Best Practices for Opening Ports for Multiple XBOXs on Network?

Hey Everyone,

I have given this several hours and have gotten one XBOX on our network to have an open NAT. I did this by creating a DNAT for each port needing to be opened that translated back to the XBOX. Below is a screenshot of one of the 10 port openings needed to get the XBOX to respond with "Open" when tested.

I have about 10 of these and they work! Great, right? Here's where my question comes in. Since about half of our campus is residential, this won't be the last time this comes up. We have a group of hosts called "Entertainment Consoles" that skip a lot of the security stuff so that Netflix can run smoothly, but is there a way to bulk define several ports to be open to hosts within a group? We have loved being able to address "laggy Netflix" requests with a simple "give us your MAC and we'll clear it up" solution. But having to open 10 ports for every person's XBOX could get messy. In all reality it wouldn't be that bad; I am just wondering if there is a cleaner way using service and host groups.

My other question is whether this will actually work once we have multiple XBOXs in there. Won't this send all of the traffic on those ports to the first XBOX in the list, so none of the other XBOXs would get any incoming traffic on these ports? Or am I crazy?

I have tried using a rule that replaces the incoming service port with a group of all of the XBOX Live service ports, then defining the host, and leaving the translation service port blank, but it didn't seem to work.

Thanks everyone!

  • If you are trying to NAT traffic inbound using DNAT, then you should only be able to port forward one port or range of ports to one device on the internal network unless you have multiple external addresses. For example:

    Port 80 -> Public IP 1.1.1.1 -> Port Forward 80 -> Private IP 10.10.10.10

    You can't port forward port 80 to 10.10.10.10, 10.10.10.11, 10.10.10.12, etc, unless you have more available public IP addresses (i.e. 1.1.1.2, 1.1.1.3, etc) that can be utilized.

    It wouldn't surprise me if these rules are being hit. To be sure, you may want to review the logs. Otherwise, you may have a bunch of useless rules in play.

    Likely, you just need to ensure you are bypassing the Web Protection module for XBoxs with a Network Group object (you may want to bypass the IPS for source traffic in this group as well).
  • Awesome, that clarifies that I was right in assuming that rule was affecting all traffic coming through on those ports and not just the XBOX's traffic.

    I have already made sure that the Xboxes on the network bypass... well... pretty much everything. Web filter, IPS, etc. But when there are no NAT rules the NAT on the Xbox still reports as Moderate. So I guess back to my original question, how can I make sure that the NAT is not shutting those ports down?

    Sorry if this should be simple, I am still learning about how all of the different parts of the UTM interact.
  • NAT isn't likely shutting those ports down, however, if something attempts to communicate on one of those ports (think my previous example) then your port forward rule will port forward it to the device you specified.

    Keep in mind what I originally posted. You can only port forward one port or a group of ports to one device only. You can't port forward all the xbox ports to all the xboxes unless you have a separate public IP address for each xbox.

    Also, the first rule that is matched is the first rule that is used so if traffic matching the first rule is seen, it will be processed by the first NAT rule and not be any subsequent rules.

    In case this is still confusing, please post examples of the other rules you have in place for your xboxes.
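As an added illustration of the two points made in the replies above (a given public IP, protocol and port can only be forwarded to one internal host, and the first matching DNAT rule wins, so a second rule for the same public port is never reached), here is a small Python model of a first-match DNAT table. This is not code from the thread or from the UTM itself; the public and private addresses, the rule names, the sample source address and the choice of UDP 3074 as the example port are assumptions for illustration.

```python
"""Added example (not from the forum thread): a first-match DNAT rule table.

Each rule says: packets arriving at this public IP, protocol and destination
port (inclusive range) are rewritten to this private host.  Addresses, ports
and rule names below are assumptions chosen for the illustration.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DnatRule:
    name: str
    public_ip: str
    proto: str              # "tcp" or "udp"
    ports: Tuple[int, int]  # inclusive destination port range
    target_ip: str          # private host the traffic is forwarded to

    def matches(self, dst_ip: str, proto: str, dport: int) -> bool:
        lo, hi = self.ports
        return self.public_ip == dst_ip and self.proto == proto and lo <= dport <= hi


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str
    dport: int


def apply_dnat(rules: List[DnatRule], pkt: Packet) -> Optional[Tuple[str, str]]:
    """Return (rule name, target host) of the FIRST rule that matches, or None.

    A later rule never sees a packet that an earlier rule already claimed,
    which is why two forwards of the same public port cannot both work."""
    for rule in rules:
        if rule.matches(pkt.dst_ip, pkt.proto, pkt.dport):
            return rule.name, rule.target_ip
    return None


def dead_rules(rules: List[DnatRule]) -> List[str]:
    """Names of rules that can never match because an earlier rule for the
    same public IP and protocol already covers their whole port range
    (the 'useless rules' the reply warns about)."""
    dead = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_front = earlier.public_ip == later.public_ip and earlier.proto == later.proto
            covered = earlier.ports[0] <= later.ports[0] and later.ports[1] <= earlier.ports[1]
            if same_front and covered:
                dead.append(later.name)
                break
    return dead


# Constructed scenario 1: two consoles behind ONE public IP, both given a
# forward of UDP 3074 (assumed example port; the thread does not list the set).
ONE_PUBLIC_IP = [
    DnatRule("xbox-A udp 3074", "203.0.113.10", "udp", (3074, 3074), "10.10.10.10"),
    DnatRule("xbox-B udp 3074", "203.0.113.10", "udp", (3074, 3074), "10.10.10.11"),
]

# Constructed scenario 2: same two consoles, but the second gets its own public IP.
TWO_PUBLIC_IPS = [
    DnatRule("xbox-A udp 3074", "203.0.113.10", "udp", (3074, 3074), "10.10.10.10"),
    DnatRule("xbox-B udp 3074", "203.0.113.11", "udp", (3074, 3074), "10.10.10.11"),
]


def where_does_it_go(rules: List[DnatRule], dst_ip: str) -> Optional[str]:
    """Which private host receives an inbound UDP/3074 packet sent to dst_ip.
    Source address is an assumed remote peer."""
    hit = apply_dnat(rules, Packet("198.51.100.7", dst_ip, "udp", 3074))
    return hit[1] if hit else None


if __name__ == "__main__":
    print("one public IP  -> ", where_does_it_go(ONE_PUBLIC_IP, "203.0.113.10"),
          "dead:", dead_rules(ONE_PUBLIC_IP))
    print("two public IPs -> ", where_does_it_go(TWO_PUBLIC_IPS, "203.0.113.11"),
          "dead:", dead_rules(TWO_PUBLIC_IPS))
```

With a single public IP every inbound packet to the shared port lands on the first console and the second console's rule is reported as dead; giving the second console its own public IP is the only arrangement in which both rules are reachable, which is the point both replies make. Running `dead_rules` over a real rule export is the quick check for the "bunch of useless rules" situation before reviewing the logs.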