Microsoft Xbox and NAT

Microsoft’s current generation games console, the Xbox One, is known to often have trouble operating through a NAT router. The problem is not exclusive to FireBrick, or even to NAT: it can also occur when the Xbox is on a real IP address but inbound firewalling is enabled.

The definitive list

Microsoft publishes a list of ports that must be allowed inbound to the IP address the Xbox is using. The important bit is:

  • Port 88 (UDP)
  • Port 3074 (UDP and TCP)
  • Port 53 (UDP and TCP)
  • Port 80 (TCP)
  • Port 500 (UDP)
  • Port 3544 (UDP)
  • Port 4500 (UDP)

Creating a filter ruleset and some rules within it

First, create a ruleset to contain the rules that do the remapping. You need to know a few pieces of information before you proceed.

  • Firstly, you need to know what IP address your FireBrick has on its external side.
  • Secondly, you need to know what IP address your Xbox has on the internal network.

The ruleset matches any traffic addressed to the external IP address. The individual rules within it then match the specific traffic types and ports, and do the actual mapping.

Mapping access to the FireBrick itself

Be careful not to lock yourself out of the FireBrick if you are accessing it remotely over a port which you’re about to portmap, e.g. port 80 or 443. You can have the FireBrick’s web interface listen on a different IP address, so check that you have that working before you forward the port away from the FireBrick.

The ruleset will look something like this:


And then within that ruleset, you need to create rules that handle TCP and UDP :



Then within each of these, you need to set the ports, traffic type, and the address to rewrite to:



and then


Going Further – specific requirements

WISP – not enough real addresses?

If you are running this in an ISP context (for example a WISP), each customer may not necessarily have their own ‘real’ external IPv4 address. This creates a problem if two of your downstream customers both have Xboxes.
Provided you have enough address space to allocate each customer with an Xbox their own external address for that purpose, this is simply done by adding an extra local address (within the routing section) and then setting up the mappings on a per-customer basis.
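
The following sanity check covers both the lockout warning and the shared-address problem above. It is an added example, not FireBrick configuration or code from this page: the function name, the plan format and the sample addresses are all assumptions made for illustration. It expands each planned mapping into the inbound ports listed earlier and reports any external address and port claimed by more than one Xbox, or one that would be taken away from a management listener.

```python
from collections import defaultdict

# Inbound ports from the list on this page, as (protocol, port) pairs.
XBOX_PORTS = [
    ("udp", 88), ("udp", 3074), ("tcp", 3074), ("udp", 53), ("tcp", 53),
    ("tcp", 80), ("udp", 500), ("udp", 3544), ("udp", 4500),
]

def check_plan(mappings, mgmt_listeners):
    """Return a list of problems in a port-mapping plan.

    mappings:       list of (external_ip, xbox_internal_ip) pairs
    mgmt_listeners: set of (ip, protocol, port) where the router's own
                    management interface must stay reachable
    """
    owners = defaultdict(set)
    for ext_ip, xbox_ip in mappings:
        for proto, port in XBOX_PORTS:
            owners[(ext_ip, proto, port)].add(xbox_ip)

    problems = []
    for (ext_ip, proto, port), hosts in sorted(owners.items()):
        if len(hosts) > 1:
            # One external address/port can only be rewritten to one host.
            problems.append(f"conflict {ext_ip} {proto}/{port} -> {sorted(hosts)}")
        if (ext_ip, proto, port) in mgmt_listeners:
            # The mapping would take this port away from the management UI.
            problems.append(f"lockout {ext_ip} {proto}/{port} is a management listener")
    return problems

# Constructed sample data (RFC 5737 / RFC 1918 addresses).
MGMT = {("192.0.2.1", "tcp", 80)}
SHARED = [("192.0.2.1", "10.0.0.20"), ("192.0.2.1", "10.0.1.20")]
PER_CUSTOMER = [("192.0.2.2", "10.0.0.20"), ("192.0.2.3", "10.0.1.20")]

if __name__ == "__main__":
    for name, plan in (("shared", SHARED), ("per-customer", PER_CUSTOMER)):
        print(name, check_plan(plan, MGMT) or "ok")
```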

Static DHCP for the Xbox

With DHCP, an Xbox that isn’t used for a long period of time may be allocated a different address from the one the port maps are configured against. You can protect against this by setting up a specific DHCP rule matching the Xbox’s MAC address.