My pseudo solution was to put the xbox in its own vlan and then to pass
all traffic to/from that vlan. It's working, albeit with a "Strict NAT"
according to the Xbox.

Previously I was logging all blocked packets but none of the xbox traffic
was matching any block rules. I'm still not sure what was going on.

It's not the solution I wanted, but it's the one I got.

-Walt


On Mon, Dec 9, 2013 at 4:21 AM, Stuart Henderson <s...@spacehopper.org> wrote:

> Rather than looking at a tcpdump of packets that make it through, try
> looking at blocked packets instead. Add 'log' to any block rules and try
> 'tcpdump -netttipflog0'.
>
>
> Walt Elam <wre...@gmail.com> wrote:
>>
>> One more update:
>>
>> I opened up the tcpdump traffic in Wireshark and it appears that the Xbox
>> is failing on Kerberos. I see an AS_REQ, then AS_REP, then the traffic
>> alternates between TGS_REQ and TGS_REP then fails. It seems like the xbox
>> is failing to successfully get the ticket from the TGS.
>>
>> Are there special rules I need in order to ensure Kerberos works properly?
>>
>> -Walt
>>
>>
>> On Fri, Dec 6, 2013 at 4:13 PM, Walt Elam <wre...@gmail.com> wrote:
>>
>>> Thanks Teemu, I gave some similar rules a shot but was unable to get it
>>> working.
>>>
>>> I'm still tweaking things and trying them; I'll update if I get it
>>> figured out.
>>>
>>> Thanks,
>>>
>>> -Walt
>>>
>>>
>>> On Thu, Dec 5, 2013 at 4:47 AM, Teemu Rinta-aho <te...@rinta-aho.org> wrote:
>>>
>>>> On 5.12.2013 3:16, Walt Elam wrote:
>>>>
>>>>> I need to forward ports 88 (UDP), 3074 (UDP/TCP), 53 (UDP,TCP), and 80
>>>>> (TCP) to the xbox360. This seems simple enough but I have been
>>>>> unsuccessful.
>>>>>
>>>>
>>>> Hi Walt,
>>>>
>>>> I don't do exactly the same, but almost. Check out my pf.conf at
>>>>
>>>> http://www.rinta-aho.org/blog/?p=364
>>>>
>>>> There you can see that I forward certain ports to machine named "core7".
>>>>
>>>> I also use 3 separate VLANs to the cable modem to get 3 (out of 5 that
>>>> I pay for) different IP addresses from the ISP. 1 is mapped to PS3, one
>>>> to a PC "core7", and the rest share the third IP address. So, there
>>>> is some extra complexity in my pf.conf.
>>>>
>>>> Hope it helps.
>>>>
>>>> Teemu
>>>>