Xbox One and PS4 NAT issues - Double Firewalled (Modem/Router)


Hello guys, I have not been here in a while but I hope there's someone out there that can help shed some light on the issue I am having.

Hopefully someone can suggest a fix and it'll all work, or at least point me in the right direction, and possibly explain anything I may be overlooking or misunderstanding. I have a basic understanding of networking, so I can work my way around my routers and modem etc.

To start, a small introduction to my issue: as you can see from the title, I have an issue getting Open NAT for my PS4 and Xbox One. I have 2 firewalls to go through; my network setup is as follows:

Modem > Router1 (Router2/Router3 Bridged) > Device

However, I have 2 other Routers in the house that are bridged to extend/strengthen signal in different parts of the house.

I have opened the suggested ports for Xbox One (53, 80, 88, 500, 3074, 4500) on both my Modem (ZyXel P-660R-F1) and my Router (TL-WR1043ND). I have not configured any special settings on the 2 bridged routers. The PS4 connects by wire, Xbox One by wireless (same floor as the main Router).

I have followed guides on setting both of them up (First on, then found a video for my ZyXel modem and it suggested to disable the Active Firewall, and Bypass Triangle Route. Also to change the NAT SUA Only changed to 1024 (it was 512). Lastly, it suggested to turn off the Enable SIP ALG setting).

For my router, some suggested to just let UPnP do its job and disable the Port Forwards (Virtual Servers it's called in the settings). I have tried with just UPnP and with Port Forwards, neither makes a difference. I even disabled the Port Forwards on the Modem and had UPnP on both, but to no avail. To clarify something, if I use Port Forwarding should I have UPnP off? Or will they work together?

I have done restarts on all devices (router/modem/Xbox One) when any changes have been made.

On my XBO I have turned it to "Energy Saving" mode as I have read in several places that it can affect UPnP negatively if it is in "Instant On" mode. I have tried to set the Reserved Address in my Router for my XBO, as another site/video said that having a Static IP set on the XBO can cause problems. I have tried the static IP set through the XBO and through the router, neither makes a difference.

On my Router I have several firewall settings that are not mentioned by any guides as to if they should be altered, the settings allow me to Disable or Enable (All currently enabled):

Firewall: SPI Firewall

VPN: PPTP Passthrough, L2TP Passthrough, IPSec Passthrough


I also tried to set up Port Triggering to see if that would help, and set the protocol to ALL for all of them (originally set them up to the proper TCP/UDP but it wasn't working so I changed it to ALL) But that did not work either.

I am not sure if I am missing any other information, feel free to ask for anything I am missing. My LAN address for my Modem and Router are different (eg. Modem and for my Router) Will this affect how NAT works or cause my issues? Thank you.

P.S I know I have not added any troubleshooting for the PS4, I do not own it and I want to get one device working before I start fiddling with the next.


Is there no one out there whose network expertise could help me? Hoping this one bump will get this some attention as I have tried everything possible I can with my setup that I can think of, need some fresh ideas.


First, try a simple case
modem/router --- xbox
    + --- pc
and get the port forward working


From the looks of that you want me to connect my Computer directly to the modem and then Xbox through the router? If so, not possible. Only 1 port on the modem, goes to the router.

I can't connect my modem directly to the Xbox to try because the setup in the house just won't allow it, it's a church converted to house, anyways not important.

btw nice to see you're still around the forums Jobeard :)

Is that the only way to get this to work right?? If so I might be able to sort something out to go modem -> Xbox with no router but I won't be able to change ports then (Cause my PC won't connect then haha)

I hate networking, it's always been against me.


To be more clear
modem -- router -- devices, including the Xbox.
Object is to get the Xbox, port forwarding and the firewalls under control before we chain other routers.


Oh alright, the other 2 routers are simply bridged wirelessly to extend the network and should have hopefully no impact. However, I noticed that I should be able to set up my TP-Link to handle the modem's work (has the WAN port, can set to PPPoE and put in the login info and everything) and eliminate the Zyxel modem completely.

I don't really like the way the Zyxel is designed and think it would run smoother with just the router handling all the work, removing the double NAT issue I am facing.

On the other hand I also read up a bit more about the Zyxel and switching it to Bridging mode and that should also turn off the firewall/NAT settings on the modem, allowing the Router to handle it.

I will try eliminating the Modem altogether first and see if I can get the Router to just handle it all, will reply with the update later on, about to head to bed as I work tonight.


Suggest modem--router-- devices and attach the Xbox to one of the LAN slots.

Chaining the other routers can get complicated and right now, just trying to get one working solution which can then be expanded.


I have since fixed my issue, just now actually.

I will explain how I resolved it, with a bit of help from your suggestion and also from a friend who's fairly network savvy.

So, I noticed my Zyxel was set to "Routing", in this setup, NAT, Firewall and other security features were running, once through that it would hit my router, also with NAT and other Routing/Firewall features. I was fairly sure this double Firewall was causing my issue.

With a bit more investigation into how the Modem works I changed it over to "Bridge" mode. This disables DHCP, NAT, and some other features that come with Routing. I then changed its LAN IP to the same as my Router, made sure my Router then had all required PPPoE settings (Username/Pass) and made sure everything was good there.

After further testing and setup, I tested my connection on other devices in the house, came across a small DHCP issue but resolved that by increasing the Range (It was set to just be, I switched it to include my Xbox, even though the IP address was set to start at .105 for whatever reason was having DHCP problems).

Anyways, onward from that I double checked all ports, added any missing ones, I then also added my Xbox One to the Reserved IP list so that it would always get .105 and the router would handle it, the Xbox could be reset to Automatic (it was Manual)

I then tested my network on the Xbox again and got "Moderate" - Success! well, halfway anyways.

So with a quick Google search I found out that when doing a "Test Multiplayer Connection" and waiting for the next screen that says "Everything is good" you hold Right-Bumper, Right Trigger, Left-Bumper, Left Trigger, it tells you detailed NAT status, mine was CONE (The other is Port Restricted, which I assume was resolved by my double checking of Ports). I then hit A twice and it switched to OPEN.

I do apologize if my explanation is a bit chaotic, but I did a whole lot at once and it worked. My main issue with the DHCP stemmed from my extra routers being on the lower half of the IP Spectrum (below 100).

TL;DR - Set modem to Bridge mode, setup router for PPPoE. Resolved my issue for the most part with the extra info above.



The bridge-mode is necessary when we have
  • modem---router and the modem provides NAT
  • OR
  • we chain router#1(lan slot)----(wan slot)router#2
Instead of the latter wiring, the following makes life really simple:
  • disable DHCP in router2
  • and wire it router#1(lan slot)---(lan slot)router#2 and leave #2 wan empty
Router#2 will operate as a switch (not a router), have no NAT support, and router#1 will control everything.
I'm using this to add WiFi support in router#2 to my existing wired network.


I have my other 2 routers just set under WDS bridging as well so their router functions are disabled as well, but extends my wireless to upper and lower floors.

I have cables already running to the routers from Router 1, but didn't need them with WDS Bridging. Thinking I may connect through LAN again to prevent any loss of packets/delays.


Again, well done -- that's the trick for chaining router#1--- router#2--- router#x

For those following this topic, all devices attached to any of these routers will appear on the same ip-subnet,
e.g. have ip addresses which vary only in the last value; 192.168.1.x

The other setup (not using the bridging setting) for chaining router#1(lan) -- connected-to--(wan)router#2
will need unique subnets for each router;
  1. router#1 -- 1.255
  2. router#2 -- 2.255
and then each subnet is isolated from the others (no print/file sharing) and port forwarding is a nightmare.
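
Added example (not part of any post in this thread): a small Python check that walks a modem/router chain and flags the conditions discussed above, namely more than one routing (NAT) hop, a router whose WAN address is itself private, and chained routers sharing a LAN subnet. The hop layout, field names and all addresses are constructed for illustration.

```python
import ipaddress

# Ranges that are never publicly routable: RFC 1918 private space plus the
# RFC 6598 carrier-grade NAT block. A WAN address inside one of these means
# another NAT device sits upstream of that router.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

def is_non_public(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NON_PUBLIC)

def audit_chain(chain):
    """chain: hops ordered ISP side first; each hop is a dict with name,
    mode ('route' or 'bridge'), wan (IP or None) and lan (CIDR or None)."""
    findings = []
    routers = [h for h in chain if h["mode"] == "route"]
    if len(routers) > 1:
        # Each routing hop translates addresses, so each needs its own port forward.
        findings.append(("multi-nat", tuple(h["name"] for h in routers)))
    for h in routers:
        if is_non_public(h["wan"]):
            findings.append(("private-wan", h["name"]))
    for outer, inner in zip(routers, routers[1:]):
        if ipaddress.ip_network(outer["lan"]).overlaps(ipaddress.ip_network(inner["lan"])):
            findings.append(("lan-overlap", (outer["name"], inner["name"])))
    return findings

# Constructed sample chains; 203.0.113.7 is a documentation-range address.
BEFORE = [  # modem in Routing mode in front of a routing router
    {"name": "modem", "mode": "route", "wan": "203.0.113.7", "lan": "192.168.1.0/24"},
    {"name": "router", "mode": "route", "wan": "192.168.1.2", "lan": "192.168.0.0/24"},
]
AFTER = [  # modem bridged, router holds the PPPoE session and the only NAT
    {"name": "modem", "mode": "bridge", "wan": None, "lan": None},
    {"name": "router", "mode": "route", "wan": "203.0.113.7", "lan": "192.168.0.0/24"},
]
CLASH = [  # lan-to-wan chaining without unique subnets
    {"name": "modem", "mode": "route", "wan": "203.0.113.7", "lan": "192.168.1.0/24"},
    {"name": "router", "mode": "route", "wan": "192.168.1.2", "lan": "192.168.1.0/24"},
]

if __name__ == "__main__":
    for label, chain in (("before", BEFORE), ("after", AFTER), ("clash", CLASH)):
        print(label, audit_chain(chain))
```
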


Yes, exactly. My original setup had them on 2 different networks and I assumed this was where a lot of my problems were stemming from, this new setup works much smoother. Thank you for the hints/ideas and explanations :)