XBOX 360 - DHCP and Manual Lease not working

Can't get the XBOX to work with the WiFi: it connects but gets no IP, and setting it manually with verified settings still doesn't help. I've seen a few threads and blog posts about this issue with OpenWRT and the only solution they provide is getting the XBOX MAC and reserving an IP address + forwarding a bunch of ports.

I'm just wondering if this "hack" is still needed in LEDE (17.01) or if there is a more elegant way of handling this in current builds.

Thank you.

  • Consistently connected devices should have an IP reserved, as it helps to keep things sane in both configs and logs.

  • As to port redirects, Xbox Live requires 5 port redirects, with the following ports to be forwarded:
    # /etc/config/firewall
    
    # Xbox Live #
    #---------------------------------------------------
    config redirect
       option  target          'DNAT'
       option  family          'ipv4'
       option  proto           'udp'
       option  src             'WAN'
       option  src_dport       '88'
       option  dest            'LAN'
       option  dest_ip         '192.168.1.9'
       option  dest_port       '88'
       option  name            'Allow Xbox Live (88) -> Xbox One'
    
    config redirect
       option  target          'DNAT'
       option  family          'ipv4'
       option  proto           'tcp udp'
       option  src             'WAN'
       option  src_dport       '3074'
       option  dest            'LAN'
       option  dest_ip         '192.168.1.9'
       option  dest_port       '3074'
       option  name            'Allow Xbox Live (3074) -> Xbox One'
    
    config redirect
       option  target          'DNAT'
       option  family          'ipv4'
       option  proto           'udp'
       option  src             'WAN'
       option  src_dport       '500'
       option  dest            'LAN'
       option  dest_ip         '192.168.1.9'
       option  dest_port       '500'
       option  name            'Allow Xbox Live (500) -> Xbox One'
    
    config redirect
       option  target          'DNAT'
       option  family          'ipv4'
       option  proto           'udp'
       option  src             'WAN'
       option  src_dport       '3544'
       option  dest            'LAN'
       option  dest_ip         '192.168.1.9'
       option  dest_port       '3544'
       option  name            'Allow Xbox Live (3544) -> Xbox One'
    
    config redirect
       option  target          'DNAT'
       option  family          'ipv4'
       option  proto           'udp'
       option  src             'WAN'
       option  src_dport       '4500'
       option  dest            'LAN'
       option  dest_ip         '192.168.1.9'
       option  dest_port       '4500'
       option  name            'Allow Xbox Live (4500) -> Xbox One'
    

If you are not averse to using UPnP to allow devices to open ports to themselves from the router, you can install luci-app-upnp (for the WebUI) or, if CLI only, miniupnpd.

You might want to read up on routers and UPnP before going that way though, as while convenient it's not so good for security.

UPnP should never be utilized, as it's not secure, and more importantly, is a massive security risk. I provided the port forwards required for Xbox Live in the aforementioned post, negating the need for UPnP.

  • There is literally only a handful of devices and services that require port redirects, and any device or service that requires redirects can be found either on PortForward's site or on the manufacturer's support site.

  • There are zero reasons why someone should be using UPnP, and a whole host of reasons why they should not... Choosing UPnP over configuring port redirects is simply lazy.

Ok, how do you have 2+ XBox devices doing XBox Live behind the same NAT without UPnP?

Are you utilizing Xbox Live on both at the same time?

  • If so, I'd recommend trying what's suggested in Portforwarding Two Xboxes

  • If that doesn't work, I do know it is possible to do this without UPnP, but I'm not sure exactly how to accomplish it on OpenWrt (there's different approaches one can configure on the router, but I'm not sure which one(s) would be easiest/compatible to configure).
    • You're likely going to need to do some research in the OpenWrt wikis and via Google, unless someone who does know chimes in.
      • I've invited @hnyman, @jow, and @tmomas to the conversation, as they'll likely either know, or will shoot you in the right direction of where to look.

UPnP Security Risk Explanation: What are the security implications of enabling UPnP in my home router?

I suggest using UPnP with appropriate ACLs to only allow the Xboxes to open ports as needed.


@JW0914 Those posts are over five years old. miniupnpd has matured a lot since then, and, more importantly, on OpenWrt there are ACLs (as @jow points out). I actually knew this. I do know that with two Xboxes you are not guaranteed as to what ports you're going to get. With OpenWrt you can enable UPnP just for the XBoxes, which solves the problem of suddenly allowing general purpose devices (and/or uber-risky IoT devices) to use UPnP. And of course if you worry some game is going to open ports on the XBox to do nefarious things, then really you shouldn't be using an XBox.

Oh and miniupnpd in OpenWrt is configured to restrict UPnP to opening ports on the device that originated the requests (there are implementations of UPnP that didn't make that essential so a device could open ports to another device).

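The "UPnP just for the XBoxes" approach above, as an added example that is not from any poster in this thread: a static lease pinning the console to 192.168.1.9 (the address used in the redirects earlier), followed by an /etc/config/upnpd that lets only the console addresses map ports to themselves and denies everything else. The MAC address and the second console's address 192.168.1.10 are placeholders.

```uci
# /etc/config/dhcp (added stanza): pin the console to the address the
# redirects and the UPnP ACL below refer to. MAC is a placeholder.
config host
	option name 'xbox'
	option mac  '00:11:22:33:44:55'   # placeholder, use the console's real MAC
	option ip   '192.168.1.9'

# /etc/config/upnpd: miniupnpd restricted to the consoles only.
# 'enabled' is the "Start UPnP and NAT-PMP service" box in LuCI.
config upnpd 'config'
	option enabled         '1'
	option enable_upnp     '1'
	option enable_natpmp   '1'
	option secure_mode     '1'    # a client may only map ports to its own address
	option internal_iface  'lan'
	option log_output      '1'    # log mappings so they show up in logread
	option upnp_lease_file '/var/run/miniupnpd.leases'

# ACL rules are evaluated in order; the first matching rule applies.
config perm_rule
	option action    'allow'
	option ext_ports '1024-65535'
	option int_addr  '192.168.1.9/32'
	option int_ports '1024-65535'
	option comment   'Xbox #1 may map high ports to itself'

config perm_rule
	option action    'allow'
	option ext_ports '1024-65535'
	option int_addr  '192.168.1.10/32'   # hypothetical second console
	option int_ports '1024-65535'
	option comment   'Xbox #2 may map high ports to itself'

config perm_rule
	option action    'deny'
	option ext_ports '0-65535'
	option int_addr  '0.0.0.0/0'
	option int_ports '0-65535'
	option comment   'Everything else: no UPnP mappings'
```

Apply with `/etc/init.d/dnsmasq restart` and `/etc/init.d/miniupnpd restart`, then check the current mappings in `/var/run/miniupnpd.leases` after the console runs its network test. Note that the redirects posted earlier use zone names 'WAN' and 'LAN' while OpenWrt's default zones are lowercase 'wan' and 'lan'; the names must match whatever /etc/config/firewall on the router actually defines.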

UPnP, even with ACLs, is still not a secure service to run, as UPnP, by definition, will always be a security risk. This is not my opinion, but the consensus of most, if not all, InfoSec researchers.

As to the age of the post, you must be unfamiliar with StackExchange... it's not a forum, it's an answer site. You clearly didn't take the time to review Rapid7's white paper, let alone bother to google something like "UPnP Security Flaw", or something as simple as "UPnP Safe"... perhaps some due diligence should be considered.

Furthermore, this is directly from the maintainer of miniupnpd's site:

Security

UPnP implementations are potentially subject to security breaches. Badly implemented or configured UPnP IGDs are vulnerable. Security researcher HD Moore did good work to reveal vulnerabilities in existing implementations: Security Flaws in Universal Plug and Play (PDF). A common problem is to leave SSDP or HTTP/SOAP ports open to the internet: they should be only reachable from the LAN.

In the past, several vulnerabilities have been found in MiniUPnPd, so it is very important to update your code to the last version.

Good stuff, I'll be giving this a shot tonight and will report back.

Btw, I just learned that UPnP was enabled by default on my LEDE installation; since it imposes so many risks, shouldn't it be set to OFF by default on new LEDE releases? Just wondering.

[screenshot: 2018-08-07_10-17-01]

[screenshot: 2018-08-07_10-25-02]

But the service was never started... Hence why 'Start UPnP and NAT-PMP service' is not ticked. Therefore, it's not ON by default.

Again, you're linking 5-6 year old information. I've had this discussion with you a few months ago regarding UPnP, ACLs, and consoles. Please, reread my previous argument in that thread. Provide to me a relevant exploit or proof of concept that counters my opinion. Stop calling people lazy, when you yourself are being lazy by not providing that information and just telling people to Google stuff. Thank you kindly!

Here's the original thread:


I'm not going to argue with you over utilizing UPnP, as I've provided you with numerous ways to show UPnP is a security risk (including the maintainer of miniupnpd)... you can lead a horse to water, but you can't force it to drink.

  • Don't you find it a bit odd there's not a single link with anyone stating UPnP is not a security risk to utilize, but I digress.

By the way, Einstein published his Theory of General Relativity in 1916... 102 years ago. Time does not make an answer irrelevant, facts to the contrary do.

Well it's kind of difficult to use multiple consoles of the same type without UPnP on the same network. There are risks to everything and to most services that run. However, understanding and mitigating those risks is the best defense. In this case ACLs along with secure mode are mitigating most of these risks, and people understand that there are risks associated with running UPnP. But what other solutions are there? The Xbox One multiple consoles article was designed for Activision. But the world of games does not revolve around Call of Duty....


Unlike the rules of physics, the rules of code in software can be modified and changed...

As I stated in a prior post, there's actually quite a few ways it can be done on the router without UPnP, however what I don't know is whether any of those ways are either efficient or capable of being done on OpenWrt, hence why I stated "You're likely going to need to do some research in the OpenWrt wikis and via Google, unless someone who does know chimes in."

Not familiar with spoofing or MITM?

I digress, as you're clearly looking for an argument, facts be damned.

I've covered that as well in my previous thread. Please reread.

But the service was never started... Hence why 'Start UPnP and NAT-PMP service' is not ticked. Therefore, it's not ON by default.

True, missed it, perhaps there should be just one check box (Enabled = Start Service).
Thank you.

Ok guys, noob here, couldn't get any of the options above to work...

  1. Reserved the IP address: [screenshot: WiFi]

  2. Forwarded the ports: [screenshot: Forwarding]

  3. Rebooted XBOX and tried: [screenshot: TestXBOX]

  4. Checked the WiFi settings and it still displays this: [screenshot: XBOX-IP]

Then I scrapped the port forwarding settings and tried UPnP.

  1. Turned ON UPnP service, rebooted router and then rebooted the XBOX: [screenshot: UPnP]

  2. Still the same outcome on the XBOX: it failed the tests and acquired an invalid IP address.

Would be great to know what I'm doing wrong. Btw, I never had any issues with my previous D-LINK router running stock firmware, so the XBOX itself is working fine.

Thank you

From your screenshot you are not actually getting a DHCP address from the router on your XBox. Do you have DHCP enabled on your wifi network? Is anything else using wifi (i.e. is it just the XBox, or is this the only wireless device so far)? Do you perhaps have MAC whitelisting enabled but have not whitelisted the XBox? (It's not on by default, so if it is, you would know.)