Xbox Live Issues

CHARL13 · Sun Jan 05, 2014 10:54 pm

Ok so historically I've given my Xbox a static IP address and stuck it in the "DMZ" to get an open NAT on Xbox Live.
Now I've got a Mikrotik I'm trying to learn more about networking and the proper way of doing things. My Xbox is currently showing a moderate NAT. I've attempted port forwarding (if that's the correct terminology) with the following NAT rules:

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=srcnat action=masquerade out-interface=pppoe-btinfinity
 1   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=172.16.0.9 to-ports=88 protocol=udp dst-address-type="" in-interface=ether1-gateway dst-port=88
 2   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=172.16.0.9 to-ports=3074 protocol=udp dst-address-type="" in-interface=ether1-gateway dst-port=3074
 3   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=172.16.0.9 to-ports=3074 protocol=tcp dst-address-type="" in-interface=ether1-gateway dst-port=3074
 4   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=172.16.0.9 to-ports=53 protocol=udp dst-address-type="" in-interface=ether1-gateway dst-port=53
 5   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=172.16.0.9 to-ports=53 protocol=tcp dst-address-type="" in-interface=ether1-gateway dst-port=53
 6   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=172.16.0.9 to-ports=500 protocol=udp dst-address-type="" in-interface=ether1-gateway dst-port=500
 7   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=172.16.0.9 to-ports=3544 protocol=udp dst-address-type="" in-interface=ether1-gateway dst-port=3544
 8   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=172.16.0.9 to-ports=4500 protocol=udp dst-address-type="" in-interface=ether1-gateway dst-port=4500
 9   ;;; XBox Live
     chain=dstnat action=dst-nat to-addresses=172.16.0.9 to-ports=80 protocol=tcp dst-address-type="" in-interface=ether1-gateway dst-port=80

And the following filter rules:

[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp
 1   ;;; default configuration
     chain=input action=accept connection-state=established
 2   ;;; default configuration
     chain=input action=accept connection-state=related
 3   chain=input action=accept protocol=udp dst-port=88
 4   chain=input action=accept protocol=udp dst-port=3074
 5   chain=input action=accept protocol=tcp dst-port=3074
 6   chain=input action=accept protocol=udp dst-port=500
 7   chain=input action=accept protocol=udp dst-port=3544
 8   chain=input action=accept protocol=udp dst-port=4500
 9   chain=input action=accept protocol=udp dst-port=53
10   chain=input action=accept protocol=tcp dst-port=53
11   chain=input action=accept protocol=tcp dst-port=80
12 X chain=input action=log log-prefix=""
13   ;;; default configuration
     chain=input action=drop in-interface=pppoe-btinfinity

Am I missing something and is this the best way to go about it?

Thanks

cbrown · Mon Jan 06, 2014 3:50 pm

Prints are not good for diagnostics. Use /export if v6 and /export compact if v5. Here is how I do my nat for my xbox.

/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type="" dst-port=\
    3074,88,500,3544,4500 in-interface=ether1 protocol=udp to-addresses=\
    192.168.8.107

For you firewall, input protects the router itself. You would want to put the rules to protect devices behind your router in the forward chain.

http://wiki.mikrotik.com/wiki/Manual:IP ... ter#Chains

CHARL13 · Mon Jan 06, 2014 4:46 pm

Thanks cbrown, the export option is duly noted. Just so that I get it right would you be able to post the relevant filter rule that you have?

I'll give it a go tonight and report back.

cbrown · Mon Jan 06, 2014 4:52 pm

With your current firewall you will not need to do anything as nothing is blocking anything in the forward chain. Lets see if this works then we can get you setup with an appropriate firewall.

CHARL13 · Tue Jan 07, 2014 1:19 am

Ok I've given the above a go with no joy. Interestingly there is no traffic registering against the NAT rules what so ever,but there is traffic on some of the filter rules.

cbrown · Tue Jan 07, 2014 2:17 am

Post your whole config with export

CHARL13 · Tue Jan 07, 2014 10:58 am

I made some headway late last night and managed to get an open NAT on the Xbox. I didn't get time to investigate different combinations but I will do so this evening and post the final config.
In the end I noticed that the Xbox traffic was passing through the default established connection filter rule even though the Xbox specific rules were above it in the table. I had been power cycling the Xbox after every change thinking that it would force new connections but I was not aware that the Mikrotik was remembering the connections and thus the Xbox was picking up from where it left off.
I put the rules back to how I thought they should be (I'm fairly sure they were correct in the first place but may have been messed up by me implementing IPSEC VPN on UDP 500 and 4500) and rebooted the Mikrotik along with the Xbox and hey presto.

Thanks for your help cbrown

patrikg · Tue Jan 07, 2014 11:09 am

You have a good info here:

What ports used by live and so on.

http://www.orpheusinternet.co.uk/suppor ... ewall.html

ashgromnies · Sat Jan 25, 2014 5:17 am

CHARL13 -- you're bumming me out man, I'm experiencing the same problems, and cbrown's NAT settings have never worked for me.

Can you please post your working settings with export?

cbrown · Tue Jan 28, 2014 3:20 pm

CHARL13 -- you're bumming me out man, I'm experiencing the same problems, and cbrown's NAT settings have never worked for me.

Can you please post your working settings with export?

Post your config with /export compact

letthiswork1 · Mon Apr 28, 2014 2:30 am

HI Guys,

If Anyone is still having this issue i resolved it by making sure my Modem was Birdged to my Mikrotik and removing Double NAT. I also just configured UPNP on my external and internal interface.

adding the WAN IP of my mikrotik do the DMZ on my modem didn't even work

Once i did this i had a full open NAT for my Xbox.

I tried lots of NAT Rules and firewall rules but nothing worked until i did it the above way.

Tue Apr 29, 2014 8:41 am

Hey Cbrown, wat's IP-address is this 192.168.8.107 from the X-box?

Prints are not good for diagnostics. Use /export if v6 and /export compact if v5. Here is how I do my nat for my xbox.
Code: Select all
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type="" dst-port=\
    3074,88,500,3544,4500 in-interface=ether1 protocol=udp to-addresses=\
    192.168.8.107
For you firewall, input protects the router itself. You would want to put the rules to protect devices behind your router in the forward chain.

http://wiki.mikrotik.com/wiki/Manual:IP ... ter#Chains

cbrown · Tue Apr 29, 2014 1:38 pm

192.168.8.107 is my Xbox.

Xbox Live Issues

Xbox Live Issues

Re: Xbox Live Issues

Re: Xbox Live Issues

Re: Xbox Live Issues

Re: Xbox Live Issues

Re: Xbox Live Issues

Re: Xbox Live Issues

Re: Xbox Live Issues

Re: Xbox Live Issues

Re: Xbox Live Issues

Re: Xbox Live Issues

Re: Xbox Live Issues

Re: Xbox Live Issues

Who is online