What's new

UPnP - Multiple Xbox One Gaming Consoles & NAT

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Been mentioned here:
https://www.reddit.com/r/xboxone/du...ome_small_but_interesting_networking_changes/

I guess those in the preview program depending on levels have it already. One user has already posted pictures about it earlier in this thread.

Hope this will help.

Just wanted to let you know that in the update Xbox One will receive this Fall, Microsoft will allow you to change the online gaming port from 3074 to a few others (from a list). This should help make the NAT Open if you have multiple consoles connected to the same router.
 
Can you find one to barrow or get on loan? Testing NAT on consoles is important as well, however in game too. :rolleyes:
 
Suppose i'll go get a ASUS router at Best Buy. o_O
 
Did, had to return it.

Besides, the GT doesn't support 3rd party FW so I couldn't gets your script. I'm thinking about getting the RT-3100 to demo as that does support Merlin then I can do more testing with scripts....

i thought u had a gt 5300, if I can get a scrip working for full cone test it on that lol
 
I helped set up a network for a friend a while back where this was his #1 requirement. Two Xbox ones where he & his wife would keep open nat. I ended up on the phone with the retention department of his isp/tv provider & ended up getting him 2 static ip's and a bigger discount. 2 IP's fixed the problem at hand & ended up costing nothing.

Another way I've seen done is with a
tg862g modem/router/voip combo device
And
docsis 3.1 modem + Asus 5300. They own both devices. Comcast lets you add a telephone capable device in addition to your modem. Data works on both (monthly 1tb combined cap) & both have separate ips's. i can think of a few ways to link the networks.


When I've had luck doing it on my home network, I turn off instant on mode & manually forward all relevant ports to the old launch day console and let up upnp forward ports to the new 4k Xbox one. I've seeen in the Merlin asuswrt system log-port forwards that it remaps various external ports of 3074 & 3076 for the second consoleView attachment 10114the top four are redirecting various ports to the same 3076 internal port...which is call of duty IW.

I mentioned this in another thread, but Asus came out with a beta firmware a while back.
ASUS RT-AC66U Firmware version 9.0.0.4.380.2695
[Beta release]
New Features

- Supported auto dynamic port changing of UPnP server when ports conflict

I personally think that the idea of auto dynamic port changing may the solution. Jut not sure how well it works or if its going to need Sony and Microsoft to do something on there end for it to work seamlessly with ipv4. Ill be glad when IPv6 fixes this issue all together--and yes, this will make this a non-issue
might need to ask asus if that feature carried over the f/w versions, I highly suspect it there
 
Did, had to return it.

Besides, the GT doesn't support 3rd party FW so I couldn't gets your script. I'm thinking about getting the RT-3100 to demo as that does support Merlin then I can do more testing with scripts....
what was wrong with it?
 
Too spendy for what it was and I needed. Just wanted to demo it at least to see what it could do. Nice router. Can't do multiple game consoles tough. I like the UI and it's very snappy. Hope they open it up for 3rd party FW sometime.

what was wrong with it?
 
