Well here I am over 6 years later and I have a related problem... although definitely not the exact same one.

Would anyone expect the procedure to be a requirement for Xbox *Live*, i.e. the online games component of Windows 10? My experience would indicate "not", but I don't know that much.

For over a year I have been running MS Games under Win10 (until recently via Clear ver 6.something I think, now 7.3) and all was fine with Solitaire Collection and MahJong. Then suddenly about 2 weeks ago I started getting error messages trying to log in. The programs will allow me to continue playing as a "Guest", with no recording of results in the Cloud, but getting logged in to my Microsoft account is a no go. The three error messages received so far all indicate (in Microsoft's usual helpful fashion) that there is a network connectivity problem.

I installed this gateway less than 2 months ago on a brand new Intel MoBo using the Community 7.3 64-bit ISO.

It *is* possible log into my account on the xbox.com website - it picks up the same Avatar picture and everything - but attempting to open the game app comes up with one of those errors every time I attempt to go through the Clear gateway.

When I bypass the gateway and plug my PC directly into the DSL router, it goes in without hesitation. I can then put the gateway back in circuit and continue to play for some time - but after a day or so I'll be kicked out mid-game and told to log in, and the fun starts over.

I have tried switching off every gateway function I can:
- in Antimalware I switched off all 4 options: signature engine, heuristic engine, block ssl mismatch, and block cloaked urls
- in gateway AV I disabled block encrypted files
- under Intrusion Protection, attack detector I disabled all 4 options: postfix-sasl, proftpd, sshd, sshd-ddos
- under Intrusion Protection, IDS I stopped the service
- under Intrusion Protection, IPS I stopped the service

Under the other configuration categories I can't see anything that might have any bearing on the issue. In Reports I can't see any events occurring at the times I try to connect to the xbox live service.

Anyone have any ideas? I'm kinda stymied.

http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,40/func,view/id,42641/

Any news on that tutorial you were going to post. I am desperate to get my xbox to access live.

Thanks

I appreciate all of the help that you have given me on this. My Xbox is now up and fully functional.

I did wind up using the original code, because something funky was going on with my system after plugging yours in, but to be completely fair, I had muddled around with my system enough by then, that I wound up doing a clean install.

After a clean install, and downloading just the applications that I needed, I followed the entire process again, and it worked perfectly.

I am going to sit down and type up the process that I used for 6.2, in case anyone else is interested in the updated process.

I will post it in this thread once it is complete.

No. My version should work as is, both at the command line and in the file.

do I need the $ in front of your version of the rule when adding it to /etc/clearos/firewall.d/local ?

The instructions you have are for ClearOS 5.2. In 6.2 /etc/clearos/firewall.d/local is equivalent to 5.2's /etc/rc.d/rc.firewall.local. I would simplify the rule to a single line:

iptables -t nat -I PREROUTING -s your_xbox_IP_address -p tcp --dport 80 -j ACCEPT

Remember to either restart the firewall with a "service firewall restart" or apply my version of the line manually at the command line for the rule to work first time. The rule in your post cannot be applied to the command line as the variables (bits beginning with a $) only exist as the firewall starts. I don't think the proxy bypass option currently exists in 6.2. If you still have problems with the bypass, you may want to try leaving out the "-p tcp --dport 80" bit from the rule.

Note for this rule to work reliable, the XBox must always have the same IP address. Possibly the easiest way to achieve that is to use the Webconfig > Network > DHCP Server > Leases to add a static lease for the XBox, or convert its current one to static

OK, that got me closer, but I ma not finding valid paths for the later steps in the process.

The tutorial at the beginning of this thread reads...

The next step is to allow the Xbox to bypass the proxy. This can be done via the Web interface or with iptables rules.
Web Interface (preferred method)
Go to the Web interface of the ClearOS machine and go to: Gateway -> Web Proxy.
Here Enter in a "Nickname" and the IP of your Xbox (192.168.1.200 in this example) in the "Web Site Bypass" section at bottom of the screen.

Then click "Add".

