Title: Firewall-Packet Filter on Opnsense 18.1.4 blocking PC/Xbox Live and XBOX.
Post by: Professor_Rat on March 17, 2018, 08:51:05 pm
Hello all, I am extremely new here and thanks for taking the time to read over my issue. Here is some background info on myself and the issue I am having.

I do work in technology and am still trying to find my niche in the job sector, as I learned Networking/Cisco, Windows Desktop, and Windows Server; getting around usually is not an issue. But since moving off pfSense it has been a rocky road for my home network, as I like to run custom gear and not off-the-shelf consumer stuff.

I recently made the decision to dump pfSense as it was giving me headaches every time it updated, and it started to block my computers running anything Xbox or Xbox Live related, thus my change to OPNsense, as it was an excellent fork to switch to given pfSense's over-commercialization of the OS/source code.

On that subject, I am going to list things I have used before to give everyone an idea of where I am at; some I used while they were young distributions, others were more mature.

Sophos UTM Home Edition

My big question is: is there a way to go into the Firewall/Packet Filter to allow the game consoles and PCs to get to Xbox Live without breaking everything else or causing a big security hole? I do have UPnP, but it is used sparingly, on the game systems only.
My previous setup had a static port for Xbox and a static address, so the packet filter and NAT did not affect the Xbox One traffic, but it would continue to block bad inbound traffic. UPnP was Deny unless a static IP was used. My PC was never affected by pfSense on Xbox Live. More than likely OPNsense blocks something that was not blocked before.

I did run tests on OPNsense with only UPnP on/static IP only, but my NAT/Network on both Xbox Live on PC and Xbox still gives Strict/Blocked.

Tried some firewall rules and NAT rules like my old build, but no luck on that end. Got screenshots of both my PC and Xbox One.

Post by: rwtsk8 on March 24, 2018, 04:10:21 am
I presume from the way that you describe your situation that you have already installed the os-upnp plugin but you continue to be restricted. The only way I have got my PlayStation to Type 2 (I believe what you are looking for, but in different lingo) was to create a firewall rule that allows all ports outbound from my PlayStation (on the LAN interface). I didn't need to change any NAT from the default configuration.

As you can see from the screenshot, I reworked that idea a bit because I got nervous having a device exposed like that. What I ended up doing is creating an alias for my PlayStation's static IP, giving that access to the firewall (because it uses it for DNS) and then giving it all-port access to anything that wasn't an RFC1918 address (anything else in my network). You might have to retool it a bit if you need access from your PC to other devices, but my PS didn't need access to anything but the outside world. There also may be a better way to do this, but it is working for my needs right now. The PlayStation is exposed, but it cannot be used to communicate with the rest of my network if it is ever compromised.

I am also learning this system, as I have spent the entirety of my career working for an ISP as a router engineer, so I never had to go beyond making devices communicate. Security was someone else's responsibility. I was needing to branch out a bit because my wife's small business added a second location, so the easy, off-the-shelf Netgear wireless routers weren't meeting their needs. I started out using pfSense because I had a lot of trouble getting OPNsense installed (turned out it was my issue), but once I did get OPNsense up and running, I haven't looked back.
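The two rule sets rwtsk8 describes, written out as a pf ruleset fragment so the difference is visible side by side. This is an added example, not rwtsk8's screenshot or anything OPNsense generates: OPNsense builds its own pf rules from the GUI aliases and rules, so this is illustration only. The LAN interface name igb1, the firewall's LAN address 192.168.1.1, and the console address 192.168.1.50 are assumptions; the RFC1918 table holds the three private ranges.

```pf
# Added example, not from the thread. Hand-written pf fragment illustrating
# the console policy discussed above; interface and addresses are assumptions.
lan_if = "igb1"
fw_lan = "192.168.1.1"
table <console> const { 192.168.1.50 }
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# First attempt described in the post: any protocol, any port, any destination.
# Gets the console to an open NAT type, but a compromised console can then
# reach every other host on the LAN. Left commented out as the "before".
# pass in quick on $lan_if inet from <console> to any keep state

# Reworked version: DNS to the firewall itself, then anything that is not a
# private address. Everything else from the console toward the LAN is dropped.
pass in quick on $lan_if inet proto { tcp udp } from <console> to $fw_lan port 53 keep state
pass in quick on $lan_if inet from <console> to ! <rfc1918> keep state
block in quick log on $lan_if inet from <console> to <rfc1918>
```

Rule order matters: pf applies the first `quick` rule that matches, so the DNS pass must sit above the block on `<rfc1918>`, and the explicit block keeps a later, more permissive LAN rule from re-opening the console to internal hosts. Inbound mappings for game traffic are still handled by the UPnP plugin; these rules only govern what the console may initiate. If the console also needs a non-DNS service from the firewall (NTP, for example), add that port to the first pass rule rather than widening the second.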
Post by: Professor_Rat on March 24, 2018, 05:01:22 am
I will definitely implement this, rwtsk8, and retool my OPNsense for the PS and see how it works out. Then I'll see if I can get Xbox working as well. I had pfSense working and fairly secure, but as mentioned it had a terrible update that broke everything, so OPNsense will be my new setup. Also, is it OK to turn IPv6 back on, or should I continue to leave it blocked and disabled?

I agree with you on not letting the tech have its way on a network. Mine is a home net with an overkill setup that I want to improve on; I may try to get my hardware to 10Gb once I get my routing and firewall issues ironed out. I have OPNsense on a dedicated box with a Gigabit+ certified DOCSIS 3.0 cable modem. 😀

My WiFi is a UniFi AC PRO series unit and a controller (consumer gear just stunk), plus 3 dumb Gigabit 8-port Netgear switches that have kept on trucking for me.

Again, thanks for the help and guidance, rwtsk8. Will post again once I can make changes; testing on weekends when family/company is coming usually is not the time to tweak the router, lol.

Post by: slickdakine on March 24, 2018, 05:29:01 am
