Microsoft XBox and NAT

Microsoft's current generation games console, the XBox One, is known to often have trouble operating through a NAT router. This problem is not exclusive to FireBrick or even to NAT; it may also occur if the XBox is on a real IP address but inbound firewalling is enabled.


The definitive list

Microsoft publishes a list of ports that are needed, inbound, to the IP address the XBox is using: https://support.microsoft.com/en-gb/help/4026770/xbox-open-these-network-ports-for-xbox-one

The important bit is:

  • Port 88 (UDP)
  • Port 3074 (UDP and TCP)
  • Port 53 (UDP and TCP)
  • Port 80 (TCP)
  • Port 500 (UDP)
  • Port 3544 (UDP)
  • Port 4500 (UDP)

Creating a filter ruleset and some rules within it

First create a ruleset to contain the rules that do the remapping. You need to know a few pieces of information before you proceed.

  • Firstly you need to know what IP address your FireBrick has on its external side.
  • And secondly you need to know what IP address your XBox has on the internal network.

The ruleset matches anything addressed to the external IP address, and then the individual rules more specifically match the different traffic types and ports, and actually do the mapping.

Mapping access to the FireBrick itself

Be careful not to lock yourself out of the FireBrick if you are accessing it remotely over a port which you're about to portmap, e.g. port 80 or 443. You can have the FireBrick's web interface listen on a different IP address, so check that you have that working before you forward the port and lock yourself out of the FireBrick.

The ruleset will look something like this:

[Screenshot: ruleset definition]

And then within that ruleset you need to create rules that handle TCP and UDP:

[Screenshot: TCP and UDP rules list]

Then within each of these you need to set the ports, traffic type, and the address to rewrite to:

[Screenshot: TCP rules]

and

[Screenshot: UDP rules (portmapUDP.jpg)]

Going Further - specific requirements

WISP - not enough real addresses?

If you are running this in an ISP context (for example a WISP), each customer may not necessarily have their own 'real' external IPv4 address. This creates a problem if two of your downstream customers both have XBoxes. Provided you have enough address space to allocate each customer with an XBox their own external address for that purpose, this is simply done by adding an extra local address (within the routing section), and then setting up the mappings on a per-customer basis.
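
The lock-out caution earlier on this page and the WISP case above come down to the same check: no two port maps, and no service on the FireBrick itself, may claim the same external address, protocol and port. The following is an added example, not FireBrick code or configuration; the function name, customer names and addresses (documentation ranges) are constructed for illustration, and the list of router services is an assumed input.

```python
from collections import defaultdict

# Inbound ports from the Microsoft list quoted on this page.
XBOX_PORTS = [("udp", 88), ("udp", 3074), ("tcp", 3074), ("udp", 53),
              ("tcp", 53), ("tcp", 80), ("udp", 500), ("udp", 3544),
              ("udp", 4500)]

def audit_portmaps(consoles, router_services):
    """Return findings for a planned set of XBox port maps.

    consoles: {customer: (external_ip, xbox_internal_ip)}
    router_services: {(ip, proto, port)} the router itself answers on,
                     e.g. its web interface (assumed input, not read
                     from any device).
    """
    owners = defaultdict(list)
    for customer, (external_ip, _xbox_ip) in consoles.items():
        for proto, port in XBOX_PORTS:
            owners[(external_ip, proto, port)].append(customer)

    findings = []
    for key, customers in owners.items():
        if key in router_services:
            # Forwarding this port would take it away from the router.
            findings.append(("shadows-router-service", key, tuple(customers)))
        if len(customers) > 1:
            # Two consoles cannot both receive the same address/port.
            findings.append(("shared-external-address", key, tuple(customers)))
    return findings

# Constructed sample plan (documentation address ranges).
PLAN = {
    "cust-a": ("192.0.2.10", "10.0.0.20"),
    "cust-b": ("192.0.2.10", "10.0.1.20"),   # shares cust-a's address
    "cust-c": ("192.0.2.11", "10.0.2.20"),
}
ROUTER_SERVICES = {("192.0.2.10", "tcp", 80), ("192.0.2.10", "tcp", 443)}

if __name__ == "__main__":
    for kind, (ip, proto, port), customers in audit_portmaps(PLAN, ROUTER_SERVICES):
        print(f"{kind}: {ip} {proto}/{port} <- {', '.join(customers)}")
```

An empty result means every console has its own external address and no port map takes a port away from the router's own services.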

Static DHCP for the XBox

DHCP may mean that if an XBox isn't used for a long period of time, it gets allocated a different address from the one the port maps are configured against. You can protect against this by simply setting up a specific DHCP rule matching the XBox's MAC address.
