Achieve full open NAT with port forwarding for Xbox live via Opnsense

How to achieve full open NAT status with Xbox Live with Opnsense without using UPnP

To fully utilise Xbox Live features, you’ll need to make sure your NAT type is Open; not Moderate or Strict.

The official port listing for Xbox Live has a large selection of ports you should open, but in practice it seems you only really need to open one, the Xbox Live port 3074 (TCP/UDP).

You could use UPnP, but there are negative security implications. The four-step method below works without the risk of adding UPnP to your Opnsense setup.


  1. Give the Xbox a static IP.
    (I prefer to set static leases via Opnsense rather than the device)
  2. Set up firewall aliases for the static Xbox and the Xbox Live port
  3. Forward the Xbox Live port to the static Xbox
    (with NAT reflection / hairpinning)
    • Check auto created firewall rules
  4. Allow outbound NAT from the static Xbox

Set static IP on LAN for Xbox

Opnsense > Services > DHCPv4 > Leases

Set the IP to something outside your pool of regular DHCP addresses or you could have a conflict in the future.

Add a static IP for the Xbox on your LAN

Create Xbox Live TCP/UDP port Alias

Opnsense > Firewall > Alias

Create an Alias for the Xbox live port 3074

Create Alias for Xbox static IP

Opnsense > Firewall > Alias

It’s a good idea to use an alias for devices as descriptive names are easier to work with and remember. It also allows the IP of the device to be changed without having to edit any existing firewall rules.

Create an Alias for the Xbox device so you do not need to remember the static IP address

Port forward Xbox live to the Xbox

Opnsense > Firewall > NAT > Port Forward

Create the rule to forward traffic on the Xbox live port to the static IP of the Xbox

Port Forward – NAT Reflection: Enable

NAT Reflection (sometimes called hairpinning) detects that traffic to the public IP actually comes from a device inside the local LAN and rewrites the flow using the internal IP.

Port forward rule complete: the rule once added and enabled

Check auto created firewall rules

(As the rule is autogenerated you cannot edit it directly, only delete it)

The auto generated WAN firewall rule

Allow outbound NAT

Opnsense > Firewall > NAT > Outbound

First, set and save the mode to “Hybrid”

Create the rule to allow outbound NAT of the Xbox live port from the Xbox

Outbound NAT – Static Port: ticked

By default Opnsense will rewrite and randomise the source port on outgoing traffic. This is to reduce IP spoofing and prevent fingerprinting of the devices behind the firewall. Also, when there are many devices trying to connect to the same remote IP and port, the randomness allows NAT to properly segregate and handle these connections to different LAN clients.

Xbox Live is particularly picky about the source port being what it expects (3074, unless you have altered it in the settings). If you do not tick ‘Static Port’ you will be given a NAT type of Moderate on Xbox Live, as the packet filter will assign a random port which Xbox Live does not like.

Outbound NAT rule complete: the rule once added and enabled, along with Mode set to Hybrid
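The Static Port setting above is the one most people get wrong, and the only symptom is a Moderate NAT result on the console. As an added example (not code from the original guide), the Python script below checks the same thing from any LAN host: it binds UDP port 3074 locally, sends a STUN Binding Request, and compares the port the STUN server saw with the port it bound. If the firewall rewrote the source port, Static Port is not taking effect on that host. The STUN server address is a parameter you supply (none is assumed or hard-coded); the sample response and the 203.0.113.7 address are constructed so the parsing logic can be exercised offline. The Xbox's own NAT test remains the authoritative check, as the guide says; this only confirms the source-port behaviour of the outbound rule.

```python
# Added example (not part of the original guide): a minimal STUN Binding probe
# that checks whether the firewall keeps the Xbox Live source port (3074)
# unchanged on the way out, i.e. whether "Static Port" on the outbound NAT
# rule is doing its job. The offline part uses a constructed server reply.
import os
import socket
import struct

STUN_MAGIC = 0x2112A442          # fixed magic cookie from RFC 5389
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020
XBOX_LIVE_PORT = 3074


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header with no attributes: a Binding Request."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC) + txid


def parse_mapped_address(response: bytes, txid: bytes):
    """Return (public_ip, public_port) as seen by the STUN server.

    Prefers XOR-MAPPED-ADDRESS and falls back to the legacy MAPPED-ADDRESS.
    Raises ValueError if the packet is not the matching success response.
    """
    if len(response) < 20:
        raise ValueError("truncated STUN message")
    msg_type, length, magic = struct.unpack("!HHI", response[:8])
    if magic != STUN_MAGIC or response[8:20] != txid or msg_type != BINDING_SUCCESS:
        raise ValueError("not a matching STUN Binding Success Response")
    body = response[20:20 + length]
    offset = 0
    legacy = None
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        offset += 4 + ((attr_len + 3) // 4) * 4    # attributes are 4-byte aligned
        if len(value) < 8 or value[1] != 0x01:     # only IPv4 is handled here
            continue
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            port = xport ^ (STUN_MAGIC >> 16)
            addr = socket.inet_ntoa(struct.pack("!I", xaddr ^ STUN_MAGIC))
            return addr, port
        if attr_type == ATTR_MAPPED_ADDRESS and legacy is None:
            (port,) = struct.unpack("!H", value[2:4])
            legacy = (socket.inet_ntoa(value[4:8]), port)
    if legacy is not None:
        return legacy
    raise ValueError("response carries no mapped address")


def classify_source_port(local_port: int, mapped_port: int) -> str:
    """A rewritten port is the usual cause of a Moderate NAT result."""
    if local_port == mapped_port:
        return "preserved"     # Static Port is taking effect
    return "rewritten"         # source port randomised by the firewall


def build_sample_response(txid: bytes, addr: str, port: int) -> bytes:
    """Constructed server reply, used only for offline testing."""
    (raw_addr,) = struct.unpack("!I", socket.inet_aton(addr))
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                       port ^ (STUN_MAGIC >> 16), raw_addr ^ STUN_MAGIC)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC) + txid + attr


def probe(server: tuple, local_port: int = XBOX_LIVE_PORT, timeout: float = 3.0):
    """Live check: bind local_port, ask the STUN server what it saw.

    `server` is an (ip_or_host, port) pair for a STUN server you trust;
    none is assumed here. Run it from a LAN host standing in for the Xbox.
    """
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("", local_port))
        sock.sendto(build_binding_request(txid), server)
        data, _ = sock.recvfrom(2048)
    addr, port = parse_mapped_address(data, txid)
    return addr, port, classify_source_port(local_port, port)


if __name__ == "__main__":
    # Offline demonstration with constructed replies from 203.0.113.7 (TEST-NET-3).
    txid = os.urandom(12)
    good = build_sample_response(txid, "203.0.113.7", XBOX_LIVE_PORT)
    print(parse_mapped_address(good, txid), classify_source_port(XBOX_LIVE_PORT, XBOX_LIVE_PORT))
    bad = build_sample_response(txid, "203.0.113.7", 51234)
    print(parse_mapped_address(bad, txid), classify_source_port(XBOX_LIVE_PORT, 51234))
```

For a live run, call `probe(("<stun-server>", 3478))` from a LAN machine while the Xbox is off, so the port forward and the static-port outbound rule apply to that machine's traffic instead; a result of "rewritten" means the outbound rule either is not matching (check the alias and the Hybrid mode) or has Static Port unticked.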


5 thoughts on “Achieve full open NAT with port forwarding for Xbox live via Opnsense”

  1. Thanks for taking the time to write this up, it helped me conquer Strict NAT on PC – your piece about the static port setting was exactly what I needed to learn.

  2. Thanks for the guide!
    But sadly, it's not working on my Series X.

    Is there a way to test the ports?

    Also, per MS, the following ports also need to be open:

    Port 88 (UDP)

    Port 3074 (UDP and TCP)

    Port 53 (UDP and TCP)

    Port 80 (TCP)

    Port 500 (UDP)

    Port 3544 (UDP)

    Port 4500 (UDP)
    I added those to your guide, but still coming up as Strict.


    1. As I mentioned, MS suggest those other ports, but others and I have found that you only really need the Xbox Live port 3074 open.

      I would always suggest going with as few open ports as needed; it’s less to manage and more secure.

      There are services out there you can use to test to see if your own IP has ports open, but the best test is the Xbox network NAT test.

      I would suggest re-checking the guide, be particularly careful to make sure “Static-port” is ticked for the Firewall: NAT: Outbound rule.
      If not too inconvenient, reset your Opnsense device to defaults, as I always write and test guides on my spare ‘default’ device to make sure none of my own settings get in the way for most users.

  3. Guide worked quite well. But to see the changes in the Xbox interface one has to refresh the NAT port on the Xbox itself.

    Settings –> Network Settings –> Advanced Settings –> Alternative port selection –> manual –> Use another port –> Continue –> Alternative port selection –> Automatic –> Back –> Test NAT type

    Restarting may help as well. I just wondered why it didn’t work until I saw the NAT test packages were fine in the firewall log.
