XBox Live - NAT Type Strict

ChildOTK · Tue Feb 28, 2012 5:07 am

Good Day,

I have a Routerboard 600 and am trying to get my XBox NAT Type away from "Strict".

I have done some reading and tried different dst-nat rules and have not had success. Tried also enabling upnp but also had no success.

Does anybody have a good guide on how to get this working properly. The best I can get is using a simple masquerade rule for the network my XBox is currently on. It is connected wirelessly and is on a static IP address.

I am on the very latest version, just upgraded it tonight to 5.14.

Any help will be greaty appreciated.

Thank you!1

cbrown · Tue Feb 28, 2012 2:45 pm

Change the IP with the IP of your xbox and change the in interface to the interface of your WAN connection.

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address-type="" dst-port=3074 \
    in-interface=ether1 protocol=udp to-addresses=192.168.8.107
add action=dst-nat chain=dstnat disabled=no dst-port=3074 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.8.107
add action=dst-nat chain=dstnat disabled=no dst-port=88 in-interface=ether1 \
    protocol=udp to-addresses=192.168.8.107

brandonrossl · Tue Feb 28, 2012 3:27 pm

And note those rules will only let 1 xbox work properly. To get more than 1 going at a time, you must enable upnp.

ChildOTK · Tue Feb 28, 2012 6:53 pm

Thank you so much. I will try those and see what happens.

ChildOTK · Tue Feb 28, 2012 11:16 pm

Okay, so this didn't work for me...

I tried moving the rules up and down in order in Winbox, and noticed that the amount of packets and bytes that these rules processed was 0. So they were not doing anything.

My WAN interface is ether1, which is connected to the wall in my apartment. I stay on a school's campus and they provide the internet. So there is no DSL modem or anything that I use.

A friend of mine though, also stays in the same building and has a Cisco / Linksys router, and he got his setup to work with two XBoxes, so I know it's not the school's connection.

Any advice?

Engitech · Tue Feb 28, 2012 11:32 pm

Can you give me the Firewall filter rules that you use.

ChildOTK · Tue Feb 28, 2012 11:48 pm

Sure, this is what I have setup right now:

0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough to-addresses=0.0.0.0 

 1 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=tcp src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 2 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=udp src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 3   chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=0.0.0.0/0 

 4 X chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=0.0.0.0/0 

 5   chain=srcnat action=masquerade src-address=192.168.60.0/24 dst-address=0.0.0.0/0 

 6   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp dst-address-type="" in-interface=ether1 dst-port=3074 

 7   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=3074 

 8   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=80

192.168.60.0 is my wireless network, the XBox has a manually configured IP address of 192.168.60.15. Should this be DHCP with a reservation instead?

192.168.0.0 is my wired network on ether2, and 192.168.1.0 is my second wired network on ether3 which I am not using right now.

ether1 is plugged into the wall which I am getting a static IP based on a reservation from the campus servers of 10.10.51.55. Rule 1 and 2 is what I use to access my PC from my office as I work on campus as well.

Engitech · Wed Feb 29, 2012 12:04 am

that's the nat rules ... give me the filter rules.

ChildOTK · Wed Feb 29, 2012 12:07 am

Sorry, about that..

I do not have any filter rules setup..

Engitech · Wed Feb 29, 2012 12:22 am

the ports that sould be redirected:

Port 88 (UDP)

Port 3074 (UDP and TCP)

Port 53 (UDP and TCP)

Port 80 (TCP)

so you crrently have:

6 ;;; XBox Live
chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp dst-address-type="" in-interface=ether1 dst-port=3074

7 ;;; XBox Live
chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=3074

8 ;;; XBox Live
chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=80

you need:

8 is wrong -> you need tcp -> chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=80

7 is not enough you need too:
9: chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=3074 (erase the 6)

and you need too:

10: chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=88

11: chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=53

12: chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=53

test again with these

ChildOTK · Wed Feb 29, 2012 12:47 am

Thanks for your help...so now I have:

Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough to-addresses=0.0.0.0 

 1 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=tcp src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 2 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=udp src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 3   chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=0.0.0.0/0 

 4 X chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=0.0.0.0/0 

 5   chain=srcnat action=masquerade src-address=192.168.60.0/24 dst-address=0.0.0.0/0 

 6 X ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp dst-address-type="" in-interface=ether1 dst-port=3074 

 7   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=3074 

 8   chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=3074 

 9   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=80 

10   chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=88 

11   chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=53 

12   chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=53

I switched 8 and 9 around just to keep them together.

