Here is my quick & easy guide to getting OPEN NAT inside your network for multiple XBOX’s and inside a PFSENSE FIREWALLED network.
- all Xboxes must be configured with a STATIC IP.
- under the Xbox Settings, Network, Advanced settings, I use MANUAL IP address setting.
- put a static IP inside the range of your network.
- as an example:
- IP: 192.168.100.20
- Subnet: 255.255.255.0
- Gateway: 192.168.100.1
- DNS: Point it at your PFSENSE box. 192.168.100.1
- Secondary DNS: Use Google: 126.96.36.199
- Alternate PORT: not needed // leave at default
- clear any alternate MAC addresses.
- Save these settings and SHUT DOWN your XBOX.
- Pull the plug
- Go log into your PFSENSE firewall
- I am using a beta version of PFSENSE 2.5.0.a.20200401.1515
- You should try to be using as current a version as possible to avoid any issues with outdated PFSENSE code.
- Inside PFSENSE, go to Services/ UPnP & NAT-PMP
- Setup your settings like this (click image for larger version):
- under ACL ENTRIES, each XBOX’s STATIC IP address must be on it’s own line here. If you have multiple XBOX’s, create one line entry for each XBOX and edit the IP ADDRESS
- HIT SAVE to save your settings here.
- Go to Firewall / NAT / Outbound
- Make sure that the MODE is set to Hybrid Outbound NAT rule generation.
- Add a mapping (see below, click for larger image)
- under SOURCE, you must put the IP address for your XBOX here.
- Repeat and add mappings for EACH XBOX (and IP ADDRESS) inside your LAN
- SAVE CHANGES
- Plug the power back into your Xbox
- Power it on
- Once it is booted, go to NETWORK / SETTINGS.
- RE-RUN NAT TYPE test
- RE-RUN MULTIPLAYER test
- you should now have “OPEN” NAT
PFSense 2.3.x and up have removed the PPTP tab, and PPTP passthru options. This is because PPTP has been depreciated and it not considered 100% safe anymore.
For those of you still in need of using PPTP passthru to allow Windows VPN remote users into your LAN, here is the easy workaround.
- Firewall, NAT, Port forward.
- add port forward from WAN (presumably your outside interface name)
- WAN ADDRESS
- DEST PORT RANGE=PPTP 1723
- REDIRECT TARGET IP=the internal IP of your Windows RRAS server.
- REDIRECT TARGET PORT=1723
- Allow it to ADD ASSOCIATED FILTER RULE for this entry
- add another rule, exactly the same as above EXCEPT for GRE. All the same settings, but use GRE
- Once that is complete, go look at your WAN firewall rules. You should have two new auto-created rules. One for PPTP and one for GRE.
- Remote users should now be able to connect just fine through PFSENSE 2.3.x into your Windows RRAS server.
Remember, using PPTP in 2016 is considered a risk, so do it at your own risk. Please consider moving towards a newer VPN standard with better security.
We recently added a second xbox 360 into our house and came across the dreaded NAT TYPE “moderate”. I needed both xbox’s to get to “OPEN” NAT type so that online multiplayer games will function perfectly, but had to invest multiple hours of time into the process to work it all out.
The main factor for me is that I need a firewall that supports both multiple game consoles, as well as the ability to do site-to-site VPN via the firewall.
I tried the following firewall setups:
- Watchguard XTM 33-W (latest firmware as of 12-31-2012). No Go. Tried multiple configurations, not able to get both XBOX’s to “open”. This included port mapping, adjusting content filtering, etc.
- Monowall. Latest version as of 12-31-2012. No go.
- Smoothwall Express 3 SP 3. No go.
- pfsense 2.02 – WORKED!
- Here is what I did:
- Install SATA drive into an Optiplex 745. Installed two Intel 1000GT desktop adapters.
- Download the pfsense LIVE ISO image and burn to a CD. In my case, the image name was pfSense-LiveCD-2.0.2-RELEASE-i386.iso.gz
- Boot the CD and install pfsense to the SATA drive.
- Configure pfsense (set the WAN and LAN adapters)
- boot pfsense, log into the web admin and make sure the house has internet connectivity. (it did).
- Make sure your xboxes are on DHCP (obtain IP automatically)
- in the web admin of pfsense, go to SERVICES->UPNP and configure as follows:
- click CHANGE.
- you can now play 2 or more Xbox 360’s inside your LAN without a problem.
- To look at the UPNP status, go to STATUS->UPNP. when your Xbox’s are online, you will see entries here for UPNP port mapping.
- Note: This will also work fine for the SONY PLAYSTATION PS3.
- To configure/Enable UPNP for the PS3:
- Settings/Network Settings/Internet Connection Settings/Yes
- Custom (Setting Method)
- Go through all menus (to the right) and the last page is ENABLE UPNP. Enable it.
- Test the connection and you should now have NAT TYPE 2.
- As far as the SONY PLAYSTATION VITA goes, I have not yet been able to get that to “NAT TYPE 2” — it does not as of firmware 2.02 on the Vita support UPNP, and I cannot use port mapping/port forwarding as that would interfere with the PS3 setup.
If you are able to get a Playstation Vita working with NAT TYPE 2 using PFSENSE I would appreciate knowing your exact setup.
UPDATE April 26, 2013:
Upgraded to PFSense 2.0.3.
My current configuration (Which is working perfectly) is as follows:
1) DHCP server ON inside PFSENSE. Both XBOX’s assigned a static IP (VIA DHCP MAC ADDRESS RESERVATION) so that their internal IP’s stay fixed. (Note: One of my XBOX’s is a newer black wireless model, the other is an older White model with the USB Microsoft Wireless adapter). I use a high end MERAKI wireless access point to get them into my LAN.
2) These are my UPNP Mappings (note my two XBOX’s are 192.168.6.234 and .234).
These settings work perfectly – OPEN NAT and my kids have played HOURS on this configuration.