Quick Overview

On my home network, I am running a dedicated OpenBSD 5.4 box as my router. On this box I use pf to handle firewalling (NAT and port forwarding) for the various public servers that I have on my LAN.

While I am mostly a PC gamer, I do have an Xbox One and an Xbox 360. I have spent years dealing with a NAT Type of ‘Strict’.

This page will go over how I finally got a NAT Type of ‘Open’ with just a few lines in my pf.conf file. This guide will also mostly be applicable to FreeBSD; however, the pf version on FreeBSD is behind that of OpenBSD, so the syntax is slightly different and some tweaks will be needed.


This is a subset of my live pf.conf file - I have removed the port forwards for the other servers on my network.

xbox_live_tcp_ports = "{ 53, 80, 3074 }"
xbox_live_udp_ports = "{ 53, 88, 500, 3074, 3544, 4500, 8083, 1780, 49164 }"
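# My xbox has a DHCP reservation, giving it a static IP address.
# Set this to that reserved LAN address (left blank here).
xbox = ""
# $ext_if and $int_if are used below; their macro definitions are not shown in this subset.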

# options
set block-policy return
set loginterface egress
set skip on lo0

# Perform source-port randomization for all hosts which are not the xbox
match out log on egress from !$xbox to any nat-to ($ext_if:0) port 1024:65535
# Do not perform source-port randomization for the xbox - IMPORTANT
match out log on egress from  $xbox to any nat-to ($ext_if:0) static-port

# Block all packets in - even from the LAN
block in log

# Allow all packets out
pass out quick

# Spoofed address protection
antispoof quick for { lo $int_if }

# Allow SSH into the firewall
pass in on egress inet proto tcp from any to (egress) port ssh

# Port forward the necessary ports to the xbox
pass in quick on egress proto tcp from any to (egress) port $xbox_live_tcp_ports rdr-to $xbox
pass in quick on egress proto udp from any to (egress) port $xbox_live_udp_ports rdr-to $xbox

# Allow ping
pass in inet proto icmp all icmp-type echoreq

# Allow traffic from the LAN in on the internal interface, so it can go out to the internet
pass in on $int_if

And that is it. If you already have a pf.conf file, the important bits are the two "match out" lines as well as the two lines under the "Port forward the necessary ports to the xbox" comment.

One important note: After making these changes and reloading pf.conf, I found that a full power cycle of the xbox was necessary for the NAT Type to go to Open. That is, the ‘Test network connection’ and ‘Test multiplayer connection’ options under Settings -> Network did not change the NAT Type from Strict to Open.
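
The static-port rule above stops pf from rewriting the source port, so it should stay limited to the Xbox while every other host keeps source-port randomization. The following check is an added example, not part of the original post: a small shell lint that lists every nat-to rule using static-port and fails unless each one is scoped to the expected source. The function names and the two constructed sample rule sets are assumptions, and it only understands single-line rules of the form used on this page.

```sh
#!/bin/sh
# Added example (not from the original post): lint a pf.conf for over-broad
# use of static-port. Assumes single-line rules with at most one "from <src>".

# Print "<line number> <source>" for every nat-to rule that uses static-port.
static_port_sources() {
    awk '
        /^[ \t]*#/ { next }                  # skip comment lines
        /nat-to/ && /static-port/ {
            src = "any"                      # no "from" clause matches any source
            for (i = 1; i < NF; i++)
                if ($i == "from") { src = $(i + 1); break }
            print NR, src
        }' "$1"
}

# Return 0 only if at least one static-port rule exists and every one of them
# is limited to the expected source (for this page: the literal text $xbox).
# Return 1 if some rule is broader, 2 if there is no static-port rule at all.
check_static_port_scope() {
    conf=$1
    want=$2
    found=$(static_port_sources "$conf")
    [ -n "$found" ] || { echo "no static-port rule found" >&2; return 2; }
    bad=$(printf '%s\n' "$found" | awk -v want="$want" '$2 != want')
    if [ -n "$bad" ]; then
        printf 'static-port not limited to %s (line, source):\n%s\n' "$want" "$bad" >&2
        return 1
    fi
    return 0
}

# Constructed samples: the two NAT rules from this page, and a mistaken
# variant that disables source-port rewriting for every host.
write_samples() {
    cat > "$1/good.conf" <<'EOF'
match out log on egress from !$xbox to any nat-to ($ext_if:0) port 1024:65535
match out log on egress from  $xbox to any nat-to ($ext_if:0) static-port
EOF
    cat > "$1/bad.conf" <<'EOF'
match out log on egress from any to any nat-to ($ext_if:0) static-port
EOF
}

# Usage after sourcing this file: check_static_port_scope /etc/pf.conf '$xbox'
```

The check compares the source as written in the file, so pass the macro name exactly as it appears in the rule (here `$xbox`, in single quotes).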