Hi,
miniupnpd seems to be broken in 26.1:
miniupnpd 37136 - [meta sequenceId="85"] pfctl_get_rules_info: Invalid argument
Its spamming the routing log.
//Daniel
First time I hear this. Kernel ABI and upstream software didn't change from 25.7.x so not sure what we're looking at here.
Cheers,
Franco
Fun, a puzzle :D
Had it working in 25.7 for a couple of playstations, and i had trouble getting it going OOTB but that's a couple of years ago so i can't remember what i did. But in sure it wasn't this error.
//Daniel
when trying to map a port from my macbook:
miniupnpd 34776 - [meta sequenceId="77"] ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Invalid argument
True, it's more likely the errors were always there or at least for a while.
Cheers,
Franco
Quote from: fotring on January 26, 2026, 06:45:42 PMHad it working in 25.7 for a couple of playstations
Why not just give them 1:1 Port Mapping and leave it at Moderate NAT level instead of fully Open NAT ?!
/EDIT :Quote from: d0shie on January 27, 2026, 06:22:03 AMOther console people who are on Strict NAT (more than you'd think) can only talk to Open NAT.
With how prevalent the P2P matchmaking model is, Moderate NAT just won't do if you want the best chance at finding more people to play with.
UPnP, on the other hand, provides the perfect middle ground while cleaning up after itself so allowed devices can cycle between ports. I'd say these days consoles is one of the primary reasons why UPnP is in use.
Fair enough :)
I am PC gamer who needs it only for some games that use that P2P crap too sadly and really hate the fact that they do
(PC gaming folks like Dedicated Servers !!! LOL!) so I don't mind missing out on those Strict NAT players if that means I can keep my LAN side less exposed than it needs to be !!! ^_^
Quote from: nero355 on January 27, 2026, 12:08:12 AMWhy not just give them 1:1 Port Mapping and leave it at Moderate NAT level instead of fully Open NAT ?!
Because Moderate NAT can only talk to Moderate and Open NAT. Other console people who are on Strict NAT (more than you'd think) can only talk to Open NAT. With how prevalent the P2P matchmaking model is, Moderate NAT just won't do if you want the best chance at finding more people to play with. There's also the need to factor in the effort to manually configure mappings for every game service. The better equivalence would be putting that console behind a DMZ, but it'd also mean the ports have to remain open 24/7, and only for that console.
UPnP, on the other hand, provides the perfect middle ground while cleaning up after itself so allowed devices can cycle between ports. I'd say these days consoles is one of the primary reasons why UPnP is in use.
I'm still missing the point a bit: it was said it's broken because it's spamming. The question is: is it still working after upgrading from 25.7.11 (where it worked) to 26.1-RCx (in which the code really doesn't differ)?
Cheers,
Franco
Just to chime in since I guess not that many are using miniupnpd.. I'm still running 25.7.11_2 and I use UPnP for consoles and kids' gaming, and I'm not seeing those errors in my log..
(A lot of other errors, but I'm guessing it's because the clients didn't clear their active mappings before shutting off)..
2026-01-27T09:23:31 Error miniupnpd upnpevents_processfds: 0x1239f410080, remove subscriber uuid:4a4dccd4-fb59-11f0-af55-00d0b4023658 after an ERROR cb: http://10.0.10.134:2869/upnp/eventing/dkgqwukrhw
2026-01-27T09:23:31 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.134:2869): Operation timed out
2026-01-27T09:23:31 Error miniupnpd upnpevents_processfds: 0x1239f410100, remove subscriber uuid:4a487762-fb59-11f0-af55-00d0b4023658 after an ERROR cb: http://10.0.10.134:2869/upnp/eventing/bejxzoycej
2026-01-27T09:23:31 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.134:2869): Operation timed out
2026-01-27T09:23:31 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.134:2869): Operation timed out
2026-01-27T09:23:15 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.134:2869): Operation timed out
2026-01-27T09:23:15 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.134:2869): Operation timed out
2026-01-27T09:23:15 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.134:2869): Operation timed out
2026-01-27T09:21:25 Warning miniupnpd upnp_event_process_notify: connect(10.0.1.153:2869): Operation timed out
2026-01-27T09:07:13 Error miniupnpd upnpevents_processfds: 0x1239f410000, remove subscriber uuid:0319bd80-fb57-11f0-af55-00d0b4023658 after an ERROR cb: http://10.0.10.127:2869/upnp/eventing/ujhzqdwdtn
2026-01-27T09:07:13 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.127:2869): Operation timed out
2026-01-27T09:07:13 Error miniupnpd upnpevents_processfds: 0x1239f410280, remove subscriber uuid:0314bbca-fb57-11f0-af55-00d0b4023658 after an ERROR cb: http://10.0.10.127:2869/upnp/eventing/ocsmvlvmza
/Kewin
Quote from: Kewin on January 27, 2026, 09:48:45 AMJust to chime in since I guess not that many are using miniupnpd.. I'm still running 25.7.11_2 and I use UPnP for consoles and kids' gaming, and I'm not seeing those errors in my log..
