalent of 192.168.x.x, for example?)

There isn't! (!)

Because IPv6 is a very, very (very) much larger IP addresses space, you don't need "private - aka non-routable - IP Address range(s)".
Neither NAT.

In IPv6 ALL and EVERY IP address is (or at list, is intended to be) public/ routable. No portion of IPv6 address space is reserved as "private range", so there isn't an equivalent of 10.0.0.0/8 & 172.16.0.0/12 & 192.168.0.0/16!

And here comes many people lack of understanding: there is the possibility to implement IPv4 things (like NAT, port fwd etc) to IPv6 standard, mainly but not only for security or/ and IP range isolation/ filtration purposes, but IPv6 is made to be used, preferably, only with route, without NAT etc.

Hope this helps.

This begs so many questions, but I guess my first would be, let's say that sometime in the future you have a pure IPv6 network - how do you keep all your local network devices together?  Who assigns the IPv6 addresses?

Put it this way - if my local network is in the 192.168.1.x range and my ISP changes my WAN IP address, or I get a new ISP that assigns me a different IP, my local network for the most part doesn't care - it still keeps using the same local IP addresses.  Let's say I had to go without any Internet access at all for a few days; the devices on my local network will still happily communicate.  But if there is no such thing as a local IP address in IPv6, then who assigns the IP addresses so that there are no conflicts, and how do the ISP's know how to route traffic to any given IPv6 address?  If it is the responsibility of the ISP's to assign addresses then if you get a different ISP or move, everything would change.  If each networked device has an IPv6 address assigned at time of creation, then how would an ISP know how to route traffic there, given that the device might move around between networks or even be part of an isolated network?  Or, if you just get to arbitrarily assign an IPv6 address, then what's to keep you from stepping on someone else's IPv6 address?

I just can't conceive of not having a local network where you can keep all of your devices grouped together.  I can see why IPv6 hasn't been catching on!
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: ChrisH on November 08, 2017, 05:12:59 pm
Okay, very simply explained: (see e.g. Wikipedia for more details):

The first half (usually) of an IPv6 address specifies the network and gets assigned by your ISP. That can change and your devices don't care. Think of this as your IPv4 WAN address.

The second half of an IPv6 address specifies the device in the network and gets assigned by a router in your network (DHCPv6), or manually by the admin, or automatically by the device itself (because there are so many addresses in every single network to choose from, this is the default and you don't need a DHCP server). That part is fairly static. Think of it as your LAN address.

The nice thing about IPv6 is that it combines both things: You know how to get to the network (first part) and then to the specific device (second part).

In addition to that there are local IPv6 addresses, so devices on a network will be able to communicate even without an internet connection. Every IPv6 interface automatically has one of those (called link-local) and this is also how they find there local router automatically without DHCP.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 08, 2017, 05:19:25 pm
Comet: What you just asked about is very insightful for someone who claims to know nothing about IPV6.

The way ISPs do it now is they will give you a bunch of dynamically changing and somewhat random looking /64s for the LAN(s).  Pretty useless if you decide to run a server there, which I honestly think is the point.  I think they have gone out of their way to make sure you get usable IPV6 but not something simple to use for a server.  This is why I have static /48s from hurricane electric.  All very nice and neat, and it follows you when you move. And it's free...  Later I suspect for a small fee you will be able to buy a /48 of static IPV6 tunneled on dynamic IPV6.  Now is a good time to learn about this. 

Personally, I see no reason why every man, woman, and child on earth shouldn't have a permanently assigned static /48 for life. 

Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: ChrisH on November 08, 2017, 05:20:51 pm
Personally, I see no reason why every man, woman, and child on earth shouldn't have a permanently assigned static /48 for life.
Have you ever heard the name "Edward Snowden"?
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 08, 2017, 05:22:51 pm
I used to work with him in Hawaii.  Same building anyway.  He was one of many IT guys.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: ChrisH on November 08, 2017, 05:25:01 pm
And you don't see a reason why a personalized static life-long identifier on the internet could be a bad thing?

But we are getting off-topic ;)
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 08, 2017, 05:35:03 pm
Well - You could own it and use it for whatever you want, or not.  You definitely still need access to networks that offer anonymity and privacy.  I effectively do have /48 blocks for life (I hope).  But I still have randomly assigned addresses as well and access to non-personally identifying networks (VPN) if I like. 

