Here is an update to my old NAT guide from the old forums. I added some insight gained from resolving problems in the old thread and consolidating them into this guide.
If you want to find stuff out for yourself, I can also recommend checking out Shad0wmanUK's Unofficial Guide to Xbox Live, and the Port Forward website.
Also try the troubleshooting tips below. However, if you're just curious what NAT is, and why you need it, you can scroll down (or click here) to an explanation of what NAT is, and why you currently need it to be open.
Open, moderate or strict NAT? How do I know my NAT status?
Just turn on your console, go to the "Settings" hub, then select the “System” tile in the upper left. If necessary, choose your appropriate connection type (wired or wireless), and then do a network test to Xbox Live.
If your console doesn't give you an error message about NAT, you already have an open NAT. Congratulations. You are finished here. Go play! If you experience problems with some friends, ask them to do the network test for themselves, and if they have a strict or moderate NAT, direct them here.
If your Xbox however tells you something about strict or moderate NAT, read on to hopefully resolve this.
So how do I open my NAT?
That depends on your router. Since I don't know all routers, I will give general instructions on how to get an open NAT. How you carry out these instructions on your specific router, is up to you.If in doubt, check your router's documentation or make a post. BUT! When asking here for help, please provide us the exact make andmodel of your router and modem. Just telling us you have "a Netgear WLAN router" won't help as much as telling us you have "a Netgear WGR614 v3 connected to a Motorola SB2100 cable modem", we can (hopefully) find the user manual online and help you out.
Don't forget to check out Shad0wmanUK's page, as it has lot's of router makes and models listed.
But first, try it yourself. It's really easy with most routers. Especially if they are capable of UPnP.
Use Universal Plug and Play
Look in your router's documentation to see if it is capable of UPnP (for more information on UPnP, check the NAT explanation below). If it is supported, enable it in the router's configuration. Just enable it, and you should be done (the router's documentation should have more info on how to do so).
If you continue to have a non-open NAT, look at the troubleshooting tips.
My router can't use UPnP: Manual port forwarding
If your router doesn't support UPnP, you need to manually create a port forwarding list for your router. This process is different for every router, so again: Please check your router's manual on how to do it.
A great resource of information for this is the Port Forward Website. Just find your router model in that list, and you will get a guide with pictures and detailed instructions on how to forward ports on your router.
Go to your console, and in the "Settings" hub, select the “System” tile, then “Network Settings.” If necessary, choose the connection type you use (wired or wireless) and take note of the current settings of your console.
For example, if your console is set to automatic, it might have an IP of 192.168.1.23, Subnet Mask 255.255.255.0, Default gateway of 192.168.1.1 (this is the internal IP address of your router), and the IP of the DNS is the IP of your router as well.
Take note of the IP of your console (in this example 192.168.1.23) and go to your PC.
On your PC, go to the configuration page of your router with your internet browser. Either look in the documentation of your router, or simply type in the IP of the default gateway into the browsers address bar (in our example, you would enter "http://192.168.1.1" in the address bar).
If necessary, log into the administration page of your router.
Depending on the router model, find the appropriate configuration page for port forwarding. Look for menu items "Port Forwarding", "Exposed Host", "Virtual Server", "NAT", "DMZ" or something like that.
If you find something like "Port Triggering" or "Port Mapping", this is not what you're looking for. But you're very close. Instead of "Triggering" or "Mapping" look for "Forwarding".
You should get to a configuration page, that asks for incoming port, protocol and internal IP address.
You will need to forward the following ports to the static IP of your Xbox console, that you set up earlier (and made a note of. In our example this was the 192.168.1.23)
Now forward the following ports to that IP:
- UDP 53
- TCP 53
- TCP 80
- UDP 88
- UDP 3074
- TCP 3074
Sometimes a router allows a setting for "both" TCP and UDP combined. If so, choose that to save you some work.
Whoa! Wait a minute! Opening ports! Don't all hackers use open ports to hack you?
Well, yes and no. Open ports themselves are not the real danger. Vulnerable software listening on that port is. Let's make an analogy here. Imagine your router is a large government office building. Like the immigration office, or the department of motor vehicles or something like that. Each bureau has a specific number (port number) and a very specific task (i.e. you can't go into department for motorvehicles and ask for an immigration visum or something like that).