(A lot of other errors, but I'm guessing it's because the clients didn't clear their active mappings before shutting off)..
2026-01-27T09:23:31 Error miniupnpd upnpevents_processfds: 0x1239f410080, remove subscriber uuid:4a4dccd4-fb59-11f0-af55-00d0b4023658 after an ERROR cb: http://10.0.10.134:2869/upnp/eventing/dkgqwukrhw
2026-01-27T09:23:31 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.134:2869): Operation timed out
2026-01-27T09:23:31 Error miniupnpd upnpevents_processfds: 0x1239f410100, remove subscriber uuid:4a487762-fb59-11f0-af55-00d0b4023658 after an ERROR cb: http://10.0.10.134:2869/upnp/eventing/bejxzoycej
2026-01-27T09:23:31 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.134:2869): Operation timed out
2026-01-27T09:23:31 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.134:2869): Operation timed out
2026-01-27T09:23:15 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.134:2869): Operation timed out
2026-01-27T09:23:15 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.134:2869): Operation timed out
2026-01-27T09:23:15 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.134:2869): Operation timed out
2026-01-27T09:21:25 Warning miniupnpd upnp_event_process_notify: connect(10.0.1.153:2869): Operation timed out
2026-01-27T09:07:13 Error miniupnpd upnpevents_processfds: 0x1239f410000, remove subscriber uuid:0319bd80-fb57-11f0-af55-00d0b4023658 after an ERROR cb: http://10.0.10.127:2869/upnp/eventing/ujhzqdwdtn
2026-01-27T09:07:13 Warning miniupnpd upnp_event_process_notify: connect(10.0.10.127:2869): Operation timed out
2026-01-27T09:07:13 Error miniupnpd upnpevents_processfds: 0x1239f410280, remove subscriber uuid:0314bbca-fb57-11f0-af55-00d0b4023658 after an ERROR cb: http://10.0.10.127:2869/upnp/eventing/ocsmvlvmza
/Kewin
Good note! Then it's not just my install. Can something have changed upstream in miniupnpd? Im on 2.3.9_2,1.
Hi, static NAT ports for UDP are a godsend for real-time protocols. Anyone who has troubleshooted WebRTC knows this: they're worth their weight in gold. They cost nothing, except to acknowledge that port "randomization" in UDP is not a security feature.
pass out quick on igc0 inet proto udp from igc1:network nat-to (igc0) static-port
pass out on igc0 inet from igc1:network nat-to (igc0)
I have had issues with UPNP as well recently in 26.1, even tried making a fresh new interface with only an Allow All rule, to rule out any firewall issues, while also disabling all custom WAN Rules... no luck for my PS5 or my PC. For the time being I have just made a NAT outbound static port rule so I can get moderate NAT at least.
Really frustrating me, but I'm not trying to blame anyone, as I am not as tech savvy as you all.
Here's my logs if it helps at all, sorry I am not very knowledgeable of any of this stuff.
2026-01-29T01:50:27-08:00 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-29T01:50:13-08:00 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-29T01:49:51-08:00 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-29T01:49:51-08:00 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-29T01:49:33-08:00 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-29T01:49:32-08:00 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-29T01:49:20-08:00 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-29T01:49:20-08:00 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-29T01:49:19-08:00 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-29T01:49:19-08:00 Error miniupnpd could not open lease file: /var/run/miniupnpd.leases-ipv6
2026-01-29T01:49:19-08:00 Error miniupnpd could not open lease file: /var/run/miniupnpd.leases
Here are my logs from a port mapping attempt from qbittorrent:
miniupnpd 9211 - - HTTP REQUEST from 192.168.1.158:61797 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 9211 - - Host: 192.168.1.1:2189
miniupnpd 9211 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
miniupnpd 9211 - - AddPortMapping: ext port 43831 to 192.168.1.158:7620 protocol UDP for: qBittorrent/5.1.4 leaseduration=604800 rhost=
miniupnpd 9211 - - no permission rule matched : accept by default (n_perms=0)
miniupnpd 9211 - - pfctl_get_rules_info: Invalid argument
miniupnpd 9211 - - Check protocol UDP for port 43831 on ext_if igc1 100.35.202.163, A3CA2364
miniupnpd 9211 - - 0101a8c0:5351 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0132a8c0:5351 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0101a8c0:59796 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0132a8c0:36397 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:1900 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0132a8c0:123 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0100007f:123 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - a3ca2364:123 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0101a8c0:123 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:123 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0101a8c0:43339 0a01a8c0:514 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:0 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0101a8c0:161 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0100007f:2056 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0132a8c0:5353 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0101a8c0:5353 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:5353 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:49935 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0100007f:2055 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0100007f:63685 0100007f:2055 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 0100007f:4930 0100007f:2055 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:53053 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:53053 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:53053 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:53053 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:51820 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:4500 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:500 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:53 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - 00000000:67 00000000:0 <=> 43831 a3ca2364:7620
miniupnpd 9211 - - redirecting port 43831 to 192.168.1.158:7620 protocol UDP for: qBittorrent/5.1.4
miniupnpd 9211 - - ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Invalid argument
miniupnpd 9211 - - Returning UPnPError 501: Action Failed
Reports are piling up. I'm wondering if the kernel has a bad change?