Alternatively you could append the following iptables rule to /etc/rc.d/rc.firewall.local

Code:

## Added to allow the Xbox to get at XBox Live services
#LANIF is set auto-magically, uncomment the line below to manually specify
#LANIF=eth4

#XBOX is set to the IP address of your XBOX
XBOX=192.168.1.200
$IPTABLES -t nat -I PREROUTING -i ${LANIF} -s ${XBOX} -p tcp -m tcp --dport 80 -j ACCEPT

There is no "Web Site Bypass" section at bottom of the screen in the web GUI, and no /etc/rc.d/rc.firewall.local path shown in WinSCP

HELP... AGAIN!!!

Excellent!... thanks for the info!

While my primary workstation is a MBP, I run VMWare Fusion, so I have access to a virtual copy of Windows 7.

I will D/L what you recommended and give it a shot

No, the file already exists. You are just adding to it. If you have Windoze PC's on your LAN get yourself a copy of WinSCP and PuTTy. WinSCP is a graphical file manager with a GUI text editor. PuTTy is for remote terminal sessions. You can copy from PuTTy just by highlighting text and paste by right-clicking.

Thanks for that Nick... again, I am the victim of being painfully new to the Linux world.

What is the best way to place that code in /etc/clearos/firewall.d/local?

I'm assuming that just creating a .txt file in that location is not an option, LOL.

Anthony Smart wrote:

I believe that is correct but, you can also just add a iptables rule to allow the Xbox to bypass the proxy as previously mentioned. I documented what ended up working for me here:

http://csmartonline.com/blog/2012/01/23/clearos-web-proxy-content-filter-and-xboxlive/

I use a transparent proxy by the way and I'm assuming you are too. If you're not, I'm not sure if this works for you or not. Either way, be sure to check that your proxy is still working as expected before making the change permanent.

I'll check out your blogpost, I'm using a transparent proxy as you assumed.
Thanks for the insight, I'll try out the iptables rule the next time I'm dealing with Xboxes

Jumping in in the middle of a thread .....

The lines with $ need to have the $. They are bash variables.

If you are executing this from the command line you need to change $EXTIF to something like eth0 or whatever your external interface is.

If you add the code to /etc/clearos/firewall.d/local it will execute automatically when the firewall is restarted and at that point $EXTIF is defined and will be picked up correctly.

Christer Jonassen wrote:

For the sake of simplicity, I would normaly go for miniupnpd, but I'm looking for a way to do this with out uPnP

We use Clear OS for LAN-parties, but consoles are always an issue. Unfortunately we can't be without the content filter and these days most Torrent clients and other p2p services uses uPnP... So in minutes we would have unwanted seeding from all the people forgetting that they have left their torrent client running..

So if i understood correctly, placing an xbox in a Hotlan could solve the issue, even though content filtering and proxy is enabled?

I believe that is correct but, you can also just add a iptables rule to allow the Xbox to bypass the proxy as previously mentioned. I documented what ended up working for me here:

http://csmartonline.com/blog/2012/01/23/clearos-web-proxy-content-filter-and-xboxlive/

I use a transparent proxy by the way and I'm assuming you are too. If you're not, I'm not sure if this works for you or not. Either way, be sure to check that your proxy is still working as expected before making the change permanent.

Thanks for the information Tony. That got me closer (and yes, that was a typo)

I was able to successfully install the newest x64 version of miniupnpd. Now I am having issues with the following code...

And again I apologize in advance for my lack of understanding. I am still trying to wrap up my knowledge base on working int he Linux environment

##
#MINIUPNPD required tables
##
IPTABLES=/sbin/iptables
#EXTIF= (not required as uses automagic to determine WAN, can be manually specified)
#adding the MINIUPNPD chain for nat
$IPTABLES -t nat -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD

#adding the MINIUPNPD chain for filter
$IPTABLES -t filter -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD

I understand that the "#" indicates a REM statement. I also discovered by trial and error that the lines that start with $ actually need to be typed without the $

$IPTABLES -t nat -N MINIUPNPD completed successfully
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD is not. I keep getting an error stating that the line cannot complete due to an invalid command.

Also, I don't suppose there is a way to access the command line via the web GUI interface is there? I am currently at work, but it is a slow day, and would like to spend some time working on this issue remotely.

For the sake of simplicity, I would normaly go for miniupnpd, but I'm looking for a way to do this with out uPnP

We use Clear OS for LAN-parties, but consoles are always an issue. Unfortunately we can't be without the content filter and these days most Torrent clients and other p2p services uses uPnP... So in minutes we would have unwanted seeding from all the people forgetting that they have left their torrent client running..

