UPnP - Multiple Xbox One Gaming Consoles & NAT

[e38BimmerFN]

Been mentioned here:
https://www.reddit.com/r/xboxone/du...ome_small_but_interesting_networking_changes/

I guess those in the preview program depending on levels have it already. One user has already posted pictures about it earlier in this thread.

Hope this will help.

Just wanted to let you know that in the update Xbox One will receive this Fall, Microsoft will allow you to change the online gaming port from 3074 to a few others (from a list). This should help make the NAT Open if you have multiple consoles connected to the same router.

 

[BiggShooter]

Can you test with two BO3s running?

I think I sold my second copy of BO3 - can't seem to find it.

 

[e38BimmerFN]

Can you find one to barrow or get on loan? Testing NAT on consoles is important as well, however in game too.

 

[BiggShooter]

Can you find one to barrow or get on loan? Testing NAT on consoles is important as well, however in game too.

Send me your copy

 

[e38BimmerFN]

Suppose i'll go get a ASUS router at Best Buy.

 

[Vexira]

Suppose i'll go get a ASUS router at Best Buy.

i thought u had a gt 5300, if I can get a scrip working for full cone test it on that lol

 

[e38BimmerFN]

Did, had to return it.

Besides, the GT doesn't support 3rd party FW so I couldn't gets your script. I'm thinking about getting the RT-3100 to demo as that does support Merlin then I can do more testing with scripts....

i thought u had a gt 5300, if I can get a scrip working for full cone test it on that lol

 

[Vexira]

I helped set up a network for a friend a while back where this was his #1 requirement. Two Xbox ones where he & his wife would keep open nat. I ended up on the phone with the retention department of his isp/tv provider & ended up getting him 2 static ip's and a bigger discount. 2 IP's fixed the problem at hand & ended up costing nothing.

Another way I've seen done is with a
tg862g modem/router/voip combo device
And
docsis 3.1 modem + Asus 5300. They own both devices. Comcast lets you add a telephone capable device in addition to your modem. Data works on both (monthly 1tb combined cap) & both have separate ips's. i can think of a few ways to link the networks.


When I've had luck doing it on my home network, I turn off instant on mode & manually forward all relevant ports to the old launch day console and let up upnp forward ports to the new 4k Xbox one. I've seeen in the Merlin asuswrt system log-port forwards that it remaps various external ports of 3074 & 3076 for the second consoleView attachment 10114the top four are redirecting various ports to the same 3076 internal port...which is call of duty IW.

I mentioned this in another thread, but Asus came out with a beta firmware a while back.
ASUS RT-AC66U Firmware version 9.0.0.4.380.2695
[Beta release]
New Features
- Supported auto dynamic port changing of UPnP server when ports conflict

I personally think that the idea of auto dynamic port changing may the solution. Jut not sure how well it works or if its going to need Sony and Microsoft to do something on there end for it to work seamlessly with ipv4. Ill be glad when IPv6 fixes this issue all together--and yes, this will make this a non-issue

might need to ask asus if that feature carried over the f/w versions, I highly suspect it there

 

[Vexira]

Did, had to return it.

Besides, the GT doesn't support 3rd party FW so I couldn't gets your script. I'm thinking about getting the RT-3100 to demo as that does support Merlin then I can do more testing with scripts....

what was wrong with it?

 

[e38BimmerFN]

Too spendy for what it was and I needed. Just wanted to demo it at least to see what it could do. Nice router. Can't do multiple game consoles tough. I like the UI and it's very snappy. Hope they open it up for 3rd party FW sometime.

what was wrong with it?

 

[Vexira]

