Port Forwarding questions

[jondecker76]

My core is up and running stable now. I've finally finished tying in the rest of my network. The last problem I have now is with port forwarding.

Both my wife and my son have Xbox360's, and they each have their own Xbox Live accounts. For xbox live, I must forward ports TCP 3074, UDP 3074 and UDP 88. Both Xbox 360s  have static IP addresses of 192.168.80.201 and 192.168.80.202 (the DHCP in the core has been changed to stop at 192.168.80.199). Also, my external interface has a static IP address, and the ports are forwarded from my DSL modem to the core's external IP. (I know it is correct because if I unplug the core from the DSL modem and plug in an XBox 360, everything works as it should)

Now, when I set up port forwarding in the core, it does not appear to work quite right.
Here are the ports forwarded...

Code: [Select]

tcp  3074 to 3074  3074  192.168.80.201  port_forward  Delete
udp 3074 to 3074 3074 192.168.80.201 port_forward Delete
udp 88 to 88 88 192.168.80.201 port_forward Delete
tcp 3074 to 3074 3074 192.168.80.202 port_forward Delete
udp 3074 to 3074 3074 192.168.80.202 port_forward Delete
udp 88 to 88 88 192.168.80.202 port_forward Delete

Is there something I should be doing with the *limit to IP field???
Is it even possible to forward the same ports to multiple IP addresses like I have here?

thanks

Jon

[Zaerc]

It seems like you're trying to forward the same port twice to different IP numbers. 

[jondecker76]

Yes, that is exactly what I'm trying to do. Is it the right thing to do?

How can I open those ports for both of those IP addreses? (They both need them in order to use Xbox live)

[Zaerc]

Oh, sorry but as far as I know you can't.  You'd need at least two external ip numbers then I reckon.

But I'm a bit surprised that this xbox live needs to have a port exposed to the internet to begin with.  I'd expect it to be a client application that works from behind a NAT firewall.  So are you sure this is even needed?

[jondecker76]

yes, its needed unfortunately.

Why can't you forward ports to 2 IP addresses?

[teedge77]

that would be similar to to being on vacation and trying to forward your mail to two places....theres only one piece of mail...how can it go to two places?youre saying "anytime you see this send it here"....you cant say send it to here and here....

[jondecker76]

thanks - makes sense now.

[Venom986]

I'm pretty sure that as long as you set up iptables to allow existing connections back in things will work okay.  I can't imagine you actually need to forward the ports, just make sure they aren't blocked by the firewall.  sadly I can't quite remember the terminology iptables uses for this functionality; but basically its that if you have established a connection from within your network to the outside, then responses are allowed back through.

[colinjones]

I think the important point you mention here is that when you plug the xbox360's directly that they work. Can you confirm that both of them work at the same time when you do this? If yes - then you do not need port forwarding, because as Zaerc and teedge77 say, it isn't possible to forward the same port/external IP address to two different locations. They are working because they are making _outbound connections_ and are not being firewalled by your core. Outbound connections don't require port forwarding.

I seriously doubt that xbox live requires inbound initiated connections, it would be very unusual and brain damaged design cos it would mean that you couldn't have 2 or more xboxes in your home unless you had 2 or more external (and static) IP addresses - very few people would have this.

Having said this, I don't really understand why it isn't working behind your core. Outbound connections should just go through, and the statefulness of the firewall allows returning packets back in. This is normal for firewalls, but statefulness with UDP sessions can be a bit problematic because they don't really have sessions as such at the network layer, its more at the application layer. That being said, I wouldn't imagine that the core's firewall couldn't handle it...

Come to think of it - if you have tried to add these unnecessary port forwards and created an invalid duplicate, that would be confusing matters. Start by removing those, and remove the NAT on your DSL modem. This would be the correct config for outbound initiated connections. But in that configuration, you then need to add a static route to your DSL modem telling it how to get to your 192.168.80.0 network otherwise the packets will never make it back to the core in the first place.

Rambling!

1. Seriously doubt you need port forwarding/NATing
2. Remove your port forward rules on your core
3. Remove your NAT on your DSL modem
4. Add a static route on your DSL modem to point the 192.168.80.0/24 network to the external IP address of your core
5. Confirm you can browse the Internet from a device on your "internal" LMCE network.

This should fix it

[jondecker76]

I have spoken to Xbox Live support, and yest those ports do need forwarded. Though I'm not entirely sure why it is needed, NAT is one of the most important things in the xbox live settings. There is a test you can run from the console..  When it tests NAT on the Xbox360 that has port forwarding enabled for it, the NAT tests as "Open"
Without the port forwarding, the NAT is "Strict".

In order for both my wife and my son to play in the same game and lobby at the same time, they both must have an "Open" NAT.

Now, they can still use Xbox Live, they just can't play in the same game/lobby together at the same time.

I guess I will just have to keep it as it is. This was all verified on the phone with Xbox live - I do agree its pretty stupid to have suck a requirement on their xbox live system, but unfortunately they do.

[colinjones]

OK, so it is brain damaged design.... should I really be surprised.. .Microsoft...

I'm still not really sure whether you are saying that both xboxes work at the same time when not behind the core. But... it doesn't change the fact that it isn't possible to forward the same incoming TCP connections from Live to two different internal machines. There is no way for the DSL router to know which one to send the connection to. So I would be surprised if the DSL router even allows you to configure 2 conflicting NATs like this. But even if it did, it wouldn't actually work - only one or the other could work.

How have you setup the NAT(s) on your DSL router? A TCP session is uniquely identifyed as a "socket" by the combination of the IP address and port number. You've said the port is fixed, and I'm presuming you don't have 2 public Internet IP addresses, so there is no way for the router to distinguish between TCP sessions for the 2 xboxes... very curious on how you have done this if both are working at the same time...

[jondecker76]

Both do work at the same time - one fully working (has the port forwarding).. The other one does not have port forwarding - yes, it does still work, but it has crippled functionality.

So in the end, it turns out that you can use xbox live without port forwarding, you just loose some functionality such as picking which game to connect to, etc... We had never noticed this before because we only had one in the house. But we added the 2nd one and couldn't figure out why we couldn't get an "Open Nat".  Oh well, now we know.. Not much we can do about it short of paying for another IP address from the DSL company

[colinjones]

You could check with xbox live and see if they can change the incoming port number for one of your profiles. Then you could set up 2 NATs and distinguish between the 2 TCP sessions, sending them to the correct xbox. Or just ask xbox live how the hell they expect the average person with 1 IP address to set up 2 xbox lives!

Either way, I am a bit suspicious of why xbox live need an inbound connection for the functionality you mention. Doesn't seem to me like an inbound is necessary... wonder what they get from it....

Also, there's probably a socks proxy service out there somewhere on the Internet that you could get to remap the port through a PAT and then forward to your IP address, setup the separate NAT to your other xbox then update xbox live with the IP address of the proxy service... not sure how successful that would be.

[JahT]

You may have already read these:

No mention of port forwarding here:
http://forum.teamxbox.com/archive/index.php/t-236332.html

but here they talk about only applying static ip and port forwarding to only one of the boxes:
http://www.gamespot.com/forums/show_msgs.php?board_id=909102864&topic_id=25965059