Last updated on January 6, 2009
(UPDATE: This issue has been worked around / resolved. Please see Xbox Live Open NAT Using pf on OpenBSD.)
I rather enjoy turn-based artillery games like Worms, Scorched Earth (and Scorch 2000 and Scorched 3D), and GORILLA.BAS, so when I found out that Worms for Xbox Live Arcade was available, I purchased it.
A few months ago, before Microsoft released NXE, or the New Xbox Experience, I had no problems playing Worms online when using my Trashwall set up with the Microsoft prescribed forwards of 88/udp, 3074/udp, and 3074/tcp. However, after NXE was released it seemed to stop working. The Xbox LIVE test would consistently tell me that I have “Strict” NAT settings and that some things won’t work. I was unable to host private or public games. Xbox LIVE supposedly works best with either a direct internet connection or a firewall which implements UPnP, so I set to implementing UPnP on my pf-based firewall.
In order to do so I compiled and set up miniupnpd per the directions, but I ran into a whole bunch of weirdness along the way. I eventually got it working, getting an occasional successful Xbox LIVE test (as seen above) which indicates “Open” NAT, and I was able to play a private game against
Below the cut I’ll document what I’ve been seeing.
First, I put a compiled miniupnpd on the firewall and set up pf.conf for it:
rdr-anchor "miniupnpd"
anchor miniupnpd
I then set up its config file, /etc/miniupnpd.conf:
# WAN network interface
ext_ifname=gem0
# LAN network interfaces IPs / networks
# there can be multiple listening ips for SSDP traffic.
# should be under the form nnn.nnn.nnn.nnn/nn
# HTTP is available on all interfaces
listening_ip=192.168.0.1/24
#listening_ip=
# port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.
port=0
# enable NAT-PMP support (default is no)
enable_natpmp=no
# enable UPNP support (default is yes)
enable_upnp=yes
# bitrates reported by daemon in bits per second
bitrate_up=1000000
bitrate_down=10000000
# "secure" mode : when enabled, UPnP clients are allowed to add mappings only
# to their own IP.
secure_mode=no
# report system uptime instead of daemon uptime
system_uptime=yes
# notify interval in seconds. default is 30 seconds.
notify_interval=60
# unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
#clean_ruleset_threshold=10
# clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600
# make filter rules in pf quick or not. default is yes
# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
quickrules=yes
# uuid : generate your own with "make genuuid"
uuid=767e113a-ba6c-11dd-908b-0002a5dae400
# serial and model number the daemon will report to clients
# in its XML description
serial=12345678
model_number=1
# UPnP permission rules
# (allow|deny) (external port range) ip/mask (internal port range)
# A port range is min-max, or a single port if there is only
# one port in the range.
# ip/mask format must be nn.nn.nn.nn/nn
# it is advised to only allow redirection of port above 1024
# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
allow 0-65535 192.168.0.0/24 0-65535
deny 0-65535 0.0.0.0/0 0-65535
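The permission section above does the opposite of what its own comments advise: with secure_mode=no any LAN host may request a mapping that points at any other LAN host, and the allow rule covers every port, privileged ones included. The fragment below is an added, tightened variant for this exact setup and is not the configuration from the post. It assumes the Xbox sits at 192.168.0.7 (the address in the post's logs), gem0 is the WAN interface, and that only the three Microsoft-listed ports are ever needed. Note that secure_mode=yes would also have stopped the XP VM and the work laptop from adding mappings on the Xbox's behalf, which matters if you test the way the post does.

```ini
# Added example: restricted miniupnpd.conf permission block for one Xbox 360.
# Assumes the console is 192.168.0.7 and the WAN interface is gem0.
ext_ifname=gem0
listening_ip=192.168.0.1/24

# A client may only request mappings that point back at its own address,
# so a compromised PC on the LAN cannot expose the firewall or another host.
secure_mode=yes

# (allow|deny) (external port range) ip/mask (internal port range)
# Only the Xbox LIVE ports, only to the console, external port == internal port.
# 88/udp is below 1024, against the general advice, but it is pinned to one host.
allow 3074-3074 192.168.0.7/32 3074-3074
allow 88-88 192.168.0.7/32 88-88
# Everything else is refused; keep this as the last rule.
deny 0-65535 0.0.0.0/0 0-65535
```

The permission rules carry no protocol field, so the 3074 entry covers both the UDP and the TCP mapping the console asks for. Any AddPortMapping request outside these rules is logged as refused in debug mode, which makes the daemon's log a useful audit trail for what devices on the LAN are actually trying to open.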
This seemed to work fine, as I could add, list, and remove rules using the MiniUPnP client for Windows from an XP VM. However, the first bit of weirdness I ran into was that I could not do so from my work laptop.
I next tried the Xbox 360, and this is where the weirdness began. On the first Xbox Live test I saw no output from miniupnpd (running in debug mode), and the Xbox simply told me that the test failed, and I’m using “Strict” NAT. It then suggested that I reboot the router or modem. Immediately hitting OK would cause the test to run, I would then see output from miniupnpd, a forwarding rule would be set up, and the holy grail of Xbox LIVE testing, the success screen shown above, would be displayed. This screen indicates that NAT is what is known as “Open”, or as permissible as possible, with UPnP working.
What’s even stranger is that running the test again, it would fail. After this second test I was offered the previous suggestion, which was to reboot the router or modem. Again choosing the option to indicate that I did this resulted in a successful test. However, this time the output from miniupnpd indicated that the rule already existed so it wasn’t added.
At this point I decided to fire up Worms and see if inviting
Here’s some info as things went along showing it being weird:
Starting out, showing nothing in the miniupnpd anchors:
trashwall# pfctl -a miniupnpd -s nat
trashwall# pfctl -a miniupnpd -s rules
trashwall#
From the XP VM I can see that the IGD (Internet Gateway Device) is present and contains no forwards:
C:\Documents and Settings\c0nsumer\Desktop\miniupnpd>upnpc-shared.exe -l
upnpc : miniupnpc library test client. (c) 2006-2008 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://192.168.0.1:30239/rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.0.1:30239/ctl/IPConn
Local LAN ip address : 192.168.0.25
Connection Type : IP_Routed
Status : Connected, uptime=542063, LastConnectionError : ERROR_NONE
MaxBitRateDown : 10000000 bps MaxBitRateUp 1000000 bps
ExternalIPAddress = 69.244.128.183
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
C:\Documents and Settings\c0nsumer\Desktop\miniupnpd>
I would now turn on the 360, test the connection, and watch it fail saying that the NAT type is “Strict”, all without seeing any output from miniupnpd. As described above, saying that I’ve rebooted my router or modem would then produce the following output from miniupnpd:
miniupnpd[11100]: HTTP connection from 192.168.0.7:47933
miniupnpd[11100]: HTTP REQUEST : GET /rootDesc.xml (HTTP/1.1)
miniupnpd[11100]: HTTP connection from 192.168.0.7:8577
miniupnpd[11100]: HTTP REQUEST : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[11100]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetStatusInfo
miniupnpd[11100]: HTTP connection from 192.168.0.7:52543
miniupnpd[11100]: HTTP REQUEST : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[11100]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
miniupnpd[11100]: AddPortMapping: ext port 3074 to 192.168.0.7:3074 protocol UDP for: Xbox (192.168.0.7:3074) 3074 UDP
miniupnpd[11100]: UPnP permission rule 0 matched : port mapping accepted
miniupnpd[11100]: redirecting port 3074 to 192.168.0.7:3074 protocol UDP for: Xbox (192.168.0.7:3074) 3074 UDP
Look at that. XP can now see that there’s a port forward:
C:\Documents and Settings\c0nsumer\Desktop\miniupnpd>upnpc-shared.exe -l
upnpc : miniupnpc library test client. (c) 2006-2008 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://192.168.0.1:30239/rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.0.1:30239/ctl/IPConn
Local LAN ip address : 192.168.0.25
Connection Type : IP_Routed
Status : Connected, uptime=542527, LastConnectionError : ERROR_NONE
MaxBitRateDown : 10000000 bps MaxBitRateUp 1000000 bps
ExternalIPAddress = 69.244.128.183
0 UDP 3074->192.168.0.7:3074 'Xbox (192.168.0.7:3074) 3074 UDP' ''
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
C:\Documents and Settings\c0nsumer\Desktop\miniupnpd>
pf can also see that it has both the redirect and filter rules:
trashwall# pfctl -a miniupnpd -s nat
rdr on gem0 inet proto udp from any to any port = 3074 label "Xbox (192.168.0.7:3074) 3074 UDP" -> 192.168.0.7 port 3074
trashwall# pfctl -a miniupnpd -s rules
pass in quick on gem0 inet proto udp from any to any port = 3074 flags S/SA keep state label "Xbox (192.168.0.7:3074) 3074 UDP"
trashwall#
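The debug log and the pfctl output above together show everything needed to audit what UPnP is doing on the firewall: the "HTTP connection from" line names the LAN host that issued the SOAP call, the "AddPortMapping" line names the target, and the rdr rule in the anchor is what pf actually installed. The script below is an added example, not code from the post or from the miniupnpd project. It parses those two log-line shapes, pairs each mapping request with its requester, applies the checks the config can enforce (secure_mode's requester-equals-target rule, the "ports above 1024" advice, and an allow list of hosts), and renders the rdr rule in the same form `pfctl -a miniupnpd -s nat` prints it so a log entry can be compared against the live anchor. The sample log is constructed for the example; the second request in it, a PC asking to map port 22 to the firewall itself, does not appear in the post.

```python
"""Audit miniupnpd debug-log lines for AddPortMapping requests.

Added example (not the post's or miniupnpd's code).  Log-line formats follow
the miniupnpd debug output shown in the post; the sample log is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

CONN_RE = re.compile(
    r"miniupnpd\[(\d+)\]: HTTP connection from (\d+\.\d+\.\d+\.\d+):\d+")
MAP_RE = re.compile(
    r"miniupnpd\[(\d+)\]: AddPortMapping: ext port (\d+) to "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) protocol (TCP|UDP) for: (.*)$")

# Constructed sample: the Xbox request from the post, then a hypothetical PC
# (192.168.0.25) asking to expose ssh on the firewall (192.168.0.1).
SAMPLE_LOG = """\
miniupnpd[11100]: HTTP connection from 192.168.0.7:47933
miniupnpd[11100]: HTTP REQUEST : GET /rootDesc.xml (HTTP/1.1)
miniupnpd[11100]: HTTP connection from 192.168.0.7:52543
miniupnpd[11100]: HTTP REQUEST : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[11100]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
miniupnpd[11100]: AddPortMapping: ext port 3074 to 192.168.0.7:3074 protocol UDP for: Xbox (192.168.0.7:3074) 3074 UDP
miniupnpd[11100]: HTTP connection from 192.168.0.25:1031
miniupnpd[11100]: HTTP REQUEST : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[11100]: AddPortMapping: ext port 22 to 192.168.0.1:22 protocol TCP for: libminiupnpc
"""


@dataclass
class Mapping:
    requester: Optional[str]  # LAN IP that opened the SOAP connection
    ext_port: int
    int_ip: str
    int_port: int
    proto: str
    desc: str


@dataclass
class Finding:
    mapping: Mapping
    reasons: List[str]  # empty list means the request looks acceptable


def parse_log(text: str) -> List[Mapping]:
    """Pair each AddPortMapping line with the most recent HTTP connection
    opened to the same daemon pid; that connection carried the SOAP call."""
    last_conn: Dict[str, str] = {}
    mappings: List[Mapping] = []
    for line in text.splitlines():
        m = CONN_RE.search(line)
        if m:
            last_conn[m.group(1)] = m.group(2)
            continue
        m = MAP_RE.search(line)
        if m:
            pid, ext, ip, iport, proto, desc = m.groups()
            mappings.append(Mapping(last_conn.get(pid), int(ext), ip,
                                    int(iport), proto, desc.strip()))
    return mappings


def audit(mappings: List[Mapping], secure_mode: bool = True,
          min_ext_port: int = 1025,
          allowed_hosts: Optional[Set[str]] = None) -> List[Finding]:
    """Apply the policy miniupnpd's config can express to each request."""
    findings = []
    for mp in mappings:
        reasons = []
        if secure_mode and mp.requester != mp.int_ip:
            reasons.append(f"requester {mp.requester} asked to map to "
                           f"{mp.int_ip}; secure_mode=yes would refuse it")
        if mp.ext_port < min_ext_port:
            reasons.append(f"external port {mp.ext_port} is below {min_ext_port}")
        if allowed_hosts is not None and mp.int_ip not in allowed_hosts:
            reasons.append(f"internal host {mp.int_ip} is not in the allow list")
        findings.append(Finding(mp, reasons))
    return findings


def pf_rdr_rule(mp: Mapping, ext_if: str) -> str:
    """Render the rdr rule miniupnpd adds to its anchor, in the form
    `pfctl -a miniupnpd -s nat` prints it, for comparison with the live set."""
    return (f"rdr on {ext_if} inet proto {mp.proto.lower()} from any to any "
            f"port = {mp.ext_port} label \"{mp.desc}\" "
            f"-> {mp.int_ip} port {mp.int_port}")


if __name__ == "__main__":
    for f in audit(parse_log(SAMPLE_LOG), allowed_hosts={"192.168.0.7"}):
        status = "ok" if not f.reasons else "FLAG"
        print(status, pf_rdr_rule(f.mapping, "gem0"))
        for r in f.reasons:
            print("   ", r)
```

Run it against `miniupnpd -d` output piped to a file and diff the rendered rdr rules against `pfctl -a miniupnpd -s nat`; a rule present in pf with no matching accepted request in the log, or the reverse, is worth a look.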
However, if I try the test again, it fails. Selecting the option to see the previous suggestion (rebooting the router or modem) and confirming that I did again causes the test to pass, with the Xbox 360 attempting to recreate the rule. As it already exists, it isn’t created. The test will again pass:
miniupnpd[11100]: HTTP connection from 192.168.0.7:64273
miniupnpd[11100]: HTTP REQUEST : GET /rootDesc.xml (HTTP/1.1)
miniupnpd[11100]: HTTP connection from 192.168.0.7:47982
miniupnpd[11100]: HTTP REQUEST : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[11100]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetStatusInfo
miniupnpd[11100]: HTTP connection from 192.168.0.7:23290
miniupnpd[11100]: HTTP REQUEST : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[11100]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
miniupnpd[11100]: AddPortMapping: ext port 3074 to 192.168.0.7:3074 protocol UDP for: Xbox (192.168.0.7:3074) 3074 UDP
miniupnpd[11100]: UPnP permission rule 0 matched : port mapping accepted
miniupnpd[11100]: ignoring redirect request as it matches existing redirect
Just to confirm, here are the original manual rules I was using prior to NXE when I was able to use Worms and play against others online:
rdr pass on $ext_if proto { udp } to port 88 -> $xbox360
rdr pass on $ext_if proto { tcp, udp } to port 3074 -> $xbox360
pass in on $ext_if inet proto { tcp, udp } from any to ($ext_if) port 3074 keep state
pass in on $ext_if inet proto { udp } from any to ($ext_if) port 88 keep state