OPNsense Forum

English Forums => General Discussion => Topic started by: FullyBorked on June 29, 2020, 04:05:36 am

Title: [Solved] Is UPNP misconfigured or simply broken in its implementation?
Post by: FullyBorked on June 29, 2020, 04:05:36 am
I really hate to post another UPNP post right above another from someone else (https://forum.opnsense.org/index.php?topic=17855.0), but I don't want to hijack his thread either.

I have a similar issue. I've spooled up my first OPNsense firewall and have been working to get it all tuned in for about two weeks now. But recently I started finding more and more games on the Xbox and two gaming PCs that just refuse to connect to multiplayer because of UPNP.

So I did my searching and dug out some threads on setting up UPNP; seems simple enough: just install and enable, tick a couple of check boxes, set your interfaces and you're off to the races? Nope, at least not on my box; it simply doesn't work.

After some digging it looks like the only way to make this work is to set each device that needs UPNP to a static IP and add an outbound NAT static port mapping.

Maybe I'm misunderstanding something, but this just seems absurd to me. The point of UPNP should be that I can enable it and internal devices can open ports and NAT automatically as needed. (I understand the security implications.) Surely this is a misunderstanding of the service in OPNsense? Otherwise I feel like it's simply broken. I think being able to create ACLs is a great feature to lock down UPNP a bit, but should be a requirement for base configuration.

If someone knows different please let me know. I've not found any documentation on the plugin that mentions the static entries required for this feature to work. I love this setup a lot and I'd hate to have to tear it down for one feature.
Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: Northguy on June 29, 2020, 11:20:34 am
Should work with the uPNP plugin by ticking the first two or three boxes in the configuration page and setting interfaces. If you do not tick the 'default deny' box, you do not need user-specified permissions.

Cannot estimate why this would not work in your case.

(https://forum.opnsense.org/index.php?action=dlattach;topic=17577.0;attach=10577)

Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: FullyBorked on June 29, 2020, 01:50:43 pm
Should work with the uPNP plugin by ticking the first two or three boxes in the configuration page and setting interfaces. If you do not tick the 'default deny' box, you do not need user-specified permissions.

Cannot estimate why this would not work in your case.

(https://forum.opnsense.org/index.php?action=dlattach;topic=17577.0;attach=10577)

Thanks for the reply. I've enabled it as you mentioned. Default deny is not ticked. I can see in the logs where the module is loaded. But it simply doesn't seem to do anything. My UPNP applications continue not to work and nothing shows up on the status page.

Is there a location where I might get better logs to see if it's getting requests and what it might be doing with them? 
Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: Northguy on June 29, 2020, 03:21:35 pm
Do you have any active firewall rules that might affect your setup?
Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: FullyBorked on June 29, 2020, 03:26:08 pm
Do you have any active firewall rules that might affect your setup?

I wouldn't think so; I have the default any rule outbound for IPv4. I have an inbound port forwarding NAT rule for my dedicated gaming server and a corresponding inbound firewall rule. These rules point to my DMZ subnet and interface.
Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: Northguy on June 29, 2020, 03:36:54 pm
With the mentioned settings I got our PS4 running in 5 minutes, so the question is: what is different in your setup?

Are you trying to access your own gaming server or an 'outside' server? I am not the expert on that front, but in case of contacting your own server it might be something with NAT reflection or loopback?

Maybe someone else can chime in....



Sent from my SM-A715F using Tapatalk

Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: FullyBorked on June 29, 2020, 03:45:46 pm
With the mentioned settings I got our PS4 running in 5 minutes, so the question is: what is different in your setup?

Are you trying to access your own gaming server or an 'outside' server? I am not the expert on that front, but in case of contacting your own server it might be something with NAT reflection or loopback?

Maybe someone else can chime in....

Sent from my SM-A715F using Tapatalk

I can get my game server working just fine since it is just simple port forwarding, no UPNP needed. 

I'm having trouble getting services like Xbox gaming services and some games that require an inbound connection for multiplayer scenarios. I too am very curious what is different in our setups.



Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: FullyBorked on June 29, 2020, 04:00:08 pm
See below, these are my settings and one of the errors I'm getting.
Edit: not sure why that screenshot looks so terrible, must be some compression with the upload. I think you can get the idea; if not I'll re-post it at full size.

(https://uploads.tapatalk-cdn.com/20200629/6d953932f1855e1af568ff6f0eaf9523.jpg)
(https://uploads.tapatalk-cdn.com/20200629/8f7da7b80cb001fb77018576a0a426ac.jpg)

Sent from my GM1917 using Tapatalk

Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: Northguy on June 29, 2020, 04:23:32 pm
You might do a test and assign a specific allow rule like I did. Either assign an IP or an IP range, like:

"allow 1024-65535 192.168.1.0/24 1024-65535"
Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: FullyBorked on June 29, 2020, 04:45:31 pm
You might do a test and assign a specific allow rule like I did. Either assign an IP or an IP range, like:

"allow 1024-65535 192.168.1.0/24 1024-65535"

That was a good thought actually, but no dice unfortunately. I even tried it with and without the default deny rule set; I wasn't sure if those ACLs are used or not unless that is checked.
Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: Northguy on June 29, 2020, 04:55:18 pm
Did you try rebooting or flushing the state tables? I am never sure when flushing is actually necessary, but it will not harm I guess.

Sent from my SM-A715F using Tapatalk

Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: m0t0k0 on June 29, 2020, 06:28:16 pm
Hey FullyBorked, seems like you have the same issues as I did on pfSense.
I could get UPnP working no problem with just one device, but as soon as we had multiple devices trying to access the same game service it all fell over for all but the first device which connected.

I'm certain this is to do with the way MiniUPnP is coded. It apparently has been fixed and there is a patched version which is available with the nightly builds of pfSense.

This is the issue over on MiniUPnP https://github.com/miniupnp/miniupnp/pull/455
The work was done in response to this issue on the pfSense forums https://redmine.pfsense.org/issues/7727

As both OPN and PF use MiniUPnP and the FreeBSD Packet Filter I'm sure they both will share the same fix or something very close to it?

Maybe someone with some more technical understanding can let us know.
I do know the COD Warzone was affected and on my PF box a single PC could connect no issues through UPnP but any subsequent PC would be blocked.
It also affects Xboxes where the first one can connect to the Microsoft network but the subsequent connection on other Xboxes are blocked.

Can we sideload plugins? The patched version of MiniUPnP (miniupnpd-2.2.0-RC1.tar.gz) is available here:
https://miniupnp.tuxfamily.org/files/
Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: FullyBorked on June 29, 2020, 06:48:48 pm
Hey FullyBorked, seems like you have the same issues as I did on pfSense.
I could get UPnP working no problem with just one device, but as soon as we had multiple devices trying to access the same game service it all fell over for all but the first device which connected.

I'm certain this is to do with the way MiniUPnP is coded. It apparently has been fixed and there is a patched version which is available with the nightly builds of pfSense.

This is the issue over on MiniUPnP https://github.com/miniupnp/miniupnp/pull/455
The work was done in response to this issue on the pfSense forums https://redmine.pfsense.org/issues/7727

As both OPN and PF use MiniUPnP and the FreeBSD Packet Filter I'm sure they both will share the same fix or something very close to it?

Maybe someone with some more technical understanding can let us know.
I do know the COD Warzone was affected and on my PF box a single PC could connect no issues through UPnP but any subsequent PC would be blocked.
It also affects Xboxes where the first one can connect to the Microsoft network but the subsequent connection on other Xboxes are blocked.

Can we sideload plugins? The patched version of MiniUPnP (miniupnpd-2.2.0-RC1.tar.gz) is available here:
https://miniupnp.tuxfamily.org/files/
Hey m0t0k0, I've not been able to get even the first device to work. None of my devices seem to want to activate the UPnP service. I wish I knew the log location so I could see if it's even getting a request.

Sent from my GM1917 using Tapatalk

Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: FullyBorked on June 29, 2020, 06:50:41 pm
Did you try rebooting or flushing the state tables? I am never sure when flushing is actually necessary, but it will not harm I guess.

Sent from my SM-A715F using Tapatalk

I have on my other tests; I haven't since adding your allow ACL. I'm on my work VPN during the day so I won't be able to bounce those connections till after hours.

Sent from my GM1917 using Tapatalk

Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: m0t0k0 on June 29, 2020, 07:51:21 pm
Hey m0t0k0, I've not been able to get even the first device to work. None of my devices seem to want to activate the UPnP service. I wish I knew the log location so I could see if it's even getting a request.

Sent from my GM1917 using Tapatalk

Oh sorry for hijacking your thread! My experience was with pfSense but I assume OPNsense would be similar. Good luck
Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: FullyBorked on June 29, 2020, 10:08:10 pm
I finally dug out the logs: /var/log/routing.log. Looks like my connections are making it to the UPnP service but it's timing out for some reason. Any thoughts on why these requests are timing out?

Code:
Jun 29 10:36:53 OPNsense miniupnpd[48248]: shutting down MiniUPnPd
Jun 29 10:36:53 OPNsense miniupnpd[75134]: HTTP listening on port 2189
Jun 29 10:36:53 OPNsense miniupnpd[75134]: no HTTP IPv6 address, disabling IPv6
Jun 29 10:36:53 OPNsense miniupnpd[75134]: Listening for NAT-PMP/PCP traffic on port 5351
Jun 29 10:36:53 OPNsense miniupnpd[75134]: PCPSendUnsolicitedAnnounce() IPv6 sendto(): Bad file descriptor
Jun 29 11:08:41 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:41 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:41 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:41 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:43 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:43 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:44 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:44 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:45 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:45 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:46 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Title: Re: Is UPNP misconfigured or simply broken in its implementation?
Post by: FullyBorked on June 29, 2020, 11:47:24 pm
I finally got it working. I took part of the static port creation rule others have mentioned and made it wider to encompass the entire subnet. Games now work and I see entries in the status page of the plugin now.

(https://uploads.tapatalk-cdn.com/20200629/f057706a1c8bd82bf4ffcbd19e846555.jpg)

Sent from my GM1917 using Tapatalk

Title: Re: [Solved] Is UPNP misconfigured or simply broken in its implementation?
Post by: Northguy on June 30, 2020, 09:22:11 am
Funny,

On my manual list I only have some LAN related rules, so your setup is not quite similar to mine with regards to NAT Outbound.

In my setup I do have automatically created rules that look very similar to yours. Don't you have any automatically created rules like that?

(https://forum.opnsense.org/index.php?action=dlattach;topic=17869.0;attach=10791)
Title: Re: [Solved] Is UPNP misconfigured or simply broken in its implementation?
Post by: m0t0k0 on June 30, 2020, 12:31:38 pm
I'm glad you got your config working.

May I ask if you're able to test two systems playing the same game simultaneously?
I definitely had issues with Warzone. Warframe would throw a warning on the main screen but would work.
Also, only one machine could get open or moderate NAT with the Microsoft Teredo service (IPv6 tunneling through IPv4); this can be checked through the Win 10 built-in Xbox app.

Many thanks
Title: Re: [Solved] Is UPNP misconfigured or simply broken in its implementation?
Post by: FullyBorked on June 30, 2020, 04:53:39 pm
Funny,

On my manual list I only have some LAN related rules, so your setup is not quite similar to mine with regards to NAT Outbound.

In my setup I do have automatically created rules that look very similar to yours. Don't you have any automatically created rules like that?

(https://forum.opnsense.org/index.php?action=dlattach;topic=17869.0;attach=10791)

Yes, I do have those rules; the 500 is for IPsec tunnels. I guess the other one with the non-static port is probably why this is such a pain to get working?
Title: Re: [Solved] Is UPNP misconfigured or simply broken in its implementation?
Post by: FullyBorked on June 30, 2020, 04:57:13 pm
I'm glad you got your config working.

May I ask if you're able to test two systems playing the same game simultaneously?
I definitely had issues with Warzone. Warframe would throw a warning on the main screen but would work.
Also, only one machine could get open or moderate NAT with the Microsoft Teredo service (IPv6 tunneling through IPv4); this can be checked through the Win 10 built-in Xbox app.

Many thanks

I only have one Xbox, but I'll see if I can find a common game that my PC and my wife's PC share that both need NAT to test. Another edit: looks like Warzone is free to play so I'll try that one for you.

Edit: Xbox networking does show working. So that should be good.


(https://uploads.tapatalk-cdn.com/20200630/2bbd9fda2509fc6e20c620cb607878f3.jpg)
Title: Re: [Solved] Is UPNP misconfigured or simply broken in its implementation?
Post by: FullyBorked on June 30, 2020, 10:07:36 pm
Here are a few good reads that I ran across that have helped me get where I am now. They are for pfSense/Netgate, but still apply to OPNsense. They do a good job explaining what the services do; the UPnP document even references at the bottom that static port mapping may be necessary for gaming consoles.

UPnP Config and Security Concerns - https://docs.netgate.com/pfsense/en/latest/book/services/upnp-and-nat-pmp.html#

Outbound Static Port and Security Concerns - https://docs.netgate.com/pfsense/en/latest/book/nat/outbound-nat.html#nat-staticport

NAT Reflection - https://docs.netgate.com/pfsense/en/latest/book/nat/nat-reflection.html?highlight=reflection
Title: Re: [Solved] Is UPNP misconfigured or simply broken in its implementation?
Post by: m0t0k0 on July 01, 2020, 11:55:18 pm
Thanks for the info. I'm going to go ahead and have a go when I get the opportunity.

Warzone is 70+GB so no worries if you can't test it.
Title: Re: [Solved] Is UPNP misconfigured or simply broken in its implementation?
Post by: xtrasyn on January 23, 2021, 08:00:44 am
I have the same issue. I can't get it to work.

I've done the same things as said in this thread: I installed the uPnP package in the administration section (I did get some stuff about anchor creation that I don't understand), enabled it, and enabled the NAT setting to allow hybrid outbound rule generation.

Still, no uPnP, and my users are complaining (7 and 11 year old lol) that my internets suck. :D

Can someone please help me in a step-by-step fashion, as I really can't figure this out on my own.
Title: Re: [Solved] Is UPNP misconfigured or simply broken in its implementation?
Post by: logandzwon on January 30, 2021, 11:34:12 pm
I think the new update broke stuff. Since updating my uPNP doesn't work, nor does the IPS. Even tail doesn't follow files as it is supposed to.  =/

Edit: I performed a full clean install and afterwards was easily able to enable uPNP by just installing the plug-in and setting its settings. (I did enable NAT reflection beforehand as part of setting up my static port forwards. I don't know if that matters for upnp.)
Title: Re: [Solved] Is UPNP misconfigured or simply broken in its implementation?
Post by: logandzwon on February 01, 2021, 04:14:21 pm
Never mind, upnp is now working, but only kinda. Some app on my Mac can do upnp just fine; however the Xboxes still all fail. I do see the port getting requested in "Services: Universal Plug and Play: Status". They just don't actually seem to work.

Edit.
Ok. I understand what is happening now. By default OPNsense changes the outgoing port randomly. For XBOXLIVE to work correctly it is required that NAT NOT do this. (I believe they do this so ISPs and carriers will prioritize the ports XBOXLIVE traffic uses.)

IE;
When the xbox sends a packet from xboxip:3074 -> xboxlive:3074, the NAT packet filter changes both source IP and destination. So the packet becomes wanip:randomport -> xboxlive:3074. This breaks XBOXLIVE.

So, if you are gaming behind your OPNsense, what can you do? Well, you have to change the outbound behavior.
Go into Firewall -> NAT -> Outbound.
See the automatic rules added at the bottom? ISAKMP is also known to break if the source port changes, so OPNsense comes with a rule to not change the source port when sending to port 500. Essentially you have to recreate the rules so that outbound NAT has "Static Port" enabled.

Take note!
If you haven't turned your xbox on yet you should be all set. However, you've probably already turned your xbox on and it has conducted a upnp test, so it probably isn't going to work right away. I am not sure why; my guess is something to do with either established states or XBL caching something. Even hard rebooting the xbox will not help. But, not to fear! You can force it by going into the xbox settings and setting an alternate port under the "advanced settings" on the xbox. (Just remember to set it back to automatic later as there is no need to keep it that way. Normally the xbox and upnp are good about automatically figuring out which port to use if the default of 3074 is already active.)
Also, booting and connecting a second xbox, then trying again with the first xbox will work, but only because the second takes 3074 and the first is forced to pick a different port. However, if you then reboot both and the first comes up first, it will go back to seeing strict NAT again.


My suggestions for the future of OPNsense:
I think that if we spent some time capturing the xbox's packets before and after OPNsense we could figure out exactly which ports it is using and add a default rule like the one for ISAKMP; then this would all go more smoothly. Also, if I could isolate exactly why once an xbox sees a strict NAT it is stuck like that, and how to fix it, testing could go a lot faster. For these reasons I've simply configured all outbound connections to "static port" for now. As we have several gamers in the house I don't feel the benefits outweigh the complications for our use.
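The outbound NAT arrangement described above, written as the pf rules OPNsense ultimately hands to the FreeBSD packet filter. This is an added illustration, not rules copied from the thread or from OPNsense's rule generator; the interface name and the console address are assumptions, and the point it adds is that the static-port exception can be scoped to one host and one port instead of the whole LAN.

```pf
# Assumed names; adjust to the interfaces and addresses on your own box.
ext_if  = "vtnet0"
lan_net = "192.168.1.0/24"
xbox    = "192.168.1.50"     # the console; assumption, not from the thread

# pf evaluates nat rules first-match, so the specific static-port rules
# have to sit above the catch-all that randomizes source ports.

# Counterpart of the automatic rule the thread mentions: ISAKMP keeps its
# source port so IPsec peers see the port they expect.
nat on $ext_if inet proto udp from $lan_net to any port 500 -> ($ext_if) static-port

# Scoped exception for the console only: Xbox Live expects the source
# port to survive NAT, so this host's traffic to port 3074 is not rewritten.
nat on $ext_if inet proto { tcp udp } from $xbox to any port 3074 -> ($ext_if) static-port

# Everything else keeps pf's default source-port randomization, which is
# what makes translated flows hard to predict from the outside.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# The blanket alternative the thread settles on gives that up for every
# host and every flow on the LAN; it is the wider of the two choices:
# nat on $ext_if inet from $lan_net to any -> ($ext_if) static-port
```

Rules loaded from the OPNsense GUI end up in the same form, so comparing the generated ruleset against this shape shows whether the static-port exception is as narrow as intended.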
Title: Re: [Solved] Is UPNP misconfigured or simply broken in its implementation?
Post by: logandzwon on February 01, 2021, 06:02:34 pm
I have the same issue. I can't get it to work.

I've done the same things as said in this thread: I installed the uPnP package in the administration section (I did get some stuff about anchor creation that I don't understand), enabled it, and enabled the NAT setting to allow hybrid outbound rule generation.

Still, no uPnP, and my users are complaining (7 and 11 year old lol) that my internets suck. :D

Can someone please help me in a step-by-step fashion, as I really can't figure this out on my own.

Add the rules to Firewall: NAT: Outbound that match mine. Then, after applying them, on the xbox go into Settings -> Network -> Advanced settings -> Alternate port selection and set something other than 3074. It should work. Then, tomorrow, go back and set this back to automatic.