pfSense: Step by Step Guide to Multiple Xbox One's Open NAT + Play Together (2.3.x)

Discussion in 'Networking Guides' started by Nimrod, Mar 23, 2017.

  1. Nimrod

    Nimrod Exotic Vendor

    Jun 1, 2007
    Likes Received:
    London, United Kingdom
    This step by step guide will talk you through a working setup for allowing Multiple Xbox One's in the same network to get a fully Open NAT and be able to play together in the same games/parties all behind a pfSense Router/Firewall.

    pfSense is a great piece of software for running on your own hardware (or theirs) to make a secure and high throughput Router at home. I myself found that with the growing number of IoT devices and wireless devices in my home that no matter what consumer router I used, it just struggled under the load. As more and more devices get online from Alexa's, Google Home, Lightbulbs, Alarms, Sensors and the lot; that you may find yourself in a similar situation and needing something with a bit more power behind your Internet Routing which is where pfSense is perfect. However out of the box, working with Xbox One's (and 360's) with Xbox Live is a nightmare, you get a Strict NAT by default. Even following many guides online both from the official pfSense Forum and other blogs, you may get yourself in a position where you can get one or two open; however you then find problems joining eachothers games if you have more than one Xbox for example.

    This guide was put together by two of our own members who both use pfSense, and both have a number of Xbox's. We did like everyone else and tried to ask for help on pfSense forums, browsed so many sites but could never find one perfect guide which actually works with the latest version of pfSense (2.3.x). Many of the guides either referred to the previous pfSense (2.2.x) which has a totally different GUI and setup phase and in some cases when on the official pfSense forum got told a lot of rubbish including that its the Xbox's fault or that enabling IPv6 is the answer (It's not, more information later). So here we are, we solved it ourselves and fully documented it and in this guide will not only get all your Xbox devices online with Open NAT, but allow everyone to play together in the same Games/Parties to in homes where multiple Xbox's are in use.

    This has been fully tested on the latest pfSense at time of writing (2.3.3-release-p17) and in multiple setups. I for example, run it on a Dedicated hardware using a PPPoE connection (So like BT Infinity, Sky Fibre etc) and the other author uses it in a Virtual Environment (Esxi) and uses a more traditional cable modem. Both of us have managed to achieve this; so we know it works in the real world.

    Essential, there is three components required to achieve a successful open NAT and we will talk you through each one; one by one below. So let's begin!

    Static IP's and Static Port

    The first part to getting an Xbox One or 360 online is to give it some Static Port rules on the outbound NAT. This mean that if an Xbox goes out to the internet on port 3307 for example, the Router will honour it instead of changing the port when it goes across the NAT. Changing the port is done as a security feature; however it causes the Xbox trouble when its connecting back and fourth between services and players.

    To achieve this, first we need to give all the Xbox's in the home a static IP address. If you are using DHCP to automatically hand out IP's its simple to give the Xbox a static one. First browse to Services > DHCP Server like so and make sure you are displaying it for the LAN in question (if you have multiple):

    Screen Shot 2017-03-23 at 13.27.51.png

    Then scroll to the bottom and click 'Add' under Static Mappings. You can then proceed to give your Xbox a dedicated IP every time it asks. Say for example you used the out the box pfSense settings which means your LAN is on the 192.168.1.x range, and gives Dynamic IP's out on 100-200. You could like I've done in the example below give it a static IP of as it is outside the default pool, but still within the range that can connect to the router out of the box.

    Screen Shot 2017-03-23 at 13.28.09.png

    If you don't know the Xbox's MAC Address, you can get it by firing up the Xbox and going into Network Settings and it will display it to you.

    Set the static IP and click Save and apply the changes. You may need to hard reset your Xbox for it to ask for a new IP straight away (Hold power button for 10 seconds). Once it's back online, check again in its Network Settings and make sure its using the new IP you assigned it.

    The next step is to allow Static Ports on your NAT. To do this, browse to Firewall > NAT. Once it's loaded, make sure to click on Outbound like below:

    Screen Shot 2017-03-23 at 13.29.01.png

    You need to change the mode for Outbound from automatic, to Hybrid like shown above.

