How To: Open NAT to resolve multiplayer and party problems (updated with Xbox One info)

The Xbox One is launched, and with it comes a small change in the network ports used by Xbox Live. This post is updated to reflect that. Since I don't have my One yet, I'll update the post later with instructions on how to set up a static IP on the Xbox One, if your router isn't UPnP capable.

Until then, if you want to find stuff out for yourself, I can also recommend checking out Shad0wmanUK's Unofficial Guide to Xbox Live, and the Port Forward website.

Also try the troubleshooting tips below, if you already tried to open your NAT and it still shows up as moderate or strict. And finally, if you're just curious what NAT is, and why you are currently stuck with it, you can scroll down to the last chapter (or click here) for an explanation of what NAT is, and why you need it to be open.


Table of contents:
How do I know my NAT Status?
How do I open my NAT ...
... with Universal Plug and Play (UPnP)? This is the easiest and recommended method!
... by manual port forwarding/DMZ?

Troubleshooting
- Double NAT (two routers or having to use 3G/4G Internet or some ISPs with Carrier Grade NAT)
- Issues with using a Laptop with Internet Connection Sharing
- Firewall or Intrusion Detection enabled on the router
- Two or more Xbox consoles in the house
- The instructions didn't work and I need help!

What is NAT anyways?


Open, moderate or strict NAT? How do I know my NAT status?

Just turn on your console, go to the "Settings" Hub on the far right, then select the "System" tile in the upper left. If necessary, choose your appropriate connection type (wired or wireless), and then do a network test to Xbox Live.

If your console doesn't show you an error message about NAT, you already have an open NAT. Congratulations! You are done here. Go play! If you experience problems with some friends, ask them to do the network test for themselves, and if they have a strict or moderate NAT, direct them here.
 

If, however, your Xbox tells you something about strict or moderate NAT, read on to hopefully resolve this.

 

So how do I open my NAT?

That depends on your router and network configuration. Since I can't possibly know all routers, I will give general instructions on how to configure your router to get an open NAT. How you carry out these instructions on your specific router, is up to you. If in doubt, check your router's documentation or make a post. BUT! When asking here for help, please provide us the exact make and model of your router and modem. Just telling us you have "a Netgear WLAN router" won't help as much as telling us you have "a Netgear WGR614 v3 connected to a Motorola SB2100 cable modem". That way we can (hopefully) find the user manual online and help you out.

Also, don't forget to check out Shad0wmanUK's page, as it has lots of popular router makes and models listed with instructions on how to configure them properly, as well as the Portforward website. Keep in mind, however, that this page often shows you an advertisement for their PFConfig software to buy it. You do NOT need to buy this tool if you don't want to! The tool just automatically does for you what you do in this guide manually!

So let's try to open your NAT yourself. It's really easy with most routers. Especially if yours is capable of UPnP.

Use Universal Plug and Play

This is the only method to get two or more Xbox consoles online at the same time. If you have two or more consoles and no way of using UPnP, there is unfortunately no way around getting a new router (unless your current router can be updated with a Firmware patch).

Look in your router's documentation to see if it is capable of UPnP. If it is supported, enable it in the router's configuration, and you should be done (sometimes your router needs to be restarted. If necessary, simply pull the router's power cord and plug it in again).

Some routers don't have a proper implementation of UPnP, which might be fixed in a Firmware update, so check the manufacturer website, if a newer Firmware is available for your router.

If you continue to have a non-open NAT, look at the troubleshooting tips below or if you only have one Xbox console, try manual port forwarding.

My router can't use UPnP: Manual port forwarding

This method will only work if you have only one Xbox console in your network. If you have two or more consoles, you will have to use UPnP.

If your router doesn't support UPnP, or supports it badly, you need to manually create a port forwarding list for your router. This process is different for every router, so again: Please check your router's manual on how to do it.

Another great resource of information for this is the Port Forward Website. Just find your router model in that list (ignore the "Black Ops" heading, as the ports for Xbox Live are the same for all Xbox games), and you will get a guide with pictures and detailed instructions on how to forward ports on your router.

Since you forward ports to a specific IP address in your network, we must make sure, that this IP address doesn't change on the console. Otherwise the Router will forward the ports to the wrong address, should the IP of the console automatically change for whatever reason. So you need to set the address on the console manually.

To do this, go to your console, and to the "Settings" hub on the far right. Select the "System" tile in the upper left, then "Network Settings". If necessary, choose the connection type you use (wired or wireless) and take note of the current IP settings of your console.

For example, if your console is set to automatic, it might have an IP of 192.168.1.23, Subnet Mask 255.255.255.0, Default gateway of 192.168.1.1 (this is the internal IP address of your router), and the IP of the DNS should also be 192.168.1.1 (the IP of your router as well).

Now set your console's network configuration to manual, and simply copy the settings for IP, Subnet Mask, Default Gateway and DNS into the appropriate fields.

If you want to be 100% correct, make sure you choose a static IP outside the DHCP IP-range of your router. Again, check the manual of your router for information about how the router sets up DHCP.

Take note of the IP of your console (in this example 192.168.1.23) and go to your PC.

On your PC, browse to the configuration page of your router with your internet browser. Either look in the documentation of your router, or simply type the IP of the default gateway the console has shown you into the browser's address bar (in our example, you would enter "http://192.168.1.1" in the address bar of your PC's web browser).

If necessary, log into the administration page of your router, and consult the router's manual if you are unsure.

Depending on the router model, find the appropriate configuration page for port forwarding. Look for menu items labeled "Port Forwarding", "Exposed Host", "Virtual Server", "NAT", "DMZ" or something like that.

If you find something like "Port Triggering" or "Port Mapping", this is not what you're looking for. But you're very close. Instead of "Triggering" or "Mapping" look for "Forwarding".

You should get to a configuration page, that usually asks for incoming port, protocol and internal IP address.

You will need to forward the following ports to the static IP of your Xbox console that you set up earlier (in our example, this was 192.168.1.23).

Now forward the following ports to that console IP:

  • UDP 53
  • TCP 53
  • TCP 80
  • UDP 88
  • UDP 3074
  • TCP 3074

For the Xbox One, these three additional ports are also used:

  • UDP 500
  • UDP 3544
  • UDP 4500

Sometimes a router allows a protocol setting for "both" TCP and UDP combined. If so, choose that to save you some work and create only a single rule for ports 53 and 3074.

Whoa! Wait a minute! Opening ports! Don't hackers use open ports to hack you?

Well, yes and no. Open ports themselves are not the real danger. Vulnerable software listening on opened ports is. Let's make an analogy here. Imagine your router is a large government office building with departments like the immigration office, or the department of motor vehicles. Each bureau has a specific room number (port number) and a very specific task (i.e. you can't go into the department of motor vehicles and ask for an immigration visa and vice versa).

So imagine a hacker scanning your public IP address of the router's outside interface (since that is the only thing the hacker can see from the Internet), and he detects that port 3074 is open since you're playing an online multiplayer match on your Xbox console.

So he goes inside the office with the number 3074 (as all other offices are closed) and sees a clerk with Xbox uniform hard at work managing a Halo Multiplayer match.

The hacker opens the small window at the counter, starts to shout exploits and throws hacking tools at the clerk. The clerk just looks at the hacker and says "Sorry kid. Wrong office. I only do Multiplayer here! I have no idea what you are doing." and slams the small window into the hacker's face.

As long as you only open the ports necessary for the applications you use (and trust), you have nothing to fear. Just think of it that way: Even if you refuse to manually open ports: right now, when you open a web page, the router has already opened an incoming port itself, to let the website data inside to your PC that requested it. Otherwise you couldn't read this text.

So don't be afraid of opening ports. Just be careful to open just the ports you really need, and forward them to the correct device.

But I have a strict or moderate NAT and am able to play with people. Magic?!!?

Not really. The Xbox Live matchmaking service just managed to match you to a player that has an open NAT himself. And in that case it works just like that example below with the PC actively requesting a webpage. Your Xbox console just shouted to the router "Hey router! Xbox Live told me about a Halo match at 123.45.67.89, please connect me to that." and the router will do that and, since he now knows the Xbox requested that connection, will automatically route the incoming traffic to the Xbox.

However, as soon as a second player with a non-open NAT joins that game (or a Live Party), it can lead to various problems.

So even if you were able to play with some folks while having a non-open NAT, make sure you get your NAT opened.

Troubleshooting: so I turned on UPnP. I manually forwarded ports to the correct IP. But it still doesn't work!

From the insight I got from the old NAT thread, these are the most common problems you encounter when trying to open your NAT.

 

Double NAT

When you signed up for your Internet service, you might have gotten a cheap (or even free) modem device with basic functions from your Internet Service Provider. Maybe you wanted more comfort and maybe you wanted a Wireless access point. So you buy a new (wireless) router, connect it to the modem you got from your ISP, and all is seemingly well, since you can go to websites and so on.

But you find that you have a non-open NAT, so you log into your new WLAN router and set up everything correctly. But it still won't give you an open NAT.

In that case, the cheap modem you got from your ISP might be a Modem with built in NAT functionality. For example some Motorola Surfboard modems are able to simultaneously connect up to 31 devices to the Internet, despite having just one ethernet port (with the help of ethernet switches).

So while you told your WLAN router to allow Xbox Live traffic to the Xbox, the Motorola router "in front" of the WLAN router you set up correctly still refuses to let anyone inside.

To resolve that, you need to configure your modem for "bridging mode" or "pass through" mode. In most cases, you might even have to call your Internet provider, as a lot of modems get a custom firmware specifically made for your Internet Service Provider, and you can't change anything on the modem yourself.

If it is not possible to configure the modem for bridging mode, try to plug the cable from the modem to the router into one of the router's LAN ports instead of the router's WAN interface. This way you circumvent the NAT routing of the WLAN router, and just need to configure the Modem's port forwarding (if possible).

If everything else fails, you probably need to buy a new "stupid" (i.e. with no NAT capabilities) broadband modem.

Recently, some internet providers have started to run out of public IPv4 Internet addresses for their customers, and have started to NAT their own network (known as Carrier Grade NAT). This means the ISP uses one public IP address, and "hides" most of their customers behind that one IP (just like your home router does with all your devices at home). In that case, you need to contact your Internet provider and specifically request that you get a public IPv4 Address. If that is not possible, there is no way around but getting a new Internet provider.

The same is often true for 3G/4G/MiMo/Mobile Internet users

If you live in an area with bad land-line (cable or DSL) Internet coverage, your only alternative often is a cellphone based Internet connection like 3G/4G. Some providers also offer access through a gigantic "WLAN"-like access point for a whole town, which requires a strong antenna.

Unfortunately, these mobile Internet providers face a problem, as they can't predict how many devices will connect to that access point where you live, and often NAT inside their own Data Centers (Carrier Grade NAT) as well. If that is the case for you, there is nothing you can do about it besides switching to a landline based Internet provider with enough free IPv4 addresses to give you a unique public IPv4 address.

If you want to check if your ISP is putting you behind his own NAT, browse to your router's configuration. Find the router's WAN IP address (check the router documentation again, if in doubt). Make a note of that WAN-IP address, and then browse to a page that reads your public IP address (simply Bing for "what is my ip address" or go here).

If the IP address shown on the website is different to the WAN-IP in your home router, you have a double NAT. Either your Internet Provider puts you behind a NAT, or your Modem is also a NAT device.

I use my Laptop as a wireless bridge to connect my Xbox to the WLAN router.

See above for the Double NAT problem, as the Internet connection sharing on your Laptop is basically also an additional NAT device. In order for this to work correctly, you need to configure your router to forward the Live ports to your Laptop's WLAN IP address. Then in the advanced settings of the shared connection, you need to forward these ports again to your Xbox console connected to the Laptop.

Or, to make things easier, instead of using Internet Connection Sharing, bridge the connection without using NAT. To do that on Windows, press "Windowskey + R", in the small window type "ncpa.cpl" and press OK. Select both your LAN and WLAN adapters on your computer (if necessary hold CTRL while clicking on each adapter). Right click on the selection and choose to bridge these interfaces.

Now just configure your router to forward incoming Live traffic directly to the Xbox's (static) IP address as above.

For more information on how to properly set up Internet Connection Sharing or Bridging, follow the instructions in this Post.

Restrictive Firewall or Intrusion Detection Systems in your router

Some routers specifically have a Firewall running on them. In my (personal) opinion this is a simple marketing ploy to convince the buyer into getting this router, since it has "more" functions than the other router.

You see, most non-technical people think, that a Firewall is like an Anti-Virus Software, that blocks "evil" Internet traffic from entering your network. But this is not how a Firewall works!

Even if you turn this firewall off (or buy a device without firewall in the first place), the router itself still works like a Firewall in a home user scenario! Because if you didn't specifically give the router a port forwarding list, the router will reject all unknown incoming Internet traffic. But for Multiplayer you specifically want incoming traffic to your Xbox.

The purpose for a Firewall would be, you want incoming traffic only from a small group of known Internet addresses, like for example: "Only allow the office branch in Chicago with a specific IP address access to your email server in your main office in New York, and no one else!" But since you usually want players from all over the world to join you, a restricting Firewall makes no sense for your home network.

Having a Firewall enabled on a router, is like telling one bouncer at your disco to allow your friends inside for a multiplayer match (the port forwarding rules in the router), while telling a second bouncer (the Firewall) to make sure no one ever gets past that other bouncer. Not even your friends.

A similar problem is with Intrusion Detection Systems (IDS). These tools are there to defend your network from malicious attacks. But since attackers aren't marking their attacks as malicious (just imagine a terrorist asking a policeman if it's OK if he just goes in that building there to blow it up), IDS systems try to look for patterns in network traffic, that could be an attack.

Now if you initiate a multiplayer match, a lot of different IP addresses are suddenly asking your network if there is still room in your match for another player. The pattern of a lot of "strangers" suddenly asking for access into your network could be mistaken as a Distributed Denial of Service attack, and therefore the router will block these requests.

So just turn off these "security" features of your router. In your private home network you will have no security gain from these functions.

Two or more Xbox consoles for multiplayer at the same time

If you have two or more Xbox consoles that are supposed to play online multiplayer at the same time, the router is stuck with the same dilemma as with the quiet listen server in the "What is this NAT thing anyways" explanation below. If there are incoming Xbox Live data packets to the router, to which of the two consoles should these packets be sent? Xbox A or Xbox B?

Let's make an analogy: Your router's public IP address is the street address of an apartment complex. In that building you have two men named "John Smith".

Now the mailman comes with a packet for "John Smith" at that street address (but no apartment number), and he sees two Mr. Smiths on the doorbells. On the Internet, he just throws away the packet and goes away. Both consoles have a strict NAT.

The tricky part with two consoles in your network is: You can manually only configure port forwarding rules for one specific port to only one specific destination.

To keep with the analogy: This would mean that one Mr. Smith puts a sticker on his doorbell reading "All packets from Xbox Live to John Smith are to be delivered to me in this apartment here!"

This way, only that Mr. Smith with the sticker on his doorbell will get all Xbox Live packets (the one Xbox having an open NAT), while the other Mr. Smith still won't get any packets.

Placing the other Xbox into a DMZ (De-Militarized Zone) is like one of the Mr. Smiths camping outside the apartment complex near the doorbells, and grabbing every Packet for any John Smith himself before the mailman even reaches the doorbells.

Depending on how the router prioritizes DMZ or Port Forwarding over the other, the mailman could still tell the camping Mr. Smith, that the sticker on the doorbell reads to deliver Xbox Live packets for Mr. Smith there instead of the camping Mr. Smith.

Either way, one of the two Xbox consoles will always have a non-open NAT.

The only solution to this problem is to use a router with a very good implementation of UPnP.

Unfortunately, not all routers with UPnP are able to support two (or more) Xbox consoles. Therefore, Microsoft has tested several routers, and those that were able to support multiple Xbox consoles, got a certification and an official "Compatible with Windows 7/Vista" sticker.

On the support site there is a list of compatible routers that support two consoles.
 

So if your router does not have UPnP, or if it has a "bad" UPnP implementation, so one or both consoles show a non-open NAT, you need to check for an updated Firmware or buy a new router.

Also keep in mind, that the Games for Windows Live Client on a PC uses the same Xbox Live ports for multiplayer. Even if you don't have two consoles, this might be the problem.

I think I followed these instructions correctly, but it still won't work

If you think you did everything right, and already checked for the most common problems mentioned above, specifically the double NAT problem, feel free to post here, and ask for help.

But please, in order to help you, you first need to help us, by describing your network setup as specifically as possible.

Try to describe all devices that your Xbox needs to traverse in order to reach the internet. Please use the full model name of the device(s).

A bad request for help would be "HELP! I have that Netgear router, and I can't play multiplayer!"

A good request for help would be something like this: "Help! I have a Netgear WGR614 v3 router connected to a Motorola SB 2100 cable modem. My console can connect to Xbox Live, but complains about moderate NAT. I can't play Black Ops with my friends!"

The more we know about your network setup, the better we can help. So please help us help you! Thank you!

What is this NAT thing anyways?

For those wanting that extra background knowledge: NAT is an acronym for Network Access Translation. Its purpose is to allow multiple devices in your home to access one internet line and be connected online simultaneously.

Those with enough networking knowledge, please keep in mind, that this explanation is intentionally kept simple, and oversimplifies the whole process, so the average "I don't want to become a Cisco Certified Network Associate, I just want to play Black Ops with my friend!"-person can easily relate to what's happening in his home network.

While IPv6 resolves most of the problems described below, keep in mind that currently nearly all Internet Service Providers (and Xbox) still only use IPv4 for private home users, and will still do so for quite some time.

As you might already know, each device on a TCP/IP network (and the Internet is just a very large network) needs to have its own unique IP address. When you sign up for Internet service with your Internet provider, you usually get one connection to the Internet, and only one IP address. But since you want your Laptop, your PC, your Xbox 360 and many other Internet aware devices in your home to connect online, you may begin to see the problem. It's not possible for your Internet provider to give all your devices unique IP addresses, as you would need to tell him about each new device you buy, and IPv4 addresses are basically "sold out", so all your new devices can't get one anyways, as the amount of IP addresses your provider has bought is limited.

To resolve this, you usually get a router from your Internet provider that does NAT. The interface that connects to the Internet (called WAN Interface, for Wide Area Network) receives this unique public IP address visible from the Internet from your Internet provider. It's basically the "street address" of your home for the Internet.

On the "inside" of your home, the router gives private IP addresses to the devices connected to its LAN ports (for Local Area Network). So your PC, Xbox, Laptop and internet aware fridge will get an IP address from certain reserved IP ranges. Usually IP addresses in the range of 192.168.XXX.YYY or 10.XXX.YYY.ZZZ.

To better explain what NAT does, let's make an example.

You are sitting at your PC and want to go to Xbox.com, while your sister is doing homework on her Laptop and wants to do some research on Wikipedia. Both of you type the address of the websites into your browsers and hit Enter.

Your PC now shouts to the router "Hey router! I'm the PC, and I want to fetch http://www.xbox.com!". The router now takes the order, writes in a list, that the PC wanted to see Xbox.com, and relays the order to the Internet. The laptop shouts: "Hey router! I'm the laptop and want to go to http://en.wikipedia.org!", and the router also writes in the list, that the laptop wants to see the Wikipedia homepage. It then shouts to the Internet "Hey Wikipedia! I'm the router at the public IP Address 123.45.67.89 and am requesting these pages for some devices inside my network!".

Eventually the website at Xbox.com answers, and sends data to the public IP address of the router. The router now looks at its notes, and remembers that the PC wanted to see Xbox.com. So the router forwards the incoming data to the PC. When Wikipedia answers, the data gets routed to the Laptop according to the list.

So far so good. But there are multiplayer games, that use so called "listen servers" (imagine an "ear" the computer uses to listen to incoming other players) to host a game. This means, that for example you start a game of Counterstrike on your PC, your PC will silently listen on its internal IP 192.168.1.20 for other players.

The problem with that is: No one knows that the PC is simply listening to incoming requests. In the previous example, the PC shouted out its order to fetch Xbox.com. Now it's quietly sitting there, listening for other players.

Just imagine a router being a bouncer of a popular club with gaming consoles inside, and you, inside the club, use your cellphone to invite your friends over to the club for a gaming session.

When your friends arrive, they are stopped by the bouncer: "Stop! You are not on my guest list, and with these pants you don't get inside here."
Your friend: "But I am invited! See? My friend sent me that message, that he's playing Halo here!"
Bouncer: "I don't know you, and I don't know of any Halo match. So beat it, before I beat you!"
Your friend: "Okay, calm down! I'm going already..."

Inside you're wondering why your friends don't show up.

Had you told the bouncer that you are doing a Halo match and awaiting your friends, he could write your friends on the guest list, let them inside and direct them to the gaming area where you're waiting for your buddies to arrive.

In router language this "guest list" would be forwarded ports. So in natural language you would tell the router: "If there is incoming traffic on port 27015, this is data for a Counterstrike game on the PC, and if data arrives on port 3074, it's meant for the Xbox 360, so please forward it that way."

The router will then do exactly that, and your console won't know a router is there, which results in an open NAT.

I hope this clears up a bit of the confusion about what NAT is, and why it's not in Microsoft's hands to "get rid" of NAT. Maybe in the (not so distant) future, the use of IPv6 gets more popular. With IPv6 any IPv6 capable device has its own unique publicly accessible IP address, so NAT isn't necessary. Until then you need to rely on UPnP or manual port forwarding to resolve your NAT issues.
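The router behaviour described in "What is this NAT thing anyways?" and in the two-console section, as a small Python model. This is an added example, not part of the original post: the class and method names are hypothetical, the inbound filtering is deliberately strict, and the UPnP step assumes the router gives the second console the next free external port.

```python
from dataclasses import dataclass, field


@dataclass
class NatRouter:
    """Simplified home router: one public IP, private devices behind it."""
    public_ip: str
    # The router's "notes": connections a LAN device started itself.
    sessions: dict = field(default_factory=dict)
    # The "guest list": (protocol, external port) -> (LAN IP, LAN port).
    forwards: dict = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, proto, lan_ip, lan_port, remote):
        """A LAN device opens a connection; remember where replies belong."""
        ext_port = self.next_port
        self.next_port += 1
        self.sessions[(proto, ext_port, remote)] = (lan_ip, lan_port)
        return ext_port

    def add_forward(self, proto, ext_port, lan_ip):
        """Manual rule: one external port can point at only one device."""
        key, target = (proto, ext_port), (lan_ip, ext_port)
        if self.forwards.get(key, target) != target:
            raise ValueError(f"{proto}/{ext_port} already goes to "
                             f"{self.forwards[key][0]}")
        self.forwards[key] = target

    def upnp_map(self, proto, wanted_port, lan_ip, lan_port):
        """Assumed UPnP behaviour: if the wanted external port is taken,
        the device ends up with the next free one."""
        ext_port = wanted_port
        while (proto, ext_port) in self.forwards:
            ext_port += 1
        self.forwards[(proto, ext_port)] = (lan_ip, lan_port)
        return ext_port

    def inbound(self, proto, ext_port, remote):
        """Return the (LAN IP, LAN port) a packet is delivered to, or None."""
        hit = self.sessions.get((proto, ext_port, remote))
        return hit if hit is not None else self.forwards.get((proto, ext_port))


def demo():
    router = NatRouter("123.45.67.89")      # public IP from the post's example
    website = ("198.51.100.7", 80)          # constructed remote addresses
    player = ("203.0.113.50", 3074)
    out = {}
    # PC asks for a web page: the answer is matched against the notes.
    port = router.outbound("tcp", "192.168.1.20", 51000, website)
    out["reply"] = router.inbound("tcp", port, website)
    # A player knocks on 3074 before any rule exists: dropped.
    out["unsolicited"] = router.inbound("udp", 3074, player)
    # Manual forward to the console at 192.168.1.23: delivered.
    router.add_forward("udp", 3074, "192.168.1.23")
    out["forwarded"] = router.inbound("udp", 3074, player)
    # A second console cannot claim the same port manually...
    try:
        router.add_forward("udp", 3074, "192.168.1.24")
        out["second_manual"] = "accepted"
    except ValueError:
        out["second_manual"] = "rejected"
    # ...but a dynamic mapping on another external port reaches it.
    ext = router.upnp_map("udp", 3074, "192.168.1.24", 3074)
    out["second_console"] = (ext, router.inbound("udp", ext, player))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```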
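The checks from the manual port forwarding and double NAT sections (static IP outside the DHCP pool, only the listed ports forwarded and only to the console, router WAN address equal to the public address), written as a Python script. This is an added example, not part of the original post: the function names and sample addresses are constructed, and the private (RFC 1918) and carrier-grade NAT (100.64.0.0/10) ranges are standard reserved ranges that the post does not list.

```python
import ipaddress

# Ports listed in the post, as (protocol, port).
XBOX_PORTS = {("udp", 53), ("tcp", 53), ("tcp", 80),
              ("udp", 88), ("udp", 3074), ("tcp", 3074)}
XBOX_ONE_EXTRA = {("udp", 500), ("udp", 3544), ("udp", 4500)}
# Address ranges that are never reachable from the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598, carrier-grade NAT


def check_static_ip(console_ip, netmask, gateway, dhcp_start, dhcp_end):
    """Return problems with the console's manual IP settings."""
    lan = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    ip = ipaddress.ip_address(console_ip)
    findings = []
    if ip not in lan:
        findings.append(f"{ip} is outside the router's LAN {lan}")
    if ip == ipaddress.ip_address(gateway):
        findings.append(f"{ip} is the router's own address")
    if ipaddress.ip_address(dhcp_start) <= ip <= ipaddress.ip_address(dhcp_end):
        findings.append(f"{ip} is inside the DHCP pool {dhcp_start}-{dhcp_end}")
    return findings


def check_forwards(rules, console_ip, xbox_one=False):
    """rules: (protocol, port, lan_ip) tuples copied from the router's page;
    protocol is "tcp", "udp" or "both"."""
    wanted = XBOX_PORTS | (XBOX_ONE_EXTRA if xbox_one else set())
    findings, seen = [], set()
    for proto, port, lan_ip in rules:
        for p in (("tcp", "udp") if proto == "both" else (proto,)):
            if (p, port) in wanted:
                seen.add((p, port))
                if lan_ip != console_ip:
                    findings.append(f"{p}/{port} goes to {lan_ip}, not the console")
            elif lan_ip == console_ip:
                findings.append(f"{p}/{port} is open to the console but not needed")
    for p, port in sorted(wanted - seen, key=lambda r: (r[1], r[0])):
        findings.append(f"{p}/{port} is not forwarded")
    return findings


def check_double_nat(router_wan_ip, public_ip_seen):
    """Compare the router's WAN address with the address a website sees."""
    wan = ipaddress.ip_address(router_wan_ip)
    if wan == ipaddress.ip_address(public_ip_seen):
        return "single NAT"
    if wan in CGNAT:
        return "double NAT (carrier-grade NAT range)"
    if any(wan in net for net in RFC1918):
        return "double NAT (private WAN address: modem or ISP)"
    return "double NAT (WAN address differs from public address)"


if __name__ == "__main__":
    # Constructed sample values, following the post's 192.168.1.x example.
    print(check_static_ip("192.168.1.23", "255.255.255.0", "192.168.1.1",
                          "192.168.1.2", "192.168.1.100"))
    sample_rules = [("both", 53, "192.168.1.200"), ("both", 80, "192.168.1.200"),
                    ("udp", 88, "192.168.1.200"), ("both", 3074, "192.168.1.23")]
    print(check_forwards(sample_rules, "192.168.1.200"))
    print(check_double_nat("100.72.1.5", "203.0.113.9"))
```

A "both" rule on port 80 is flagged because the post lists only TCP 80; the combined TCP and UDP rule is meant for ports 53 and 3074.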
