Gaming Challenges and Open NAT

My son has a number of game consoles and has really been into his XBOX 360 of late.  He recently acquired a new title that was complaining about our network configuration and refused to let him play.

After hearing his description of the message, I figured the issue had something to do with my very tight firewall configuration.  I went up and had a look at the error and sure enough, the complaint was regarding my NAT (Network Address Translation) configuration which it wanted me to resolve by enabling UPnP (Universal Plug and Play). I’m not a gamer but I know that many of the gaming platforms make extensive use of UPnP to ease firewall configuration by automatically port forwarding the ports needed for their particular platform. Since I have so much of my home “wired” to the internet, I’m pretty particular about my configuration and refuse to allow automatic rule insertions on my firewall regardless of how benign they might be.  That meant Microsoft’s suggestion to enable UPnP was not an option.

XBox Error Message
XBox Error Message

If you read this blog with any regularity, you know that I am fond of the DIY approach to meeting my family’s technology needs.  That means I tend to build many of the solutions that we use every day, including my router, which I built using a small form factor Shuttle case and then installing pfSense which is a BSD based router distribution. If you use a Linksys or Netgear router, you may find options in the configuration menu specifically for gaming, however no such options exist in pfSense.

My first thought was to figure out what ports the XBOX was wanting to use then login to my router and set up NAT rules for those ports.  One way to figure out what ports I would need to focus on would be to fire up an instance of Wireshark and analyze the traffic from the XBOX, but since the XBOX 360 is such a mainstream device I figured this would be a pretty common problem and a quick Google search would turn up the needed information. Just as I suspected, the port information was readily available, but there was plenty of conflicting data that, in this case, centered around single ports versus port ranges. To test whether or not a few simple port forwarding rules would work, I did the following:

  1. Set up a static DHCP lease for the XBOX so I could ensure that the device always had the same IP address
  2. Set up a rule to port forward ports 87-89 UDP and port 3073-3075 TCP/UDP from the WAN interface to the XBOX

After a quick test, we found that the problem persisted.  At this point I started to focus on the text of the error message that mentioned “Open NAT” … what the heck is that!?  I’m not a networking expert, but I certainly know my way around a router and know my networking terms but I had never heard of “Open NAT” so I started to poke around and couldn’t find anything that really explained that term.  Finally I ran across a site that explained that they were Microsoft terms that were slight variations of already existing open standards; no wonder I couldn’t find any explanatory information … makes you wonder why Microsoft didn’t just use the existing terms :) 

Microsoft Term Standard Term
Strict Symmetric NAT
Moderate Cone shaped NAT with port filtering or with UPnP turned off
Open Cone shaped NAT with no port filtering or with UPnP turned on

Now that I knew that the I needed a Full-Cone NAT setup, I had to figure out how to change these settings on my router.

By default pfSense is configured for what it calls “Automatic outbound NAT rule generation (IPsec passthrough)”.  This setting causes the ports the be “scrambled” which, in turn, causes many games for the XBOX 360 and other platforms to fail.  The other option is to tell the router to use “Manual Outbound NAT rule generation (Advanced Outbound NAT (AON))” which will allow port information to flow in and out of the router without needing any kind of translation.

After making this change we performed another test and voilà – it worked!

Remember the conflicting information that I mentioned earlier regarding ports? I didn’t want to just let that go, so I then went back and performed a number of tests and found that we were able to get by with only forwarding ports 88 and 3074. 

Note that this configuration may not work on networks with multiple XBOXs but if you have a single XBOX and have been struggling with NAT errors, this solution works like a charm.

Geek out!