Bypassing WAN for local traffic?

When at home with two xboxes, is there a way to tell the Peplink Balance One to send the data that is destined to one of its WAN IP addresses to NOT send the data out to the internet just for it to come right back to a device behind NAT?

Xbox1 hosting game lobby. All players connect to public IP of WAN1. Xbox2 on same LAN connects to game lobby. UDP traffic is sent by XBox2 to XBox1 using WAN IP and forwarded port (configured by UPNP). Xbox2 gets information about connecting to XBox1 from Xbox live servers. Is there a way to keep the UDP stream from leaving out the WAN?

I believe it would be an option something like “bypass WAN for traffic destined for device on same LAN”


This is depending on the connection initiated by the XBox2.

Have you observed the connection from XBox2? XBox2 accesses XBox1 via NAT loopback or XBox2 will connect to an external server then only connect to XBox1?

It gets the connection information from an external server, but then connects directly. Well, as directly as it can figure out. The packets are going out the WAN and looping back.


It work as expected now ?

@sitloongs - it has always worked as expected, I am just curious if there was a more efficient way.

Basically, I want the router to recognize that the outbound stream is really destined for a local resource. Right now, I can see an outbound connection from Xbox2 to WAN.

An example with fake IPs
XBox1 - NAT with UDP 3074 forwarded from WAN1
Xbox2 - NAT

For XBox2 to connect to XBox1 on port 3074 UDP, it is currently going to I want the router to recognize that XBox1 is the final destination for the packet and NOT send it out the WAN.

Make sense?

I would say this will make sense if the external server provides XBox1 private IP ( to XBox2. I believe the XBox1’s IP provided by the external server is Hence, Balance One definitely will route this IP to WAN then loop back. Even we can destinate the Xbox2’s packet to XBox1, XBox1 will not respond since it doesn’t know the packet is destinated to it because the destination IP is

Agreed to @TK_Liew.

This should be more like the Xbox application level feature how to detect the available host or server in the same network.

At router level, it should be capable to NAT loop back :thumbsup: the traffics to LAN if such traffics received.

So Peplink knows that the packet is destined for its own public WAN IP. Both XBoxes are going to listen for traffic on their NAT’d IPs. Peplink should be able to recognize this traffic as local since it knows the WAN IP is its own. Neither Xbox will ever receive IP traffic that shows the public IP - doesn’t NAT rewrite the IP headers to the NAT IP?

Real world example using physical mail. Husband, wife, and child live in the same house. Child picks mail up from mailbox and delivers to individual slots in mail holder every day. Husband mails wife a letter. The return address is the same as the mailing address. Does the post man really need to carry the letter to the post office and put it through the sorting process? Couldn’t the mailman recognize that this piece of mail is going to come right back to the same mailbox? Couldn’t he just leave the mail in the box and it still make it to wife? The child will still grab the mail from the box and put it in the wife’s mail location at home. In this example Husband is XBox2, Wife is XBox1, child is NAT, and postmaster is router.

This seems like an opportunity to remove some latency. There really isn’t a reason the modem ever needs to see the traffic between XBox1 and XBox2. Basically, I would like to see “outbound traffic destined for local WAN should be considered as internal traffic”.


NAT loop back traffics basically can be considered as internal traffics as the traffics is not send out to the internet. It’s more to the router capability to handle such traffics (Destined for its own public WAN IP) and forward the traffics back the the local server/host.


Xbox2 ( --connecting → Xbox1 (
With NAT Mapping basically the traffics is directly forwarded from Balance to the Xbox1 (

So the traffics flow with NAT loop back should be as below:
Xbox2 ( ↔ Balance ↔ Xbox1 (NAT --forwarded to →
P/S: Traffic is not forward out to the internet.

In-term of improvement from Xbox2 ( --connecting directly without sending to Balance → Xbox1 (, i believe this only can be done by the Xbox application level

Thank you @sitloongs - that is exactly what I was looking for. Is there any way to confirm that the traffic is actually looping back instead of going to the internet? I know there is a packet capture option now that may show it.

Since this traffic is considered “internal” - would a firewall rule need to be present to allow that loopback? I imagine that many have a default rule of Allow for internal traffic such as this.

Thanks again for the awesome information. I guess I caused some confusion by omitting that the Xboxes never know about their own Public IP. They simply send packets to XBox Live and those servers maintain the public IP to communicate with any given XBox. The XBox games typically use a peer to peer type of game connection. Only public IP information is given out by XBox Live when trying to connect.

The data streams are very small (<56Kbps typically), but latency is detrimental to the gaming experience. The scenario I described will ONLY happen in the event that one of the two local Xboxes is nominated as host.

Take that same scenario, except XBox1 is on WAN1 (enforced by outbound policy) and XBox2 is on WAN2 – I assume the traffic between XBox2 and XBox1 would still take the loopback path? Or would that be impossible?

You are right!

You shouldn’t have NAT loopback issue with default firewall settings. Anyway, Internal firewall will block NAT loopback if you block the desired port.

Yes. NAT loopback doesn’t affect by outbound rule.

1 Like

Y’alls gear is so badass. Thanks much. that is precisely how I was thinking it should work. If I can just get my game and update downloads to utilize both links concurrently, I will be in business. Thanks to your remote Syslog for DNS, I am able to determine what the DNS record used to find the CDN for a given update or patch - eventually, I will have a pretty good list of outbound rules for load distribution. I just need a mechanism that plays nicely with the way the XBox makes its requests. I have some ideas and will post it in the feature request section.

Thanks again fellas.

1 Like