Xbox Live behind a firewall

Discussion in 'Xbox Forums' started by def, Apr 9, 2007.

  1. def

    Hi,

    Figured this might help someone else as I spent bloody ages working through my firewall logs to figure it out. Lots of googling showed people with the same problem and no simple solution.

    So the basic problem is you can't get on Xbox live with your 360, and secondly how to get into PGR3 playtime online without getting the "Cannot communicate with other players in the game" message.

    Solution is quite easy when you know the ports, and you absolutely don't need a UPnP router or "Xbox live compatible router" - what a crock.

    In my case I have a home network with a couple of subnets, a machine acting as a router and NAT gateway, and the Xbox connected via wired lan.

    Simply do the following:

    1. Assign your Xbox a static IP on your LAN. Set the default gateway and subnet correctly.

    2. On your firewall, add the following rules:
    ALLOW TCP source host = any source port = 3074 dest host = (yours) dest port = any
    ALLOW UDP source host = any source port = 3074 dest host = (yours) dest port = any
    ALLOW UDP source host = any source port = 88 dest host = (yours) dest port = any
    ALLOW TCP source host = any source port = any dest host = (yours) dest port = 3074
    ALLOW UDP source host = any source port = any dest host = (yours) dest port = 3074
    ALLOW UDP source host = any source port = any dest host = (yours) dest port = 88
    ALLOW UDP source host = any source port = any dest host = (yours) dest port range = 51000 to 52000

    3. In your firewall NAT gateway config, add the following rules:
    FORWARD UDP port = 88 to <xbox ip> port = 88
    FORWARD UDP port = 3074 to <xbox ip> port = 3074
    FORWARD TCP port = 3074 to <xbox ip> port = 3074
    FORWARD UDP port = 8602 to <xbox ip> port = 8602

    4. Make sure your firewall does not drop unsolicited UDP packets (this is normally an option saying something like "Drop incoming UDP if it doesn't have an entry in the NAT state table").


    Now I'm pretty sure not all of these are required, but even with this config I still get "moderate" status for my NAT in the xbox network config. However this does let me play PGR3 in playtime online, which was a major step forward (I couldn't do this even after I got the XBox live connection to work). I'll start disabling individual rules soon and see which ones are absolutely needed.

    Also for network-savvy people, note that the MTU check is actually absolute rubbish. If you get an MTU error on the XBox but you can do:

    ping -f -l 1472 microsoft.com

    without any error from any machine inside your network, the MTU isn't the problem. The Xbox actually uses the TCP/UDP ports above to test MTU, so if your firewall is dropping TCP/UDP it gets reported as an MTU error. Utterly bizarre and bad work on Microsoft's part, as there's no way they can expect the general public to understand what MTU is or how to fix it when it's been wrongly reported.

    I still have no idea how to get "open" status, but everything seems to work for me so far and my firewall isn't dropping anything when I do the network tests, so I guess we'll leave that mystery for another day.

    Cheers!
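A review pass over the filter rules in step 2, as an added example that is not part of the original post: it parses the post's rule syntax and marks the rules that match on source port alone or open a wide port range. The `WIDE_RANGE` threshold and the function names are assumptions made for this sketch.

```python
import re

# Filter rules copied from the post; "(yours)" is the poster's placeholder.
RULES = """\
ALLOW TCP source host = any source port = 3074 dest host = (yours) dest port = any
ALLOW UDP source host = any source port = 3074 dest host = (yours) dest port = any
ALLOW UDP source host = any source port = 88 dest host = (yours) dest port = any
ALLOW TCP source host = any source port = any dest host = (yours) dest port = 3074
ALLOW UDP source host = any source port = any dest host = (yours) dest port = 3074
ALLOW UDP source host = any source port = any dest host = (yours) dest port = 88
ALLOW UDP source host = any source port = any dest host = (yours) dest port range = 51000 to 52000
"""

RULE_RE = re.compile(
    r"ALLOW (?P<proto>TCP|UDP) source host = (?P<shost>\S+) "
    r"source port = (?P<sport>\S+) dest host = (?P<dhost>\S+) "
    r"dest port(?: range)? = (?P<dport>.+)$")

WIDE_RANGE = 100  # assumed review threshold, not from the post

def parse(line):
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised rule: {line!r}")
    return m.groupdict()

def audit(rule):
    """Return review findings for one parsed rule; an empty list means none."""
    findings = []
    if rule["dport"] == "any" and rule["sport"] != "any":
        # The remote sender picks its own source port, so this match does
        # not limit which port on the Xbox the packet may reach.
        findings.append(f"matches on source port {rule['sport']} only; "
                        "destination port is unrestricted")
    span = re.fullmatch(r"(\d+) to (\d+)", rule["dport"])
    if span:
        width = int(span.group(2)) - int(span.group(1)) + 1
        if width > WIDE_RANGE:
            findings.append(f"opens {width} {rule['proto']} ports")
    return findings

def audit_ruleset(text):
    return [(ln, audit(parse(ln))) for ln in text.splitlines() if ln.strip()]

if __name__ == "__main__":
    for line, findings in audit_ruleset(RULES):
        print("REVIEW" if findings else "ok    ", line)
        for note in findings:
            print("         -", note)
```

The flagged rules are the natural first candidates when disabling rules one at a time to find the minimum set that still works.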
     
  2. ShadowmanUK

    No, you don't need a UPnP router or an Xbox Live Compatible one if you're happy with a Moderate NAT ;)

    Getting a live compat router does make things easier, as does UPnP.

    If you want to run more than one Xbox behind a router, getting a live compat router is essential; there's no other way to do it, no amount of forwarding will sort that out.
     
  3. def

    Ah, it turns out my ruleset (above) actually gives you "open" status for NAT. For some weird reason it only updated the status when I rebooted the xbox.

    All sorted now.

    I'm very curious how any NAT device can support more than one 360 behind it, even an XBox live-compatible one. My firewall logs showed unsolicited UDP arriving at the external interface - if the packets are unsolicited there will be no entry in the state table for them, therefore no NAT gateway will know what to do with them.

    I guess one option would be to rebroadcast them internally. Wonder if that would work...
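The state-table behaviour discussed in this post, as an added model that is not part of the original thread: a simplified UDP NAT that checks dynamic state first and static forwards second, with the "drop unsolicited UDP" option from step 4 of the first post. The addresses are constructed, and the "take the next free external port" allocation is an assumption of this sketch, not how any particular router behaves.

```python
class Nat:
    """Simplified UDP NAT: dynamic state entries first, then static forwards."""

    def __init__(self, forwards, drop_unsolicited=False):
        self.forwards = dict(forwards)   # external port -> (internal ip, port)
        self.owners = dict(forwards)     # external port -> host currently using it
        self.state = {}                  # (external port, remote) -> internal host
        self.drop_unsolicited = drop_unsolicited

    def outbound(self, src, remote):
        """Record state for an outgoing datagram; return the external port used."""
        ext = src[1]
        # Assumption: if the port belongs to another host, take the next free one.
        while self.owners.get(ext, src) != src:
            ext += 1
        self.owners[ext] = src
        self.state[(ext, remote)] = src
        return ext

    def inbound(self, ext_port, remote):
        """Return the internal (ip, port) a datagram is delivered to, or None."""
        if (ext_port, remote) in self.state:
            return self.state[(ext_port, remote)]
        if self.drop_unsolicited:
            return None
        return self.forwards.get(ext_port)

# Constructed addresses (private and documentation ranges).
XBOX_A, XBOX_B = ("192.168.1.50", 3074), ("192.168.1.51", 3074)
SERVER, PEER = ("198.51.100.1", 3074), ("203.0.113.7", 3074)
FORWARDS = {88: ("192.168.1.50", 88), 3074: XBOX_A}

def demo():
    nat = Nat(FORWARDS)
    strict = Nat(FORWARDS, drop_unsolicited=True)
    ext_b = nat.outbound(XBOX_B, SERVER)          # second console goes online
    return {
        "unsolicited_to_3074": nat.inbound(3074, PEER),
        "unsolicited_when_dropping": strict.inbound(3074, PEER),
        "xbox_b_external_port": ext_b,
        "server_reply_to_b": nat.inbound(ext_b, SERVER),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In this model a static forward names a single internal host, so unsolicited UDP to port 3074 is only ever delivered to the first console, while the second console is reachable only through state entries it created itself.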
     
  4. ShadowmanUK

    The Xbox live compat ones use a special firmware using a modified version of UPnP; it's custom written by the vendor to pass the Microsoft tests.

    So there's no forwarding at all, just UPnP. All the ones on the microsoft list work with up to 4 xboxes at once. And it really does work.

    Unfortunately the vendors don't carry that feature over when they release new firmware versions :( so you find that you have to downgrade to earlier versions of firmware to get that level of compatibility, which is a bit poor.

    Also, there are no ADSL modem/routers on the list either, just broadband routers.
     
  5. def

    Custom version? That's just ridiculous.
     
  6. ShadowmanUK

    The firmware, not the router :)
     
