NAT Traversal and XBONE Strict NAT on PFSense

Hey folks,

Was trying to do the Splatoon trial today and kept getting hit with the error "Nat traversal process has failed." I'm not exactly familiar with NAT traversal, but what I went ahead and did was create NAT rules:

Also enabled NAT-PMP:

XBONE shows strict NAT with these rules as well, so I reckon I'm overlooking some setup here.

Completed tasks:

XBONE and Switch both have static DHCP addresses and are on the primary subnet. I'm considering DMZing them off, though, but that's a bit harder with the Switch since it's wireless.

There was someone else on the forum with the same problem and I can't remember if we fixed it or not.

Do you have UPnP enabled as well as NAT-PMP?

Those WAN rules for the XBONE are wrong: the source address should be any, and your XBONE's address should be the destination. You also need destination ports; you'll have to look up which ports it uses. But none of that will do anything unless you also set up port forwards.

You shouldn't have to manually port forward, though, if you can get UPnP working properly.

Yeah, I haven't done the inbound rule for the XBONE yet; I'm troubleshooting the Switch at the moment and will just copy that rule when it's fixed. Aye, it's enabled as well.

Edit: Let me turn on the XBONE and see if it's still strict, actually. I haven't looked since turning that on. I've been focused on fixing the Switch issue.

Can confirm XBONE is strict.

So, fun fact. In my NAT rules I put 172... that's what we use at work for our primary subnet, so I crossed wires with home. I put 192 in and my Xbox's NAT is open now, so I'd imagine my Switch is working as well now. I'll see tomorrow.

Right, I thought these were firewall rules, but I see now that they're the outbound NAT rules. So the auto mode didn't work, and when you switched it to manual the default rules didn't work either? If you didn't get any default rules, you should have got one with the source address as, the NAT address as WAN address and everything else set to any, and probably also one for port 500. I'm curious: if the default rules don't work, then maybe the problem is that the XBONE requires a static source port rather than a random port for the NAT, as the default is to use a random port.

Actually, neither automatic nor manual works. I'm using Hybrid, and that's what fixed it.

When you tried manual, did you have any default rules? But it looks like it does need that static source port, which is good to know.

Right, it does need static, as does the Switch. Apparently, the way Nintendo does it, the same port is used both ways.

Well, I was on manual to begin with, since I was originally NAT'ing my outbound traffic to PIA when I first installed pfSense. There were default rules, though.

XBONE actually uses a range of ports. I forget which ones, but it's like 10 different ones.
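The two things the thread converges on are (a) the outbound NAT rule has to actually match the console's address (the 172 vs. 192 subnet mix-up) and (b) the console's rule needs "Static Port" so pfSense does not rewrite the UDP source port. pfSense evaluates outbound NAT rules top-down, first match wins, and renders a static-port rule as a pf `nat` rule ending in `static-port`. The script below is an added example, not anything from the thread or from pfSense itself; it models a small outbound NAT rule table, renders each rule in pf syntax, and reports which rule a given console address would hit and whether its source port is preserved. The interface name `em0`, the 192.168.1.0/24 LAN, and the host addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of a pfSense Outbound NAT rule (Hybrid/Manual mode).
@dataclass
class OutboundNatRule:
    source: str          # source network or host, e.g. "192.168.1.50/32"
    static_port: bool    # pfSense "Static Port" checkbox -> pf "static-port"
    description: str = ""

WAN_IF = "em0"  # assumed WAN interface name

def to_pf(rule: OutboundNatRule) -> str:
    """Render the rule roughly as pfSense writes it into /tmp/rules.debug.
    Only the parts relevant to this thread (source, translation, static-port)."""
    line = f"nat on {WAN_IF} from {rule.source} to any -> ({WAN_IF})"
    if rule.static_port:
        line += " static-port"
    return line

def first_match(host: str, rules: list[OutboundNatRule]) -> Optional[OutboundNatRule]:
    """pfSense processes outbound NAT rules top-down; the first rule whose
    source network contains the host wins."""
    ip = ipaddress.ip_address(host)
    for rule in rules:
        if ip in ipaddress.ip_network(rule.source, strict=False):
            return rule
    return None

def check_console(host: str, rules: list[OutboundNatRule]) -> str:
    """Summarise how a console's outbound traffic will be translated."""
    rule = first_match(host, rules)
    if rule is None:
        return "no-match"          # traffic leaves untranslated (or hits auto rules)
    return "static-port" if rule.static_port else "random-port"

# Constructed rule table reproducing the mistake in the thread: the console
# rule was written for the work subnet (172...), so the home console never
# matched it and fell through to the auto-generated rule without static-port.
BROKEN_RULES = [
    OutboundNatRule("172.16.1.50/32", True, "Xbox One (wrong subnet)"),
    OutboundNatRule("192.168.1.0/24", False, "auto-generated LAN rule"),
]

# Corrected table: console hosts on the real LAN, static-port, listed
# above the catch-all LAN rule so they match first.
FIXED_RULES = [
    OutboundNatRule("192.168.1.50/32", True, "Xbox One"),
    OutboundNatRule("192.168.1.51/32", True, "Nintendo Switch"),
    OutboundNatRule("192.168.1.0/24", False, "auto-generated LAN rule"),
]

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(f"== {label} ==")
        for r in rules:
            print("  " + to_pf(r))
        for console in ("192.168.1.50", "192.168.1.51"):
            print(f"  {console}: {check_console(console, rules)}")
```

Running it prints both rule tables in pf form and shows the console addresses landing on "random-port" under the broken table and "static-port" under the fixed one; the same check is easy to apply to a real rule list pasted out of Firewall > NAT > Outbound when a console keeps reporting strict NAT.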