pfSense and Multiple Xbox Ones: Open NAT Guide

Yeah, I was allowing all so I could reduce the acl entries just to see if it actually worked. Now that I know it does, I will tick that box again and throw in the allows for my devices.

Cheers,


Really hope someone can help me with this. I know just enough about these things to get myself into trouble, but I’m no expert. I’ve got PFSense + PFBlockerNG up and running and have the gaming consoles on vlan30. The switch is a managed Netgear.

I’ve followed these instructions to the letter (including both denying 3074 and having each xbox select a port in the xbox menu). Both systems show open NAT and in testing Gears of War 5 multiplayer and co-op campaign both work.

However, I am having a problem with For Honor. If one xbox is already connected, the other one cannot play. It returns a “Connection Failed. Server are unreachable” error message.

Any ideas how to fix this? Ubisoft says

Below are the ports you need for *For Honor* :

**TCP** : 80, 443
**UDP** : 1000, 1001, 6200, 6300

I thought the UPNP I set up took care of this? Any help is much appreciated.

Bump on this. Any ideas?

The UPnP has an ACL feature on it. If you are not specifying the port/port range with the destination/IP range then it just straight up won’t work. What does your UPnP config look like?

Make sure you don’t have pfblockerNG running on the vlan you have your xbox on. I had to disable mine before I could get the xbox to say open nat.

When in doubt, simplify and remove any variables. Often going back to the default setup then configuring from there helps in finding the problem.

Your ISP has to be IPV6 capable, yes? Is that correct, Ogre?

Yes, you would need an IPv6 address from your ISP.

Thanks OgreLord. I have 3 Xbox Ones on my network and it’s been a pain in the rear keeping them connected with Destiny 2.

It seems like IPV6 would solve my issues; and I’d love to convert it, but my ISP is still IPV4 with no plans for an upgrade ATM.

I’m a noob, but I wonder if it would be possible to utilize a 6in4 tunnel which would tunnel IPV6 addresses to my network through my IPV4 only ISP? I found this page which talks about the setup using a tunnel broker.

I’m curious if: a) it would solve ‘open’ NAT problem; and b) what sort of overhead it would present if using tunneling + traffic shaping?

Follow the PDF link on the site:

Open NAT for Xbox using OpenWRT.

I don’t believe it would work, because if your Xbox still needs to go through an IPv4 network address, Xbox Live will require UPnP on their end to connect your Xboxes to other players.

Have you thought about switching your WAN network to a tethered phone with an unlimited data plan? Almost every mobile carrier out there fully supports ipv6. Android 11 allows you to tether to an ethernet adapter which could go straight to the pfsense wan port.

You could also run a second wan port in pfsense dedicated to an Xbox VLAN so you could completely isolate the ipv6 mobile network.

Thanks for the write up. Easy to follow. Have 2 xboxes on open NAT !!


OK, I’m going to delete my past posts in favor of this one because they all lead to dead ends. I finally figured out what the problem was and why it seemed like 90% of the time my Xboxes wouldn’t want to connect to UPnP. I knew it had something to do with the NAT because UPnP wasn’t being forwarded correctly to either Xbox.

A tiny little detail that I missed: (that is in the OP)

When setting an outbound NAT rule for your Xbox One alias, MAKE SURE you have /32 subnet mask selected for your alias under the source section. I had /24 selected (the default) this entire time. :triumph:

I also placed the outbound NAT rule at the top of the hybrid outbound NAT table to make sure it’s loaded first.

Both Xboxes instantly gained open ports automatically without having to clear the state table more than once and reboot pfSense a million times. :money_mouth_face:

I can confirm this works perfectly with firewall rules denying VLAN to LAN (to create a secure IoT sandbox) and another rule to reject IPv6 packets, as well as using a more conservative UPnP allow rule: 53-65535 instead of 0-65535 to give the Xboxes a little more security.

Good luck with your configuration, friends!

I’ve been dealing with a few issues regarding this as well. Thanks for that clarification. I ended up removing my aliases and just putting each ip address in there individually with a /32 before I read this, so I pretty much arrived at the same point.

The other issue I’ve noticed is specifically regarding Apex Legends. Both XBoxes report open NAT from the network settings screen on the systems. Both have no issues playing online games and using party chat simultaneously. The issue still seems to come in when both systems attempt to connect to the same game at the same time in the same party. One system is always dropped for me with a “code:leaf” error from the game. This is more than likely an issue specific to this game but I wanted to post it just for future reference for others.

This is what I found after NUMEROUS tests/reboots/state clears/etc.:

- When both consoles are set up as above, the hosting console will always get booted before connecting to the match.
- When one console is set up as above and one set up “regular”, if the open NAT console is the host, it will get booted before connecting to the match.
- When one console is set up as above and one set up “regular”, if the strict/moderate NAT console is the host, the game will connect properly (albeit laggy at times).
- When both consoles are set up “regular”, both will connect to the match properly (albeit laggy).

Just for reference, I am running on gigabit cable, in a router on a stick setup:

ISP---->Netgear CM1000---->pfSense---->Cisco L3 switch---->XBox consoles

There are a few other nuances to my setup, such as VLANs and several L2 Cisco switches that connect back to the core switch, but this is the gist of my setup. pfSense just released a new stable build that I’m pretty sure addresses better multi game console handling in a UPnP change, so I will be testing that soon to see if it helps.

@twista0506 I’ve never had the problem you’re facing, unfortunately. I don’t use a Cisco switch; instead I use 2 TP-Link consumer routers flashed with the latest OpenWRT so I can fine tune what services are running on them and have an easy UI to tag each port on the built-in switch of each OpenWRT AP. Does your switch run its own software?

Yes, my Cisco switches are Catalyst 2960 series switches on the latest IOS versions they have for them. My core switch acts as my main “router”, so basically a router on a stick setup (the exceptions are VLANs that I want totally isolated and not to touch my transit VLAN at all; devices on those VLANs use the pfSense as their gateway). All works fine and is happy regarding several different pieces of hardware playing nice (I also have a few Ubiquiti mini smart switches and am using their APs for wifi) except when it comes to UPnP on the pfSense specifically with 2 Xbox consoles.

The new update that was put out did seem to help it run better when using only one console, but it still doesn’t solve the original issue of 2 simultaneously. For now, I’ve resorted to just simply keeping it the same way I had it or at times just disabling UPnP and rolling the dice with strict or moderate NAT. Makes for an unfortunate lag-fest of a time, but at least we can play.

@twista0506 All I can say is maybe your firewall and/or outbound NAT rules are either not configured properly (like the /32 address detail I mentioned above) or they could be out of order. Try placing your Xbox alias rules to the top of the list to ensure they’re loaded first.

I can play with my family on multiple Xbox Ones in the same match together without lag or connection problems. We’re also connected wirelessly, using our own 3rd party high end modem on Comcast.

Here are some screenshots of how I have it set. I had to combine them in one shot since I am only allowed to upload one image per post.

In the alias for game systems, I have removed all other systems except for the two XBox consoles.

I have proper firewall rules (deny all, allow what’s needed like https, http, dns, etc.) set for all of the rest of my VLANs EXCEPT for my transit VLAN (which my gaming VLAN does not use) and my gaming VLAN. Those 2 are set basically as allow all, deny none.

It’s confusing. I’m still heavily leaning toward the possibility that this is specific to Apex Legends and EA/Respawn servers not being stable unfortunately.

OK I think I see what your issue is here.

Remove both of your deny rules, and place this one at the top:

deny 3074 10.8.0.0/24 0-65535

You’re adding two deny rules that are being loaded at different times, instead of one rule that’s loaded before all the rest.

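To make the ordering point concrete, here is a small evaluator of pfSense/miniupnpd-style UPnP ACL entries (an added example, not code from this thread or from the pfSense project). It assumes miniupnpd’s first-match evaluation with allow-by-default unless the “Default deny” box is ticked; the 10.8.0.0/24 subnet is the one quoted above, and the two /32 console addresses are constructed.

```python
import ipaddress

# Constructed ACL in pfSense / miniupnpd syntax:
#   <allow|deny> <external ports> <internal addr/mask> <internal ports>
# 10.8.0.0/24 is the subnet from the thread; the two /32 console addresses are made up.
XBOX_ACL = [
    "deny 3074 10.8.0.0/24 0-65535",         # loaded first: no console may grab ext 3074
    "allow 53-65535 10.8.0.10/32 53-65535",  # first console
    "allow 53-65535 10.8.0.11/32 53-65535",  # second console
]

def _ports(spec):
    """'3074' -> (3074, 3074); '53-65535' -> (53, 65535)."""
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def parse_acl(lines):
    """Parse ACL text lines into (action, ext_range, network, int_range) tuples."""
    rules = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        action, ext, net, intp = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action in rule: {line!r}")
        rules.append((action, _ports(ext), ipaddress.ip_network(net, strict=False), _ports(intp)))
    return rules

def first_match(rules, ext_port, int_addr, int_port):
    """Index of the first rule matching a requested mapping, or None."""
    addr = ipaddress.ip_address(int_addr)
    for i, (_, (elo, ehi), net, (ilo, ihi)) in enumerate(rules):
        if elo <= ext_port <= ehi and addr in net and ilo <= int_port <= ihi:
            return i
    return None

def decide(rules, ext_port, int_addr, int_port, default_deny=False):
    """Assumed miniupnpd behaviour: the first matching rule wins; an unmatched
    request is allowed unless pfSense's 'Default deny' option is enabled."""
    i = first_match(rules, ext_port, int_addr, int_port)
    if i is None:
        return "deny" if default_deny else "allow"
    return rules[i][0]

if __name__ == "__main__":
    rules = parse_acl(XBOX_ACL)
    print(decide(rules, 3074, "10.8.0.10", 3074))   # -> deny  (console must pick another port)
    print(decide(rules, 49152, "10.8.0.10", 3074))  # -> allow (alternate port is accepted)
    # A broad allow placed above the deny shadows it, so 3074 gets handed out after all.
    bad = parse_acl(["allow 0-65535 10.8.0.0/24 0-65535"] + XBOX_ACL)
    print(decide(bad, 3074, "10.8.0.10", 3074))     # -> allow
```

Running it shows why a single deny at the top behaves differently from the same deny placed below an allow rule: only the first matching entry is ever consulted.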

Thanks for the response. I did take your advice and change the rules as per your suggestion and still had no luck with 2 consoles simultaneously.

I was able to track this down so hopefully this information will help someone else out in a similar position. It unfortunately appears to be specific to Open BSD based devices specifically because of miniupnp:

pfSense UPnP Issues

No, I appreciate you trying to help, but that’s what the 3072 deny rule is supposed to fix. You can’t simply blame the entire distribution here when it works perfectly for me with 2+ Xboxes simultaneously.

Have you given thought that it could be your ISP? Even an unstable connection can prevent UPnP from working with more than 1 device at a time. It’s not very flexible.