So imagine a hacker scanning your public IP address of the router's outside (since that is the only thing the hacker can see from the Internet), and he detects that port 3074 is open since you're playing an online multiplayer match on your Xbox console.
So he goes inside the office with the number 3074 and sees a clerk with Xbox uniform hard at work managing a Halo Multiplayer match.
The hacker opens the small window at the counter, and starts to shout exploits and throws hacking tools at the clerk. The clerk just looks at the hacker and says "Sorry kid. Wrong office. I only do Multiplayer here!" and slams the windows into the hackers face.
As long as you only open the ports necessary for the applications you use (and trust), you have nothing to fear. Just think of it that way: Even if you refuse to manually open ports, right now, when you open a web page, the router has already opened an incoming port to let the website data inside to forward it to your PC. Otherwise you couldn't read this text.
So don't be afraid of opening ports. Just be careful to open just the ports you really need, and forward it to the correct device.
But I have a strict or moderate NAT and am able to play with people. Magic?!!?
Not really. The Xbox Live matchmaking service just managed to match you to a player that has an open NAT himself. And in that case it works just like that example below with the PC actively requesting a webpage. Your Xbox console just shouted to the router "Hey router! Xbox Live told me about a Halo match at 126.96.36.199, please connect me to that." and the router will do that, and since he now knows, the Xbox requested that, will automatically route the incoming traffic to the Xbox.
However, as soon as a second player with a non-open NAT joins that game (or a Live Party), it can lead to various problems.
So even if you were able to play with some folks while having a non-open NAT, make sure you get your NAT opened.
Okay, so I turned on UPnP. I manually forwarded ports to the correct IP. But it still doesn't work!
From the insight I got from the old NAT thread, these are the most common problems you encounter when trying to open your NAT.
When you signed up for your Internet service, you might have gotten a cheap (or even free) modem device with basic functions from your Internet Service Provider. Now you wanted more comfort and maybe a Wireless router. So you buy a router, connect it to the modem you got from your ISP, and all is seemingly well.
You find that you have a non-open NAT, so you log in into your new WLAN router and set up everything correctly. But it still won't give you an open NAT.
In that case, the cheap modem you got from your ISP might be a Modem with built in NAT functionality. For example some Motorola Surfboard modems are able to simultaneously connect up to 31 devices to the Internet, despite having just one ethernet port (with the help of ethernet switches).
So while you told your WLAN router to allow Xbox Live traffic to the Xbox, the Motorola router still refuses to let anyone inside.
To resolve that, you need to configure your modem for "bridging mode" or "pass through" mode. In most cases, you might even need to call your Internet provider, as a lot of modems get a custom firmware specifically made for your Internet Service Provider.
If it is not possible to configure the modem for bridging mode, try to plug the cable from the modem to the router into one of the router's LAN ports instead of the router's WAN interface. This way you circumvent the NAT routing of the WLAN router, and just need to configure the Modem's port forwarding (if possible).
If everything else fails, you probably need to buy a new "stupid" (i.e. with no NAT capabilities) broadband modem.
I use my Laptop as a wireless bridge to connect my Xbox to the WLAN router.
See above for the Double NAT problem, as the Internet connection sharing on your Laptop is basically also an additional NAT device. In order for this to work correctly you either need to configure your router to forward the Live ports to your Laptops WLAN IP address, and in the advanced settings of the shared connection, you need to forward these ports again to your Xbox console connected to the Laptop.
Or, to make things easier, instead of using Internet Connection Sharing, bridge the connection. To do that, select both your LAN and WLAN adapters on your computer (if necessary hold CTRL while clicking on each adapter). Right click on the selection and choose to bridge these interfaces.
Now just configure your router to forward incoming Live traffic directly to the Xbox's (static) IP address.
Restrictive Firewall or Intrusion Detection Systems in your router
Some routers specifically have a Firewall running on them. In my opinion this is a simple marketing ploy to convince the buyer in getting this router, since it additionally has a firewall built in.
Because, even if you turn off this firewall (or buy a device without firewall), the router itself still is a firewall. Because if you didn't specifically give the router a port forwarding list, the router will reject all incoming traffic. And this is the purpose of a firewall: Deny unintended traffic in your network.
