pfSense and Multiple Xbox Ones: Open NAT Guide

Upon turning on my Xbox One after several months, I was greeted by “Strict NAT” (which only allows you to play and communicate with “Open NAT” players and prohibits you from hosting games) when trying to play. My son had complained some time ago about seeing “Strict NAT,” so I enabled UPnP for the gaming VLAN, which at least got him to “Moderate NAT.” After reading several bulletin boards and watching multiple YouTube videos on the subject, I finally got “Open NAT” on both Xbox Ones. Here is how I accomplished it in pfSense:

  1. Services > DHCP Server > VLAN_for_your_gaming_devices; create static entries for your Xbox One(s). If you haven’t created a separate VLAN for your gaming devices, stop here and refer to one of @LTS_Tom’s videos on how to do that in pfSense… never enable UPnP on a “flat” network.

  2. Firewall > Aliases; create an entry for your Xbox One(s).

  3. System > Advanced > Firewall and NAT; change “NAT Reflection mode for port forwards” to “Pure NAT” and check “Automatic create outbound NAT rules that direct traffic back out to the same subnet it originated from” (this allows multiple consoles to join the same server).

  4. Firewall > NAT > Outbound; create an entry for your Xbox One(s):

Notice the “/32” subnet mask. Make sure “Static Port” is ticked.

  5. Firewall > NAT > Outbound; tick “Hybrid Outbound NAT rule generation. (Automatic Outbound NAT + rules below).”

  6. Services > UPnP and NAT-PMP; tick the first three boxes, highlight only your gaming VLAN, then tick the “Deny access to UPnP & NAT-PMP by default” box.

  7. At the bottom of the same page, create rules similar to these:

For those three lines under “ACL Entries,” I actually “stole” those from the config.gateway.json file I used with a UniFi USG Pro for the same issue (Open NAT with multiple Xbox Ones). Note that you want to block port 3074, which forces the Xbox One(s) to use different ports for Xbox Live and allows multiple Xbox Ones to have Open NAT. This rule must be the first entry in the list. The “/24” applies the rule to the entire subnet. The “/32” in the other two entries indicates individual hosts, which are the only ones on the network allowed to access UPnP (this overrides the “Deny access to UPnP & NAT-PMP by default” setting in step 6).

  8. Make sure your Xbox One(s) is/are completely shut down (when in doubt, unplug it/them). In pfSense, Diagnostics > States > Reset States; tick the “Reset the firewall state table,” then click on the “Reset” button. You’ll need to re-connect to pfSense after that.

  9. Turn on your Xbox One(s) and wait for them to boot. In pfSense, Status > UPnP & NAT-PMP, you should see entries similar to this:

Enjoy your “Open NAT” and the ability to play in the same server (if using multiple Xbox Ones).

Some games also require additional ports. I remember playing Call of Duty Infinite Warfare; it also required port 3076, and I was only able to obtain Open NAT (this was with a UniFi USG) on one console at a time (the other indicated Moderate NAT) while in the actual game. The Xbox Ones themselves, however, indicated Open NAT.

Here is a list of ports used by various Call of Duty games: https://support.activision.com/articles/en_US/FAQ/Ports-Used-for-Call-of-Duty-Games

5 Likes
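As an added illustration (not from the original post and not pfSense or miniupnpd code) of why the “deny 3074” line has to sit first: pfSense passes the ACL entries to miniupnpd in the form `allow|deny <ext port> <int ip/cidr> <int port>`, and they are evaluated top to bottom with the first match winning. The 192.168.50.0/24 subnet and the two host addresses are placeholders I made up, and modelling the “Deny access by default” box as a trailing deny-all rule is an assumption.

```python
import ipaddress

# Constructed example ACL in pfSense/miniupnpd format (placeholder addresses):
#   <allow|deny> <ext port or range> <int ip or ip/cidr> <int port or range>
ACL_TEXT = """
deny 3074 192.168.50.0/24 3074
allow 0-65535 192.168.50.10/32 0-65535
allow 0-65535 192.168.50.11/32 0-65535
"""


def _port_range(spec):
    """'3074' -> (3074, 3074); '0-65535' -> (0, 65535)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi) if hi else int(lo)


def parse_acl(text):
    """Parse ACL lines into (action, ext_range, network, int_range) tuples."""
    rules = []
    for line in text.strip().splitlines():
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action in ACL line: {line!r}")
        rules.append((action, _port_range(ext),
                      ipaddress.ip_network(net, strict=False),
                      _port_range(internal)))
    return rules


def permitted(rules, ext_port, int_ip, int_port, deny_by_default=True):
    """First matching rule decides, as miniupnpd does. The pfSense
    'Deny access to UPnP & NAT-PMP by default' box is modelled here as
    a trailing deny-all rule (assumption about the GUI setting)."""
    host = ipaddress.ip_address(int_ip)
    for action, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and host in net and ilo <= int_port <= ihi:
            return action == "allow"
    return not deny_by_default


def deny_3074_is_first(rules):
    """Sanity check for the ordering the guide insists on."""
    action, (elo, ehi), _net, _int = rules[0]
    return action == "deny" and elo <= 3074 <= ehi
```

Moving the allow lines above the deny line lets a listed console map 3074 again, which is exactly the case the ordering rule is meant to prevent.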

This is similar to how I got a Moderate NAT for gaming on PC when I still played games; yours is a bit further in depth than what I did, but you also got to Open. I’m certain that, other than having to discover the ports, this should work for most NAT-related issues.

I am going to try this as soon as I get home! I have spent a whole year trying to get this to work right. To this day I am able to get both Xboxes to show Open NAT, but both of them cannot successfully join a game together on several games (Apex, COD, to name a few).

I believe that deny entry is what I was missing all along. I am so excited to try this. Thanks so much for the time you put into making this!

@tbigs2011

Step 3 is what enables multiple consoles to join the same server; I just edited the original post to “reflect” that.

Would this work if I used manual outbound NAT instead of hybrid? Is it safe to assume that doesn’t matter as long as the actual rule is correct?

I followed your steps to the letter and I’m still getting Moderate. I wonder if it could be anything else. I’m not seeing any Snort alerts. Anything I’d need to do with my switch?

Do you have any other firewall rules for your gaming VLAN? I also only got Moderate NAT until I disabled the RFC1918 rule I had in place.

The “Block XBN to LAN” rule could be the problem. Disable that rule, completely shut down your Xbox Ones (by holding the power button until they shut off), and in pfSense, Diagnostics > States > Reset States; tick the “Reset the firewall state table,” then click on the “Reset” button. I mentioned an issue with a similar rule in my third post in this thread.

1 Like

I fixed it!!! Basically I had to create a VLAN like you recommended in the first part of the guide. Dedicated UPnP to the Xbox VLAN only. I also had to change the UPnP rules from 53-65535 to 0-65535. Also, hybrid NAT rules is the only one that gives consoles both Open NATs. Manual doesn’t work.

I also had to disable DNS resolving entirely, remove all the DNS servers in general settings and set up encrypted DNS on port 883 using custom rules to go to Cloudflare 1.1.1.1, with firewall rules on LAN and the VLAN to route any unencrypted DNS to a dead end, then setting a firewall rule for WAN to drop all DNS packets on port 53. This confusing solution finally fixed my DNS leaking to my VPN provider. No matter what I did before, I was always somehow getting some IP addresses from my VPN provider’s DNS server instead of the specified OpenDNS server I had. This forces Cloudflare, a much better solution.

Anyways, I fixed it this way, and isolating using a VLAN was the main solution. Encrypting the DNS was the final fix.

@TheAlmightyOgreLord

I’m glad you figured it out, and thanks for posting the steps you took to get it working. I’m having “Strict NAT” issues with the “Xbox Console Companion” that’s included with Windows 10:


I tried changing the ports as described here, yet “Strict” is still indicated. pfSense shows the port being used (54026 is the port [among others I tried] I set, using the instructions in the aforementioned YouTube video):

I’m not particularly concerned about it, however, since I’m only using the Windows app for chat and such.

1 Like

UPDATE:

If you have multiple Xbox Ones on your network, another option to achieve Open NAT (in lieu of blocking port 3074 in the UPnP rules) is to set the ports manually on the consoles themselves:

Network > Advanced settings > Alternate port selection (make sure the consoles are all set to use different ports)

1 Like

OK, I was really dumb. I use an OpenWrt router as an AP and another as a repeater. I somehow forgot to disable the firewall, DHCP and UPnP services from starting on the OpenWrt AP :triumph: :face_with_symbols_over_mouth:

This whole time I’ve been troubleshooting, encrypting my DNS, worrying about conflicting firewall rules. It was all because my wireless AP was creating a double firewall :man_facepalming:t2:

Good news:
I am able to achieve an Open NAT on both consoles with automatic port mapping WITH my [deny vlan -> lan] rule, as well as my [deny vlan -> openvpn] rule.

I also found out through my testing that Open NAT also works with encrypted upstream DNS!

So not only is the NAT open for both Xboxes; they’re being routed to a privacy-friendly anonymous encrypted DNS server (1.1.1.1), through an upstream encrypted TLS tunnel with zero DNS leaks to my ISP. The VLAN is sandboxed completely from OpenVPN and the LAN network, giving me the most secure setup. :fist:t2:

How to achieve an Open NAT for pfSense + OpenWrt users:

If you’re using an OpenWrt router as an AP with your pfSense environment like me, go to the LuCI configuration page for your AP. Make sure that dnsmasq, firewall, and odhcpd are all set to disabled in System -> Startup. Then go to Network -> DHCP and DNS -> make sure ‘Authoritative’ is checked, hit save and apply. Then reboot the AP. Do this for every OpenWrt repeater you have as well, otherwise you’ll get stuck with an unavailable NAT.

This works 100% of the time for 2 Xbox Ones (Xbox One S and Xbox One).