Xbox Live Help


Xbox Live Help

Walt Elam
I'm running pf on OpenBSD 5.2 and am unable to get a successful connection to Xbox Live. According to the documentation I found here: http://support.xbox.com/en-US/xbox-360/networking/network-ports-used-xbox-live

I need to forward ports 88 (UDP), 3074 (UDP/TCP), 53 (UDP,TCP), and 80 (TCP) to the xbox360. This seems simple enough but I have been unsuccessful.

So far I have tried using pf rules found on calomel.org (https://calomel.org/pf_config.html), as well as rules/suggestions from an article on nuxx.net (https://nuxx.net/blog/2009/01/06/xbox-live-open-nat-using-pf-on-openbsd/). As a last resort I tried installing and enabling miniupnpd, which also failed to solve my problem. I'm really not sure what I'm doing wrong, so here is the relevant portion of my PF config (the xbox360 gets a static IP of 192.168.13.120, which I've verified on the xbox itself):

ext_if  = "re0"
int_if  = "em0"
xbox360 = "192.168.13.120"

xbox_out_udp = "{ 53, 88, 3074 }"
xbox_out_tcp = "{ 53, 80, 3074 }"
xbox_in_udp  = "{ 53, 88, 3074 }"

match out on $ext_if from $xbox360 to any received-on $int_if \
    nat-to ($ext_if:0) static-port
match out on $ext_if from $localnet nat-to ($ext_if)

# Redirect xbox live ports to the xbox
pass in on $ext_if inet proto udp from !($ext_if) \
    to ($ext_if) port $xbox_in_udp rdr-to $xbox360

# Pass in traffic for the xbox
pass in quick on $ext_if inet proto udp from !($ext_if) \
    to $xbox360 port $xbox_in_udp
pass in quick on $int_if inet proto udp from $xbox360 to any port $xbox_out_udp
pass in quick on $int_if inet proto tcp from $xbox360 to any port $xbox_out_tcp
pass out quick on $int_if inet proto udp from any to $xbox360 port $xbox_in_udp

In addition, I have posted my full pf.conf, as well as a tcpdump of the traffic when trying to connect to Xbox Live. With my limited knowledge it appears that the kerberos connection is failing, but I really don't know.

pf.conf: see attached or http://pastebin.com/UBmZnqYn
tcpdump: see attached

Lastly, I hooked my xbox360 straight up to the modem and was able to successfully connect, so it does appear to be an issue with my firewall config.

Does anyone have a working config that allows an Xbox Live connection, or can anyone see what I'm doing incorrectly? I've been trying lots of different things for a few days and am at a loss as to what I'm doing wrong.

Thanks,

-Walt

xbox_live_fail.log (15K) Download Attachment
pf.conf.xbox (14K) Download Attachment

Re: Xbox Live Help

Teemu Rinta-aho
On 5.12.2013 3:16, Walt Elam wrote:
> I need to forward ports 88 (UDP), 3074 (UDP/TCP), 53 (UDP,TCP), and 80
> (TCP) to the xbox360. This seems simple enough but I have been unsuccessful.

Hi Walt,

I don't do exactly the same, but almost. Check out my pf.conf at

http://www.rinta-aho.org/blog/?p=364

There you can see that I forward certain ports to machine named "core7".

I also use 3 separate VLANs to the cable modem to get 3 (out of 5 that
I pay for) different IP addresses from the ISP. 1 is mapped to PS3, one
to a PC "core7", and the rest share the third IP address. So, there
is some extra complexity in my pf.conf.

Hope it helps.

Teemu











Re: Xbox Live Help

Walt Elam
Thanks Teemu, I gave some similar rules a shot but was unable to get it working.

I'm still tweaking things and trying them, I'll update if I get it figured out.

Thanks,

-Walt



Re: Xbox Live Help

Walt Elam
One more update:

I opened up the tcpdump traffic in Wireshark and it appears that the Xbox is failing on Kerberos. I see an AS_REQ, then AS_REP, then the traffic alternates between TGS_REQ and TGS_REP then fails. It seems like the xbox is failing to successfully get the ticket from the TGS.

Are there special rules I need in order to ensure Kerberos works properly?

-Walt



Re: Xbox Live Help

Teemu Rinta-aho
Hi Walt,

unfortunately I don't have specific knowledge either on Xbox or
Kerberos... I can only wish you good luck! (Or switch to Playstation ;-))

BR,
Teemu


--
Teemu Rinta-aho                    Tel:    +358 40 562 3066
Langenintie 9 as. 3                E-mail: [hidden email]
28400 Ulvila, Finland                      [hidden email]

Re: Xbox Live Help

Stuart Henderson
In reply to this post by Walt Elam
Rather than looking at a tcpdump of packets that make it through, try looking at blocked packets instead. Add 'log' to any block rules and try 'tcpdump -netttipflog0'.
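
The check suggested above, as an added example that is not part of the original post: a small Python summary of pflog output showing which rule, interface and port account for blocked packets to or from the console. The log lines are constructed, and the line layout is assumed to be what OpenBSD's tcpdump prints for pflog0 with the flags quoted above; an empty result means the console's traffic is not hitting any logged block rule.

```python
import re
from collections import Counter

XBOX = "192.168.13.120"  # console address from the original post

# Constructed sample of `tcpdump -netttipflog0` output (not from the thread's
# attachments); external addresses are documentation ranges, rule numbers made up.
SAMPLE = """\
Dec 09 04:30:01.101010 rule 4/(match) block in on re0: 203.0.113.7.3074 > 192.168.13.120.3074: udp 48
Dec 09 04:30:01.204000 rule 4/(match) block in on re0: 203.0.113.7.3074 > 192.168.13.120.3074: udp 48
Dec 09 04:30:02.000150 rule 4/(match) block in on em0: 192.168.13.120.49152 > 198.51.100.20.5050: udp 61
Dec 09 04:30:02.500000 rule 4/(match) block in on re0: 198.51.100.9.51515 > 192.168.13.50.22: S 1:1(0) win 16384
Dec 09 04:30:03.000000 rule 9/(match) pass in on em0: 192.168.13.120.88 > 198.51.100.30.88: udp 220
"""

LINE_RE = re.compile(
    r"rule (?P<rule>[\w.]+)/\((?P<reason>[^)]+)\) (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>(?:\d+\.){3}\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>(?:\d+\.){3}\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)")

def parse(line):
    """Return a dict for one pflog line, or None if it is not a rule hit."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    # Heuristic: tcpdump prints "udp N" / "icmp: ..." but no keyword for TCP.
    rec["proto"] = ("udp" if rest.startswith("udp") else
                    "icmp" if rest.startswith("icmp") else "tcp")
    return rec

def hits_for_host(lines, host, action="block"):
    """Count logged rule hits where host is the source or the destination."""
    hits = Counter()
    for rec in filter(None, map(parse, lines)):
        if rec["action"] != action or host not in (rec["src"], rec["dst"]):
            continue
        # Key on what has to change in pf.conf: rule, direction, interface, port.
        hits[(rec["rule"], rec["dir"], rec["ifname"],
              rec["proto"], rec["dport"])] += 1
    return hits

if __name__ == "__main__":
    for key, n in hits_for_host(SAMPLE.splitlines(), XBOX).most_common():
        print("rule %s %s on %s %s dport %s: %d packet(s)" % (*key, n))
```

Passing action="pass" gives the same breakdown for rules that carry "pass log", which helps when nothing shows up as blocked.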


Re: Xbox Live Help

Walt Elam
My pseudo solution was to put the xbox in its own vlan and then to pass all traffic to/from that vlan. It's working, albeit with a "Strict NAT" according to the Xbox.

Previously I was logging all blocked packets but none of the xbox traffic was matching any block rules. I'm still not sure what was going on.

It's not the solution I wanted, but it's the one I got.

-Walt


Re: Xbox Live Help

secucatcher
In reply to this post by Walt Elam
hi
it was working for me years ago with static-port

example:
nat on vr0 from 192.168.0.33 to any -> (vr0) static-port
nat on vr0 from 192.168.0.34 to any -> (vr0) static-port

rdr on vr0 inet proto udp from any to vr0 port 88 -> 192.168.0.33
rdr on vr0 inet proto { tcp, udp } from any to vr0 port 3074 -> 192.168.0.33
rdr on vr0 inet proto udp from any to vr0 port 3658 -> 192.168.0.34

I don't remember exactly; one is for Xbox and one for PlayStation, but you will find it easily
cheers

