[Solved] Is UPnP misconfigured or simply broken in its implementation?

Started by FullyBorked, June 29, 2020, 04:05:36 AM

I really hate to post another UPnP post right above another from someone else https://forum.opnsense.org/index.php?topic=17855.0 but I don't want to hijack his thread either.

I have a similar issue. I've spooled up my first OPNsense firewall and have been working to get it all tuned in for about two weeks now. But recently I started finding more and more games on the Xbox and two gaming PCs that just refuse to connect to multiplayer because of UPnP.

So I did my searching and dug out some threads on setting up UPnP; seems simple enough, just install and enable, a couple of check boxes, set your interfaces and you're off to the races? Nope, at least not on my box; it simply doesn't work.

After some digging it looks like the only way to make this work is to set each device that needs UPnP to a static IP and add an outbound NAT static port mapping.

Maybe I'm misunderstanding something, but this just simply seems absurd to me. The point of UPnP should be that I can enable it and internal devices can open ports and NAT automatically as needed. (I understand the security implications.) Surely this is a misunderstanding of the service in OPNsense? Otherwise I feel like it's simply broken. I think being able to create ACLs is a great feature to lock down UPnP a bit, but it shouldn't be a requirement for the base configuration.

If someone knows different please let me know. I've not found any documentation on the plugin that mentions the static entries required for this feature to work. I love this setup a lot and I'd hate to have to tear it down for one feature.

Should work with the UPnP plugin by ticking the first two or three boxes on the configuration page and setting the interfaces. If you do not tick the 'default deny' box, you do not need user-specified permissions.

Cannot estimate why this would not work in your case.




Quote from: Northguy on June 29, 2020, 11:20:34 AM



Thanks for the reply. I've enabled it as you mentioned. Default deny is not ticked. I can see in the logs where the module is loaded. But it simply doesn't seem to do anything. My UPnP applications continue to not work and nothing shows up on the status page.

Is there a location where I might get better logs to see if it's getting requests and what it might be doing with them? 
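The question above, whether the firewall is even receiving UPnP requests, can be answered from a LAN host without any firewall logs: UPnP clients find the gateway by multicasting an SSDP M-SEARCH to 239.255.255.250:1900, and miniupnpd answers with a unicast HTTP-style reply carrying a LOCATION header. The probe below is an added example, not code from the thread or from OPNsense; it builds that M-SEARCH, parses whatever replies arrive, and includes a constructed sample reply (the SERVER string, port 2189 and the 192.168.1.1 address are invented for the sample) so the parser can be exercised offline. Because SSDP is link-local multicast, the probe must run on the same network segment as an interface the plugin is set to listen on, which matches the "set your interfaces" step discussed above.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_msearch(st=IGD_ST, mx=2):
    """Build the SSDP discovery request a UPnP client multicasts on the LAN."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\n"
        f"ST: {st}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_ssdp_response(data):
    """Return a dict of lower-cased headers from an SSDP 200 reply, else None."""
    text = data.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def discover(timeout=3.0, iface_ip=None):
    """Multicast one M-SEARCH and collect (sender, LOCATION, SERVER) for each reply.

    iface_ip selects the outgoing interface on multi-homed hosts. An empty
    result means no IGD on this segment answered: either the plugin is not
    listening on this interface or the multicast never reached it.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    if iface_ip:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF,
                        socket.inet_aton(iface_ip))
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            data, addr = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers is not None:
                found.append((addr[0], headers.get("location"), headers.get("server")))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample of what a miniupnpd-style IGD sends back; the values are
# invented for this example and are not from the poster's firewall.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"EXT:\r\n"
    b"SERVER: FreeBSD/12 UPnP/1.1 MiniUPnPd/2.1\r\n"
    b"LOCATION: http://192.168.1.1:2189/rootDesc.xml\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    replies = discover()
    if not replies:
        print("no IGD answered on this segment")
    for sender, location, server in replies:
        print(f"{sender}: {server} at {location}")
```

If the probe gets a reply, the LOCATION URL is the device description the client fetches next, and the problem is further along (permissions, firewall rules or the client itself); if nothing answers, no amount of ACL tuning will help until the plugin is listening on the right interface.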

Do you have any active firewall rules that might affect your setup?

Quote from: Northguy on June 29, 2020, 03:21:35 PM

I wouldn't think so. I have the default any rule outbound for IPv4. I have an inbound port forwarding NAT rule for my dedicated gaming server and a corresponding inbound firewall rule. These rules point to my DMZ subnet and interface.

With the mentioned settings I got our PS4 running in 5 minutes' time, so the question is: what is different in your setup?

Are you trying to access your own gaming server or an 'outside' server? I am not the expert on that front, but in case of contacting your own server it might be something with NAT reflection or loopback?

Maybe someone else can chime in....





Quote from: Northguy on June 29, 2020, 03:36:54 PM

I can get my game server working just fine since it is just simple port forwarding, no UPNP needed. 

I'm having trouble getting services like Xbox gaming services and some games that require an inbound connection for multiplayer scenarios. I too am very curious what is different in our setups.




See below, these are my settings and one of the errors I'm getting.
Edit: not sure why that screenshot looks so terrible, must be some compression with the upload. I think you can get the idea; if not I'll re-post it at full size.





You might do a test and assign a specific allow rule like I did. Either assign an IP or an IP range like:

"allow 1024-65535 192.168.1.0/24 1024-65535"

Quote from: Northguy on June 29, 2020, 04:23:32 PM

That was a good thought actually, but no dice unfortunately. I even tried it with and without the default deny rule set; I wasn't sure if those ACLs are used or not unless that is checked.

Did you try rebooting or flushing the state tables? I am never sure when flushing is actually necessary, but it will not harm, I guess.



Hey FullyBorked, seems like you have the same issues as I did on pfSense.
I could get UPnP working no problem with just one device, but as soon as we had multiple devices trying to access the same game service it all fell over for all but the first device which connected.

I'm certain this is to do with the way MiniUPnP is coded. It apparently has been fixed and there is a patched version which is available with the nightly builds of pfSense.

This is the issue over on MiniUPnP https://github.com/miniupnp/miniupnp/pull/455
The work was done in response to this issue on the pfSense forums https://redmine.pfsense.org/issues/7727

As both OPN and PF use MiniUPnP and the FreeBSD Packet Filter I'm sure they both will share the same fix or something very close to it?

Maybe someone with some more technical understanding can let us know.
I do know the COD Warzone was affected and on my PF box a single PC could connect no issues through UPnP but any subsequent PC would be blocked.
It also affects Xboxes where the first one can connect to the Microsoft network but the subsequent connection on other Xboxes are blocked.

Can we sideload plugins? The patched version of MiniUPnP (miniupnpd-2.2.0-RC1.tar.gz) is available here
https://miniupnp.tuxfamily.org/files/
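The symptom m0t0k0 describes above (the first console or PC gets its mapping, every later one is refused) is what happens when several LAN hosts each ask the gateway for the same external port: in the IGD protocol a second AddPortMapping for an external port that is already mapped to a different internal host fails with error 718, ConflictInMappingEntry, and the only way out is for the gateway to hand the later host a different external port, as the AddAnyPortMapping action does. The model below is an added example, not miniupnpd's code and not the change in the linked pull request; it is a toy mapping table that can be run in strict mode, reproducing the one-device-only behaviour, or with an alternate-port fallback. The 3074 request, the two LAN addresses and the ephemeral range are constructed for the example.

```python
from dataclasses import dataclass


class ConflictInMappingEntry(Exception):
    """Models IGD error 718: the external port is already mapped to another host."""


@dataclass
class Mapping:
    proto: str
    ext_port: int
    int_ip: str
    int_port: int


class ToyGateway:
    """A simplified IGD port-mapping table (illustrative, not miniupnpd's code).

    alloc_alternate=False: strict AddPortMapping semantics, the second host
    asking for an already-mapped external port gets error 718.
    alloc_alternate=True: AddAnyPortMapping-style fallback, the second host
    is given a free external port instead (assumption: this is the general
    shape of a fix, not the actual implementation of any project).
    """

    def __init__(self, alloc_alternate=False, ephemeral=(49152, 65536)):
        self.table = {}                 # (proto, ext_port) -> Mapping
        self.alloc_alternate = alloc_alternate
        self.ephemeral = ephemeral

    def add_port_mapping(self, proto, ext_port, int_ip, int_port):
        proto = proto.upper()
        key = (proto, ext_port)
        existing = self.table.get(key)
        if existing is None:
            self.table[key] = Mapping(proto, ext_port, int_ip, int_port)
            return self.table[key]
        if (existing.int_ip, existing.int_port) == (int_ip, int_port):
            return existing             # same host refreshing its own lease
        if not self.alloc_alternate:
            raise ConflictInMappingEntry(
                f"{proto}/{ext_port} already mapped to {existing.int_ip}:{existing.int_port}")
        for port in range(*self.ephemeral):   # hand out the first free external port
            if (proto, port) not in self.table:
                self.table[(proto, port)] = Mapping(proto, port, int_ip, int_port)
                return self.table[(proto, port)]
        raise ConflictInMappingEntry("no free external port left")


def two_consoles(alloc_alternate):
    """Two LAN hosts both request UDP 3074 (constructed, console-style request).

    Returns the external port each host ended up with, or None where the
    gateway refused the request with error 718.
    """
    gw = ToyGateway(alloc_alternate=alloc_alternate)
    outcome = []
    for host in ("192.168.1.20", "192.168.1.21"):
        try:
            outcome.append(gw.add_port_mapping("udp", 3074, host, 3074).ext_port)
        except ConflictInMappingEntry:
            outcome.append(None)
    return outcome


if __name__ == "__main__":
    print("strict  :", two_consoles(False))   # second host refused
    print("fallback:", two_consoles(True))    # second host gets another port
```

The client side matters too: a game that insists on its preferred external port and treats 718 as fatal will show exactly the first-device-wins behaviour, while one that accepts whatever external port the gateway returns (or that uses AddAnyPortMapping) works with the fallback.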

Quote from: m0t0k0 on June 29, 2020, 06:28:16 PM
Hey m0t0k0, I've not been able to get even the first device to work. None of my devices seem to want to activate the UPnP service. I wish I knew the log location so I could see if it's even getting a request.



Quote from: Northguy on June 29, 2020, 04:55:18 PM
I have on my other tests; I haven't since adding your allow ACL. I'm on my work VPN during the day so I won't be able to bounce those connections till after hours.



Quote from: FullyBorked

Oh sorry for hijacking your thread! My experience was with pfSense but I assume OPNsense would be similar. Good luck