Forwarded ports plus static outbound NAT is good. Doesn't address security, but it works.
This topic is really very old. The first time I ran into this was about 2010? https://www.youtube.com/watch?v=Q5U0nj9oaZY (This fix applies very well to opnsense, although the menus are different, assuming you forward all needed ports)
However, no suggested fix will work with opnsense in this configuration:https://forum.opnsense.org/index.php?topic=6320.msg26798#msg26798 (in case its still that way)
So much infosec fail in this thread, i actually had to drop a comment.
port 3544 forwarded in to destination port 3074
comet's setup with having the ASUS router before OPNsense is quite interesting though.
comet your XBOX will connect fine but you will end up with a moderate NAT at best unless you use port forwarding.
I have an IPv4 network not an IPv6 network so the only means I've found what to port forward 3544 to 3074 to obtain an OPEN NAT.
The assus has a less secure type of NAT, so that definitely will work easier.
But Opnsense will work. The beauty is that once you get it working it will get regular updates and patches and stay secure without much work at all, whereas the assus would be a lot of trouble to keep current. Initial setup is more difficult though.