How well does OPNsense work with an XBOX if you don't enable upnp?

Started by comet, October 30, 2017, 06:35:17 AM

Thank you again.  Unless something unexpected comes up, I'll likely give this a try this weekend.

I do wonder about port 3544, though.  That's not a port I've had to open in the past, and when I looked it up on Wikipedia it referred me to this page:

https://en.wikipedia.org/wiki/Teredo_tunneling

After reading that I sure hope that I can get this working without having to open port 3544, because that page contains a rather ominous section on Security Considerations:

https://en.wikipedia.org/wiki/Teredo_tunneling#Security_considerations

Nothing in my local network currently supports ipv6 because of the difficulties in enforcing security (plus it's a bit of inertia; everything has always worked without enabling ipv6 so why change?) but it seems like this Teredo Tunneling tries to circumvent that.  The XBOX I have has never required port 3544 to be open, so I hope that's still the case under OPNsense.

Your screenshots are a big help and I really do appreciate the effort.  Many thanks!
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

No problem. The Teredo port I got from the link in my first post.
You can see a post by me mentioning to check it out.

Also, there is a doc download link with info.

I will have a look into it tomorrow, if I have the time.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Teredo is often something that is resorted to when ports are closed and upnp is shut off or broken...

If upnp is a mild cold then Teredo is the Spanish flu.

Teredo increases the attack surface by assigning globally routable IPv6 addresses to network hosts behind NAT devices, which could otherwise be unreachable from the Internet. By doing so, Teredo potentially exposes any IPv6-enabled application with an open port to the outside. Teredo tunnel encapsulation can mask the contents of the IPv6 data traffic from packet inspection, enabling the spread of both IPv6 and even some IPv4 malware.[3] US CERT has published a paper, on the risks of malware using IPv6 tunneling.[3] Teredo also exposes the IPv6 stack and the tunneling software to attacks should they have any remotely exploitable vulnerability.

The cure is worse than the sickness in this case.  Better to not break NAT and upnp.
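An added example, not posted by anyone in this thread: decoding a Teredo address as laid out in RFC 4380 shows concretely what the quoted Wikipedia text means by a NAT-ed host being handed a globally routable address. A Teredo address embeds the Teredo server, the client's public IPv4 address and its mapped UDP port, so a defender who sees such addresses in firewall or flow logs can tell which hosts are tunnelling out and through which public mapping. The sample address and the flow records below are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 4380: every Teredo address lies in 2001:0000::/32.
TEREDO_PREFIX = ipaddress.ip_network("2001::/32")
TEREDO_UDP_PORT = 3544  # the port discussed in this thread


@dataclass
class TeredoInfo:
    server: str            # IPv4 address of the Teredo server used
    client_public_ip: str  # the client's public (post-NAT) IPv4 address
    client_port: int       # the UDP port the NAT mapped for the client
    cone_flag: bool        # high bit of the flags field (cone NAT)


def decode_teredo(addr: str) -> Optional[TeredoInfo]:
    """Decode a Teredo IPv6 address; return None for any non-Teredo address."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in TEREDO_PREFIX:
        return None
    raw = int(ip)
    # Layout (bits from the top): 0-31 prefix, 32-63 server IPv4,
    # 64-79 flags, 80-95 obfuscated port, 96-127 obfuscated client IPv4.
    server = ipaddress.IPv4Address((raw >> 64) & 0xFFFFFFFF)
    flags = (raw >> 48) & 0xFFFF
    # Port and client address are stored XORed with all-ones so that
    # NAT devices do not rewrite them when they appear in payloads.
    port = ((raw >> 32) & 0xFFFF) ^ 0xFFFF
    client = ipaddress.IPv4Address((raw & 0xFFFFFFFF) ^ 0xFFFFFFFF)
    return TeredoInfo(str(server), str(client), port, bool(flags & 0x8000))


# Constructed flow records (proto, src, dst, dst_port), not real log data.
CONSTRUCTED_FLOWS: List[Tuple[str, str, str, int]] = [
    ("udp", "192.168.1.50", "65.54.227.120", 3544),   # Teredo to a server
    ("tcp", "192.168.1.50", "93.184.216.34", 443),    # ordinary HTTPS
    ("udp", "192.168.1.50", "192.168.1.1", 53),       # local DNS
]


def flag_teredo_flows(flows: List[Tuple[str, str, str, int]]) -> List[Tuple[str, str, str, int]]:
    """Return the flows that look like Teredo tunnel setup (UDP to port 3544)."""
    return [f for f in flows if f[0] == "udp" and f[3] == TEREDO_UDP_PORT]
```

A LAN host that shows up with a 2001:0::/32 address is therefore reachable from the outside even though the firewall never forwarded a port, which is why the posts above treat Teredo as worse than UPnP.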

So much infosec fail in this thread, i actually had to drop a comment.
Member of FBI's Infragard Program
Certified Information Systems Security Officer
Certified Vulnerability Assessor
PFMonitor Remote Management, Backup, & Live Monitoring for PFSense and OPNSense
OPNSense Units: R720XD XL, R720XD XL, R720XD, R720XD, R710, DL360G7, QNAP

Typical. Say it's a fail, but leave us n00bs still clueless...
That's a fail on its own.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Quote from: weust on November 03, 2017, 07:21:01 AM
Typical. Say it's a fail, but leave us n00bs still clueless...
That's a fail on its own.
Exactly.  You said this better (and a lot more concisely) than I could have.
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

As far as the fail, he could have been talking about me also...   Never can tell.  It wasn't directed. 

He/she mentioned "thread", meaning in general in this case.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Well, he is a Member of FBIs Infragard Program.  Maybe he knows something we don't.

I'd ask him what he thinks.  I like criticism.  It's how I learn.
I've noticed that since I enabled Hurricane Electric IPV6 on that interface used by X-Box nothing from X-Box ever requests anything from upnp.  Everything seems to prefer IPV6 and there is no NAT involved.  Still waiting for Skype to get a clue.

I never dived in very deep to figure out which exact ports are used.
Just looked up some info from Sony and Bungie for firewall settings.
Bungie actually has a nice page displaying which ports are needed open, and forwarded per platform.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

IPV6, if fully enabled and implemented well, should allow it to not need upnp.  Actually, same is true for all sites and applications that fully support IPV6.

I could have my son check the NAT Status to see if X-Box is happy or sad without upnp on IPV4/IPV6 dual stack.

I'm still waiting for my ISP to finally roll out IPv6.
And my PS4 Pro doesn't support that AFAIK.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Go figure. 

I've got IPV6 from Hurricane Electric and assigned a /64 to interfaces that I want to have it, precisely because of NAT.  I'm pretty sure X-Box loves it or my kid would be screaming.

Quote from: weust on November 03, 2017, 07:21:01 AM
Typical. Say it's a fail, but leave us n00bs still clueless...
That's a fail on its own.

As "weust" suspected, i was not singling out a specific statement or user, it was a statement based cumulatively on this thread, and the woeful security lapses several of the recommendations in here would create.

Do not enable UPNP unless you would like your network readily accessible as soon as your programs start to open a growing number of holes in your firewalls.

Do not DMZ any device on your network unless it is actually in a separate subnet/vlan/etc that is completely segregated from the rest of your network, and EVEN THEN, do it only as a last resort, and don't leave it that way; disable it as soon as it's no longer needed.  With a device set to the DMZ on a home/smb router, you have essentially put it wide open on the internet with zero security precautions. If someone pops it using a zero day or gets lucky with a password guess they now have a foothold inside your network; from there they can attempt to break into the rest of it, or if they don't care about your network, they will just use the device they popped to send spam, or to breach others, or even as a zombie in a DDoS-for-hire botnet, etc, making the ISP think you are the one doing it.

Take heed of my advice.
Member of FBI's Infragard Program
Certified Information Systems Security Officer
Certified Vulnerability Assessor
PFMonitor Remote Management, Backup, & Live Monitoring for PFSense and OPNSense
OPNSense Units: R720XD XL, R720XD XL, R720XD, R720XD, R710, DL360G7, QNAP

Quote from: xinnan on November 03, 2017, 10:27:02 AM
Everything seems to prefer IPV6 and there is no NAT involved.  Still waiting for Skype to get a clue.

This is actually a bad thing, as unless you have defined security policies on the IPv6 traffic at the router/firewall, your devices are working without NAT and are directly internet addressable. This makes them work better as they don't have a firewall to punch through, but this leaves them horribly insecure.

Also, anything made by Microsoft does default to using IPv6 if it is available because this was their policy decision, which in some cases is actually ill-advised since IPv6 support is spotty at best in most cases.   Defaulting to IPv6 is not happening because it is better, but rather because Microsoft has programmed it to do this due to their own policies.

A good portion of IPv6 traffic coming from ISPs is still forced to go through IPv6-to-IPv4 conversion at least once to get to the proper destination and back again, sometimes several times depending on how properly, improperly, or partial their IPv6 deployment is.

Do not presume that IPv6 is more secure based on design or function, as I assure you it is not.  You must still be very careful and put into place proper security policies, rules, etc to prevent potential breaches.

I personally will continue to operate IPv4 on my internal networks, using NAT, as this also inhibits any outside systems or people monitoring the traffic from easily determining how many or what type of devices you have behind your NAT.    I will never have devices inside my LANs internet addressable using public IPs, for any reason, because if you do, a 30 second Wireshark will reveal every device on the LAN's existence just by catching the list of IPv6 addresses flowing from your network.
Member of FBI's Infragard Program
Certified Information Systems Security Officer
Certified Vulnerability Assessor
PFMonitor Remote Management, Backup, & Live Monitoring for PFSense and OPNSense
OPNSense Units: R720XD XL, R720XD XL, R720XD, R720XD, R710, DL360G7, QNAP