# opnsense-update -zkr 25.7.11
And reboot?
Cheers,
Franco
Quote from: franco on January 29, 2026, 05:10:22 PMReports are piling up. I'm wondering if the kernel has a bad change?
# opnsense-update -zkr 25.7.11
And reboot?
Cheers,
Franco
Same result on the older kernel
And the base system?
# opnsense-update -zbr 25.7.11
(also needs a reboot)
Cheers,
Franco
Same behavior unfortunately
I'm a bit at a loss where the bug would come from if components are back on 25.7.11 and it's still happening. It was working on 25.7.11, totally and normally?
Cheers,
Franco
Honestly, I'm not sure. I don't think I ever checked on 25.7.11.
Hi,
It worked perfectly fine on 25.7.11 before upgrade... :)
I got the same errors... After upgrade.
2026-01-29T22:10:40Errorminiupnpdpfctl_get_rules_info: Invalid argument
2026-01-29T22:10:40ErrorminiupnpdFailed to add NAT-PMP 28159 TCP->192.168.1.19:32400 'NAT-PMP 28159 TCP'
2026-01-29T22:10:40Errorminiupnpdioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Invalid argument
2026-01-29T22:10:40Errorminiupnpdpfctl_get_rules_info: Invalid argument
I'm liking to https://forum.opnsense.org/index.php?topic=50566.msg258338#msg258338 which could be related since we don't get anywhere with older OS versions.
Quote from: Marius_ on January 29, 2026, 10:18:02 PMHi,
It worked perfectly fine on 25.7.11 before upgrade... :)
I got the same errors... After upgrade.
2026-01-29T22:10:40Errorminiupnpdpfctl_get_rules_info: Invalid argument
2026-01-29T22:10:40ErrorminiupnpdFailed to add NAT-PMP 28159 TCP->192.168.1.19:32400 'NAT-PMP 28159 TCP'
2026-01-29T22:10:40Errorminiupnpdioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Invalid argument
2026-01-29T22:10:40Errorminiupnpdpfctl_get_rules_info: Invalid argument
I am also getting
2026-01-30T00:51:58-08:00 Error miniupnpd ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Invalid argument
And Franco I also tried both the opnsense-update commands you shared (with a reboot each time) and no change.
I had some spare time, so I set up a fresh USB install of OPNsense 26.1 with the default config/settings to test UPnP behavior.
here is the log:
2026-01-30T10:00:39 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:39 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:39 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:36 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:36 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:36 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:33 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:33 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:33 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:33 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:33 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:22 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:18 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:18 Error miniupnpd ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Invalid argument
2026-01-30T10:00:18 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:18 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:18 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:18 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:18 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:18 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:17 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:17 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:17 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T10:00:17 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T09:59:38 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T09:59:37 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T09:59:37 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T09:59:36 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T09:59:35 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T09:59:28 Error miniupnpd pfctl_get_rules_info: Invalid argument
2026-01-30T09:59:28 Error miniupnpd could not open lease file: /var/run/miniupnpd.leases-ipv6
2026-01-30T09:59:28 Error miniupnpd could not open lease file: /var/run/miniupnpd.leases
(https://i.imgur.com/0XnD9vx.jpeg)
Quote from: franco on January 30, 2026, 09:23:52 AMI'm liking to https://forum.opnsense.org/index.php?topic=50566.msg258338#msg258338 which could be related since we don't get anywhere with older OS versions.
No luck. Same behavior after patching.
I know this is for the 26.1 section but thought I would at least mention I am still on 25.7.11_9 and "UPnP IGD & PCP" seems to be working fine for me. I was able to use my PS5 and connect to various games and see active maps being created in the GUI under Services: UPnP IGD & PCP: Active Maps. If there is anything I can potentially provide to help with this while still on this version please let me know.
I think I found it. Looks like a feature removal gone wrong:
# opnsense-patch https://github.com/opnsense/core/commit/311184daa8
# /usr/local/etc/rc.filter_configure
It should bring back the required anchors.
Cheers,
Franco
Quote from: franco on January 30, 2026, 11:18:37 PMI think I found it. Looks like a feature removal gone wrong:
# opnsense-patch https://github.com/opnsense/core/commit/311184daa8
# /usr/local/etc/rc.filter_configure
It should bring back the required anchors.
Cheers,
Franco
Appears to be working for me now :)
(https://i.imgur.com/9BVYF5O.png)
Looks good. Working for me too :)
Thanks!!
The patch brought UPNP back, great work!
Assuming this is going to make it into the next hot fix, not in the commit history for 26.1 yet?
We'll do a 26.1.1 next week for various reasons and include the fix of course.
Cheers,
Franco
Thanks a lot for fixing, worked perfectly. Relied on these anchors for tailscale direct connections.