Anyway, IPV6 can solve many problems, like Comets NAT problems, and SIP server problems, and "I'd really like to run 10 small low bandwidth servers at my house" problems.  I wouldn't fear it.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 08, 2017, 06:22:43 pm
Comet: What you just asked about is very insightful for someone who claims to know nothing about IPV6.
Even a blind squirrel finds a nut once in a while.

I really don't know anything about IPv6 other than that it exists and that it has a huge number of possible addresses.  The questions I asked were because I have at least a small glimmer into how IPv4 works, but couldn't figure out how what I know about that would work with IPv6 if there are no local networks.  But I couldn't tell you the format of an IPv6 address if my life depended on it, simply because I've never had any need to use them.

My real concern about IPv6 is that I would think setting up proper firewalls would be much more difficult, but maybe that's only because I don't really understand it.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 08, 2017, 06:29:20 pm
Okay, very simply explained: (see e.g. Wikipedia for more details):

The first half (usually) of an IPv6 address specifies the network and gets assigned by your ISP. That can change and your devices don't care. Think of this as your IPv4 WAN address.

The second half of an IPv6 address specifies the device in the network and gets assigned by a router in your network (DHCPv6), or manually by the admin, or automatically by the device itself (because there are so many addresses in every single network to choose from, this is the default and you don't need a DHCP server). That part is fairly static. Think of it as your LAN address.

The nice thing about IPv6 is that it combines both things: You know how to get to the network (first part) and then to the specific device (second part).

In addition to that there are local IPv6 addresses, so devices on a network will be able to communicate even without an internet connection. Every IPv6 interface automatically has one of those (called link-local) and this is also how they find there local router automatically without DHCP.

Thank you for that explanation, it makes more sense when you put it that way.  I will just say that there are a lot of people out there that barely "get" IPv4 and this at first glance seems even more complicated.  Especially when you say "The second half of an IPv6 address specifies the device in the network and gets assigned by a router in your network (DHCPv6), or manually by the admin, or automatically by the device itself (because there are so many addresses in every single network to choose from, this is the default and you don't need a DHCP server)." I don't know but it just seems to me that if devices can assign their own addresses randomly, there is always the possibility of two devices choosing the same address, especially if they are the same make and model device.  Sort of like when you have two TV's of the same brand in adjacent rooms, and find that the remote control for either one triggers both of them.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 08, 2017, 06:30:28 pm
Nope.  It's no more difficult if you ask me.  If you can understand IPV4 you can understand IPV6.  Just a matter of sitting down and giving it a bit of time, exactly the same way you did IPV4.  Your X-Box will thank you.

I'd say its like linux users say windows is hard and windows users say linux is hard. 
Actually, neither is difficult, just need to get familiar. 
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: hutiucip on November 08, 2017, 06:47:03 pm
@comet

Of course there are mechanisms implemented for everything you wonder about, but for the most part IPv6 works on totally different principles and rules than IPv4, and for the least part, there are similarities.

Nobody can teach you IPv6 answering to every question you have, every answer transforming itself  in another 3 questions. Learn IPv6, it's not difficult to understand, especially since you start learning having a clear idea that you should NOT expect IPv6 to be only an increment of IPv4, having (maintaining) most of the principles/ rules/ best practices etc the same.

If it was up to me, I would forbid IPv4 at law level, I would sue anyone (still) using it! (Joking, of course) :)
But I'm very serious when I say it's a dinosaur long due to meet "the asteroid", and the only reason being still used is the inertia and the comfort zone any human being is akin to... ;)

I'm not an expert in every detail regarding IPv6, but as much as I know about it makes me say that, once understood, it simplifies one's life.

Cheers!

Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 09, 2017, 12:16:03 am
Nope.  It's no more difficult if you ask me.  If you can understand IPV4 you can understand IPV6.  Just a matter of sitting down and giving it a bit of time, exactly the same way you did IPV4.  Your X-Box will thank you.
And you were doing SO WELL at not being annoying for a while there.