So having a firewall enabled on a router, is like telling one bouncer at your disco to allow your friends inside for a multiplayer match, while telling a second bouncer to make sure no one ever gets past that other bouncer. Not even your friends.
A similar problem is with Intrusion Detection Systems (IDS). These tools are there to defend your network from malicious attacks. But since attackers aren't marking their attacks as malicious (just imagine a terrorist asking the guard if it's OK if he just goes in there and blows up the building), IDS systems try to look for patterns, that could be an attack.
Now if you initiate a multiplayer match, a lot of different IP adresses are suddenly asking your network if there is still room in your match for another player. The pattern of a lot of "strangers" suddenly asking for access into your network could be mistaken as a Distributed Denial of Service attack, and therefore the router will block these requests.
So just turn off these "security" features of your router.
Two or more Xbox consoles for multiplayer at the same time
If you have two or more Xbox consoles that are supposed to play online multiplayer at the same time, the router is stuck with the same dilemma as with the quiet listen server in the "What is this NAT thing anyways" explanation below. If there are incoming Xbox Live data packets to the router, to which console should these packets be sent? Xbox 1 or Xbox 2?
Let's make an analogy: Your router's public IP address is the street address of an apartment complex. In that building you have two men named "John Smith".
Now if the postman comes with a packet for "John Smith" at that street address (but no apartment number), and the postman sees two Mr. Smith on the doorbells, he just throws away the packet and goes away. Both consoles have a strict NAT.
The problem? You can manually only configure port forwarding rules for one specific port to only one specific destination.
To keep with the analogy: This would mean that one Mr. Smith puts a sticker on his doorbell reading "All packets to John Smith to me here!"
This way, only that Mr. Smith with the sticker on his doorbell will get all packets (the one Xbox having an open NAT), while the other Mr. Smith still won't get any packets.
Placing the other Xbox into a DMZ (De-Militarized Zone) is like the other Mr. Smith camping outside the apartment complex near the doorbells, and grabbing every Packet for any Mr. Smith himself before the mailman reaches the doorbells.
Depending on how the router priorizes DMZ or Port Forwarding over the other, the mailman could still tell the camping Mr. Smith, that the sticker on the doorbell reads to deliver packets for Mr. Smith there instead of the camping Mr. Smith.
Either way, one of the both Xbox consoles will always have a non-open NAT.
The only solution to this problem is to use a router with a very good implementation of UPnP.
Unfortunately, not all routers with UPnP are able to support two (or more) Xbox consoles. Therefore, Microsoft has tested several routers, and those that were able to support multiple Xbox consoles, got a certification and an official "Compatible with Windows 7/Vista" sticker.
On the support site there is a list of compatible routers that support two consoles.
So if your router does not have UPnP, or if it has UPnP and still one or both consoles show a non-open NAT, you need to buy a new router.
Also keep in mind, that the Games for Windows Live Client on a PC uses the same Xbox Live ports for multiplayer. Even if you don't have two consoles, this might be the problem.
I think I followed these instructions correctly, but it still won't work
If you think you did everything right, and already checked for the most common problems, specifically the double NAT problem above, feel free to post here, and ask for help.
But please, in order to help you, you first need to help us, by describing your network setup as specific as possible.
Try to describe all devices that your Xbox needs to traverse in order to reach the internet. Please use the full model name of the device(s).
A bad request for help would be "HELP! I have that Netgear router, and I can't play online!"
A good request for help would be something like this: "Help! I have a Netgear WGR614 v3 router connected to a Motorola SB 2100 cable modem. My console can connect to Xbox Live, but complains about moderate NAT. I can't play Black Ops with my friends!"
The more we know about your network setup, the better we can help. So please help us help you! Thank you!
What is this NAT thing anyways?
NAT is an acronym for Network Access Translation. It's purpose is to allow multiple devices in your home to access one internet line and be connected online simultaneously. Those with enough networking knowledge, please keep in mind, that this explanation is intentionally kept simple, and oversimplifies the whole process, so the average "I don't want to become a Cisco Certified Network Associate, I just want to play Black Ops with my friend!" can easily relate to what's happening in his home network.
