pfSense and Xbox Live

Xbox Live

This is a pfSense-specific version of an older post I wrote about achieving Open NAT on Xbox Live when using OPNsense. There are two goals for this setup:

  • Achieve Open NAT without turning on UPnP.
  • Have Open NAT for both Xboxes (Xbox Series X and Xbox Series S) in my house.

The official Microsoft documentation lists a lot of TCP and UDP ports that Xbox Live needs to work. In reality, only one port needs to be forwarded to achieve Open NAT. If you only have one Xbox, that port is 3074 on both TCP and UDP. For households with multiple Xboxes, alternative ports need to be set up on the Xboxes themselves before starting the pfSense configuration. On the Xbox:

Settings -> General -> Networking settings -> Advanced settings -> Alternate port selection

Pick an alternative port to use for Xbox Live and make a note of it.

The Xbox will need a static IP address. That can be done via DHCP, which is straightforward to set up and I won’t cover here, or a static IP can be set up directly on the Xbox.

Here is how I set up port forwarding in pfSense for Xbox Live Open NAT. I note only the minimum necessary fields to be filled in. There are optional fields as well; fill those out however you want.

Create Alias for Xbox Port for both TCP/UDP:

  • Firewall -> Aliases
  • Click + Add at the bottom right
  • Name: Xbox Live Port
  • Type: Port(s)
  • Port: 3074 (or the alternative port if setting up multiple Xboxes)

Create Alias for Xbox IP addresses

  • Firewall -> Aliases
  • Click + Add at the bottom right
  • Name: Xbox Host
  • Type: Host(s)
  • IP or FQDN: IP address of Xbox

Set Up Port Forwarding Rules

  • Firewall -> NAT -> Port Forward
  • Click the button (arrow up) Add at the top right
  • Interface: WAN
  • Address Family: IPv4
  • Protocol: TCP/UDP
  • Destination: WAN Address
  • Destination port range:
    • From port: Other
    • Custom: Xbox Live Port Alias (start typing and pfSense will bring up aliases)
    • To port: Other
    • Custom: Xbox Live Port Alias
  • Redirect Target IP:
    • Type: Single host
    • Address: Xbox Host Alias
  • Redirect target port:
    • Port: Other
    • Custom: Xbox Live Port Alias
  • NAT Reflection: Enable (Pure NAT) (Super Important!)

Set Up Firewall Rules

These should have been auto-created when the port forwarding rules were created. This was the easy part.

Set Up Outbound NAT Rule

  • Firewall -> NAT -> Outbound
  • Switch the Mode at the top from Automatic to Hybrid Outbound NAT
  • Click Save
  • Click the button (arrow up) Add at the top right
  • Interface: WAN
  • Address Family: IPv4
  • Protocol: TCP/UDP
  • Source:
    • Type: Network
    • Source network for the outbound NAT mapping: Xbox Host Alias /32
    • Port or Range: Xbox Live Port Alias
  • Destination:
    • Type: Any
    • Port or Range: Blank
  • Translation
    • Address: Interface Address
    • Port or Range: Blank
    • Static Port: Checked (Super Important!)

Repeat for each Xbox with its alternate Xbox Live port. The process is pretty simple to do, but it took a little while to figure out how to make it work. I hope this is helpful for someone other than me.
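
To confirm that the finished rule set exposes only the intended Xbox Live ports, the following added example (not part of the original post) audits pf-style `rdr` and `nat` lines against a list of consoles. The sample rules, addresses, interface name and the `XBOXES` inventory are constructed, and the patterns assume numeric ports as in the sample, so real `pfctl -sn` output may need them adjusted.

```python
import re
from collections import defaultdict

# Constructed sample in the style of pf nat/rdr rules (documentation addresses).
# Defects on purpose: no UDP forward or UDP static-port for .51, and a stray forward.
SAMPLE_RULES = """\
nat on igb0 inet proto tcp from 192.168.1.50 port = 3074 to any -> 203.0.113.5 static-port
nat on igb0 inet proto udp from 192.168.1.50 port = 3074 to any -> 203.0.113.5 static-port
nat on igb0 inet proto tcp from 192.168.1.51 port = 3075 to any -> 203.0.113.5 static-port
nat on igb0 inet proto udp from 192.168.1.51 port = 3075 to any -> 203.0.113.5
rdr on igb0 inet proto tcp from any to 203.0.113.5 port = 3074 -> 192.168.1.50
rdr on igb0 inet proto udp from any to 203.0.113.5 port = 3074 -> 192.168.1.50
rdr on igb0 inet proto tcp from any to 203.0.113.5 port = 3075 -> 192.168.1.51
rdr on igb0 inet proto tcp from any to 203.0.113.5 port = 8080 -> 192.168.1.60
"""
# Hypothetical inventory: Xbox IP -> the Xbox Live port selected on that console.
XBOXES = {"192.168.1.50": 3074, "192.168.1.51": 3075}

# Assumption: ports are printed as numbers, as in the constructed sample above.
RDR = re.compile(r"^rdr on \S+ inet proto (tcp|udp) from any to \S+ port = (\d+) -> (\S+)")
NAT = re.compile(r"^nat on \S+ inet proto (tcp|udp) from (\S+) port = (\d+) to any -> \S+(.*)$")

def audit(rules_text, xboxes):
    """Return sorted findings; an empty list means the rules match the inventory."""
    findings, by_port = [], defaultdict(list)
    for ip, port in xboxes.items():
        by_port[port].append(ip)
    for port, ips in by_port.items():
        if len(ips) > 1:  # every console needs its own port
            findings.append(f"port {port} is shared by {', '.join(sorted(ips))}")
    forwards, static = set(), set()
    for line in rules_text.splitlines():
        if m := RDR.match(line):
            proto, port, target = m.group(1), int(m.group(2)), m.group(3)
            forwards.add((target, port, proto))
            if xboxes.get(target) != port:  # inbound exposure not in the inventory
                findings.append(f"unexpected forward: {proto}/{port} -> {target}")
        elif m := NAT.match(line):
            if "static-port" in m.group(4):
                static.add((m.group(2), int(m.group(3)), m.group(1)))
    for ip, port in xboxes.items():
        for proto in ("tcp", "udp"):
            if (ip, port, proto) not in forwards:
                findings.append(f"missing forward: {proto}/{port} -> {ip}")
            if (ip, port, proto) not in static:
                findings.append(f"missing static-port outbound NAT: {ip} {proto}/{port}")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_RULES, XBOXES)))
```

Any forward reported as unexpected is inbound exposure that the setup above does not call for and is worth reviewing.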