Many people seem to be having a problem using pfSense with Xbox Live or PlayStation Network to game online. I have both and both of them are working fine through pfSense, without opening UPnP up to all devices on the network. This also works with the game that seems to cause the most issues… Call of Duty: Modern Warfare 3.
So here is what you need to do to make it work.
- Assign Static DHCP mappings to the console(s)
- Enable UPnP and restrict it to the console(s)
- Modify Outbound NAT rules for the console(s)
Each step should be repeated for each console. I should probably point out that the WAN interface on my setup is called EXTERNAL and the LAN interface is called TRUSTED.
1. Assign Static DHCP mappings to the console(s)
For this step the MAC address of the console(s) will be handy. Log in to your pfSense box and go to Status > DHCP Leases in the navigation bar. Find the line that contains the MAC address of your console and click the icon to add a static mapping.
The MAC address field should contain the MAC address of the console you are configuring. IP Address is the IP that will be assigned to the console and must be outside the DHCP range of your network. Hostname can be set to PS3 or Xbox depending on the console you are configuring and Description is optional.
Click on save to save the mapping.
Click Apply Changes to set the change in stone.
Repeat this step for the other console if required.
2. Enable UPnP and restrict it to the console(s)
Go to Services > UPnP & NAT-PMP on the navigation bar.
Enable the following options.
- Enable UPnP and NAT-PMP
- Allow UPnP Port Mapping
- Allow NAT-PMP Port Mapping
- By default deny access to UPnP & NAT-PMP?
Make sure you select the Interface that your console(s) are connected to.
You can enable the “Log Packets” option to troubleshoot if you like.
Enter “allow 88-65535 192.168.100.7/32 88-65535” into the User specified permissions box(es), one for each console. Replace 192.168.100.7/32 with the IP address of the console you are configuring. The /32 limits the subnet to a single IP address and is important.
Click change.
3. Modify Outbound NAT rules for the console(s)
Click on Firewall > NAT in the navigation bar and select the Outbound tab. Change your NAT type from “Automatic Outbound NAT” to “Manual Outbound NAT”. Click Save.
Click the icon at the top of the table to create a new outbound NAT rule.
In the Source: Address box enter the IP address of the console you are configuring. Select 32 from the drop-down menu next to the address. In the Translation section check the box called Static Port. Enter a description if you wish but it is not required.
Click Save.
Repeat this step for each console if required.
In the Outbound NAT table select the check box next to the row(s) you have just created and click the icon next to the line containing the “Auto created rule for TRUSTED to EXTERNAL” row in the table.
Click the Apply Changes button.
You should now be good to go.
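To double-check steps 1 and 2 before relying on them, here is an added example (not part of the original post or of pfSense) that audits entries for the User specified permissions box. It assumes the four-field rule layout shown in step 2 and IPv4 addressing; the second console address and the DHCP pool are constructed sample values.

```python
import ipaddress
import re

# Rule shape from the post: action, external ports, address/mask, internal ports.
RULE_RE = re.compile(r"^(allow|deny)\s+(\d+)(?:-(\d+))?\s+(\S+)\s+(\d+)(?:-(\d+))?$")


def audit_upnp_rule(line, console_ips, dhcp_start, dhcp_end):
    """Return a list of findings for one permission entry (empty list = OK)."""
    m = RULE_RE.match(line.strip())
    if not m:
        return ["unparseable rule"]
    action, ext_lo, ext_hi, addr, int_lo, int_hi = m.groups()
    findings = []
    for name, lo, hi in (("external", ext_lo, ext_hi), ("internal", int_lo, int_hi)):
        lo, hi = int(lo), int(hi or lo)
        if not lo <= hi <= 65535:
            findings.append(f"bad {name} port range")
    try:
        net = ipaddress.IPv4Network(addr, strict=False)
    except ValueError:
        return findings + ["bad address"]
    if action == "deny":
        return findings  # deny entries cannot widen access
    if net.prefixlen != net.max_prefixlen:
        # Anything wider than /32 lets other hosts request port mappings.
        findings.append(f"allow covers {net.num_addresses} addresses, not one host")
        return findings
    host = net.network_address
    if host not in {ipaddress.ip_address(ip) for ip in console_ips}:
        findings.append("allow targets a host that is not a listed console")
    if ipaddress.ip_address(dhcp_start) <= host <= ipaddress.ip_address(dhcp_end):
        findings.append("console address is inside the DHCP pool")
    return findings


# Constructed sample values; only 192.168.100.7 appears in the post.
CONSOLES = ["192.168.100.7", "192.168.100.8"]
POOL = ("192.168.100.100", "192.168.100.199")
SAMPLE_RULES = [
    "allow 88-65535 192.168.100.7/32 88-65535",
    "allow 88-65535 192.168.100.7/24 88-65535",
    "allow 88-65535 192.168.100.150/32 88-65535",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule, "->", audit_upnp_rule(rule, CONSOLES, *POOL) or "OK")
```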
My setup consists of the following for reference.
- pfSense 2.0 WARP running on a Watch Guard Firebox 700
- Xbox 360 slim running latest firmware
- PS3 slim running latest firmware
Let me know in the comments if you have any problems.