And in outbound nat, I have it in hybrid mode, and a rule for source lan net with the wan address at the nat address and static port enabled.
ZPrime, he already has his outbound NAT using hybrid mode with a single rule with static-ports for his entire LAN network.
Make sure you reboot your consoles or PC. I've noticed my Xbox or PS5 won't send AddPortMapping requests after they are up and running so no port mappings will show up in OPNsense until you reboot. But this isn't always the case.
I can confirm that with Xbox at least, it sometimes doesn't want to map. What sometimes helps (and avoids a lengthy reboot) is to get into the networking section and check/test the NAT status. If it still doesn't map after that, there's a secret code (IIRC it's hold both triggers and then hit both bumpers simultaneously) that gives you a "more details" screen, and after bringing that up and then checking NAT status again, it usually seems to force the mapping.
Why not just create an alias group for devices and ports?
Then Port forward with group, you’re already in hybrid nat
And remove upnp ;)
*** !!WARNING!! !!WARNING!! !!WARNING!! ***
This port allows machines within your network to create holes in your
firewall. Please ensure this is really what you want!
*** !!WARNING!! !!WARNING!! !!WARNING!! ***
For this daemon to work, you must modify your pf rules to add an anchor
in both the NAT and rules section. Both must be called 'miniupnpd'.
Example:
# NAT section
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
# Rules section
# uPnPd rule anchor
anchor "miniupnpd"
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] PCPSendUnsolicitedAnnounce() IPv6 sendto(): No route to host
2021-04-03T20:57:07 miniupnpd[50993] Listening for NAT-PMP/PCP traffic on port 5351
2021-04-03T20:57:07 miniupnpd[50993] setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] HTTP IPv6 address given to control points : [2601:409:200:1ab:2e0:67ff:fe22:e25d]
2021-04-03T20:57:07 miniupnpd[50993] HTTP listening on port 2189
Interface: WAN
Source: LAN net
Source Port: udp/3074
Destination: *
Destination Port: udp/3074
NAT Address: Interface address
NAT Port: *
Static Port: YES
Description: Allow Static-Port mapping for COD
So I think I've come to the conclusion for me that it's Call of Duty that isn't working right, plus I think there might be a bug in the GUI UPnP status.
Curious, what app are you using to create the forwards (presumably on Windows)? I have a Win VM and a work laptop running Windows that I can break out to try a different app.
The app I am using to test with will also display current port forwards and I have not been using it to check for them. I've just been using the status page.
If I create a forward without a description, it does not display in the list. According to the specs, a description isn't required. But without a description it doesn't show in the GUI status list. I've been creating them without this whole time and seeing them not show up. Also, when testing these forwards, I haven't been closing the browser window or clearing states. I think FreshTomato must be doing that behind the scenes without telling you it is.
How is FreshTomato part of the scenario here, I thought you were running OPNsense?
Anyway. My test is by running nginx on my local PC (same one that runs Warzone/Cold War) with its default web page. I create a forward using UPnP for external port 8080 and internal port 80 to my local PC. Then on my phone, I turn off Wifi, and go to http://myexternalip:8080 and see if the page comes up. Without the forward, it doesn't come up. I then close that tab, clear all the states, then create the forward. I then go to that address on my phone and the page shows up immediately. Close the tab, remove the forward using the utility, clear all states, and open a tab and go to that address and it times out.
Yeah, so this proves that you are able to get a port to forward... if the OPNsense GUI isn't showing that port mapping, that definitely seems like a bug.
I've tried that both with a description and without, and it works. Now, this was before reading about NAT-PMP. So mine is on right now. I will test again with that turned off, but for now, it does look like this is working on my config (without changing any settings like xpendable has). I will most likely try his settings as well.
I don't know what utility you are using to create the mappings from your PC, but NAT-PMP is originally an Apple thing, so unless your utility explicitly has NAT-PMP support in it, it probably is just using UPnP.
The problem with the UPnP service on OPNsense (not an OPNsense-specific issue; it's upstream) is that it expects to work on a "dumb" switch that floods multicast. The UPnP daemon never sends an IGMP Join to the switch (which, with IGMP snooping on, it expects). Since the join is never received by the switch, it never sends the <client>->239.255.255.250 traffic to the OPNsense port. That is why the static join is needed -- to force sending the client UPnP requests to the OPNsense box.
Option 2> Turn IGMP Snooping off, so all multicast is flooded:
Another option is to turn igmp snooping off & make sure the clients & opnsense box are in the same vlan on the same switch.
Hi all,
Well, yes, sort-of. :)
I have a LOT of experience with this. Are both the OPNSense box & the other device on the same switch? Are they on the same vlan? Can they ping each other directly without going through a router?
I know this thread is over a month old now, but I found a solution and wanted to report it. :)
I believe my problem stemmed from the fact that I'm using Multi-WAN, which then requires rules on the LAN side to set a gateway group for the outgoing traffic.
I have a rule above my GW Group rule that is just a generic "allow to firewall LAN IP"... but that overlooks multicast.
Had to add this rule, prior to my GW group selection rule:
source network: <LAN net>
destination host: 239.255.255.250 [multicast IP used for UPnP discovery (http://www.upnp-hacks.org/upnp.html)]
Protocol: UDP
Port: 1900
This got UPnP functional again, at least with the handy Mac app "Port Map (https://github.com/monkeydom/TCMPortMapper/releases/tag/PortMap-2.0.1)". I haven't tried an Xbox yet, but I suspect it will be OK too.
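The two failure modes above (IGMP snooping never delivering the client's multicast to the firewall, and a LAN rule that never lets 239.255.255.250:1900 through) both show up the same way: a UPnP client gets no answer to its discovery. This added example, not from the thread or from miniupnpd, does that discovery step by hand so you can check the multicast path from a LAN host; the sample reply and the 192.168.1.1 address in it are constructed.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)   # multicast group and port UPnP discovery uses
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

def build_msearch(st=IGD_ST, mx=2):
    """Build the SSDP M-SEARCH datagram a client multicasts to 239.255.255.250:1900."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {st}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_ssdp_response(data):
    """Parse an SSDP 'HTTP/1.1 200 OK' reply into a dict of upper-cased headers (None otherwise)."""
    head = data.decode("utf-8", "replace").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def discover_igd(timeout=3.0):
    """Multicast an M-SEARCH and collect (ip, LOCATION, SERVER) for each IGD that answers.
    An empty list on a LAN with miniupnpd enabled usually means the multicast path is broken
    (IGMP snooping with no join, or a LAN rule that never lets 239.255.255.250 reach the firewall)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_GROUP)
    found = []
    try:
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            hdrs = parse_ssdp_response(data)
            if hdrs and hdrs.get("ST") == IGD_ST:
                found.append((ip, hdrs.get("LOCATION"), hdrs.get("SERVER")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

# Constructed sample reply in miniupnpd's format (not captured from this thread).
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                b"SERVER: FreeBSD/12 UPnP/1.1 MiniUPnPd/2.2\r\n"
                b"LOCATION: http://192.168.1.1:2189/rootDesc.xml\r\nEXT:\r\n\r\n")
```

Run `discover_igd()` from a client on the LAN in question: if it returns nothing while the status page says the service is running, the problem is between the client and the firewall (switch or rule), not in miniupnpd's mapping logic.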
I am not even using UPnP and I have a PS4 working fine so far. I gave the PS4 a static IP and its own network for easy management and allowed a bunch of port ranges and some outbound ports that are static. I also use a multi WAN setup. Should I even bother using UPnP if I am able to make the console work without it? When I tried to make it work it didn't work.
Sounds like you've manually done what UPnP should do automatically. It's up to you if you'd rather UPnP do it or you continue manually as you have.
Sent from my IN2025 using Tapatalk
I have set it up for a friend that shares the internet with me and he is only using a few games. Doesn't UPnP also do automatic port forwarding which can be pretty dangerous? I am just wondering which solution is more secure.
Then I wonder why the PS4 is even working because I haven't set up a single port forward rule yet. I only have rules on the network the PS4 is and very few ports on the outgoing NAT side that are static.
Maybe you haven't played anything yet that requires port forwards? That would be my only thought. Not every game requires a port forward. Usually peer to peer games do, but dedicated server games or single player titles do not. It's mostly rare at this point that I hit games that require it. Warframe for example does require UPnP to function correctly since it's peer to peer.