So if i understood correctly, placing an xbox in a Hotlan could solve the issue, even though content filtering and proxy is enabled?

yum install miniupnpd

Note miniupnpd - has two 'i's - not one as in your append... typo I presume.

Know nothing re. Xbox so that's all from me...

NB You can install wget with

yum install wget

I just realized that the DMZ option will not work in my case, because I stream video from a desktop on my network to my xBox360 using a Xbox extender. Creating a DMZ would break that, if I understand the concept of a DMZ.

I tried to follow the tutorial on installing minupnp, but my x64 6.2 clearOS box tells me that wget is not a valid command.

Suggestions?

I am sorry if this seems to be a N00B question, but N00B I am!

I am having similar issues with my Xbox 360 not being able to access the marketplace. The easiest way to resolve this issue would simply be to add a 3rd NIC, designate it as a DMZ., then assign a static I.P. address to the Xbox and connect it directly to that NIC... correct?

If I understand how ClearOS works, anything connected to the DMZ NIC (either directly, or via a dedicated DMZ switch) will completely bypass the content filter, right? Will all other services by bypassed as well?

Hmm... I do not observe any change in those particular chains unless I add the local IP to the web site bypass on the web proxy page. However, this is no use as this seems to only affect the destination (which would be a web site and not the local IP).

When adding the IP to the content filter's exempt list, those chains stay the exact same. However, I know the exempt list works because I have my laptop exempted from the content filter.

Prerouting is applied to traffic just before it leaves, and effectively permits your outbound packets to hop over the fence which prevents port 80 traffic leaving the LAN unless it goes through the proxy.

Hmm wwhen I first looked at this thread, the webconfig proxy bypass worked, and inserted the correct iptables prerouting rule to permit traffic to get round the proxy. Now it doesn't seem to work... :S i'll investigate!

EDIT: Nope still OK, if you add a host to the webconfig, you should notice a new rule in PREROUTING 'iptables -L -n -v -t nat'

Thank you for the link but, that would seem to do the exact same thing as the line I previously mentioned does. It just adds a new table called 'BYPASS' instead.

However, in trying it, I did find the solution which my pee brain never thought of until now; allow port 80 to be opened on outgoing connections and then use the iptable line:

iptables -t nat -I PREROUTING -s 192.168.0.360 -p tcp --dport 80 -j ACCEPT

No one ever mentioned it though and I never thought of it because I assumed that by adding the iptables line to accept destination port 80, it would allow the outgoing traffic. (I'm no expert in iptables!)

However, i don't understand why adding the Xbox360's IP to the exempt list on the webconfig doesn't already invoke this line and open the port. Nonetheless, this is what works and I am now happy.


Thank you to everyone!

I also was having the same issue. Dansguardian is tricky that way from my experience. You will have to put a bypass rule into iptables to fix it.

http://wiki.squid-cache.org/KnowledgeBase/TransparentProxySelectiveBypass

Thanks for the reply Kevin. I know I am way late with mine, please forgive me.

Unfortunately, setting the DMZ in this way did not work.

As I stated before, it seems to have everything to do with the content filter. If it is disabled, the Xbox360 works. If it is enabled, the Xbox360 does not work.

Any (other) suggestions on how to bypass the content filter manually? Maybe the IP tables are getting set wrong when entering the Xbox360's IP on the content filter bypass page. Isn't it IP tables that controls everything under the hood on all of the firewall, proxy/content filter bypass, etc. pages anyway? The line I mentioned above is correct to bypass it manually, right? So then why doesn't it work would be my next question...

EDIT: I can sign into XboxLive with the content filter enabled but, it informs me that some of the content is not available and also, Netflix won't get the cover images or stream a movie without the content filter being disabled. So, the content filter is clearly not being bypassed even though I have tried the correct IP in both the Web Proxy Bypass and the Content Filter Bypass.

Hi Anthony,

There is two ways that ClearOS can do DMZ, this is what makes ClearOS very nice system all together.

You can do it via a third network card, and this will either become your "hot-lan" or DMZ.

Or you can this.

logo into the WebGui,

Click on Network --- Firewall --- DMZ.

