Xbox One / Xbox 360 and Open NAT using m0n0wall and pfsense
Hey! So this is where my background in network security and building computer games and back-end networks for MMOs comes together. Recently I got an Xbox One and started to play Destiny. Don’t judge me. Destiny, like any multiplayer game, works best when the game consoles can talk directly to one another.
Microsoft, like many other companies, has tried to help the home consumer with a bit of network technology called UPnP. In general, this is a nasty little protocol that lets a device on your LAN configure your home firewall (often mistakenly called a “router” by many people). For those of us who are actual network engineers, and especially for those of us who specialize in computer security… UPnP is evil. If you find that you have to reboot your home firewall (“router”) as well as your game console from time to time because you went from having an Open NAT to a restricted one, it is because the UPnP mappings on your firewall have gotten out of sync with what the console expects, and on a consumer-grade firewall the only way to reset them is to reboot it. That alone should be reason enough to stop using this kind of setup; the fact that any device on your home network can auto-magically reconfigure your only line of defense, with no authentication at all, should be your true reason. Either way… let’s talk about how to use a real firewall for your home, like m0n0wall or pfsense, to set up a true Open NAT so that you no longer have any problems. I will address possible work-around methods using DLink, Linksys/Cisco, and other similar consumer-grade firewalls at the end of this blog.
You want to play a multiplayer game such as Destiny on your Xbox One or Xbox 360 (herein simply “Xbox”) and you find that you cannot join your friends in an active game, or you cannot join their party and thus cannot speak with anyone. After some quick Google-Fu you find that there are various “NAT types” and your Xbox is reporting Open, Moderate, or Strict. These are varying degrees of fun, from “YEA! I can do anything anytime!” to “I can mostly only play by myself and this is totally not fun.” So, we want “Open” NAT. You will also read that you can enable everything from UPnP to various other things on your home firewall and this should “fix” things. There are also methods where you try to connect, then reset your firewall, then reconnect again and you are good for the duration of the game. Um… this is not fixing the problem, it’s getting around a symptom for a short period of time and frankly, that’s not how we do things around my house.
Yes, solutions, as in several, are possible. I refer to these as “building your home network correctly,” and none of them involve UPnP. With that said, let’s review the proper ways to architect your home network so that a server, or in this case a workstation, can receive inbound traffic from random sources on the Internet while the rest of the network stays protected.
Before we get to the solutions, let’s talk about static vs. dynamic IP addresses, both on your LAN and for your Internet connection. If you have read any number of other blogs about getting your Xbox NAT to be “Open” you almost always see that people tell you to set a static IP address for your Xbox. I agree, because this makes writing rules easier, and it ensures that the rules you write today will work in the future because your Xbox will never have a different IP address. For instructions on how to do this on your Xbox consult Microsoft’s technical documentation. To be honest, I use static DHCP assignment (a DHCP reservation) rather than hard coding each network device in my house with a static IP. The reason I do this: I never know when I will have to renumber my network or move things around in my address range, and I don’t want to touch each network appliance when that happens. With the “Internet of Things” this is probably an overall smart move. To do this, I add the MAC address of each appliance to my DHCP server along with the IP address it should be issued. Now when the device asks for an IP address, it always gets the same one. If I ever need to change things, I just update the DHCP server and the device is assigned the new IP address the next time it asks for one. One caveat: every rule below keys on the Xbox’s internal address, so if that reservation ever changes, update the NAT and firewall rules at the same time.

If you are a serious gamer or a hardcore network user, chances are you have already arranged with your ISP to have a small number of external static IP addresses. Now is the time to use one more of them. If you don’t have static IP addresses… it’s probably the best investment you can make on your home ISP account. It’s a few dollars more a month in most cases, and it really enables you to do a lot more with your home network connection. For example, with the “Internet of Things” you can start controlling home devices from the road using your smartphone without needing to go through a third-party service.
Example: I can run my own VPN server at my house, and then use it from anywhere I travel in the world to protect my privacy.
One-to-One NAT (Server NAT) –
The first option is the ultimate fix for this. It will allow your Xbox to work on the Internet as if it were directly connected, and everything will be amazingly simple for you in life after you set this up correctly. The downside: your Xbox is on the Internet and is a bit naked with regard to its overall security. But it’s a gaming console and not your home computer, so the risk is minimal as long as it cannot reach anything else on your LAN (see the DMZ note at the end of this post).
To use this option you will need a second IP address from your Internet service provider (ISP). The first IP address will remain the NAT address for all the other computers on your home network, and we will use the second IP address as a one-to-one NAT for the Xbox. (In terms of m0n0wall and pfsense we will be using “Server NAT” and not “1:1” because we are going to do a bit of outbound NAT configuration, and I prefer it this way over a plain 1:1. Note that current pfsense 2.x releases no longer have a Server NAT tab; there the same result comes from a Proxy ARP virtual IP under Firewall > Virtual IPs, a manual outbound NAT rule, and a port forward, which are the same three pieces described below.) It’s best to use static IP addresses for this, but it is totally possible with dynamic IP addresses.
Note: There was a time when all Xbox games used the very specific ports outlined by Microsoft. You could simply open firewall rules for those ports and all games would work correctly. But the complexity of today’s games requires larger ranges of ports, and you have one of two options. One, you can keep up with each new game you want to play and add its ports to the firewall as you need them. Two, set up this one-to-one configuration and decide that any and all ports can talk to your Xbox because, well… it’s an Xbox. Yes, a security guy just said it’s fine to open all ports to your Xbox and never worry about it again. But I truly mean, just to your Xbox.
Follow these steps:
First, we need to create a proxy ARP entry. This lets the firewall answer for another IP address on a physical port, e.g., a second, third, fourth… IP address. Under Services click “Proxy ARP” and then the + button to add one (in pfsense this lives under Firewall > Virtual IPs, with type “Proxy ARP”). You will need the external IP address you want to use, and the interface you want to use is WAN. Leave it set to “Single Address” and add a note reminding yourself what this is for. I used “Xbox One.” Then click Save and apply the change.
Congrats! Your firewall now has two external IP addresses and later you will find there is a virtual external interface for the second IP address.
Second, we need to define a NAT on the firewall. Go to Firewall, then NAT, and click the “Server NAT” tab. Once again, enter the external IP address you used in the proxy ARP entry, and enter a note to remind yourself what this is for; I again used “Xbox One” as my note. Save this and apply the change.
Third, we now need to do some outbound NAT kung-fu. Up until now, your entire home network has probably used one NAT and there has never been a need for you to do what I am about to explain. But now we are moving on to our yellow belt in network address translation and it’s time to show off some mad skills. Click the “Outbound” tab from the same menu as the last step. We are going to add TWO rules here: the first is for all the other computers and devices on your network, and the second is for your Xbox. Why two rules? Well, once we turn on this feature, if you don’t define the rule for all your other stuff, they will no longer be NATed automatically.

For my example, I am assuming you are using a 24-bit subnet for your home (e.g., your subnet mask is 255.255.255.0). This is how most home networks are set up, and if yours is different then you probably already know this. So the first rule looks like this: Interface is WAN, Source is your home network with a zero (0) as the last octet and 24 selected as your netmask. Leave Destination set to “any,” Target should be blank (which means the WAN interface address), and you might want to disable port mapping or not; it doesn’t matter to most people and you know if you need it. Provide a description; this might be something like “All outbound NAT.” Okay… save that. You have now written out the rule that your firewall previously applied by default.

Add a new rule. This time it should be set up as follows: Interface = WAN, Source is the INTERNAL IP address of your Xbox with the subnet mask set to /32. Destination is Any, Target is the EXTERNAL IP address that you created in the proxy ARP section. Do yourself a total favor and check “Avoid port mapping” (called “Static Port” in pfsense) and enter a note; I suggest “Outbound for Xbox One.” Save this. Two things to check before moving on. First, outbound NAT rules are matched top-down, first match wins, and the /24 rule also matches the Xbox’s address, so make sure the Xbox’s /32 rule sits ABOVE the general rule in the list or it will never be used. Second, “Avoid port mapping” is not optional for our purpose: it keeps the Xbox’s source port unchanged on the way out, which is what lets another console reply to the port the Xbox advertised and is the difference between an Open NAT and a Moderate or Strict one. On the main Outbound NAT page, check the box that says “Enable advanced outbound NAT” (“Manual Outbound NAT” in pfsense) and apply the changes.
Now, everything in your home other than the Xbox will be represented on the Internet as one external IP and the Xbox will be represented as the other IP address. We are almost finished!
Now we are going to do two things at once and fix our NAT issues for multiplayer games. We are going to set up an inbound NAT rule and have that inbound NAT rule create a firewall rule allowing the traffic through. To do this: click the “Inbound” tab on the same NAT configuration screen (“Port Forward” in pfsense) and add a new rule. Configure it as follows: Interface = WAN. External Address (it’s a drop-down): select the IP address you set as the proxy ARP (it will show your note for that entry; mine says “Xbox One”). Protocol: TCP/UDP. External port range: enter a one (1) in the first box and 65535 in the second box. Port 0 is reserved and never used, so this is every usable port. NAT IP: this is the INTERNAL IP address of your Xbox. Local port: select “other” from the drop-down and enter a one (1) in the text box; this maps the external range onto the same range on the Xbox, port for port. For description, I used “Xbox One inbound port forward.” Just above the “Save” button is “auto-add a firewall rule to permit traffic through this NAT rule.” Check that, click Save, apply the change, and you are done! Congrats!
If your Xbox is using the static INTERNAL IP address you used in the setup above, you are good to go. Running the console’s network test will now report an Open (full-cone) NAT. From now on, you will be able to join anyone online without a problem. And if your friends have more restrictive NAT setups, you can host the game and the party and everyone will be able to play and talk openly.
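As an added illustration that is not part of the original post, here is what the four GUI steps above come out to in pf’s own rule language, which is what m0n0wall and pfsense generate behind the scenes and what `pfctl -sn` (translation rules) and `pfctl -sr` (filter rules) print on the firewall itself. The interface names and the addresses are assumed placeholders from the documentation ranges, not the author’s; substitute your own. It is written as a fragment of a pf.conf to read against the rules your firewall shows, not as a file to load over the generated configuration.

```pf
# Assumed placeholders: interface names and addresses are examples only.
wan_if   = "em0"
lan_net  = "192.168.1.0/24"
xbox_lan = "192.168.1.50"        # Xbox's DHCP-reserved internal address
wan_ip   = "203.0.113.10"        # primary external address, everything else
xbox_wan = "203.0.113.11"        # second external address from the ISP

# Step 1 (Proxy ARP) has no pf.conf line: m0n0wall/pfsense run a small
# daemon (choparp) that answers ARP requests for $xbox_wan on $wan_if.

# Step 3, outbound NAT. Translation rules are FIRST match, so the Xbox's
# /32 rule must come before the catch-all /24 rule or the catch-all
# swallows the Xbox's traffic. "static-port" is pf's name for the GUI's
# "Avoid port mapping": the source port leaves the firewall unchanged,
# which is what lets peers reach the Xbox on the port it advertised.
nat on $wan_if from $xbox_lan to any -> $xbox_wan static-port
nat on $wan_if from $lan_net  to any -> $wan_ip

# Step 4, the inbound NAT rule: every TCP and UDP port on the second
# address is redirected to the Xbox, same port number inside ("port 1:*"
# maps the external range onto the internal range starting at 1).
rdr on $wan_if proto { tcp, udp } from any to $xbox_wan port 1:65535 \
    -> $xbox_lan port 1:*

# The rule the "auto-add a firewall rule" checkbox creates. Filtering
# happens after translation, so it matches on the INTERNAL address.
pass in quick on $wan_if proto { tcp, udp } from any to $xbox_lan \
    port 1:65535 keep state
```

After applying the GUI changes, compare `pfctl -sn` on the firewall with the nat and rdr lines above: if the /24 nat rule is listed before the Xbox’s /32 rule, or the Xbox’s rule lacks `static-port`, the console will keep reporting a Moderate or Strict NAT even though the port forward is in place.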
Inbound NAT Rules –
Let’s just say you have no static IP addresses, and you really don’t want to do advanced outbound NAT and all that stuff above. Okay, easy enough. What we can do is set inbound NAT rules (and thus firewall rules) to let people reach your Xbox on the external IP address that all your other network devices already share.
We can do this two ways. One, the super easy but totally sledgehammer-like approach, which assumes no other servers/services are needed on your external IP address, e.g., no torrent servers, web servers, etc. To do this, we simply make an Inbound NAT rule and have it create the firewall rule. Under Firewall, select NAT, and then click the Inbound tab. Create a new rule and use the following settings: Interface = WAN. External Address (drop-down): select Interface Address. (This means we don’t care whether the external interface of the firewall is static or dynamic; it will always use whatever that IP address is at the moment.) Protocol: TCP/UDP. External port range: enter one (1) in the first box and 65535 in the second box. NAT IP = the INTERNAL IP address of the Xbox. Local port: just put a one (1) in the box. Add a description, and then check the box “auto-add a firewall rule to permit traffic through this NAT rule.” Save and apply the changes and you are done. Your Xbox, using a static IP address internally, will now have an “Open” NAT to the Internet.

But, as stated before, this is kind of a sloppy way of doing it, and it has one practical consequence: inbound NAT rules are matched top-down, first match wins, so this rule catches every port and any other port forward you keep must sit above it in the list. The more “neat” way is to set up specific inbound rules whose TCP/UDP ranges match your game’s needs. This may take you six to a dozen rules. It is only needed if you have other inbound services that have to reach other LAN devices from the Internet. Hint: you would have had to set up similar rules for them in the past, so you know whether you need this or not. Chances are, if you have never set up inbound port forwarding rules, you don’t need them. So go crazy, point everything at your Xbox as I showed you, and start gaming.
Just as in the more “neat” way of the setup above, you could be very specific with the first firewall NAT rules we used in the Server NAT / 1:1 setup. It all comes back to how paranoid you are, and how much time you want to invest into the project.
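As a second added illustration, again not from the original post, the same two variants in pf’s rule language: the sledgehammer rule on a possibly dynamic WAN address, and the “neat” port-specific form. The interface name, the Xbox’s address and the port list are assumed placeholders; 3074 is the long-standing Xbox Live port and stands in for whatever list the game’s documentation gives you.

```pf
# Assumed placeholders.
wan_if   = "em0"
xbox_lan = "192.168.1.50"

# Sledgehammer variant. "($wan_if)" in parentheses means "whatever address
# the interface currently holds", so a DHCP-assigned WAN address is fine and
# nothing needs to change when the ISP hands you a new one. Keep this rule
# LAST among your port forwards: translation rules are first match.
rdr on $wan_if proto { tcp, udp } from any to ($wan_if) port 1:65535 \
    -> $xbox_lan port 1:*
pass in quick on $wan_if proto { tcp, udp } from any to $xbox_lan \
    port 1:65535 keep state

# "Neat" variant: forward only the ports the games need. With no target
# port given, rdr keeps the destination port as-is. Extend the list per
# game; each new game is another entry here, not another rule.
game_ports = "{ 3074 }"
rdr on $wan_if proto { tcp, udp } from any to ($wan_if) port $game_ports \
    -> $xbox_lan
pass in quick on $wan_if proto { tcp, udp } from any to $xbox_lan \
    port $game_ports keep state
```

Only one of the two variants belongs in a configuration at a time; with both present the sledgehammer rdr makes the port-specific one redundant, and whichever is listed first is the one that takes effect.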
I keep my Xbox One and Xbox 360 on a DMZ using a separate internal network interface on my firewall from the rest of my home. So worst case, my Xbox gets hacked and it can only really see the other Xbox. There are no rules allowing those devices to talk with the rest of my network.