OpenWrt + Xbox Live always a moderate NAT

I need to forward some ports on my router for Xbox Live and VoIP.
Unless I set external and destination port to any, the redirects won't work for my devices.

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '53'
	option dest_ip '192.168.1.31'
	option dest_port '53'
	option name 'XBL-TCP-53'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '192.168.1.31'
	option dest_port '80'
	option name 'XBL-TCP-80'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '3074'
	option dest_ip '192.168.1.31'
	option dest_port '3074'
	option name 'XBL-TCP-3074'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '53'
	option dest_ip '192.168.1.31'
	option dest_port '53'
	option name 'XBL-UDP-53'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '88'
	option dest_ip '192.168.1.31'
	option dest_port '88'
	option name 'XBL-UDP-88'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '500'
	option dest_ip '192.168.1.31'
	option dest_port '500'
	option name 'XBL-UDP-500'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '3074'
	option dest_ip '192.168.1.31'
	option dest_port '3074'
	option name 'XBL-UDP-3074'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '3544'
	option dest_ip '192.168.1.31'
	option dest_port '3544'
	option name 'XBL-UDP-3544'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '4500'
	option dest_ip '192.168.1.31'
	option dest_port '4500'
	option name 'XBL-UDP-4500'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '5060'
	option dest_ip '192.168.1.5'
	option dest_port '5060'
	option name 'VoIP-FB-7412'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '7078:7109'
	option dest_ip '192.168.1.5'
	option dest_port '7078:7109'
	option name 'VoIP-FB-7412'

My xbox still says it has a moderate NAT and https://canyouseeme.org/ also tells me that all of the forwarded ports are closed.

This is because you do have NAT. You are behind an IPv4 router, this means NAT. AFAIK, you probably will always see this. The question you should be asking at this point is not "what does the xbox say," but rather does it work properly for all the games/services that you are using.

Your redirect statements look fine syntactically, although I do have a few thoughts beyond that...

Let's make a list of what you seem to be forwarding:
53 TCP+UDP > XBL
80 TCP > XBL
88 UDP > XBL
500 UDP > XBL
3074 TCP + UDP > XBL
3544 UDP > XBL
4500 UDP > XBL

5060 UDP > VOIP
7078-7109 UDP > VOIP

First, unless you have a need/desire for the TCP and UDP redirects to be separate rules, you can combine respective rules that are directing to the same host IP address and the same port. All you have to do is change the proto line:
option proto 'tcp udp'

Next, what ports really need to be open? I don't have an Xbox of any type, so I don't have personal experience here. I looked at this support doc which indicates which ports need to be open, but this list is probably referring to the ability for the XBL to initiate connections (outbound) rather than accepting inbound connections, at least for some of the ports. The port forwards (redirect statements) are designed for connections that originate from outside your network (i.e. on the internet) to be able to arrive at the correct destination device on your network. This is the case when you (or one of your devices) is actively serving information (think of a web server like that for openwrt.org).

For example:
Port 53 is DNS. It is highly unlikely that this needs to be opened as I would be very surprised if XBL becomes a DNS server.
Same with ports 80 (http) and 88 (alternate http, kerberos auth)
port 500 is ISAKMP and IKE
port 4500 is IPSec NAT Traversal

All of the above most likely do not need to be opened. In fact...

The 'closed' ports may be a further indication that you do not need to open these ports. A port is only seen as open if 2 conditions are met: 1) assuming an IPv4 NAT, the port forward (redirect) must be properly enabled to forward packets from the WAN to the desired device, and 2) [most importantly] that there is a device + service listening and responding to requests on that port. In other words, if you have a server (let's say it was a web server) and all port forwards were configured properly, the port scan would see it is open if the web server was responding. But if you turned off that machine, or just disabled the web server service, it would no longer be seen as open, even though the router configuration did not change.

If you are hosting games on your XBL, other people may need to be able to connect to your XBL via 3074, but otherwise, I think that port also doesn't need to be open. I don't know how 3544 is handled on the XBL, but this is for Teredo tunneling and may also not be necessary.

Here are my recommendations:

  1. Consolidate the UDP+TCP rules for your XBL.
  2. Disable all XBL related redirect rules and test to see if things work (both at the XBL network status/diagnostics page and the games/services you want to use)
  3. If anything doesn't work, start by enabling 3074 and then test again.
  4. If it still doesn't work, try enabling one at a time beyond that. When you find the magic port forwarding, try disabling the others... you don't need or want extra ports open if they are not needed.

I totally get your point. But the thing is, if you don't have an open NAT, some games start to freak out and you get problems with voice chatting and all sorts of things.
Also none of the ports is seen as open, even with my xbox turned on.
Not even my VoIP ports are seen as open.

As I see it, if I apply a port forwarding, the port should be forwarded. No matter if it is necessary or not.

My suggestion is to disable them and then test the games you play. If you have issues, try re-enabling the port forwarding rules one by one to find the one(s) required. I really don’t think that dns (53) would ever need to be forwarded and probably not most of the others.

Meanwhile, even with the Xbox turned on, you won’t see open ports unless you are actually playing a game or using a service that listens on a given port.


I wrote this analogy on another site about port forwarding. I’m reposting it here because it might provide another angle on the port forwarding questions you have.

  1. A port that is forwarded from the WAN to a device on your LAN will allow incoming connections to the specified device on that port. But the device must be listening or else a port scan will show it as closed.

As an analogy, imagine calling someone on a land-line at their home. When you call, you assume that their phones are ringing. If they don't pick up, you don't know if a) they are not home, b) they are ignoring the call, or c) their phone is not actually ringing properly. All you know is that there was no answer.

Similarly, a port-forward to a device that is not on/listening/responding will not show as open, despite the fact that the forwarding rule has been established. It will only show as open if there is a response (i.e. picking up the phone).

So in order to get a positive port scan result, your XBox must be on and listening for incoming connections on that port -- this may or may not require it to be in a specific game or mode (someone with XBox experience may answer this better than I can).

  2. Port forwards allow connections initiated from outside the network (i.e. the WAN/internet) to reach devices inside your network. Depending on how a given system works, this might be required to enable certain functionality or external connections.

A few other things for you to consider...

Some port scanning websites actually perform the port scan from a web-app that runs on your local web browser. If this is the case and you run the scan while on your own network, sometimes it will incorrectly report open or closed ports as compared to the same scan done from outside such as a scan while on cellular or at another location such as work/school/cafe/friend's house, etc.

Port forwarding will only work properly if you have a publicly routable IP address. If you are double-NAT'd or behind carrier grade NAT, port forwards will not work. You can verify this by checking that the address on your WAN port is the same as the address that you see when you use an IP check tool (such as Googling this phrase).

You also must ensure that your port forward destination address is actually pointing to your Xbox. Consider using the DHCP static leases option to ensure that the Xbox always has the same IP on your network and that it never changes.

You might consider installing and enabling UPnP instead of port forwarding. Many people consider this a security risk, though, but it does simplify things -- the device (Xbox) can basically tell the router "I need the following ports opened and forwarded to me" and the router just does it. The security risk is that you don't have control over it and if you have a device on your network that has lax security or has been otherwise compromised, you never know what it might try to do in terms of UPnP. It is a tradeoff -- generally works very well and greatly simplifies network configuration, but does potentially expose your network to other risks, and each person will have their own opinion about the better approach.


Does your configuration generate corresponding rules in the NAT table?
I suggest you try it first with the iptables command, to eliminate other factors. For example:

iptables  -t nat -I PREROUTING -i br-lan -p tcp --dport 80 -j DNAT --to 192.168.1.31

Tried that, still reports them as closed.

I do have that.

My xbox has a static ip, configured on the xbox itself.

Regarding security, this is a no-go for me.

I might point out that if I use any other router as my wan gateway and open ports on them (for whatever device), it is working flawlessly. On my old router the xbox always reported an open NAT, after opening the needed ports.

After running your command and mine, just to try it out.

iptables  -t nat -I PREROUTING -i br-lan -p tcp --dport 5277 -j DNAT --to 192.168.1.31

iptables looks like this:

root@OPENWRT-ROUTER:~# iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
prerouting_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom prerouting rule chain */
zone_lan_prerouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_lan_prerouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_prerouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_prerouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_airvpn_prerouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_ibvpn_prerouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
postrouting_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom postrouting rule chain */
zone_lan_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_lan_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_wan_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_airvpn_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */
zone_ibvpn_postrouting  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain postrouting_airvpn_rule (1 references)
target     prot opt source               destination

Chain postrouting_ibvpn_rule (1 references)
target     prot opt source               destination

Chain postrouting_lan_rule (1 references)
target     prot opt source               destination

Chain postrouting_rule (1 references)
target     prot opt source               destination

Chain postrouting_wan_rule (1 references)
target     prot opt source               destination

Chain prerouting_airvpn_rule (1 references)
target     prot opt source               destination

Chain prerouting_ibvpn_rule (1 references)
target     prot opt source               destination

Chain prerouting_lan_rule (1 references)
target     prot opt source               destination

Chain prerouting_rule (1 references)
target     prot opt source               destination

Chain prerouting_wan_rule (1 references)
target     prot opt source               destination

Chain zone_airvpn_postrouting (1 references)
target     prot opt source               destination
postrouting_airvpn_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom airvpn postrouting rule chain */
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_airvpn_prerouting (1 references)
target     prot opt source               destination
prerouting_airvpn_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom airvpn prerouting rule chain */

Chain zone_ibvpn_postrouting (1 references)
target     prot opt source               destination
postrouting_ibvpn_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ibvpn postrouting rule chain */
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_ibvpn_prerouting (1 references)
target     prot opt source               destination
prerouting_ibvpn_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom ibvpn prerouting rule chain */

Chain zone_lan_postrouting (2 references)
target     prot opt source               destination
postrouting_lan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan postrouting rule chain */
SNAT       tcp  --  192.168.1.0/24       192.168.1.31         tcp dpt:53 /* !fw3: XBL-TCP-53 (reflection) */ to:192.168.1.1
SNAT       tcp  --  192.168.1.0/24       192.168.1.31         tcp dpt:80 /* !fw3: XBL-TCP-80 (reflection) */ to:192.168.1.1
SNAT       tcp  --  192.168.1.0/24       192.168.1.31         tcp dpt:3074 /* !fw3: XBL-TCP-3074 (reflection) */ to:192.168.1.1
SNAT       udp  --  192.168.1.0/24       192.168.1.31         udp dpt:53 /* !fw3: XBL-UDP-53 (reflection) */ to:192.168.1.1
SNAT       udp  --  192.168.1.0/24       192.168.1.31         udp dpt:88 /* !fw3: XBL-UDP-88 (reflection) */ to:192.168.1.1
SNAT       udp  --  192.168.1.0/24       192.168.1.31         udp dpt:500 /* !fw3: XBL-UDP-500 (reflection) */ to:192.168.1.1
SNAT       udp  --  192.168.1.0/24       192.168.1.31         udp dpt:3074 /* !fw3: XBL-UDP-3074 (reflection) */ to:192.168.1.1
SNAT       udp  --  192.168.1.0/24       192.168.1.31         udp dpt:3544 /* !fw3: XBL-UDP-3544 (reflection) */ to:192.168.1.1
SNAT       udp  --  192.168.1.0/24       192.168.1.31         udp dpt:4500 /* !fw3: XBL-UDP-4500 (reflection) */ to:192.168.1.1
SNAT       udp  --  192.168.1.0/24       192.168.1.5          udp dpt:5060 /* !fw3: VoIP-FB-7412 (reflection) */ to:192.168.1.1
SNAT       udp  --  192.168.1.0/24       192.168.1.5          udp dpts:7078:7109 /* !fw3: VoIP-FB-7412 (reflection) */ to:192.168.1.1

Chain zone_lan_prerouting (2 references)
target     prot opt source               destination
prerouting_lan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom lan prerouting rule chain */
DNAT       tcp  --  192.168.1.0/24       PUBLIC_IP        tcp dpt:53 /* !fw3: XBL-TCP-53 (reflection) */ to:192.168.1.31:53
DNAT       tcp  --  192.168.1.0/24       192.168.0.2          tcp dpt:53 /* !fw3: XBL-TCP-53 (reflection) */ to:192.168.1.31:53
DNAT       tcp  --  192.168.1.0/24       PUBLIC_IP        tcp dpt:80 /* !fw3: XBL-TCP-80 (reflection) */ to:192.168.1.31:80
DNAT       tcp  --  192.168.1.0/24       192.168.0.2          tcp dpt:80 /* !fw3: XBL-TCP-80 (reflection) */ to:192.168.1.31:80
DNAT       tcp  --  192.168.1.0/24       PUBLIC_IP        tcp dpt:3074 /* !fw3: XBL-TCP-3074 (reflection) */ to:192.168.1.31:3074
DNAT       tcp  --  192.168.1.0/24       192.168.0.2          tcp dpt:3074 /* !fw3: XBL-TCP-3074 (reflection) */ to:192.168.1.31:3074
DNAT       udp  --  192.168.1.0/24       PUBLIC_IP        udp dpt:53 /* !fw3: XBL-UDP-53 (reflection) */ to:192.168.1.31:53
DNAT       udp  --  192.168.1.0/24       192.168.0.2          udp dpt:53 /* !fw3: XBL-UDP-53 (reflection) */ to:192.168.1.31:53
DNAT       udp  --  192.168.1.0/24       PUBLIC_IP        udp dpt:88 /* !fw3: XBL-UDP-88 (reflection) */ to:192.168.1.31:88
DNAT       udp  --  192.168.1.0/24       192.168.0.2          udp dpt:88 /* !fw3: XBL-UDP-88 (reflection) */ to:192.168.1.31:88
DNAT       udp  --  192.168.1.0/24       PUBLIC_IP        udp dpt:500 /* !fw3: XBL-UDP-500 (reflection) */ to:192.168.1.31:500
DNAT       udp  --  192.168.1.0/24       192.168.0.2          udp dpt:500 /* !fw3: XBL-UDP-500 (reflection) */ to:192.168.1.31:500
DNAT       udp  --  192.168.1.0/24       PUBLIC_IP        udp dpt:3074 /* !fw3: XBL-UDP-3074 (reflection) */ to:192.168.1.31:3074
DNAT       udp  --  192.168.1.0/24       192.168.0.2          udp dpt:3074 /* !fw3: XBL-UDP-3074 (reflection) */ to:192.168.1.31:3074
DNAT       udp  --  192.168.1.0/24       PUBLIC_IP        udp dpt:3544 /* !fw3: XBL-UDP-3544 (reflection) */ to:192.168.1.31:3544
DNAT       udp  --  192.168.1.0/24       192.168.0.2          udp dpt:3544 /* !fw3: XBL-UDP-3544 (reflection) */ to:192.168.1.31:3544
DNAT       udp  --  192.168.1.0/24       PUBLIC_IP        udp dpt:4500 /* !fw3: XBL-UDP-4500 (reflection) */ to:192.168.1.31:4500
DNAT       udp  --  192.168.1.0/24       192.168.0.2          udp dpt:4500 /* !fw3: XBL-UDP-4500 (reflection) */ to:192.168.1.31:4500
DNAT       udp  --  192.168.1.0/24       PUBLIC_IP        udp dpt:5060 /* !fw3: VoIP-FB-7412 (reflection) */ to:192.168.1.5:5060
DNAT       udp  --  192.168.1.0/24       192.168.0.2          udp dpt:5060 /* !fw3: VoIP-FB-7412 (reflection) */ to:192.168.1.5:5060
DNAT       udp  --  192.168.1.0/24       PUBLIC_IP        udp dpts:7078:7109 /* !fw3: VoIP-FB-7412 (reflection) */ to:192.168.1.5:7078-7109
DNAT       udp  --  192.168.1.0/24       192.168.0.2          udp dpts:7078:7109 /* !fw3: VoIP-FB-7412 (reflection) */ to:192.168.1.5:7078-7109

Chain zone_wan_postrouting (2 references)
target     prot opt source               destination
postrouting_wan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan postrouting rule chain */
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3 */

Chain zone_wan_prerouting (2 references)
target     prot opt source               destination
prerouting_wan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* !fw3: XBL-TCP-53 */ to:192.168.1.31:53
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: XBL-TCP-80 */ to:192.168.1.31:80
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3074 /* !fw3: XBL-TCP-3074 */ to:192.168.1.31:3074
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* !fw3: XBL-UDP-53 */ to:192.168.1.31:53
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:88 /* !fw3: XBL-UDP-88 */ to:192.168.1.31:88
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: XBL-UDP-500 */ to:192.168.1.31:500
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:3074 /* !fw3: XBL-UDP-3074 */ to:192.168.1.31:3074
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:3544 /* !fw3: XBL-UDP-3544 */ to:192.168.1.31:3544
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:4500 /* !fw3: XBL-UDP-4500 */ to:192.168.1.31:4500
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 /* !fw3: VoIP-FB-7412 */ to:192.168.1.5:5060
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:7078:7109 /* !fw3: VoIP-FB-7412 */ to:192.168.1.5:7078-7109

Oh, why doesn't your command generate the corresponding rule?
After executing the command, you should see the following rules.

root@GL-MIFI-V3:~# iptables  -t nat -I PREROUTING -i br-lan -p tcp --dport 5277 -j DNAT --to 192.168.1.31
root@GL-MIFI-V3:~# iptables -t nat -n -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:5277 to:192.168.1.31
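As an added example (not from this thread or from the OpenWrt project), here is a small Python checker covering two points raised above: it merges separate TCP and UDP redirects for the same host and ports into one `option proto 'tcp udp'` rule, and it compares a list of `config redirect` sections against `iptables -t nat -n -L` output to report redirects that produced no DNAT rule in the zone_wan_prerouting chain. The config and iptables excerpts embedded in it are constructed from the examples in this thread, with the UDP 3074 rule deliberately left out of the nat table so a missing rule is reported.

```python
"""Cross-check OpenWrt fw3 'config redirect' sections against the nat table."""
import re

# Constructed /etc/config/firewall excerpt: the TCP and UDP 3074 redirects from
# the thread (dest zone/target options omitted; fw3 defaults target to DNAT).
UCI_FIREWALL = """
config redirect
	option src 'wan'
	option proto 'tcp'
	option src_dport '3074'
	option dest_ip '192.168.1.31'
	option dest_port '3074'
	option name 'XBL-TCP-3074'

config redirect
	option src 'wan'
	option proto 'udp'
	option src_dport '3074'
	option dest_ip '192.168.1.31'
	option dest_port '3074'
	option name 'XBL-UDP-3074'
"""

# Constructed `iptables -t nat -n -L` excerpt in the fw3 layout shown above;
# the UDP 3074 DNAT rule is deliberately absent so the check has a gap to report.
IPTABLES_NAT = """
Chain zone_wan_prerouting (2 references)
target     prot opt source               destination
prerouting_wan_rule  all  --  0.0.0.0/0            0.0.0.0/0            /* !fw3: Custom wan prerouting rule chain */
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3074 /* !fw3: XBL-TCP-3074 */ to:192.168.1.31:3074
DNAT       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:7078:7109 /* !fw3: VoIP-FB-7412 */ to:192.168.1.5:7078-7109
"""

OPTION_RE = re.compile(r"option (\w+) '([^']*)'")
# proto, external port or port range (dpt:/dpts:), and the DNAT destination host
DNAT_RE = re.compile(r"^DNAT\s+(tcp|udp)\s.*?\bdpts?:(\S+).*?to:(\d+(?:\.\d+){3})")

def parse_redirects(text):
    """Return one dict of options per 'config redirect' section."""
    sections = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config redirect"):
            sections.append({})
        elif sections and (m := OPTION_RE.match(line)):
            sections[-1][m.group(1)] = m.group(2)
    return sections

def consolidate(redirects):
    """Merge TCP and UDP redirects with the same zone, ports and host into 'tcp udp'."""
    merged = {}
    for r in redirects:
        key = (r["src"], r["src_dport"], r["dest_ip"], r["dest_port"])
        merged.setdefault(key, set()).update(r["proto"].split())
    return [
        {"src": k[0], "src_dport": k[1], "dest_ip": k[2], "dest_port": k[3],
         "proto": " ".join(p for p in ("tcp", "udp") if p in protos)}
        for k, protos in merged.items()
    ]

def parse_wan_dnat(text):
    """Collect (proto, external port(s), dest_ip) tuples from zone_wan_prerouting."""
    rules, in_chain = set(), False
    for line in text.splitlines():
        if line.startswith("Chain "):
            in_chain = line.startswith("Chain zone_wan_prerouting")
        elif in_chain and (m := DNAT_RE.match(line)):
            rules.add(m.groups())
    return rules

def missing_rules(redirects, nat_text):
    """Config redirects from 'wan' that fw3 did not turn into a DNAT rule."""
    live = parse_wan_dnat(nat_text)
    return [
        (r.get("name", "?"), proto, r["src_dport"])
        for r in redirects if r.get("src") == "wan"
        for proto in r["proto"].split()
        if (proto, r["src_dport"], r["dest_ip"]) not in live
    ]
```

On a real router, feed it the contents of /etc/config/firewall and the output of `iptables -t nat -n -L`; an empty result from `missing_rules` means every WAN redirect reached the nat table, and a non-empty one points at the rule to investigate first.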

I have no clue. :joy:
Maybe there is a bug in the x86 openwrt release?

The bug is still present. None of my devices gets any ports forwarded.

https://support.xbox.com/en-US/xbox-one/networking/network-ports-used-xbox-live

Those are ports for outgoing connections.
OpenWrt does not limit outgoing connections for LAN-clients by default.
So you don't need to create additional rules for those ports.


VoIP is another story.
Provide the link to your VoIP-device model/documentation to determine required settings.


It is possible that there is a bug, but it is also possible that there is some other explanation for the issue. It occurs to me that we (the community) have never suggested the following things:

  1. Post your complete config info -- maybe there is something overlooked that has not yet been shared. Files of interest for what you've described would be:
    /etc/config/network
    /etc/config/firewall
    but there may also be other files that you have changed that could be relevant.

  2. Have you installed any packages since the original OpenWrt installation? Did you use the standard release image, or did you get or make a custom one? Maybe there is a package that is affecting your firewall behavior (especially if you have installed an alternate firewall).

  3. In your network, are there any devices between the internet connection and the OpenWrt router (i.e. an ISP provided router or other device that may not be purely bridged; if not, verify that the modem/device is truly bridged and that you are getting a publicly routable IP on your OpenWrt WAN). Are there any devices between your OpenWrt router and your Xbox (other than an unmanaged switch; if there is anything between the devices, try removing that by connecting the xbox directly to the router).

  4. Consider starting fresh and configuring your OpenWrt environment step by step (manually). Unless you have a complex setup, this may not be all that time consuming and may actually resolve the issue if you have some random setting or package somewhere that is messing things up. You could literally start with just one port forward and see if traffic makes it through. Obviously make a backup before you do this -- you'll be able to refer to the files within the backup tarball and/or use the backup for a direct restore should it be necessary.

Also / alternatively, if you have another device that runs OpenWrt (even a cheap consumer router), you can use it to experiment and just swap it in for your current x86 OpenWrt router.


Also post the whole iptables configuration with the counters to see if there are hits.
iptables -L -vn; iptables -t nat -L -vn; iptables -t mangle -L -vn


It has been a while but I just didn't find any time to work on these little issues. Luckily I could spare some now.

I used the standard release from here: https://downloads.openwrt.org/releases/18.06.2/targets/x86/64/openwrt-18.06.2-x86-64-combined-ext4.img.gz
Yes of course I did install extra packages, no firewall though, so it might be one of them.

There are my wired WiFi-APs which also act as 4-port network switches.
Configured with this guide: https://openwrt.org/docs/guide-user/network/wifi/dumbap
They shouldn't be the issue, see below...

This is what I did with my old RT-N18U and guess what, my xbox now detects the ports as open!
To make sure: I removed all the port forwards and restarted the firewall --> xbox says moderate NAT
Then re-added all the ports, restarted the firewall --> xbox immediately gives me an open NAT

So, it seems to me that either one of my packages is messing things up OR there is a bug in the x86 release.
When I find the time I will do a clean install on my x86 router and report back.

Okay, the issue seems to be fixed after a clean install! Until now I didn't install any other packages, so let's hope none of them will destroy my firewall again.

I noticed something strange. Whenever I restart my xbox and run a nat test on it, it gives me a moderate nat (not all ports open). On the 2nd test they are open again and stay open until I restart the device. Any ideas?

Ports will only stay open as long as a device is requesting to use those ports. Restarting your xbox e.g. will notify the firewall to close those ports.


@TheHellSite

Are you port forwarding for COD?

This was also my assumption. Now I know it for sure, thanks!

No, just the regular xbox live ports. But it is strange that other router software keeps them open.