I've already told you, I'm not using IPv6  or upnp.  I don't even know if my ISP supports IPv6; I rather doubt they do, and even if they do now, I'm pretty certain my cable modem doesn't support it.  Just because I'm maybe trying to grasp some of the concepts doesn't mean I'm in any way ready to use it on my network.  For one thing, I'm still light years from knowing enough about it to properly secure it.  And I'm still hopeful that port forwarding (such as I now use on my Asus router) will be sufficient.  The XBOX can thank me by telling me that the NAT type is open when I am using simple port forwarding!
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 09, 2017, 12:46:11 am
Wasn't trying to not annoy you.  Doesn't even factor into it.  Just rattling off facts as I know them. 

IPV4 wasn't ever meant to be deployed the way it is.  Basically, its a broken protocol really that people sort of force to work.  It was created to work for labs and things like that and not very many of them.  IP exhaustion and reliance on NAT wasn't even a thing.  If you don't like IPV6, I'd say you are screwed long term.  Heck.  If you have a phone the odds are about 100% you are using IPV6 for your most sensitive data already.  Cellular calls, email, SMS, all your personal data that you have stored in the phone and in the clouds.  So its sort of like saying that you trust IPV6 with all your most sensitive and important stuff, but not a game console. 

Anyway, I don't actually need to convince you of this since you are absolutely positively going to get dragged by your heels, perhaps kicking and screaming, into using it, like it or not. 
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 09, 2017, 12:48:25 am
But I'm very serious when I say it's a dinosaur long due to meet "the asteroid", and the only reason being still used is the inertia and the comfort zone any human being is akin to... ;)

That is exactly the problem.  Among typical computer users, networking has always been something of a "black art".  You can be totally comfortable in Windows or MacOS or Linux and still barely know a thing about networking.  I mean, it was probably only two or three years ago that I finally understood that /24 is the same as /255.255.255.0 in a netmask, and I'm still not sure how a netmask works other than that it specifies the range of your network, or how many IP address you can have.  A networking genius, I'm not.  And I'm pretty sure I'm not the only one.  Most computer users know just barely enough to configure their off-the-shelf router, and a lot of times they have to get a techie-type friend to help with that.

So now IPv4 has been around long enough that many users sort of "get it", at a very rudimentary level.  By which I mean, they sort of understand how IPv4 addressing works.  They (and I) could not explain to you what magic a router does to direct an incoming packet to a specific device.  There are reasons that there are college level classes in networking; it's not that easy to understand if you really want to get into it (someone in my family took a college course in networking several years ago and they taught him Novell.  What a waste).

So now enough people "get" IPv4 so that they can set up their home routers, and maybe some of them can even set up a decent firewall using iptables or something similar.  Now you want to throw IPv6 into the mix.  But people's attitude is, "My computers work fine with IPv4, and nobody's forcing me to learn IPv6, and everything I access on the Internet uses IPv4, so why should I even bother with it?  Especially since I have no idea how to secure it properly."

I'm not an expert in every detail regarding IPv6, but as much as I know about it makes me say that, once understood, it simplifies one's life.

But how much effort did it take before you understood it, even at the non-expert level?

What is really needed is a wonderfully clear and simple YouTube video that explains everything a user needs to know to set up and secure an IPv6 network WITHOUT a lot of unnecessary history or abstract theory.  I truly believe that most YouTube video creators are in love with the sound of their own voices because they will drone on and on for 45 minutes when what you really want to know could be said in under 5 minutes.  There are exceptions, of course, but anyway what I'm saying is that if they could cut the fluff and stick to practical information only, maybe more people would be willing to watch and try to grasp IPv6.  If you know of such a video, please feel free to post a link to it.  I have watched so many videos about router configuration in the last couple of weeks (including some really terrible ones) that I've developed a bit of a YouTube aversion. :)
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 09, 2017, 12:58:42 am
Wasn't trying to not annoy you.  Doesn't even factor into it.  Just rattling off facts as I know them.

Now if you'd just stopped there, you would have been fine.  But you just couldn't, could you.