ASUSWRT-Merlin RT-AC88U 380.68-0 Fri Aug 18 21:41:25 UTC 2017
vexira@RT-AC88U-7CC0:/tmp/home/root# iptables -t nat -D POSTROUTING ! -s $(nvram
get wan0_ipaddr) -o $(nvram get wan0_ifname) -j MASQUERADE
vexira@RT-AC88U-7CC0:/tmp/home/root# iptables -t nat -A POSTROUTING ! -s $(nvram
get wan0_ipaddr) -o $(nvram get wan0_ifname) -j MASQUERADE --random
vexira@RT-AC88U-7CC0:/tmp/home/root# iptables-save
# Generated by iptables-save v1.4.14 on Thu Aug 24 16:44:30 2017
*raw
REROUTING ACCEPT [345239:83870473]
:OUTPUT ACCEPT [8448:8251461]
COMMIT
# Completed on Thu Aug 24 16:44:30 2017
# Generated by iptables-save v1.4.14 on Thu Aug 24 16:44:30 2017
*nat
REROUTING ACCEPT [6:1680]
:INPUT ACCEPT [2:113]
:OUTPUT ACCEPT [1:61]
OSTROUTING ACCEPT [0:0]
NSFILTER - [0:0]
:LOCALSRV - [0:0]
CREDIRECT - [0:0]
UPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d 1.43.254.50/32 -j VSERVER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
-A POSTROUTING ! -s 1.43.254.50/32 -o eth0 -j MASQUERADE --random
-A DNSFILTER -m mac --mac-source 00:0B:82:9E:1A:A8 -j RETURN
-A DNSFILTER -m mac --mac-source B8:27:EB:FC:EF:30 -j RETURN
-A DNSFILTER -j DNAT --to-destination 192.168.1.1
-A VSERVER -j VUPNP
-A VUPNP -p udp -m udp --dport 22345 -j DNAT --to-destination 192.168.1.43:22345
-A VUPNP -p tcp -m tcp --dport 22345 -j DNAT --to-destination 192.168.1.43:22345
-A VUPNP -p udp -m udp --dport 3074 -j DNAT --to-destination 192.168.1.58:3074
COMMIT
# Completed on Thu Aug 24 16:44:30 2017
# Generated by iptables-save v1.4.14 on Thu Aug 24 16:44:30 2017
*mangle
REROUTING ACCEPT [344448:83636056]
:INPUT ACCEPT [11290:1849787]
:FORWARD ACCEPT [333083:81782949]
:OUTPUT ACCEPT [8143:8160420]
OSTROUTING ACCEPT [341615:90085656]
:BWDPI_FILTER - [0:0]
-A PREROUTING -i eth0 -p udp -j BWDPI_FILTER
-A FORWARD -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MARK --set-xmark 0x1/0x 7
-A BWDPI_FILTER -i eth0 -p udp -m udp --sport 68 --dport 67 -j DROP
-A BWDPI_FILTER -i eth0 -p udp -m udp --sport 67 --dport 68 -j DROP
COMMIT
# Completed on Thu Aug 24 16:44:30 2017
# Generated by iptables-save v1.4.14 on Thu Aug 24 16:44:30 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5011:2109414]
:ACCESS_RESTRICTION - [0:0]
:FUPNP - [0:0]
:INPUT_ICMP - [0:0]
:NSFW - [0:0]
Controls - [0:0]
TCSRVLAN - [0:0]
TCSRVWAN - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FUPNP -d 192.168.1.43/32 -p udp -m udp --dport 22345 -j ACCEPT
-A FUPNP -d 192.168.1.43/32 -p tcp -m tcp --dport 22345 -j ACCEPT
-A FUPNP -d 192.168.1.58/32 -p udp -m udp --dport 3074 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequen ce --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence - -log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Thu Aug 24 16:44:30 2017
vexira@RT-AC88U-7CC0:/tmp/home/root#
this is for symmetric nat

 

[Vexira]

rebooted xbox says cone nat, nat test says same results mabye I need to reboot the pc

 

[Vexira]