ASUSWRT-Merlin RT-AC88U 380.68-0 Fri Aug 18 21:41:25 UTC 2017
vexira@RT-AC88U-7CC0:/tmp/home/root# iptables -t nat -D POSTROUTING ! -s $(nvram
get wan0_ipaddr) -o $(nvram get wan0_ifname) -j MASQUERADE
vexira@RT-AC88U-7CC0:/tmp/home/root# iptables -t nat -A POSTROUTING ! -s $(nvram
get wan0_ipaddr) -o $(nvram get wan0_ifname) -j MASQUERADE --random
vexira@RT-AC88U-7CC0:/tmp/home/root# iptables-save
# Generated by iptables-save v1.4.14 on Thu Aug 24 16:44:30 2017
*raw
:pREROUTING ACCEPT [345239:83870473]
:OUTPUT ACCEPT [8448:8251461]
COMMIT
# Completed on Thu Aug 24 16:44:30 2017
# Generated by iptables-save v1.4.14 on Thu Aug 24 16:44:30 2017
*nat
:pREROUTING ACCEPT [6:1680]
:INPUT ACCEPT [2:113]
:OUTPUT ACCEPT [1:61]
:pOSTROUTING ACCEPT [0:0]
:DNSFILTER - [0:0]
:LOCALSRV - [0:0]
:pCREDIRECT - [0:0]
:pUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d 1.43.254.50/32 -j VSERVER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
-A POSTROUTING ! -s 1.43.254.50/32 -o eth0 -j MASQUERADE --random
-A DNSFILTER -m mac --mac-source 00:0B:82:9E:1A:A8 -j RETURN
-A DNSFILTER -m mac --mac-source B8:27:EB:FC:EF:30 -j RETURN
-A DNSFILTER -j DNAT --to-destination 192.168.1.1
-A VSERVER -j VUPNP
-A VUPNP -p udp -m udp --dport 22345 -j DNAT --to-destination 192.168.1.43:22345
-A VUPNP -p tcp -m tcp --dport 22345 -j DNAT --to-destination 192.168.1.43:22345
-A VUPNP -p udp -m udp --dport 3074 -j DNAT --to-destination 192.168.1.58:3074
COMMIT
# Completed on Thu Aug 24 16:44:30 2017
# Generated by iptables-save v1.4.14 on Thu Aug 24 16:44:30 2017
*mangle
:pREROUTING ACCEPT [344448:83636056]
:INPUT ACCEPT [11290:1849787]
:FORWARD ACCEPT [333083:81782949]
:OUTPUT ACCEPT [8143:8160420]
:pOSTROUTING ACCEPT [341615:90085656]
:BWDPI_FILTER - [0:0]
-A PREROUTING -i eth0 -p udp -j BWDPI_FILTER
-A FORWARD -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MARK --set-xmark 0x1/0x 7
-A BWDPI_FILTER -i eth0 -p udp -m udp --sport 68 --dport 67 -j DROP
-A BWDPI_FILTER -i eth0 -p udp -m udp --sport 67 --dport 68 -j DROP
COMMIT
# Completed on Thu Aug 24 16:44:30 2017
# Generated by iptables-save v1.4.14 on Thu Aug 24 16:44:30 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [5011:2109414]
:ACCESS_RESTRICTION - [0:0]
:FUPNP - [0:0]
:INPUT_ICMP - [0:0]
:NSFW - [0:0]
:pControls - [0:0]
:pTCSRVLAN - [0:0]
:pTCSRVWAN - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FUPNP -d 192.168.1.43/32 -p udp -m udp --dport 22345 -j ACCEPT
-A FUPNP -d 192.168.1.43/32 -p tcp -m tcp --dport 22345 -j ACCEPT
-A FUPNP -d 192.168.1.58/32 -p udp -m udp --dport 3074 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequen ce --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence - -log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Thu Aug 24 16:44:30 2017
vexira@RT-AC88U-7CC0:/tmp/home/root#
this is for symmetric nat
 
Last edited:
rebooted xbox says cone nat, nat test says same results mabye I need to reboot the pc
 