IPV4 wasn't ever meant to be deployed the way it is.  Basically, its a broken protocol really that people sort of force to work.  It was created to work for labs and things like that and not very many of them.  IP exhaustion and reliance on NAT wasn't even a thing.  If you don't like IPV6, I'd say you are screwed long term.  Heck.  If you have a phone the odds are about 100% you are using IPV6 for your most sensitive data already.  Cellular calls, email, SMS, all your personal data that you have stored in the phone and in the clouds.  So its sort of like saying that you trust IPV6 with all your most sensitive and important stuff, but not a game console.

You are assuming an awful lot there.  I don't need to go into my cell phone usage but suffice it to say that I still use a desktop computer for anything where security matters, and I don't trust cell phone security any further than I can spit.  I am not one of those people who trades security for convenience.  Anyway, I don't have to configure any networking stuff on my phone, so that's not an issue.

Anyway, I don't actually need to convince you of this since you are absolutely positively going to get dragged by your heels, perhaps kicking and screaming, into using it, like it or not.

Goodness, I didn't realize I was talking to a psychic!  You must see me getting REALLY old in your crystal ball!  ;D
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: franco on November 09, 2017, 01:17:33 am
Please keep this topic on track. Step out for a day if you can’t. Then come back and let this discussion go. It helps...
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: hutiucip on November 09, 2017, 11:46:59 am
I'm only saying that IPv6 is like IPv4 without the need for NAT: because IPv4 was "segmented" in public/routable &&& private/ non-routable IP addr ranges only because it was depleted, and a workaround in prolonging its life was this segmentation.

Now, IPv6 is IPv4 without the need of private IP addr. ranges, rest is more or less the same: you don't secure IPv4 because of it's addressing scheme, you secure it at different/ superior levels.

Cheers!

PS (My last comment on the off-topic matter of IPv4 <-> IPv6 comparison!)
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: ChrisH on November 10, 2017, 10:10:34 am
Quote
(what is the IPv6 equivalent of 192.168.x.x, for example?)

There isn't! (!)
Sure there is. Link-local and ULA.

Quote
Because IPv6 is a very, very (very) much larger IP addresses space, you don't need "private - aka non-routable - IP Address range(s)".
Yes, you do. And that's why they exist in IPv6.

Quote
In IPv6 ALL and EVERY IP address is (or at list, is intended to be) public/ routable. No portion of IPv6 address space is reserved as "private range", so there isn't an equivalent of 10.0.0.0/8 & 172.16.0.0/12 & 192.168.0.0/16!
Wrong.
fe80::/64 is your internal network (segment) and not routable even across other internal networks.
fc00::/7 is explictly reserved for internal and private networks and is not publicly routable.

I don't know if you don't know better or are just trying not to confuse people, but telling wrong facts does not help.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: ChrisH on November 10, 2017, 10:17:20 am
I don't know but it just seems to me that if devices can assign their own addresses randomly, there is always the possibility of two devices choosing the same address, especially if they are the same make and model device.
There isn't. ESPECIALLY if there are the same make. There are 2^64 possible addresses in a single network. Thats 18,446,744,073,709,551,616. Which makes the chances of two devices choosing the same address astronomical. Plus they check if the address is used first.

Quote
Sort of like when you have two TV's of the same brand in adjacent rooms, and find that the remote control for either one triggers both of them.
That's because there are not 2^64 available TV remote codes and neither the TVs nor the remote controls can talk to each other to see if somebody else is already using that code.

I was going to point you to Wikipedia again but I just noticed the German version explains things much better than the English one. Maybe somebody else can suggest a good English source for IPv6 beginners.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: hutiucip on November 10, 2017, 11:05:07 am
I don't know if you don't know better or are just trying not to confuse people, but telling wrong facts does not help.

@ChrisH, thank you very much for clarifications! :)

Personally, still consider fe80::/64 & fc00::/7 different for IPv6 than 10.../8, 172.16.../12 & 192.168.../16 for IPv4, but I'll revise my knowledge, maybe you're right and I'm misinterpreting a few things. Combined with my main purpose of KISS (Keeping It Short & Simple), sorry if my reply doesn't help at all, and maybe even harms!

