UPnP not working with WAN Failover

Started by dmcgough, November 05, 2025, 11:25:19 PM

I went through this guide (https://docs.opnsense.org/manual/how-tos/multiwan.html) and set up multiwan here. I was testing with UPnP and noticed that not all my firewalls would respond to UPnP requests, even though all had the plugin installed, configured similarly, etc.

I narrowed it down to the firewall with multiwan enabled. I went into the firewall Rules on the inbound interface (LAN side) and modified the Gateway part of the internet access rule to no longer use the WAN_FAILOVER group. Just the default gateway setup. UPnP started working. Went back to WAN_FAILOVER, UPnP no longer functions.

Not sure how to submit this as a bug, or if anyone would pay attention, but the UPnP configuration only specifies one of my two internet links (my primary one) - if that matters.

I think I've found a workaround for this. I put in an explicit Firewall Rule inbound on the LAN interface. I explicitly permitted any/any UDP port 1900, and I left the Gateway set to 'default'. At this point, I ran the test again with upnpc-static.exe and it was successful.

The way failover rules seem to work is more of a brute-force (ish) policy routing solution. Anything that you want to go through a Service or Plugin may need to have an explicit Firewall Rule put in place, so that the catchall internet access rule's failover Gateway doesn't stop it from working.

I guess the real question is related to Order of Operations. Is this the way the OPNsense devs expect it to work? Should authors of Plugins add usage notes related to WAN Failover?