ASUSWRT-Merlin RT-AC88U 380.68-0 Fri Aug 18 21:41:25 UTC 2017
vexira@RT-AC88U-7CC0:/tmp/home/root# iptables -t nat -D POSTROUTING ! -s $(nvram get wan0_ipaddr) -o $(nvram get wan0_ifname) -j MASQUERADE
vexira@RT-AC88U-7CC0:/tmp/home/root# iptables -t nat -I POSTROUTING -o $(nvram get wan0_ifname) -j SNAT --to-source $(nvram get wan0_ipaddr)
vexira@RT-AC88U-7CC0:/tmp/home/root# iptables-save
# Generated by iptables-save v1.4.14 on Thu Aug 24 17:10:29 2017
*raw
:pREROUTING ACCEPT [78142:12878420]
:OUTPUT ACCEPT [6791:6216349]
COMMIT
# Completed on Thu Aug 24 17:10:29 2017
# Generated by iptables-save v1.4.14 on Thu Aug 24 17:10:29 2017
*nat
:pREROUTING ACCEPT [3:248]
:INPUT ACCEPT [3:169]
:OUTPUT ACCEPT [1:65]
:pOSTROUTING ACCEPT [0:0]
:DNSFILTER - [0:0]
:LOCALSRV - [0:0]
:pCREDIRECT - [0:0]
:pUPNP - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d 1.43.254.50/32 -j VSERVER
-A PREROUTING -s 192.168.1.0/24 -p udp -m udp --dport 53 -j DNSFILTER
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 53 -j DNSFILTER
-A POSTROUTING -o eth0 -j SNAT --to-source 1.43.254.50
-A POSTROUTING -o eth0 -j PUPNP
-A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MASQUERADE
-A DNSFILTER -m mac --mac-source 00:0B:82:9E:1A:A8 -j RETURN
-A DNSFILTER -m mac --mac-source B8:27:EB:FC:EF:30 -j RETURN
-A DNSFILTER -j DNAT --to-destination 192.168.1.1
-A VSERVER -j VUPNP
-A VUPNP -p udp -m udp --dport 3074 -j DNAT --to-destination 192.168.1.58:3074
-A VUPNP -p udp -m udp --dport 59923 -j DNAT --to-destination 192.168.1.58:59923
-A VUPNP -p tcp -m tcp --dport 59923 -j DNAT --to-destination 192.168.1.58:59923
-A VUPNP -p udp -m udp --dport 22345 -j DNAT --to-destination 192.168.1.43:22345
-A VUPNP -p tcp -m tcp --dport 22345 -j DNAT --to-destination 192.168.1.43:22345
COMMIT
# Completed on Thu Aug 24 17:10:29 2017
# Generated by iptables-save v1.4.14 on Thu Aug 24 17:10:29 2017
*mangle
:pREROUTING ACCEPT [76782:12631181]
:INPUT ACCEPT [8628:1426406]
:FORWARD ACCEPT [68120:11203307]
:OUTPUT ACCEPT [6448:6133758]
:pOSTROUTING ACCEPT [74735:17394876]
:BWDPI_FILTER - [0:0]
-A PREROUTING -i eth0 -p udp -j BWDPI_FILTER
-A FORWARD -s 192.168.1.0/24 -d 192.168.1.0/24 -o br0 -j MARK --set-xmark 0x1/0x7
-A BWDPI_FILTER -i eth0 -p udp -m udp --sport 68 --dport 67 -j DROP
-A BWDPI_FILTER -i eth0 -p udp -m udp --sport 67 --dport 68 -j DROP
COMMIT
# Completed on Thu Aug 24 17:10:29 2017
# Generated by iptables-save v1.4.14 on Thu Aug 24 17:10:29 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2928:1683603]
:ACCESS_RESTRICTION - [0:0]
:FUPNP - [0:0]
:INPUT_ICMP - [0:0]
:NSFW - [0:0]
:pControls - [0:0]
:pTCSRVLAN - [0:0]
:pTCSRVWAN - [0:0]
:SECURITY - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT ! -i br0 -j PTCSRVWAN
-A INPUT -i br0 -j PTCSRVLAN
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -p icmp -j INPUT_ICMP
-A INPUT -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD ! -i br0 -o eth0 -j DROP
-A FORWARD -i eth0 -m state --state INVALID -j DROP
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -j NSFW
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FUPNP -d 192.168.1.58/32 -p udp -m udp --dport 3074 -j ACCEPT
-A FUPNP -d 192.168.1.58/32 -p udp -m udp --dport 59923 -j ACCEPT
-A FUPNP -d 192.168.1.58/32 -p tcp -m tcp --dport 59923 -j ACCEPT
-A FUPNP -d 192.168.1.43/32 -p udp -m udp --dport 22345 -j ACCEPT
-A FUPNP -d 192.168.1.43/32 -p tcp -m tcp --dport 22345 -j ACCEPT
-A INPUT_ICMP -p icmp -m icmp --icmp-type 8 -j RETURN
-A INPUT_ICMP -p icmp -m icmp --icmp-type 13 -j RETURN
-A INPUT_ICMP -p icmp -j ACCEPT
-A PControls -j ACCEPT
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j DROP
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j RETURN
-A SECURITY -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j DROP
-A SECURITY -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j RETURN
-A SECURITY -p icmp -m icmp --icmp-type 8 -j DROP
-A SECURITY -j RETURN
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Thu Aug 24 17:10:29 2017
vexira@RT-AC88U-7CC0:/tmp/home/root#
Full cone nat
 
same deal, seems that it needs more than just iptables and a reboot to work possibly?
looks like something else is over riding it, I suspect its adaptive qos.
 
Last edited:
@Vexira Can you post your router output inside CODE blocks because when you paste it straight into the message it gets messed up and is difficult to read.
 
If you change the IPtables to simulate FULL CONE or something other that the default NAT kind on the router, I wonder if the NAT test tool only detects the default NAT kind no matter what you change...

Possible that since the xbox is on the LAN side and the NAT test tool is on the WAN side, maybe the xbox only sees the change from the LAN side while NAT test tool doesn't see the change from the WAN side. Just a thought here.

rebooted xbox says cone nat, nat test says same results mabye I need to reboot the pc
 
nat test says same results mabye I need to reboot the pc
I've noticed that the online NAT analyser caches it's results, so even after you've made changes to the router rerunning the test gives you the same result. So before every test close your browser completely and then reopen it. Then check that the test ID has changed:

111.png

222.png
 
I've noticed that the online NAT analyser caches it's results, so even after you've made changes to the router rerunning the test gives you the same result. So before every test close your browser completely and then reopen it. Then check that the test ID has changed:

View attachment 10216
View attachment 10217
i rebooted the pc as well as my xbox and the router, same results not sure how merlin applied the extra wan rules that fixed 2 pcs for me with cod games, might need to so the same thing to get full cone.
 
Last edited:
I am experiencing this as well with 2 PS4s as well. Asus A68U with the latest FORK fw. The thing is, we can game but we cannot party chat. I haven't tried anything with QOS, is there a specific thing I can try? Is the beta ASUS fw maybe worth a try?
 

Support SNBForums w/ Amazon

If you'd like to support SNBForums, just use this link and buy anything on Amazon. Thanks!

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top