Question

Xbox Live Frequently Disconnects on Watchguard Firewall

Asked by: lrbarrios

I've finally joined the ranks of Xbox 360 owners.  I got my 360 just before the New Xbox Experience launched in November '08.  I have a Watchguard Firebox III 700 installed on my network at home.  (The 360's network test shows my firewall to be 'Strict'.  I believe the firewall also uses Stateful Packet Inspection (SPI) technology.)  When I connect to Xbox Live (either before or after the NXE) I get disconnected within a few minutes usually.  Sometimes I can stay connected for an hour or so, but eventually I will get disconnected.  Doesn't matter what I'm doing.  I can be actively downloading from the Xbox Marketplace, sitting at the Dashboard, watching a Netflix video, or playing a game.  I hardly use it because it's so frustrating.  It seems like I spend more time re-connecting than I do actually using the console.  I know this is not a new problem and that several other people have the same problem.  I've already done the Google searches.  My original Xbox never had this problem (but... I wasn't using this model of a Watchguard firewall.  I was using a Watchguard SOHO firewall.)  So, I've been to Microsoft's support pages and learned what ports I need to forward.  I've done that.  I can see that the firewall is passing these ports to my Xbox 360 on the inside of my network.  Then, for no apparent reason... Disconnected.  When my 360 is on the inside of the network, it can see my PCs and stream media from them.  I really like being able to do that because I have about 1TB of videos and music that I can access from my 360.  Microsoft says to use an Xbox Live compatible router/firewall.  I think this is an unacceptable answer/solution.  Why can't they just tell me how to configure my device or fix their protocol issues?  Other people suggest making the 360 a DMZ host.  If I use a Linksys router, I see how to easily do that.  It looks like the router/firewall is just making an 'Any' rule from the outside to the IP of the 360 on the inside.
This seems great because my 360 would still be using a private IP on my network and therefore still be able to access the media on my PCs.  The Watchguard firewall has an Optional interface that I guess is used for this purpose.  I've configured the 360 to run on a different subnet on that Optional interface.  Since it's now on a different subnet, it can't see my PCs anymore (I can live with that, I suppose.  I'll just move the cable to the internal network when I want my 360 to access my PCs.)  I've created an 'Any' rule between the 360's new IP (on the Optional interface) and the Internet (at least I think I did it right).  The 360 can still connect to Xbox Live, but I STILL have the same disconnect issues.  WHAT can I do?  I'm about to get Wireshark out and start 'sniffing' the wire, inside and outside, and see where the breakdown is.  I've read about a lot of people that have this issue, but I haven't heard of anyone actually putting a protocol analyzer onto this problem.  I recently resolved a problem at my office between two phone switches that were talking IP with each other across the country.  The breakdown there was that sometimes the far-end device would answer back using a different destination port than the originating system specified.  Does anyone have any suggestions?  Is it possible to create a Linksys-type of DMZ Host (on the inside of the network) with a Watchguard Firebox?

Asked On: 2009-01-09 at 14:30:30 (ID 24040019)
Tags: Watchguard, Xbox Live
Topics: Watchguard Firewall, Xbox Video Game Console, Networking Hardware Firewalls

Participating Experts: 2; Points: 500; Comments: 23

Answers

 

by: andrew_aj1 | Posted on 2009-01-09 at 16:37:21 | ID: 23341718

Have you tried testing your XBox 360 without the Watchguard Firebox? Try connecting your modem directly to your XBox 360. If you still get disconnected it will be one of two things: you may have a defective XBox 360 or your ISP is filtering/blocking you.

Hopefully this will help you solve the issue. Good luck.

 

by: dpk_wal | Posted on 2009-01-10 at 21:40:12 | ID: 23347110

I think you are using the HTTP proxy and this is causing the problem; many a time the HTTP proxy service would strip headers and other content which is not specifically allowed, is non RFC compliant, or which the proxy is not able to understand. The other thing which needs to be looked at is whether your 360 requires some port to be opened; if there is any traffic which originates from the internet then we need to specifically allow that on the WG [which you have already done per the original post].

For the HTTP problem I would encourage you to use packet HTTP instead; this service would do no filtering for the outbound traffic and the corresponding inbound traffic; configure the service as below:
HTTP-packet
Enabled and Allowed; from internal-ip-of-360; to ANY

After you make this change, I would like you to keep an eye on traffic monitor and parse through the deny in messages on eth0; if any of them are from a legitimate source, then we might need to open those ports in addition. Also, for the custom service we can double check that the settings are correct.
Enable logging on the service for all inbound/outbound allowed and denied packets; and you should see the logs in traffic monitor for the same.
NAT should be configured as static NAT or 1-1 NAT in WG.
I would like to know the version number of your WG software so I can give you exact configuration steps.

Please check and update.

Thank you.

 

by: lrbarrios | Posted on 2009-01-12 at 12:34:03 | ID: 23357066

andrew_aj1: Thanks for your response.  Yes, I've connected the 360 directly to my Charter Communications cable modem and it worked flawlessly.  It has also been connected to a friend's Netgear router through DSL and worked great.  I'm pretty sure the issue is the firewall and not the 360.

 

by: lrbarrios | Posted on 2009-01-12 at 12:50:55 | ID: 23357237

dpk_wal: Thanks for your detailed response.  What you're saying about the HTTP Proxy service makes sense.  I've checked my firewall.  It's not a FB III 700 as I had previously stated.  That must be another FB that I have.  This one is a FB II Plus-S running 6.2.B1315 (from what I can tell).  I've checked my configuration and see that I am, indeed, using the HTTP-Proxy service.  If I'm reading your post correctly, you're wanting me to create a custom service called 'HTTP-Packet'.  Your instructions all make sense and I'll make the changes when I get home.  Unfortunately, my Xbox is out for repair; I probably won't have it back for several days to do some testing.  Also, where should I configure the static NAT?  Do I go into Setup/NAT/Advanced and check the 'Enable Service-Based NAT' check-box?  That's not currently checked.  Then, in the new service, how should it be set?  Thanks for your help.

I had previously (before resorting to posting this question) created the port forwards that Microsoft recommends for Xbox Live (3074tcp, 3074udp, and 88udp).  I hope your suggestions work, but I'm really getting frustrated with this.  It doesn't make sense to ditch this (old) $5000 firewall (that I otherwise love) for a simple $50 Linksys.  I'll keep you posted.  Thanks again.

 

by: dpk_wal | Posted on 2009-01-12 at 18:57:50 | ID: 23359692

When you add a service you have options to add "Proxies", Packet Filter (e.g. filteredHTTP service) and User filter [I have not worked on ver 6.x of WG software so I am not 100% sure if you do see all these options].

I want you to add filteredHTTP service.

For incoming traffic, you would have created a custom service. For allowing the traffic, you would have configured the Incoming tab on the service as:
"Enabled and allowed"; from ANY; to
Here you have two options to configure "to"; click ADD:
1. Click NAT; select the external IP from the drop-down box; then specify 360 internal IP
2. Click Add Other; and specify the 1-1 NAT public IP which you have configured for the 360.

For using 1-1 NAT you must have at least 2 or more public IP addresses; and by going to Network->NAT->Advanced->1-1 NAT you add an entry. Please note if you use 1-1 NAT, the same public IP cannot be used for static NAT and MUST be removed from the external aliases. Also, with 1-1 NAT this public IP would be dedicated to the internal machine which you configure in the 1-1 entry.

Please update per your convenience.

Thank you.

 

by: lrbarrios | Posted on 2009-01-20 at 17:00:49 | ID: 23425969

I got my Xbox 360 back from the repair depot yesterday.  I didn't have it connected for more than 2 minutes and it already got disconnected.  This was before implementing any of the changes above.  Now that I have my 360 to test with, I can start changing my firewall configuration.

I'm still a little unclear as to what you're asking me to do.  You want me to use the pre-created Filtered-HTTP service AND create a custom service and then configure 1-1 NAT?  On the custom service, what ports need to be considered?  BTW, I spoke with my ISP (Charter) about getting a second IP address for the 1-1 NAT.  They hooked me up with that, but it's another DHCP address.  I don't think that's going to work.  On top of that, it looks like it's on a different IP subnet from my first DHCP address.  Not sure what's going on there.

 

by: dpk_wal | Posted on 2009-01-20 at 20:09:36 | ID: 23426784

An IP address in a different subnet would be of little help; if you just have one public IP then we DO NOT need 1-1 NAT; you are good to use static NAT.
We would create one single custom service, which would include all ports which you listed in earlier posts, and do static NAT for the incoming traffic to the internal IP of the 360 [this internal IP should be static].

For outbound traffic, if TCP port 80 does not need to be allowed in, then we would create a filtered-HTTP service and configure it to send traffic only from 360-internal-ip to ANY; otherwise the above service would suffice.

Please implement and update.

Thank you.

 

by: lrbarrios | Posted on 2009-01-21 at 20:20:27 | ID: 23436451

Ok, I've implemented the above suggestion with no success.  Basically, dpk_wal, your solution is pretty much exactly what I had tried prior to posting, with the exception of using the Filtered-HTTP instead of the Proxied-HTTP.  Each time I tried testing the connection with the Xbox's 'built-in' network diagnostics, it says that my NAT type is still Strict.  Nothing seems to change that fact.  I see, in the Watchguard log, that the custom service is being used successfully.  I wonder what could be the problem.  I don't see any Denies (inbound or outbound) pertaining to this problem.  On the Outgoing tab of my custom service, on the drop-down that says Choose Dynamic NAT Setup, I've tried 'Use Default (Simple NAT)' as well as 'Enable NAT'.  One interesting thing that I noticed late last night was there was a deny from one of the Microsoft subnets to a destination port that I didn't recognize -- I think it was 34119.  The source port was 3074, one of the ports in the rule.  It just baffles me why a $5,000 firewall can't be configured around this problem, but a $50 Linksys can.  Another item of note... when I was reading about the ANY service in the Watchguard Reference Guide, I found this:

You also cannot use an Any service unless specific IP addresses, network addresses, host aliases, group names, or user names are used in the From or To lists -- otherwise the Any service is deemed too permissive and will not function. You can, however, use bogus network addresses which match all possible IP addresses as a work-around.

A bogus network address?  What could that be?  The software insists that the first octet be between 1 and 223.  I can't get past that.  Zeros and 255's don't work.  What could they mean by this?  This may be pointing in the direction of a solution to my problem.  This is killing me!!  Any suggestions?

Thanks.

 

by: dpk_wal | Posted on 2009-01-21 at 20:34:19 | ID: 23436523

A bogus network is something which can get around the limitation put in by the ANY Service; you can typically have a network range from 1.0.0.1-223.255.255.254 [224 and higher being used for multicast and other purposes].
In newer versions of the software, version 8.3.1 or higher, the limitation you mentioned is lifted and we can use the keyword ANY in the ANY service.

As you have created a custom service; to double check, when adding protocol/port entries, you need to select the "client port" type from the drop-down box; please make sure this is set to "ignore".
You can go to the properties tab of the custom service and double check this; if not, delete the service and add it again with "ignore" as the client port.

Or better, we can add an ANY service, configure it to forward all incoming packets from 1.0.0.1-223.255.255.254 [by clicking Add->Add Other->Host Range] to static NAT->360-internal-ip, and have outgoing as from internal-ip-of-360, to 1.0.0.1-223.255.255.254.
I would like to caution you here that there would be no firewall protection for the 360 from the firebox when using the above ANY service configuration.

Thank you.

 

by: lrbarrios | Posted on 2009-01-21 at 21:10:34 | ID: 23436695

Thanks for the quick response.  I double-checked my custom service and it does have the Client Port set to Ignore for all three port addresses: 3074udp, 3074tcp, and 88udp.
I understand the implications of creating this kind of ANY rule to the Xbox.  It seems that everyone else is putting their Xboxes out there largely unprotected and I haven't seen anything yet about Xboxes being hacked.  I'm willing to take the chance at this point.  I'm trying to create the ANY rule now, but have hit yet another snag.  I can enter the Host Range you provided in the From list, but how do I do a Static NAT for the To list?  The NAT button is dimmed out on both the Incoming and Outgoing tabs.

 

by: dpk_wal | Posted on 2009-01-22 at 02:41:31 | ID: 23438072

Ohh, my bad; I forgot about that; in older versions of the software ANY would not do NAT; sorry about that. I would suggest you try first with "ignore" for the client port and if that does not work then I will give the configuration for creating a custom service to allow all ports. I don't have access to the WG GUI at this time; I will give details later.
Please check if setting the client port to ignore solves the problem; it should help.

Thank you.

 

by: lrbarrios | Posted on 2009-01-22 at 11:42:34 | ID: 23442756

Thanks again.  Yeah, I had checked on the 'ignore' thing.  That's what I've been using.  I only got disconnected a few times last night and the night before.  It may have just been a coincidence though.  I had been running the same configuration previously with constant disconnects.  I have a WG X1000 here at the office with a much more recent version of the software.  Could I use that software to config my FB II Plus-S at the house?  When I open the Policy Manager, it warns me about having to convert the configuration file.  Several years ago, the first time I touched a FB, I trashed it because I converted the config using an incompatible version.  At least I think that's what happened.  I'm kinda gun shy now.  I'm running 8.20 B2540 client software to configure my X1000, but I can use it to view my II Plus.  This version doesn't contain an image file for my II Plus, but that might not be a problem as long as we're not going to try to flash a new image.  I just opened my II Plus from here with the new software and then tried to add the Any service.  The NAT button that was previously dimmed out (in the older version of client software) is completely missing in this new version.  Back to the drawing board?

 

by: lrbarrios | Posted on 2009-01-22 at 11:54:55 | ID: 23442905

Your idea about creating a custom service to encompass all ports is intriguing.  I think I just did it, but I'll wait to hear your solution.  Thanks again for helping me through this.  If we can get this to work, I'm sure it will help a lot of other people struggling with the same problem.  In the end, it may come down to me setting up Wireshark on both the internal and external networks and watching the conversations.  Like I said in my first post, I've seen with my own eyes how the FB has changed destination ports for no apparent reason.  The packet would come into the external interface without being denied, but when it came out of the trusted interface, it had a different destination port.  The device that the packet was addressed to didn't know what to do with the packet because it wasn't listening on that port.  It kept our phone switches between two offices from communicating properly.  For a long time I blamed the Samsung phone switch, but now I know it was the firewall.  Move the phone switch outside of the firewall and everything works great now.  This may be a similar problem (with a different FB).

 

by: dpk_wal | Posted on 2009-01-22 at 19:29:45 | ID: 23446151

We cannot use any version above 7.x as FB II is not a supported platform. I think it would be better if you leave the box at the current version. I am not 100% sure but think 7.0 was the last supported release for FB II.

I do not remember correctly if on version 8.x the ANY service supported NAT; but in version 10.x or higher it does support NAT, here is the screenshot.

Sometimes FB does change ports on incoming packets destined to the internal machines when implementing PAT. If we wish not to have port translations done by the firebox, we have a few options: configure FB not to do any NAT for a specific machine (but here you should have a public IP for this machine), or configure 1-1 NAT [in this case, as one public IP is dedicated to one internal host, the IP is masqueraded but not the ports].

Coming back to the solution, we now want to create a custom service to allow most of the ports. Please note we would need to use "Client port" as "client" in this case so we get to specify a port range; we would select 0-65535 as the port range and add both TCP and UDP protocols.
The setting "client" would make sure that the incoming packet MUST have a source port greater than 1024; only then would it be allowed through this service.
In this custom service we can do NAT.

One thing I would say is that if you are seeing destination port numbers being translated by the firebox, this would be for packets which are part of a session for which FB has an entry in the NAT table. Mostly due to this reason VOIP does not work behind FB with static NAT [again not 100% sure; if this is the case then the 360 might also have problems]. For any packet originating from the internet, FB would not change the destination port on the packet.

Please check and update on the results.

Thank you.
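The service semantics described above (a list of protocol/destination-port entries, "client port" set to "ignore" versus "client" where "client" requires a source port above 1024, and the 1.0.0.1-223.255.255.254 host range from the earlier reply used as a catch-all From list) modelled as an added example. This is not WatchGuard code and was not posted in the thread; the IP addresses and packets are constructed sample values, and the first-match evaluation order is an assumption of the model.

```python
"""Added model of how a Firebox packet-filter service, as described in this
thread, decides whether an inbound packet matches.  Not WatchGuard code; the
rule semantics come from the thread, all addresses are constructed samples."""

from dataclasses import dataclass
import ipaddress

# Constructed: the host range the thread uses as a catch-all From list on
# software whose ANY service cannot take the keyword ANY.
CATCH_ALL = (ipaddress.ip_address("1.0.0.1"), ipaddress.ip_address("223.255.255.254"))


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Service:
    name: str
    entries: tuple          # (proto, low_port, high_port) destination-port entries
    client_port: str        # "ignore" or "client"
    from_range: tuple = CATCH_ALL

    def matches(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src_ip)
        if not (self.from_range[0] <= src <= self.from_range[1]):
            return False
        # "client" means the sender must be using a source port above 1024.
        if self.client_port == "client" and pkt.src_port <= 1024:
            return False
        return any(proto == pkt.proto and lo <= pkt.dst_port <= hi
                   for proto, lo, hi in self.entries)


def evaluate(services, pkt: Packet):
    """Return ("allow", service name) for the first matching service, else ("deny", None)."""
    for service in services:
        if service.matches(pkt):
            return ("allow", service.name)
    return ("deny", None)


# The three Xbox Live ports from the thread, with client port "ignore".
XBOX_LIVE = Service("Xbox-Live",
                    (("tcp", 3074, 3074), ("udp", 3074, 3074), ("udp", 88, 88)), "ignore")
# The all-ports custom service: 0-65535 TCP and UDP, client port "client".
ALL_PORTS = Service("All-Ports", (("tcp", 0, 65535), ("udp", 0, 65535)), "client")

# Constructed sample packets.  The second mirrors the deny seen in the thread:
# source port 3074 arriving at an unexpected destination port (34119).
SAMPLES = [
    Packet("udp", "203.0.113.7", 3074, 3074),
    Packet("udp", "203.0.113.7", 3074, 34119),
    Packet("tcp", "203.0.113.7", 80, 3074),     # low source port: passes "ignore", fails "client"
    Packet("udp", "239.1.2.3", 3074, 3074),     # multicast source, outside the catch-all range
]


def decisions(services):
    """Evaluate every sample packet against a service list, in order."""
    return [evaluate(services, pkt) for pkt in SAMPLES]


if __name__ == "__main__":
    for label, svc in (("Xbox-Live only", XBOX_LIVE), ("All-Ports only", ALL_PORTS)):
        print(label)
        for pkt, verdict in zip(SAMPLES, decisions([svc])):
            print(f"  {pkt.proto} {pkt.src_ip}:{pkt.src_port} -> :{pkt.dst_port}  {verdict}")
```

Running it shows the two trade-offs the thread is circling: the narrow Xbox-Live service denies the packet to port 34119 that the log recorded, while the all-ports service passes it but, because of the "client" setting, drops anything sent from a source port of 1024 or below.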

 

by: dpk_wal | Posted on 2009-01-22 at 19:31:36 | ID: 23446158

Just forgot to clarify that when I say NAT with the ANY Service, I mean static NAT; the ANY service can always do 1-1 NAT in all versions.

Thank you.

 

by: lrbarrios | Posted on 2009-01-23 at 23:47:09 | ID: 23455529

Tried your suggestion above to create a custom service that includes all ports.  As I was creating it, I thought of a possible problem.  This was confirmed when I saved the configuration and the FB put it into effect.  Because the From says ANY, this causes ALL inbound packets to be directed to the Xbox.  That's not going to work.  I had to quickly remove the rule as there were others in the house using the Internet.  Anyway, I tried several other things.  I think I've exhausted all possibilities with this version of WG software.  It sounds like the newer software (and hardware) would be able to do what I'm trying to do because it has lifted the restrictions on the Any service.  Unfortunately, I'm stuck with this old stuff.

Tonight I decided to connect my little Linksys router up and see what it would do.  It has the DMZ Host setting that I would probably have to use (to pass-through all packets, unaltered).  I connected it and did a Xbox Live connection test (before configuring the DMZ Host).  It passed with flying colors!!  WHAT!?  My NAT is apparently 'Open' because I didn't get any errors.  I phoned an Xbox 360 friend and we got online and messed around with Photo Party and voice chat for a couple of hours with no connection issues.  Just minutes before I had switched to the Linksys (still running on the FB) we couldn't even get into a voice chat.  Every time she accepted my chat invite, it would disconnect me from Xbox Live.  Then, I would have a heck of a time reconnecting.

I'm glad that my problem has been 'fixed', but I'm disappointed that I won't be able to use my FB to monitor what's going on in my network.  I really like Host Watch and the Traffic Monitor.  The live scrolling log was nice to have, too.  I could see when someone was trying to access my stuff from outside.  Just last night I saw someone trying RDP and VNC.  I'm going to lose all of this.  Unless... I can figure out a way to still include it into the network with the rest of my network (with the exception of the Xbox) behind it.  I think this could be done easily enough.  The problem it would create (and it's minor) is that the Xbox won't be able to access the computers on the network to access multimedia content.  (That feature only works on the local network and they would be on different subnets.)  I guess I could always just move its patch cable to the inside when I want to do that.  Sigh...

 

by: dpk_wal | Posted on 2009-01-24 at 00:24:14 | ID: 23455632

Well, incoming means traffic originating from the internet and not traffic coming in response to a request sent out; anyway, we can leave that for debate later! :)

There is one solution I can offer for you, the network diagram would be like this:

Internet----Linksys----[Untrust port]WG[trust port]----other machines
                               |---360 [on DMZ]

Now normally when we do this there is double NAT, one implemented by the Linksys and one by WG; you can decide to configure WG in drop-in mode; this would give you some flexibility in configuring other things.
Please note that even in drop-in mode, all that FB does not do is NAT; it would still do all the firewall functions, so you still would need to have all the services; just that you would not have NAT configured in the service if you have any to allow incoming traffic.
For connection between the 360 and machines behind WG, you would need a service; here you can open the ANY service (if you wish) or a specific service and configure it as:
Incoming "Enabled and allowed"; from 360-nat-ip-behind-linksys; to trusted-machine(s)-ip
Outgoing "Enabled and allowed"; from trusted-machine(s)-ip; to 360-nat-ip-behind-linksys

Please note I am not sure if the Linksys by default would allow traffic from DMZ to trusted; I can read and check that if you need; please provide the Linksys router model.

Please let know if you need more details.

Thank you.

 

by: lrbarrios | Posted on 2009-01-26 at 10:18:55 | ID: 23469254

I had the same idea in my head as you just diagrammed above, but I had forgotten about drop-in mode.  Also, I did not configure the Linksys to make the 360 a DMZ host.  No special configurations have been made in the Linksys for the 360.  I've never used drop-in mode before.  If I recall correctly, it simply 'forwards' packets between the external and internal interfaces.  You say it doesn't do NAT, so then the external and internal interfaces would be on the same subnet?  If so, then the 360 and my 'internal' machines would be on the same subnet?  If this is the case, that would be totally cool.  Would I be able to use the FB as my DHCP server again, rather than using the Linksys?  Oh, nevermind...  Even if it can't hand out an address to the 360 on the external network, it could still hand out addresses to the machines on the internal network.  I could just static the 360.
I played on Xbox Live all night last night without even one disconnect.  I sure would like to get the FB back into the mix so that I can monitor my network traffic.  I'll try to implement this tonight (if my daughter's not playing World of Warcraft again (still)).  :)  Thanks again for hanging in there with me.

Lonnie.

 

by: dpk_wal | Posted on 2009-01-26 at 11:36:02 | ID: 23469949

Correct, all the interfaces of FB would have one single IP address; and the 360, FB and the machines behind FB would be on the same network.
The FB can act as a DHCP Server (not 100% sure on your version of software, please double check); so you can have the 360 and FB with static IPs behind the Linksys; configure the Linksys not to act as a DHCP Server and let FB lease out IP addresses.
As I said, for having the 360 and machines behind FB share files/folders you would need to create a service to allow the traffic.

Please let know if you need more details.

It's nice working together! :)

Regards.

 

by: lrbarrios | Posted on 2009-01-29 at 08:30:24 | ID: 23499213

I haven't forgotten about this.  I've just been busy on other stuff (like enjoying my Xbox LIVE without being disconnected).  Also, my daughter's boyfriend is staying over (they both play WOW and PS3).  AND, since the weather has been bad, they're staying in a lot more.  I may just have to pull the Household Network Administrator card out and schedule a maintenance window.  :)

Lonnie.

 

by: dpk_wal | Posted on 2009-01-29 at 09:42:19 | ID: 23500213

No problem; please update the thread if you need any assistance, I would be happy to help! :)

Thank you.

 

by: lrbarrios | Posted on 2009-03-06 at 12:05:23 | ID: 23820464

And you thought I forgot about this...  Well actually, it's been working so good and I've been so busy with other stuff, I just haven't gotten back around to this.  I wanna give you your points, but I'm not sure if we'll still be able to communicate if I have an issue.  I've been putting a computer room together in my house and have been kinda busy with that while the kids have been using the 360.  I haven't even turned the 360 on in weeks.  Hoping you'll still be available to help me with this last configuration change (if needed).  Thanks again for putting in so much time with me.

Lonnie.

 

by: dpk_wal | Posted on 2009-03-06 at 13:27:58 | ID: 23821227

Sure, no problem, I would be happy to help.

Thank you.
