Open NAT on XBox One?

Not sure I have things set up right, especially since I can’t seem to get NAT into OPEN mode on an XBox One game console.

I have the typical home internet setup, cable modem, and internet home router. The wrinkle is that I have behind this an ipFire firewall, so the network between the internet router and in front of the ipFire firewall is RED zone, and behind the ipFire firewall, GREEN zone.

I have rules for the XBox communication set up to direct said port traffic only to the XBox console on ipFire. The issue is that my internet home router can’t port forward to an IP address behind the ipFire, to the GREEN zone. Thus I have forwarded the traffic from the home router to the RED interface on ipFire, letting the rules handle the forwarding to the actual XBox console IP address.

This seems right, but obviously something is not quite right, or it would be working as expected, in reference to the Xbox NAT mode being OPEN versus STRICT mode.

Internet->ISP->Cable Modem->Home Router (x.x.0.251)->RED (x.x.0.91)->GREEN (x.x.1.91)->Xbox (x.x.1.38)

Documented port forwarding for XBox Live

Port 88 (UDP)
Port 3074 (UDP and TCP)
Port 53 (UDP and TCP)
Port 80 (TCP)
Port 500 (UDP)
Port 3544 (UDP)
Port 4500 (UDP)

IpFire Rules

I guess the first question is, should the XBox Live rules reflect the original source, i.e. .0.251, or the RED interface as .0.91?

I’m really astonished to see among the XBox ports the long-known UDP ports for IPSec.
And this is really not good info, for me.

Is your ipfire in a DMZ of your ISP router?

It is not as yet. But I was leaning in that direction; it makes sense. I wanted to keep the XBox as secure as possible, without establishing a 2nd firewall, leaving it on GREEN0. But… the best possible scenario would be to establish a separate network just for the XBOX. Say, BLACK0, that is DMZ connected and of course separate from my current RED0 and GREEN0 segments on the original firewall.

IPSec? Yes, I did not realize this until you noted it, UDP 500 and UDP 4500. Not to defend Microsoft at all, but is it not common for other ports to be used for IPSec in actual implementation? The 500 and 4500 UDP are defaults only. As I recall, Cisco suggests not using the default IPSec ports. That said, I also found the following… https://community.ui.com/questions/Xbox-Live-Port-Forwarding-conflicts-with-IPsec/a88ea150-6eae-4dcb-9fd0-253e0529ed4e. It suggests that XBOX Live can work without the conflicting default IPSEC ports. I have not tested this as yet, but maybe worth doing.

I am not sure whether that is a “default” only or mandatory for the protocol.
I’ve never seen, on any device I’ve used/configured, the option to change the IPSec ports for IKE and NAT-T, but I’ve seen several distros and devices that allow changing the port for OpenVPN.
AFAIK, IPSec is quite a part of the TCP/IP protocol suite, unlike OpenVPN, which relies and depends on it.
I would never “assign” IPSec ports to an XBox, and I’m… quite scared that it might be a VPN endpoint. Its firmware is big enough to contain a lot of not nice things, and these findings make me believe that putting the Xbox into the Blue or, better, Orange network should be a safe idea.

Consider all above words only as my opinion, don’t take all that for a fact. I have no evidence about the eventual nastiness of XBox Operating system or the necessity to put the device outside a “private” network segment for security reasons.

You need port 500.
And other ports that are game specific.
Lots of ports.
Multiple XBOXs even worse.
Also thought of moving the XBOX to Blue, with upnpd for Blue or Orange.
And use the mac filter if on Blue

Interesting, because others have said 500 is not required. But I am sure testing will illustrate either way. I tested connected to the DMZ port of my router, with the given port forwarding as recommended. This is done by most XBOX players, or similar to it. With millions(?) of XBOX users out there, most I suspect with no understanding of UPNP, firewalls, etc., clearly people are playing games and functional. This is not to suggest that better security is not a good thing, only that something is working, and working well enough for most users with minimum security beyond what the XBOX OS provides.

I know for a fact, that every single default port value (via forwarding, reassignment, code change, etc)… is changed by some organizations. That the default port values are never used. This is not a simple task, but it is done by some.

This is not a suggestion that XBOX be given default control of said ports, but clearly Microsoft does not see an issue with using 500 and 4500. I could find no documentation from Microsoft on how to avoid this overlap at all.

Nor did I have any conflicts with my corporate hardware-based VPN device. So clearly, my corporate VPN and my XBOX avoid any direct conflict.

There are two options, as far as I can imagine.

  • your VPN device does not use any of these ports for receiving data
  • your VPN device is closer to the internet connection than the console, and when the XBOX asks for these ports, the answer is something like “$cr3w you!”

Sorry for starting and feeding the OT… Let’s try to get back on track with the topic, please :)

My point in mentioning the corporate VPN… is to illustrate that port reassignment does happen, and is done by many entities. Any port below 1024 is supposed to be reserved, true. But there is no effective way to police the situation at this point. And I don’t see any issue with discussing this in the context of XBOX port use; it is part of the applicable environment. But, agreed, the topic of how to provide XBOX open NAT connectivity through the various possible firewall designs is, or should be, the focus.

I see two options for my XBOX configuration:

  1. Use the DMZ port on my internet router, set a 2nd ipfire wall in place, and then put my XBOX behind that. Since there are multiple XBOXes in the house, this is not a great solution. But for now, only my XBOX needs open NAT. This does device and network isolation, which I like. I just can’t run cabling all over the house to create a completely separate physical DMZ rail.

  2. Set up an additional zone and set my XBOX in that new zone. Separate from my internal LAN (GREEN), WiFi (BLUE), and RED which is between router and firewall, and otherwise empty of devices.

I am not considering any type of internal VPN or tunneling layer; option 2 would use port forwarding from router to firewall. That is what I would like to get working initially, just to understand the applicable configuration and functionality.

So my original question is: if my router is (RED) 0.251, and (RED) 0.91 is the firewall, do I set router port forwarding to 0.91, or to the final destination IP (GREEN)? My router will not forward beyond its immediate IP range. So I guess I must port forward to the firewall RED port. Thus, if I set the forwarding to 0.91, are the rules I illustrated above incorrect? Do they need the source to be 0.91, or the source router IP of 0.251?
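To make the two-hop forwarding question concrete, here is an added example (not from the thread or from IPFire) that models the chain in plain Python: the home router DNATs the listed ports to the RED address, and ipFire DNATs them again from RED to the console. The addresses are constructed stand-ins for the thread's x.x.0.251 / x.x.0.91 / x.x.1.38, and the model assumes the home router does a plain destination rewrite without masquerading the source, so a rule on ipFire that insists on a source of .0.251 never sees a matching packet; it also flags the list entries that collide with the IKE / NAT-T defaults mentioned above.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional

# Constructed addresses standing in for the thread's x.x.0.251 / x.x.0.91 / x.x.1.38.
HOME_ROUTER = "192.168.0.251"   # internet router, LAN side (RED zone)
IPFIRE_RED = "192.168.0.91"     # ipFire RED interface
XBOX = "192.168.1.38"           # console on GREEN
PUBLIC_IP = "203.0.113.10"      # constructed WAN address of the home router
# Port list quoted in the thread, as (port, protocol) pairs.
XBOX_LIVE_PORTS = [(88, "udp"), (3074, "udp"), (3074, "tcp"), (53, "udp"), (53, "tcp"),
                   (80, "tcp"), (500, "udp"), (3544, "udp"), (4500, "udp")]
IPSEC_DEFAULT_PORTS = {(500, "udp"), (4500, "udp")}   # IKE and NAT-T defaults
Packet = namedtuple("Packet", "src dst dport proto")

@dataclass(frozen=True)
class ForwardRule:
    match_dst: str                    # address the packet arrives with (this hop's own IP)
    dport: int
    proto: str
    target: str                       # new destination after DNAT
    match_src: Optional[str] = None   # None = any source

def apply_rule(pkt: Packet, rule: ForwardRule) -> Optional[Packet]:
    """Return the DNAT-rewritten packet if the rule matches, else None."""
    if (pkt.dst, pkt.dport, pkt.proto) != (rule.match_dst, rule.dport, rule.proto) \
            or (rule.match_src is not None and pkt.src != rule.match_src):
        return None
    return pkt._replace(dst=rule.target)   # plain DNAT: the source address is left as-is

def forward_chain(pkt: Packet, hops: List[List[ForwardRule]]) -> Optional[str]:
    """Push a packet through each hop's rules; return the final destination, or None if dropped."""
    for rules in hops:
        for rule in rules:
            rewritten = apply_rule(pkt, rule)
            if rewritten is not None:
                pkt = rewritten
                break
        else:
            return None
    return pkt.dst

def build_hops(ipfire_match_src: Optional[str] = None) -> List[List[ForwardRule]]:
    """Hop 1: router forwards the listed ports to RED; hop 2: ipFire forwards them on to the console."""
    router = [ForwardRule(PUBLIC_IP, p, pr, IPFIRE_RED) for p, pr in XBOX_LIVE_PORTS]
    ipfire = [ForwardRule(IPFIRE_RED, p, pr, XBOX, ipfire_match_src) for p, pr in XBOX_LIVE_PORTS]
    return [router, ipfire]

def ipsec_conflicts(ports):
    return sorted(p for p in ports if p in IPSEC_DEFAULT_PORTS)   # entries colliding with IKE / NAT-T
```

Under these assumptions the ipFire rule should match on the RED address as destination and leave the source open; pinning the source to the router's LAN address only works if the router also rewrites the source, which is not the case modelled here.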

Have you sorted this out?
We have 1 XBOX one X and it is a PITA.
The Xbox 1s in the house have no problem!?
I have my IPFIRE in the ISP router DMZ and have an Open NAT.

Right, I have the one XBOX (mine) on the DMZ port of my router for now. But the other XBOX units are behind my wall, and in strict mode. Fortunately, for the rest of the house, strict NAT is ok, sufficient. But my long-term goal is to get all the XBOXes behind a separate ipfire wall, separate from other devices in my home network. But to do this, I need to set up a separate wired network over time. Just as I have two separate WiFi networks… one for media devices and one for home automation devices.