[Solved] Is UPnP misconfigured or simply broken in its implementation?

Started by FullyBorked, June 29, 2020, 04:05:36 AM

I finally dug out the logs /var/log/routing.log.  Looks like my connections are making it to the upnp service but it's timing out for some reason.  Any thoughts on why these requests are timing out?


Jun 29 10:36:53 OPNsense miniupnpd[48248]: shutting down MiniUPnPd
Jun 29 10:36:53 OPNsense miniupnpd[75134]: HTTP listening on port 2189
Jun 29 10:36:53 OPNsense miniupnpd[75134]: no HTTP IPv6 address, disabling IPv6
Jun 29 10:36:53 OPNsense miniupnpd[75134]: Listening for NAT-PMP/PCP traffic on port 5351
Jun 29 10:36:53 OPNsense miniupnpd[75134]: PCPSendUnsolicitedAnnounce() IPv6 sendto(): Bad file descriptor
Jun 29 11:08:41 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:41 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:41 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:41 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:43 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:43 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:44 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:44 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:45 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:45 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out
Jun 29 11:08:46 OPNsense miniupnpd[75134]: upnp_event_process_notify: connect(192.168.1.128:2869): Operation timed out

I finally got it working.  Took part of the static port creation rule others have mentioned and made it wider to encompass the entire subnet.  Games now work and I see entries in the status page of the plugin now.





Funny,

On my manual list I only have some LAN related rules, so your setup is not quite similar to mine with regards to NAT Outbound.

In my setup I do have automatically created rules that look very similar to yours. Don't you have any automatically created rules like that?



I'm glad you got your config working.

May I ask if you're able to test two systems playing the same game simultaneously?
I definitely had issues with Warzone. Warframe would throw a warning on the main screen but would work.
Also only one machine could get open or moderate NAT with the Microsoft Teredo service (IPv6 tunnelling through IPv4); this can be checked through the Win 10 built-in Xbox app.

Many thanks

Quote from: Northguy on June 30, 2020, 09:22:11 AM
Funny,

On my manual list I only have some LAN related rules, so your setup is not quite similar to mine with regards to NAT Outbound.

In my setup I do have automatically created rules that look very similar to yours. Don't you have any automatically created rules like that?



Yes, I do have those rules; the 500 is for IPsec tunnels. I guess the other one, with the non-static port, is probably why this is such a pain to get working?

Quote from: m0t0k0 on June 30, 2020, 12:31:38 PM
I'm glad you got your config working.

May I ask if you're able to test two systems playing the same game simultaneously?
I definitely had issues with Warzone. Warframe would throw a warning on the main screen but would work.
Also only one machine could get open or moderate NAT with the Microsoft Teredo service (IPv6 tunnelling through IPv4); this can be checked through the Win 10 built-in Xbox app.

Many thanks

I only have one Xbox, but I'll see if I can find a common game that my PC and my wife's PC share that both need NAT, to test. Another edit: looks like Warzone is free to play, so I'll try that one for you.

Edit: Xbox networking does show as working. So that should be good.



Here are a few good reads that I ran across that have helped me get where I am now. They are for pfSense (Netgate), but still apply to OPNsense. They do a good job explaining what the services do; the UPnP document even mentions at the bottom that static port mapping may be necessary for gaming consoles.

UPnP Config and Security Concerns - https://docs.netgate.com/pfsense/en/latest/book/services/upnp-and-nat-pmp.html#

Outbound Static Port and Security Concerns - https://docs.netgate.com/pfsense/en/latest/book/nat/outbound-nat.html#nat-staticport

NAT Reflection - https://docs.netgate.com/pfsense/en/latest/book/nat/nat-reflection.html?highlight=reflection

Thanks for the info. I'm going to go ahead and have a go when I get the opportunity.

Warzone is 70+ GB, so no worries if you can't test it.

I have the same issue. I can't get it to work.

I've done the same things as said in this thread: I installed the UPnP package in the administration section (I did get some stuff about anchor creation that I don't understand), enabled it, and enabled the NAT setting to allow hybrid outbound rule generation.

Still, no UPnP, and my users are complaining (7 and 11 year olds, lol) that my internet sucks. :D

Can someone please help me in a step-by-step fashion, as I really can't figure this out on my own.

I think the new update broke stuff. Since updating, my UPnP doesn't work, nor does the IPS. Even tail doesn't follow files as it is supposed to. =/

Edit: I performed a full clean install and afterwards was easily able to enable UPnP by just installing the plug-in and setting its settings. (I did enable NAT reflection beforehand as part of setting up my static port forwards. I don't know if that matters for UPnP.)

Never mind, UPnP is now working, but only kinda. Some app on my Mac can do UPnP just fine; however, the Xboxes still all fail. I do see the port getting requested in "Services: Universal Plug and Play: Status". They just don't actually seem to work.

Edit.
  OK. I understand what is happening now. By default OPNsense changes the outgoing port randomly. For Xbox Live to work correctly it is required that NAT NOT do this. (I believe they do this so ISPs and carriers will prioritize the ports Xbox Live traffic uses.)

I.e.:
When the Xbox sends a packet from xboxip:3074 -> xboxlive:3074, the NAT packet filter changes both source IP and destination. So the packet becomes wanip:randomport -> xboxlive:3074. This breaks Xbox Live.

  So, if you are gaming behind your OPNsense, what can you do? Well, you have to change the outbound behavior.
Go into Firewall -> NAT -> Outbound.
See the automatic rules added at the bottom? ISAKMP is also known to break if the source port changes, so OPNsense comes with a rule to not change the source port when sending to port 500. Essentially you have to recreate the rules so that outbound NAT has "Static Port" enabled.

Take note!
  If you haven't turned your Xbox on yet, you should be all set. However, you've probably already turned your Xbox on and it has conducted a UPnP test, so it probably isn't going to work right away. I am not sure why; my guess is something to do with either established states or XBL caching something. Even hard rebooting the Xbox will not help. But not to fear! You can force it by going into the Xbox settings and setting an alternate port under the "Advanced settings" on the Xbox. (Just remember to set it back to automatic later, as there is no need to keep it that way. Normally the Xbox and UPnP are good about automatically figuring out which port to use if the default of 3074 is already active.)
  Also, booting and connecting a second Xbox, then trying again with the first Xbox, will work, but only because the second takes 3074 and the first is forced to pick a different port. However, if you then reboot both and the first comes up first, it will go back to seeing strict NAT again.


My suggestions for the future of OPNsense:
  I think that if we spent some time capturing the Xbox's packets before and after OPNsense, we could figure out exactly which ports it is using and add a default rule like the one for ISAKMP; then this would all go more smoothly. Also, if I could isolate exactly why, once an Xbox sees a strict NAT, it is stuck like that, and how to fix it, testing could go a lot faster. For these reasons I've simply configured all outbound connections to "static port" for now. As we have several gamers in the house, I don't feel the benefits outweigh the complications for our use.
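What the post above describes, written out as pf rules. This is an added illustration, not a rule set OPNsense generated or one anybody posted in this thread; the interface name em0, the 192.168.1.0/24 subnet and the console address 192.168.1.128 are assumptions. OPNsense turns its Firewall: NAT: Outbound entries into pf nat rules of this shape, and in pf the first matching nat rule wins, so the static-port rules have to sit above the catch-all.

```pf
# Illustrative pf.conf fragment (added example; names and addresses assumed)
ext_if  = "em0"
lan_net = "192.168.1.0/24"
xbox    = "192.168.1.128"

# The rule OPNsense adds automatically: ISAKMP keeps source port 500
nat on $ext_if from $lan_net port 500 to any port 500 -> ($ext_if) static-port

# Narrow fix for one console: its source port (3074 by default) is kept
nat on $ext_if from $xbox to any -> ($ext_if) static-port

# Wider variant used earlier in the thread: the whole subnet keeps its source port
# nat on $ext_if from $lan_net to any -> ($ext_if) static-port

# Default behaviour for everything else: source port is randomised
nat on $ext_if from $lan_net to any -> ($ext_if)
```

Keeping the static-port rule scoped to the console (or to the game's source port) preserves source-port randomisation for every other host, which is the trade-off the Netgate "Security Concerns" pages linked earlier in the thread are about. On the box, `pfctl -sn` shows the loaded nat rules in order, and `pfctl -ss` shows the states: a console flow that is handled correctly shows the same port inside and outside the parentheses, e.g. `203.0.113.5:3074 (192.168.1.128:3074)`, while one caught by the catch-all shows a random port outside.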

Quote from: xtrasyn on January 23, 2021, 08:00:44 AM
I have the same issue. I can't get it to work.

I've done the same things as said in this thread: I installed the UPnP package in the administration section (I did get some stuff about anchor creation that I don't understand), enabled it, and enabled the NAT setting to allow hybrid outbound rule generation.

Still, no UPnP, and my users are complaining (7 and 11 year olds, lol) that my internet sucks. :D

Can someone please help me in a step-by-step fashion, as I really can't figure this out on my own.

Add the rules to Firewall: NAT: Outbound that match mine. Then, after applying them, on the Xbox, go into Settings -> Network -> Advanced settings -> Alternate port selection and set something other than 3074. It should work. Then, tomorrow, go back and set this back to automatic.
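A quick way to confirm that the outbound rules actually took effect, as an added example that is not part of any post in this thread: feed `pfctl -ss` output from the firewall to a small script that flags LAN flows on game ports whose source port was rewritten by NAT. It assumes the FreeBSD pf state line format for translated states, `<if> <proto> <translated src> (<original src>) -> <dst> <state>`, and handles IPv4 only; the sample states embedded in it are constructed for the example, not captured from any system.

```python
"""Flag pf NAT states whose source port was rewritten on game traffic.

Added example, not from the thread. Assumes the FreeBSD pfctl -ss line
format for translated states, IPv4 only:
    <if> <proto> <translated src> (<original src>) -> <dst> <state>
On the firewall:  pfctl -ss | python3 check_static_port.py
"""
import re
import sys

# Ports that must leave the WAN unchanged; 3074 is the Xbox Live default.
# Add the alternate port if one was set on the console.
GAME_PORTS = {3074}

# Only states that carry a "(original src)" part are NAT-translated, so the
# pattern skips untranslated states and header lines automatically.
STATE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+"
    r"(?P<xlat_ip>\d+(?:\.\d+){3}):(?P<xlat_port>\d+)\s+"
    r"\((?P<orig_ip>\d+(?:\.\d+){3}):(?P<orig_port>\d+)\)\s+->\s+"
    r"(?P<dst_ip>\d+(?:\.\d+){3}):(?P<dst_port>\d+)"
)

# Constructed sample output (not captured from a real firewall): host .50 is
# still hitting the random-port catch-all rule, host .128 is covered by a
# static-port rule, and the ISAKMP and HTTPS flows are there as noise.
SAMPLE = """\
all udp 203.0.113.5:61237 (192.168.1.50:3074) -> 52.1.2.3:3074       MULTIPLE:MULTIPLE
all udp 203.0.113.5:3074 (192.168.1.128:3074) -> 52.1.2.3:3074       MULTIPLE:MULTIPLE
all udp 203.0.113.5:500 (192.168.1.10:500) -> 198.51.100.9:500       MULTIPLE:MULTIPLE
all tcp 203.0.113.5:50871 (192.168.1.20:49220) -> 142.250.1.1:443       ESTABLISHED:ESTABLISHED
"""


def find_rewritten(lines, game_ports=GAME_PORTS):
    """Return one dict per translated state on a game port whose source port changed."""
    hits = []
    for line in lines:
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        orig_port = int(m["orig_port"])
        xlat_port = int(m["xlat_port"])
        if orig_port in game_ports and xlat_port != orig_port:
            hits.append({
                "host": m["orig_ip"],
                "proto": m["proto"],
                "port": orig_port,
                "translated_port": xlat_port,
                "dst": f"{m['dst_ip']}:{m['dst_port']}",
            })
    return hits


def report(lines, game_ports=GAME_PORTS):
    """Print a human-readable summary and return the number of offending states."""
    hits = find_rewritten(lines, game_ports)
    for h in hits:
        print(f"{h['host']} {h['proto']}/{h['port']} leaves as port "
              f"{h['translated_port']} towards {h['dst']}: static port NOT in effect")
    if not hits:
        print("no rewritten game-port states found")
    return len(hits)


if __name__ == "__main__":
    # Read real pfctl output from a pipe; fall back to the constructed sample.
    src = sys.stdin if not sys.stdin.isatty() else SAMPLE.splitlines()
    sys.exit(1 if report(src) else 0)
```

Run it right after the console has been forced to re-test its NAT (the alternate-port trick above); a clean run with the console's states present, and a non-zero exit only while a host is still on the random-port rule, is the check that the GUI status page does not give you.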