Messages

[Firewall / NAT / Outbound]

You don't have to set an alternate port unless you have multiple Xboxes.

I also had to add an outbound NAT rule:

Firewall / NAT / Outbound

Select Hybrid outbound NAT rule generation then click Save.

In the Manual rules section click the plus to add a new rule.

• Interface: WAN
• Protocol: TCP/UDP
• Source address: Xbox
• Source port: Xbox_Live_Port
• Static-port: ENABLE
• Save
• Apply

Here's an important tip: in between changing these settings and retesting open NAT status on the Xbox, you have to clear firewall states for the Xbox or it will continue to report strict NAT. Under Firewall / Diagnostics / States search for the static IP of the Xbox. A red X button will pop up to clear all states for the matched IP address, click it, then retest NAT status on the Xbox. This tripped me up big time.

Hello! This took a long time to figure out so I wanted to post a solution here for anyone using multi-WAN in the future who hits the same issue. When using the instructions to set up multi-WAN (https://docs.opnsense.org/manual/how-tos/multiwan.html) by default you won't be able to ping your gateway IP. There was one post here about this years ago without a solution but I can't for the life of me find it.

Also, when you traceroute to your gateway IP, it'll get routed outside the firewall which at first is very concerning!

The hint to the solution is here: https://docs.opnsense.org/manual/how-tos/multiwan.html#step-5-add-allow-rule-for-dns-traffic. Instead of just allowing DNS, I allowed any port / protocol from my internal network. This allows DNS, ping, etc. Traceroute doesn't fully work but it doesn't route outside the network. Otherwise everything works as expected now.