How well does OPNsense work with an XBOX if you don't enable upnp?

Started by comet, October 30, 2017, 06:35:17 AM

Hi. I recently tried that other firewall software (the non-open source one) and found out that port forwarding doesn't work like it does on a normal router, and that my XBOX reported a strict NAT type even though I opened the same ports that I have previously opened on the port forwarding page in an inexpensive store-bought router to make it work.  It mystifies me why simply forwarding those ports to the XBOX creates an open NAT type for the XBOX on the router, even without enabling upnp, but opening the exact same ports in that other software seemingly has no effect.

So in my search for software that might actually work the way it's supposed to, I came across OPNsense, and I would like to know if it would work any better.  So if you have an XBOX and you do not enable upnp, are you able to get your XBOX to report the NAT type as open rather than strict, just by port forwarding the specific ports that the XBOX uses?  If not, were you able to do something else that made it work, without enabling upnp?
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

I recently sold my Xbox One, but I had Open NAT working just fine.
Same for my PlayStation 3 and 4, and certain PC games.
I never use PnP.

This tutorial might help: https://forum.opnsense.org/index.php?topic=3521.0

Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Thanks for the response.  I may give OPNsense a try this weekend then, if time allows.
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

Forgot if it's in the tutorial or not, but I can advise to make use of aliases.
I like to combine TCP and UDP ports per service.
Keeps it a bit more clean in the overview.

Also keep in mind that a developer might mention the use of certain ports for their game that are also used for Xbox Live.
I know Bungie does it for PSN. So I separated those.

If you like, I can post a screenshot or two of how I did it.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Quote from: weust on November 01, 2017, 04:39:23 PM
Forgot if it's in the tutorial or not, but I can advise to make use of aliases.
I like to combine TCP and UDP ports per service.
Keeps it a bit more clean in the overview.

Also keep in mind that a developer might mention the use of certain ports for their game that are also used for Xbox Live.
I know Bungie does it for PSN. So I separated those.

If you like, I can post a screenshot or two of how I did it.

Thanks very much for the additional information.  Yes, please on the screenshots, they would be a huge help!
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

upnp works.
DMZ the xbox works.
Port forward every port for every game you may ever desire to play... Works...
I don't think upnp is evil.  Put the xbox on an isolated subnet and run it with upnp. 

Quote from: xinnan on November 01, 2017, 11:41:21 PM
upnp works.
Did you even read my original post in this thread?

Quote from: xinnan on November 01, 2017, 11:41:21 PM
DMZ the xbox works.
Sure, because I want to let every hacker in the world have open access to the XBOX.  Oh wait, no I don't.

Quote from: xinnan on November 01, 2017, 11:41:21 PM
Port forward every port for every game you may ever desire to play... Works...
That doesn't seem to work in that other firewall software, which is why I asked about it here.  I wanted to find out if it works in OPNsense.

Quote from: xinnan on November 01, 2017, 11:41:21 PM
I don't think upnp is evil.  Put the xbox on an isolated subnet and run it with upnp.
You quite obviously don't care much about security.  I do.  upnp may not be "evil" but it is a security risk because it basically allows any software running on any computer on your network to open incoming ports.  I'm guessing you don't see why that could be a problem.

If there were a way to restrict the use of upnp to a specific device on the network (so, for example, only the XBOX could use it but no other computer or device could) then it might not be quite so objectionable, but as far as I know, if you enable upnp you enable it for the entire LAN, and that's not something I'm willing to risk.
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

Exactly the reasons why I don't like UPnP.
I can't take someone seriously when they consciously use a firewall/router, and then let it allow a device to open it up any way they like.

Sony, in the past, even wanted ports 80, 443 and 53 open. No way any of my consoles will ever be either a webserver or DNS server for the internet.
They probably meant just outbound, but they didn't specify anything. Just port numbers.

Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Below are some screenshots of my setup, regarding PlayStation 4 and Destiny 2 for PS4 and PC.
The alias for the desktop is missing, but it's Qube. (it's early here, and my Paint skills have a limit so early in the morning).

I'm re-doing things here, so the Destiny 2 PS4 portforwarding isn't in place yet.
Nasty thing is I have to disable/enable either PC or PS4 when I want to play the other, since they use overlapping ports, and I only have one public IP address.
Hope that makes sense.

Anyway, it-works-for-me(tm).

PS: you might have to open/download the pictures first to see them fully.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

Thanks very much, the images help a lot.  I just hope it will work as well for the XBOX.  I probably won't have time to try it until the weekend.

Microsoft is another one that wants you to have ports 53 and 80 open: https://support.xbox.com/en-US/xbox-360/networking/network-ports-used-xbox-live

They also don't say for sure which ports need to be open for inbound and which only need outbound connectivity.  I had read somewhere in the last day or two that 3074 and maybe 1863 are the only ones that really need to be open for inbound traffic.  The real problem is when the XBOX reports the dreaded NAT type "strict", which means that multiplayer gaming won't work correctly, then people just try whatever Microsoft says to do in order to try to get the NAT type to change to "open".

Thank you again, this really helps!
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

An open port is an open port.  Doesn't matter how it gets to be open.

Now, if you have your entire network on 192.168.20.0/24 with upnp not active for that subnet

and then you have your xbox on 192.168.21.0/24 and you have upnp active for that, or you have some ports opened manually or it's DMZed (it's all just opened ports if you ask me)

and then your firewall rules are set to prevent xbox subnet from talking to other subnets you will be fine.

This assumes you don't have your xbox and everything else using the same dumb switch.

This is the way I do it.  I use upnp for the xbox myself. 

In my case the cat6 that goes to the switch that connects to the loft where all the gaming happens gets 1 interface on the back of the firewall/router.

The cat6 that goes to the rest of the computers in the house gets another interface on the back of the firewall/router.

The wireless gets its own interface on the back of the firewall/router.

And finally, my computer-illiterate tenant and her daughter get their own interface...

If you don't have a bunch of ports on the back of your opnsense, you can use a managed switch with vlans to do the same thing. 

All these are segregated by firewall rules.  I like xbox to have upnp so that it works the way it should.  Not sure what a hacker could do with it isolated the way it is. 

There is a difference between imagined security and actual security.  You want security, isolate your xbox, any computer kids, wives, visitors, friends etc etc touch (because they will bring in malware) from your important computers and devices.  Don't hamstring your poor xbox's ability to forward ports it needs.
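The segmentation described in the post above (console on its own 192.168.21.0/24 segment, the rest of the house on 192.168.20.0/24, firewall rules keeping the console segment away from the other subnets, and only the console's own ports forwarded from the WAN) can be checked as a policy before it is trusted. The following is an added example, not code from the thread or from the OPNsense project: it models OPNsense's first-match interface rules and default deny as a flat Python rule list and evaluates a handful of constructed flows against it. The subnets and the 3074/1863 inbound ports come from the thread; the firewall address 192.168.21.1 on the console segment and the documentation-range WAN addresses are assumptions.

```python
"""
Policy check for a segmented console network.

Added example (not from the thread or OPNsense). Models first-match rules
with default deny; the 192.168.21.1 firewall address is an assumption.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr) -> bool:
    return any(addr in net for net in PRIVATE)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "pass" or "block"
    src: str                             # "any", "private", "internet" or a CIDR
    dst: str
    dst_ports: Optional[frozenset] = None  # None = any destination port


def _side_matches(spec: str, addr) -> bool:
    if spec == "any":
        return True
    if spec == "private":
        return is_private(addr)
    if spec == "internet":
        return not is_private(addr)
    return addr in ip_network(spec)


# Constructed policy: evaluated top-down, first match wins, default deny.
POLICY = [
    # The console still needs the firewall on its own segment for DNS
    # (assumed: 192.168.21.1 is the firewall's address on that segment).
    Rule("console-dns", "pass", "192.168.21.0/24", "192.168.21.1/32", frozenset({53})),
    # Console segment may not reach any other private network...
    Rule("console-to-private", "block", "192.168.21.0/24", "private"),
    # ...but may reach the Internet freely.
    Rule("console-to-internet", "pass", "192.168.21.0/24", "any"),
    Rule("lan-to-console", "block", "192.168.20.0/24", "192.168.21.0/24"),
    Rule("lan-to-internet", "pass", "192.168.20.0/24", "any"),
    # Static forwards instead of UPnP: only the console, only its ports.
    Rule("forward-to-console", "pass", "internet", "192.168.21.10/32",
         frozenset({3074, 1863})),
]


def evaluate(src: str, dst: str, port: int, rules=POLICY):
    """Return (action, rule name) for a new connection src -> dst:port."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (_side_matches(r.src, s) and _side_matches(r.dst, d)
                and (r.dst_ports is None or port in r.dst_ports)):
            return r.action, r.name
    return "block", "default-deny"


# Constructed flows with the outcome the segmentation is meant to give.
EXPECTED = [
    ("192.168.21.10", "192.168.20.5", 445, "block"),   # console -> LAN file share
    ("192.168.21.10", "192.168.21.1", 53, "pass"),     # console -> its resolver
    ("192.168.21.10", "203.0.113.9", 3074, "pass"),    # console -> game service
    ("192.168.20.5", "192.168.21.10", 3074, "block"),  # LAN host -> console
    ("198.51.100.7", "192.168.21.10", 3074, "pass"),   # Internet -> forwarded port
    ("198.51.100.7", "192.168.21.10", 80, "block"),    # Internet -> not forwarded
    ("198.51.100.7", "192.168.20.5", 3074, "block"),   # Internet -> LAN host
]


def verify(rules=POLICY) -> list:
    """Return the flows whose decision differs from what the layout intends."""
    return [(src, dst, port, evaluate(src, dst, port, rules)[0])
            for src, dst, port, want in EXPECTED
            if evaluate(src, dst, port, rules)[0] != want]


if __name__ == "__main__":
    for src, dst, port, want in EXPECTED:
        print(src, "->", f"{dst}:{port}", evaluate(src, dst, port), "expected", want)
    print("mismatches:", verify())
```

Dropping the `console-to-private` rule from the list makes `verify()` report the console-to-LAN flow as passing, which is the regression this kind of check is meant to catch when rules are reordered in the GUI.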

I didn't forward, or open, ports 80, 443 and 53 inside.
Xbox Live worked fine. Played some Destiny with it.

I may have an old configuration I could check.
Should have everything you need.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.

One reason I am sometimes reluctant to use open forums to get help is because it seems like there is one guy in every forum that likes to give bad or incomprehensible advice, and to just muddy up ongoing discussions.

Quote from: xinnan on November 02, 2017, 11:16:26 AM
An open port is an open port.  Doesn't matter how it gets to be open.

Now, if you have your entire network on 192.168.20.0/24 with upnp not active for that subnet

and then you have your xbox on 192.168.21.0/24 and you have upnp active for that, or you have some ports opened manually or it's DMZed (it's all just opened ports if you ask me)

Nobody asked you and if you are trying to explain how to do something, you are failing miserably. And your assertion that "An open port is an open port.  Doesn't matter how it gets to be open" is the dumbest statement I have read in a long time.  Of course it matters.  It matters whether your XBOX opened the valid ports it needs to allow you to play a game, or some piece of malware on another computer on your network used upnp to conveniently open a port to send all your personal data back to whatever hackers created it.

Quote from: xinnan on November 02, 2017, 11:16:26 AM
and then your firewall rules are set to prevent xbox subnet from talking to other subnets you will be fine.

So your solution is to make everything much more complicated than it needs to be.  Yeah, brilliant (that's sarcasm if you can't tell).

Quote from: xinnan on November 02, 2017, 11:16:26 AM
This assumes you don't have your xbox and everything else using the same dumb switch.

This is the way I do it.  I use upnp for the xbox myself. 

In my case the cat6 that goes to the switch that connects to the loft where all the gaming happens gets 1 interface on the back of the firewall/router.

The cat6 that goes to the rest of the computers in the house gets another interface on the back of the firewall/router.

The wireless gets its own interface on the back of the firewall/router.

And finally, my computer-illiterate tenant and her daughter get their own interface...

If you don't have a bunch of ports on the back of your opnsense, you can use a managed switch with vlans to do the same thing.

And where are the clear and simple instructions for doing all this in OPNsense?  Not that I would want to do it this way anyway; it should be entirely possible to open ports to the XBOX only without having to go through some convoluted process such as you have described above.  A standard off-the-shelf router that you buy at a big box store can handle this easily (WITHOUT using upnp), and that's why I was so shocked when that other firewall software couldn't.  Now you come along and tell about this overly complicated setup that you have, and that is fine if you know how to do it, but the problem is that if you are coming from the world of off-the-shelf routers like I am, and you have not had a college-level course in networking, you're doing good to make your WAN and LAN work like they are supposed to.  I'm not saying that the way you are doing it might not be arguably better (except that you are using upnp), but it sure sounds complicated to set up and I'm not at that level yet.

Quote from: xinnan on November 02, 2017, 11:16:26 AM
All these are segregated by firewall rules.  I like xbox to have upnp so that it works the way it should.  Not sure what a hacker could do with it isolated the way it is.

Keep using upnp and you just might find out.  And an XBOX will work the way it should without using upnp, provided the router software handles port forwarding correctly.  You seem to have convinced yourself that using upnp is the right way to do it, well it is your system and it is your choice to make, but you are compromising the security of your system by using upnp.  And you don't need a college degree in networking to know that, all you have to have done is read any of the several articles about the dangers of using upnp that have been published over the past few years, such as https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/

Again, my #1 objection to upnp is that once you configure it, any piece of software on any computer on your local network can use it (unless you set up some overly complicated setup that the average user would never be able to understand).  My wish would be that you could create a list of specific machines (by IP address or MAC address) that are allowed to use upnp.  ONLY those machines could use it, anything else on your network would be blocked from using upnp.  That way, if some piece of malware on your desktop computer or your Android device tries to open ports using upnp it would get nowhere.  This won't stop all kinds of attacks, but at least it closes off that one avenue that can effectively circumvent your firewall.

Quote from: xinnan on November 02, 2017, 11:16:26 AM
There is a difference between imagined security and actual security.  You want security, isolate your xbox, any computer kids, wives, visitors, friends etc etc touch (because they will bring in malware) from your important computers and devices.  Don't hamstring your poor xbox's ability to forward ports it needs.

So to get back to my opening paragraph, I have you pegged as the bad advice guy in this forum, or what I sometimes call the forum "know-it-all".  The typical forum know-it-all is very opinionated and sometimes very wrong, and offers their bad advice whether anyone wants it or not.  You think your security is fine, but I cannot take anyone seriously who believes that using upnp isn't a security risk, or that believes that making some convoluted network is the right way to get around the security issues associated with upnp.

I'm not the moderator so I can't ask you to stop pushing upnp in this thread, but just to make it clear, I have no intention of doing what you're doing (specifically I am NOT going to use upnp) so you might as well give it up.  And you should have known that from the thread title: "How well does OPNsense work with an XBOX if you don't enable upnp?"  So are you just trolling?

Now having said all that, I realize there are situations where users may be forced to use upnp, such as if you have multiple XBOX users on the same network that want to use their XBOXes at the same time.  But it's still a security risk, and I'm not in that situation because I only have one XBOX.  And that is a situation that would not be as big of a problem if you could limit the use of upnp to the XBOXes only, and deny it to everything else on the network.
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!
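The objection raised in the post above, that any program on any LAN host can ask a UPnP-enabled router for a port mapping, points at a defensive check for anyone who does leave UPnP on for a console: dump the router's mapping table regularly and flag every mapping that goes to a host other than the approved console, or to a port the console is not expected to use. The following is an added example, not code from the thread or from the OPNsense project. It assumes the mappings have already been exported to a simple text table (the constructed `proto ext_port internal_ip int_port description` layout below, not the output of any particular tool); the console address and the 3074/1863 inbound ports are the ones discussed in the thread.

```python
"""
Audit a UPnP/IGD port-mapping table against an allowlist of consoles.

Added example (not from the thread or OPNsense). The table format parsed
here is constructed for the example; adapt parse_mappings() to whatever
your router's UPnP status view or IGD client actually prints.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed policy: the console segment and, per approved console, the
# inbound ports the thread says it actually needs (3074, possibly 1863).
CONSOLE_SUBNET = ip_network("192.168.21.0/24")
APPROVED = {
    "192.168.21.10": frozenset({3074, 1863}),
}


@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int
    int_ip: str
    int_port: int
    description: str


def parse_mappings(text: str) -> list:
    """Parse the constructed 'proto ext_port int_ip int_port description' table."""
    result = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        proto, ext, ip, port, *rest = line.split(None, 4)
        result.append(Mapping(proto.upper(), int(ext), ip, int(port),
                              rest[0] if rest else ""))
    return result


def audit(mappings, approved=APPROVED, subnet=CONSOLE_SUBNET) -> list:
    """Return (mapping, reason) for every mapping the policy does not cover."""
    findings = []
    for m in mappings:
        addr = ip_address(m.int_ip)
        if addr not in subnet:
            # A mapping into the general LAN is exactly the case the thread
            # worries about: something other than the console opened a port.
            findings.append((m, "internal host outside console subnet"))
        elif m.int_ip not in approved:
            findings.append((m, "internal host not an approved console"))
        elif m.int_port not in approved[m.int_ip]:
            findings.append((m, "port not in the console's approved set"))
    return findings


# Constructed sample table: three legitimate console mappings, one mapping
# requested by a LAN host, one unexpected port on the console itself.
SAMPLE_TABLE = """\
# proto  ext_port  internal_ip     int_port  description  (constructed)
UDP      3074      192.168.21.10   3074      Xbox Live
TCP      3074      192.168.21.10   3074      Xbox Live
TCP      1863      192.168.21.10   1863      Xbox Live
TCP      8443      192.168.20.57   8443      updater
UDP      6881      192.168.21.10   6881      torrent client
"""


def report(text: str = SAMPLE_TABLE) -> list:
    """Compact (proto, ext_port, int_ip, reason) tuples for each finding."""
    return [(m.proto, m.ext_port, m.int_ip, reason)
            for m, reason in audit(parse_mappings(text))]


if __name__ == "__main__":
    for item in report():
        print("FLAG", *item)
```

Run on the sample table it flags the mapping to 192.168.20.57 and the 6881 mapping on the console, and leaves the three Xbox Live mappings alone; in practice the same check is worth scheduling, since a mapping a LAN host requested stays in place until its lease expires or the router is rebooted.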

Quote from: weust on November 02, 2017, 11:46:33 AM
I didn't forward, or open, ports 80, 443 and 53 inside.
Xbox Live worked fine. Played some Destiny with it.

I may have an old configuration I could check.
Should have everything you need.
Thanks again for all your help.  If you can find it I would really like to see it; anything that you think might be helpful in making this work would be greatly appreciated!
I'm a home user of OPNsense, not a networking expert.  I'd much appreciate it if you'd keep that in mind if replying to something I posted.  Many thanks!

You're in luck. Happen to have one config backup left from before I started messing around.
So behold my, again, l33t Paint skills.

Good luck.
Hobbyist at home, sysadmin at work. Sometimes the first is mixed with the second.