XboX One and NAT

stark · June 02, 2018, 08:03:36 PM

Hello All,

I have just bought my son an Xbox One X and am trying to get it set up so he can play Fortnite. I did some forum checking and found this:

https://forum.opnsense.org/index.php?topic=3521.0

where there was supposed to be a guide on how to get open NAT for the xbox one, unfortunately its been removed and then moved to the FAQ section but without any guide to follow. Does anyone have a guide that can be posted up or could someone update that thread? I could use trial and error but 10 year olds are not the most patient creatures on earth.

Thanks

blackdwarf · June 02, 2018, 08:52:01 PM

Short Version:

Give your XB1 (or PS4, same process required) a static IP
Install/Enable UPNP
Set "User Specified Permissions" to "allow 88-65535 10.1.1.x/32 88-65535", where 10.1.1.x is the static ip of the XB1/PS4
Firewall>NAT>Outbound - Set to Hybrid/Manual rule generation
Create a rule with the following set: "Source Address - Single Host or network - 10.1.1.x" & "Static Port - Checked"
Do a hard-reboot of your XB1/PS4 (shutting it down and pulling the power for 2 mins will do"

You should now have a NAT Type of Moderate (XB1), or Type 2 (PS4).

stark · June 02, 2018, 09:33:42 PM

Brilliant. That has worked. ;D Thanks for the help.

ikkeT · July 06, 2019, 05:19:46 PM

I confirm this works for PS4. It even didn't take PS4 reboot, just going to menu showed it's Type2.

I opened only ports > 1024 for upnp, and it worked even with that.

Thanks!

R@sM!ke · August 21, 2019, 07:19:56 AM

Tried these instructions and nothing... I also tried the following:

I have the same issue.

I've created a Alias and added my xbox's IPs as the content.
created a WAN Rule to allow any port connection to the Alias
created a WAN Rule to allow any port connection to the xbox IPs
created a Outbound NAT for the Alias
created a Outbound NAT for the xbox IPs

So far nothing I do seems to work for me. I pull up my xbox and see

NAT Type: Strict
UPnP not successful

R@sM!ke · August 21, 2019, 07:23:04 AM

Quote from: blackdwarf on June 02, 2018, 08:52:01 PM
Short Version:

Give your XB1 (or PS4, same process required) a static IP
Install/Enable UPNP
Set "User Specified Permissions" to "allow 88-65535 10.1.1.x/32 88-65535", where 10.1.1.x is the static ip of the XB1/PS4
Firewall>NAT>Outbound - Set to Hybrid/Manual rule generation
Create a rule with the following set: "Source Address - Single Host or network - 10.1.1.x" & "Static Port - Checked"

Thank you so much. Please disregard my previous message, I had to reboot my entire OPNsense box for the changes to take but I am good now.
Do a hard-reboot of your XB1/PS4 (shutting it down and pulling the power for 2 mins will do"

You should now have a NAT Type of Moderate (XB1), or Type 2 (PS4).

JdeFalconr · September 15, 2019, 10:10:31 PM

Quote from: blackdwarf on June 02, 2018, 08:52:01 PM
Short Version:

Give your XB1 (or PS4, same process required) a static IP
Install/Enable UPNP
Set "User Specified Permissions" to "allow 88-65535 10.1.1.x/32 88-65535", where 10.1.1.x is the static ip of the XB1/PS4
Firewall>NAT>Outbound - Set to Hybrid/Manual rule generation
Create a rule with the following set: "Source Address - Single Host or network - 10.1.1.x" & "Static Port - Checked"
Do a hard-reboot of your XB1/PS4 (shutting it down and pulling the power for 2 mins will do"

You should now have a NAT Type of Moderate (XB1), or Type 2 (PS4).

