Several Questions - New User and brain pain.

Started by MattRidge, September 28, 2023, 07:20:26 PM

I am sorry if this has been answered already, but I am struggling to find a coherent answer.  That and I am running off of 3 hours of sleep because my newborn daughter is giving me 1 to 3 hours of sleep a night, so I apologize for any confusion or lack of understanding of what is being said upfront.

I am running OPNSense on a Qotom-Q515G6-S05 Mini PC Barebone with 6 Gigabit Ethernet NIC Intel Celeron 3865U Computer.
https://www.amazon.com/gp/product/B07DLYGZG4

It has 16GB RAM, an Intel Celeron 3865U Processor, and a 1TB M.2 drive.

I believe this is sufficient to run as a firewall, but I am having an issue with ports.

I want to know two things.

1. Is there a way to allow a port to be used between an XBox and PC (and only these two) so that I am no longer having Strong NAT warnings?

2. Can we crack open these ports without actually exposing the hardware?

If there is an answer to these, can someone please explain them in simple terms? I am sadly a neophyte to OPNSense, and the steps I have found online on how to "open ports" on Youtube, etc. seem to jump over things and I don't seem to have a truly functioning firewall because of it.

Any help would be greatly appreciated. I have tried to follow the online manual to no avail, which is why I am writing an SOS request here.

I really wish there was a one-page interaction and the complex stuff was done in the background (with an advanced mode for those who want to toy around with the complexities), but I digress.

Any help would be greatly appreciated... Thanks again.

Can you back up and give an overview of what you're trying to accomplish?  It sounds like you have an XY problem.

Additionally, can you provide a diagram of your existing setup?



Basically it comes down to this:

Internet ---> ISP Box ---> Router --> XBox (Wired) & PC (Wireless)

Both XBox and PC are on the same 192.168.1.x subnet. They both have a static IP.


What I want to do is this... make it so I can open the same port on the PC and XBox to play games with my son.

Quote from: MattRidge on September 28, 2023, 07:20:26 PM
That and I am running off of 3 hours of sleep because my newborn daughter is giving me 1 to 3 hours of sleep a night

Congrats! Take good care of her. Eventually the sleep pattern will improve. But you will never ever get that sleep deficit of roughly 1-2 years back ;)


Cheers,
Franco

Quote from: franco on September 28, 2023, 09:43:56 PM
Congrats! Take good care of her. Eventually the sleep pattern will improve. But you will never ever get that sleep deficit of roughly 1-2 years back ;)


Cheers,
Franco

Oh, I know, I have a son who is eight years old... but he slept through the night... girls are an entirely different beast... she is literally the princess and the pea.

No, our son was like that too. When he was a year older... waking up a couple of hours before dawn... ready to play. Just tough luck, but it got better eventually. :)

But I digress. The Qotoms have been quite popular. Good mileage for the price.


Cheers,
Franco

Ah the joys of newly born. Glad mine is grown now.
Anyways. Disclaimer: I don't do gaming so this is out of my experience. That said, isn't the strong NAT a thing about the console/PC needing some way to connect and be connectable with some ports on the game platform?
I seem to recall a number of threads with works/doesn't work for port forwards and NATs as workarounds to UPnP.

Unfortunately, I'm with CM.  I don't use xbox and I'm usually the only one gaming.  That said, I assume the warning you're getting is Strict NAT and not Strong NAT?

Have you made any changes to the defaults?  I assume by static IPs you mean static DHCP leases.

It looks like one of MS's solutions is to do port forwarding for both systems and configure one to use custom ports.  I dislike this as you then have open ports connected directly to machines on your LAN.  This is also why I dislike UPnP.  I have a friend that got hacked because they didn't realize their NAS had open ports to the internet.

Are you able to see something besides Strict NAT if you just have the pc or xbox on after rebooting OPNSense?

Quote from: cookiemonster on September 28, 2023, 11:44:13 PM
Ah the joys of newly born. Glad mine is grown now.
Anyways. Disclaimer: I don't do gaming so this is out of my experience. That said, isn't the strong NAT a thing about the console/PC needing some way to connect and be connectable with some ports on the game platform?
I seem to recall a number of threads with works/doesn't work for port forwards and NATs as workarounds to UPnP.

Strong NAT has to do with blocked ports. They can be accessed because the user allowed an app to run, but it's not visible from the outside, so your latency/interaction with said program is slower than it should be.

It is like opening port 80 on a firewall. 

I want to know if it's possible to allow access to a port without actually puncturing a hole in the firewall. If not, how do I do it safely?

And yeah, having a young kid wasn't in the cards, I will be changing diapers well past my 50th birthday now :P

Quote from: CJ on September 29, 2023, 02:09:50 PM
Unfortunately, I'm with CM.  I don't use xbox and I'm usually the only one gaming.  That said, I assume the warning you're getting is Strict NAT and not Strong NAT?

Have you made any changes to the defaults?  I assume by static IPs you mean static DHCP leases.

It looks like one of MS's solutions is to do port forwarding for both systems and configure one to use custom ports.  I dislike this as you then have open ports connected directly to machines on your LAN.  This is also why I dislike UPnP.  I have a friend that got hacked because they didn't realize their NAS had open ports to the internet.

Are you able to see something besides Strict NAT if you just have the pc or xbox on after rebooting OPNSense?

I've made no changes as of yet, I am still working with a virgin system as it stands now, I am afraid to make a mistake and have my firewall scream to the world "I'm used by an idiot, abuse me!"

Quote from: MattRidge on September 29, 2023, 02:25:09 PM
Strong NAT has to do with blocked ports. They can be accessed because the user allowed an app to run, but it's not visible from the outside, so your latency/interaction with said program is slower than it should be.

It is like opening port 80 on a firewall. 

I want to know if it's possible to allow access to a port without actually puncturing a hole in the firewall. If not, how do I do it safely?

And yeah, having a young kid wasn't in the cards, I will be changing diapers well past my 50th birthday now :P

The MS Xbox NAT page doesn't have an entry for Strong NAT.  Are you sure it says Strong NAT or do you mean Strict NAT?

https://support.xbox.com/en-US/help/hardware-network/connect-network/xbox-one-nat-error

Quote from: MattRidge on September 29, 2023, 02:27:11 PM
I've made no changes as of yet, I am still working with a virgin system as it stands now, I am afraid to make a mistake and have my firewall scream to the world "I'm used by an idiot, abuse me!"

The troubleshooting process is definitely helped by you not randomly making changes in order to "fix" things. :)

That said, you didn't answer any of the other questions I asked.  Since I don't think any of us have an xbox or multiple, we're having to debug by proxy and that requires a lot more information.

And no, if you open a port, the port is open to all.  That's why it's not generally recommended and instead you let the firewall only pass through replies to your requests.  UPnP works by automatically opening ports without telling the user, and that's why it's often recommended as a "fix" and why security-conscious people recommend turning it off.
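To make the two points in this thread concrete (CJ's "open port is open to all, a stateful firewall only passes replies", and the MS advice above to forward the port for both machines with one of them on a custom port), here is a small added model of a stateful NAT in the three behaviours that matter for a console. It is example code written for this thread, not OPNsense or pf code. The addresses are from the RFC 5737 documentation ranges and the 3074 port is only a stand-in for "the game port"; the "symmetric" and "cone" modes follow the RFC 4787 mapping terms, with "cone" approximating what pf's static-port outbound NAT gives you (source port preserved) plus endpoint-independent filtering, which is an idealisation:

```python
"""Toy stateful NAT: why two LAN hosts on the same port collide, why a
console sees Strict NAT behind per-destination mappings, and what a port
forward exposes that a stateful rule does not.  Constructed example; not
OPNsense code.  Hosts, ports and addresses are assumptions for the demo."""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class ToyNat:
    """mode="symmetric": new WAN port per (LAN socket, remote socket) pair and
    only that remote may send back (address-and-port-dependent, RFC 4787).
    mode="cone": one WAN port per LAN socket, equal to the LAN port while it is
    free (like pf static-port), usable by any remote once opened
    (endpoint-independent).  forwards: WAN port -> (LAN ip, LAN port), passed
    to the LAN host for any sender at any time, whether or not it asked."""

    WAN_IP = "203.0.113.5"  # constructed public address (RFC 5737)

    def __init__(self, mode, forwards=None, seed=7):
        if mode not in ("symmetric", "cone"):
            raise ValueError(mode)
        self.mode = mode
        self.forwards = dict(forwards or {})
        self.mapping = {}   # key -> WAN port
        self.reverse = {}   # WAN port -> (LAN ip, LAN port)
        self.allowed = set()  # (WAN port, remote ip, remote port) with state
        self.rng = random.Random(seed)

    def _free_port(self, wanted):
        port = wanted
        while port in self.reverse:           # already used by another LAN host
            port = self.rng.randint(1024, 65535)
        return port

    def outbound(self, pkt):
        """LAN host sends out; creates state and returns the translated packet."""
        if self.mode == "symmetric":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            wanted = self.rng.randint(1024, 65535)
        else:
            key = (pkt.src, pkt.sport)
            wanted = pkt.sport                # try to keep the source port
        if key not in self.mapping:
            port = self._free_port(wanted)
            self.mapping[key] = port
            self.reverse[port] = (pkt.src, pkt.sport)
        port = self.mapping[key]
        self.allowed.add((port, pkt.dst, pkt.dport))
        return Packet(self.WAN_IP, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet host hits the WAN; returns (LAN ip, LAN port) or None (dropped)."""
        if pkt.dport in self.forwards:
            return self.forwards[pkt.dport]   # the hole: anyone, any time
        if pkt.dport not in self.reverse:
            return None                       # no mapping: default deny
        if self.mode == "symmetric" and (pkt.dport, pkt.src, pkt.sport) not in self.allowed:
            return None                       # only the remote we talked to
        return self.reverse[pkt.dport]


# Constructed hosts: both LAN machines insist on the same game port.
XBOX = ("192.168.1.10", 3074)
PC = ("192.168.1.20", 3074)
SERVER = ("198.51.100.7", 3074)     # matchmaking/game server
PEER = ("192.0.2.44", 50000)        # another player introduced by the server
SCANNER = ("192.0.2.99", 40000)     # unsolicited internet host


def scenario(mode, forwards=None):
    nat = ToyNat(mode, forwards)
    cold = nat.inbound(Packet(*SCANNER, nat.WAN_IP, 3074))   # console still off
    out_x = nat.outbound(Packet(*XBOX, *SERVER))
    out_p = nat.outbound(Packet(*PC, *SERVER))
    return {
        "xbox_wan_port": out_x.sport,
        "pc_wan_port": out_p.sport,
        "server_reply": nat.inbound(Packet(*SERVER, nat.WAN_IP, out_x.sport)),
        "peer_to_xbox": nat.inbound(Packet(*PEER, nat.WAN_IP, out_x.sport)),
        "scanner_cold": cold,
        "scanner_warm": nat.inbound(Packet(*SCANNER, nat.WAN_IP, out_x.sport)),
    }


if __name__ == "__main__":
    for name, kw in (("symmetric", {}), ("cone", {}), ("cone + forward", {"forwards": {3074: XBOX}})):
        print(name, scenario("cone" if name.startswith("cone") else "symmetric", **kw))
```

Reading the results: in "symmetric" mode the server's reply gets back but the introduced peer cannot reach the console, which is the situation a console reports as Strict; in "cone" mode the console keeps port 3074, the PC is pushed onto another port (the collision MS works around by moving one machine to custom ports), and the peer gets through, but so does anyone else while the mapping exists. Only the explicit forward answers the scanner before the console has sent anything, which is what "open to all" means in practice.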

Quote from: CJ on September 29, 2023, 02:49:37 PM
The troubleshooting process is definitely helped by you not randomly making changes in order to "fix" things. :)

That said, you didn't answer any of the other questions I asked.  Since I don't think any of us have an xbox or multiple, we're having to debug by proxy and that requires a lot more information.

And no, if you open a port, the port is open to all.  That's why it's not generally recommended and instead you let the firewall only pass through replies to your requests.  UPnP works by automatically opening ports without telling the user, and that's why it's often recommended as a "fix" and why security-conscious people recommend turning it off.

Like I said, excuse my mistakes, and lack of sleep... I got 3 hours today too.. lol. 

And yes, Strict is what I meant to say. And all I am seeing is Strict NAT, nothing else... everything else works fine considering. I am able to play games, etc., but if the port, as you called it, allowed me to pass through without issues, I would be able to have flawless gameplay. Right now my internet connection to the servers is reduced by 25 to 50% from normal because of the way MS interacts with OPNSense....

As you showed with the link (and I have seen it before), it says to "open" the ports, but as I said I don't want to do that, so how do I set up OPNSense to allow the XBox and PC (because they use the same ports) to have throughput instead of punching a hole?

I really wish you could do all of this on one page instead of going to three different tabs (or so it seems) just to allow a piece of hardware to use the firewall correctly and vice versa.

I have a dozen pieces of hardware on the network, none require special treatment, they are all internal only... they don't play with the outside, so none of the hardware on my network gives me any errors or issues. 

What questions specifically do you need me to answer? I only ask because I need you to be specific, due to the fact that I am new to this system and I may not know the answer... so I may not answer it because I honestly may not know I should have known...

Feel like Dick Cheney during the Gulf War... "We know there are bad guys, but we don't when, we don't know where, but they are there."

I know there are things going on, but I don't know squat on how to make it work... so I apologize if I don't answer clearly because, I honestly am new to OPNSense... and some of the things in it are not as intuitive as I wish it was.

It's fine.  I just wanted to make sure we were talking about the same thing because I don't use an xbox.

If you turn off your computer and all Xboxes, then reboot OPNSense, and turn on one Xbox only, what does the report say?  Do you get a result other than Strict NAT?