Having trouble with setup and UPnP

I am helping a friend of mine, very remotely as he is in Toronto and I am in Oregon, attempting to get his hEX set up. I am not figuring a few things out very well for the UPnP settings in regard to his XBones getting an Open NAT.

Setup info and assumptions

HomeHub2000 router

  • Fiber setup, and has family requirements to keep this in place to keep TV/Phone/WiFi
  • All but his gaming room is running normally through this setup
  • Doesn’t allow him and his son to use XBones at the same time if they want to interact (i.e. can’t play together, can’t be in the same voice channels, etc.)

MikroTik hEX (v6.36.# firmware)

  • Connected to HomeHub2000 with PPPoE, connects correctly and gets its own external IP address, status: connected
  • This allows us to create a subnet just for his XBones to take the serious issues from his HomeHub out of the equation
  • XBones are up with static IP address reservations in DHCP
  • UPnP with external interface ether1-master and an internal interface ether2-master
  • UPnP is enabled
  • UPnP show-dummy-rule is enabled

This is where being a little less versed in the *nix arts gets me, and the fact of not being too familiar with RouterOS… I am not sure how to open up the firewall settings correctly.

Our setup computer can browse from the hEX LAN, but the XBones come back as Moderate NAT: restricted NAT settings. So setting up UPnP wasn’t all I needed to enable…

On my own home network, I made a DIY and have pfSense set up and working with multiple consoles, Ooma, IP-TVs, etc. but am not sure how to translate the ACL entries I have into the Firewall/NAT settings for the hEX.

  • Example XBone config for ACL rules on my pfSense:
    Format: [allow or deny] [ext port or range] [int ipaddr or ipaddr/CIDR] [int port or range]
    deny 3074 192.168.1.51/32 3074
    deny 3074 192.168.1.52/32 3074
    allow 53-65535 192.168.1.51/32 53-65535
    allow 53-65535 192.168.1.52/32 53-65535

How do I translate this into setting up the firewall and NAT policies?

FYI: We found that blocking the 3074 port on all XBones made them renegotiate and have Open NAT; this trick doesn’t seem to work on XBones that were sold initially, but as long as you don’t have more than one of those it is easy enough to work around.

Since your wan uplink is a pppoe tunnel over the physical interface,
you need to specify the pppoe interface as “external”.
Currently (afaik) routeros doesn’t support acls for upnp limiting,
so you either allow all upnp use or use the firewall to limit access.
Xboxes shouldn’t need any special rules to play nice,
other than the usual allow established/related, drop invalid, allow whatever needed (usually lan traffic), drop/log all.
All that assuming that with the pppoe connection you get a public ip on the interface.
If not you are double-natting and I’m afraid that upnp won’t help.

Re-reading your post.
Xboxes can be a pain to play together/co-op behind a single ip,
since both will try to use/forward the same ports.
Optimally you would want to route public ips to each console if this is an option.
Alternatively if ipv6 is supported by M$/xbox (I have no idea…) and available from the isp,
you could try eliminating natting and use ipv6 instead.
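As an added example (not posted in this thread and not MikroTik's own documentation), here is a RouterOS v6 command listing that puts the reply above together with the setup from the first post: the PPPoE client as the UPnP external interface, ether2-master internal, masquerade on the tunnel, and the filter order "established/related, drop invalid, allow LAN, drop/log all". The pfSense "allow 53-65535" lines become a single rule that accepts inbound connections only when a dstnat entry (the ones UPnP inserts into /ip firewall nat) already exists; the "deny 3074" lines are translated as optional drops ahead of it. Assumed, not from the thread: the client name pppoe-out1, the LAN 192.168.1.0/24 with the consoles at .51/.52 (carried over from the pfSense example), placeholder ISP credentials, and that the connection-nat-state matcher is available on this firmware.

```routeros
# Added example for a hEX on RouterOS v6 (not from the thread or MikroTik docs).
# Assumptions: PPPoE client named pppoe-out1 over ether1-master, LAN 192.168.1.0/24
# on ether2-master, consoles at 192.168.1.51/.52, ISP credentials are placeholders.

/interface pppoe-client
add name=pppoe-out1 interface=ether1-master user="ISP_USERNAME" password="ISP_PASSWORD" \
    add-default-route=yes use-peer-dns=yes disabled=no

# LAN address and source NAT out of the tunnel (the public IP lives on pppoe-out1, not ether1)
/ip address
add address=192.168.1.1/24 interface=ether2-master
/ip firewall nat
add chain=srcnat out-interface=pppoe-out1 action=masquerade comment="LAN -> Internet"

# UPnP: the tunnel is the external interface, as the reply says; ether1-master never
# carries the public address. show-dummy-rule marks where UPnP inserts its dstnat entries.
/ip upnp
set enabled=yes show-dummy-rule=yes
/ip upnp interfaces
add interface=pppoe-out1 type=external
add interface=ether2-master type=internal

# Filter rules in the order the reply describes.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input in-interface=ether2-master action=accept comment="LAN may reach the router (DHCP, DNS, UPnP)"
add chain=input action=drop log=yes log-prefix="INPUT-DROP" comment="drop/log the rest"

add chain=forward connection-state=established,related action=accept comment="established/related"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
add chain=forward in-interface=ether2-master action=accept comment="LAN -> Internet"

# Optional translation of the pfSense "deny 3074" lines from the first post: refuse inbound
# 3074 to each console so it negotiates a different port via UPnP. That the consoles react the
# same way here as behind pfSense is an assumption; leave these out for a first test.
add chain=forward in-interface=pppoe-out1 protocol=udp dst-address=192.168.1.51 dst-port=3074 \
    action=drop comment="deny 3074 XBone 1"
add chain=forward in-interface=pppoe-out1 protocol=udp dst-address=192.168.1.52 dst-port=3074 \
    action=drop comment="deny 3074 XBone 2"

# Inbound from the tunnel only when a dstnat entry (UPnP-created or static) already matched.
# This replaces the pfSense "allow 53-65535" lines without opening anything by hand.
add chain=forward in-interface=pppoe-out1 connection-nat-state=dstnat connection-state=new \
    action=accept comment="inbound only via dstnat entries"
add chain=forward action=drop log=yes log-prefix="FWD-DROP" comment="drop/log the rest"
```

After applying this, `/ip firewall nat print` should show the UPnP dummy rule and, once a console has asked for a mapping, its dynamic dstnat entries below it; `/log print` with the two log prefixes shows exactly what the final drop rules are catching, which is the quickest way to tell whether a Moderate NAT result is the firewall or the ISP (no public IP on pppoe-out1 means double NAT, as the reply notes).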

@Netstumble Thanks for the quick response.

pppoe interface as external, got it. I was confused as to which interface to bind. Thanks.
pppoe is getting an external public IP. I know that part is working and I was way ahead of the double+ NAT issues, common pitfall for people since their “browsing seems to work, why doesn’t xyz?”

Single XBone working is initial target. If that works well, I will add the second XBone. Will follow your lead on the IPv6 (heard that works for M$ and Sony both, just need to see if his provider has it working in his area). Will default to public IPs as last resort.

Thanks again.