Solved

Xbox says the MTU setting is incorrect

Posted on 2011-09-30
Last Modified: 2012-05-12
In the girls' dorm, I have them connected to our Sonicwall internet firewall behind a Mikrotik router used for only their dorms. I have checked all my settings on the Mikrotik and found that it is set at 1500 MTU on both interfaces. Still, the girls are complaining that their Xbox says the MTU setting must be a minimum MTU setting of 1364. Is there any way to test the MTU on my Sonicwall to see if it is the problem or if it's the provider's problem? Any input would be greatly appreciated.
0
Question by:CCC-Ravens
19 Comments
 

Author Comment

by:CCC-Ravens
ID: 36892096
Found some interesting information on testing the MTU size...

http://help.expedient.com/broadband/mtu_ping_test.shtml

I found mine is 1472 which should be plenty for Xbox Live.

What else could cause this error?
0
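
The ping test referenced in the comment above, as an added example that is not part of the original thread: it binary-searches the largest ICMP payload that passes with the don't-fragment bit set, adds the 28 bytes of IPv4 and ICMP headers, and compares the result with the 1364 minimum from the Xbox error. The function names and the Linux `ping` flags are assumptions of this example; the probe is passed in as a command so the search can be exercised without a network.

```bash
#!/usr/bin/env bash
# Added example: find the path MTU by binary search over ping payload sizes.
# An ICMP echo carries 28 bytes of headers (20 IPv4 + 8 ICMP),
# so path MTU = largest unfragmented payload + 28 (1472 + 28 = 1500).

# Default probe: one don't-fragment ping, Linux iputils syntax.
# The Windows equivalent is: ping -f -l SIZE HOST
probe_ping() {
    local host="$1" size="$2"
    ping -c 1 -W 2 -M do -s "$size" "$host" >/dev/null 2>&1
}

# find_path_mtu PROBE HOST [LOW] [HIGH]
# PROBE is called as: PROBE HOST PAYLOAD_SIZE (exit 0 = passed unfragmented).
# Prints the path MTU, or returns 1 if even the LOW payload does not pass.
find_path_mtu() {
    local probe="$1" host="$2" lo="${3:-548}" hi="${4:-1472}" mid
    "$probe" "$host" "$lo" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))      # round up so the loop always advances
        if "$probe" "$host" "$mid"; then
            lo=$mid                       # mid fits: search above it
        else
            hi=$(( mid - 1 ))             # mid was dropped: search below it
        fi
    done
    echo $(( lo + 28 ))
}

# check_xbox_mtu PROBE HOST
# Prints "ok MTU", "low MTU" (below the 1364 minimum) or "unreachable".
check_xbox_mtu() {
    local mtu
    mtu=$(find_path_mtu "$1" "$2") || { echo "unreachable"; return 2; }
    if [ "$mtu" -ge 1364 ]; then
        echo "ok $mtu"
    else
        echo "low $mtu"
        return 1
    fi
}

# Usage (hypothetical target host): check_xbox_mtu probe_ping www.example.com
```

Run it from a wired host behind the Mikrotik and again from a host directly behind the Sonicwall; the same result at both points means neither device is lowering the path MTU.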
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 36892129
Have you already set up port forwarding for Xbox Live!?
Details here: http://portforward.com/english/applications/port_forwarding/Xbox_Live_360/Xbox_Live_360index.htm

The MTU error message is rarely actually about MTU and almost always about connectivity.

See the Microsoft troubleshooting information here:
http://support.xbox.com:80/en-US/xbox-360/troubleshoot/kb/error-your-network-does-not-have-sufficient-mtu-setting-979104#top
0
 

Author Comment

by:CCC-Ravens
ID: 36892156
I have all the ports forwarded as follows

UDP Ports 88, 3074, 53, 1863

TCP Ports 3074, 53, 1863

And of course 80 is open.

However, I show no packets hitting any of the port rules in the Mikrotik.

The girl tells me that she can connect to Xbox Live but cannot complete the tests without getting the error.
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 36892197
Wired or wireless?
0
 

Author Comment

by:CCC-Ravens
ID: 36892206
She has it connected wired
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 36892268
Which model of Mikrotik? Fixed IPs or DHCP?
Does your Sonicwall support UPnP?
Is there any way to bypass it for diagnostics?

Thinking currently either lack of UPnP or the router and firewall are both using NAT
0
 

Author Comment

by:CCC-Ravens
ID: 36904851
I placed the Mikrotik in the DMZ; however, the problem persisted.
It is a RB450gs and has the 5.7 RBOS on it.
Yes, the Sonicwall supports UPnP as far as I can tell. It is a Sonic wall 3500 security appliance.
0
 
LVL 4

Expert Comment

by:digus
ID: 36921794
Double NAT. It would be best to ditch one of the routers - I'd keep the Mikrotik (and the Sonic for a backup). Why do you have two routers (I'm assuming the Sonic is _not_ serving public IPs on its internal/LAN port)? Also, the Mikrotik can perform most functions (P2P/bandwidth queuing, filtering, etc.) as a bridge/brouter, if you really need both routers for some reason.
0
 

Author Comment

by:CCC-Ravens
ID: 36931885
The Sonic wall is the firewall that controls the internet for the entire campus. They wanted the women's dorm on our internet but to be firewalled from our network, hence why I installed the Mikrotik. So removing the Sonic wall, although it would be OK with me, is not my decision and cannot be done.

I know that the Mikrotik could handle everything our sonic wall can, I have to maintain what we have.
0

 
LVL 4

Expert Comment

by:digus
ID: 36932148
You should be able to just bridge the Mikrotik, then put the girls on a different subnet behind the Mikrotik, and have the Mikrotik drop all packets to/from the main subnet in its firewall. Of course you'd have to put a new gateway for the girls' subnet on the Sonic also.

Any reason you're not running VLANs here? Seems like that would be much simpler..
0
 

Author Comment

by:CCC-Ravens
ID: 36932283
That would be some major reconfiguration but might be what has to be done. Hopefully I understand routing enough to get that done if need be.
0
 

Author Comment

by:CCC-Ravens
ID: 36932304
The strange thing is my rules opening the ports for the Xbox don't look to me like they are even being hit.

[Attachment: Firewall rules]
0
 
LVL 4

Expert Comment

by:digus
ID: 36932558
OK - these are just firewall "filter rules" you have set up - you need NAT rules for port forwards - and you have to specify a "dst-address". Also, the filter "input chain" is only for accessing the router itself. You will need to use the "forward chain" for firewall "filter rules" to affect the LAN - that is why they are not matching and being hit.

For the port forwards: If the xbox's IP is 10.10.10.100 (substitute the actual xbox IP), and the outside/WAN IP of the Mikrotik is 10.254.254.1 (again, substitute), then this should work for you (paste these commands into the terminal):


/ip firewall nat add action=same chain=dstnat dst-address=10.254.254.1 protocol=tcp dst-port=3074 to-addresses=10.10.10.100 to-ports=3074

/ip firewall nat add action=same chain=dstnat dst-address=10.254.254.1 protocol=tcp dst-port=53 to-addresses=10.10.10.100 to-ports=53

/ip firewall nat add action=same chain=dstnat dst-address=10.254.254.1 protocol=tcp dst-port=1863 to-addresses=10.10.10.100 to-ports=1863

/ip firewall nat add action=same chain=dstnat dst-address=10.254.254.1 protocol=udp dst-port=3074 to-addresses=10.10.10.100 to-ports=3074

/ip firewall nat add action=same chain=dstnat dst-address=10.254.254.1 protocol=udp dst-port=53 to-addresses=10.10.10.100 to-ports=53

/ip firewall nat add action=same chain=dstnat dst-address=10.254.254.1 protocol=udp dst-port=1863 to-addresses=10.10.10.100 to-ports=1863

/ip firewall nat add action=same chain=dstnat dst-address=10.254.254.1 protocol=udp dst-port=88 to-addresses=10.10.10.100 to-ports=88
0
 

Author Comment

by:CCC-Ravens
ID: 36932677
Hum, I see. However, I have more than one Xbox in the girls' dorms and they are all assigned DHCP addresses, so I cannot forward to one address. I need to open those ports for all network traffic.
0
 
LVL 4

Expert Comment

by:digus
ID: 36933386
That is only possible if you have multiple public IPs available to point to the Mikrotik - one per Xbox. As far as the DHCP goes, Mikrotik has a "static DHCP" feature that is really slick and easy to use - you should check it out. Still, you're stuck with one fully functional Xbox, unless you have multiple public addresses to spare.
0
 

Author Comment

by:CCC-Ravens
ID: 36933828
That sucks, I don't want to burn public addresses for the Girls to play online games.
 
If 1 to 1 NAT is the only way an Xbox will work then I guess the girls will not be getting their Call of Duty and Halo fixes LOL.
0
 
LVL 4

Expert Comment

by:digus
ID: 36934083
I hear ya - gamers make my life - well, interesting at times, to put it nicely. As far as I know, the games do actually function properly without the mappings - the stupid M$ xbox just reports that it is not an "optimal" connection (or something like that), if you don't have a public IP mapped/wasted.

Good luck - at least they are not paying good money for the connection, so they can't really complain like apartment or condo residents do..
0
 
LVL 62

Expert Comment

by:☠ MASQ ☠
ID: 36935458
If you can remove the double NAT issue this will work. There are many locations like yours running multiple Xbox 360s off a single external IP. Could you allocate a "Dorm" range on the Sonicwall with fixed IPs on the consoles and swap the Mikrotik into a switch so effectively there's only the Sonicwall in the way of a direct connection to XBL?
0
 
LVL 4

Accepted Solution

by:
digus earned 500 total points
ID: 36936183
That was my suggestion in post #10 - a bridge, which would still retain the filtering capabilities they need. Also, in my previous post, I pointed out that they should be working. Problem is, if you don't have a public IP for each one, it will still report some issue about the connection - no matter what firewall/router you have. You can only forward a port from 1 public IP to one place at a time. As far as I know, they still work fine, the message just bothers people because the console is telling them something is "wrong". I would still go with VLANs though - this problem will continue to pop up as the network grows. Double-NAT is also a VOIP killer..
0