ChildOTK · Wed Feb 29, 2012 5:28 am

In testing on my XBox I still get strict NAT and only rule 9 shows movement.

chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=80

I moved the rules to the top and tried again, same result. I don't get it.

cbrown · Wed Feb 29, 2012 1:20 pm

Use the rules I originally gave you. They work, I use them everyday. Except this time don't mess up when you put them in. You used port 80 instead of 88 with my rules.

53 and 80 are DNS and HTTP traffic and will have no effect on your NAT type (they don't on mine anyway).

ChildOTK · Wed Feb 29, 2012 5:53 pm

Oh wow, I didn't pick that up! I'm sorry..I have redone the rules and will try again..thank you!

ChildOTK · Wed Feb 29, 2012 8:35 pm

Okay, so i've tried this now on my XBox and still have Strict NAT. Checking the NAT rules I still see no traffic on them. 0 bytes and 0 packets.

Am I missing something? With the previous rule set I had the same thing and only the rule for port 80 showed packets. But why not the rest?

ChildOTK · Wed Feb 29, 2012 8:37 pm

These are my latest NAT rules:

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp 
     dst-address-type="" in-interface=ether1 dst-port=3074 

 1   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp 
     in-interface=ether1 dst-port=3074 

 2   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp 
     in-interface=ether1 dst-port=88 

 3 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=tcp 
     src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 4 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=udp 
     src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 5   chain=srcnat action=masquerade src-address=192.168.0.0/24 
     dst-address=0.0.0.0/0 

 6   chain=srcnat action=masquerade src-address=192.168.60.0/24

Still nothing in my filter rules.

w0lt · Wed Feb 29, 2012 9:23 pm

Have you tried activating UPnP? It seems to work nicely on my RB751U for a customer.

ChildOTK · Wed Feb 29, 2012 9:25 pm

I did try before but I don't think I had any NAT rules with it. uPNP is currently off..

How should I go about enabling uPNP? Like would ether1 be my 'outside' interface and wlan1 my internal?

brandonrossl · Wed Feb 29, 2012 10:07 pm

I only had to set an external and it was good to go.

ChildOTK · Wed Feb 29, 2012 10:12 pm

Okay, thanks. I will set that up then and give it another try.

letabawireless · Tue Jul 02, 2013 10:00 am

Hi there.

The problem is, if you are a WISP, and you give a best effort type service, you can't give every client behind the system a public IP. So, how do we resolve that ? It looks to me that, for any of these games consoles, or even from a PC for that matter with Steam etc, you need to have a public IP, to get by this "strict" NAT issue.

Please assist if someone found a solution since the last post.

Wimpie

francisuk24 · Sat Apr 05, 2014 12:22 am

just to add, you need port 88 UDP

/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.1.2 protocol=udp in-interface=InternetWAN dst-port=88

Also see the network ports been used by Xbox Live on Xbox One and also for Xbox One S
http://support.xbox.com/en-GB/xbox-one/ ... -xbox-live

Call Of Duty network issues?
https://community.callofduty.com/t5/Cal ... -p/9269615

Nice post from Knomax over on the netduma forums has a hint to get it going
""So with Instant mode "on" XboxOne will not do port mapping.....Soooo will not change NAT.....shutdown it again ...and again...and again will not change anything unless you change it in "Energy saver" mode""
http://forum.netduma.com/topic/18942-in ... e-and-ps4/

saki8b · Tue Sep 12, 2017 12:10 pm

Thanks for your help...so now I have:

Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough to-addresses=0.0.0.0 

 1 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=tcp src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 2 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=udp src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 3   chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=0.0.0.0/0 

 4 X chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=0.0.0.0/0 

 5   chain=srcnat action=masquerade src-address=192.168.60.0/24 dst-address=0.0.0.0/0 

 6 X ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp dst-address-type="" in-interface=ether1 dst-port=3074 

 7   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=3074 

 8   chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=3074 

 9   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=80 

10   chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=88 

11   chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=53 

12   chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=53

I switched 8 and 9 around just to keep them together.

I have to add all of them ? and the addresses that mentioned 192.168.60.15 will I have to write the same address? or it will be my internal static router IP ?

sscholle · Mon Sep 03, 2018 12:32 am

Does not work for me.

NAT goes unavaliable seemingly all the time.

tried upnp, nat rules, nothing seems to work

Anumrak · Mon Sep 03, 2018 12:17 pm

What address you got from your ISP?