
are there any security risks if i set up port forwarding on my router to change my nat type from ...


G+_Dan K

While I really, really don't like it, just enable PnP if you're working with any sort of game console.  Different games are going to use different ports and/or sets of ports.  Trying to manually manage all of them is just a headache waiting to happen.

 

That said, opening ports always increases risk.  Shouldn't be a huge risk, but it's always a risk.

Link to comment

I kinda disagree. If you don't mind managing the ports, port forwarding is preferred. Make sure you set your Xbox to a static IP first - either on the Xbox or through DHCP Reservations on your router (best to put the reserved IP outside your normal DHCP range). I assume the security on the Xbox is strong, so (assuming static IP outside normal DHCP range) even DMZ could be more secure than UPnP.

 

Just my 2¢.

Link to comment

I keep all devices on DHCP reservations.  (Basically assigning static IPs via the DHCP server.) This way Xbox is always .188 and the Roku is always .140.  This way maintaining ports is a lot easier.

(also makes seeing any rogue devices obvious since they are in the DHCP pool)

Link to comment
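The rogue-device check described in the post above, sketched as an added example that is not part of any post in this thread. It assumes the router exposes its lease table in dnsmasq format; the 192.168.1.0/24 prefix, the pool range and the MAC addresses are constructed, since the thread gives only the last octets (.188 and .140).

```python
import ipaddress

# Constructed values: the thread names only .188 (Xbox) and .140 (Roku).
POOL_START = ipaddress.ip_address("192.168.1.2")
POOL_END = ipaddress.ip_address("192.168.1.99")
RESERVATIONS = {  # MAC -> reserved IP, kept outside the dynamic pool
    "aa:bb:cc:00:00:01": ipaddress.ip_address("192.168.1.188"),  # Xbox
    "aa:bb:cc:00:00:02": ipaddress.ip_address("192.168.1.140"),  # Roku
}

# Constructed sample in dnsmasq lease format: expiry mac ip hostname client-id
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 192.168.1.188 xbox *
1700000000 de:ad:be:ef:00:10 192.168.1.23 * *
1700000000 de:ad:be:ef:00:11 192.168.1.140 roku-clone *
1700000000 AA:BB:CC:00:00:02 192.168.1.57 roku *
malformed line
"""

def audit_leases(text):
    """Return (reason, mac, ip, hostname) for every lease that needs a look."""
    findings = []
    reserved_ips = set(RESERVATIONS.values())
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skips blank, malformed and "duid" lines
        mac, host = fields[1].lower(), fields[3]
        try:
            ip = ipaddress.ip_address(fields[2])
        except ValueError:
            continue
        if ip.version != 4:
            continue  # this sketch audits the IPv4 pool only
        if mac in RESERVATIONS:
            if ip != RESERVATIONS[mac]:  # known device, reservation not applied
                findings.append(("reserved-device-wrong-ip", mac, str(ip), host))
        elif ip in reserved_ips:  # another MAC is sitting on a reserved address
            findings.append(("reserved-ip-held-by-other-mac", mac, str(ip), host))
        elif POOL_START <= ip <= POOL_END:  # unknown device in the dynamic pool
            findings.append(("unknown-device-in-pool", mac, str(ip), host))
    return findings

if __name__ == "__main__":
    for finding in audit_leases(SAMPLE_LEASES):
        print(*finding)
```

A device configured with its own static address never requests a lease, so it will not appear in this table at all.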

Dan K, if you are not sharing data between your Xbox One and other devices on your network, then consider putting it on a different subnet. If your consumer-grade router doesn't support VLANs or subnet ranges (most don't), then consider the "Three Dumb Routers" setup Steve Gibson explained...

https://www.grc.com/sn/sn-545.pdf

 

If you need to share data between your Xbox One and other devices, then make sure you have good security software running on the PCs and Macs inside the network, such as the free version of Sophos Home.

https://home.sophos.com/reg

 

If you are running Linux you are pretty much safe.

 

A DMZ is not a bad idea; it's just a tool, but using a DMZ to segregate this situation is like using a sledgehammer to crack open a walnut. Use the right tool or type of tool. You don't need a DMZ when what you really want is a physically separated network or a VLAN. Now if you were hosting a Minecraft server on your Xbox - well then - that's a wholly different situation!

 

Travis Hershberger is right about PNP - BUT (and it's a REALLY BIG BUTTTT) - there are risks involved in using PNP, so if you don't need to share data between the Xbox and the rest of the network setup then use a physical separation to be safe.

 

Ben Reese & Eddie Foy, using DHCP Reservations is a good idea guys, as it gives you centralized control; however, the ranges are still on the same subnet, so I think what you guys are both hinting at is....  a VLAN. Unless of course you have a DHCP server (like Server 2012 R2) that supports multiple scopes, consumer routers typically don't do that.

 

Replacing your consumer-grade router with commercial-grade ones is usually cost prohibitive. However, there are a number of good free "Network Gateway Servers" available that you can set up on your own hardware (an old PC with two NICs) and they offer much greater control over consumer routers. Here are two that I've been playing with, both have pros and cons - WARNING - keep your consumer router handy, you need a solid understanding of firewall concepts to set these up properly and there is a learning curve. The last thing you need is an angry spouse because they can't get the attachment in their email!

 

https://www.untangle.com/get-untangle/

 

https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

 

Cheers!

Link to comment
