pfSense and Multiple Xbox Ones: Open NAT Guide

Do you have any other firewall rules for your gaming VLAN? I also only got Moderate NAT until I disabled the RFC1918 rule I had in place.

The “Block XBN to LAN” rule could be the problem. Disable that rule, completely shut down your Xbox Ones (by holding the power button until they shut off), and in pfSense, Diagnostics > States > Reset States; tick the “Reset the firewall state table,” then click on the “Reset” button. I mentioned an issue with a similar rule in my third post in this thread.


@TheAlmightyOgreLord

I’m glad you figured it out, and thanks for posting the steps you took to get it working. I’m having “Strict NAT” issues with the “Xbox Console Companion” that’s included with Windows 10:


I tried changing the ports as described here, yet “Strict” is still indicated. pfSense shows the port being used (54026 is the port [among others I tried] I set, using the instructions in the aforementioned YouTube video):

I’m not particularly concerned about it, however, since I’m only using the Windows app for chat and such.


UPDATE:

If you have multiple Xbox Ones on your network, another option to achieve Open NAT (in lieu of blocking port 3074 in the UPnP rules) is to set the ports manually on the consoles themselves:

Network > Advanced settings > Alternate port selection (make sure the consoles are all set to use different ports)


OK, I was really dumb. I use an OpenWRT router as an AP and another as a repeater. I somehow forgot to disable the firewall, DHCP and UPnP services from starting on the OpenWRT AP :triumph: :face_with_symbols_over_mouth:

This whole time I’ve been troubleshooting, encrypting my DNS, worrying about conflicting firewall rules. It was all because my wireless AP was creating a double firewall :man_facepalming:t2:

Good news:
I am able to achieve an Open NAT on both consoles with automatic port mapping WITH my [deny vlan → lan] rule, as well as my [deny vlan → openvpn] rule.

I also found out through my testing that Open NAT also works with encrypted upstream DNS!

So not only is the NAT open for both Xboxes; they’re being routed to a privacy-friendly anonymous encrypted DNS server (1.1.1.1), through an upstream encrypted TLS tunnel with zero DNS leaks to my ISP. The VLAN is sandboxed completely from OpenVPN and the LAN network, giving me the most secure setup. :fist:t2:

How to achieve an Open NAT for PfSense + OpenWRT users:

If you’re using an OpenWRT router as an AP with your pfSense environment like me, go to the LuCI configuration page for your AP. Make sure that dnsmasq, firewall, and odhcpd are all set to disabled in System → Startup. Then go to Network → DHCP and DNS → make sure ‘Authoritative’ is checked, hit save and apply. Then reboot the AP. Do this for every OpenWRT repeater you have as well, otherwise you’ll get stuck with an unavailable NAT.

This works 100% of the time for two Xbox Ones (Xbox One S and Xbox One).


Update for Open NAT with OpenWRT AP

Don’t forget to also disable sysntpd from startup in System → Startup inside the LuCI configuration page, and reboot OpenWRT afterwards. Do the same for every OpenWRT repeater you have. It was causing NTP conflicts with the parent pfSense interface.

I come here with one final tip for you guys.

Setting the pfSense firewall’s congestion algorithm to “Conservative” seems to keep the NAT open indefinitely.

I came across this solution from another user on a different tech forum. Nonetheless it works. You can even leave the Xbox One on power saving mode, no long startup is necessary, no toggling wifi. It just works once the NAT is made open.

Thanks for the additional information, @TheAlmightyOgreLord. I have a feeling this thread will [unfortunately] get more views in light of current events.


Here is what Xbox Live looks like in Wireshark:

Notice the “Port A” column, which would normally indicate 3074.


Excellent write-up!! I am having issues getting any of it to work consistently though, and I’m no dummy when it comes to this stuff. I will only see UPnP connections from time to time, it’s not consistent at all. It seems to just do straight up NAT Outbound and disregards my UPnP rules.

I play Destiny 2 among other things which works fine until we try to team up in the same game. There are 3 gaming PCs, an Xbox One, and an XBOX 360 on network among a whole slew of other non-gaming type devices.

I have denied ports 3074 and 3097 via UPnP. Outbound NAT is wide open though for my gaming devices.

It baffles me that this doesn’t seem to work. I have even excluded the port that I am blocking from the Allowed ranges:

The game shows it as Moderate NAT on port 3074:3074, the exact port I am trying to block. The States table (cleared before testing) shows that as being true. What the heck is going on?

This is frustrating, I hope you have some insight!

Did you separate the Xbox to a physical VLAN port? It’s known that if you use an Xbox One on the same physical network as your other devices with different firewall rules, it will use UPnP to ignore the firewall rules you set.

I achieved this seamlessly by using an OpenWRT router of mine and two separate WiFi networks through the built in switch on the consumer router.

It is also known that one Xbox of the two will say the port is unavailable but is indeed being forwarded ports 0-65535, and play online as if it has an open port. The other Xbox will say open.

Also, you don’t need to exclude port 3074 from the allowed ranges, since the first rule you have being executed is to deny 3074. It overrides the rules below it, making your setup redundant… The Xbox needs the port range open to trigger an Open NAT.
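As an added illustration (not code from anyone in this thread), here is a small Python model of how a first-match UPnP ACL of the pfSense/miniupnpd form (`allow|deny <ext ports> <internal net> <int ports>`) evaluates a console’s port-mapping request, and why rule order decides whether the 3074 deny takes effect. The 192.168.30.0/24 gaming VLAN, the console addresses and the fallback to “deny by default” are assumptions for the example.

```python
# Added example, not the project's or any poster's code. It models first-match
# evaluation of a miniupnpd-style UPnP ACL; addresses and ports are constructed.
import ipaddress


def _port_range(spec):
    """'3074' -> (3074, 3074); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)


def parse_acl(lines):
    """Parse 'allow|deny <ext_port[-ext_port]> <addr/prefix> <int_port[-int_port]>'.

    Text after '#' is treated as a comment; blank lines are skipped.
    """
    rules = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, ext, net, internal = line.split()
        rules.append((action, _port_range(ext),
                      ipaddress.ip_network(net, strict=False), _port_range(internal)))
    return rules


def evaluate(rules, ext_port, int_ip, int_port):
    """Return 'allow' or 'deny' for one mapping request.

    The first rule whose external port, internal address and internal port all
    match wins; an unmatched request falls through to the assumed
    'Deny access to UPnP & NAT-PMP by default' setting.
    """
    ip = ipaddress.ip_address(int_ip)
    for action, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and ip in net and ilo <= int_port <= ihi:
            return action
    return "deny"


# Constructed ACL in the order the thread recommends: the 3074 deny comes first,
# so the consoles are forced onto other high ports, which the second rule allows.
GAMING_ACL = parse_acl([
    "deny 3074 0.0.0.0/0 3074                    # assumed: keep consoles off the shared port",
    "allow 1024-65535 192.168.30.0/24 1024-65535 # assumed gaming VLAN may map any high port",
])
```

Swapping the two lines makes the broad allow match a 3074 request first, which is the “override” the post above describes.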

I have actually completely redone my network configuration. I run 4 VLANs now, LAN, GAMING, IOT, and DMZ. UPnP is only allowed on LAN and GAMING (soon to remove from LAN). It’s still a bit strange how it behaves, but at least I’m getting some UPnP action and Moderate/Open NAT for most things. I’m happy with how it’s performing, yet I’m still interested in figuring out why it doesn’t like to obey the UPnP deny entries.

@Fizz

There’s no longer a need to block 3074 in the firewall:

In the Xbox One interface, Network > Advanced settings > Alternate port selection (make sure the consoles are all set to use different ports)

Also, I see from your screenshot that “Deny access to UPnP & NAT-PMP by default” is not checked; you should check that so only authorized devices can use UPnP.

Yeah, I was allowing all so I could reduce the acl entries just to see if it actually worked. Now that I know it does, I will tick that box again and throw in the allows for my devices.

Cheers,


Really hope someone can help me with this. I know just enough about these things to get myself into trouble, but I’m no expert. I’ve got pfSense + pfBlockerNG up and running and have the gaming consoles on vlan30. The switch is a managed Netgear.

I’ve followed these instructions to the letter (including both denying 3074 and having each Xbox select a port in the Xbox menu). Both systems show Open NAT, and in testing Gears of War 5 multiplayer and co-op campaign both work.

However, I am having a problem with For Honor. If one Xbox is already connected, the other one cannot play. It returns a “Connection Failed. Server are unreachable” error message.

Any ideas how to fix this? Ubisoft says

Below are the ports you need for *For Honor* :

**TCP** : 80, 443
**UDP** : 1000, 1001, 6200, 6300

I thought the UPnP I set up took care of this? Any help is much appreciated.

Bump on this. Any ideas?

UPnP has an ACL feature on it. If you are not specifying the port/port range with the destination/IP range then it just straight up won’t work. What does your UPnP config look like?

Make sure you don’t have pfBlockerNG running on the VLAN you have your Xbox on. I had to disable mine before I could get the Xbox to say Open NAT.

When in doubt, simplify and remove any variables. Often going back to the default setup then configuring from there helps in finding the problem.

Your ISP has to be IPv6 capable, yes? Is that correct, Ogre?