Cheers! :)
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: ChrisH on November 10, 2017, 11:33:50 am
Cheers as well ;) You are welcome. Thanks for not taking it personally.

fe80::/64 is more like APIPA (169.254.x.y), but it's still local and not routable.
But fc00::/7 is the exact equivalent to the RFC1918 IPs (10./8 etc.). We use this e.g. for transfer networks, secure network segments that must not have internet access, VPN tunnels and the like.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 13, 2017, 06:15:23 pm
However, if you:

1st Forward the ports you need to X-Box.
2nd Sort of follow along with that video to get your static outbound NAT configured.
3rd Save it to use hybrid outbound NAT (Not automatic or Manual)

Remember to save and apply.

It should work.  If it's not working like you want after that, I'd be surprised.

That in fact does appear to be all that was needed.  It did not work until I set the static outbound NAT as shown in the video (https://www.youtube.com/watch?v=Q5U0nj9oaZY), and set it to use hybrid outbound NAT.  But once I did that, the XBOX was happy.

In particular, I did NOT have to use IPv6 in any form, I did NOT need to enable upnp, and I did NOT have to use port 3544 (the horrible Teredo tunneling "fix").

Initially I used "Pass" as the Filter rule association in the port forwards, and that worked, but I think I can probably go back to using an associated filter rule and I think it will probably still work.  I changed it back to that late last night, so I will know whether it works that way next time the kid tries to play XBOX.  EDIT: Still works fine (XBOX shows open NAT type) using an associated filter rule (the default filter rule association).
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 14, 2017, 04:34:40 am
Yeah - I posted this same thing on the pfsense boards about 5 or 6 years ago, but its sort of a hack to patch a bigger problem, which is having a requirement for NAT at all.  2- 3 more years, won't be an issue anymore.  Glad its working for you.  Same fix works for SIP issues also, in case you ever experience VOIP problems.
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 14, 2017, 08:10:16 am
Yeah - I posted this same thing on the pfsense boards about 5 or 6 years ago, but its sort of a hack to patch a bigger problem, which is having a requirement for NAT at all.  2- 3 more years, won't be an issue anymore.  Glad its working for you.  Same fix works for SIP issues also, in case you ever experience VOIP problems.
Well I wasn't going to bring up SIP but I did find that the same fix worked there, however I also had to go to System: Settings: Administration and put the dynamic DNS address that I use in the "Alternate Hostnames" field, otherwise a non-local extension wouldn't stay connected (it would connect and then almost immediately disconnect).

I suppose the reason you think that the requirement for NAT will disappear in 2-3 years is because you are under some delusion that everyone will be using IPv6 by then, but if you think that you obviously underestimate the lengths people will go to in resisting change.  Even if all ISP's started enforcing the use of IPv6 only to the cable or DSL modem - and my guess would be that won't happen for at least another ten years - there are still a lot of people that would use IPv4 only on their local networks.  Some of these would be security conscious people like me - I don't EVER want every device on my local network to be directly accessible from the Internet - but mostly it will be because there are too many people (also like me) who really just don't understand IPv6 and in particular, don't have a clue how to keep the bad guys out of an IPv6 network.  If every device on a local network has its own IPv6 address, the perception (and maybe the reality) is that anyone on the Internet has a direct superhighway into the weakest device on your network.

The change to IPv6 might be accelerated, though NOT to within 2-3 years, if someone(s) would come up with wonderfully clear and easy to understand explanations of IPv6, and how to secure it, in videos or on web pages.  I see lots of people bemoaning the fact that IPv6 isn't widely adopted, or that no one wants to use it, but that's generally because people are just being told "you should use IPv6."  And the people saying that act as if they think that everyone will suddenly realize it's the right thing to do, and start doing it, even though right now they don't know the first thing about it.

I have yet to see a web page or video that a) doesn't ramble on about irrelevant nonsense (NOBODY wants to read or listen to a long-winded academic explanation of how IPv6 came to be), or b) isn't mind-numbingly boring, like the worst teacher you ever had, or c) doesn't talk so far over the head of the average user that they'd learn just as much watching a video explaining the differences in styles of ancient pottery.

