
Port Forwarding Xbox Live Services to Xbox One Results in 'Strict NAT'.

Happy New Year everyone.

I have 2 Business Rules set up on my brand new Sophos XG firewall (Firmware 15.01.0):

 

However, when I do various tests on my Xbox One, it always shows as "NAT Type: Strict".

The UDP Ports are 88, 500, 3074, 3544 and 4500.  TCP Ports are 88 and 3074.

I really wish Sophos would add uPNP support for situations like this. Yes, I'm fully aware of the security implications of uPNP, but for home users (especially with multiple Xboxes like me), setting up Port Forwarding isn't a fun thing to do.

Am I missing something here?

  • Thanks for those that have replied. However, please know that I have used Sophos (formerly Astaro) on and off for the past 13+ years. I asked a question on the original Astaro Community 13 years ago about adding uPNP support. Yes, what I'm asking about is a feature for home use only, and would never be used in the Enterprise or for business use. I'm well aware of that fact. I don't really want to use another firewall product, as I love the Sophos UI and features offered for other security features that wouldn't be used for online gaming with consoles (Xbox or even Sony).

    That being said, implementing a single NAT rule for outbound connectivity isn't what I'm asking for. Connecting to Xbox Live Services is certainly outbound, and the default policy is sufficient for 1 or more consoles. The problem is with Multiplayer and Xbox Live Party (XBL) services. If you never plan on hosting an XBL party (for chat and multiplayer gaming), then nothing further must be done. However, I game a lot and host a lot of XBL parties and multiplayer games. If the NAT Connection is "Strict", which mine is currently, then I can't host XBL Multiplayer game sessions. Plus, certain games require non-XBL ports to be forwarded (Destiny and Call of Duty games are at the top of the list currently). This is why a DNAT rule is needed.

    Here is the complete Firewall Policy I have configured:

  • Correct. uPNP is REQUIRED for multiple Consoles (regardless if Xbox or PlayStation) to support multiplayer gaming and game chat.
  • Yes, XG is a commercial system, and Sophos grants Home Users rights to use it in a limited capacity. I would also entertain and even look at a proper Home Subscription model that would add more "home" features, like adding uPNP as a feature for "home use only".
  • I am sorry, but I don't understand what you're saying here. I have 3 Xboxes here behind XG and I don't have any port forwarding rules created, and they work fine, even 'Call of Duty'. The only thing I did was create a policy for gaming, disable HTTP & HTTPS scanning and turn off the 'web filter', and everything seems to be working fine.
  • Go to your Xbox One, All Settings, select Network then Network Settings. What is the NAT Type on your console? If you aren't doing any Port Forwarding, it will be 'Strict', which both of my consoles report. Which means you will have connectivity problems to Multiplayer (especially if YOU are hosting a match, i.e. you are the leader of the Xbox Live Party) and even with XBL Chat with a party. This is a fact on how connectivity works, especially with multiple consoles on the same network, sharing the same Internet Connection.
  • Chris, Your request is absolute opposite to XG goals. I don't think they will ever add UPNP to XG.

    You can do something different. Buy a router which you will be able to reflash to OpenWRT, or which is advanced enough to support static routing. Connect the router to the ISP and put the Xboxes on that network. Then connect XG to the network but don't use NAT, just static routing. You will end up with two network segments: one for gaming and a second, secure one where you can put your more valuable resources. This will be a little bit more expensive, but I think it is a reasonable trade-off.
  • I agree with everything you say. There is no way Sophos would ever add UPnP, and for good reason. Just hang one router off a DMZ of the other router and call it a day. This is what I do with FiOS and it works great; however, I don't do any VPN, and I have heard 'double NAT' can cause problems with 'double NAT', but not for all.
  • Sorry, but DD-WRT is not maintained very well, and I have had challenges with it in my vast experience with firewalls of all sizes (Cisco PIX/ASA, Netscreen, Astaro, WatchGuard, Checkpoint, DD-/Open-WRT, IPCop, etc.). I also disagree with your assertion that some security vendor should never do something people obviously want. The request for uPNP support on Sophos' UserVoice site has quite a large number of up votes. And no average home user will ever want to buy multiple firewall/UTM devices. That isn't practical, let alone realistic.

    It is sad to see the negativity around this feature. Heck, pfSense (which is what I have replaced Sophos XG with, BTW) supports uPNP, and is aimed at Commercial AND Home use. Plus, it has two nifty security features for those of you saying uPNP should never be implemented: 'By default deny access to UPnP & NAT-PMP' and 'User specified permissions'.

    So yes, I have moved on from Sophos. I would have really liked to use the product, and would even pay for a home user license that had home user specific features.
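The two points argued across this thread (why one static DNAT rule per port cannot serve several consoles, and how the pfSense-style deny-by-default UPnP allow-list contains the risk) can be modelled in a few lines. This is an added example, not code from the thread, Sophos or pfSense; the LAN addresses are constructed sample values.

```python
# Added example: static DNAT versus a deny-by-default, per-host dynamic mapper.
# Ports are the Xbox Live ports listed in the original post; hosts are constructed.

XBL_UDP = (88, 500, 3074, 3544, 4500)
XBL_TCP = (88, 3074)
XBL_PORTS = [("udp", p) for p in XBL_UDP] + [("tcp", p) for p in XBL_TCP]


class PortForwardTable:
    """Static DNAT: one (proto, WAN port) can point at exactly one LAN host."""

    def __init__(self):
        self.rules = {}  # (proto, wan_port) -> (lan_ip, lan_port)

    def add_static(self, proto, wan_port, lan_ip, lan_port=None):
        key, target = (proto, wan_port), (lan_ip, lan_port or wan_port)
        if key in self.rules and self.rules[key] != target:
            raise ValueError(f"{proto}/{wan_port} already forwarded to {self.rules[key][0]}")
        self.rules[key] = target


def consoles_fully_forwarded(lan_ips):
    """Consoles that can have every XBL port forwarded to them: only the first one."""
    table, served = PortForwardTable(), []
    for ip in lan_ips:
        try:
            for proto, port in XBL_PORTS:
                table.add_static(proto, port, ip)
            served.append(ip)
        except ValueError:
            pass  # the WAN port already belongs to an earlier console
    return served


class DynamicMapper:
    """UPnP/NAT-PMP style mapper: unlisted hosts are refused (deny by default),
    listed hosts get their requested WAN port or, if taken, a fresh one."""

    def __init__(self, allowed_hosts, ephemeral_start=49152):
        self.allowed, self.table, self.next_port = set(allowed_hosts), PortForwardTable(), ephemeral_start

    def request(self, lan_ip, proto, lan_port):
        if lan_ip not in self.allowed:
            return None  # host not on the allow-list: nothing is opened
        if self.table.rules.get((proto, lan_port)) == (lan_ip, lan_port):
            return lan_port  # this host already holds that mapping
        wan_port = lan_port
        while (proto, wan_port) in self.table.rules:  # taken by another host
            wan_port, self.next_port = self.next_port, self.next_port + 1
        self.table.add_static(proto, wan_port, lan_ip, lan_port)
        return wan_port
```

With two consoles, the static table serves only the first; the mapper gives the second console its own WAN port and refuses a host that was never allow-listed.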
  • Chris, you should read the post carefully. I didn't mention DD-WRT, but OpenWRT, and it is maintained quite well. Of course you will always have some challenges, as you have with Sophos XG.

    And... there is no negative voice about the feature request, just cold reasoning. XG is not an open-source product like pfSense. It is a commercial product targeted at Businesses and Enterprises, and they really don't need UPNP. Sophos is not making any money from home XG users, so I don't think they will invest time in implementing and testing such a feature.

    I agree that there are some folks who would pay for such an advanced home router, but I doubt it would be a commercial success. A device powerful enough to support modern home use (100Mbps to 1Gbps Internet link) with fast WiFi costs about 2-3 times more than the most advanced home routers based on the ARM platform. So if you think that no home user will buy multiple firewall devices, why do you think he would buy one at 3x the price?
  • Well said. The only option to get the best of both worlds is a hybrid setup, aka dual routers: one for devices that need/want UPnP and one for security purposes. Gaming is not my top priority here; protecting my servers and sensitive data is, and there is no better protection for that than Sophos, in my humble opinion. Give me a nice Asus router for my other devices like gaming consoles and you get the best of both worlds.