OpenWrt + Xbox Live always a moderate NAT

Also post the whole iptables configuration with the counters to see if there are hits.
iptables -L -vn; iptables -t nat -L -vn; iptables -t mangle -L -vn

It has been a while but I just didn't find any time to work on these little issues. Luckily I could spare some now.

I used the standard release from here: https://downloads.openwrt.org/releases/18.06.2/targets/x86/64/openwrt-18.06.2-x86-64-combined-ext4.img.gz
Yes of course I did install extra packages, no firewall though, so it might be one of them.

Then there are my wired WiFi-APs, which also act as 4-port network switches.
Configured with this guide: https://openwrt.org/docs/guide-user/network/wifi/dumbap
They shouldn't be the issue, see below...

This is what I did with my old RT-N18U and guess what, my xbox now detects the ports as open!
To make sure: I removed all the port forwards and restarted the firewall --> xbox says moderate NAT
Then re-added all the ports, restarted the firewall --> xbox immediately gives me an open NAT

So, it seems to me that either one of my packages is messing things up OR there is a bug in the x86 release.
When I find the time I will do a clean install on my x86 router and report back.

Okay, the issue seems to be fixed after a clean install! Until now I didn't install any other packages, so let's hope none of them will destroy my firewall again.

I noticed something strange. Whenever I restart my xbox and run a nat test on it, it gives me a moderate nat (not all ports open). On the 2nd test they are open again and stay open until I restart the device. Any ideas?

Ports will only stay open as long as a device is requesting to use those ports. Restarting your xbox e.g. will notify the firewall to close those ports.

@TheHellSite

Are you port forwarding for COD?

This was also my assumption. Now I know it for sure, thanks!

No, just the regular xbox live ports. But it is strange that other router software keeps them open.

:question:

There is no "requesting" taking place. The OP opened the firewall, they don't seem to be using UPnP.

So there is something not quite right with port forwarding in openwrt 18.06.2?

Well...

My Call of Duty on PS always says Open...so, not sure.

For that matter...all games and streaming usually work after I open them.

Also, I noticed you opened 53 udp and tcp...are you sure all of these are the needed ports?

Did you open any additional ports for your particular game?

https://support.xbox.com/en-US/xbox-one/networking/network-ports-used-xbox-live

Usually when I see this happening in a customer's firewall, it's because certain steps haven't been followed. Devices that were faulty were my only problems.

The reason I mentioned COD (specifically COD BO3) is that it uses port 3075 udp also for Xbox One. FYI You'll never need to open ANY ports below 1024 for a console system.

@lleachii

I could pass along definitions and exact terminology about Redirects, NAT, PAT. Most people asking questions on here are NOT veterans. Even I am learning after 15 years of Networking. Breaking it down so they can learn works better than spouting tech jabber :wink:

I didn't open any additional network ports for specific games, since I am not playing COD and most games comply with the xbox live standard ports. So these are the only ones I opened.

Is there then a way to keep them open, even if my console is turned off / restarted, so I don't have to do 2 NAT tests before they are open again?
Actually the games work fine most of the time even with some ports closed. Voice chat however gives you trouble all the time if there are any closed ports.

Port forwards configured in the firewall section (and not in UPnP) are always forwarded to the Xbox. So the open/closed port issue is not with the OpenWrt router. Maybe the Xbox is still not listening on those ports when you run the test for the first time.

The strange thing is however: if I plug in a router with stock firmware (e.g. a fritzbox from avm) and open all the ports for the xbox, the xbox always gives me an open NAT without having to do two NAT tests on it.

Is there a way to check this with my windows pc? Like forwarding any port to my pc and check, if it is opened?

You can test it like this too.

To verify the forwarded ports, run this command: iptables -t nat -L -vn | grep DNAT. The first column is the number of packets that matched this rule and the second is the bytes.

Okay, I did some testing with this.

~2h after last router reboot, xbox turned off all the time
root@OPENWRT-ROUTER:~# iptables -t nat -L -vn | grep DNAT
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:5060 /* !fw3: VoIP-FB-7412_000 (reflection) */ to:192.168.1.5:5060
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:5060 /* !fw3: VoIP-FB-7412_000 (reflection) */ to:192.168.1.5:5060
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpts:7078:7109 /* !fw3: VoIP-FB-7412_001 (reflection) */ to:192.168.1.5:7078-7109
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpts:7078:7109 /* !fw3: VoIP-FB-7412_001 (reflection) */ to:192.168.1.5:7078-7109
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       PUBLIC_IP            tcp dpt:53 /* !fw3: XBL_000_TCP-53 (reflection) */ to:192.168.1.31:53
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       192.168.0.2          tcp dpt:53 /* !fw3: XBL_000_TCP-53 (reflection) */ to:192.168.1.31:53
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       PUBLIC_IP            tcp dpt:80 /* !fw3: XBL_001_TCP-80 (reflection) */ to:192.168.1.31:80
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       192.168.0.2          tcp dpt:80 /* !fw3: XBL_001_TCP-80 (reflection) */ to:192.168.1.31:80
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       PUBLIC_IP            tcp dpt:3074 /* !fw3: XBL_002_TCP-3074 (reflection) */ to:192.168.1.31:3074
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       192.168.0.2          tcp dpt:3074 /* !fw3: XBL_002_TCP-3074 (reflection) */ to:192.168.1.31:3074
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:53 /* !fw3: XBL_003_UDP-53 (reflection) */ to:192.168.1.31:53
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:53 /* !fw3: XBL_003_UDP-53 (reflection) */ to:192.168.1.31:53
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:88 /* !fw3: XBL_004_UDP-88 (reflection) */ to:192.168.1.31:88
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:88 /* !fw3: XBL_004_UDP-88 (reflection) */ to:192.168.1.31:88
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:500 /* !fw3: XBL_005_UDP-500 (reflection) */ to:192.168.1.31:500
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:500 /* !fw3: XBL_005_UDP-500 (reflection) */ to:192.168.1.31:500
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:3074 /* !fw3: XBL_006_UDP-3074 (reflection) */ to:192.168.1.31:3074
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:3074 /* !fw3: XBL_006_UDP-3074 (reflection) */ to:192.168.1.31:3074
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:3544 /* !fw3: XBL_007_UDP-3544 (reflection) */ to:192.168.1.31:3544
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:3544 /* !fw3: XBL_007_UDP-3544 (reflection) */ to:192.168.1.31:3544
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:4500 /* !fw3: XBL_008_UDP-4500 (reflection) */ to:192.168.1.31:4500
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:4500 /* !fw3: XBL_008_UDP-4500 (reflection) */ to:192.168.1.31:4500
   19  8331 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 /* !fw3: VoIP-FB-7412_000 */ to:192.168.1.5:5060
    3   464 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:7078:7109 /* !fw3: VoIP-FB-7412_001 */ to:192.168.1.5:7078-7109
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* !fw3: XBL_000_TCP-53 */ to:192.168.1.31:53
    5   224 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: XBL_001_TCP-80 */ to:192.168.1.31:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3074 /* !fw3: XBL_002_TCP-3074 */ to:192.168.1.31:3074
    1    63 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* !fw3: XBL_003_UDP-53 */ to:192.168.1.31:53
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:88 /* !fw3: XBL_004_UDP-88 */ to:192.168.1.31:88
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: XBL_005_UDP-500 */ to:192.168.1.31:500
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3074 /* !fw3: XBL_006_UDP-3074 */ to:192.168.1.31:3074
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3544 /* !fw3: XBL_007_UDP-3544 */ to:192.168.1.31:3544
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500 /* !fw3: XBL_008_UDP-4500 */ to:192.168.1.31:4500

restarted firewall so everything is zero again

turned xbox on and let it sit idle for about 5-10 mins
root@OPENWRT-ROUTER:~# iptables -t nat -L -vn | grep DNAT
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:5060 /* !fw3: VoIP-FB-7412_000 (reflection) */ to:192.168.1.5:5060
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:5060 /* !fw3: VoIP-FB-7412_000 (reflection) */ to:192.168.1.5:5060
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpts:7078:7109 /* !fw3: VoIP-FB-7412_001 (reflection) */ to:192.168.1.5:7078-7109
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpts:7078:7109 /* !fw3: VoIP-FB-7412_001 (reflection) */ to:192.168.1.5:7078-7109
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       PUBLIC_IP            tcp dpt:53 /* !fw3: XBL_000_TCP-53 (reflection) */ to:192.168.1.31:53
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       192.168.0.2          tcp dpt:53 /* !fw3: XBL_000_TCP-53 (reflection) */ to:192.168.1.31:53
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       PUBLIC_IP            tcp dpt:80 /* !fw3: XBL_001_TCP-80 (reflection) */ to:192.168.1.31:80
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       192.168.0.2          tcp dpt:80 /* !fw3: XBL_001_TCP-80 (reflection) */ to:192.168.1.31:80
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       PUBLIC_IP            tcp dpt:3074 /* !fw3: XBL_002_TCP-3074 (reflection) */ to:192.168.1.31:3074
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       192.168.0.2          tcp dpt:3074 /* !fw3: XBL_002_TCP-3074 (reflection) */ to:192.168.1.31:3074
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:53 /* !fw3: XBL_003_UDP-53 (reflection) */ to:192.168.1.31:53
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:53 /* !fw3: XBL_003_UDP-53 (reflection) */ to:192.168.1.31:53
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:88 /* !fw3: XBL_004_UDP-88 (reflection) */ to:192.168.1.31:88
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:88 /* !fw3: XBL_004_UDP-88 (reflection) */ to:192.168.1.31:88
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:500 /* !fw3: XBL_005_UDP-500 (reflection) */ to:192.168.1.31:500
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:500 /* !fw3: XBL_005_UDP-500 (reflection) */ to:192.168.1.31:500
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:3074 /* !fw3: XBL_006_UDP-3074 (reflection) */ to:192.168.1.31:3074
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:3074 /* !fw3: XBL_006_UDP-3074 (reflection) */ to:192.168.1.31:3074
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:3544 /* !fw3: XBL_007_UDP-3544 (reflection) */ to:192.168.1.31:3544
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:3544 /* !fw3: XBL_007_UDP-3544 (reflection) */ to:192.168.1.31:3544
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:4500 /* !fw3: XBL_008_UDP-4500 (reflection) */ to:192.168.1.31:4500
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       192.168.0.2          udp dpt:4500 /* !fw3: XBL_008_UDP-4500 (reflection) */ to:192.168.1.31:4500
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 /* !fw3: VoIP-FB-7412_000 */ to:192.168.1.5:5060
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:7078:7109 /* !fw3: VoIP-FB-7412_001 */ to:192.168.1.5:7078-7109
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:53 /* !fw3: XBL_000_TCP-53 */ to:192.168.1.31:53
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: XBL_001_TCP-80 */ to:192.168.1.31:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3074 /* !fw3: XBL_002_TCP-3074 */ to:192.168.1.31:3074
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53 /* !fw3: XBL_003_UDP-53 */ to:192.168.1.31:53
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:88 /* !fw3: XBL_004_UDP-88 */ to:192.168.1.31:88
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500 /* !fw3: XBL_005_UDP-500 */ to:192.168.1.31:500
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3074 /* !fw3: XBL_006_UDP-3074 */ to:192.168.1.31:3074
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3544 /* !fw3: XBL_007_UDP-3544 */ to:192.168.1.31:3544
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500 /* !fw3: XBL_008_UDP-4500 */ to:192.168.1.31:4500
  • no hits at all on the forwarded ports after 10mins idle time, xbox shows a moderate nat
  • after the 1st NAT test, there are still no hits on the ports and xbox says moderate NAT
  • after the 2nd NAT test, there are also no hits on the ports but the xbox says open NAT
  • after 10 mins idle time there are still no hits on the firewall but the xbox says open NAT
  • even after playing a multiplayer game there are no hits

What is also strange: the xbox is using an alternate "backup" port 53453, which I can see under advanced settings in the xbox's network config.

There are no hits, so most likely the hits that you saw in the first try were random port scans, since they were probing 2 popular services, DNS and HTTP.
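As an added example (not code from this thread or from OpenWrt), a small shell script that applies the counter check suggested above to `iptables -t nat -L -vn` output: it skips fw3's "(reflection)" duplicates, which are LAN-side NAT loopback rules and never count Internet traffic, and flags each WAN-facing forward as HIT or "no traffic". The sample listing is constructed, modelled on the lines posted in this thread.

```sh
#!/bin/sh
# Added example (not from the thread): summarise the per-rule hit counters
# that `iptables -t nat -L -vn | grep DNAT` prints, so a forward that never
# sees WAN traffic (pkts=0) stands out from one that does.
# Only the WAN-facing rules are reported; fw3's "(reflection)" duplicates are
# LAN-side NAT loopback and never count Internet traffic.

summarize_dnat() {
    # stdin: iptables -t nat -L -vn output; stdout: one line per forward
    awk '
        $3 == "DNAT" && $0 !~ /\(reflection\)/ {
            pkts = $1; bytes = $2; proto = $4; port = ""; target = ""; name = ""
            for (i = 5; i <= NF; i++) {
                # port spec is "dpt:3074" or "dpts:7078:7109"
                if ($i ~ /^dpts?:/) { port = $i; sub(/^dpts?:/, "", port) }
                if ($i ~ /^to:/)    { target = substr($i, 4) }
            }
            # rule name lives in the fw3 comment: /* !fw3: XBL_006_UDP-3074 */
            if (match($0, /!fw3: [^ ]+/)) name = substr($0, RSTART + 6, RLENGTH - 6)
            status = (pkts > 0) ? "HIT" : "no traffic"
            printf "%-22s %s/%-10s -> %-18s pkts=%-4s bytes=%-6s %s\n",
                   name, proto, port, target, pkts, bytes, status
        }'
}

# Number of WAN-facing DNAT rules that matched at least one packet.
count_hits() {
    summarize_dnat | awk '/ HIT$/ { n++ } END { print n + 0 }'
}

# Constructed sample, modelled on the listing posted in this thread
# (PUBLIC_IP stands in for the router's WAN address).
SAMPLE=$(cat <<'EOF'
    0     0 DNAT       udp  --  *      *       192.168.1.0/24       PUBLIC_IP            udp dpt:5060 /* !fw3: VoIP-FB-7412_000 (reflection) */ to:192.168.1.5:5060
    0     0 DNAT       tcp  --  *      *       192.168.1.0/24       PUBLIC_IP            tcp dpt:3074 /* !fw3: XBL_002_TCP-3074 (reflection) */ to:192.168.1.31:3074
   19  8331 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060 /* !fw3: VoIP-FB-7412_000 */ to:192.168.1.5:5060
    3   464 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpts:7078:7109 /* !fw3: VoIP-FB-7412_001 */ to:192.168.1.5:7078-7109
    5   224 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 /* !fw3: XBL_001_TCP-80 */ to:192.168.1.31:80
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:3074 /* !fw3: XBL_002_TCP-3074 */ to:192.168.1.31:3074
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3074 /* !fw3: XBL_006_UDP-3074 */ to:192.168.1.31:3074
EOF
)

# On the router you would pipe the live listing instead:
#   iptables -t nat -L -vn | summarize_dnat
printf '%s\n' "$SAMPLE" | summarize_dnat
```

A forward that still reads "no traffic" after a NAT test tells you the console never sent anything that matched that rule, which is the situation the listing above shows for the 3074 rules.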

I don't own an Xbox, so the explanation by @vgaetera seems the most plausible.

After struggling for so long I finally figured out the problem.

@mindwolf is right! You indeed don't have to open any ports below 1024.
After some short testing I also figured out that you don't even have to open udp ports 3544 (teredo) and 4500 (IPSec).

However to be extra safe I still opened all the listed ports mentioned in the link below.
https://support.xbox.com/en-US/xbox-one/networking/network-ports-used-xbox-live

Since I had already done this before, with my xbox still showing me a moderate NAT, there had to be something else.
At "Network Settings" --> "Advanced settings" my xbox is telling me the port in use, which was for whatever reason not the default 3074.
Instead it was using an alternate port automatically. This feature is actually intended for people owning multiple xbox consoles that they would like to have an open NAT or if you need the port 3074 for something else.
I have no clue why my xbox is selecting an alternate port, but so be it. Maybe OpenWrt is using this port for something?

Anyway the solution is quite simple.
After opening the alternate port displayed, the xbox was still showing me a moderate NAT.
After opening all the alternate ports the settings would let you choose from, it was giving me an open NAT all the time!!!
I can restart my console, router, .... and my xbox now has an open NAT without needing to run any NAT tests on it.

In case anyone needs it, this is the firewall config which got me an open NAT.

firewall config
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp'
	option src_dport '80'
	option dest_ip '192.168.1.31'
	option dest_port '80'
	option name 'XBL_000_TCP-80'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '88'
	option dest_ip '192.168.1.31'
	option dest_port '88'
	option name 'XBL_001_UDP-88'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '500'
	option dest_ip '192.168.1.31'
	option dest_port '500'
	option name 'XBL_002_UDP-500'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '3544'
	option dest_ip '192.168.1.31'
	option dest_port '3544'
	option name 'XBL_003_UDP-3544'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option src_dport '4500'
	option dest_ip '192.168.1.31'
	option dest_port '4500'
	option name 'XBL_004_UDP-4500'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '53'
	option dest_ip '192.168.1.31'
	option dest_port '53'
	option name 'XBL_005_TCP+UDP-53'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '3074'
	option dest_ip '192.168.1.31'
	option dest_port '3074'
	option name 'XBL_006_TCP+UDP-3074'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '52635'
	option dest_ip '192.168.1.31'
	option dest_port '52635'
	option name 'XBL_007_TCP+UDP-52635'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '53044'
	option dest_ip '192.168.1.31'
	option dest_port '53044'
	option name 'XBL_008_TCP+UDP-53044'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '53453'
	option dest_ip '192.168.1.31'
	option dest_port '53453'
	option name 'XBL_009_TCP+UDP-53453'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '53862'
	option dest_ip '192.168.1.31'
	option dest_port '53862'
	option name 'XBL_010_TCP+UDP-53862'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '54271'
	option dest_ip '192.168.1.31'
	option dest_port '54271'
	option name 'XBL_011_TCP+UDP-54271'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '54680'
	option dest_ip '192.168.1.31'
	option dest_port '54680'
	option name 'XBL_012_TCP+UDP-54680'

Again, you probably don't need to forward any ports tcp+udp apart from 3074 and the alternate ports (52635 53044 53453 53862 54271 54680) to get an open NAT.
I still did it, but it also worked without all the others listed by microsoft.
