UPnP issues?

[m0t0k0]

Hi I would like to try OPNsense but there is one thing holding me back!

My home network has 8 gaming PC/Consoles with a constantly evolving games library. This means UPnP is essential as I don't have enough time to be constantly adding and removing ports.

I did try running pfSense a while ago but we had big problems with UPnP. It would work for one user but for some games, subsequent users would not be able to access the game's servers.
I'm pretty confident this was because of MiniUPnPs interaction with the FreeBSD Packet Filter.

From what I understand this has been an ongoing issue for years but has recently seen some work to get it fixed. There is a thread about it over at pfSense.
https://redmine.pfsense.org/issues/7727#change-41170

Before I take the plunge and start learning my way around another firewall is anyone able to confirm if OPNsense would suffer from the same issues?
If it would be possible to use the updated version of MiniUPnP-2.2.0.r1,1?

Many thanks

[samsonmcnulty]

You can enable upnp on lan and then add a rule like

Code: [Select]

allow 88-65535 x.x.x.x/24 2000-65535 to the settings. After that you only need to add each device to outbound nat with a static port.

[m0t0k0]

After that you only need to add each device to outbound nat with a static port.

Having a static port somewhat eliminates the function of UPnP tho right?

It seems others have experienced the same type of problems as I have
https://www.reddit.com/r/OPNsenseFirewall/comments/av1t3w/upnp_problems_gaming/

[samsonmcnulty]

Setting outbound nat with the static port setting for each device that needs to use upnp simply stops the firewall from overwriting the outbound port with a randomized one. You don't need to do any manual port forwarding. Setting the allow rule as I mentioned above in the upnp settings allows the device on a subnet or a specific device to use the ports that are allowed. By default upnp in OPNsense operates with a least access configuration and requires whitelisting whereas, in most consumer grade hardware, upnp is using "allow all".

[Northguy]

You can install optional uPNP plugin which does not require any manual NAT configuration. The process is quite simple:

• Install optional upnp plugin
• enable service
• allow upnp port mapping
• set proper interfaces
• optionally check default deny and custom entry per IP for enhanced security

Example configuration below:

[m0t0k0]

Thanks for the replys

samsonmcnulty thanks I understand what your saying now OPNsense would randomize the outbound port however it can be set to static so I would use whichever port number the application requested.

I'm 100% certain this is what I did when using pfSense it was locked down with an alias list, ACL and firewall rules.

It worked perfectly but only for one machine at a time.

It appears the fix to MiniUPnP has been merged and so should be available in the next release.
https://github.com/miniupnp/miniupnp/pull/455

I assume the UPnP plugin is MiniUPnP and OPENsense uses the FreeBSD Packet Filter so the issue wo8uld affect it just the same as pfSense?

Does anyone run multiple PC/Game consoles at home who connect to the same online games simultaneously? Can anyone confirm if this just works out the box?

[FullyBorked]

Thanks for the replys

samsonmcnulty thanks I understand what your saying now OPNsense would randomize the outbound port however it can be set to static so I would use whichever port number the application requested.

I'm 100% certain this is what I did when using pfSense it was locked down with an alias list, ACL and firewall rules.

It worked perfectly but only for one machine at a time.

It appears the fix to MiniUPnP has been merged and so should be available in the next release.
https://github.com/miniupnp/miniupnp/pull/455

I assume the UPnP plugin is MiniUPnP and OPENsense uses the FreeBSD Packet Filter so the issue wo8uld affect it just the same as pfSense?

Does anyone run multiple PC/Game consoles at home who connect to the same online games simultaneously? Can anyone confirm if this just works out the box?

In digging around to fix my issue, I think this is resolved by enabling NAT reflection. 

[Maxpower]

What settings did you change in the NAT reflection?  I too am having issues with getting UPnP to work correctly all the time.  Thanks.

[FullyBorked]

What settings did you change in the NAT reflection?  I too am having issues with getting UPnP to work correctly all the time.  Thanks.

Firewall > Settings > Advanced > Reflection for Port Forwards. 

This won't help get UPnP working.  But will help if you have it working and you have to devices trying to play on the same services.  Say if two PC's are trying to play Warzone for example. I still haven't tested this but others online seem to confirm that this corrects the multiple internal devices connecting to the same service.

If you are trying to get it working at a base  level see my thread here https://forum.opnsense.org/index.php?topic=17869.0 took me forever but I was finally able to get it going.