
XBOX Live (XBL), JunOS, NAT and a Juniper SRX210 on Comcast

11/29/11 | by Cory Schruth [mail] | Categories: Juniper, XBOX

After two months of my better half threatening to jettison my Juniper SRX210H router into the Columbia River, I finally tracked down why my XBOX 360 was reporting a "Strict NAT" connection type.

Here are a few notes that might help others get an "Open NAT" connection to XBOX Live with a router running JunOS:

1. I use Comcast for my residential home Internet connection.  Comcast will not provide more than one IP for residential connections in Oregon or SW Washington, so you must use it wisely.

2. I also use PAT (port forwards) to reach other devices on my network, which means I can't dedicate my only Comcast-provided public IP to a 1:1 (static) NAT for the XBOX.

3. I followed the guidance of many who tried before me and wrote about it. Notably, these blog entries were extremely helpful, but not exactly what I needed to solve the problem:

http://www.networkengineerdigest.com/2011/07/05/how-to-configure-a-juniper-srx-for-xbox-live/

http://forums.juniper.net/t5/SRX-Services-Gateway/SRX210-and-Port-Forwarding-for-XBox-and-PS3-Help/td-p/78246

http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/SSG-5-and-Xbox-Live/td-p/944

4. After contacting a friend who works for Microsoft, he did some digging and came back with comments that let me isolate the issue: apparently you must enable source port persistence for the (very custom) XBOX Live IPSec tunnel to work. The XBOX sends UDP from source port 3074 and receives traffic on destination port 3074, so when the traffic goes through the NAT it must stay on UDP port 3074 for both the destination AND the source.

5. I'm running the latest version of JunOS available as of this writing, 11.4R1.6. This may or may not work for you on other versions.

6. My Comcast modem is plugged into ge-0/0/0 and all other ports on the router are on the "Home" side.

7. If your WAN IP changes, you will need to update the configuration to match under [edit security nat source pool xbox address]; the pool address is static even though ge-0/0/0.0 gets its address from DHCP.

8. The only port that needs a destination NAT (port-forward) rule is UDP/3074.

9. Here are the applicable portions of my configuration (source NAT rules are evaluated in order within a rule-set, so the /32 rule for the XBOX sits ahead of the /24 rule for the rest of the LAN):

groups {
    home {
        interfaces {
            <*> {
                unit 0 {
                    family ethernet-switching {
                        port-mode access;
                        vlan {
                            members vlan3;
                        }
                    }
                }
            }
        }
    }
}
system {
    host-name r1;
    services {
        ssh;
        dhcp {
            pool 10.0.0.0/24 {
                address-range low 10.0.0.100 high 10.0.0.254;
                router {
                    10.0.0.1;
                }
            }
            propagate-settings ge-0/0/0.0;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
    ge-0/0/1 {
        apply-groups home;
    }
    fe-0/0/2 {
        apply-groups home;
    }
    fe-0/0/3 {
        apply-groups home;
    }
    fe-0/0/4 {                          
        apply-groups home;
    }
    fe-0/0/5 {
        apply-groups home;
    }
    fe-0/0/6 {
        apply-groups home;
    }
    fe-0/0/7 {
        apply-groups home;
    }
    vlan {
        unit 3 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            pool xbox {
                address {
                    ### Set this to your DHCP-assigned IP from ge-0/0/0.0
                    ### with a mask of /32.
                    255.255.255.255/32;
                }                       
            }
            port-randomization disable;
            rule-set snat {
                from zone trust;
                to zone untrust;
                rule xbox {
                    match {
                        ### The IP Address of the XBOX.
                        source-address 10.0.0.20/32;
                    }
                    then {
                        source-nat {
                            pool {
                                xbox;
                                persistent-nat {
                                    permit target-host;
                                    inactivity-timeout 180;
                                }
                            }
                        }
                    }
                }
                rule lan {
                    match {
                        source-address 10.0.0.0/24;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool xbox-3074 {
                address 10.0.0.20/32 port 3074;
            }
            rule-set dnat {
                from interface ge-0/0/0.0;
                rule xbox-3074 {
                    match {
                        destination-address 0.0.0.0/0;
                        destination-port 3074;
                        protocol [ udp ];
                    }
                    then {
                        destination-nat pool xbox-3074;
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {      
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                vlan.3;
            }
        }
        security-zone untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}
applications {
    application xbox-live-udp-53 {
        protocol udp;
        destination-port 53;
    }
    application xbox-live-tcp-88 {
        protocol tcp;
        destination-port 88;
    }
    application xbox-live-udp-88 {
        protocol udp;
        destination-port 88;
    }
    application xbox-live-tcp-3074 {
        protocol tcp;
        destination-port 3074;
    }
    application xbox-live-udp-3074 {
        protocol udp;                   
        destination-port 3074;
    }
    application-set xbox-app-set {
        application xbox-live-udp-53;
        application xbox-live-tcp-88;
        application xbox-live-udp-88;
        application xbox-live-tcp-3074;
        application xbox-live-udp-3074;
    }
}
vlans {
    vlan3 {
        description "Home LAN";
        vlan-id 3;
        l3-interface vlan.3;
    }
}
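The same NAT pieces in set form, as an added example that is not part of the original post, followed by the operational commands used to check that the mapping really looks the way item 4 requires, and a tighter inbound policy than the any/any one above (it uses the xbox-app-set the post defines but never references). Only r1, ge-0/0/0.0, 10.0.0.20 and the pool, rule-set, rule and application names come from the post; 73.0.0.1 is a made-up stand-in for the DHCP-assigned WAN address, and the user name in the prompts is arbitrary.

```junos
## Added example, not from the original post. 73.0.0.1 stands in for whatever
## address ge-0/0/0.0 currently holds; "user" is an arbitrary login.

## 1. Find the current WAN address (the source pool does not track DHCP):
user@r1> show interfaces ge-0/0/0.0 terse

## 2. Source NAT: fixed pool for the XBOX, interface NAT for everyone else.
##    Delete the old pool address first, otherwise "set" ADDS a second one.
##    Rule order matters: the /32 rule must be listed before the /24 rule.
user@r1> configure
user@r1# delete security nat source pool xbox address
user@r1# set security nat source pool xbox address 73.0.0.1/32
user@r1# set security nat source port-randomization disable
user@r1# set security nat source rule-set snat from zone trust
user@r1# set security nat source rule-set snat to zone untrust
user@r1# set security nat source rule-set snat rule xbox match source-address 10.0.0.20/32
user@r1# set security nat source rule-set snat rule xbox then source-nat pool xbox
user@r1# set security nat source rule-set snat rule xbox then source-nat pool xbox persistent-nat permit target-host
user@r1# set security nat source rule-set snat rule xbox then source-nat pool xbox persistent-nat inactivity-timeout 180
user@r1# set security nat source rule-set snat rule lan match source-address 10.0.0.0/24
user@r1# set security nat source rule-set snat rule lan then source-nat interface

## 3. Destination NAT: only UDP/3074 comes in, straight to the console.
user@r1# set security nat destination pool xbox-3074 address 10.0.0.20/32 port 3074
user@r1# set security nat destination rule-set dnat from interface ge-0/0/0.0
user@r1# set security nat destination rule-set dnat rule xbox-3074 match destination-address 0.0.0.0/0
user@r1# set security nat destination rule-set dnat rule xbox-3074 match destination-port 3074
user@r1# set security nat destination rule-set dnat rule xbox-3074 match protocol udp
user@r1# set security nat destination rule-set dnat rule xbox-3074 then destination-nat pool xbox-3074

## 4. Inbound policy: permit only what DNAT just translated to the console,
##    matched against the post's xbox-app-set, instead of any/any/any.
##    Policy lookup happens after destination NAT, so match the private IP.
user@r1# delete security policies from-zone untrust to-zone trust policy untrust-to-trust
user@r1# set security zones security-zone trust address-book address xbox 10.0.0.20/32
user@r1# set security policies from-zone untrust to-zone trust policy xbox-in match source-address any
user@r1# set security policies from-zone untrust to-zone trust policy xbox-in match destination-address xbox
user@r1# set security policies from-zone untrust to-zone trust policy xbox-in match application xbox-app-set
user@r1# set security policies from-zone untrust to-zone trust policy xbox-in then permit

## 5. Stop offering every management service (ssh included) to the Internet
##    on the untrust zone; the DHCP client still needs its replies.
user@r1# delete security zones security-zone untrust host-inbound-traffic
user@r1# set security zones security-zone untrust host-inbound-traffic system-services dhcp
user@r1# set security zones security-zone untrust host-inbound-traffic system-services ping
user@r1# commit and-quit

## 6. Verify while the console is signed in to Live.
user@r1> show security nat source rule all
user@r1> show security nat destination rule all
user@r1> show security nat source persistent-nat-table all
user@r1> show security flow session destination-port 3074
```

The persistent-NAT table is the check that matters for item 4: it lists the internal address and port (10.0.0.20:3074) next to the reflexive, public-side address and port the SRX actually handed out, so you can see the external port rather than assume it. The flow session listing confirms the inbound DNAT sessions are landing on the console. Steps 4 and 5 are optional hardening that goes beyond the post; the post's any/any inbound policy works because the SRX denies everything not explicitly permitted and the only inbound traffic that reaches the trust zone is what the DNAT rule translates, but with `host-inbound-traffic system-services all` on untrust the router's own ssh service is also reachable from the Internet, which item 6's topology does not need.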

Since this now works, I'm no longer being threatened to have my enterprise-grade router replaced with a Belkin. Phew.

Comment from: AlexG [Visitor]
Cory, this router has a DOCSIS 3 module; have you tried it, so one less box (no cable modem)? It is pricey, but I was just wondering. I just got a Cisco DPQ3925, but came to find out the VoIP part is not in the admin; I have to figure out if it's telnet or SSH configurable and how to do it. Does the SRX210 have Wi-Fi?
01/20/12 @ 20:37
