Achieve full open NAT with port forwarding for Xbox live via Opnsense

How to achieve full open NAT status with Xbox Live with Opnsense without using UPnP

To fully use Xbox Live features, your NAT type needs to be Open, not Moderate or Strict.

The official Xbox Live port listing includes a large selection of ports you are told to open, but in practice only one needs forwarding: the Xbox Live port, 3074 (TCP and UDP).

You could use UPnP, but UPnP lets any device on the LAN open inbound ports on the firewall by itself, with no authentication, which is a real security cost. The four-step method below works without adding UPnP to your Opnsense setup.

Steps

  1. Give the Xbox a static IP.
    (I prefer to set static leases via Opnsense rather than on the device)
  2. Set up firewall aliases for the static Xbox IP and the Xbox Live port
  3. Forward the Xbox Live port to the static Xbox
    (with NAT reflection / hairpinning)
    • Check the auto-created firewall rule
  4. Allow outbound NAT from the static Xbox, with Static Port ticked

Set static IP on LAN for Xbox

Opnsense > Services > DHCPv4 > Leases

Set the IP to something outside your regular DHCP pool, or you could have an address conflict in the future.

Add a static IP for the Xbox on your LAN

Create Xbox Live TCP/UDP port Alias.

Opnsense > Firewall > Alias

Create an Alias for the Xbox live port 3074

Create Alias for Xbox static IP

Opnsense > Firewall > Alias

It's a good idea to use an alias for devices: descriptive names are easier to work with and remember, and if the device's IP ever changes you only update the alias rather than every firewall rule that references it.

Create an Alias for the Xbox device so you do not need to remember the static IP address

Port forward Xbox live to the Xbox

Opnsense > Firewall > NAT > Port Forward

Create the rule to forward traffic on the Xbox live port to the static IP of the Xbox

Port Forward – NAT Reflection: Enable

NAT reflection (sometimes called hairpinning) handles the case where a device inside the LAN connects to your public IP on the forwarded port: the firewall recognises that the flow originates locally and rewrites it to the Xbox's internal IP, so the forward works from inside the LAN as well as from the internet.

Port forward rule once added and enabled

Check auto created firewall rules

(As the rule is generated from the port forward entry you cannot edit it directly, only delete it. Confirm it allows TCP/UDP on the Xbox Live port alias to the Xbox alias and nothing wider.)

The auto generated WAN firewall rule

Allow outbound NAT

Opnsense > Firewall > NAT > Outbound

First, set and save the mode to “Hybrid”

Create the rule to allow outbound NAT of the Xbox live port from the Xbox

Outbound NAT – Static Port: ticked

By default Opnsense rewrites outgoing traffic with a randomised source port. This makes the source port unpredictable to an outside party, so spoofed packets cannot easily be injected into an existing connection, and it hides the port-allocation behaviour of the devices behind the firewall from fingerprinting. It also means that when several LAN devices talk to the same remote IP and port, each flow gets its own distinct source port, so the NAT can map replies back to the correct client.

Xbox Live is particularly picky about the source port being what it expects (3074, unless you have altered it in the console's settings). If you do not tick 'Static Port', the packet filter assigns a random source port to the Xbox's outbound traffic, Xbox Live sees a port it does not expect, and you will be given a NAT type of Moderate.

Outbound NAT rule once added and enabled, along with Mode set to Hybrid

Reference

https://docs.opnsense.org/manual/nat.html

9 thoughts on "Achieve full open NAT with port forwarding for Xbox live via Opnsense"

  1. Thanks for taking the time to write this up, it helped me conquer Strict NAT on PC – your piece about the static port setting was exactly what I needed to learn.

  2. Thanks for the guide!
    But sadly, it's not working on my Series X.

    Is there a way to test the ports?

    Also, per MS, the following ports also need to be open:

    Port 88 (UDP)
    Port 3074 (UDP and TCP)
    Port 53 (UDP and TCP)
    Port 80 (TCP)
    Port 500 (UDP)
    Port 3544 (UDP)
    Port 4500 (UDP)
    I added those to your guide, but still coming up as Strict.

    Suggestions?

    1. As I mentioned, MS suggest those other ports, but others and I have found that you only really need the Xbox Live port 3074 open.

      I would always suggest going with as few open ports as needed; it’s less to manage and more secure.

      There are services out there you can use to test to see if your own IP has ports open, but the best test is the Xbox network NAT test.

      I would suggest re-checking the guide, be particularly careful to make sure “Static-port” is ticked for the Firewall: NAT: Outbound rule.
      If not too inconvenient, reset your Opnsense device to defaults, as I always write and test guides on my spare 'default' device to make sure none of my own settings get in the way for most users.

  3. Guide worked quite well. But to see the changes in the Xbox interface one has to refresh the NAT port on the Xbox itself.

    Settings –> Network Settings –> Advanced Settings –> Alternative port selection –> manual –> Use another port –> Continue –> Alternative port selection –> Automatic –> Back –> Test NAT type

    Restarting may help as well. I just wondered why it didn't work until I saw the NAT test packets were fine in the firewall log.

  4. I managed to get Open NAT on my Series X but am failing to achieve the same result on my son's Xbox One S. Both consoles are connected through a VLAN with a physical Ethernet connection. Any pointers?

    1. Tismo, I think (but cannot confirm) that if you have more than one Xbox device on the network, you need to set the Xbox Live port (3074) to something else on one of the devices in the machine settings.
      You would then need to create the same rules again for the 2nd device using this new port in place of 3074.
      This effectively creates two separate pathways for the two different devices on the LAN.

  5. I just wanted to say thanks for this, this guide helped a lot. There was one thing the guide is missing: my Xbox, even after setting this all up, stated the NAT type was still Strict. I was about to pull my hair out when, out of the blue, I thought "what if I reset my Xbox", and sure enough that fixed it.

    So I wanted to add here this too for anyone that might run into this issue, a reboot of Opnsense and your Xbox might be needed.

    Also if you want to enable UPnP to work with your Xbox this is a great guide too, maybe you could add this to yours as well, worked for me in allowing UPnP only on my Xbox.
    https://forum.opnsense.org/index.php?topic=22591.0

  6. For Xbox One users, you have to go into Network Settings under Advanced settings and choose an Alternate port … it doesn't matter which one, just choose one and save it. Next:

    1 – Create an Alias for the port called AlternatePort
    2 – Under Firewall/NAT/Port Forward, create a new rule:
    – Interface: WAN
    – Proto: TCP/UDP
    – Dest: WAN net
    – Range: AlternatePort to AlternatePort
    – Redirected Target IP XboxSeriesX (or whatever name you gave it before)
    – NAT Reflection Enabled
    – Filter Rule Association: None

    Save and apply and do a NAT type test on the box under network settings and it should come back as Open.
