OPNsense Forum

Archive => 16.7 Legacy Series => Topic started by: blomus on August 02, 2016, 01:36:51 am

Title: [SOLVED] UPNP seems not working anymore since update to 16.7
Post by: blomus on August 02, 2016, 01:36:51 am
Hi all,

Since the update to 16.7 I have several issues with UPNP clients in my network. UPNP is on, everything seems ok from the admin website. If I check the status on the admin website, I can't see any clients showing up, which is quite unusual as I have several PCs of my kids with a lot of online games, XBOX, etc.

Since the update I have issues in a few games I play myself.

Is anyone else here having issues like that?
Title: Re: UPNP seems not working anymore since update to 16.7
Post by: macafee on August 02, 2016, 06:42:37 am
Restart your XBOX
Title: Re: UPNP seems not working anymore since update to 16.7
Post by: blomus on August 02, 2016, 01:38:59 pm
All clients in my network have issues: multiple Windows PCs, Xbox, etc. Rebooted devices several times, rebooted OPNsense and ISP router. No change at all. All games and apps that use UPNP have errors like strict NAT type. If I check Teredo perhaps with Netsh Int Teredo Show Stat I can see that UPNP seems not to be active:

NAT Special Behaviour   : UPNP: No, PortPreserving: No
Title: Re: UPNP seems not working anymore since update to 16.7
Post by: blomus on August 05, 2016, 12:36:28 pm
Did a new installation of the system which solved the problem.
Title: Re: [SOLVED] UPNP seems not working anymore since update to 16.7
Post by: obarthel on September 24, 2016, 01:03:09 pm
> Hi all,
>
> Since the update to 16.7 I have several issues with UPNP clients in my network. UPNP is on, everything seems ok from the admin website. If I check the status on the admin website, I can't see any clients showing up, which is quite unusual as I have several PCs of my kids with a lot of online games, XBOX, etc.
>
> Since the update I have issues in a few games I play myself.
>
> Is anyone else here having issues like that?

Yes, and the issue has not gone away yet. I'm currently running 16.7.4.

My test case uses a PS3, which needs the "Allow UPnP Port Mapping" option to be enabled. The UPnP exchange works well until it breaks down when the port mapping is requested. I captured the network traffic and also ran "miniupnpd" in the shell with the options "-d -f /var/etc/miniupnpd.conf -P /var/run/miniupnpd.pid", capturing its output.

The PS3 requests to know the external address of the DSL router, and "miniupnpd" responds as follows (from the packet capture):

Code:
<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:GetExternalIPAddressResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewExternalIPAddress>[redacted].[redacted].[redacted].[redacted]</NewExternalIPAddress>
</u:GetExternalIPAddressResponse>
</s:Body>
</s:Envelope>

The PS3 then requests a port mapping to be performed (from the packet capture):

Code:
<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost/>
<NewExternalPort>3658</NewExternalPort>
<NewProtocol>UDP</NewProtocol>
<NewInternalPort>3658</NewInternalPort>
<NewInternalClient>192.168.1.185</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>192.168.1.185:3658 to 3658 (UDP)</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:AddPortMapping>
</s:Body>
</s:Envelope>

This operation fails. Here is what "miniupnpd" would report (shell output):

Code:
miniupnpd[24698]: HTTP REQUEST from 192.168.1.185:59239 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[24698]: Host: 192.168.1.1:2189
miniupnpd[24698]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
miniupnpd[24698]: AddPortMapping: ext port 3658 to 192.168.1.185:3658 protocol UDP for: 192.168.1.185:3658 to 3658 (UDP) leaseduration=0 rhost=
miniupnpd[24698]: no permission rule matched : accept by default (n_perms=0)
miniupnpd[24698]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
miniupnpd[24698]: redirecting port 3658 to 192.168.1.185:3658 protocol UDP for: 192.168.1.185:3658 to 3658 (UDP)
miniupnpd[24698]: ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Operation not supported by device
miniupnpd[24698]: Returning UPnPError 501: ActionFailed

And this is the response the PS3 received (from the packet capture):

Code:
<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<s:Fault>
<faultcode>s:Client</faultcode>
<faultstring>UPnPError</faultstring>
<detail>
<UPnPError xmlns="urn:schemas-upnp-org:control-1-0">
<errorCode>501</errorCode>
<errorDescription>ActionFailed</errorDescription>
</UPnPError>
</detail>
</s:Fault>
</s:Body>
</s:Envelope>

The PS3 reports this as "UPnP: Not Available" and assumes that it is running behind "NAT Type: Type 3", which is shorthand for "restrictive" (the worst grade).

This used to work before, and in the same configuration in my home. With "miniupnpd" working correctly, the PS3 would report "NAT Type: Type 2", which is what it should have been.

The "miniupnpd" shell output suggests that it is unable to query or modify the packet filter's port forwarding rules.
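
A triage helper for the debug output and SOAP fault quoted in this post, added here as an example (it is not code from the thread or from the miniupnpd project). The function names and the `pf_unusable` heuristic are assumptions; the sample inputs are constructed from the lines in the post, with the fault envelope condensed. It also flags the "accept by default (n_perms=0)" line, which shows the daemon had no permission rules restricting which mappings a LAN client may request.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: miniupnpd debug lines copied from the post above.
SAMPLE_LOG = """\
miniupnpd[24698]: AddPortMapping: ext port 3658 to 192.168.1.185:3658 protocol UDP for: 192.168.1.185:3658 to 3658 (UDP) leaseduration=0 rhost=
miniupnpd[24698]: no permission rule matched : accept by default (n_perms=0)
miniupnpd[24698]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
miniupnpd[24698]: ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Operation not supported by device
miniupnpd[24698]: Returning UPnPError 501: ActionFailed
"""

SAMPLE_FAULT = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
<s:Body><s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>
<detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">
<errorCode>501</errorCode><errorDescription>ActionFailed</errorDescription>
</UPnPError></detail></s:Fault></s:Body></s:Envelope>"""

ADD_RE = re.compile(r"AddPortMapping: ext port (\d+) to ([\d.]+):(\d+) protocol (\w+)")
IOCTL_RE = re.compile(r"ioctl\(dev, (DIOC\w+), \.\.\.\).*: (.+)$")
PERM_RE = re.compile(r"accept by default \(n_perms=(\d+)\)")
ERR_RE = re.compile(r"Returning UPnPError (\d+): (\w+)")

def parse_fault(xml_text):
    """Return (errorCode, errorDescription) from a UPnP SOAP fault, or None."""
    ns = {"c": "urn:schemas-upnp-org:control-1-0"}
    err = ET.fromstring(xml_text).find(".//c:UPnPError", ns)
    if err is None:
        return None
    return int(err.findtext("c:errorCode", namespaces=ns)), err.findtext("c:errorDescription", namespaces=ns)

def triage(log_text):
    """Summarise one AddPortMapping attempt from miniupnpd -d output."""
    out = {"mapping": None, "default_accept": False, "failed_ioctls": [], "error": None}
    for line in log_text.splitlines():
        if m := ADD_RE.search(line):
            out["mapping"] = (int(m[1]), m[2], int(m[3]), m[4])
        elif m := PERM_RE.search(line):
            out["default_accept"] = True   # no permission rule configured
        elif m := IOCTL_RE.search(line):
            out["failed_ioctls"].append((m[1], m[2]))
        elif m := ERR_RE.search(line):
            out["error"] = (int(m[1]), m[2])
    # Heuristic (assumption): pf ioctls rejected => daemon cannot drive the packet filter
    out["pf_unusable"] = any(e == "Operation not supported by device" for _, e in out["failed_ioctls"])
    return out
```
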
Title: Re: [SOLVED] UPNP seems not working anymore since update to 16.7
Post by: franco on September 24, 2016, 01:36:38 pm
Code:
miniupnpd[24698]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
miniupnpd[24698]: redirecting port 3658 to 192.168.1.185:3658 protocol UDP for: 192.168.1.185:3658 to 3658 (UDP)
miniupnpd[24698]: ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Operation not supported by device

Can you try to reinstall the miniupnpd package from the Firmware, packages tab? We have had similar issues with the load balancer before.
Title: Re: [SOLVED] UPNP seems not working anymore since update to 16.7
Post by: obarthel on September 24, 2016, 02:09:34 pm
> Code:
> miniupnpd[24698]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
> miniupnpd[24698]: redirecting port 3658 to 192.168.1.185:3658 protocol UDP for: 192.168.1.185:3658 to 3658 (UDP)
> miniupnpd[24698]: ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Operation not supported by device
>
> Can you try to reinstall the miniupnpd package from the Firmware, packages tab? We have had similar issues with the load balancer before.

Thank you, that did the trick :)

Reinstallation launched "miniupnpd" version 1.9, with the same configuration which failed to work in the case I reported on.

Now the PS3 reports "UPnP: Available" and "NAT Type: Type 2", as it should be. "NAT Type 2" means "moderate", i.e. the PS3 uses port forwarding at the firewall level.
Title: Re: [SOLVED] UPNP seems not working anymore since update to 16.7
Post by: franco on September 24, 2016, 02:46:56 pm
Ok, great! I'm trying to fix this for when the upgrade to 17.1 is out, but it's not very elegant... it needs to fetch 200 MB of packages and reapply them after boot in order to keep the user binaries in sync with the kernel (which was the original problem).
Title: Re: [SOLVED] UPNP seems not working anymore since update to 16.7
Post by: gwaitsi on November 12, 2016, 02:17:10 pm
It doesn't work for me.

But I note there is no OPENVPN interface, so I don't see how it can be set up to work anyway.
Title: Re: [SOLVED] UPNP seems not working anymore since update to 16.7
Post by: franco on November 12, 2016, 02:41:32 pm
Is this for OpenVPN or UPnP?
Title: Re: [SOLVED] UPNP seems not working anymore since update to 16.7
Post by: gwaitsi on November 13, 2016, 07:32:06 am
Franco, the problem is under Services, UPNP, Settings, Interfaces. There are only:
Blue, Green, Red, Opt1, Opt2, Opt3

There is no OpenVPN interface.

As I have OpenVPN set up as a client going to Opt1, 2, 3 for failover, no ports are opened.

I note this same issue appears on the pfsense board as well.