OPNsense Forum

English Forums => 24.1 Production Series => Topic started by: kartman on May 01, 2024, 05:29:52 pm

Title: OPNsense 24.1.6: Correct UPnP setup?
Post by: kartman on May 01, 2024, 05:29:52 pm
I'm moving over from pfSense where things seemed to be configured OK. Long story..

Steps I've taken:
1) installed the os-upnp plugin and enabled it
2) setup is "deny default" and I've added an "allow" for my statically assigned gaming computer
3) NAT config is "hybrid"

I mostly play Destiny2 and UPnP seems to be working in that I have "OPEN" reported in game and the status page on OPNsense is showing UDP ports 3097 and 19199 open to my static IP. My only issue is that randomly the game will declare I'm behind a firewall on startup. If I clear the UPnP sessions and restart the service and restart Destiny2, the issue seems to go away and the same open ports are re-established.

Seems flaky... have I done something wrong? I didn't have this issue on pfSense so I'm trying to understand.

Lastly, I DIDN'T create the NAT rule that is mentioned in other posts. I don't really understand what this rule is supposed to do. I can add it but I'd like to understand.

Big thanks.
Title: Re: OPNsense 24.1.6: Correct UPnP setup?
Post by: sja1440 on May 01, 2024, 05:46:51 pm
It sounds like it could be a race condition between the port actually being opened by os-upnp and Destiny2 starting up.

If that is the case then the fix would simply be to restart Destiny2 without clearing the UPnP sessions within os-upnp.

Perhaps in OPNsense the ports are opened asynchronously with respect to the request? Or perhaps Destiny2 fires the port open request but does not wait for the response?

I have just started using os-upnp with only "Allow NAT-PMP Port Mapping" enabled (I believe the attack surface of UPnP is too large). I have "Manual outbound NAT rule generation" set and I do not need any specific NAT rule for this.

By the way, os-upnp, rather annoyingly, creates rdr rules with the pass quick flags set. This means that no filter rule is examined on the WAN interface. But I guess that is not relevant for you.
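
Added example (not part of any post in this thread, and not os-upnp's own code): a small audit for the two points raised above, the "deny default" ACL and rdr rules that carry `pass`, which flags every redirect that skips the filter ruleset and marks those pointing at a host other than the one the ACL is meant to allow. The rule lines are constructed samples in pf syntax, and the interface name and the address 192.168.1.50 are assumptions; on a live firewall the input would be pfctl's NAT rule listing.

```python
import ipaddress

# Constructed sample lines in pf rdr syntax (not captured from a real firewall).
SAMPLE_RULES = """\
rdr pass quick on igb0 inet proto udp from any to any port = 3097 -> 192.168.1.50 port 3097
rdr pass quick on igb0 inet proto udp from any to any port = 19199 -> 192.168.1.50 port 19199
rdr on igb0 inet proto tcp from any to any port = 8443 -> 192.168.1.20 port 443
rdr pass quick on igb0 inet proto tcp from any to any port = 22 -> 192.168.1.77 port 22
"""

# Assumption: the only host the UPnP ACL is meant to allow (the gaming PC).
ALLOWED_HOSTS = {ipaddress.ip_address("192.168.1.50")}


def parse_rdr(line):
    """Parse one rdr rule line into a dict; return None for anything else."""
    tok = line.split()
    if not tok or tok[0] != "rdr" or not {"on", "proto", "=", "->"} <= set(tok):
        return None
    on, arrow = tok.index("on"), tok.index("->")
    if len(tok) < arrow + 4:
        return None
    return {
        # "pass" between "rdr" and "on" means matching packets skip filter rules
        "bypasses_filter": "pass" in tok[1:on],
        "iface": tok[on + 1],
        "proto": tok[tok.index("proto") + 1],
        "ext_port": int(tok[tok.index("=") + 1]),
        "target": ipaddress.ip_address(tok[arrow + 1]),
        "int_port": int(tok[arrow + 3]),
    }


def audit(rules_text, allowed=ALLOWED_HOSTS):
    """Return (kind, rule) pairs for every redirect that bypasses filtering."""
    findings = []
    for line in rules_text.splitlines():
        rule = parse_rdr(line)
        if rule is None or not rule["bypasses_filter"]:
            continue
        kind = "filter-bypass" if rule["target"] in allowed else "unexpected-host"
        findings.append((kind, rule))
    return findings


if __name__ == "__main__":
    for kind, r in audit(SAMPLE_RULES):
        print(f'{kind}: {r["proto"]}/{r["ext_port"]} -> {r["target"]}:{r["int_port"]}')
```

A "filter-bypass" finding for the allowed host is expected with this plugin; an "unexpected-host" finding means the ACL admitted a mapping for a machine it was not supposed to.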
Title: Re: OPNsense 24.1.6: Correct UPnP setup?
Post by: kartman on May 01, 2024, 05:57:55 pm
"If that is the case then the fix would simply be to restart Destiny2 without clearing the UPnP sessions within os-upnp."

I will monitor but I think I tried to simply relaunch. The issue persisted in the game so I went to OPNsense to investigate. As mentioned, my "fix" was to clear the UPnP session and then restart the service. This seems to consistently correct the issue when I then relaunch D2.

Maybe clear and restart service is overkill. All I know is that it seemed to work and that I never had to do this when using pfSense as my firewall. Again, goal is to understand/learn and correct going forward.

More comments welcome! Cheers.
Title: Re: OPNsense 24.1.6: Correct UPnP setup?
Post by: Apex on May 02, 2024, 02:43:26 pm
A family relative who I set up OPNsense for had similar issues. I had him try UPnP for his Xbox BUT also add in the static port mapping rule.

He hasn't had any issues using his gaming console since that configuration change.

It might be worthwhile to try that solution and see if you still experience that behavior.