    Once done, on the Mappings just below it, click Add to Create a new one. This is where you will be defining the Static Port rule on the NAT just for the Xbox One.

    In the below example, you will see the rule I made. Place the Xbox's IP in the Source Port and then under Translation make sure to tick the Static Port like so:

    Screen Shot 2017-03-23 at 13.29.18.png

    Finish it off by giving the Rule a name and click Save. You can then apply the changes.

    You will need to either repeat this for other devices/IP's, or you could for example use the Alias Feature if you wanted to do one rule for them all like below by using Firewall > Aliases feature. This is totally optional however and makes no sense if you only have one.

    Screen Shot 2017-03-23 at 13.42.05.png

    This then allows one rule for them all by setting it in the NAT Firewall Rule:

    Screen Shot 2017-03-23 at 13.42.31.png

    Either way, once done, you should end up with your rule in the Outbound NAT like so:

    Screen Shot 2017-03-23 at 13.42.39.png

    You are now set and ready to proceed to the next step below.

    UPnP / NAT-PMP

    UPnP is a solution made many years ago which is now pretty much a standard for home networking. It effectually allows a device on the home network to request a Port Forward automatically from the Router. NAT-PMP is an improvement on the standard further; however tends to live more on Apple based products at the moment. The Xbox One fully supports both of these protocols.

    Again I must stress; if you don't have only trusted devices in your home network; turning this on does have its risk as it effectively overrules any Firewall based restrictions you may have allowing any devices to make itself public on a specific port on your WAN. In a business environment again it is a no go which is why pfSense does not have it on by default; but in your own home assuming you look after all your devices and trust those connected it is safe to turn on. It is turned on by default on most home routers.

    To turn it on, go to Services > UPnP & NAT-PMP and enable the three tick boxes like so:

    Screen Shot 2017-03-23 at 13.17.43.png

    Make sure your interface is selected as your LAN and your External Interface is set to your WAN.

    Once done, click Save and you are set. Your Xbox can now open the ports it needs on demand.
    There is alternatives like manually opening the known ports; however this doesn't work when you have Multiple Xbox's in your own home as they cannot use the same ports. The way this works, is if Xbox 1 is using one of the ports, Xbox 2 will then pick another allowing both to keep an Open NAT at all times.

    NAT Reflection

    NAT Reflection is a vital component for when you have more than one Xbox One or 360 in the same home wishing to join eachothers games and parties. If you however only have one, you can skip this step.

    To understand the problem heres the scenario. You host a game of Destiny and your IP is say Someone else in your house then fires up there Xbox and tries to join your game by the friends list. Xbox Live will tell your friend to join via say for example which is your external IP and Port to connect to the game (the same way, other players outside your home will connect). Their Xbox will then connect to that via the pfSense Router; however the router will end up going out of the local LAN and looping back into itself via the external WAN. Out of the box, pfSense will block this on the grounds of security of trying to traverse internal connections across the WAN. The same applies to parties and other network services.

    The only way around this, is to enable a feature called NAT Reflection. Some people would argue this is a security risk; however pretty much every consumer router allows it out of the box. In a business environment where security is key (which is where pfSense is aimed) its understandable to block it. So please make your own judgement on this.

    Out of the box, pfSense supports two modes, one is called Pure NAT in which the firewall rules are re-written to allow it and the behaviour is accepted and one is called NAT + Proxy in which a helper daemon is run and when it picks up the traffic it re-writes it and sends it back down the LAN interface. Both work, however Pure NAT is the preferred if it works in your environment due to less overhead.

    To enable NAT Reflection, go to System > Advanced > Firewall & NAT like below:

    Screen Shot 2017-03-23 at 13.03.05.png

    Scroll down to Network Address Translation and change NAT Reflection from disabled to Pure NAT. You also need to tick the box 'Enable Automatic outbound NAT for Reflection' like so:

    Screen Shot 2017-03-23 at 13.03.12.png

    Once done, click Save. At this point, you need to flush all the routes from the pfSense and also hard reset your Xbox. The best thing to do here is go and press the power button on the Xbox for 10 Seconds so it FULLY turns off (not just sleep mode where the network is still active). Then tell your pfSense box to Reboot and then fire up your Xbox. You should then find you can join eachothers games and parties like normal.

