Types Of NAT Explained

Every TCP/IP packet contains a source IP address, source port, destination IP address and destination port. All types of NAT create NAT mappings using these values. For example a connection from an internal client with IP 192.168.0.1 using port 56876 may go to a website IP 56.45.78.89 (destination IP address) on port 80 (destination port) using IP of 45.34.78.98 (translated source IP) and port 56876 (source port). NAT creates a mapping using these 4 values to the 192.168.0.1 internal client for that specific connection. When packets come back from the website to the router using the same values associated with that mapping NAT forwards the packets to the internal client.

Don't confuse NAT restriction with NAT translation – for example a Full Cone NAT only looks at the destination port when choosing whether to accept the connection or not (the restriction). When it does the actual NAT translation, however, it always uses the 4 values mentioned above.

A full cone NAT (also known as a one-to-one NAT) is the only type of NAT where the port is permanently open and allows inbound connections from any external host. A full cone NAT maps a public IP address and port to a LAN IP and port. Any external host can send data to the LAN IP through the mapped NAT IP and port. If it tries to send data through a different port it will fail. This type of NAT is also known as port forwarding. This is the least restrictive type of NAT; the only requirement is that the connection comes in on a specific port.

A restricted cone NAT works in the same way as a full cone NAT but applies additional restrictions based on an IP address. The internal client must first have sent packets to IP address (X) before it can receive packets from X. In terms of restrictions the only requirement is that packets come in on the mapped port and from an IP address that the internal client has sent packets to.

A port restricted cone NAT acts in exactly the same way as a restricted cone NAT but applies restrictions to ports also. Where a restricted cone NAT will accept connections from any source port a port restricted cone NAT restricts this further by only accepting connections from the IP address and port it sent the outbound request to.

A symmetric NAT applies restrictions exactly the same way as a port restricted cone NAT but handles the NAT translation differently. Symmetric NAT is more complicated and has its own unique problem: a symmetric NAT translates the source port to a new, randomly generated one for each connection. This even applies to connections from the same client to different destinations.
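To make the four restriction and translation rules concrete, here is an added toy simulation (not part of the original post and not router firmware): the addresses and ports are constructed sample values, and the symmetric case uses a counter where a real NAT would pick unpredictable ports.

```python
# Toy model of the four NAT behaviours described above (constructed example,
# not real router code). Addresses and ports are made-up sample values.
FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED_CONE, SYMMETRIC = range(4)

class Nat:
    def __init__(self, nat_type, public_ip="45.34.78.98"):
        self.nat_type = nat_type
        self.public_ip = public_ip
        self.next_port = 40000   # real symmetric NATs pick unpredictable ports;
        self.mappings = {}       # a counter keeps this demo deterministic
        self.sessions = set()    # every (src_ip, src_port, dst_ip, dst_port) sent out

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outbound packet and return (public_ip, public_port)."""
        if self.nat_type == SYMMETRIC:
            key = (src_ip, src_port, dst_ip, dst_port)  # new mapping per destination
        else:
            key = (src_ip, src_port)                    # one mapping reused for all peers
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        self.sessions.add((src_ip, src_port, dst_ip, dst_port))
        return self.public_ip, self.mappings[key]

    def inbound(self, ext_ip, ext_port, public_port):
        """Return the internal (ip, port) the packet is forwarded to, or None if dropped."""
        for key, pub_port in self.mappings.items():
            if pub_port != public_port:
                continue
            src_ip, src_port = key[0], key[1]
            # peers this internal endpoint has already sent packets to
            peers = {(d, dp) for (s, sp, d, dp) in self.sessions if (s, sp) == (src_ip, src_port)}
            if (self.nat_type == FULL_CONE
                    or self.nat_type == RESTRICTED_CONE and any(d == ext_ip for d, _ in peers)
                    or self.nat_type == PORT_RESTRICTED_CONE and (ext_ip, ext_port) in peers
                    or self.nat_type == SYMMETRIC and key[2:] == (ext_ip, ext_port)):
                return src_ip, src_port
        return None

def probe(nat_type):
    """Send from one internal socket to two peers, then test which inbound packets get through."""
    nat = Nat(nat_type)
    _, p1 = nat.outbound("192.168.0.1", 56876, "56.45.78.89", 80)
    _, p2 = nat.outbound("192.168.0.1", 56876, "203.0.113.7", 443)
    return {
        "same_public_port_for_both_peers": p1 == p2,
        "reply_from_peer_port": nat.inbound("56.45.78.89", 80, p1) is not None,
        "reply_from_peer_other_port": nat.inbound("56.45.78.89", 8080, p1) is not None,
        "packet_from_stranger": nat.inbound("198.51.100.9", 53, p1) is not None,
    }

if __name__ == "__main__":
    for name, t in [("full cone", FULL_CONE), ("restricted cone", RESTRICTED_CONE),
                    ("port restricted cone", PORT_RESTRICTED_CONE), ("symmetric", SYMMETRIC)]:
        print(name, probe(t))
```

Only the full cone lets a stranger in, and only the symmetric NAT hands the same internal socket a different public port per peer, which is exactly what breaks hole-punching style traversal.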

One solution for NAT traversal, called the Internet Gateway Device Protocol (IGD Protocol), is implemented via UPnP. Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerating existing port mappings, and adding or removing port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client.

So, for your Consoles (I'm focusing on the Xbox 360/One)

NAT type = Cone
UPnP = Enabled
The following ports should be opened and forwarded to your console if UPnP is not working or you have a shitty router. Set a static/reserved IP for your console, then:

Xbox 360
0.0.0.0 (Any) UDP port 88 -> IP of Console
0.0.0.0 TCP & UDP port 3074 -> IP of console
0.0.0.0 TCP & UDP port 53 -> IP of console
0.0.0.0 TCP & UDP port 1863 -> IP of console
0.0.0.0 TCP port 80 -> IP of console

Xbox One
0.0.0.0 TCP port 53 -> IP of console
0.0.0.0 TCP port 80 -> IP of console
0.0.0.0 TCP port 3074 -> IP of console
0.0.0.0 UDP port 53 -> IP of console
0.0.0.0 UDP port 88 -> IP of console
0.0.0.0 UDP port 500 -> IP of console
0.0.0.0 UDP port 3074 -> IP of console
0.0.0.0 UDP port 3544 -> IP of console
0.0.0.0 UDP port 4500 -> IP of console

The ports used :
53 TCP/UDP = DNS; this allows your console to receive DNS responses coming back from port 53
80 TCP = HTTP traffic
3074 TCP/UDP = Xbox LIVE traffic
88 TCP/UDP = Authentication traffic ;-)
500 TCP/UDP = ISAKMP/IKE traffic (Don't stress too much trying to understand why the Xbox uses this)
3544 UDP = Teredo tunneling (IPv6 -> IPv4 tunneling)
4500 UDP = IPSec NAT Traversal

From what I have seen on my router/firewall, the XBOne creates an IPSec tunnel to the MS servers to exchange information, which is why it requires additional ports (500, 3544 and 4500), and MS loves IPv6 (hence 3544 being present).

Generally NAT type Cone with UPnP will just work, but some router manufacturers and software configurations seem to think that "standards" is just another word for "rough guideline".