To fully use Xbox Live features, you need your NAT type to be Open, not Moderate or Strict.
The official port listing for Xbox Live has a large selection of ports you are told to open, but in practice only one is really needed: the Xbox Live port, 3074 (TCP/UDP).
You could use UPnP, but it has negative security implications: any device on the LAN can ask the firewall to open inbound ports for it, with no authentication. The steps below give an Open NAT type without adding UPnP to your Opnsense setup.
Steps
- Give the Xbox a static IP (I prefer to set static leases via Opnsense rather than on the device)
- Set up firewall aliases for the static Xbox IP and the Xbox Live port
- Forward the Xbox Live port to the static Xbox (with NAT reflection / hairpinning)
- Check the auto-created firewall rules
- Allow outbound NAT from the static Xbox with Static Port enabled
Set static IP on LAN for Xbox
Opnsense > Services > DHCPv4 > Leases
Pick an address outside your regular DHCP pool; otherwise the static lease could conflict with a dynamically assigned address later.
Create Xbox Live TCP/UDP port Alias.
Opnsense > Firewall > Alias
Create Alias for Xbox static IP
Opnsense > Firewall > Alias
It’s a good idea to use an alias for devices, as descriptive names are easier to work with and remember. It also means the device’s IP can be changed later in one place without editing any existing firewall rules.
Port forward Xbox live to the Xbox
Opnsense > Firewall > NAT > Port Forward
Port Forward – NAT Reflection: Enable
NAT Reflection (sometimes called hairpinning) handles the case where a device on the LAN sends traffic to your public IP: the firewall detects that the flow originates inside and rewrites it to the Xbox’s internal IP, so the port forward works from inside the LAN as well as from the internet.
Port forward rule complete
Check auto created firewall rules
(As the rule is autogenerated you cannot edit it directly, only delete it)
Allow outbound NAT
Opnsense > Firewall > NAT > Outbound
First, set and save the mode to “Hybrid”. Hybrid keeps the automatically generated outbound rules and evaluates your manual rules ahead of them, so only one extra rule for the Xbox is needed.
Outbound NAT – Static Port: ticked
By default Opnsense (the pf packet filter) rewrites the source port of outgoing translated traffic to a random high port. Hiding the original source port makes it harder to fingerprint the devices behind the firewall or to spoof an established connection, and rewriting is also what lets NAT keep flows apart when several LAN devices talk to the same remote IP and port.
Xbox Live is particularly picky about seeing the source port it expects (3074, unless you have changed it in the console’s settings). If ‘Static Port’ is not ticked, the packet filter assigns a random source port and Xbox Live reports a NAT type of Moderate. Keep this rule’s source set to the Xbox alias rather than the whole LAN, so the static-port exception applies only to the console.
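Once the GUI steps are done, the quickest way to confirm the result on the firewall itself is to look at the rules pf actually loaded rather than the GUI pages. The script below is an added example, not part of the original guide: it reads `pfctl -sn` output (the loaded NAT and rdr rules) and checks for the three things the guide relies on, the WAN port forward for TCP and UDP, the reflection copy of that rdr on a LAN interface, and an outbound NAT rule sourced from the Xbox that carries `static-port`. The interface names (`igb0` WAN, `igb1` LAN), the Xbox address 192.168.1.250, the WAN address 203.0.113.10 and the sample rule lines are assumptions constructed for the example; the exact formatting of `pfctl -sn` on your box may differ slightly, so adjust the patterns if a check fails while the console already reports Open.

```shell
#!/bin/sh
# Added example: verify the pf rules OPNsense generated for the Xbox Open-NAT setup.
# Run on the firewall as root:   pfctl -sn | sh check_xbox_nat.sh
# Or with the constructed sample: sh check_xbox_nat.sh --demo
# Assumed values; override via the environment to match your own setup.
XBOX_IP="${XBOX_IP:-192.168.1.250}"
XBOX_PORT="${XBOX_PORT:-3074}"
WAN_IF="${WAN_IF:-igb0}"

# check_xbox_nat: read `pfctl -sn` output on stdin, print one line per check,
# return 0 only when the port forward, the reflection rdr and static-port are all present.
check_xbox_nat() {
    rules=$(cat)
    ip_re=$(printf '%s' "$XBOX_IP" | sed 's/\./\\./g')   # escape dots for grep -E
    rc=0

    # 1. Port forward: pf prints the TCP/UDP rule as one rdr per protocol on WAN,
    #    destination port 3074, target the Xbox (optionally with an alternate target port).
    for proto in tcp udp; do
        if printf '%s\n' "$rules" | grep -Eq "^rdr on $WAN_IF .*proto $proto .*port = $XBOX_PORT -> $ip_re( port [0-9]+)?\$"; then
            echo "ok   port forward $proto/$XBOX_PORT -> $XBOX_IP on $WAN_IF"
        else
            echo "FAIL port forward $proto/$XBOX_PORT -> $XBOX_IP missing on $WAN_IF"; rc=1
        fi
    done

    # 2. NAT reflection: the same rdr must also exist on an interface other than WAN,
    #    so a LAN client that hits the public IP is hairpinned to the Xbox.
    if printf '%s\n' "$rules" | grep -E "^rdr on " | grep -v "^rdr on $WAN_IF " \
        | grep -Eq "port = $XBOX_PORT -> $ip_re( port [0-9]+)?\$"; then
        echo "ok   NAT reflection rdr present on a non-WAN interface"
    else
        echo "FAIL no reflection rdr for port $XBOX_PORT (Port Forward > NAT reflection not enabled?)"; rc=1
    fi

    # 3. Outbound NAT: the rule sourced from the Xbox must end in static-port; without it
    #    pf randomises the source port and Xbox Live reports Moderate.
    if printf '%s\n' "$rules" | grep -Eq "^nat on $WAN_IF .*from $ip_re .* static-port\$"; then
        echo "ok   outbound NAT from $XBOX_IP keeps static-port"
    else
        echo "FAIL outbound NAT from $XBOX_IP has no static-port (mode Hybrid + Static Port ticked?)"; rc=1
    fi

    # 4. Caveat: static-port should be scoped to the console only. Warn if any other
    #    outbound rule on WAN also disables source-port randomisation.
    if printf '%s\n' "$rules" | grep -E "^nat on $WAN_IF .* static-port\$" | grep -vq "from $ip_re "; then
        echo "WARN static-port is also set on a rule not limited to $XBOX_IP; keep it scoped to the console"
    fi
    return $rc
}

# Constructed sample of what `pfctl -sn` prints for a working setup (not captured from a real
# box). The Xbox rule precedes the automatic LAN rule, as Hybrid mode orders them.
SAMPLE_RULES='nat on igb0 inet from 192.168.1.250 to any -> 203.0.113.10 static-port
nat on igb0 inet from 192.168.1.0/24 to any -> 203.0.113.10
rdr on igb0 inet proto tcp from any to 203.0.113.10 port = 3074 -> 192.168.1.250
rdr on igb0 inet proto udp from any to 203.0.113.10 port = 3074 -> 192.168.1.250
rdr on igb1 inet proto tcp from any to 203.0.113.10 port = 3074 -> 192.168.1.250
rdr on igb1 inet proto udp from any to 203.0.113.10 port = 3074 -> 192.168.1.250'

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_RULES" | check_xbox_nat ;;
    --live) pfctl -sn | check_xbox_nat ;;
esac
```

If the console is set to an alternate port, run the check with `XBOX_PORT=<that port>`; for a second console on its own port, run it once per console with `XBOX_IP` and `XBOX_PORT` changed. `pfctl -ss | grep 3074` then shows the live states and lets you confirm the translated source port really is 3074 while the console runs its NAT test.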
You just saved me hours of head-smashing. Thank you 🙂
Thanks for taking the time to write this up, it helped me conquer Strict NAT on PC – your piece about the static port setting was exactly what I needed to learn.
Thanks for the guide!
But sadly, it’s not working on my Series X.
Is there a way to test the ports?
Also, per MS, the following ports also need to be open:
Port 88 (UDP)
Port 3074 (UDP and TCP)
Port 53 (UDP and TCP)
Port 80 (TCP)
Port 500 (UDP)
Port 3544 (UDP)
Port 4500 (UDP)
I added those to your guide, but still coming up as Strict.
Suggestions?
As I mentioned, MS suggest those other ports, but others and I have found that you only really need the Xbox Live port 3074 open.
I would always suggest going with as few open ports as needed; it’s less to manage and more secure.
There are services out there you can use to test to see if your own IP has ports open, but the best test is the Xbox network NAT test.
I would suggest re-checking the guide, be particularly careful to make sure “Static-port” is ticked for the Firewall: NAT: Outbound rule.
If it’s not too inconvenient, reset your Opnsense device to defaults, as I always write and test guides on my spare ‘default’ device to make sure none of my own settings get in the way for most users.
Guide worked quite well. But to see the changes in the Xbox interface, one has to refresh the NAT port on the Xbox itself.
Settings –> Network Settings –> Advanced Settings –> Alternative port selection –> manual –> Use another port –> Continue –> Alternative port selection –> Automatic –> Back –> Test NAT type
Restarting may help as well. I just wondered why it didn’t work until I saw the NAT test packages were fine in the firewall log.
I managed to get Open NAT on my Series X but am failing to achieve the same result on my son’s Xbox One S. Both consoles are connected through a VLAN with a physical Ethernet connection. Any pointers?
Tismo, I think (but cannot confirm) that if you have more than one Xbox device on the network, you need to set the Xbox Live port (3074) to something else on one of the devices in the machine settings.
You would then need to create the same rules again for the 2nd device using this new port in place of 3074.
This effectively created two separate pathways for the two different devices on the LAN.
I just wanted to say thanks for this, this guide helped a lot. There was one thing the guide is missing: my Xbox, even after setting this all up, stated the NAT type was still Strict. I was about to pull my hair out when, out of the blue, I thought, what if I reset my Xbox? Sure enough, that fixed it.
So I wanted to add here this too for anyone that might run into this issue, a reboot of Opnsense and your Xbox might be needed.
Also if you want to enable UPnP to work with your Xbox this is a great guide too, maybe you could add this to yours as well, worked for me in allowing UPnP only on my Xbox.
https://forum.opnsense.org/index.php?topic=22591.0
For XBox One users, you have to go into Network Settings under Advanced settings and choose an Alternate port … doesn’t matter which one, just choose one and save it. Next:
1 – Create an Alias for the port called AlternatePort
2 – Under Firewall/NAT/Port Forward, create a new rule:
– Interface: WAN
– Proto: TCP/UDP
– Dest: WAN net
– Range: AlternatePort to AlternatePort
– Redirected Target IP XboxSeriesX (or whatever name you gave it before)
– NAT Reflection Enabled
– Filter Rule Association: None
Save and apply and do a NAT type test on the box under network settings and it should come back as Open.