Achieve full open NAT with port forwarding for Xbox Live via Opnsense

How to achieve full open NAT status with Xbox Live with Opnsense without using UPnP

To fully utilise Xbox Live features, you’ll need to make sure your NAT type is Open, not Moderate or Strict.

The official port listing for Xbox Live has a large selection of ports you should open, but in practice it seems you only really need to open one: the Xbox Live port 3074 (TCP/UDP).

You could use UPnP, but there are negative security implications. The four-step method below works without the risk of adding UPnP to your Opnsense setup.

Steps

  1. Give the Xbox a static IP.
    (I prefer to set static leases via Opnsense rather than on the device)
  2. Set up firewall aliases for the static Xbox IP and the Xbox Live port
  3. Forward the Xbox Live port to the static Xbox IP
    (with NAT reflection / hairpinning)
    • Check the auto-created firewall rules
  4. Allow outbound NAT from the static Xbox IP

Set static IP on LAN for Xbox

Opnsense > Services > DHCPv4 > Leases

Set the IP to something outside your pool of regular DHCP addresses or you could have a conflict in the future.

Add a static IP for the Xbox on your LAN

Create Xbox Live TCP/UDP port Alias

Opnsense > Firewall > Alias

Create an Alias for the Xbox live port 3074

Create Alias for Xbox static IP

Opnsense > Firewall > Alias

It’s a good idea to use an alias for devices, as descriptive names are easier to work with and remember. It also allows the IP of the device to be changed without having to edit any existing firewall rules.

Create an Alias for the Xbox device so you do not need to remember the static IP address

Port forward Xbox live to the Xbox

Opnsense > Firewall > NAT > Port Forward

Create the rule to forward traffic on the Xbox live port to the static IP of the Xbox

Port Forward – NAT Reflection: Enable

NAT Reflection (sometimes called hairpinning) detects that traffic sent to the public IP actually comes from a device inside the local LAN and rewrites the flow so that it is delivered to the internal IP.

Port forward rule complete
Port forward rule once added and enabled

Check auto created firewall rules

(As the rule is auto-generated, you cannot edit it directly; you can only delete it)

The auto generated WAN firewall rule

Allow outbound NAT

Opnsense > Firewall > NAT > Outbound

First, set and save the mode to “Hybrid”

Create the rule to allow outbound NAT of the Xbox live port from the Xbox

Outbound NAT – Static Port: ticked

By default Opnsense will rewrite and randomise the source port on outgoing traffic. This is to reduce IP spoofing and prevent fingerprinting of the devices behind the firewall. Also, when many devices try to connect to the same remote IP and port, the randomness allows NAT to properly segregate these connections and map them back to the correct LAN clients.

Xbox Live is particularly picky about the source port being what it expects (3074, unless you have altered it in the settings). If you do not tick ‘Static Port’, you will be given a NAT type of Moderate on Xbox Live, as the packet filter will assign a random source port which Xbox Live does not like.

Outbound NAT rule complete
Outbound NAT rule once added and enabled along with Mode set to Hybrid
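To confirm that all four steps above ended up in the running configuration, the following added example (not from the original post) audits an Opnsense config.xml backup for the port forward, NAT reflection, hybrid outbound mode and the static-port outbound rule. The embedded XML is a constructed sample, and the element names (nat/rule, natreflection, outbound/mode, staticnatport) are assumptions about the backup layout; compare them against your own backup before relying on the result.

```python
"""Audit an Opnsense config.xml backup for the Xbox Live NAT setup."""
import xml.etree.ElementTree as ET

XBOX_PORT = "3074"

# Constructed sample of the relevant part of a config backup (assumed layout).
SAMPLE_CONFIG = """<opnsense>
  <nat>
    <outbound>
      <mode>hybrid</mode>
      <rule>
        <interface>wan</interface>
        <source><network>192.168.1.50/32</network></source>
        <staticnatport>1</staticnatport>
        <descr>Xbox outbound static port</descr>
      </rule>
    </outbound>
    <rule>
      <interface>wan</interface>
      <protocol>tcp/udp</protocol>
      <destination><network>wanip</network><port>3074</port></destination>
      <target>192.168.1.50</target>
      <local-port>3074</local-port>
      <natreflection>enable</natreflection>
      <descr>Xbox Live to Xbox</descr>
    </rule>
  </nat>
</opnsense>"""


def audit_xbox_nat(config_xml, xbox_target, port=XBOX_PORT):
    """Return check name -> bool. xbox_target is the IP or alias name used in
    the rules. Any False means the Xbox will likely report Moderate/Strict."""
    findings = {"port_forward": False, "reflection": False,
                "outbound_hybrid": False, "static_port": False}
    nat = ET.fromstring(config_xml).find("nat")
    if nat is None:
        return findings
    for rule in nat.findall("rule"):  # inbound port forwards
        if (rule.findtext("destination/port") == port
                and rule.findtext("target") == xbox_target
                and rule.findtext("local-port") == port
                and rule.findtext("protocol") == "tcp/udp"):
            findings["port_forward"] = True
            findings["reflection"] = rule.findtext("natreflection") == "enable"
    outbound = nat.find("outbound")
    if outbound is not None:
        findings["outbound_hybrid"] = outbound.findtext("mode") == "hybrid"
        for rule in outbound.findall("rule"):
            src = rule.findtext("source/network", "").split("/")[0]
            if src == xbox_target and rule.findtext("staticnatport") in ("1", "yes"):
                findings["static_port"] = True
    return findings
```

Run `audit_xbox_nat(open("config.xml").read(), "192.168.1.50")` against a real backup and treat any False entry as the step to revisit.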