    If however you find problems; you should full back to the backup option which is 'NAT + Proxy'. This works better in examples where the rules load before the connection is established. The overhead is a little more; but won't likely cause an issue in most builds. Then repeat the step above resetting both your pfSense Box and your Xbox.


    Once you have completed all three Steps, you should be good to go and find all the Xbox's in your home network are all reporting OPEN NAT Types and play together in online gaming.

    For the more advanced users out there, you could consider using the learnings from this guide and build a different setup. One idea which we have tested ourselves is to make a second LAN interface (assuming your pfSense has another NIC free) and making these changes for the Xbox ONLY on that specific LAN. That way you can mix and match the security for your network; by having business grade security on your normal devices, and having the Xbox's in there own LAN network with the changes detailed in this guide to make it more like a home router.

    Another interesting point is as the IPv6 Roll out continues, eventually these won't be an issue however based on the current speed of ISP's across the world rolling out it looks like it will be another good five or six years until we are at that stage. However the benefit of IPv6 is every device in the home can have its own external IP address, taking away all the Port Forwarding / NAT related issues. The Xbox One does support IPv6 out the box; but unlike what some unhelpful members on the pfSense forum keep saying - that isn't the solution for pfSense and Xbox Live right now. Unless every player in your Game, plus every Party member plus the Game Server itself is using and has an open IPv6 - the Xbox will always fall back to IPv4 so having your IPv4 NAT Open is essential right now in Xbox Live.

    Final interesting point - This may very well also work for the Playstation 4 (PS4). However neither of us own one (let alone two) to test with it and make sure it works perfectly. So if anyone reading this does have them and can give it a test; please let us know in the comments and we can always update the guide with Playstation specifics. Reading about it on the internet though; it does seem to have similar issues on pfSense and it is likely this setup will also work for them.

    Hope this helps, and of course any questions just ask below and we will be happy to help!
    Credits to Digiex Member @InsaneNutter to; for his part in helping with the setup and testing with his also.
    InsaneNutter likes this.
  2. bvDrax

    bvDrax New Member

    Apr 24, 2017
    Likes Received:
    What a great article! Thank you for taking the time to test and document this.
  3. wrldwzrd89

    wrldwzrd89 Well-Known Member

    Apr 16, 2017
    Likes Received:
    Good old pfSense, so many uses for it. Thanks for making a great guide!
  4. Marc05

    Marc05 New Member

    May 22, 2017
    Likes Received:
    I have set up static ports, upnp, nat reflection, static dhcp mapping, and have a separate vlan for the consoles. I tried both on 2.3.4 and 2.4. For whatever reason, the PS4's will not dynamically assign another port for use whenever another PS4 is using it.

    I can clear all port mappings, turn on one PS4 and see UPnP at work on the status page, then turn on a second PS4, but no new port mapping is made. This makes it so I can't play either Ghost Recon or Battlefield 1. What am I missing? I may end up downgrading to 2.2.6 and trying that if I can't fix it.
  5. Marc05

    Marc05 New Member

    May 22, 2017
    Likes Received:
    Double-post since can't edit:

    It turns out, there's an issue with routing UPnP traffic on VLAN's either through the consumer netgear switches I have, or through pfSense itself, or maybe even due to virtualization setup. I've reverted back temporarily to no VLAN's until I can sort it out.
  6. Forever1337

    Forever1337 New Member

    Aug 28, 2017
    Likes Received:
    I have followed every step in this to the letter and even double checked everything. Last night when I first set it up I got moderate NAT instead of open, I double checked everything and did a couple restarts of the pfsense box and Xbox one. To no avail it was still moderate, it was midnight and I was tired so I called it a night. Now I got up this morning and the Xbox is reporting a strict NAT again , I made sure nothing had changed in the PFSense settings (which it was all the same) did a couple restarts and it is still strict now. I even went as far as to port forward all the Xbox Live ports listed on their site to the Xbox aliases I have said up in the fire wall and it is still strict. I am at a loss and can't for the life of me even get it to go back to moderate. Please help! I'm running PFSense 2.3.4-Release P1

Share This Page