UPDATE:
There are several posts on Bungie's forums about this issue for both OPNSense and pfsense.
Please see here: https://www.bungie.net/en/Forums/Post/254054012 and https://www.bungie.net/en/Forums/Post/262675756?sort=0&page=0
Are there some configuration changes that can be made to improve the compatibility with this game?
This person states the following:
On the main configuration page, the important options are below:
Start UPnP and NAT-PMP service = enabled
Enable UPnP functionality = enabled
Enable NAT-PMP functionality = enabled
Enable IGDv1 mode = enabled (The important option, Destiny 2 does not like IGDv2)
Port = 0 (Allows automatic port selection)
On the Advanced Configuration page, you must add the following options:
Announced Serial Number : <Any integer you want>
Announced Model Number : <Any integer you want>
Presentation URL : http://<ip-address-of-router>
My question is, how do we make miniupnpd run in IGDv1 mode?
They also stated the following:
Plume is running OpenWRT under the hood and also uses miniupnpd, but there are some minor differences in how it handles uuids; I'm going to do a deep dive of the miniupnpd.conf file later and see if I can get miniupnpd.conf on pfsense to match exactly what OpenWRT is doing and test that to see if Destiny likes it any better.
This is still broken on 23.1.5.
Can someone please take a look at this? I've used wireshark and captured the packets going to the server but I can't find any logs that would tell me what is going on.
Does anyone know how to troubleshoot or debug the upnp daemon?
Thanks!
There were no changes to upnp since the initial 23.1 version. And those changes seem to work fine - I don't see reports piling up, not generally and not specifically for 23.1.4.
Cheers,
Franco
Hi franco,
I did a fresh install of 23.1 last night and did not restore my configuration.
I simply installed os-upnp and reinstalled Destiny 2 and the port forwards are not being made.
There is the possibility that Bungie broke this but I highly doubt it. My next test will be to reinstall an older version of opnsense and see if it works there.
I doubt you will see tons of reports on this issue as it would require multiple people in the same private network trying to play a game that requires UPNP.
Warframe
Latest OPNsense - not a fresh install.
UPNP - enabled.
Ports detected and status reported on UPNP Status page.
Warframe - reports Strict NAT when "Analyze network" performed.
I'm able to join multiplayer games (multiplayer sessions within Warframe), so it is not clear to me what the exact issue is...
Thank you for adding your experience!
I went back to 22.7 and did pkg install os-upnp-devel as root.
It installed the latest UPNP that's included with 23.1 but it still doesn't work. I'm pretty sure something has changed recently.
Figured I'd provide a vote for those who aren't having any issues. UPnP is working fine here. Do your gaming devices have access to the interface address via the UPnP ports? Do you have outbound NAT set up for those devices? Do you have "Default Deny" set, but don't have ACLs?
Hi Bondi,
I used to have ACLs set up, but as part of debugging I've removed them.
As far as your second question, I don't have rules set to specifically allow traffic to the gateway as it's always worked fine without it.
Everything was working fine until 3/21. I tried going back to 22.7 and I also tried a pfsense build and I was experiencing the same issue. I'm wondering if it's something else?
I did a tcpdump and I can see the SSDP packets going to the 239.whatever address but I'm not able to capture the response. Any ideas how to debug further?
I cannot get stable results for the UPNP functionality.
Right now after several restarts I do have UPNP working OK.
Guess I will leave it as is.
Until next time :D
I'm familiar with reading the log files in the firewall and I've also SSH'd into my opnsense box but I'm unsure how to find the actual miniupnpd logs that should show the requests and responses.
Can anyone point me in the right direction?
Thanks
This post is no longer relevant
Quote from: franco on March 30, 2023, 08:19:01 AM
There were no changes to upnp since the initial 23.1 version. And those changes seem to work fine - I don't see reports piling up, not generally and not specifically for 23.1.4.
Cheers,
Franco
I've updated the original post with other people complaining about this issue on Bungie's forums. Is this something I could work with someone on to troubleshoot?
Thanks!
Are you using a static port on your outbound NAT rule? Port randomisation seems to break various games. I also find denying port 3074 using UPNP ACLs will force some XBL games to retry on other ports and has fixed a few problems.
I'm looking at my firewall now and can see about 25 different NAT rules generated by UPNP currently so it appears to be working.
FWIW we run gaming events with around 1,000 - 1,200 devices and UPNP worked well for us the past two events we ran.
I solved it by using a rule like this...
(https://i.ibb.co/807cbHH/image.png) (https://ibb.co/jTrRzSS)
Gianluca
Does a single outbound nat rule like that effectively disable automatic outbound nat rule generation? Sorry if I'm not very knowledgeable about such things.
I went the other way and created rules for specific gaming devices. I didn't want to affect other devices on the network.
(https://i.imgur.com/Y8XvY17.png)
Quote from: tawmu on April 07, 2023, 02:36:37 PM
Are you using a static port on your outbound NAT rule? Port randomisation seems to break various games. I also find denying port 3074 using UPNP ACLs will force some XBL games to retry on other ports and has fixed a few problems.
I'm looking at my firewall now and can see about 25 different NAT rules generated by UPNP currently so it appears to be working.
FWIW we run gaming events with around 1,000 - 1,200 devices and UPNP worked well for us the past two events we ran.
Hi Tawmu, your fixes to UPnP were working fine up until 3/21/2023.
Bungie has changed something in the game that I believe requires IGDv1 for UPnP to work properly.
Some individuals on reddit are saying their DumaOS based routers are still getting port maps set up properly.
I don't see how I could compile a miniupnpd that would support IGDv1, I'd need development support as I'm not deep on this code base.
I've confirmed it also doesn't work on an OpenWRT based ER605 Omada router.
Quote from: laterizi on April 07, 2023, 02:44:48 PM
I solved it by using a rule like this...
(https://i.ibb.co/807cbHH/image.png) (https://ibb.co/jTrRzSS)
Gianluca
Hi Gianluca,
Static port mapping will work fine for a single console and give you moderate NAT. It won't help you when you have multiple.
Quote from: tawmu on April 07, 2023, 02:36:37 PM
Are you using a static port on your outbound NAT rule? Port randomisation seems to break various games. I also find denying port 3074 using UPNP ACLs will force some XBL games to retry on other ports and has fixed a few problems.
I'm looking at my firewall now and can see about 25 different NAT rules generated by UPNP currently so it appears to be working.
FWIW we run gaming events with around 1,000 - 1,200 devices and UPNP worked well for us the past two events we ran.
I believe this is specific to Destiny 2 and it being extremely picky with UPnP. This post talks about the configuration changes needed for UPnP on OpenWRT:
On the main configuration page, the important options are below:
Start UPnP and NAT-PMP service = enabled
Enable UPnP functionality = enabled
Enable NAT-PMP functionality = enabled
Enable IGDv1 mode = enabled (The important option, Destiny 2 does not like IGDv2)
Port = 0 (Allows automatic port selection)
I can see miniupnpd has a runtime option to report as an IGDv1 device even when running in IGDv2 mode so perhaps this is the easiest option to add into opnsense, assuming it works reliably for Windows devices. Someone on the OpenWRT forums suggests that runtime option isn't enough but it looks as if there's a workaround for Windows clients already in miniupnpd: https://github.com/miniupnp/miniupnp/commit/2f2685af97c28ee3559af8d0a0cdf5d8b215a68f
The thing is when I tested Windows clients before submitting miniupnpd changes a couple of months ago I definitely saw it creating UPNP entries (because I know for a fact Windows Firewall stops Windows talking to a UPNP server in a different subnet when we forward broadcasts across VLANs). I guess this suggests some games just have rubbish UPNP implementations.
@effex I'm away from a firewall at the moment so I cannot check but I believe there was also a bug in miniupnpd versions prior to 2.3 that meant the v1 reporting to MS clients was broken. Can you check what version of the miniupnpd package your firewall is running? If it's <2.3 then try installing the miniupnpd-devel package in opnsense and test again.
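Added example, not part of any post in this thread and not OPNsense or miniupnpd code: a small Python check of which IGD version a gateway actually announces, run from a LAN client. SSDP search replies are sent unicast to the source port of the M-SEARCH, so a capture filtered on the multicast address shows only the requests; this script reads the replies on its own socket and then fetches the root description named in LOCATION. All function names and the sample strings (using the documentation address 192.0.2.1) are assumptions made for the example.

```python
import socket, urllib.request
import xml.etree.ElementTree as ET
IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:"
NS = "{urn:schemas-upnp-org:device-1-0}"
# Constructed samples for offline use, not captured traffic.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nST: " + IGD.encode() + b"1\r\n"
                b"LOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n\r\n")
SAMPLE_DESC = ('<root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
               f"<deviceType>{IGD}2</deviceType></device></root>")

def build_msearch(version=1, mx=2):
    """SSDP M-SEARCH datagram asking for an IGD of the given version."""
    head = 'M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: "ssdp:discover"\r\n'
    return (head + f"MX: {mx}\r\nST: {IGD}{version}\r\n\r\n").encode("ascii")

def parse_ssdp(data):
    """Headers of one SSDP reply as an upper-cased dict; {} unless 200 OK."""
    status, _, rest = data.decode("utf-8", "replace").partition("\r\n")
    lines = rest.split("\r\n") if status.startswith("HTTP/1.1 200") else []
    return {k.strip().upper(): v.strip()
            for k, sep, v in (l.partition(":") for l in lines) if sep}

def rootdesc_igd_version(xml):
    """IGD version in the root description's <deviceType>, else None."""
    text = ET.fromstring(xml).findtext(f"{NS}device/{NS}deviceType", "").strip()
    tail = text[len(IGD):] if text.startswith(IGD) else ""
    return int(tail) if tail.isdecimal() else None

def probe(version=1, timeout=3.0):
    """Live LAN check: [(responder_ip, ST, LOCATION, announced_version)]."""
    replies, found = [], []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_msearch(version), ("239.255.255.250", 1900))
        try:
            while True:  # replies come back unicast to this socket's port
                replies.append(s.recvfrom(4096))
        except socket.timeout:
            pass
    for data, peer in replies:
        h, ver = parse_ssdp(data), None
        url = h.get("LOCATION", "")
        try:  # plain http only: a responder could otherwise hand us file: URLs
            if url.startswith("http://"):
                with urllib.request.urlopen(url, timeout=timeout) as r:
                    ver = rootdesc_igd_version(r.read())
        except (ValueError, OSError, ET.ParseError):
            pass  # unreachable or malformed description
        found.append((peer[0], h.get("ST"), url, ver))
    return found
```

Calling `probe(1)` and `probe(2)` from a gaming client's subnet lists every responder with the version its description announces; an empty list means no reply reached that client at all.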