Also, when have you ever seen people do the right thing just because some "experts" told them to?  Compare IPv6 to any important social issue; some people will argue with you that it's not an issue, and even some people who do recognize that it might be an issue nevertheless don't want to make any personal effort (like people who realize we have an epidemic of obesity but can't stop drinking their pop/soda).  It's like the old joke about "How many psychiatrists does it take to change a light bulb?", and the answer is none, because the light bulb has to want to change first.  People are used to using IPv4, they sort of understand it a little (and don't understand IPv6 at all), it's working for them, and they don't want to change to IPv6.  And if you think any of that will magically change in just 2-3 years, I have a friend that really wants some of whatever you're smoking.  ;D
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 14, 2017, 09:03:48 am
The adoption rate is currently on a 2.5x per year rate of increase.  In mathematical terms a curve that is flattening against the Y axis as time on the X axis passes.  The numbers look clear to me.  I'm sure there will be a few hold outs, (lab setups in basements) but it is following the same sort of accelerating curve you see in things like population growth or bacterial growth in nature.  It is extremely predictable once a curve like this is evident. Numbers don't lie.  There are a few things that could stop it...   

Coronal Mass ejection like the one in 1859...   Lets see...   Asteroid collision like the one that wiped out the dinosaurs.   Things like that. 

This graph was produced using regression and curve fitting I'm sure.

(http://ipv4marketgroup.com/wp-content/uploads/2016/09/ipv4-market-group-ipv6-adoption-rate-forecasting-google-results.png)
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 14, 2017, 09:11:52 am
Now - Comparing the mathematical predictions in 2016 to the actual usage all the way to today in Nov 2017, the upward curve remains steady at a slightly higher than predicted rate.  Good news for all gamers and anyone who hates NAT.

https://www.google.com/intl/en/ipv6/statistics.html#tab=ipv6-adoption&tab=ipv6-adoption
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 14, 2017, 06:03:39 pm
Mathematics are not a reliable way to predict the behavior of human beings.  Look at the predictions for many political races vs. the actual outcomes.  And also, nowhere more than in the case of human behavior is the saying "What goes up, can come down" appropriate.

In the case of IPv6, all it would take to sink it for a generation or so would be some major hack where a large number of people have their identity and/or their money stolen, that could be tied directly to IPv6.  And given that so few people know how to secure IPv6, that is not a far-fetched scenario.

I'm sure you could have probably found a similar curve of people who thought that putting their life savings in banks was a good idea, right up until 1929 or thereabouts.  Then after many people suffered loss, it was decided that it might be a good idea to secure people's funds (in the form of insurance on savings), but it took many years before some people would take their "sock money" and put it back in the bank.  This is the big problem with IPv6; it's still relatively insecure compared to IPv4, and nobody seems all that concerned about it (I am not asserting that the protocol itself is any more or less secure than IPv4, I am saying that most people have no idea how to properly secure IPv6 because those few who know how - if anyone really does - haven't seen fit to make that information widely available in such a way that ordinary people can understand it).

As for the accuracy of mathematics, didn't mathematics once "prove" that the bumble bee can't fly?  I think your math just might be counting people who potentially could use IPv6, not necessarily those who actually do.  Sort of like how cable companies sometimes count the number of homes passed by their cable, which gives you no idea of the number of actual subscribers.  Or, it may only be counting the adoption rate of ISPs and large corporations.  How would they even know how many home networks are running IPv6, and how many are running IPv4 only?
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: xinnan on November 14, 2017, 06:05:40 pm
Haha - I feel pretty good about the odds I will win this bet. 
Title: Re: How well does OPNsense work with an XBOX if you don't enable upnp?
Post by: comet on November 14, 2017, 08:16:34 pm
I guess you are entitled to believe whatever lets you sleep well at night.  I think you are trying to wish a particular reality into existence.  Look at the curve on your graph, it never plateaus as real-life graphs often do, and continues to climb past 100% after April of 2020.  It's pure fantasy.

I suspect a lot of people have lost considerable sums in the stock market believing graphs like that one. How does that saying go about "lies, damn lies, and statistics?"  But if you want to believe that everyone in the world will be using IPv6 in only 2½ years, that's your prerogative; I just hope you aren't too disappointed when reality sets in.  Wishing isn't going to make it come true; though helping ordinary people understand IPv6 and how to properly secure it just might make it happen sooner (still not buying that it will happen by April 2020, though).