Hi Guys

I am trying to get my Xbox One NAT to be "OPEN" and having some grief in the process. I have done this previously on TP Link and Netgear routers, but hoping to get some assistance with my MikroTik.

The first issue I have, is the fact that my Xbox insists that "uPnP is not successful". But I have ticked the uPnP checkbox on the router and rebooted the router and the xbone, just to be sure. I suspect there is an issue with the INTERFACES, as i am not sure. What should these be configured to ? The current physical setup I have is as below :

• Fibre from the street comes into a fibre box

• CAT5 cable running from my fibre box into MikroTik ETHER1

• CAT5 cable running out of ETHER2 to my TV room

Normally, this goes to a TP-link W8960N that is being used as a switch for my various devices. But for the purpose of trying to get my Xbox NAT open, i removed that variable and connected the CAT5 from MikroTik directly to the XBOX.

How should the interfaces be configured to get uPnP working ? I want to try and get this sorted if possible. If it still doesn't work, then I will once again try Port Forwarding . On that front, I had setup a static IP on the console and then gone to IP/Firewall and done some port forwarding. But I suspect I did something wrong, as it did not work, hence my desire to first try and get uPnP working.

Ticking UPNP is not enough. I posted this earlier today which will help you, there is also a video;
https://www.steveocee.co.uk/mikrotik/upnp/

I found in my case that only enable / configure UPnP alone did not do it, had to add rule in firewall filter to have "Open NAT" on XBoxOne:

Is this solved? I myself got a headache with this, being a certified MK consultant with years of experience I was starting to doubt my abilities. What solved for me was a simple rule. The big problem with this thing is that Microsoft doesn't show on it's support page the correct ports to be redirected. All it needed was port 56102 UDP, and that can be customized on the Xbox itself by going to network advanced settings.

Here is the rule that I created on my RB and it's working. If your case isn't solved yet I hope this comes in a good way for you.

Hi Guys

I am trying to get my Xbox One NAT to be "OPEN" and having some grief in the process. I have done this previously on TP Link and Netgear routers, but hoping to get some assistance with my MikroTik.

The first issue I have, is the fact that my Xbox insists that "uPnP is not successful". But I have ticked the uPnP checkbox on the router and rebooted the router and the xbone, just to be sure. I suspect there is an issue with the INTERFACES, as i am not sure. What should these be configured to ? The current physical setup I have is as below :

• Fibre from the street comes into a fibre box

• CAT5 cable running from my fibre box into MikroTik ETHER1

• CAT5 cable running out of ETHER2 to my TV room

Normally, this goes to a TP-link W8960N that is being used as a switch for my various devices. But for the purpose of trying to get my Xbox NAT open, i removed that variable and connected the CAT5 from MikroTik directly to the XBOX.

How should the interfaces be configured to get uPnP working ? I want to try and get this sorted if possible. If it still doesn't work, then I will once again try Port Forwarding . On that front, I had setup a static IP on the console and then gone to IP/Firewall and done some port forwarding. But I suspect I did something wrong, as it did not work, hence my desire to first try and get uPnP working.

What IP address do you have in your router from ISP? Is it from
10.0.0.0 - 10.255.255.255
100.64.0.0 - 100.127.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255 range?

Good morning people.
I have an equal problem. I have an Xbox One on my network, and it is showing strict double Nat, I already applied UpNp rules on Mikrotik and the WiFi Router too, but to no avail. I applied rules on Mikrotik:


/ip firewall nat
add action=dst-nat chain=dstnat comment="XBOX" disabled=no dst-port=3074 protocol=udp to-ports=3074
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=3074 protocol=tcp to-ports=3074
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 protocol=udp to-ports=53
add action=dst-nat chain=dstnat comment="" disabled=no dst-port=53 protocol=tcp to-ports=53

/ip firewall filter
add action=accept chain=forward comment="XBOX LIVE" disabled=no dst-port=3074 protocol=tcp
add action=accept chain=forward comment="" disabled=no dst-port=3074 protocol=udp
add action=accept chain=forward comment="" disabled=no dst-port=53 protocol=udp
add action=accept chain=forward comment="" disabled=no dst-port=53 protocol=tcp
add action=accept chain=forward comment="" disabled=no dst-port=88 protocol=udp
add action=accept chain=forward comment="" disabled=no dst-port=88 protocol=tcp

/ip firewall mangle
add action=accept chain=forward comment="PORTAS XBOX" disabled=no dst-port=3074 protocol=tcp
add action=accept chain=forward comment="" disabled=no dst-port=3074 protocol=udp
add action=accept chain=forward comment="" disabled=no dst-port=53 protocol=udp
add action=accept chain=forward comment="" disabled=no dst-port=53 protocol=tcp

/ip upnp
set allow-disable-external-interface=no enabled=yes show-dummy-rule=yes
/ip upnp interfaces
add disabled=no interface=vivo type=external
add disabled=no interface=local type=internal
-----------------------------------------------------------------------------------------------------------------------
but I also could not get NAT Open.
I use balance with two links, and I use pppoe as a service. What could be happening? Thanks in advance.

Is this solved? I myself got a headache with this, being a certified MK consultant with years of experience I was starting to doubt my abilities. What solved for me was a simple rule. The big problem with this thing is that Microsoft doesn't show on it's support page the correct ports to be redirected. All it needed was port 56102 UDP, and that can be customized on the Xbox itself by going to network advanced settings.

Here is the rule that I created on my RB and it's working. If your case isn't solved yet I hope this comes in a good way for you.

Code: Select all

/ip firewall nat
      chain=dstnat action=dst-nat to-addresses='IP-XBOX' to-ports=56102 
      protocol=udp dst-address='IP-WAN' dst-port=56102 log=no log-prefix=""

Thank you very much for the tip friend.
I did the same on my MK and it worked perfectly.

I am a tad confused by that NAT rule.
Specifically why is their a destination address in the rule??
I think the reason I am asking is because I use in-interface-list=WAN on my dst nat rules.

I would like to assume both accomplish basically the same thing but just want to make sure!

(PS the too ports part is not required as its detailed in the destination port and if there is no port translation, the TOO port is assumed to be the same as the dest port).

@anav: It's quite difficult to find something specific in my own older posts, but I can't shake off the feeling that I already explained this to you, and maybe even more than once.

When forwarding port, you want it forwarded from public address to some internal address. The dst-address=<public address> is correct solution, because it does exactly what you want, nothing less and nothing more. The in-interface=<WAN> is simple shortcut, it works too, but it assumes that you have only one address on WAN interface, and you don't have any subnet routed to you from there. Which is true for average home user. But it can bite you if you use it without thinking what it does, and then you happen to come across some more complex config. Even the simplest case where you would have two public addresses on WAN interface. If you use dstnat with in-interface=<WAN>, ports will be forwarded from both to same internal device. Probably not what you'd want.

In short, keep using in-interface=<WAN> if you want, it's ok. Great advantage is that it automatically handles dynamic addresses. But understand what it does.

In my case, no matter where such rule goes, it never gets a single packet through it (so totally unused & not needed)

so I keep reading how UPnP can be a security risk...

I have Xbox connected to ether9, WAN via ether1.

If I enable UPnP for just external port=ether1 and internal port=ether9, would it still be considered a security risk since UPnP is only enabled for the xbox and therefore can't effect any other LAN devices?

OR, theoretically, could the Xbox still open ports using UPnP to other LAN IPs on the network that are connected to say, ether2..?