[UPNP] Getting NAT sorted to allow Peer to Peer games working.

Started by FingerlessGloves, October 27, 2019, 05:24:51 PM

Hi Guys,

Anyone here experienced with setting up UPNP? I've set up Static NAT for the IP of the computer I want UPNP working on. I've turned on UPNP (see attachment for settings). I've also got IGMP snooping turned off on all my switches.

Is there something I'm missing? No games that use Peer to Peer are able to open a UPNP port. Cleared the states in the firewall too!

EDIT: Going in via Network and then properties on the "FreeBSD router", I can create a port forward, but for some reason games are unable to do this 🤨

EDIT2: Doing some research, it could be related to IGDv2, that's if our version of miniupnpd is compiled using that version. I've read some games and programs don't comply with the IGDv2 standards, so running miniupnpd in IGDv1 mode gets them working. I'm not sure if our upnpd is compiled with v1 or v2.
Due to "force_igd_desc_v1" not being a usable setting in the config, I'm thinking it's v1, but it would be nice if someone can confirm.

EDIT3: looking at the pkg info, it does indeed say v1 "UPNP_IGDV2     : off", so I wonder what the issue might be.

Jonny
Adventuring through internet pipes
My Blog

Not sure if this is the same issue as this one on miniupnpd github.

https://github.com/miniupnp/miniupnp/issues/365
Adventuring through internet pipes
My Blog

Here's the miniupnpd (upnp) package that OPNsense is using. It doesn't use IGDV2 as it's known to cause issues. Same package as FreeBSD but with extra hardening from HardenedBSD:

root@opnsense:~ # pkg show miniupnpd
miniupnpd-2.1.20190210,1
Name           : miniupnpd
Version        : 2.1.20190210,1
Installed on   : Wed Oct 16 10:43:18 2019 MST
Origin         : net/miniupnpd
Architecture   : FreeBSD:11:amd64
Prefix         : /usr/local
Categories     : net
Licenses       : BSD3CLAUSE
Maintainer     : squat@squat.no
WWW            : http://miniupnp.free.fr/
Comment        : UPnP IGD implementation which uses pf/ipf
Options        :
        CHECK_PORTINUSE: on
        IPV6           : on
        LEASEFILE      : off
        PF_FILTER_RULES: on
        PIE            : on
        RELRO          : on
        SAFESTACK      : on
        UPNP_IGDV2     : off
        UPNP_STRICT    : off
Shared Libs required:
        libssl.so.9
        libcrypto.so.9
Annotations    :
        FreeBSD_version: 1102000
        cpe            : cpe:2.3:a:miniupnp_project:miniupnpd:2.1.20190210:::::freebsd11:x64
        repo_type      : binary
        repository     : OPNsense
Flat size      : 267KiB
Description    :
Mini UPnPd is a lightweight implementation of a UPnP IGD daemon. This is
supposed to be run on your gateway machine to allow client systems to redirect
ports and punch holes in the firewall.

WWW: http://miniupnp.free.fr/
Locked         : no


Your issue has nothing to do with the link you posted to the miniupnpd github source code issues. I'm just guessing because I'm not clear when you say peer to peer gaming. Is this basically playing the same game locally on a LAN? What the link was referring to is this:

For BSD distributions miniupnpd won't work well if you have for example 2 Xbox consoles that are playing the exact same game at the same time. Linux doesn't have this particular issue with miniupnpd so that's why a lot of consumer grade routers don't have any issues with multiple consoles since most of the routers are based on Linux. Linux has masquerade to use with iptables and BSD distributions don't so this is so far where the problem stems from with BSD based distros such as FreeBSD. You won't have any issues with a single console though.

I have no issues with miniupnpd and OPNsense. It's working great. I suspect the issue is related to your firewall rules. For testing I would disable a lot of them until you isolate which one is causing the problem. Also the only LAN rule I added to OPNsense is a default pass like below:

IPv4 *   LAN net * * * * *   Allow LAN to Internet

It appears you have your NAT outbound rule properly setup with static ports.
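As an added example (not from the thread or from the OPNsense/miniupnpd projects), a small Python parser for the pkg info output quoted above, so the UPNP_IGDV2 build option and the HardenedBSD hardening flags (PIE, RELRO, SAFESTACK) can be checked from a script instead of by eye; the embedded sample is a trimmed copy of that output.

```python
import re

# Constructed sample: a trimmed copy of the `pkg info miniupnpd` output
# quoted in the thread (same values, fewer lines).
SAMPLE_PKG_INFO = """\
miniupnpd-2.1.20190210,1
Name           : miniupnpd
Version        : 2.1.20190210,1
Options        :
        PF_FILTER_RULES: on
        PIE            : on
        RELRO          : on
        SAFESTACK      : on
        UPNP_IGDV2     : off
        UPNP_STRICT    : off
Shared Libs required:
        libssl.so.9
Annotations    :
        cpe            : cpe:2.3:a:miniupnp_project:miniupnpd:2.1.20190210:::::freebsd11:x64
        repository     : OPNsense
Flat size      : 267KiB
"""

# Build options we want to see 'on' for a hardened miniupnpd binary.
HARDENING_OPTIONS = ("PIE", "RELRO", "SAFESTACK")

def parse_pkg_info(text):
    """Parse `pkg info` output into top-level fields; the indented
    'Options' and 'Annotations' blocks become nested dicts."""
    info, section = {"Options": {}, "Annotations": {}}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        # Lazy key match so values containing ':' (the cpe line) survive.
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*)$", line)
        if not line.startswith((" ", "\t")):
            section = None
            if m:
                info.setdefault(m.group(1), m.group(2))
                if m.group(1) in ("Options", "Annotations"):
                    section = m.group(1)
        elif section and m:
            info[section][m.group(1)] = m.group(2)
    return info

def igd_mode(info):
    """'v2' only if the package was built with UPNP_IGDV2 on."""
    return "v2" if info["Options"].get("UPNP_IGDV2") == "on" else "v1"

def missing_hardening(info):
    """Hardening build options that are not 'on' in this package."""
    return [o for o in HARDENING_OPTIONS if info["Options"].get(o) != "on"]
```

Feed it the real output with `parse_pkg_info(subprocess.run(["pkg", "info", "miniupnpd"], capture_output=True, text=True).stdout)` on the firewall itself.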

Quote from: azdps on October 29, 2019, 04:21:43 AM

I'll put that firewall rule in and test soon.

Games like Call of Duty are what I'm having an issue with, where one player hosts the game and then everyone in the lobby connects to them. So with static mapping that gives you moderate NAT, but if the game is able to use UPNP to open ports, then that gives you an open NAT. These terms are what gaming companies use, not ideal but that's how they define it.

If you have Open NAT; everyone can connect to you.
If you have Moderate NAT; Moderate and Open can connect to you.
If you have Strict NAT; no one can connect to you.


* Strict NAT is random port mapping on the router's NAT.


Do you PC game or console only? I'm trying to get just my PC working, there are no other consoles or gaming computers in my house. So I think you're right that the issue on github is something else.
Adventuring through internet pipes
My Blog

I only use consoles for gaming. Also do you need to enable NAT-PMP? I have it disabled and don't have any problems with Apple products.