Xbox Live firewall exception: additional ports needed

6 posts Page 1 of 1
by ken.louie » Wed May 01, 2013 9:07 pm
re: Pace 4111N router settings, Settings tab > Firewall tab > Applications, Pinholes, and DMZ page

The "Xbox" item on the firewall application exceptions list doesn't forward all of the ports needed for Xbox Live.
It only forwards 88 UDP, 3074 TCP, and 3074 UDP.

Per Xbox support, you need to forward 53 UDP, 53 TCP, and 80 TCP as well.
Network ports used by Xbox LIVE
See: http://support.xbox.com/en-US/xbox-live ... -xbox-live

In Halo: Reach, I was seeing my NAT go from "Open" (desired status) to "Moderate" (not desired) without warning, usually after I was away from the Xbox for about 15 minutes or more.
When I exited the game, disconnected from Xbox Live, and then reconnected, my NAT would go back to "Open."
I created a custom exception to include all of the needed ports. So far, so good, my NAT is staying "Open."
by cduran » Fri May 03, 2013 9:31 am
ken.louie,
Thanks for this report. The majority of the preset exceptions are pretty outdated (do people still play Doom or use Kazaa?). It sounds like you've already figured out how to create a user-defined application for Xbox Live (Settings > Firewall > Applications, Pinholes and DMZ > Add a new user-defined application).

I'll pass your report on to our vendor to request that they update the xbox definition in a future firmware update.
Chris Duran
by ken.louie » Wed May 08, 2013 8:42 pm
Thanks for reporting this to the vendor.
Update: most of the time, the Halo: Reach network status screen shows that I have an Open NAT. But occasionally, I will still see Moderate NAT. I don't know why it would change around like that. And I haven't made any router changes since creating the firewall exception for Xbox Live.
Essentially, with the same router settings, I get Open NAT mostly, but sometimes Moderate NAT, which increases matchmaking time.

I tried a few things when I saw the Moderate NAT:
a. stayed in Halo, logged off Xbox Live, logged back on. Result: no effect
b. exited Halo, logged off Xbox Live, logged back on. Result: no effect
c. exited Halo, powered off the Xbox completely, turned it back on, logged in. Result: no effect
I gamed for a few hours with the Moderate NAT, then shut down the Xbox before going to dinner. When I came back an hour later and turned on the Xbox, I found that my NAT was now Open. Very odd.

I've never had this problem before. Before Sonic, I had AT&T DSL with Speedstream 5100 modem and an old D-Link Di-604 router. That router had a firmware version that was "Xbox Live certified". It also had a "gaming mode" that I kept on. It had a UPnP setting too (which I kept off for security). I didn't need to manually forward any ports.
by cduran » Thu May 09, 2013 9:57 am
ken.louie,
Can you confirm that the definition list for your user-defined xbox live application looks like the image below?
xbox_live.PNG
If it does and the problem persists, the next question is what other metric is Halo Reach using to determine NAT type? You might try using the 4111N's DMZplus feature to forward all inbound traffic to your xbox (if you were to try this you might as well disable the user-defined pinhole you set up for xbox live):
  • Log into the modem's interface at gateway.sonic.net
  • Click the "Settings" tab
  • Click "Firewall"
  • Click "Applications, Pinholes and DMZ"
  • Under "1) Select a computer" select your Xbox or supply the NAT address assigned to your Xbox
  • Check the box for "Allow all applications (DMZplus mode)"
  • Click "Save"
  • Reboot the modem and Xbox
Alternatively, if you prefer the D-Link you could always bridge the 4111N (https://wiki.sonic.net/wiki/Pace_4111N#Bridge_mode), disable the Pace's wireless and reconnect your D-Link behind it. That being said, the bridged configuration is unsupported, and as such our support group may ask you to temporarily re-enable routing should you ever require telephone support.
Chris Duran
by ken.louie » Tue May 14, 2013 10:45 pm
Yes, those are the ports I forwarded.
I used the default timeouts at first but the Moderate NAT still appeared.
I increased the timeout on the UDP protocol to 1800 sec to troubleshoot as I found that the NAT type went from Open to Moderate if there was no activity. E.g. I booted up with an Open NAT, played for a couple hours, I stopped matchmaking, stayed in Halo at the screen right before you go into Matchmaking, kept the Xbox on, went to lunch, came back 30 min later, started Matchmaking, and a pop-up message warned me that my NAT was now Moderate.

Result:
The increased timeouts had no effect... Moderate NAT still appeared. I've restored the default timeouts.

I'm going to try your DMZ suggestion this Friday, and then try Bridge mode if that fails to work.
From researching this at xbox.com and bungie.net, I'm not alone. Many, many users have fought with their routers, of all makes and models, to get an Open NAT. It seems there's no single solution, and sometimes there's never one at all. Examples:
http://www.bungie.net/en-US/Forum/Post?id=2234135
by ken.louie » Tue May 28, 2013 9:49 pm
Update: Putting the Xbox in "DMZ Plus" mode did the trick. I haven't seen the Moderate NAT warning since I did this.
Thanks for your help, Chris.