XboX One and NAT

[stark]

Hello All,

I have just bought my son an Xbox One X and am trying to get it set up so he can play Fortnite.  I did some forum checking and found this:

https://forum.opnsense.org/index.php?topic=3521.0

where there was supposed to be a guide on how to get open NAT for the xbox one, unfortunately its been removed and then moved to the FAQ section but without any guide to follow.  Does anyone have a guide that can be posted up or could someone update that thread?  I could use trial and error but 10 year olds are not the most patient creatures on earth.

Thanks

[blackdwarf]

Short Version:

• Give your XB1 (or PS4, same process required) a static IP
• Install/Enable UPNP
• Set "User Specified Permissions" to "allow 88-65535 10.1.1.x/32 88-65535", where 10.1.1.x is the static ip of the XB1/PS4
• Firewall>NAT>Outbound - Set to Hybrid/Manual rule generation
• Create a rule with the following set: "Source Address - Single Host or network - 10.1.1.x" & "Static Port - Checked"
• Do a hard-reboot of your XB1/PS4 (shutting it down and pulling the power for 2 mins will do"

You should now have a NAT Type of Moderate (XB1), or Type 2 (PS4).

[stark]

Brilliant.  That has worked.    Thanks for the help.

[ikkeT]

I confirm this works for PS4. It even didn't take PS4 reboot, just going to menu showed it's Type2.

I opened only ports > 1024 for upnp, and it worked even with that.

Thanks!

[R@sM!ke]

Tried these instructions and nothing... I also tried the following:

I have the same issue.


I've created a Alias and added my xbox's IPs as the content.
created a WAN Rule to allow any port connection to the Alias
created a WAN Rule to allow any port connection to the xbox IPs
created a Outbound NAT for the Alias
created a Outbound NAT for the xbox IPs

So far nothing I do seems to work for me. I pull up my xbox and see

NAT Type: Strict
UPnP not successful

[R@sM!ke]

Short Version:

• Give your XB1 (or PS4, same process required) a static IP
• Install/Enable UPNP
• Set "User Specified Permissions" to "allow 88-65535 10.1.1.x/32 88-65535", where 10.1.1.x is the static ip of the XB1/PS4
• Firewall>NAT>Outbound - Set to Hybrid/Manual rule generation
• Create a rule with the following set: "Source Address - Single Host or network - 10.1.1.x" & "Static Port - Checked"

Thank you so much. Please disregard my previous message, I had to reboot my entire OPNsense box for the changes to take but I am good now.

• Do a hard-reboot of your XB1/PS4 (shutting it down and pulling the power for 2 mins will do"

You should now have a NAT Type of Moderate (XB1), or Type 2 (PS4).

[JdeFalconr]

Short Version:

• Give your XB1 (or PS4, same process required) a static IP
• Install/Enable UPNP
• Set "User Specified Permissions" to "allow 88-65535 10.1.1.x/32 88-65535", where 10.1.1.x is the static ip of the XB1/PS4
• Firewall>NAT>Outbound - Set to Hybrid/Manual rule generation
• Create a rule with the following set: "Source Address - Single Host or network - 10.1.1.x" & "Static Port - Checked"
• Do a hard-reboot of your XB1/PS4 (shutting it down and pulling the power for 2 mins will do"

You should now have a NAT Type of Moderate (XB1), or Type 2 (PS4).

UPnP is a pretty bad security risk unless there's been some recent mitigation I'm not aware of. It effectively lets any LAN host open whatever port they want on the firewall. I've run without UPnP for years using Meraki gear and have open NAT on two Xbox One's, only specifying the needed ports for the devices. OPNSense is also a stateful firewall just like my MX64; there's no reason why you can't get open NAT without effectively putting your XB1 in a DMZ and without UPnP.

[jimjohn]

Short Version:

• Give your XB1 (or PS4, same process required) a static IP
• Install/Enable UPNP
• Set "User Specified Permissions" to "allow 88-65535 10.1.1.x/32 88-65535", where 10.1.1.x is the static ip of the XB1/PS4
• Firewall>NAT>Outbound - Set to Hybrid/Manual rule generation
• Create a rule with the following set: "Source Address - Single Host or network - 10.1.1.x" & "Static Port - Checked"
• Do a hard-reboot of your XB1/PS4 (shutting it down and pulling the power for 2 mins will do"

You should now have a NAT Type of Moderate (XB1), or Type 2 (PS4).

UPnP is a pretty bad security risk unless there's been some recent mitigation I'm not aware of. It effectively lets any LAN host open whatever port they want on the firewall. I've run without UPnP for years using Meraki gear and have open NAT on two Xbox One's, only specifying the needed ports for the devices. OPNSense is also a stateful firewall just like my MX64; there's no reason why you can't get open NAT without effectively putting your XB1 in a DMZ and without UPnP.

Now … what are the required ports?

[vdmann]

Hi,

I'm facing a similar issue, looking to open NAT by putting my PS4 in DMZ. Would one provide a step-by-step guide?

Thanks!

[supercm]

Followed instructions exactly as printed and NAT is showing as strict. Where does one troubleshoot?

[TheForumTroll]

There are good reasons to not want to use UPnP IMO but what option is the best I wont comment further on. I will however add how it is possible to get the same result (NAT type 2) without installing UPnP via Hybrid outbound NAT.

• Change IP to static on Xbox/Playstation
  
• Firewall -> NAT -> Outbound: Set Mode to Hybrid outbound NAT rule generation
• Add a new rule just below (See attached screenshot for options)
• Make sure the Xbox/Playstation is allowed to communicate on the interface it is connected to (likely LAN).

That's it.

[RamSense]

@TheForumTroll: Thanks a lot. I did not want to enable UPNP but with your solution it works and now I have a happy kid playing with his gaming devices :-)

[benbateson]

@TheForumTroll Thanks mate, these instructions also resolved my Local Game Server issue (UDK/Steam hosted Game server) 

[supercm]

Any updates to these instructions as it doesnt seem to work for me? Still strict.

[hushcoden]

Any updates to these instructions as it doesnt seem to work for me? Still strict.

This has been discussed a few times and I can confirm you just need the Outbound NAT rule, have a read also here: https://forum.opnsense.org/index.php?topic=25473.msg131300