houston01 (Scholar • 133 Messages)

Tuesday, December 24th, 2013 2:45 AM

NAT=Strict/Moderate/Open

1) I've been reading the multiple posts on the forum about multiple Xboxes in one house (including somejoe's detailed solution). Many posts reference NAT and Strict/Moderate/Open. I've never seen the words Strict/Moderate/Open on the gateway webpage. Is it a user setting that I can control through the router, or is it a status that is derived from some other setting? If it is a router status display, is it based upon some configuration from the Xbox?

2) I've read enough to know that I can't have an Xbox One and Xbox 360 online at the same time, but since I only have one gamer and he can't be on two systems at once, is it possible to set it up so both systems would work as long as they are used at different times? (I'm assuming the answer is no, which means that every time he wants to play the "other" Xbox I would have to go into the U-verse gateway settings and reassign the gaming pinhole to the "other" Xbox.) (I'm not sure if this makes a difference to the answer, but my gateway is the Motorola NVG589.)

Accepted Solution (Official Solution)

Expert • 9.4K Messages • 10 years ago

2) Yes, that is correct. Even though only one system would be used at a time, you would have to go to the U-Verse gateway every time and redirect the ports to the other XBox. That's probably impractical, thus a UPnP router would be recommended.

1) The labels for NAT types of "Strict", "Moderate", and "Open" are terms invented by Microsoft and used by other gaming console manufacturers like Sony for the PS3/PS4. They are not official or defined networking terms, and thus do not appear in any router configuration. However, they do have specific meaning. They refer to how the security algorithm in the network address translation (NAT) code running inside the router treats incoming packets.

In a NAT router, the router must keep track of the "endpoints" of all conversations so that packets can be routed to the correct host. An "endpoint" is the combination of an IP address, a protocol (TCP or UDP), and a port number. The router uses this memorized information about each conversation to route packets.

Let's look at an example. Let's have an internal network of 192.168.1.0/24, and an outside IP address of 99.99.99.99. Let's say there are two hosts on the inside network, 192.168.1.10 and 192.168.1.20, and they both want to bring up the www.google.com web page.

Host #1 at 192.168.1.10 sends a packet to www.google.com, a TCP packet, with a source port of 10000, and a target of www.google.com with a destination port of 80 (HTTP). The router memorizes these two endpoints as conversation A:

Conversation A: 192.168.1.10:10000 -> www.google.com:80.

The router also chooses a port that it will use for this conversation on the outside IP address, let's say it chooses 30000. The memorized NAT entry now looks like this:

Conversation A: 192.168.1.10:10000 -> NAT to 99.99.99.99:30000 -> www.google.com:80.

Google's web site answers the web request, and sends back a packet to 99.99.99.99:30000. The router recognizes that incoming packet based on the port (30000), and uses the table entry above to translate the target IP address and port to 192.168.1.10:10000 and send the return packet to the correct host.

Now let's say that host #2 at 192.168.1.20 also needs to talk to www.google.com, and also happens to choose a source port of 10000.  The router makes a new NAT entry that looks like this:

Conversation B: 192.168.1.20:10000 -> NAT to 99.99.99.99:30001 -> www.google.com:80.

Return packets from Google will come to port 30001, which is enough for the router to differentiate this packet from the other conversation (conversation A). The router will use the NAT table entry to change the destination endpoint on the return packet to 192.168.1.20:10000 and send the packet to host #2.

Now, the question is, is there a security problem that would allow some malicious attacker to exploit these memorized conversation entries?  It turns out that different routers use different algorithms to handle incoming packets.

Security consideration X: Suppose that Conversation A has been memorized by the router, and I try to talk to host #1 from a different IP address. Suppose I send a TCP packet to 99.99.99.99:30000 from my endpoint, 101.101.101.101:80 (same source port, but a different source IP address). Will the router let my packet through, even though it thinks that the conversation is supposed to be talking to Google?

Security consideration Y: Suppose I go further, and send a TCP packet to 99.99.99.99:30000 from endpoint 101.101.101.101:40000 (different source port AND different source IP address).  Will the router let this packet through?

The way the router handles these return packets based on the memorized conversation entry is very important to console gameplay, because the data streams for playing the game are mostly peer-to-peer, and everyone is behind a NAT router.  Each console has to communicate with the others, and there is no good way to open ports automatically for inbound traffic (exception: UPnP, but many routers do not have this).

Microsoft decided to label the different ways that the NAT routing code can handle these packets as follows:

If the router will allow inbound packets to a memorized conversation from any source port and any source IP address (i.e. In security consideration Y, the router routes the packet), then the NAT type is labeled as "Open".

If the router will allow inbound packets to a memorized conversation from any source IP address, but the source port must match (i.e. in security consideration X, the router routes the packet, but in security consideration Y, the router drops the packet), then the NAT type is labeled as "Moderate".

If the router drops any inbound packet that doesn't precisely match both the source port and source IP address (i.e. in both security consideration X and Y, the router drops the packet), then the NAT type is labeled as "Strict".

Since the NAT type is a function of the routing and NAT code, it is generally not a behavior that can be altered for any particular router.  The only way to create the equivalent of an "Open" type on a router whose native code presents a "Moderate" or "Strict" NAT type is to manually open ports on the router for inbound traffic, and direct those ports to the XBox (or other console).

Most consumer NAT routers, including the 2Wire/Pace and Motorola units that AT&T uses for U-Verse service, have NAT/routing code that results in a "Moderate" NAT type. Opening ports will work on these routers for one console. For more than one console, a UPnP router set up behind the U-Verse router is required.

Some business-class and enterprise routers have code that results in a "Moderate" NAT, but many, including the Cisco IOS, result in a "Strict" NAT type.
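The NAT table and the three inbound-filtering rules described in the accepted solution, as an added worked example in Python (not code from the post or from any router vendor). It memorizes conversation A exactly as laid out above (192.168.1.10:10000 mapped to 99.99.99.99:30000 toward www.google.com:80), then replays Google's legitimate reply and security considerations X and Y against an "Open", "Moderate" and "Strict" router. The class and function names are my own; the addresses and ports are the post's.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (IP address or hostname, port)

@dataclass
class NatEntry:
    internal: Endpoint   # e.g. ("192.168.1.10", 10000)
    remote: Endpoint     # e.g. ("www.google.com", 80)


class Nat:
    """Toy TCP NAT table keyed by the public-side port it hands out (30000, 30001, ...)."""
    def __init__(self, public_ip: str, policy: str, first_port: int = 30000):
        self.public_ip, self.policy, self.next_port = public_ip, policy, first_port
        self.table: Dict[int, NatEntry] = {}   # public port -> memorized conversation

    def outbound(self, src: Endpoint, dst: Endpoint) -> int:
        """Inside host opens a conversation; memorize it and return the public port used."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.table[port] = NatEntry(src, dst)
        return port

    def inbound(self, src: Endpoint, dst_port: int) -> Optional[Endpoint]:
        """Packet arrives at public_ip:dst_port from src; return the inside endpoint it is
        forwarded to, or None if the router drops it under its filtering policy."""
        entry = self.table.get(dst_port)
        if entry is None:
            return None                          # no memorized conversation on that port
        ip_ok = src[0] == entry.remote[0]
        port_ok = src[1] == entry.remote[1]
        if self.policy == "open":                # any source IP, any source port
            allowed = True
        elif self.policy == "moderate":          # any source IP, but the port must match
            allowed = port_ok
        else:                                    # "strict": both must match
            allowed = ip_ok and port_ok
        return entry.internal if allowed else None


def run_considerations(policy: str) -> Dict[str, Optional[Endpoint]]:
    """Replay the post's scenario: conversation A, Google's reply, then tests X and Y."""
    nat = Nat("99.99.99.99", policy)
    ext = nat.outbound(("192.168.1.10", 10000), ("www.google.com", 80))   # -> 30000
    return {
        "reply": nat.inbound(("www.google.com", 80), ext),   # legitimate return packet
        "X": nat.inbound(("101.101.101.101", 80), ext),      # other IP, same source port
        "Y": nat.inbound(("101.101.101.101", 40000), ext),   # other IP, other source port
    }
```

Under "open" all three packets reach host #1; under "moderate" only the reply and X do; under "strict" only the reply does, which is the table the post gives in words.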

Scholar • 133 Messages • 10 years ago

Thank you Joe.  Very interesting and helpful.

I'm not going to go the UPnP route based upon your prior advice. If anyone else needs further proof, this somewhat recent article might be all you need.

www.forbes.com/sites/andygreenberg/2013/01/29/disable-a-protocol-called-upnp-on-your-router-now-to-avoid-a-serious-set-of-security-bugs/

Mentor • 44 Messages • 10 years ago

I recently added a separate router behind my RG just for the purpose of enabling UPnP for an Xbox 360 and an Xbox One. Both Xboxes show an Open NAT. The router is the only device that's in the DMZ of the RG, and the Xboxes are the only devices that connect to the router. Does this minimize the security risk of using UPnP since it's only enabled for the Xboxes?

Expert • 9.4K Messages • 10 years ago

Yes, if you must use a UPnP router, connecting only the gaming consoles to the router will minimize any security risks.

The main security risk from UPnP is that if a computer that is behind a UPnP router is compromised, then additional ports can easily be opened on the router by the attacker using the compromised computer and the UPnP protocol. However, with no computers behind the UPnP router (only game consoles), this risk is eliminated since the gaming consoles themselves are unlikely to be hacked.

Scholar • 133 Messages • 10 years ago

I've got lots of Cat5e wires running through the house, so I'm intrigued by the possibility of adding another router specific to gaming devices only, but I am unclear on the set-up.

1) I'm assuming the Motorola NVG589 will still be the dhcp "router" for the DVR, STB, computers, and iPad's in the house.

2) I'm assuming that UPnP router that I would have to buy would connect to one of the ethernet ports on the NVG589.

3) I'm assuming that I would connect the "xbox 360" and the "xbox one" directly to the UPnP router that I would be buying.

4) The Motorola NVG 589 has a different webpage console, I see no mention on DMZ, do I use the cascaded router settings?

5) For the Motorola NVG 589 do I turn-off the Firewall NAT/Gaming "service" specific to XBox 360 Live?

I didn't read all the threads on the Xbox forum, but it sounds like not all routers are created equal when it comes to multiple Xboxes in one house. One of the threads I read recommended one of 3 Netgear routers: WNR2000, WNDR3400, WNDR3700 (they listed other brands for not working so well). Fortunately these are not state of the art, so they are pretty cheap.

6) Any guess as to why only some routers support the UPnP that Xbox live likes?

7) Do I have to do any port forwarding on the UPnP router?

8) I went into the Xbox settings and set manual IPs rather than automatic, 192.168.1.60 and 192.168.1.61, so it would be easier to reassign/toggle the NVG 589 firewall gaming service to the Xbox 360 or Xbox One, but hopefully I won't do that anymore. Any reason I can't keep the manual IPs now that I've set them?

Expert • 9.4K Messages • 10 years ago

1) Yes, but there will be a separate DHCP server and separate IP subnet on the gaming router, which will hand out different IP addresses to the consoles.
2) Yes
3) Yes
4) No, you will use the IP Passthrough option on the Motorola gateway, which is the equivalent of DMZPlus option on the 2Wire/Pace gateways.
5) Shouldn't matter if the IP Passthrough is set up, but I'd go ahead and turn it off anyway.
6) UPnP in general has large security problems, people are better off without it if at all possible.
7) No, the purpose of UPnP is to avoid having to port forward at all.
8) Once the IP Passthrough is set up to the new UPnP router and the consoles are plugged into that, switch the consoles back to DHCP.

Scholar • 133 Messages • 10 years ago

1) somejoe, can you clarify step two for me. I'm taking an ethernet cable and plugging it into, say, port 2 on the Motorola gateway, and there are 5 ports on the new UPnP router, 1 yellow labeled Internet and 4 orange. Do I plug into the single yellow or one of the 4 orange on the UPnP?

2) Is there a link to a representative post that I can read that discusses IP Passthrough?

Expert • 9.4K Messages • 10 years ago

You will use the yellow port labeled Internet.

See the following post for an example of how to use IP Passthrough with the Motorola gateways (NVG510 and NVG589):

https://forums.att.com/t5/Features-and-How-To/NVG510-Bridge-Mode/m-p/2928989#M29846

Scholar • 133 Messages • 10 years ago

I found these two links,

http://forums.xbox.com/xbox_forums/xbox_support/f/9/t/157383.aspx

www.unofficialguidetolive.co.uk/faqs/228-xbox-live-certified-hardware

somejoe777's link (below) is also very helpful (see his accepted solution, which also cites his sources).

http://forums.att.com/t5/Residential-Gateway/XBox-Live-problem-2wire-NAT-is-not-open/m-p/3449081#M9319

-----------------------------------------

Microsoft pulled their recommended router list from their forums, which is why I included the second link (xbox-live-certified-hardware). I'm going to give the Netgear WNR2000 a whirl (other posts I saw have had good luck with it).

Scholar • 133 Messages • 10 years ago

Somejoe:

I've read all 3 pages of the suggested post.

There are many well-intentioned comments in the post, but a few of them have conflicting recommendations.

As far as IP Passthrough on the Motorola 589, a post from 11/21 recommends setting Allocation Mode="passthrough" with the passthrough mode set to DHCPS-dynamic, and the post on 12/18 recommends Allocation Mode="default server" and using a default server internal address.

Any thoughts?
