I’m always up for playing with new toys, and this time I built a firewall using pfSense. I wanted to play with OpenVPN, and my NetGear R7000 Nighthawk (running Asus xWRT) capped out at 5Mbps. So I migrated to pfSense.
However, once I did, my XBox One decided it did not like this and detected a STRICT NAT, which results in limitations with online gaming.
In this article I’ll show you how I fixed this with pfSense so NAT now shows as OPEN (keep in mind that I’m NOT an expert).
Note: This may apply to PlayStation 3, PlayStation 4, XBox 360 and other consoles as well.
What is pfSense?
Well, if you are unfamiliar with pfSense, then this article may not be for you … unless you want to go build your own firewall as well, of course.
OPNSense is a great pfSense alternative!
OPNSense is just as good (IMO) as pfSense – after years of using pfSense, OPNSense has now become my favorite.
Both are great firewalls, and in my case I initially only switched to OPNSense because of its WireGuard support (by the time you read this, pfSense will probably support WireGuard just as well, I think).
In short: everything described here works just as well with OPNSense (they do share a history).
pfSense is one of the most used open source firewalls, and it runs on its own dedicated hardware. Having played with it, and using it right now: it’s awesome!
The common “at home” setup for pfSense is shown below; I even included the XBox One, which initially showed STRICT NAT … (drawn with Draw.io)
In this diagram you’ll see the pfSense firewall as a separate box, which is indeed the case in my setup. I’ve used a small computer for this.
The ISP modem is set to bridge mode, so it’s basically a dumb device translating the signals from the ISP (cable, fiber, ISDN, etc.) to network signals. So no DHCP, no firewall, etc. – pfSense handles it all.
pfSense – Network Diagram
Off the bat, pfSense is configured pretty well. Just one problem I ran into … my XBox One was very limited when it comes to online gaming due to a STRICT NAT. This implies that you can join a multiplayer game and that you can chat … but you cannot host a multiplayer game. Not to mention all kinds of unexpected errors making life miserable.
pfSense – How to fix STRICT NAT
There are several ways to fix the STRICT NAT situation.
Placing the XBox One in a DMZ (DeMilitarized Zone) means that your XBox will be exposed to the Internet without any protection – which actually may be fine. I used a small computer with four Ethernet (network) ports. One port is used for WAN (Internet) and one for LAN (my devices). I could use one of the remaining ports specifically for DMZ purposes. If you’re interested in this approach then consider reading this article: How to create a DMZ with pfSense 2.4.2.
Personally I try to avoid using the DMZ approach if I can. Just feels like I’m opening more than I should to make things work. But … it most certainly is an option.
My preferred method is by setting the appropriate rules and only allow and open what is really needed – there is no need to leave the door wide open.
pfSense – OPEN NAT for your XBox One
The following method should work for the XBox One to get rid of STRICT NAT and end up with an OPEN NAT, and can be applied for multiple XBox One devices.
Unfortunately, I do not have other consoles like the PlayStation 4 or the Nintendo Switch (nasty thing with money – you can spend it only once).
From what I have seen, this most likely works with other consoles as well. Your mileage may vary.
Not a Firewall Expert
Just a warning: I’m most certainly not a firewall or pfSense expert.
Everything presented here is from what I have read and tested on my own setup.
Suggestions, and improvements are most welcome.
Step 1: Give your XBox One a fixed IP address in pfSense
We are going to be adding some rules to the pfSense firewall. To make sure these rules apply to the right devices, we must have a known IP address for our XBox One device(s).
This can be done in two ways: either you assign a static IP address on your XBox One itself, or you reserve the IP address for your XBox One in the DHCP server of your pfSense setup.
Since I use DHCP for my network, I decided to use the most obvious: tell my DHCP to use a fixed IP address for my XBox One. You can apply this to all your XBox One devices in case you have multiple.
Determine an IP Address for your XBox One
Note: I assume that your LAN connection is called “LAN” in your pfSense environment.
In pfSense go to Services > DHCP Server > LAN.
Go to the “General Options” and take note of the range used by your DHCP server – we will need this to pick an IP address.
pfSense – IP range used by your DHCP
You will have to determine what the fixed IP address of your XBox One should be.
Make sure you pick an IP address that does not fall in the range used by your DHCP!
The example DHCP uses the range 192.168.2.10 – 192.168.2.150.
So for our XBox we should pick an IP address that is either lower than 192.168.2.10 or greater than 192.168.2.150, and not yet in use by another device.
In my example I picked 192.168.2.239.
Note: If you have more than one XBox One, pick a unique IP address for those as well.
Note: If the range prevents you from picking one outside of the range, then please change your DHCP range to make some room.
Define a fixed IP Address for your XBox One
Next, scroll all the way to the bottom (under “DHCP Static Mappings for this Interface”) and click the “Add” button. A new page will load.
Here we will need the MAC address of your XBox One – you can find this in the network details of your XBox One, or in the DHCP leases of pfSense (menu: Status > DHCP Leases).
Fill in the form as shown below, and make sure you pick the IP address you selected for your XBox One.
- The MAC address of your XBox One,
- A name or Client identifier for your XBox One (avoid using single or double quotes!!),
- The IP address you picked for your XBox One (192.168.2.239 in my example),
- A Hostname for your XBox One (this can be anything, just do not use special characters or spaces, and keep it short),
- Optional: description so you can recognize the device in pfSense lists and log. For example “XBox One X Livingroom”.
- Click the “Save” button.
pfSense – Define Fixed IP Address for your XBox One
After clicking the “Save” button you will get a message stating that the static mapping has changed. Click the “Apply Changes” button.
pfSense – Apply Changes
Repeat these steps for additional consoles.
Step 2: Enable UPnP & NAT-PMP in pfSense
The next step is to enable UPnP in your pfSense setup. To do this, go to: Services > UPnP & NAT-PMP.
In the image below, we applied the following settings:
- Check “Enable UPnP & NAT-PMP“,
- Check “Allow UPnP Port Mapping“,
- Check “Allow NAT-PMP Port Mapping“,
- Select your WAN at the “External Interface“,
- Select your LAN at the “Interfaces” list,
- Check “Deny access to UPnP & NAT-PMP by default”,
- At “ACL Entries” we will need to add an entry for each of your XBox devices in the following format, where a.b.c.d should be replaced with the IP address we just set for our XBox One:
allow 53-65535 a.b.c.d/32 53-65535
So in my example this is:
allow 53-65535 192.168.2.239/32 53-65535
This means: for the specific IP address 192.168.2.239 (the /32 mask covers just that one host), UPnP may be used for the external ports “53-65535” and the internal ports “53-65535”.
- Click the “Add” button,
- Click “Save” when done.
Note: repeat the last two steps (the ACL entry and the “Add” button) for each additional XBox One you have.
pfSense – Enable UPnP for your XBox One
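As an added example (not from the article), here is a small Python check that ties Step 1 and Step 2 together: it verifies that each console’s fixed address lies inside the LAN but outside the DHCP pool from the article (192.168.2.10 – 192.168.2.150) and is not assigned twice, then emits the UPnP ACL line in the format shown above. The LAN subnet 192.168.2.0/24 is an assumption; the article only shows the DHCP pool.

```python
import ipaddress

# DHCP pool from the article; the LAN subnet is an assumption (the article
# only shows the pool, not the interface mask).
LAN_SUBNET = ipaddress.ip_network("192.168.2.0/24")
DHCP_POOL = (ipaddress.ip_address("192.168.2.10"),
             ipaddress.ip_address("192.168.2.150"))
# Port range the article uses in its UPnP ACL entry.
ACL_PORTS = "53-65535"


def check_console_ip(ip_str, lan=LAN_SUBNET, pool=DHCP_POOL):
    """Return a list of problems with a proposed fixed console IP (empty = OK)."""
    problems = []
    ip = ipaddress.ip_address(ip_str)
    if ip not in lan:
        return [f"{ip} is not inside the LAN subnet {lan}"]
    if ip in (lan.network_address, lan.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    if pool[0] <= ip <= pool[1]:
        problems.append(f"{ip} falls inside the DHCP pool {pool[0]}-{pool[1]}")
    return problems


def upnp_acl_entries(console_ips, lan=LAN_SUBNET, pool=DHCP_POOL):
    """Validate every console IP and build one 'allow' ACL line per console.

    Raises ValueError on a bad or duplicated address, so a typo never turns
    into an ACL entry for the wrong host."""
    seen = set()
    lines = []
    for ip_str in console_ips:
        ip = ipaddress.ip_address(ip_str)
        problems = check_console_ip(ip_str, lan, pool)
        if ip in seen:
            problems.append(f"{ip} is assigned to more than one console")
        if problems:
            raise ValueError("; ".join(problems))
        seen.add(ip)
        # Format from the article: allow <ext ports> <internal host>/32 <int ports>
        lines.append(f"allow {ACL_PORTS} {ip}/32 {ACL_PORTS}")
    return lines


if __name__ == "__main__":
    # 192.168.2.239 is the article's example; .240 is a constructed second console.
    print("\n".join(upnp_acl_entries(["192.168.2.239", "192.168.2.240"])))
```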
Step 3: Configure Outbound NAT for pfSense
We’re almost done, we just need to modify our NAT settings a little bit.
In pfSense go to Firewall > NAT > Outbound. Don’t forget to click “Outbound”!
First we need to set our outbound NAT mode to Hybrid:
pfSense – Set NAT to Hybrid
We additionally need to add a so-called mapping rule: under “Mappings”, click the “Add” button that points up.
Note: Make sure you did NOT check “Disable this rule”.
- Select WAN at the “Interface” field,
- Set “Protocol” to “any”,
- Set “Source” to “Network”, enter the IP address of your XBox One, and set the following field to “/32”,
- Set “Destination” to “any” and leave the other fields as they are,
- Set “Address” to “Interface Address“,
- Check “Static Port” (so the pfSense NAT will not use a different port number),
- Enter some kind of description (so you can find it again later, and recall why you’ve added this rule),
- and finally click the “Save” button.
Note: For additional XBox One devices, rinse and repeat these 8 steps for each console you’d like to add.
pfSense – Outbound NAT rule for XBox One
Step 4: Reboot your devices
Now this may or may not be required, but I did it anyway.
- Shut down your XBox One completely: after doing a console shutdown, remove the power cord.
- Reboot your pfSense firewall – this may not be required.
- After the reboot, verify your XBox One network details – you should have an OPEN NAT now, and STRICT NAT should be an issue of the past.
Tip: Alternative to rebooting …
A great tip from Charles (below) as an alternative to rebooting your Firewall:
You can just flush the active connections: Diagnostics > States > Reset States.
I did get another tip on this, related to UPnP: you can restart the UPnP service.
Personally, I’m a little paranoid when it comes to things like that and choose to reboot – it takes only a few seconds on my setup.
A few links that provide useful information related to this topic:
- pfSense Homepage
Truly an awesome firewall, for home or office use.
The Community Edition (free) is the best choice for home use.
For office/professional use, I’d recommend looking into the commercial version.
- Netgate pfSense Documentation
Specific XBox STRICT NAT reference in the documentation related to UPnP and the XBox.
- Microsoft NAT issues documentation
The support page of Microsoft related to STRICT NAT issues on the XBox One.
- ceoS3C – Make a DMZ on pfSense
Alternative approach by creating a DMZ on your pfSense firewall.