My dad got this new router which has been an absolute nightmare for me on Xbox Live for the Xbox One. The interface of this router is extremely advanced for me. We had a Linksys before which was much easier to do this with. All I want to do is forward my ports to enable my NAT to be OPEN on XBL because with a Strict NAT, it is troublesome to connect to people’s parties or connect to people’s lobbies. The entire experience is compromised. I googled some guides and proceeded to utilize them to open my ports for my Xbox. These are the links I used. Suggested network ports from Xbox.com -
All of my ports, besides UDP 53 for some reason, report to be opened. But, after testing all of these ports my NAT refuses to change to OPEN and I am stumped as to why. I have tried UPNP and it did not work. I set my WAN interface to be external and my LAN to be internal as a guide suggested to no avail. Some help would be extremely appreciated. Thanks.
I’ve got this working at home so I will grab my config when I’m finished work.
In the meantime, if you think that your filter and nat rules are right, turn off the Xbox, reboot the Mikrotik and then power the Xbox back on.
Because the Mikrotik is stateful it remembers the Xbox's connection (I think for up to 24 hours). I was finding that changing rules and rebooting the Xbox was having no effect, because the original connection state was cached. A reboot of the Mikrotik will clear the cache and regenerate a connection state based on your updated rules.
You can remove connections from the GUI in Winbox by going into IP > Firewall > Connections.
Highlight a connection, and click the red minus sign - to remove it.
If you do this, you won’t need to reboot the two devices.
I read something on the Microsoft forums that starts off by saying that enabling UPnP fixes everything, but just in case you don’t have UPnP… (lots of stuff)
chain=dstnat action=dst-nat to-addresses=<XBOX IP ADDRESS> to-ports=3074 protocol=tcp in-interface=<ISP INTERFACE> dst-port=3074
chain=dstnat action=dst-nat to-addresses=<XBOX IP ADDRESS> to-ports=53 protocol=tcp in-interface=<ISP INTERFACE> dst-port=53
chain=dstnat action=dst-nat to-addresses=<XBOX IP ADDRESS> to-ports=80 protocol=tcp in-interface=<ISP INTERFACE> dst-port=80
chain=dstnat action=dst-nat to-addresses=<XBOX IP ADDRESS> to-ports=88 protocol=udp in-interface=<ISP INTERFACE> dst-port=88
chain=dstnat action=dst-nat to-addresses=<XBOX IP ADDRESS> to-ports=3074 protocol=udp in-interface=<ISP INTERFACE> dst-port=3074
chain=dstnat action=dst-nat to-addresses=<XBOX IP ADDRESS> to-ports=53 protocol=udp in-interface=<ISP INTERFACE> dst-port=53
chain=dstnat action=dst-nat to-addresses=<XBOX IP ADDRESS> to-ports=500 protocol=udp in-interface=<ISP INTERFACE> dst-port=500
chain=dstnat action=dst-nat to-addresses=<XBOX IP ADDRESS> to-ports=3544 protocol=udp in-interface=<ISP INTERFACE> dst-port=3544
chain=dstnat action=dst-nat to-addresses=<XBOX IP ADDRESS> to-ports=4500 protocol=udp in-interface=<ISP INTERFACE> dst-port=4500
The in-interface isn’t necessarily the physical interface, depending on your setup. My in-interface is the pppoe interface the routerboard uses to connect to my ISP. Don’t forget to clear down the cached connection before turning the Xbox on.
Second, I imagine that if there is such a thing as “reasonably secure” UPnP that it could be done on Mikrotik.
But…
I’ve seen some interesting exploits using UPnP in YouTube videos from DefCon…
So yeah - leaving it off is probably the best bet.
P.S. To anyone reading this thread as a “how-to” later on, with the static NAT maps, make sure the XBox has a static IP as well, or else the dst-nat pinholes are going to break whenever it gets a new IP.
You could also leave the XBox on DHCP and make the lease static in the Mikrotik.
IP > DHCP-Server > Leases - double click the XBox’s entry, and press the “Make Static” button.
This is convenient if you take your XBox to other places sometimes, e.g. for LAN parties and stuff, so you don’t have to reconfigure the network in the XBox itself.
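Added example (not part of any post in this thread, and not MikroTik tooling): a small Python check that reads dst-nat rules in the key=value layout quoted above and flags two things the thread warns about, a forward whose target has no static lease and a forward that is not tied to the ISP-facing interface. The addresses, the interface name pppoe-out1 and the set of static leases are constructed sample values.

```python
import shlex

# Constructed sample in the key=value layout of the rules quoted in the thread.
# Addresses and the interface name are made up for this example.
SAMPLE_RULES = """\
chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports=3074 protocol=udp in-interface=pppoe-out1 dst-port=3074
chain=dstnat action=dst-nat to-addresses=192.168.88.50 to-ports=88 protocol=udp in-interface=pppoe-out1 dst-port=88
chain=dstnat action=dst-nat to-addresses=192.168.88.77 to-ports=53 protocol=udp dst-port=53
chain=srcnat action=masquerade out-interface=pppoe-out1
"""


def parse_rule(line):
    """Turn one 'key=value key=value ...' rule line into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def audit(rules_text, static_leases, wan_interface):
    """Return (rule_number, problem) pairs for dst-nat rules that will break or over-match."""
    findings = []
    for n, line in enumerate(rules_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule.get("action") != "dst-nat":
            continue  # masquerade and other actions are not port forwards
        target = rule.get("to-addresses")
        if target not in static_leases:
            # The forward silently stops working when DHCP hands the console a new address.
            findings.append((n, f"target {target} has no static lease"))
        if rule.get("in-interface") != wan_interface:
            # Without in-interface the rule also matches LAN traffic to that port,
            # e.g. other clients' DNS queries on port 53 get redirected to the console.
            findings.append((n, f"in-interface is {rule.get('in-interface')!r}, "
                                f"expected {wan_interface!r}"))
    return findings


def demo():
    """Audit the constructed sample: only 192.168.88.50 has a static lease."""
    return audit(SAMPLE_RULES, static_leases={"192.168.88.50"},
                 wan_interface="pppoe-out1")


if __name__ == "__main__":
    for n, problem in demo():
        print(f"rule {n}: {problem}")
```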