As far as I know, the Xbox is using IPv6 natively. With the Teredo protocol it will tunnel IPv6 over IPv4 if no IPv6 is available. A very huge security issue, because you have no chance to configure/secure this tunnel; an attacker who claims to be Microsoft is able to use the Xbox as a hopper to your network … In theory, this is for another day. Back to topic:
The Xbox indeed needs some open ports. Putting the Xbox in the DMZ, as an ‘Exposed Host’ or whatever you’ll call it, could work. But I strongly recommend forwarding only the needed ports.
Port forward:
88 UDP
3074 TCP/UDP
3544 UDP
[Alternate Port]* TCP/UDP
(* The ‘Alternate Port’ depends on the user. Regularly the Xbox will negotiate a port itself and use it for multiplayer or chat and so on. But you can set it to a fixed port per user.
On the Xbox Settings: Network Settings - Advanced Settings - Alternate port selection. Here you can select one from a bunch of port numbers. It needs to be forwarded in TCP and UDP. One port per Xbox user.)
UPnP never worked for me, with different routers. Maybe one time during setup/testing, but never reliably.
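
Added example, not part of the original post: a small Python audit that compares a router's forwarding table with the port list above and flags an 'Exposed Host' style rule. The `Forward` record, the console address `192.168.1.50` and the alternate port `50000` are constructed placeholders, not values from the post or from any router's export format.

```python
from typing import NamedTuple, Optional

class Forward(NamedTuple):
    proto: str   # "tcp" or "udp"
    first: int   # first external port, inclusive
    last: int    # last external port, inclusive
    target: str  # internal address the traffic is forwarded to

def required_ports(alternate_port: Optional[int] = None) -> set:
    """Ports listed in the post, plus the per-user alternate port if one is fixed."""
    need = {("udp", 88), ("tcp", 3074), ("udp", 3074), ("udp", 3544)}
    if alternate_port is not None:
        need |= {("tcp", alternate_port), ("udp", alternate_port)}
    return need

def audit(rules, console_ip: str, alternate_port: Optional[int] = None) -> dict:
    """Compare what is forwarded to the console with what the post says is needed."""
    need = required_ports(alternate_port)
    opened = set()
    exposed_host = False
    for r in rules:
        if r.target != console_ip:
            continue
        if r.first <= 1 and r.last >= 65535:
            exposed_host = True  # whole port range: DMZ / 'Exposed Host' behaviour
        lo, hi = max(r.first, 1), min(r.last, 65535)
        opened.update((r.proto.lower(), p) for p in range(lo, hi + 1))
    return {
        "exposed_host": exposed_host,
        "missing": sorted(need - opened),   # needed ports not yet forwarded
        "excess": len(opened - need),       # forwarded ports the list does not call for
    }

# Constructed sample data: address and alternate port are placeholders.
CONSOLE = "192.168.1.50"
ALT_PORT = 50000
DMZ_RULES = [Forward("tcp", 1, 65535, CONSOLE), Forward("udp", 1, 65535, CONSOLE)]
MINIMAL_RULES = [
    Forward("udp", 88, 88, CONSOLE),
    Forward("tcp", 3074, 3074, CONSOLE),
    Forward("udp", 3074, 3074, CONSOLE),
    Forward("udp", 3544, 3544, CONSOLE),
    Forward("tcp", ALT_PORT, ALT_PORT, CONSOLE),
    Forward("udp", ALT_PORT, ALT_PORT, CONSOLE),
]

if __name__ == "__main__":
    print(audit(DMZ_RULES, CONSOLE, ALT_PORT))
    print(audit(MINIMAL_RULES, CONSOLE, ALT_PORT))
```

With the exposed-host rules every needed port is reachable, but so are 131064 other port/protocol pairs on the console; the minimal rule set reports none.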