Having some UPnP issues.

Started by thecodemonk, April 02, 2021, 05:29:23 PM

I am a long-time pfSense user (at work) that has had an R7000 with FreshTomato on it at home. Since my R7000 is about 8 years old and the wifi is starting to have issues, I decided to roll my own stuff at home instead of getting Orbis or a Netgear wifi 6 mesh system. I bought a Protectli box and was going to use pfSense, but decided to give OPNsense a go. I installed everything last night and configured it for my network and got the new access points wired up to the new switch (it's a managed Netgear switch with PoE).

I installed the upnp plugin. At home, I have a PS4, a few gaming PCs, and 4 Nintendo Switches. The kids often play multiplayer Minecraft and I play Warzone on my PC, as well as some various multiplayer PS4 games.

On FreshTomato, it was just ticking off the boxes and going and I would get open nat in Warzone and minecraft worked fine for the kids. With opnsense, I'm not having any luck at all.

After many hours of troubleshooting, I'm kind of stuck now and need some assistance. It doesn't seem to be working at all. In the status page of the UPnP plugin, no mappings ever show up. However! I downloaded a UPnP tool that lets you send requests to discovered devices. So when I do the AddPortMapping request, it actually says success. If I use the GetSpecificPortMappingEntry request, it returns what I requested, but it still doesn't actually show up in the UPnP status page.

I have default deny turned off, but I have also tried adding my PC's IP and a large port range to the permissions, and I got the same result. In the routing log, I don't see any errors for requests. And in outbound NAT, I have it in hybrid mode, and a rule for source LAN net with the WAN address as the NAT address and static port enabled. I did not try to put my specific PC address in there, but I don't think this even comes into play yet.

I've uninstalled the plugin and re-enabled it, as well as just reinstalling it. I've disabled/re-enabled and still no go.

I also attempted to turn off IGMP snooping in my switch, but since it's a cloud managed device (for now, I'm going to be turning that garbage off this weekend), I decided to just plug the switch my PC is on into the lan port of the firewall and plug my poe switch into my standard unmanaged lan switch. Still doesn't seem to work.

I'm really confused that the UPnP test app says success and I'm not seeing the rule in the status list. I disabled UPnP and did the requests again, just to make sure it wasn't responding, in case it thought it was sending it to the router when something else on the network was messing with it, but it does fail with it disabled.

I'm kind of at a loss for what to try next. While I could just put in manual port forwards for everything, minecraft could be a little more difficult, and I'm not sure what other games the kids are playing that might need port forwarding. I'd rather this be a little more hands off. Once it is working, I'll turn on the default deny and start ACL'ing this. So, any ideas?
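For anyone who wants to reproduce the OP's test from a script instead of a GUI tool, the following is an added example (not part of this thread, and not OPNsense or miniupnpd code). It builds the AddPortMapping and GetSpecificPortMappingEntry SOAP requests the test tool sends and parses the replies, including the UPnPError fault (for example 718 ConflictInMappingEntry) that a gateway returns inside an HTTP 500 when it refuses. The control URL, the internal host 192.168.1.50, the 8080 -> 80 mapping and the sample replies are assumptions or constructed data; the real control URL has to be read from the gateway's device description. Note that an empty PortMappingDescription is legal in the request, so a mapping can be accepted without one.

```python
"""UPnP IGD port-mapping probe (added example; assumptions are marked)."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# WANIPConnection:1 is the IGDv1 service type. The control URL below is an
# assumption: read the real one from the gateway's rootDesc.xml.
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
CONTROL_URL = "http://192.168.1.1:2189/ctl/IPConn"  # assumed, not from the page


class UPnPError(Exception):
    def __init__(self, code, description):
        super().__init__(f"UPnPError {code}: {description}")
        self.code, self.description = code, description


def soap_envelope(action, args, service_type=WANIP_SERVICE):
    """SOAP body for one action; args is an ordered list, order matters to strict gateways."""
    fields = "".join(f"<New{k}>{escape(str(v))}</New{k}>" for k, v in args)
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:{action} xmlns:u="{service_type}">{fields}</u:{action}>'
        "</s:Body></s:Envelope>"
    ).encode()


def add_port_mapping_request(ext_port, proto, int_port, int_client,
                             description="", lease=0, remote_host=""):
    """AddPortMapping request; lease 0 means permanent, an empty description is legal."""
    return soap_envelope("AddPortMapping", [
        ("RemoteHost", remote_host), ("ExternalPort", ext_port),
        ("Protocol", proto), ("InternalPort", int_port),
        ("InternalClient", int_client), ("Enabled", 1),
        ("PortMappingDescription", description), ("LeaseDuration", lease)])


def get_specific_mapping_request(ext_port, proto, remote_host=""):
    return soap_envelope("GetSpecificPortMappingEntry", [
        ("RemoteHost", remote_host), ("ExternalPort", ext_port), ("Protocol", proto)])


def _local(tag):
    """Strip the namespace from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]


def upnp_error_code(xml_bytes):
    """(code, description) if the reply is a SOAP fault carrying UPnPError, else None."""
    for el in ET.fromstring(xml_bytes).iter():
        if _local(el.tag) == "UPnPError":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            return int(fields.get("errorCode", 0)), fields.get("errorDescription", "")
    return None


def parse_soap_response(xml_bytes, action):
    """Out arguments (without the 'New' prefix) of <action>Response; raises UPnPError on a fault."""
    err = upnp_error_code(xml_bytes)
    if err:
        raise UPnPError(*err)
    for el in ET.fromstring(xml_bytes).iter():
        if _local(el.tag) == f"{action}Response":
            out = {}
            for c in el:
                name = _local(c.tag)
                out[name[3:] if name.startswith("New") else name] = (c.text or "").strip()
            return out
    raise ValueError(f"no {action}Response element in reply")


def send_soap(action, body, control_url=CONTROL_URL, service_type=WANIP_SERVICE, timeout=5):
    """POST to the gateway. UPnP faults arrive as HTTP 500, so that body is returned too."""
    req = urllib.request.Request(control_url, data=body, method="POST", headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{service_type}#{action}"'})  # the quotes are required
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read()
    except urllib.error.HTTPError as e:
        return e.read()


# Constructed sample replies (not captured from OPNsense or any real gateway).
ADD_OK = (b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
          b'<s:Body><u:AddPortMappingResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"/>'
          b'</s:Body></s:Envelope>')
GET_OK = (b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
          b'<u:GetSpecificPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
          b'<NewInternalPort>80</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>'
          b'<NewEnabled>1</NewEnabled><NewPortMappingDescription>nginx test</NewPortMappingDescription>'
          b'<NewLeaseDuration>0</NewLeaseDuration></u:GetSpecificPortMappingEntryResponse></s:Body></s:Envelope>')
FAULT_718 = (b'<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
             b'<s:Fault><faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>'
             b'<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>718</errorCode>'
             b'<errorDescription>ConflictInMappingEntry</errorDescription></UPnPError>'
             b'</detail></s:Fault></s:Body></s:Envelope>')

if __name__ == "__main__":
    body = add_port_mapping_request(8080, "TCP", 80, "192.168.1.50", "nginx test")
    print(body.decode())
    print("add:", parse_soap_response(ADD_OK, "AddPortMapping"))
    print("get:", parse_soap_response(GET_OK, "GetSpecificPortMappingEntry"))
    try:
        parse_soap_response(FAULT_718, "AddPortMapping")
    except UPnPError as e:
        print("refused:", e)
```

Against a real gateway, replace the sample constants with `send_soap("AddPortMapping", body)` and `send_soap("GetSpecificPortMappingEntry", ...)`. A refusal (ACL deny, conflicting entry) comes back as a UPnPError; an accepted mapping that GetSpecificPortMappingEntry also returns means the daemon holds it, whatever the status page shows.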

Turn on UPnP

Then, Firewall -> NAT -> Outbound

Switch the radio buttons at the top to "Hybrid outbound NAT"
Now, either set up a rule for the entire LAN subnet, or configure your game systems/consoles to be in a sub-subnet (e.g. a /29 or /28 out of your LAN /24), and set up a rule for just that chunk... you want "Static Port = Yes" for the problem systems.

Again, this is just for outbound traffic; it ensures that the firewall doesn't shuffle around the source port on the WAN side.

As long as UPnP is enabled and set up correctly, and you have static port outbound NAT for the game systems, this should take care of it.

Quote from: thecodemonk on April 02, 2021, 05:29:23 PMAnd in outbound nat, I have it in hybrid mode, and a rule for source lan net with the wan address at the nat address and static port enabled.

ZPrime, he already has his outbound NAT using hybrid mode with a single rule with static ports for his entire LAN network.

thecodemonk, I recently installed OPNsense within the last week and configured everything manually. I use UPnP as well and also noticed no mappings were shown under UPnP -> Status. So I was experiencing the same issue as you. I reinstalled the UPnP plugin. That did not seem to fix the issue. I then reinstalled miniupnpd under packages and then rebooted OPNsense. After that, mappings started to show up under UPnP -> Status.

Make sure you reboot your consoles or PC. I've noticed my Xbox or PS5 won't send AddPortMapping requests after they are up and running so no port mappings will show up in OPNsense until you reboot. But this isn't always the case.

Let me know if this works for you.

Quote from: packet loss on April 03, 2021, 05:06:54 AM
Quote from: thecodemonk on April 02, 2021, 05:29:23 PMAnd in outbound nat, I have it in hybrid mode, and a rule for source lan net with the wan address at the nat address and static port enabled.

ZPrime, he already has his outbound NAT using hybrid mode with a single rule with static ports for his entire LAN network.

Sorry about that... I shouldn't be replying at 4am local time. :p

QuoteMake sure you reboot your consoles or PC. I've noticed my Xbox or PS5 won't send AddPortMapping requests after they are up and running so no port mappings will show up in OPNsense until you reboot. But this isn't always the case.
I can confirm that with Xbox at least, it sometimes doesn't want to map. What sometimes helps (and avoids a lengthy reboot) is to get into the networking section and check/test the NAT status. If it still doesn't map after that, there's a secret code (IIRC it's hold both triggers and then hit both bumpers simultaneously) that gives you a "more details" screen, and after bringing that up and then checking NAT status again, it usually seems to force the mapping.

UPnP is so great in theory, but the practice/execution is very janky at times...

Why not just create an alias group for devices and ports,
then port forward with the group? You're already in hybrid NAT.

And remove upnp ;)

Hi, I was facing the same issue; I could not get OPEN NAT on Xbox Live or battle.net (Warzone).
I finally fixed it after a whole week!!!!

Things I did to get it working:
1. Forward all necessary ports like normal.
2. Switch outbound NAT to hybrid.
3. Add a static outbound rule with static port.

(see my screenshots)

If you need more than one device to have OPEN NAT, remove the forwards (leave the static route and hybrid), and install and run UPnP.

Hope this helps, cheers.

Quote from: zyon on April 03, 2021, 12:20:45 PM
Why not just create an alias group for devices and ports,
then port forward with the group? You're already in hybrid NAT.

And remove upnp ;)


This is just not feasible in a gaming household. Too many games, too many consoles and PCs running at the same time playing games. The number of ports one would have to port forward would be unreasonable.

But what cranky has shown and what you are suggesting is an alternative method that does work. It's just not suitable for my network.

Thanks for all the suggestions, but even after reinstalling miniupnpd, and then removing os-upnp and reinstalling everything, it's still not working for some reason.

Upon install of os-upnp, this is in the install window:
*** !!WARNING!! !!WARNING!! !!WARNING!! ***
This port allows machines within your network to create holes in your
firewall.  Please ensure this is really what you want!
*** !!WARNING!! !!WARNING!! !!WARNING!! ***

For this daemon to work, you must modify your pf rules to add an anchor
in both the NAT and rules section.  Both must be called 'miniupnpd'.
Example:

# NAT section
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

# Rules section
# uPnPd rule anchor
anchor "miniupnpd"
Checking integrity... done (0 conflicting)
Nothing to do.
***DONE***


Then after going into UPnP and enabling everything, I went to the routing log and this was in there:
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:08 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] ioctl(dev, DIOCGETRULES, ...): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] PCPSendUnsolicitedAnnounce() IPv6 sendto(): No route to host
2021-04-03T20:57:07 miniupnpd[50993] Listening for NAT-PMP/PCP traffic on port 5351
2021-04-03T20:57:07 miniupnpd[50993] setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
2021-04-03T20:57:07 miniupnpd[50993] HTTP IPv6 address given to control points : [2601:409:200:1ab:2e0:67ff:fe22:e25d]
2021-04-03T20:57:07 miniupnpd[50993] HTTP listening on port 2189


In COD Cold War, when I open the game (after rebooting my PC) I still get NAT Moderate and no forwarded ports listed in the UPnP status.

Here are screenshots of my setup.. Am I missing something? Is there something else I need to tweak? What can I turn on to debug this? Is it a bug I need to report?

The images aren't showing up in the embed, so I just attached them.

I can confirm you're not crazy, something is wrong with UPnP for me too (on 21.1.4).

I'd be happy to provide more info if I knew what would help.

Well, I think my first step is going to be figuring out if miniupnpd was upgraded and if it was, I'll revert to a previous version. If that still doesn't work, I'll revert opnsense to the last version and test. I'll report what I find tomorrow. I'm going to have to plan this out though as the wife and kids won't like being without internet. Lol

April 04, 2021, 04:59:03 PM #10 Last Edit: April 04, 2021, 05:05:48 PM by xpendable
I have UPnP set up and working fine with COD Warzone, however my setup is a bit different from yours...

Firewall/Settings/Advanced:
Reflection for port forwards = unchecked/disabled
Automatic outbound NAT for Reflection = unchecked/disabled

Firewall/NAT/Outbound:


Interface: WAN
Source: LAN net
Source Port: udp/3074
Destination: *
Destination Port: udp/3074
NAT Address: Interface address
NAT Port: *
Static Port: YES
Description: Allow Static-Port mapping for COD

uPnP:
Default Deny = checked/enabled
Use System Time = unchecked/disabled
Entry 1 = allow 1024-65535 192.168.0.0/24 1024-65535

I just used example values for this post for the UPnP Entry 1 rule; be sure to use your own subnet and the port range you want to forward.

NOTE:
I have found that COD takes a while to show up in the UPnP status for some reason, maybe up to a day or so. I know it's not my setup because other UPnP services work fine without any delay or issues. I have found this is the only port needed in the NAT Outbound rules for Warzone (this also worked during the Cold War trial) running from my PC. The network status went from Strict to Moderate and then, after a day or so (as noted above), it shows as Open once the entry appears in the UPnP status page.

Do you have the latest updates installed for everything?

I had some time to play around with this some more... from a Mac, using the free/open-source "Port Map" app, the Mac creates a port mapping successfully.

But, by default, the Mac app is using NAT-PMP and not UPnP.

When I disable NAT-PMP in OPNsense's daemon, the mac app wants to fall back to UPnP, but it's not working. It sits at "searching" forever and things are not happy. I'm not seeing anything revealing popping up in the log on opnsense though...
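To exercise the NAT-PMP path ZPrime describes without the Port Map app, here is an added example (not from this thread, the Port Map app or miniupnpd). It encodes the RFC 6886 external-address and map requests and decodes the replies on UDP 5351, the port miniupnpd logs as listening on; comparing this against a UPnP SOAP probe separates the two protocol paths of the daemon. The gateway address and the sample replies (public IP 203.0.113.5, a TCP 80 -> 8080 mapping with a 7200 s lifetime, and a refused mapping) are constructed, not captured.

```python
"""NAT-PMP (RFC 6886) client pieces (added example; samples are constructed)."""
import socket
import struct

NATPMP_PORT = 5351                       # RFC 6886 server port
OPCODE = {"UDP": 1, "TCP": 2}            # request opcodes; replies are opcode + 128
RESULT = {0: "Success", 1: "Unsupported Version", 2: "Not Authorized/Refused",
          3: "Network Failure", 4: "Out of resources", 5: "Unsupported opcode"}


def external_address_request():
    """Opcode 0: ask the gateway for its public IPv4 address (version 0, opcode 0)."""
    return struct.pack("!BB", 0, 0)


def map_request(proto, internal_port, external_port, lifetime):
    """Opcode 1 (UDP) / 2 (TCP) map request.

    lifetime 0 together with external_port 0 deletes the mapping for internal_port.
    """
    return struct.pack("!BBHHHI", 0, OPCODE[proto], 0, internal_port, external_port, lifetime)


def parse_external_address_response(data):
    """Decode the 12-byte reply to external_address_request()."""
    version, opcode, result, epoch, a, b, c, d = struct.unpack("!BBHIBBBB", data[:12])
    if version != 0 or opcode != 128:
        raise ValueError(f"not a NAT-PMP external-address reply: version {version}, opcode {opcode}")
    return {"result": result, "result_text": RESULT.get(result, "?"),
            "epoch": epoch, "external_ip": f"{a}.{b}.{c}.{d}"}


def parse_map_response(data):
    """Decode the 16-byte reply to map_request(); the gateway may assign a different external port."""
    version, opcode, result, epoch, int_port, ext_port, lifetime = struct.unpack("!BBHIHHI", data[:16])
    if version != 0 or opcode not in (129, 130):
        raise ValueError(f"not a NAT-PMP map reply: version {version}, opcode {opcode}")
    return {"proto": "UDP" if opcode == 129 else "TCP", "result": result,
            "result_text": RESULT.get(result, "?"), "epoch": epoch,
            "internal_port": int_port, "external_port": ext_port, "lifetime": lifetime}


def natpmp_exchange(gateway_ip, request, timeout=2.0):
    """Send one request over UDP and return the raw reply (network call; not used by the samples)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (gateway_ip, NATPMP_PORT))
        data, _ = s.recvfrom(64)
    return data


# Constructed sample replies (not captured from OPNsense or any real gateway).
SAMPLE_ADDR_OK = b"\x00\x80\x00\x00\x00\x01\xe2\x40" + bytes([203, 0, 113, 5])
# TCP: internal 80 mapped to external 8080 for 7200 s, epoch 123456
SAMPLE_MAP_OK = b"\x00\x82\x00\x00\x00\x01\xe2\x40\x00\x50\x1f\x90\x00\x00\x1c\x20"
# Same request refused (result 2), e.g. by the daemon's ACL
SAMPLE_MAP_REFUSED = b"\x00\x82\x00\x02\x00\x01\xe2\x40\x00\x50\x00\x00\x00\x00\x00\x00"

if __name__ == "__main__":
    print(parse_external_address_response(SAMPLE_ADDR_OK))
    print(map_request("TCP", 80, 8080, 7200).hex())
    print(parse_map_response(SAMPLE_MAP_OK))
    print(parse_map_response(SAMPLE_MAP_REFUSED))
    # Live run (assumed gateway address): 
    # print(parse_map_response(natpmp_exchange("192.168.1.1", map_request("TCP", 80, 8080, 7200))))
```

A live run replaces the sample constants with `natpmp_exchange(gateway, request)`. A result code of 2 is the gateway refusing the mapping (for example an ACL deny), while no reply at all within the timeout means the request never reached a listening daemon, which is a different failure from the UPnP/SSDP discovery hang described above.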

So I think I've come to the conclusion that, for me, it's Call of Duty that isn't working right, plus I think there might be a bug in the GUI UPnP status.

The app I am using to test with will also display current port forwards and I have not been using it to check for them.. I've just been using the status page.

If I create a forward without a description, it does not display in the list. According to the specs, a description isn't required. But without a description it doesn't show in the GUI status list. I've been creating them without one this whole time and seeing them not show up. Also, when testing these forwards, I haven't been closing the browser window or clearing states. I think FreshTomato must be doing that behind the scenes without telling you it is.

Anyway. My test is by running nginx on my local PC (same one that runs Warzone/Cold War) with its default web page. I create a forward using UPnP for external port 8080 and internal port 80 to my local PC. Then on my phone, I turn off Wifi, and go to http://myexternalip:8080 and see if the page comes up. Without the forward, it doesn't come up. I then close that tab, clear all the states, then create the forward. I then go to that address on my phone and the page shows up immediately. Close the tab, remove the forward using the utility, clear all states, and open a tab and go to that address and it times out.

I've tried that both with a description and without, and it works. Now, this was before reading about NAT-PMP. So mine is on right now. I will test again with that turned off, but for now, it does look like this is working on my config (without changing any settings like xpendable has). I will most likely try his settings as well.

The other thing I was going to do is mirror my PC's port to another port on my switch and run Wireshark so I could capture the exact settings CoD is using, but I'm having an issue with my laptop being plugged into that switch... So now I'm kind of wondering if I'm having a switch issue as well. My Protectli box has 2 more optional ports that I can bridge to LAN, so I may do that and plug my individual switches into those to test as well. However, with it working on my simple test with nginx, I have to believe that this is actually working, but something CoD is doing is slightly different and the real problem that needs to be discovered.

Hi thecodemonk, I am running OPNsense 21.1.4 updated via the GUI with no patches or any manual installs.

I hope you get it all figured out, as long as you get it running with your setup is all that matters ;)