XBox Live - NAT Type Strict

Good Day,

I have a Routerboard 600 and am trying to get my XBox NAT Type away from “Strict”.

I have done some reading and tried different dst-nat rules and have not had success. Tried also enabling upnp but also had no success.

Does anybody have a good guide on how to get this working properly? The best I can get is using a simple masquerade rule for the network my XBox is currently on. It is connected wirelessly and is on a static IP address.

I am on the very latest version, just upgraded it tonight to 5.14.

Any help will be greatly appreciated.

Thank you!

Change the IP to the IP of your Xbox and change the in-interface to the interface of your WAN connection.

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address-type="" dst-port=3074 \
    in-interface=ether1 protocol=udp to-addresses=192.168.8.107
add action=dst-nat chain=dstnat disabled=no dst-port=3074 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.8.107
add action=dst-nat chain=dstnat disabled=no dst-port=88 in-interface=ether1 \
    protocol=udp to-addresses=192.168.8.107

And note those rules will only let 1 xbox work properly. To get more than 1 going at a time, you must enable upnp.

Thank you so much. I will try those and see what happens.

Okay, so this didn’t work for me…

I tried moving the rules up and down in order in Winbox, and noticed that the amount of packets and bytes that these rules processed was 0. So they were not doing anything.

My WAN interface is ether1, which is connected to the wall in my apartment. I stay on a school’s campus and they provide the internet. So there is no DSL modem or anything that I use.

A friend of mine though, also stays in the same building and has a Cisco / Linksys router, and he got his setup to work with two XBoxes, so I know it’s not the school’s connection.

Any advice?

Can you give me the Firewall filter rules that you use.

Sure, this is what I have setup right now:

0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough to-addresses=0.0.0.0 

 1 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=tcp src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 2 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=udp src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 3   chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=0.0.0.0/0 

 4 X chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=0.0.0.0/0 

 5   chain=srcnat action=masquerade src-address=192.168.60.0/24 dst-address=0.0.0.0/0 

 6   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp dst-address-type="" in-interface=ether1 dst-port=3074 

 7   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=3074 

 8   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=80

192.168.60.0 is my wireless network, the XBox has a manually configured IP address of 192.168.60.15. Should this be DHCP with a reservation instead?

192.168.0.0 is my wired network on ether2, and 192.168.1.0 is my second wired network on ether3 which I am not using right now.

ether1 is plugged into the wall, from which I am getting a static IP of 10.10.51.55 based on a reservation from the campus servers. Rules 1 and 2 are what I use to access my PC from my office, as I work on campus as well.

Those are the NAT rules … give me the filter rules.

Sorry, about that..

I do not have any filter rules setup..

The ports that should be redirected:

Port 88 (UDP)

Port 3074 (UDP and TCP)

Port 53 (UDP and TCP)

Port 80 (TCP)

So you currently have:

6 ;;; XBox Live
chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp dst-address-type="" in-interface=ether1 dst-port=3074

7 ;;; XBox Live
chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=3074

8 ;;; XBox Live
chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=80

you need:

8 is wrong → you need tcp → chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=80


7 is not enough, you also need:
9: chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=3074 (erase the 6)

and you also need:

10: chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=88

11: chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=53

12: chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=53


test again with these

Thanks for your help…so now I have:

Flags: X - disabled, I - invalid, D - dynamic 
 0 X ;;; place hotspot rules here
     chain=unused-hs-chain action=passthrough to-addresses=0.0.0.0 

 1 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=tcp src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 2 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=udp src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 3   chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=0.0.0.0/0 

 4 X chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=0.0.0.0/0 

 5   chain=srcnat action=masquerade src-address=192.168.60.0/24 dst-address=0.0.0.0/0 

 6 X ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp dst-address-type="" in-interface=ether1 dst-port=3074 

 7   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=3074 

 8   chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=3074 

 9   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=80 

10   chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=88 

11   chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=53 

12   chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=53

I switched 8 and 9 around just to keep them together.

In testing on my XBox I still get strict NAT and only rule 9 shows movement.

chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=80

I moved the rules to the top and tried again, same result. I don’t get it.

Use the rules I originally gave you. They work, I use them everyday. Except this time don’t mess up when you put them in. You used port 80 instead of 88 with my rules.

53 and 80 are DNS and HTTP traffic and will have no effect on your NAT type (they don’t on mine anyway).
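
Added example (not part of any post in this thread): a Python check that parses `/ip firewall nat print` output like the listings above and compares the active dst-nat forwards for the console against the three forwards from the first reply (88/udp, 3074/udp, 3074/tcp). The function names and the sample listing are constructed for illustration, and single-port `dst-port` values are assumed.

```python
import re

# Forwards the first reply in the thread says to add: 88/udp, 3074/udp, 3074/tcp.
REQUIRED = {("udp", "88"), ("udp", "3074"), ("tcp", "3074")}

# Constructed sample, modelled on the first rule listing posted in the thread.
SAMPLE = """\
Flags: X - disabled, I - invalid, D - dynamic
 1 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=tcp in-interface=ether1
 5   chain=srcnat action=masquerade src-address=192.168.60.0/24 dst-address=0.0.0.0/0
 6   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp
     dst-address-type="" in-interface=ether1 dst-port=3074
 7   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp in-interface=ether1 dst-port=3074
 8   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp in-interface=ether1 dst-port=80
"""

def parse_nat_print(text):
    """Turn printed NAT rules into dicts; wrapped lines join the rule above them."""
    rules, cur = [], None
    for line in text.splitlines():
        head = re.match(r"\s*(\d+)\s+(?:([XID]+)\s+)?(.*)$", line)
        if head:  # a leading rule number starts a new rule
            cur = {"number": int(head.group(1)), "flags": head.group(2) or ""}
            rules.append(cur)
            line = head.group(3)
        if cur is not None and not line.lstrip().startswith(";;;"):
            cur.update(re.findall(r'([\w-]+)=("[^"]*"|\S+)', line))
    return rules

def audit_forwards(rules, wan_if, console_ip):
    """Compare enabled WAN-side dst-nat forwards to console_ip against REQUIRED."""
    active = {
        (r["protocol"], r["dst-port"])
        for r in rules
        if "X" not in r["flags"]                  # skip disabled rules
        and r.get("chain") == "dstnat" and r.get("action") == "dst-nat"
        and r.get("in-interface") == wan_if
        and r.get("to-addresses") == console_ip
        and "protocol" in r and "dst-port" in r
    }
    return {"missing": sorted(REQUIRED - active), "extra": sorted(active - REQUIRED)}

if __name__ == "__main__":
    print(audit_forwards(parse_nat_print(SAMPLE), "ether1", "192.168.60.15"))
```

On the sample it reports 88/udp as missing and 80/udp as an extra forward, the same mix-up pointed out in the reply above.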

Oh wow, I didn’t pick that up! I’m sorry..I have redone the rules and will try again..thank you!

Okay, so I’ve tried this now on my XBox and still have Strict NAT. Checking the NAT rules I still see no traffic on them. 0 bytes and 0 packets.

Am I missing something? With the previous rule set I had the same thing and only the rule for port 80 showed packets. But why not the rest?

These are my latest NAT rules:

Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp 
     dst-address-type="" in-interface=ether1 dst-port=3074 

 1   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=tcp 
     in-interface=ether1 dst-port=3074 

 2   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=192.168.60.15 protocol=udp 
     in-interface=ether1 dst-port=88 

 3 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=tcp 
     src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 4 X chain=dstnat action=dst-nat to-addresses=192.168.0.253 protocol=udp 
     src-address=10.10.10.175 dst-address=10.10.51.55 in-interface=ether1 

 5   chain=srcnat action=masquerade src-address=192.168.0.0/24 
     dst-address=0.0.0.0/0 

 6   chain=srcnat action=masquerade src-address=192.168.60.0/24

Still nothing in my filter rules.

Have you tried activating UPnP? It seems to work nicely on my RB751U for a customer.

I did try before but I don’t think I had any NAT rules with it. UPnP is currently off..

How should I go about enabling UPnP? Like would ether1 be my ‘outside’ interface and wlan1 my internal?

I only had to set an external and it was good to go.

Okay, thanks. I will set that up then and give it another try.