Messages - thecodemonk

#1
Quote from: Greelan on April 08, 2021, 11:10:01 PM
That would possibly block packets to OPNsense itself and certainly wouldn't work if you were running multiple VLANs/subnets that you wanted access to

Got it. I didn't even think of that.
#2
Someone can correct me if I'm wrong, but wouldn't you do a rule where the source is the IP of the machine in question and destination is anything? It shouldn't affect lan to lan connections unless you are running multiple switches tied to multiple ports on the firewall hardware.
#3
21.1 Legacy Series / Re: Having some UPnP issues.
April 06, 2021, 06:05:18 PM
Quote from: 5SpeedFun on April 06, 2021, 05:44:56 PM
The problem with the UPNP service on OpnSense (not opnsense specific issue, it's upstream) is that it expects to work on a "dumb" switch that floods multicast. The upnp daemon never sends an IGMP Join to the switch (which, with IGMP snooping on, it expects). Since the join is never received by the switch, it never sends the <client>->239.255.255.250 traffic to the opnsense port. That is why the static join is needed -- to force sending the client upnp requests to the opnsense box.

Option 2> Turn IGMP Snooping off, so all multicast is flooded:

Another option is to turn igmp snooping off & make sure the clients & opnsense box are in the same vlan on the same switch.

I believe that ultimately this may have been my issue. My PC was on a dumb switch that is connected to the managed switch and then the opnsense box is connected to the managed switch as well. I had gone into Netgear's Insight (their managed cloud service for everything) and turned off IGMP snooping a few days ago in testing. It said it saved it, but I had to return to that page and do it 3 more times before it finally said that it was off. With the potential ARP caching issue and IGMP snooping potentially not being off, the final reboot I did of everything, including that switch, may have turned snooping off and cleared the cache so that things actually started working.

I am definitely going to can this Netgear Insight crap and go back to locally managing it. It's a pain and I get less aggregated data about the connected clients, but for home I will live with it. Using all this was a test of their "business" class gear anyway to see if we would like it over the Unifi stuff we have at the office now. It's a resounding no from me. For home, it's fine. But I won't be using this cloud stuff at the office and managing a half dozen of these individually would be a colossal pain.
#4
21.1 Legacy Series / Re: Having some UPnP issues.
April 06, 2021, 05:40:01 AM
FreshTomato isn't in the picture. I was just referencing that when I used it before, I never had to clear states to get things like that to work, but I did need to in opnsense IF I had previously tried to connect just to verify it wasn't working before creating the port forward. I agree that it was weird and I shouldn't have to do that, but I've come to the conclusion that something was seriously weird and cached for me. I'll explain in a minute.

The app I was using is just called upnptest. https://www.majorgeeks.com/files/details/universal_plug_and_play_tester_(upnptest).html

You can tell that app was written by someone who clearly was having upnp issues and wanted just a quick and dirty way to figure out what was up. You may need to look up the UPNP specs to make sure you are filling in all the right values. If you need help, I can walk you through how to use it.

So this is a kind of long story, but the tl;dr version is mine is now working fine...

Last night I was going to set my laptop up on a mirrored port on my managed switch and I was going to mirror the port my unmanaged switch is plugged into. That unmanaged switch is where my PC and PS4 are connected. I also plug my laptop into that unmanaged switch as it's my work laptop and that's what I work from all day. I plug my laptop into the managed switch and I cannot get it to work, at all. I can't get DHCP and I even tried a static mapping and it was a no go. I was in a bit of a panic as I really needed to work today. I knew I could fall back to wifi, but I was seriously concerned. I tried different ports on the switch, and nothing. So now I'm thinking my laptop ethernet port is just dead now.

So I tried rebooting it multiple times, even booting up Linux because I know dang well it could just be Windows being a jerk. Still nothing. Since it was almost midnight, I decided to just throw in the towel for the night. I put the laptop back on the desk, connected ethernet from the managed switch and it all starts working again. What. The. Crap.

So I decided that something was seriously messed up and this new managed switch must have an ARP caching issue or something that's causing an issue here. So before I headed up to bed, I decided to just power everything off and let it all reboot. I turn it all off, and a minute later have to deal with the wife texting me "we have no internet again". I go to bed, and check the status of everything from my phone and it's good. Everything is back up and running.

Fast forward to this afternoon, I hear my son laughing and telling my daughter to watch out for the skeletons. So I go see what they are doing, and they are playing multiplayer minecraft. That's odd. I didn't think it would work with upnp not working right... Check the status page, and there's a line for minecraft. What. The. Crap. I flip over to my desktop and turn on warzone. As it's loading shaders, refresh the status page, and lo and behold it's listed. Go to the account page in settings, and it's NAT open.... Open CoD Cold War, it's also NAT type open.

Just to make sure it wasn't a fluke, I played quite a few rounds tonight with zero issues.

I have no idea what the real problem was. I'm certainly glad it's working now, but I would have really liked to know what was causing it not to work. With my laptop issue though, I'm really suspicious of this managed switch. I think I'm going to turn off Netgear's Insight cloud BS and go back to just individually managing everything. I know for sure the local management had tools to at least view the ARP cache, the cloud stuff has nothing. I would have liked to have cleared it last night when testing. Especially since when I was first setting all this up, I connected my PC to the managed switch a few times to test things out.

Anyway. I guess we can try to work through your problems and see if we can get yours working now.

If you wanted to revert, there are tools to revert packages and the OS. I would make a backup of the config first just in case you do need to reinstall from ISO if something goes wrong. https://docs.opnsense.org/manual/opnsense_tools.html
#5
21.1 Legacy Series / Re: Having some UPnP issues.
April 05, 2021, 05:10:13 PM
So I think I've come to the conclusion for me that it's Call of Duty that isn't working right, plus I think there might be a bug in the gui UPNP status.

The app I am using to test with will also display current port forwards and I have not been using it to check for them. I've just been using the status page.

If I create a forward without a description, it does not display in the list. According to the specs, a description isn't required. But without a description it doesn't show in the GUI status list. I've been creating them without this whole time and seeing them not show up. Also, when testing these forwards, I haven't been closing the browser window or clearing states. I think FreshTomato must be doing that behind the scenes without telling you it is.

Anyway. My test is by running nginx on my local PC (same one that runs Warzone/Cold War) with its default web page. I create a forward using upnp for external port 8080 and internal port 80 to my local PC. Then on my phone, I turn off Wifi, and go to http://myexternalip:8080 and see if the page comes up. Without the forward, it doesn't come up. I then close that tab, clear all the states, then create the forward. I then go to that address on my phone and the page shows up immediately. Close the tab, remove the forward using the utility, clear all states, and open a tab and go to that address and it times out.

I've tried that both with a description and without, and it works. Now, this was before reading about nat-pmp. So mine is on right now. I will test again with that turned off, but for now, it does look like this is working on my config (without changing any settings like xpendable has). I will most likely try his settings as well.

The other thing I was going to do is mirror my PC's port to another port on my switch and run wireshark so I could capture the exact settings CoD is using, but I'm having an issue with my laptop being plugged into that switch... So now I'm kind of wondering if I'm having a switch issue as well. My protectli box has 2 more optional ports that I can bridge to lan, so I may do that and plug my individual switches into those to test as well. However, with it working on my simple test with nginx, I have to believe that this is actually working, but something CoD is doing is slightly different and the real problem that needs to be discovered.
#6
21.1 Legacy Series / Re: Having some UPnP issues.
April 04, 2021, 06:10:20 PM
Do you have the latest updates installed for everything?
#7
21.1 Legacy Series / Re: Having some UPnP issues.
April 04, 2021, 07:41:39 AM
Well, I think my first step is going to be figuring out if miniupnpd was upgraded and if it was, I'll revert to a previous version. If that still doesn't work, I'll revert opnsense to the last version and test. I'll report what I find tomorrow. I'm going to have to plan this out though as the wife and kids won't like being without internet. Lol
#8
21.1 Legacy Series / Re: Having some UPnP issues.
April 04, 2021, 03:12:29 AM
Thanks for all the suggestions, but even after reinstalling miniupnpd, and then removing os-upnp and reinstalling everything, it's still not working for some reason.

Upon install of os-upnp, this is in the install window:
*** !!WARNING!! !!WARNING!! !!WARNING!! ***
This port allows machines within your network to create holes in your
firewall.  Please ensure this is really what you want!
*** !!WARNING!! !!WARNING!! !!WARNING!! ***

For this daemon to work, you must modify your pf rules to add an anchor
in both the NAT and rules section.  Both must be called 'miniupnpd'.
Example:

# NAT section
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

# Rules section
# uPnPd rule anchor
anchor "miniupnpd"
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***

Then after going into upnp and enabling everything, I went to the routing log and this was in there:
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] PCPSendUnsolicitedAnnounce() IPv6 sendto(): No route to host
2021-04-03T20:57:07 miniupnpd[50993] Listening for NAT-PMP/PCP traffic on port 5351
2021-04-03T20:57:07 miniupnpd[50993] setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] HTTP IPv6 address given to control points : [2601:409:200:1ab:2e0:67ff:fe22:e25d]
2021-04-03T20:57:07 miniupnpd[50993] HTTP listening on port 2189

In COD Cold War, when I open the game (after rebooting my PC) I still get NAT Moderate and no forwarded ports listed in the upnp status.

Here are screenshots of my setup.. Am I missing something? Is there something else I need to tweak? What can I turn on to debug this? Is it a bug I need to report?

The images aren't showing up in the embed, so I just attached them.
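The routing log lines quoted above carry more signal than a glance gives them: the repeated pf ioctl failure, the IPv6 noise and the ports the daemon actually bound are three different things, and separating them is the first step before deciding whether to revert or report. The parser below is an added example, not code from the post or from OPNsense/miniupnpd; the line regex and the message classes are my own reading of the quoted lines, and the sample log is a constructed subset of them with the global IPv6 address replaced by a documentation address.

```python
"""Summarize the miniupnpd lines from an OPNsense routing log.

Added example, not code from the forum post or from OPNsense/miniupnpd: the
line regex and the message classes are my own. SAMPLE_LOG is a constructed
subset of the lines quoted in the post, IPv6 address swapped for 2001:db8::1.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] PCPSendUnsolicitedAnnounce() IPv6 sendto(): No route to host
2021-04-03T20:57:07 miniupnpd[50993] Listening for NAT-PMP/PCP traffic on port 5351
2021-04-03T20:57:07 miniupnpd[50993] setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] HTTP IPv6 address given to control points : [2001:db8::1]
2021-04-03T20:57:07 miniupnpd[50993] HTTP listening on port 2189
"""

# <timestamp> miniupnpd[<pid>] <message>
LINE_RE = re.compile(r"^(?P<ts>\S+) miniupnpd\[(?P<pid>\d+)\] (?P<msg>.*)$")

# Message classes worth counting. DIOCGETRULES is the pf ioctl that reads the
# rules of an anchor; when it fails, miniupnpd cannot read back the mappings
# it manages, which is one thing to check when the status page stays empty.
PATTERNS = {
    "pf_getrules_failed": re.compile(r"ioctl\(dev, DIOCGETRULES, \.\.\.\): (?P<err>.+)"),
    "ipv6_failure": re.compile(r"(IPv6 sendto\(\)|IPV6_RECVPKTINFO).*: (?P<err>.+)"),
    "natpmp_port": re.compile(r"Listening for NAT-PMP/PCP traffic on port (?P<port>\d+)"),
    "http_port": re.compile(r"HTTP listening on port (?P<port>\d+)"),
}


def parse_line(line):
    """Split one log line into fields and classify the message; None if not a miniupnpd line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rec["kind"] = "other"
    for kind, pattern in PATTERNS.items():
        pm = pattern.search(rec["msg"])
        if pm:
            rec["kind"] = kind
            rec.update(pm.groupdict())   # adds 'err' or 'port' depending on the class
            break
    return rec


def summarize(text):
    """Count message classes and collect listening ports and daemon PIDs for one excerpt."""
    counts, ports, pids = Counter(), {}, set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        pids.add(rec["pid"])
        counts[rec["kind"]] += 1
        if "port" in rec:
            ports[rec["kind"]] = int(rec["port"])
    return {
        "counts": dict(counts),
        "ports": ports,
        "pids": sorted(pids),
        # Any failed rule read-back means the daemon's view of pf is unreliable.
        "pf_rule_readback_broken": counts["pf_getrules_failed"] > 0,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a full routing log export, the counts tell you whether the pf read-back failure is a one-off at daemon start or repeats on every request, and the PID set shows whether the daemon restarted in between.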
#9
21.1 Legacy Series / Having some UPnP issues.
April 02, 2021, 05:29:23 PM
I am a long-time pfSense user (at work) that has had an R7000 with FreshTomato on it at home. Since my R7000 is about 8 years old and the wifi is starting to have issues, I decided to roll my own stuff at home instead of getting Orbis or a Netgear wifi 6 mesh system. I bought a Protectli box and was going to use pfSense, but decided to give opnsense a go. I installed everything last night and configured it for my network and got the new access points wired up to the new switch (it's a managed Netgear switch with PoE).

I installed the upnp plugin. At home, I have a PS4, a few gaming PCs, and 4 Nintendo Switches. The kids often play multiplayer Minecraft and I play Warzone on my PC, as well as some various multiplayer PS4 games.

On FreshTomato, it was just ticking off the boxes and going and I would get open nat in Warzone and minecraft worked fine for the kids. With opnsense, I'm not having any luck at all.

After many hours of troubleshooting, I'm kind of stuck now and need some assistance. It doesn't seem to be working at all. In the status page of the upnp plugin, no mappings ever show up. However! I downloaded a upnp tool that lets you send requests to discovered devices. So when I do the AddPortMapping request, it actually says success. If I use the GetSpecificPortMappingEntry request, it returns what I requested, but it still doesn't actually show up in the upnp status page.

I have default deny turned off, but I have also tried adding my PC's IP and a large port range to the permissions, and I got the same result. In the routing log, I don't see any errors for requests. And in outbound nat, I have it in hybrid mode, and a rule for source lan net with the wan address at the nat address and static port enabled. I did not try to put my specific PC address in there, but I don't think this even comes into play yet.

I've uninstalled the plugin and re-enabled as well as just reinstalling it. I've disabled/reenabled and still no go.

I also attempted to turn off IGMP snooping in my switch, but since it's a cloud managed device (for now, I'm going to be turning that garbage off this weekend), I decided to just plug the switch my PC is on into the lan port of the firewall and plug my poe switch into my standard unmanaged lan switch. Still doesn't seem to work.

I'm really confused that the upnp test app says success and I'm not seeing the rule in the status list. I disabled the upnp and did the requests again, just to make sure it wasn't responding, just in case it thought it was sending it to the router when something else on the network was messing with it, but it does fail with it disabled.

I'm kind of at a loss for what to try next. While I could just put in manual port forwards for everything, minecraft could be a little more difficult, and I'm not sure what other games the kids are playing that might need port forwarding. I'd rather this be a little more hands off. Once it is working, I'll turn on the default deny and start ACL'ing this. So, any ideas?
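The requests the test tool sends in this thread (AddPortMapping, GetSpecificPortMappingEntry) have a read-back counterpart, GetGenericPortMappingEntry, that lists every mapping the gateway holds regardless of what a GUI chooses to display; the discovery step before it is the SSDP M-SEARCH to 239.255.255.250 that the IGMP snooping discussion in the thread is about. The module below is an added example, not code from the thread, from the upnptest tool or from OPNsense: it builds the M-SEARCH, parses the SSDP reply, walks the WANIPConnection mapping table and flags the mappings an owner should look at, including the no-description case the thread found missing from the status page. Sample replies are constructed (the 192.168.1.x addresses and the 8080-to-80 mapping mirror the nginx test described in the thread but are made up here) so the module runs offline; fetch_all_mappings() needs a real gateway and assumes its control URL is already known, since resolving the LOCATION device description to that URL is not shown.

```python
"""Enumerate and audit the port mappings a UPnP Internet Gateway Device holds.

Added example, not code from the thread, the upnptest tool or OPNsense. Sample
replies are constructed so it runs offline; fetch_all_mappings() needs a real
gateway and assumes the WANIPConnection control URL is already known.
"""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)   # SSDP multicast group; must reach the IGD's switch port
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed sample replies (addresses, ports and the mapping are made up).
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
                     b"LOCATION: http://192.168.1.1:2189/rootDesc.xml\r\n\r\n")
SAMPLE_MAPPING_REPLY = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>80</NewInternalPort>
<NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription></NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
SAMPLE_FAULT_REPLY = b"""<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault><detail>
<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>
<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail>
</s:Fault></s:Body></s:Envelope>"""


def build_msearch(st=IGD_ST, mx=2):
    """SSDP discovery request for SSDP_ADDR; only answered if the multicast reaches the gateway."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()


def parse_ssdp_response(raw):
    """Reply headers as a lower-cased dict, or None unless the status is HTTP 200."""
    lines = raw.decode(errors="replace").partition("\r\n\r\n")[0].split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")   # first colon only; URLs contain more
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def build_soap(action, args):
    """SOAP envelope and HTTP headers for one WANIPConnection action."""
    body = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    envelope = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
                's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
                f'<u:{action} xmlns:u="{WANIP}">{body}</u:{action}></s:Body></s:Envelope>')
    return envelope.encode(), {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{WANIP}#{action}"'}


def parse_mapping_response(xml_bytes):
    """Flatten a GetGenericPortMappingEntryResponse ('New' prefix dropped); None on a SOAP fault."""
    entry = {}
    for elem in ET.fromstring(xml_bytes).iter():
        tag = elem.tag.split("}")[-1]
        if tag == "Fault":
            return None
        if tag.startswith("New"):
            entry[tag[3:]] = (elem.text or "").strip()
    return entry


def audit_mappings(entries):
    """Flag what the firewall owner should review: no description (the mappings the GUI
    did not list in the thread), a permanent lease (0), or enabled with no client."""
    findings = []
    for e in entries:
        problems = []
        if not e.get("PortMappingDescription"):
            problems.append("no description")
        if e.get("LeaseDuration") == "0":
            problems.append("permanent lease")
        if e.get("Enabled") == "1" and not e.get("InternalClient"):
            problems.append("no internal client")
        findings.append({**e, "problems": problems})
    return findings


def fetch_all_mappings(control_url):
    """Walk the table by index until the IGD faults (error 713 = index past the end)."""
    entries, index = [], 0
    while True:
        data, headers = build_soap("GetGenericPortMappingEntry", {"NewPortMappingIndex": index})
        req = urllib.request.Request(control_url, data=data, headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                entry = parse_mapping_response(resp.read())
        except urllib.error.HTTPError as err:   # IGDs carry the SOAP fault in an HTTP 500 body
            entry = parse_mapping_response(err.read())
        if not entry:
            return entries
        entries.append(entry)
        index += 1
```

Comparing what fetch_all_mappings() returns with the plugin's status page is the check the thread was missing: if the gateway reports a mapping the GUI does not show, the hole is open whether or not it is displayed.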