ASUSWRT-Merlin RT-AC88U 380.68-0 Fri Aug 18 21:41:25 UTC 2017
vexira@RT-AC88U-7CC0:/tmp/home/root# iptables -t nat -D POSTROUTING ! -s $(nvram get wan0_ipaddr) -o $(nvram get wan0_ifname) -j MASQUERADE
vexira@RT-AC88U-7CC0:/tmp/home/root# iptables -t nat -I POSTROUTING -o $(nvram get wan0_ifname) -j SNAT --to-source $(nvram get wan0_ipaddr)
vexira@RT-AC88U-7CC0:/tmp/home/root# iptables-save
# Generated by iptables-save v1.4.14 on Thu Aug 24 17:10:29 2017
*raw
REROUTING ACCEPT [78142:12878420]
:OUTPUT ACCEPT [6791:6216349]
COMMIT
# Completed on Thu Aug 24 17:10:29 2017
# Generated by iptables-save v1.4.14 on Thu Aug 24 17:10:29 2017
*nat
REROUTING ACCEPT [3:248]
:INPUT ACCEPT [3:169]
:OUTPUT ACCEPT [1:65]
OSTROUTING ACCEPT [0:0]
NSFILTER - [0:0]
:LOCALSRV - [0:0]
CREDIRECT - [0:0]
UPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d 1.43.254.50/32 -j VSERVER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A POSTROUTING -o eth0 -j SNAT --to-source 1.43.254.50
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
-A DNSFILTER -m mac --mac-source 00:0B:82:9E:1A:A8 -j RETURN
-A DNSFILTER -m mac --mac-source B8:27:EB:FC:EF:30 -j RETURN
-A DNSFILTER -j DNAT --to-destination 192.168.1.1
-A VSERVER -j VUPNP
-A VUPNP -p udp -m udp --dport 3074 -j DNAT --to-destination 192.168.1.58:3074
-A VUPNP -p udp -m udp --dport 59923 -j DNAT --to-destination 192.168.1.58:59923
-A VUPNP -p tcp -m tcp --dport 59923 -j DNAT --to-destination 192.168.1.58:59923
-A VUPNP -p udp -m udp --dport 22345 -j DNAT --to-destination 192.168.1.43:22345
-A VUPNP -p tcp -m tcp --dport 22345 -j DNAT --to-destination 192.168.1.43:22345
COMMIT
# Completed on Thu Aug 24 17:10:29 2017
# Generated by iptables-save v1.4.14 on Thu Aug 24 17:10:29 2017
*mangle
REROUTING ACCEPT [76782:12631181]
:INPUT ACCEPT [8628:1426406]
:FORWARD ACCEPT [68120:11203307]
:OUTPUT ACCEPT [6448:6133758]
OSTROUTING ACCEPT [74735:17394876]
:BWDPI_FILTER - [0:0]
-A PREROUTING -i eth0 -p udp -j BWDPI_FILTER
-A FORWARD -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MARK --set-xmark 0x1/0x7
-A BWDPI_FILTER -i eth0 -p udp -m udp --sport 68 --dport 67 -j DROP
-A BWDPI_FILTER -i eth0 -p udp -m udp --sport 67 --dport 68 -j DROP
COMMIT
# Completed on Thu Aug 24 17:10:29 2017
# Generated by iptables-save v1.4.14 on Thu Aug 24 17:10:29 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2928:1683603]
:ACCESS_RESTRICTION - [0:0]
:FUPNP - [0:0]
:INPUT_ICMP - [0:0]
:NSFW - [0:0]
Controls - [0:0]
TCSRVLAN - [0:0]
TCSRVWAN - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FUPNP -d 192.168.1.58/32 -p udp -m udp --dport 3074 -j ACCEPT
-A FUPNP -d 192.168.1.58/32 -p udp -m udp --dport 59923 -j ACCEPT
-A FUPNP -d 192.168.1.58/32 -p tcp -m tcp --dport 59923 -j ACCEPT
-A FUPNP -d 192.168.1.43/32 -p udp -m udp --dport 22345 -j ACCEPT
-A FUPNP -d 192.168.1.43/32 -p tcp -m tcp --dport 22345 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Thu Aug 24 17:10:29 2017
vexira@RT-AC88U-7CC0:/tmp/home/root#
Full cone nat

 

[Vexira]

same deal, seems that it needs more than just iptables and a reboot to work possibly?
looks like something else is over riding it, I suspect its adaptive qos.

 

[ColinTaylor]

@Vexira Can you post your router output inside CODE blocks because when you paste it straight into the message it gets messed up and is difficult to read.

 

[e38BimmerFN]

If you change the IPtables to simulate FULL CONE or something other that the default NAT kind on the router, I wonder if the NAT test tool only detects the default NAT kind no matter what you change...

Possible that since the xbox is on the LAN side and the NAT test tool is on the WAN side, maybe the xbox only sees the change from the LAN side while NAT test tool doesn't see the change from the WAN side. Just a thought here.

rebooted xbox says cone nat, nat test says same results mabye I need to reboot the pc

 

[ColinTaylor]

nat test says same results mabye I need to reboot the pc

I've noticed that the online NAT analyser caches it's results, so even after you've made changes to the router rerunning the test gives you the same result. So before every test close your browser completely and then reopen it. Then check that the test ID has changed:

 

[Vexira]

@Vexira Can you post your router output inside CODE blocks because when you paste it straight into the message it gets messed up and is difficult to read.

thatd ssh outputs. And sure

 

[Vexira]

I've noticed that the online NAT analyser caches it's results, so even after you've made changes to the router rerunning the test gives you the same result. So before every test close your browser completely and then reopen it. Then check that the test ID has changed:

View attachment 10216
View attachment 10217

i rebooted the pc as well as my xbox and the router, same results not sure how merlin applied the extra wan rules that fixed 2 pcs for me with cod games, might need to so the same thing to get full cone.

 

[jhferry]

I am experiencing this as well with 2 PS4s as well. Asus A68U with the latest FORK fw. The thing is, we can game but we cannot party chat. I haven't tried anything with QOS, is there a specific thing I can try? Is the beta ASUS fw maybe worth a try?