Tag Archives: Watchguard Firewall

How to get multiple Xbox 360 consoles inside one LAN working properly

We recently added a second Xbox 360 to our house and came across the dreaded NAT TYPE “moderate”.  I needed both Xboxes to get to “OPEN” NAT type so that online multiplayer games would function perfectly, but had to invest multiple hours into the process to work it all out.

The main factor for me is that I need a firewall that supports multiple game consoles as well as the ability to do site-to-site VPN via the firewall.

I tried the following firewall setups:

  1. Watchguard XTM 33-W (latest firmware as of 12-31-2012).  No go.  Tried multiple configurations, not able to get both Xboxes to “open”.  This included port mapping, adjusting content filtering, etc.
  2. m0n0wall.  Latest version as of 12-31-2012.  No go.
  3. Smoothwall Express 3 SP 3.  No go.
  4. pfsense 2.02 – WORKED!
    1. Here is what I did:
      1. Install a SATA drive into an Optiplex 745.  Install two Intel 1000GT desktop adapters.
      2. Download the pfsense LIVE ISO image and burn it to a CD.  In my case, the image name was pfSense-LiveCD-2.0.2-RELEASE-i386.iso.gz
      3. Boot the CD and install pfsense to the SATA drive.
      4. Configure pfsense (set the WAN and LAN adapters).
      5. Boot pfsense, log into the web admin and make sure the house has internet connectivity.  (It did.)
      6. Make sure your Xboxes are on DHCP (obtain IP automatically).
      7. In the web admin of pfsense, go to SERVICES->UPNP and configure as follows: [Screenshot: upnp]
      8. Click CHANGE.
      9. You can now play 2 or more Xbox 360s inside your LAN without a problem.
      10. To look at the UPNP status, go to STATUS->UPNP.  When your Xboxes are online, you will see entries here for UPNP port mapping.
    2. Note:  This will also work fine for the SONY PLAYSTATION PS3.
      1. To configure/Enable UPNP for the PS3:
      2. Settings/Network Settings/Internet Connection Settings/Yes
      3. Custom (Setting Method)
      4. Go through all menus (to the right) and the last page is ENABLE UPNP.  Enable it.
      5. Test the connection and you should now have NAT TYPE 2.
    3. As far as the SONY PLAYSTATION VITA goes, I have not yet been able to get that to “NAT TYPE 2”.  As of firmware 2.02, the Vita does not support UPNP, and I cannot use port mapping/port forwarding as that would interfere with the PS3 setup.

If you are able to get a Playstation Vita working with NAT TYPE 2 using PFSENSE I would appreciate knowing your exact setup.

UPDATE April 26, 2013:

Upgraded to PFSense 2.0.3.

My current configuration (Which is working perfectly) is as follows:

1) DHCP server ON inside PFSENSE.  Both Xboxes assigned a static IP (VIA DHCP MAC ADDRESS RESERVATION) so that their internal IPs stay fixed. (Note:  One of my Xboxes is a newer black wireless model, the other is an older white model with the USB Microsoft Wireless adapter).  I use a high end MERAKI wireless access point to get them into my LAN.

2) These are my UPNP Mappings (note my two Xboxes are 192.168.6.234 and .234).

These settings work perfectly – OPEN NAT and my kids have played HOURS on this configuration.

[Screenshot: upnp-04-2013]
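Because both consoles keep fixed addresses through DHCP reservations, UPnP can be limited to those two hosts instead of the whole LAN. The following is an added example, not part of the original post: it models miniupnpd-style permission lines (`allow|deny ext-ports ip[/mask] int-ports`, first match wins, accept when nothing matches) and checks a mapping table against them. The second console address, the third host and the mapping table are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    allow: bool
    ext: range
    net: ipaddress.IPv4Network
    internal: range

def ports(spec: str) -> range:
    """Parse '3074' or '1024-65535' into an inclusive port range."""
    lo, _, hi = spec.partition("-")
    low, high = int(lo), int(hi or lo)
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return range(low, high + 1)

def parse_rule(line: str) -> Rule:
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    return Rule(action == "allow", ports(ext),
                ipaddress.ip_network(net, strict=False), ports(internal))

def permitted(rules, client_ip, ext_port, int_port) -> bool:
    """First matching rule decides; with no match the request is accepted."""
    ip = ipaddress.ip_address(client_ip)
    for r in rules:
        if ip in r.net and ext_port in r.ext and int_port in r.internal:
            return r.allow
    return True

def unexpected(rules, mappings):
    """Return mappings (client_ip, ext_port, int_port) the ACL would refuse."""
    return [m for m in mappings if not permitted(rules, *m)]

# Constructed ACL: 192.168.6.234 is from the post, 192.168.6.235 is a
# placeholder for the second console. The last line is an explicit default deny.
ACL = [parse_rule(line) for line in (
    "allow 1024-65535 192.168.6.234 1024-65535",
    "allow 1024-65535 192.168.6.235 1024-65535",
    "deny 0-65535 0.0.0.0/0 0-65535",
)]

# Constructed mapping table, as might be read off STATUS->UPNP.
MAPPINGS = [("192.168.6.234", 3074, 3074),
            ("192.168.6.235", 3075, 3074),
            ("192.168.6.50", 3389, 3389)]

if __name__ == "__main__":
    for m in unexpected(ACL, MAPPINGS):
        print("mapping outside the console ACL:", m)
```

Without the final deny line, the request from 192.168.6.50 falls through both allow rules and is accepted, which is why the rule set ends with it.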

 

How to permit Google Fonts through your Watchguard WebBlocker content filter proxy

Out of the box, the Watchguard Firewall WebBlocker content filter does not permit Google Fonts to download and be viewed through the proxy and into your network.  This creates a problem because a lot of websites now use embedded fonts to properly render the website.

To fix this, do the following:

  1. Log into the Watchguard Firewall
  2. Presuming you have already set up a Firewall proxy and are using the WebBlocker to filter content…
  3. Go to Firewall->Proxy Actions, and EDIT the current proxy you have custom defined.
  4. Go to HTTP RESPONSE->CONTENT TYPES
  5. ADD the following new actions (below).  You will need to add ALL FIVE to make this work properly.
  6. Save

Add the following actions:

[Screenshot: googlefonts]

How to permit ZIP files through your Watchguard WebBlocker content filter proxy

Out of the box, the Watchguard Firewall WebBlocker content filter does not permit ZIP files to be downloaded inside your network.

To fix this, do the following:

  1. Log into the Watchguard Firewall
  2. Presuming you have already set up a Firewall proxy and are using the WebBlocker to filter content…
  3. Go to Firewall->Proxy Actions, and EDIT the current proxy you have custom defined.
  4. Go to HTTP RESPONSE->CONTENT TYPES
  5. ADD a new action, (ALLOW OR AV SCAN), Pattern match, application/x-zip-compressed
  6. Save
  7. Retry downloading your ZIP file (you may need to close out of your web browser and open it, and try again, but this should solve the ZIP file downloading).

How to permit YouTube videos and other videos to play through a Watchguard WebBlocker proxy

Out of the box, the Watchguard Firewall WebBlocker content filter does not permit YouTube (and other streaming videos) to play through the proxy and into your network.

To fix this, do the following:

  1. Log into the Watchguard Firewall
  2. Presuming you have already set up a Firewall proxy and are using the WebBlocker to filter content…
  3. Go to Firewall->Proxy Actions, and EDIT the current proxy you have custom defined.
  4. Go to HTTP RESPONSE->CONTENT TYPES
  5. ADD a new action, (ALLOW OR AV SCAN), Pattern match, video/*
  6. Save
  7. Retry playing your video (you may need to close out of your web browser and open it, and try another video, but this should solve the YouTube and other streaming video issues).
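
ZIP downloads and video streams do not always arrive with the content types named in the ZIP and video rules above, so it helps to see which header a blocked response actually carries before adding a pattern. The following is an added example, not part of the original posts: it checks observed Content-Type values against the two patterns, assuming shell-style wildcard matching on the media type; the sample responses and host names are constructed.

```python
from fnmatch import fnmatchcase

# Patterns the posts add under HTTP RESPONSE->CONTENT TYPES.
PAGE_PATTERNS = ["application/x-zip-compressed", "video/*"]

def media_type(content_type: str) -> str:
    """Strip parameters such as '; charset=...' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()

def matching_pattern(content_type: str, patterns):
    """Return the first pattern that covers the header value, or None."""
    mt = media_type(content_type)
    for p in patterns:
        if fnmatchcase(mt, p.lower()):
            return p
    return None

def uncovered(responses, patterns):
    """List (url, media type) pairs that no pattern covers."""
    return [(url, media_type(ct)) for url, ct in responses
            if matching_pattern(ct, patterns) is None]

# Constructed (URL, Content-Type) pairs; hosts are placeholders.
SAMPLE = [
    ("https://files.example/a.zip", "application/x-zip-compressed"),
    ("https://files.example/b.zip", "application/zip"),
    ("https://files.example/c.zip", "application/octet-stream"),
    ("https://video.example/clip.mp4", 'Video/MP4; codecs="avc1.42E01E"'),
    ("https://video.example/live.m3u8", "application/vnd.apple.mpegurl"),
]

if __name__ == "__main__":
    for url, mt in uncovered(SAMPLE, PAGE_PATTERNS):
        print(f"not covered by the added rules: {mt:32} {url}")
```

Knowing the exact media type of the blocked response lets you add one narrow pattern for it rather than a broad wildcard.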

How to allow the YouTube app to play videos through a Watchguard WebBlocker firewall proxy

If you are having problems with iPhones or iPads (or any other device) playing through your Watchguard WebBlocker proxy (via your Watchguard firewall), the fix is very simple.

Presuming you have one of the latest firmwares (11.6.x as of today) and are using WebBlocker with a proxy combined with the content filtering…

Log into the Watchguard

Go to Firewall->Proxy Actions

Select and Edit the proxy setup you are using in your network.  (you must NOT be using a predefined one, you must make your own).

Go to HTTP Proxy Exceptions

Add the following:

*.apple.com

*.youtube.com

so that your entries look like this:

[Screenshot: proxy action]

Save your changes.

Re-test your app and the application should play.

This worked perfectly on our network and our i-Devices.