UPnP is a pretty bad security risk unless there's been some recent mitigation I'm not aware of. It effectively lets any LAN host open whatever port they want on the firewall. I've run without UPnP for years using Meraki gear and have open NAT on two Xbox One's, only specifying the needed ports for the devices. OPNSense is also a stateful firewall just like my MX64; there's no reason why you can't get open NAT without effectively putting your XB1 in a DMZ and without UPnP.

jimjohn · July 26, 2021, 09:16:46 PM

Quote from: JdeFalconr on September 15, 2019, 10:10:31 PM
Quote from: blackdwarf on June 02, 2018, 08:52:01 PM
Short Version:

Give your XB1 (or PS4, same process required) a static IP
Install/Enable UPNP
Set "User Specified Permissions" to "allow 88-65535 10.1.1.x/32 88-65535", where 10.1.1.x is the static ip of the XB1/PS4
Firewall>NAT>Outbound - Set to Hybrid/Manual rule generation
Create a rule with the following set: "Source Address - Single Host or network - 10.1.1.x" & "Static Port - Checked"
Do a hard-reboot of your XB1/PS4 (shutting it down and pulling the power for 2 mins will do"

You should now have a NAT Type of Moderate (XB1), or Type 2 (PS4).

UPnP is a pretty bad security risk unless there's been some recent mitigation I'm not aware of. It effectively lets any LAN host open whatever port they want on the firewall. I've run without UPnP for years using Meraki gear and have open NAT on two Xbox One's, only specifying the needed ports for the devices. OPNSense is also a stateful firewall just like my MX64; there's no reason why you can't get open NAT without effectively putting your XB1 in a DMZ and without UPnP.

Now ... what are the required ports?

vdmann · October 29, 2021, 07:43:40 AM

Hi,

I'm facing a similar issue, looking to open NAT by putting my PS4 in DMZ. Would one provide a step-by-step guide?

Thanks!

supercm · December 19, 2021, 02:45:10 AM

Followed instructions exactly as printed and NAT is showing as strict. Where does one troubleshoot?

TheForumTroll · December 27, 2021, 12:04:48 PM

There are good reasons to not want to use UPnP IMO but what option is the best I wont comment further on. I will however add how it is possible to get the same result (NAT type 2) without installing UPnP via Hybrid outbound NAT.

Change IP to static on Xbox/Playstation
Firewall -> NAT -> Outbound: Set Mode to Hybrid outbound NAT rule generation
Add a new rule just below (See attached screenshot for options)
Make sure the Xbox/Playstation is allowed to communicate on the interface it is connected to (likely LAN).

That's it.

RamSense · December 29, 2021, 08:51:56 AM

@TheForumTroll: Thanks a lot. I did not want to enable UPNP but with your solution it works and now I have a happy kid playing with his gaming devices :-)

benbateson · December 12, 2022, 06:51:38 AM

@TheForumTroll Thanks mate, these instructions also resolved my Local Game Server issue (UDK/Steam hosted Game server) :) :) :) :) :)

supercm · February 16, 2023, 09:39:49 PM

Any updates to these instructions as it doesnt seem to work for me? Still strict.

hushcoden · February 20, 2023, 10:58:45 AM

Quote from: supercm on February 16, 2023, 09:39:49 PM
Any updates to these instructions as it doesnt seem to work for me? Still strict.

This has been discussed a few times and I can confirm you just need the Outbound NAT rule, have a read also here: https://forum.opnsense.org/index.php?topic=25473.msg131300

XboX One and NAT

stark

June 02, 2018, 08:03:36 PM

blackdwarf

June 02, 2018, 08:52:01 PM #1

stark

June 02, 2018, 09:33:42 PM #2

ikkeT

July 06, 2019, 05:19:46 PM #3

R@sM!ke

August 21, 2019, 07:19:56 AM #4

R@sM!ke

August 21, 2019, 07:23:04 AM #5

JdeFalconr

September 15, 2019, 10:10:31 PM #6

jimjohn

July 26, 2021, 09:16:46 PM #7

vdmann

October 29, 2021, 07:43:40 AM #8

supercm

December 19, 2021, 02:45:10 AM #9

TheForumTroll

December 27, 2021, 12:04:48 PM #10

RamSense

December 29, 2021, 08:51:56 AM #11

benbateson

December 12, 2022, 06:51:38 AM #12

supercm

February 16, 2023, 09:39:49 PM #13

hushcoden

February 20, 2023, 10:58:45 AM #14