Enter the IP address of you Xbox, and this will essentially create a whole, and assuming this will just create a firewall rule to allow all traffic and port it to IP address.

You can try that...


Or I could be wrong... From the manual, it only using the Network card that is on the DMZ... I know I had a thread on the ClarkConnect forums that I'll try to dig up that dealt with exactly this issues and see if that helps you.

Yes, I do have the Xbox360's IP in the bypass for the content filter.

However, I'm not sure I fully understand how to setup a DMZ on ClearOS. I don't have an extra NIC and my understanding is that you have to have a dedicated NIC to have a DMZ.

Am I correct, or am I missing something?


Thank You

Well, come to think about it... either my content filter is not working, or something else is wrong.

I'm just in the process of reinstalling ClearOS (hoping to have COS 6.2)... but I'll check again after the clean install to see if my Xbox works or not. I know right now it is because it downloaded the update...

I have the content filters on. there is a bypass and I'm sure you already did that. You could DMZ it, but that's not the best choice either.

Kevin

It is definitely a problem with the content filter. If the content filter is disabled, the Xbox360 works. If it is enabled, well, you guessed it! It doesn't work!

However, I need the content filter to be enabled and am therefore still searching for a solution. I have the Xbox360's IP listed in the exempt section on the content filter. I also have it's IP listed on the outgoing firewall and web proxy bypass. In addition to the above, I have also tried this line:

iptables -t nat -I PREROUTING -s 192.168.0.360 -p tcp --dport 80 -j ACCEPT

Nothing seems to work except disabling the content filter or setting the Xbox360 on a separate LAN, neither of which will work for my situation. (I don't have an extra NIC card and cannot do without a filter as one of the kids were caught looking at some nasty things...)

Any help would be greatly appreciated!

Great little write up, by the way David.

That's interesting that people have problems... as I haven't had a problem with running Xbox Live, updates, or anything since ClarkConnect days.

I remember running CC, I had a to add a line to bypass the proxy, but not any more.

hmmm...

I guess it could be the content filter if it's turned on, that would/could case a few issues, I've been running my new 360 since 5.0 and haven't had a issue ever, or have to add any specific rules....

Hello! Well it's December 25th 2011 and an XBox 360S found it's way into our house. I was immediately recruited by my 13 year old son to help resolve an issue with Xbox LIVE. The Xbox 360 was unable to connect to XBox Live, regardless of what I did, including following this tech tip. The only thing I did differently was I used miniupnpd-1.5.20110309-1.clearos.i686.rpm instead of miniupnpd-1.4.20100921-2.clearos.i686.rpm as enumerated in the tech tip.

I was able to resolve the problem by putting the Xbox on a HOTLAN that I set up on a third NIC card. I also divided my Asante switch into 2 VLANS. The Xbox is on VLAN2, which is connected to the HOTLAN. This assures complete isolation from the primary, content filtered, ICS LAN that the PC's in our house occupy. Then use port forwarding to forward the following ports to a static IP assigned to the Xbox on the HOTLAN. Port 88 (UDP),Port 3074 (UDP and TCP),Port 53 (UDP and TCP),Port 80 (TCP). Then manually configure the Xbox for this new static IP, and the DNS server for your ISP. I'm not sure why the Xbox doesn't like to be proxied, but I think this HOTLAN solution is probably the best from a gaming standpoint as it should help keep the ping times down as low as possible, and the best part is, you don't have to try an figure out all this egghead iptables stuff. Thanks for investing the time to try and create a work around, and more power to you if you're able to make it work. I was not. (Clear OS 5.2)

Sorry for the late reply, I've been experimenting.
Thanks for the feedback, and yes you are right, I don't appear to need the INPUT rule for port 3074.

Great summary David! thanks for pulling it all together

Unfortunately I don't own an XBox, so i'm curious why it doesn't like being stuck behind the proxy

FYI you can also add an IP to bypass the proxy from the webconfig This saves having to create the iptables rule in rc.firewall.local
Gateway > Web Proxy > Enter local IP in Website Bypass at bottom > Click Add

If you have MiniUPNPD working correctly, you should also not need the INPUT rule to open port 3074, as it will automatically create the forwarding rules required for your XBox to talk to the net. You can verify by running

iptables -L MINIUPNPD -n -v