So the way NAT works for outgoing connections is that the first packet of the connection has a 5-tuple, e.g. UDP 192.168.0.2:12345 to 203.0.113.53:53, and the NAT translates it to a different one, e.g. UDP 198.51.100.42:12345 (your public IP) to 203.0.113.53:53. Then when a UDP packet comes back from 203.0.113.53:53 to 198.51.100.42:12345, the NAT knows to forward it to 192.168.0.2:12345. If at the same time it sees a UDP packet from 192.168.0.3:34567 to 8.8.8.8:53, it'll translate that to 198.51.100.42:34567 and everything is fine. It can tell the difference between packets from 203.0.113.53:53 because they'll either be to 198.51.100.42:12345 or 198.51.100.42:23456 and thereby know where to forward it. Even if the original packet is from 192.168.0.3:12345, then it'll translate the port too and use e.g. 198.51.100.42:12346 and still have an unambiguous translation. For incoming connections, that doesn't work. The first packet is from the remote peer. You get a packet from UDP 192.0.2.10:12345 to 198.51.100.42:4500, which internal host should it go to? There is no connection tracking entry yet and now the first packet doesn't contain the address of either internal host. The normal solution to this is to either use a different public IP address or a different port for each internal host. Alternative solutions are inherently protocol-specific and not even guaranteed to actually exist. I don't know anything specific to tell you about what protocol(s) Xbox uses. There doesn't appear to be a conntrack helper for this. The simplest solution if it really has to use specific ports is to get another public IP address. ISPs often offer these on business-class connections, or you may be able to get one from a VPN provider.
Thank you very much for the info. From my understanding, this is not an issue with IPv6 so I may enable IPv6 and try it out, although there may be other headaches associated with that. I am also not sure if some of my older network devices support IPv6 so I'm likely looking at a hybrid LAN if I go in that direction. My ISP supports IPv6 so the WAN side should be covered. I'll have to think about this. Thanks again. -MikeD
