How well does OPNsense work with an XBOX if you don't enable upnp?

[comet]

MasterXBKC, thank you for the clarification and for explaining the issues with upnp, the DMZ, and IPv6.  At present I don't use any of those, and never intend to if I can possibly help it.  It's really easy for people who aren't security conscious to recommend "quick fixes" that can turn around and bite you down the road.

[packet loss]

I had no issue with obtaining an open NAT without having to use UPNP or DMZ with an IPv4 IP address. This applies to XBOX Live since each game has one or more ports that may need to be forwarded unforuntely. My tutorial should work fine. I'm currently using OpenBSD now though as my main firewall with pf handling the 2 below necessities. I'm obtaining an open NAT without any issues.

• port 3544 forwarded in to destination port 3074
• static outbound ports for XBOX

Here's some good info reference XBOX NAT posted on reddit by an XBOX engineer:

https://www.reddit.com/r/xboxone/comments/5og87g/psa_networking_info_part_2_nat_dns_upnp_wtf/

View some of his other posts as well. Valuable info.

[xinnan]

azdps

Forwarded ports plus static outbound NAT is good.  Doesn't address security, but it works.

This topic is really very old.  The first time I ran into this was about 2010?

https://www.youtube.com/watch?v=Q5U0nj9oaZY  (This fix applies very well to opnsense, although the menus are different, assuming you forward all needed ports)

However, no suggested fix will work with opnsense in this configuration:

https://forum.opnsense.org/index.php?topic=6320.msg26798#msg26798    (in case its still that way)

[packet loss]

Forwarded ports plus static outbound NAT is good.  Doesn't address security, but it works.

This will get you an address restricted open NAT. Subnet isolation can help but yes opening port(s) is necessary to obtain an open NAT. And yes, you would need to sacrifice security to achieve this.

This topic is really very old.  The first time I ran into this was about 2010?

https://www.youtube.com/watch?v=Q5U0nj9oaZY  (This fix applies very well to opnsense, although the menus are different, assuming you forward all needed ports)

He just set all outbound ports to static for his console. There's no inbound port forwarding. This will get you a port restricted moderate NAT. This is probably the most secure method but will lead to random connection failures.

However, no suggested fix will work with opnsense in this configuration:

https://forum.opnsense.org/index.php?topic=6320.msg26798#msg26798    (in case its still that way)

My old setup was: cable modem --> OPNsense --> ASUS router (access point). Don't want to double NAT with the router so having it as an access point only will do. comet's setup with having the ASUS router before OPNsense is quite interesting though.

[xinnan]

Yeah - Most people don't have too many problems forwarding ports but the static nat configs seem to trip people up the 1st time, so I sent the video addressing only that.  I'm pretty sure he worked out port forwarding already.  I suspect the guy in the video didn't bother with forwarding ports because he was running upnp. 

[packet loss]

So much infosec fail in this thread, i actually had to drop a comment.

You've pointed out some security implications. So we know using UPNP, DMZ is bad but can you please address how one can solve console NAT issues? This is essentially what comet wanted to know how OPNsense works with an XBOX (open, moderate or strict NAT). Can one obtain an open NAT without compromising security. I would say no. Please explain. Chiming in and just saying don't do this and that without providing a possible solution isn't very helpful.

[comet]

• port 3544 forwarded in to destination port 3074

Oh HELL no to port 3544!!!

https://en.wikipedia.org/wiki/Teredo_tunneling#Security_considerations

I do not need to enable port 3544 to make my XBOX work when using my Asus router and there is no way in hell I will open it under OPNsense or any other router software.  If you have taken pains to disable IPv6 on your local network, this is Microsoft's way to defeat that.  Opening that port is playing with fire!

People really should read what ports are used for before blindly forwarding them, even if it's someone from Microsoft telling you to do it.  Do you really think Microsoft cares that much about the security of your home network?  They were late to the game in taking the security of Windows seriously!

[xinnan]

Forward the ports you need and enable static outbound NAT.  It will work if you do it right.
You shouldn't need to open a Teredo port if you do it right.

[comet]

comet's setup with having the ASUS router before OPNsense is quite interesting though.

Just to be clear, that's only to facilitate initial configuration.  Right now there is absolutely nothing connected to the LAN side.  Once I get it fully configured, it will replace the Asus router (so the Asus won't be in the picture at all) and the rule that allows access to the GUI from the WAN side will be removed.  This assumes that port forwarding to the XBOX will work, in the same way it did in the Asus. If I can't get the XBOX to work without using upnp or forwarding port 3544 then using OPNsense will be a failed experiment.

P.S. I really only have the weekends to work on this stuff; this past weekend I started configuration and probably could have got further if I hadn't wasted three or four hours trying to figure out how to get access to the GUI from the WAN side temporarily.  So now the earliest I will be able to try this with the XBOX will be next weekend.

[xinnan]

The assus has a less secure type of NAT, so that definitely will work easier.  But Opnsense will work. 
The beauty is that once you get it working it will get regular updates and patches and stay secure without much work at all, whereas the assus would be a lot of trouble to keep current.  Initial setup is more difficult though. 

[packet loss]

comet your XBOX will connect fine but you will end up with a moderate NAT at best unless you use port forwarding. I have an IPv4 network not an IPv6 network so the only means I've found what to port forward 3544 to 3074 to obtain an OPEN NAT. It's easy to obtain a moderate NAT open on the other hand isn't. IPv6 network should not need the port forwarded.

