Scapegoatee
Wireless XBOX Behind a Sonicwall Router - NAT ISSUE

Hello Experts,

Help me out will you.

I'm using a TZ 100 Sonicwall Router, and have an Xbox connecting to it wirelessly. I lost A DAY to reading every sonicwall guide, online solution, nothing works.

When I run the Xbox diagnostic I'm getting STRICT NAT. How do I open it?

I've created a static IP for the console, and created a group of services according to the appropriate ports needed, and set the NAT policy and firewall allow rule from WAN to WLAN, and nothing. Is this the best way to achieve this, or is there a more straightforward way?

The ONLY thing which makes any difference is ticking on CONSISTENT NAT under the VOIP settings. Interestingly, NAT goes from strict to moderate with that.

I know this can be done, other questioners here have had success, just couldn't understand how.

Please solve this for me will you experts.


Many Thanks
uescomp

It's just a simple port forward to the console (IP).


Here is an example for 1 vs 100:  http://portforward.com/english/routers/port_forwarding/Sonicwall/TZ-170/XBOX360_1_vs._100.htm

The ports you want to allow are the following:

88 (UDP)

3074 (UDP and TCP)

53 (UDP and TCP)

80 (TCP)
Scapegoatee

ASKER

Sadly not that straightforward. Sonicwalls are corporate-grade firewalls and need some special handling to simulate UPnP which you'd get through common routers.

I have all the ports you mentioned gathered as a service group, but no change in the NAT.

Of interest to a sonicwall expert maybe, the NAT policies that I created are seeing traffic counting up and down toward the xbox object. But the firewall rule WAN to WLAN using the services mentioned, is not seeing any traffic.

Have I done something wrong?

Thanks
☠ MASQ ☠
Are you using the Xbox MAC to identify it to the Sonicwall or its IP?


I suspect with your current arrangement getting NAT as moderate is the best you'll achieve.

Have you thought about creating a guest network for the XBox with its own virtual wireless AP? (A kind of DMZ locked to the Xbox MAC) then you could add a rule for WAN WLAN / WLAN WAN with a ports rule of "any to any" rather than specific entries - probably the closest you'll get to uPNP with the enhanced SonicOS.
Hey Masqueraid,

Must be a reason you're top of the leaderboards over here huh? :)

That sounds exactly like what I should try.

What are the steps? And I agree, but what's the logic? Why is a separate network any different to creating the service rules on the current one?

Happy to try though..
Oh and I used the XBOX MAC to lock it to an IP, if that helps.

What do you think about the traffic over the firewall rule that I mentioned before I try the guest network? NAT POLICIES seem fine, as does the XBOX OBJECT, but maybe it's my FIREWALL RULE that's incorrect - or is that traffic always 0?

Screenies coming..

Thanks Again

P.S. Do you know how I retag the question to reinclude routers and sonicwall to open it out maybe?
Service-Group.JPG
NAT-POLICIES.JPG
POLICY-DETAIL.JPG
FIREWALL-RULE.JPG
RULE-DETAIL.JPG
Thanks pal.

Yes, I was reading through that guide just before I posted. The three solutions seem to be about different aspects though, so I found it unclear as to which actually resolved the issue.

It seems they, as you recommended, steered toward a separate virtual network. It's the bit after that I'm unclear about:

"anything WLAN > WAN will be allowed.  It's WAN > WLAN that's the real problem.  if you create your address object for one MAC, then you can run the public server wizard to allow some bogus service into your WLAN host.  then, go back and modify the NAT and access rules to include the address group that contains all the MACs and then allow Any service."

Anything from MAC onward confuses me :)

Thanks for spreading the word. It does seem people have had success in the past, but I can't find a single straightforward case explaining the resolution.

If we get anything to work here, I will certainly write up a detailed step-by-step of how we arrived at it.

Thanks Again
So do we think Virtual Guest Network is the way to go? If so how do I configure the rules specifically for it?
Hello - Got your email. What you are trying to get the SW appliance to do is support uPnP which is a common feature of many other SOHO type firewalls. SW appliances do not support uPnP which is what allows the XBox to communicate effectively through the firewall to the Internet. Here is the official SW dope on the matter, http://bit.ly/TEU2AB.

What the entry you linked to above and in the email was referencing was "opening" the WAN to WLAN to "simulate" uPnP on the SW appliance. I had instructed parmor to choose a bogus service as in any service because (I think this was true then) the "Any" service was not available when running the Public Server Wizard. So, you had to go back and modify the NAT policies and Firewall rules to Any. I just ran the wizard and see the "Any" option is now available.

Additionally, I was having them use MAC address as opening the WAN > WLAN in this manner on the Sonicwall is not considered secure. So, using a specific MAC address is a little more secure. If something happened and another device got the same IP as the rules and policies, then that device would be opened to the WAN. The probability of getting the same MAC is possible but very unlikely. If the xbox has a static IP then you can use that. You could also do a DHCP reservation on the SW to assign the same IP to the xbox.

To modify the original steps: Anything WLAN > WAN will be allowed. It's WAN > WLAN that's the real problem. Create a destination address object for the xbox MAC. Then you run the public server wizard selecting that address object and the "Any" service. Running the Public Server Wizard will ensure there are the appropriate firewall rules and NAT policies created.

Regarding the virtual WLAN, you could create a virtual WLAN to isolate this type of traffic and further secure your network. It's up to you how much you want to do here. What I'd recommend at this point is to just get it working. You could go back and add other steps to further secure your network once you know how to set things up.

Give that a go and report back your results or report back if you have any other questions.

Thanks for giving me the opportunity to help!
Thanks digitap
Good timing - I'm about to be off the site for a day or so (and had pretty much emptied out any SW stuff I had left in my head anyway :)
And thank you both of you - unsurprisingly, a very helpful and proactive community - and you two have been superb.

Opportunity - I don't think so - thank you Digitap for taking the time to address an old concern for a new naive user. Very generous.

I'll try the first process you describe tonight, and report back.

So far, I have the console DHCP reserved by its MAC address. Wasn't quite sure if it was the right thing, but I lowered the general IP range of the router from ending .255 to .250, and then made the MAC address of the console assign a static of .251, just outside the range. It wouldn't accept within the range so I thought that was the right thing to do - was it?

So with that setup, if I read you right, I need to run the Public Server Wizard and follow your steps pointing to that object, and it will create the rules for me? Excellent, here's hoping.

Otherwise I'm quite curious to try the guest network approach..

This is not even my console, it's a lodger, but I'm enjoying exploring the wilds of SW configuration with your guidance.

You're awesome, bye for now.
Correct. Follow the steps and it should be as I've indicated.

The times I deploy a virtual WLAN is when I need to deploy a guest wireless network along side my corporate network. Then, I can control who connects, where they go and when traffic is allowed to the Internet. Unless that's the case, or in the event you have devices connected that are less securely connected to the WAN, then you really don't need the virtual WLAN. Of course, unless you merely want to learn how to set it up.

Here are links for setting up VAPs for Corp and Guest.

Corp: https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5801
Guest: https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5798
Stolen away for the weekend, so will report back come the week..
Aaagh.. no joy this path regrettably Digi.

I used the Wizard, chose Public Server, chose other so that I could select a service, chose ANY, typed in the private IP of the console, left what it had for the public, and hit go.

The new NAT rules it created are both getting traffic. But NAT on the console side is still strict. The ONLY thing which changes this is checking the ENABLE CONSISTENT NAT box under VOIP. This switches it from STRICT to MODERATE. Maybe if I could understand what services or DNS function that option had, I could get to the bottom of how it is being blocked?

If we now go the GUEST NETWORK route, can I create a DMZ zone on the guest for the console to sit inside - or is it essentially the same as I now have - new NAT policies and access?

Thanks so much for your thoughts again..
Found this:


Configuring Consistent Network Address Translation (NAT)

Consistent NAT enhances standard NAT policy to provide greater compatibility with peer-to-peer applications that require a consistent IP address to connect to, such as VoIP. Consistent NAT uses an MD5 hashing method to consistently assign the same mapped public IP address and UDP Port pair to each internal private IP address and port pair.

For example, NAT could translate the private (LAN) IP address and port pairs, 192.116.168.10/50650 and 192.116.168.20/50655 into public (WAN) IP/port pairs.

With Consistent NAT enabled, all subsequent requests from either host 192.116.168.10 or 192.116.168.20 using the same ports illustrated in the previous result in using the same translated address and port pairs. Without Consistent NAT, the port and possibly the IP address change with every request.
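The mapping behaviour the quoted SonicOS text describes, as an added toy model (not SonicOS code and not from anyone in this thread): a consistent NAT derives one public port per private IP/port pair from a hash and reuses it for every destination, while a plain NAT may allocate a fresh port per destination. The two-peer probe at the end is the kind of check a STUN-style NAT test performs; all addresses and the port range are constructed.

```python
"""Constructed model of consistent vs. per-destination NAT mapping."""
import hashlib

PUBLIC_IP = "203.0.113.5"          # constructed WAN address (TEST-NET-3)
PORT_RANGE = (40000, 50000)        # constructed translated-port pool


def consistent_port(private_ip, private_port):
    """Endpoint-independent mapping: a hash of the private pair picks the port,
    so the same private IP/port always lands on the same public port."""
    digest = hashlib.md5(f"{private_ip}:{private_port}".encode()).digest()
    lo, hi = PORT_RANGE
    return lo + int.from_bytes(digest[:4], "big") % (hi - lo)


class Nat:
    def __init__(self, consistent):
        self.consistent = consistent
        self.table = {}                 # mapping key -> translated public port
        self.next_port = PORT_RANGE[0]  # sequential allocator for the plain NAT

    def translate(self, src, dst):
        """Return the public (ip, port) used for a packet from src to dst.
        Consistent NAT keys the mapping on src only; plain NAT keys it on
        (src, dst), so every new destination gets a new public port."""
        key = src if self.consistent else (src, dst)
        if key not in self.table:
            if self.consistent:
                self.table[key] = consistent_port(*src)
            else:
                self.table[key] = self.next_port
                self.next_port += 1
        return (PUBLIC_IP, self.table[key])


def classify(nat, src):
    """Send to two different peers and compare the public pairs they observe.
    One shared pair is endpoint-independent mapping (what peer-to-peer apps
    need); differing pairs is endpoint-dependent mapping, the most restrictive
    kind, which NAT tests report as the strict/symmetric category."""
    peers = [("198.51.100.10", 3074), ("198.51.100.20", 3074)]
    seen = {nat.translate(src, p) for p in peers}
    return "endpoint-independent" if len(seen) == 1 else "endpoint-dependent"
```

Mapping is only half of what such a test grades; which inbound packets the firewall admits to that mapping (filtering) decides whether it ends up rated open or merely moderate, which matches the thread's observation that the tick box alone never gets past moderate.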
SOLUTION
digitap
So, when you enable consistent NAT, are you saying things start working?
Just a thought, depending on how the current plan goes re losing strict/moderate NAT. What about using Transparent Mode to put the Xbox into effectively its own, MAC identified, DMZ?

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=5979&catID3=215&catID2=588&catID1=143
Hello Again Experts,

Thank you for persevering. I'm inclined not to be beaten too, especially with such a teasing challenge.

1. Yes, almost Digi. That guide is the first I followed, and it does indeed shift the NAT result from strict to moderate, but I'm looking for open. I also realised, that all of the forwarding involved is irrelevant. I reset to a plain configuration, and just ticked the Enable Consistent NAT box and it went to moderate anyway - that tick box truly is the only thing to have an effect. It is because it does that I believe this is soluble.

2. Transparent mode sounds really interesting, ideal maybe. My question is, can it be done wirelessly? From what little I know, if you set up a plain Jane DMZ as a new interface, then it's assigned to one of the physical ports and you have to plug in to access it. A wireless interface is a different selection so they can't be DMZ and WLAN at the same time. This transparent mode seems a way around that, but how do I then put the console in the range of the DMZ if it's not wireless, will it allow it?
I don't believe you can put a WLAN zone on a DMZ. What you COULD do is setup a DMZ port and attach WAP to the port. Let the WAP act as a wireless bridge and then connect your XBOX wireless using a public IP address. In theory it should work...
Any chance you could explain the merits of Transparent Mode and how I might use it?
OK, progress, kind of..

I created a DMZ interface on an unassigned port. Hooked up an Access Point in Bridge mode, allowing only the console MAC address as client. The new IP range is set, the firewall access rules seem fine, DMZ to WAN open for instance.

The console connects perfectly to the dhcp, but EXACTLY the same story. STRICT with VOIP ticked, MODERATE with?!!

I mean, is there something fundamental we're missing here? Nothing seems to get around this security restriction. I mean this is from WITHIN the DMZ now - how tight do SW want to be??

Any thoughts guys?
SOLUTION
True true.

Maybe I'll wrap this up then as we tried everything? Transparent Mode is my only curiosity..

Moderate NAT is a pain. He can't matchmake smoothly, and hooking up with friends is inconsistent, and that's what the box is for!
When an interface on the SW is configured in transparent mode, you can configure a host connected to that interface with a public IP address. You can then connect your XBox to the port configured in transparent mode and give it a public IP. This allows the device to bypass NAT'ing performed by the sonicwall.
I should really refresh before responding. So, you configured a port on the SW in transparent mode and connected the wireless bridge? Did you configure the device with a public IP address?
Thanks Digi, this sounds worth one last shot.

So I have the DMZ interface configured, and the AP setup. What do I change to  give transparent mode a try?
If I set the DMZ to transparent, I need to set a range - what should I choose and how does it relate to the DHCP ranges? Do I then have the console reserve an IP within that range by its MAC address?

Any guidance appreciated..
..and me :) (re: refresh)

I configured the DMZ in static mode, not transparent. It's the public IP, or what to do with the IPs that I don't get..
ASKER CERTIFIED SOLUTION
No real solution here regrettably. Excellent advice and support, but a kind of insoluble challenge from the off. For those of you attempting to open SW routers, save yourself the time, and switch router.

Thanks Everyone
Sorry. There was a time when this worked, so it's clear SW has locked down their hardware.

Thanks for the points!
Thanks to digitap for running with this :)
I've been off the radar for a while, so glad to help. Mostly doing cleanup stuff.