Upon turning on my Xbox One after several months, I was greeted by “Strict NAT” (which only allows you to play and communicate with “Open NAT” players and prohibits you from hosting games) when trying to play. My son had complained some time ago about seeing “Strict NAT,” so I enabled UPnP for the gaming VLAN, which at least got him to “Moderate NAT.” After reading several bulletin boards and watching multiple YouTube videos on the subject, I finally got “Open NAT” on both Xbox Ones. Here is how I accomplished it in pfSense:
- Services > DHCP Server > VLAN_for_your_gaming_devices; create static mappings for your Xbox One(s) so their addresses never change (the outbound NAT rule and UPnP ACL entries below are tied to those addresses). If you haven’t created a separate VLAN for your gaming devices, stop here and refer to one of @LTS_Tom’s videos on how to do that in pfSense. Never enable UPnP on a “flat” network: any host on the segment that can speak UPnP or NAT-PMP can ask the firewall to open inbound ports to itself.
- Firewall > Aliases; create an entry for your Xbox One(s).
- System > Advanced > Firewall and NAT; change “NAT Reflection mode for port forwards” to “Pure NAT” and check “Automatic create outbound NAT rules that direct traffic back out to the same subnet it originated from” (this allows multiple consoles to join the same server).
- Firewall > NAT > Outbound; create a mapping for your Xbox One(s): source is the console’s address (or the alias from the previous step) with a “/32” subnet mask, destination is any, translation is the WAN address.
Notice the “/32” subnet mask. Make sure “Static Port” is ticked, so pfSense does not rewrite the console’s source port on the way out; Xbox Live decides your NAT type partly by checking whether the outbound port survives NAT unchanged.
- Firewall > NAT > Outbound; tick “Hybrid Outbound NAT rule generation. (Automatic Outbound NAT + rules below).”
- Services > UPnP and NAT-PMP; tick the first three boxes (“Enable UPnP & NAT-PMP,” “Allow UPnP Port Mapping,” and “Allow NAT-PMP Port Mapping”), highlight only your gaming VLAN in the Interfaces list, then tick the “Deny access to UPnP & NAT-PMP by default” box.
- At the bottom of the same page, create rules similar to these:
For those three lines under “ACL Entries,” I actually “stole” those from the config.gateway.json file I used with a UniFi USG Pro for the same issue (Open NAT with multiple Xbox Ones). Note that you want a deny entry for port 3074 covering the whole subnet, which forces the Xbox One(s) to request different ports for Xbox Live and allows multiple Xbox Ones to have Open NAT at the same time. This deny entry must be the first entry in the list: the ACL is evaluated top to bottom and the first matching entry wins, so if one of the per-console allow entries came first it would grant 3074 before the deny was ever reached. The “/24” applies the deny to the entire subnet. The “/32” in the other two entries indicates individual hosts, which are the only ones on the network allowed to create UPnP mappings (these allow entries are the exceptions to the “Deny access to UPnP & NAT-PMP by default” setting ticked above; everything not explicitly allowed is still refused).
Make sure your Xbox One(s) is/are completely shut down (when in doubt, unplug it/them) so that no stale NAT states from the old mappings survive. In pfSense, Diagnostics > States > Reset States; tick “Reset the firewall state table,” then click the “Reset” button. You’ll need to re-connect to pfSense after that, since your own management session is cleared along with everything else.
Turn on your Xbox One(s) and wait for them to boot. In pfSense, Status > UPnP & NAT-PMP, you should see entries similar to this:
Enjoy your “Open NAT” and the ability to play in the same server (if using multiple Xbox Ones).
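To make the ordering point from the “ACL Entries” step concrete, here is an added example (mine, not part of the original post or of pfSense/miniupnpd) that evaluates a pfSense-style UPnP ACL the way miniupnpd does: entries in order, first match wins, and anything that matches nothing is accepted, which is why the “Deny access by default” box appends a trailing deny-all. The subnet 192.168.20.0/24, the console addresses .10 and .11, and the port numbers are constructed for illustration; the entry format `allow|deny <ext-port-range> <ip/mask> <int-port-range>` is miniupnpd’s documented one.

```python
"""First-match evaluation of miniupnpd-style UPnP ACL entries.

Added example; the addresses and ACL lines below are constructed to
mirror the three entries described in the post, not copied from it.
"""
import ipaddress

# Constructed ACL: deny 3074 across the gaming /24 first, then one allow
# per console.  The last line is what pfSense appends when
# "Deny access to UPnP & NAT-PMP by default" is ticked.
ACL_ENTRIES = [
    "deny 3074 192.168.20.0/24 3074",
    "allow 1024-65535 192.168.20.10/32 1024-65535",
    "allow 1024-65535 192.168.20.11/32 1024-65535",
    "deny 0-65535 0.0.0.0/0 0-65535",
]

# Same entries with the deny moved below the allows: the mistake the post
# warns about.
MISORDERED_ENTRIES = ACL_ENTRIES[1:3] + [ACL_ENTRIES[0]] + ACL_ENTRIES[3:]


def parse_range(text):
    """'3074' -> (3074, 3074); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = text.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text}")
    return lo, hi


def parse_acl(lines):
    """Turn ACL text lines into (action, ext_range, network, int_range)."""
    rules = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("allow", "deny"):
            raise ValueError(f"malformed ACL entry: {line!r}")
        action, ext_ports, net, int_ports = fields[:4]
        rules.append((
            action,
            parse_range(ext_ports),
            ipaddress.ip_network(net, strict=False),
            parse_range(int_ports),
        ))
    return rules


def acl_decision(rules, client_ip, ext_port, int_port):
    """Decide a port-mapping request: first matching entry wins.

    With no matching entry miniupnpd accepts the request, so a list
    without a trailing deny-all is effectively 'allow by default'.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, (elo, ehi), net, (ilo, ihi) in rules:
        if ip in net and elo <= ext_port <= ehi and ilo <= int_port <= ihi:
            return action
    return "allow"


def mapping_outcomes(lines):
    """Summarise what each constructed host gets for a few requests."""
    rules = parse_acl(lines)
    requests = [
        ("192.168.20.10", 3074),   # console 1 asks for the default port
        ("192.168.20.10", 3075),   # console 1 asks for an alternate port
        ("192.168.20.11", 3076),   # console 2 asks for an alternate port
        ("192.168.20.50", 3075),   # some other host on the gaming VLAN
    ]
    return {(ip, port): acl_decision(rules, ip, port, port)
            for ip, port in requests}


if __name__ == "__main__":
    for label, entries in (("correct order", ACL_ENTRIES),
                           ("deny not first", MISORDERED_ENTRIES)):
        print(label)
        for (ip, port), verdict in mapping_outcomes(entries).items():
            print(f"  {ip:15} port {port}: {verdict}")
```

Run it and compare the two listings: with the deny entry first, both consoles are refused 3074 and granted their alternate ports while the stray host gets nothing; with the deny moved below the allows, console 1 is handed 3074 and the second console can never get the same mapping, which is exactly the “one Open NAT at a time” symptom.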
Some games also require additional ports. I remember playing Call of Duty Infinite Warfare; it also required port 3076, and I was only able to obtain Open NAT (this was with a UniFi USG) on one console at a time (the other indicated Moderate NAT) while in the actual game. The Xbox Ones themselves, however, indicated Open NAT.
Here is a list of ports used by various Call of Duty games: https://support.activision.com/articles/en_US/FAQ/Ports-Used-for-Call-of-Duty-Games