XBox Live problem - 2wire NAT is not open

OK, I don't have an XBox 360, so I can't test this, but I did a lot of research tonight on this issue because this has been an ongoing question/problem that has been posted several times on the forum.  Here are a few facts and my recommendation:

• The reason that the XBox 360 is very particular about the NAT on the user's router is due to the way the XBox 360 connects to other users to play a game.  While the XBox Live servers are used to register and coordinate game play, the actual internet communication between XBox 360 consoles is peer-to-peer for several of the communication streams.
• Even though a lot of XBox 360 communication is initiated from inside the firewall (i.e. the connection is outbound, and therefore the port opens automatically), this is sometimes not enough for proper game play, because multiple other XBox 360's have to send packets back to yours on that open port.  Many routers will not allow a packet from just anyone on the Internet to come back in on that open port.  Many routers will specifically only allow packets coming back in from the same source port as the initial outbound packet was directed to (if your router restricts inbound packets like this, then the NAT type is labeled "moderate").  Some routers go further and will only allow packets coming back in from the same source port AND the same source IP address as the initial outbound packet was directed to (if your router restricts inbound packets like this, then the NAT type is labeled "strict").  If your router is not restricting inbound packets by source port or IP address, then the NAT type is labeled "open".
• The XBox 360 is smart enough to compensate for moderate and strict NAT types if the majority of the other people who have joined the game are open NAT types.  Where problems occur is when multiple people in the game have moderate or strict NAT, then the gameplay won't work properly.  Thus, the preferred setup is to have an open NAT type, because this makes it such that your XBox 360 can join and stay connected to any game on the Internet, regardless of other people's NAT types.
• For routers that support Universal Plug and Play (UPnP), the XBox 360 can direct the router to open ports such that the NAT type will be open.  However, as has been mentioned before:
• UPnP is a security nightmare, because there is no authentication, authorization, or logging for UPnP requests to the router.
• The 2Wire routers that AT&T uses do not support UPnP anyway.
• Microsoft has some documentation in several places for how to open ports on your router if your router does not support UPnP.  Unfortunately, these directions are incorrect, and open far more ports than are necessary for proper operation.

Here is the proper method to open ports on the 2Wire routers for the XBox 360.  This should give you an open NAT.

1. Open a web browser, browse to the URL of your U-Verse® Residential Gateway (usually http://192.168.1.254).
2. Click the Settings tab at the top.
3. Click the Firewall label in the second row of tabs.
4. Click the Applications, Pinholes, and DMZ label in the third row of tabs.
5. Click on your XBox 360 under section (1).  You will probably have to identify it by its IP address.
6. Click the Allow Individual Applications button under section (2).
7. Click Add a New User-Defined Application.
8. Type "XBox 360 Live" in the Application Profile Name field.
9. Select TCP for the protocol.
10. Type 3074 in the Port From and Port To fields.
11. Leave the Protocol Timeout field blank.
12. Leave the Map to Host Port field blank.
13. Do not select anything in the Application Type pull-down.
14. Click the Add to List button.
15. Select UDP for the protocol.
16. Type 3074 in the Port From and Port To fields.
17. Leave the Protocol Timeout field blank.
18. Leave the Map to Host Port field blank.
19. Do not select anything in the Application Type pull-down.
20. Click the Add to List button.
21. Select UDP for the protocol.
22. Type 88 in the Port From and Port To fields.
23. Leave the Protocol Timeout field blank.
24. Leave the Map to Host Port field blank.
25. Do not select anything in the Application Type pull-down.
26. Click the Add to List button.
27. Click the Back button.
28. Reselect your XBox 360 under section (1).  You will probably have to identify it by its IP address.
29. Click the Allow Individual Applications button under section (2).
30. Click "XBox 360 Live" in the Application list.
31. Click the Add button.  XBox 360 Live will now be listed in the Hosted Applications list.
32. Click the Save button at the bottom.

Now reboot your XBox 360, you should have an open NAT type.

This procedure opens only the necessary ports on your router (3074 TCP/UDP, and 88 UDP), and directs them to the XBox 360 only, not to the whole network.  Thus, the security implications are minimal.

Hopefully, this procedure should work for you.  Please post your results so that we know if this is solved or not.

Here are two of the references where this information is further discussed:

http://forums.xbox.com/xbox_forums/b/engineering_blog/archive/2011/06/21/nats_2d00_and_2d00_xbox_2d00_live.aspx

http://compnetworking.about.com/b/2008/11/15/tcp-and-udp-port-numbers-for-xbox-live.htm

---

@tinalms2001 wrote:
You might want to also explain this to the AT&T tech support folks. As they are telling me that it does not matter that I assign a port to be open on a specific IP address that it will be open for everything. Well not with their gateway. It would be great if I could do that then both xboxes would work. However I cannot assign the same open ports to 2 different IP addresses with their 2wire gateway. It does not support what they sell as in the u-verse xbox set to run your u-verse through the xbox and then actually use the xbox for online gaming. Xbox will work great with u-verse if you are a hermit one person household. Now in the real world where many homes have more than one person and more than one xbox or gaming computer or playstation whatever it may be. you cannot play online with 2 at the same time. One is fine but 2 not gonna happen. As the 2nd one will have a strict NAT that will not allow you to join game sessions. So until AT&T can figure this out and their tech support can actually be useful I would not recommend u-verse to anyone. Maybe they should go and take pointers from Comcast, Wow, and even time warner they all know how to make it work without an issue!!!!

---

You cannot port forward the same port from one public IP address through a NAT gateway to two different private addresses.  It cannot be done, regardless of the vendor of the router.  To accomplish what you want the RG has to have two different public addresses to route the same port to two devices inside the home.  Once you have that, there is no port forwarding configuration needed, just opening the ports in the RG FW.

---

@gregzoll_1 wrote:
Sorry, but if you follow Microsoft's instructions, it will leave you open for open ports on your firewall. I have hooked up hundreds of systems, and never had a issue with leaving it as is, and they work.

All you have to do is disregard the whole NAT "Moderate" issue, and you will be fine. The games will work just fine with leaving them as is.

---

If Microsoft believed opening ports for the Xbox were a security issue, they wouldn't tell you to do it. Here's a post from a guy on the Xbox forums that explains why you should open up just the ports Microsoft identifies (and forward to the Xbox only), and why it's not a security risk. He also explains why you may sometimes be able to play with others on Xbox Live even if your NAT is set to strict or moderate.

http://forums.xbox.com/xbox_forums/xbox_support/f/9/t/157383.aspx