While IPv6 resolves most of the problems described below, keep in mind that currently nearly all Internet Service Providers (and Xbox) still only use IPv4 for private home users, and will do so for quite some time.
As you might already know, each device on a TCP/IP network (and the Internet is just a very large network) needs to have its own unique IP address. When you sign up for Internet service with your Internet provider, you usually get one connection to the Internet, and it's only one IP address. But since you want your Laptop, your PC, your Xbox 360 and many other Internet aware devices in your home to connect online, you may begin to see the problem. It's not possible for your Internet provider to give all your devices unique IP adresses, as you would need to tell him about each new device you buy, and IPv4 adresses are basically "sold out". All IPv4 numbers are currently given out.
To resolve this, you usually get a router from your Internet provider, that does NAT. The interface, that connects to the Internet (called WAN Interface, for Wide Area Network) recieves this unique public IP address visible from the Internet. I's basically the "street address" of your home for the Internet.
On the "inside" of your home, the router gives private IP adresses to the devices connected to its LAN ports (for Local Area Network). So your PC, Xbox, Laptop and internet aware fridge will get an IP address from certain reserved IP ranges. Usually IP Adresses in the range of 192.168.XXX.YYY or 10.XXX.YYY.ZZZ.
To better explain what NAT does, let's make an example.
You are sitting on your PC and want to go to http://www.xbox.com, while your sister is doing homework on her Laptop and wants to do some research on Wikipedia. Both of you type the adress of the websites into your browsers and hit Enter.
Your PC now shouts to the router "Hey router! I'm the PC, and I want to fetch http://www.xbox.com!". The router now takes the order, writes in a list, that the PC wanted to see Xbox.com, and relays the order to the Internet. The laptop shouts: "Hey router! I'm the laptop and want to go to http://en.wikipedia.org!", and the router also writes in the list, that the laptop wants to see the Wikipedia homepage. It then shouts to the Internet "Hey Wikipedia! I'm the router at the public IP Address 188.8.131.52 and am requesting the page for a device inside my network!".
Now xbox.com answers, and sends data to the public IP address of the router. The router now looks at its notes, and remembers, that the PC wanted to see Xbox.com. So the router forwards the incoming data to the PC. When Wikipedia answers, the data gets routed to the Laptop.
So far so good. Now there are some multiplayer games, that use so called "listen servers" (imagine an ear the computer uses to listen to incoming other players) to host a game.This means, that if you for example start a game of Counterstrike on your PC, your PC will silently listen on it's internal IP 192.168.1.20 for other players.
The problem is: No one knows that the PC is simply listening to incoming requests. In the previous example, the PC shouted out it's order to fetch Xbox.com. Now it's quietly sitting there, listening for other players.
Now imagine a router being a bouncer of a popular club with gaming consoles inside, and you, inside the club, use your cellphone to invite your friends over to the club for a gaming session.
When your friends arrive, they are stopped by the bouncer: "Stop! You are not on my guest list, and with these pants you don't get inside here."
Your friend: "But I am invited! See? My friend sent me that message, that he's playing Halo here!"
Bouncer: "I don't know you, and I don't know of any Halo match. So beat it, before I beat you!"
Your friend: "Okay, calm down! I'm going already..."
Inside you're wondering why your friends don't show up.
Had you told the bouncer that you are doing a Halo match and awaiting your friends, he could write your friends on the guest list, let them inside and direct them to the gaming area where you're waiting for your buddies to arrive.
In router language this "guest list" would be forwarded ports. So in natural language you would tell the router: "If there is incoming traffic on port 27015, this is data for a counterstrike game on the PC, and if data arrives on port 3074, it's for the Xbox 360, so please forward it that way."
The router will then do exactly that, and your console won't know a router is there, which results in an open NAT.
I hope this clears up a bit about the confusion what NAT is, and why it's not in Microsoft’s hands to "get rid" of NAT. Maybe in the (not so distant) future, the use of IPv6 gets more popular. With IPv6 any IPv6 capable device has its own unique publicly accessible IP address, so NAT isn't necessary. Until then you need to rely on UPnP or manual port forwarding to resolve your NAT issues.