It’s done. My Xbox 360 is now working properly via NAT talking through the Trashwall and using WOW! service.
After getting my previously mentioned pf problem on Trashwall sorted out I tested out the Xbox 360 to see if the network test for Xbox Live would pass. Guess what? It didn’t, continuing to insist that my NAT type is strict.
A bit more research (and information which seems to come from this post at Russ’s Blog) indicates that the Xbox Live uses the following classifications for NAT:
Strict: Symmetric NAT.
Moderate: Cone shaped NAT with port filtering or with UPnP turned off.
Open: Cone shaped NAT with no port filtering or with UPnP turned on.
Cone and symmetric NAT descriptions are formalized in RFC3489, and a bit more digging brought up this general how-to for using OpenBSD’s pf, indicating that the static-port directive on a NAT rule (described here in the POOL OPTIONS section of the pf.conf(5) man page) makes OpenBSD do cone-shaped NAT.
So, overall, what did it take to fix it? Well, it was actually three things:
· I switched to Wide Open West for data service, which gave me three IPs.
· While the whole house was NATted through one of the IPs, the Xbox 360 alone has been bidirectionally NATted through another.
·The magic static-port option on the NAT line for the Xbox 360.
Without a second IP I wouldn’t have been able to forward all ports inbound, which without a UPnP daemon (which didn’t go well before) would have resulted only a NAT setting of Moderate.
All of this has been documented in the updated version of the article on the Trashwall, my home’s a firewall / NAT device / switch / whatever built out of an unwanted PowerMac G4.
(In case you didn’t notice, this photo does a good job illustrating the wire in a aperture grill, such as the one here on an Sony KD-34XBR970 CRT HDTV. If you’d like to see the original without the no sign, here’s the small version and here it is at full res.)
I’m having trouble with xbox live at the moment and was looking for an openbsd solution, so this info is really helpful. The problem that I have is that my wife and I each have a console and our new router doesn’t support us both being connected to live simultaneously, while our old cheap and nasty one did. Time for a new solution.
Instead of having a separate external IP address for your Xbox, do you think it would have been possible simply to put it in a DMZ?
Dave: Hey there… I’m actually not sure what to do about that, to be honest. Do you know what the difference between your old routers was? Maybe the new one does UPnP and the old one just did some manner of NAT which the 360 was able to traverse?
And yes, I could have put it in a DMZ, but that would cause problems with the other inbound port forwards I have, and my desire to have inbound connections default to the Trashwall, because it serves as somewhat of a networking playground at times. I didn’t want to have the default-ness of the DMZ get in the way.
I don’t get any blocked packets with the following PF rules:
rdr pass log on $ext_if inet proto udp from port { 3074, 10000:65535 } \
to ($ext_if:0) port 45000:65535 -> $xbox
All outbound is allowed.
The comms I have seen is the xbox does the auth, http stuff and then connects to xbox live from high ephemeral to 3074 UDP. Other xboxes then connect FROM 3074 to the port my xbox connected to live’s port 3074. Some hosts possibly misconfigured connect from arbitrary UDP to the same high port. I accommodate them because it really makes no difference to my security.
Example:
my xbox 57089 -> xbox live 3074
external xbox 3074 -> my xbox 57089
goofy xbox 16798 -> my xbox 57089
This is all you need for perfect operation, incoming kerberos or connections TO your xbox’ port 3074 never happen outside the initiated state.
I would suggest reading the Xbox 360 section on https://calomel.org/pf_config.html
All I needed to do was open the Xbox Live ports (http://support.xbox.com/en-US/xbox-live/connecting/network-ports-used-xbox-live) and static-port my Xbox on a separate NAT rule. This put everything in my house on symmetric NAT, and only my Xbox on cone-shaped NAT. The whole time using one IP.
If you have multiple Xbox’s, just make a rule for each. Not sure about the exact usage of the Xbox Live port forwarding, Cone-Nat should be enough for multiple Xbox’s to traverse NAT.