Moderate NAT:

• static outbound ports

Open NAT:

• static outbound ports
• inbound port forwarding

If you figure out something valuable please share your finding. I'm looking forward to your testing results.


xinnan do you have an XBOX? If so what are your settings and what type of NAT does the XBOX show you have?

weust why did you sell your XBOX one? Looks like you use a PS4 pro.

[weust]

I am using a PS4 Pro, and a PC. So for Destiny 2 I need to switch forwarding using enable/disable. Pretty annoying.

Only bought the Xbox One for two games.
Quantum Break did so poorly in reviews I never bought it, and the other was Recon.
The latter was so f*cking annoying at a boss fight I quit there.

Sold it last week, or week before.

[comet]

comet your XBOX will connect fine but you will end up with a moderate NAT at best unless you use port forwarding.

That's what I do now on the Asus, but...

I have an IPv4 network not an IPv6 network so the only means I've found what to port forward 3544 to 3074 to obtain an OPEN NAT.

... what I do (on the Asus) is forward port 3074 and some other ports directly through to the XBOX, with no remapping of port numbers.  Basically I am following the instructions on this page:

https://support.xbox.com/en-US/xbox-360/networking/network-ports-used-xbox-live

The five ports shown there (the four in the list plus 1863 as mentioned in the paragraph after the list) are what I have been forwarding to the XBOX.   I have not and will not forward port 3544; that is such a huge security risk that I don't know why anyone would do that.

Simply forwarding the ports shown on that page is all I've ever had to do under the Asus to get the XBOX to work.  If you guys are having to use port 3544, it may work, but it's a huge fail from a security standpoint.  It particularly makes no sense for those who disable IPv6 on their LAN's to avoid the security headaches of dealing with IPv6, because as I understand it port 3544 creates an IPv6 tunnel into your system that may not have any line of defense at all against the bad guys.  And my point all along has been that if just forwarding those ports mentioned in the Microsoft document works with nearly every home router you might buy, and also when using router firmware like DD-WRT (which it does), then forwarding those same ports is all that ought to be necessary when using a software package such as OPNsense.  And unless something comes up, I should know after this coming weekend whether it does.

I don't understand why remapping port 3544 to port 3074 works for anyone; if all the documentation is to be believed those ports have two entirely different purposes, and that's not what Microsoft is telling people to do (at least not on the above-mentioned page).  I won't argue about it's effectiveness because if someone says it works for them, and they don't care about the security risk, all I can do is just shrug my shoulders and go "huh?".  But to me it doesn't make any sense.

Anyway, I really hope that simple port forwarding does work under OPNsense.  Guess I'll know next weekend.

[comet]

The assus has a less secure type of NAT, so that definitely will work easier.

Less secure in what way?  Just that it doesn't get updated as often?

But Opnsense will work. 
The beauty is that once you get it working it will get regular updates and patches and stay secure without much work at all, whereas the assus would be a lot of trouble to keep current.  Initial setup is more difficult though.

Yes, that's what I'm discovering.  I'm actually running the Merlin build of Asuswrt on the Asus, so it does get updated a bit more often than the stock Asus firmware.  Used to run DD-WRT until they screwed something up so that after upgrading the firmware it went into an endless reboot loop.  By the way, either of those firmwares allow the XBOX to work great with just the port forwarding.

The regular updates and patches are part of the appeal of OPNsense, and also that you can use much better hardware than what you get in an off-the-shelf router.  Also, if I can get past the initial hurdles and get it to work without causing problems for connected equipment, then I would like to try enabling the intrusion detection, assuming I can figure out how that works (and at the moment I don't understand that feature much at all, but no point asking about it until I see if I can get the basics working).

The biggest problem I've been having is finding documentation that I can understand.  I get that coders would much rather write software than documentation, but for certain features just a bit better documentation (written in such a way that new users can understand it) would go a long way in helping avoid posts in this forum from people just trying to make it all work (I know some wise guy will probably suggest that maybe I should contribute documentation, but unless I understand what I am doing, that would just be the blind leading the blind.  And right now the parts I'm having the most trouble understanding are the parts that aren't documented all that that well, and by not that well I mean it's either non-existent or too sparse, or it assumes knowledge on the part of the reader that I don't have, so it's way over my head).

[xinnan]

Well, the Opnsense NAT is symmetric NAT, like your friend was saying earlier.  It's Strict NAT.  So, in the cases of gaming and VOIP, it's easier to get something like your assus working. 

DD-WRT (I use it for some things even today), is less strict but also its less secure and less full-featured.  For instance, it can turn IPV6 on but then its not so easy to secure it.  Opnsense allows very safe use of IPV6.

However, if you:

1st Forward the ports you need to X-Box.
2nd Sort of follow along with that video to get your static outbound NAT configured.
3rd Save it to use hybrid outbound NAT (Not automatic or Manual)

Remember to save and apply.

It should work.  If it's not working like you want after that, I'd be surprised. 

As far as the lack of documentation, Opnsense is a work in progress and I'm sure the devs would be the first people to agree the documentation needs further developing.  Takes time.  People just like you do contribute to the documentation though.  Not being sarcastic at all.