Having some UPnP issues.

Started by thecodemonk, April 02, 2021, 05:29:23 PM

Quote from: thecodemonk on April 05, 2021, 05:10:13 PM
So I think I've come to the conclusion for me that it's Call of Duty that isn't working right, plus I think there might be a bug in the gui UPNP status.

The app I am using to test with will also display current port forwards and I have not been using it to check for them.. I've just been using the status page.
Curious, what app are you using to create the forwards (presumably on Windows)? I have a Win VM and a work laptop running Windows that I can break out to try a different app.

Quote
If I create a forward without a description, it does not display in the list. According to the specs, a description isn't required. But without a description it doesn't show in the GUI status list. I've been creating them without this whole time and seeing them not show up. Also, when testing these forwards, I haven't been closing the browser window or clearing states. I think FreshTomato must be doing that behind the scenes without telling you it is.
How is FreshTomato part of the scenario here, I thought you were running OPNsense?
You shouldn't need to clear states in the router to make a new port forward work.

Quote
Anyway. My test is by running nginx on my local PC (same one that runs Warzone/Cold War) with its default web page. I create a forward using upnp for external port 8080 and internal port 80 to my local PC. Then on my phone, I turn off Wifi, and go to http://myexternalip:8080 and see if the page comes up. Without the forward, it doesn't come up. I then close that tab, clear all the states, then create the forward. I then go to that address on my phone and the page shows up immediately. Close the tab, remove the forward using the utility, clear all states, and open a tab and go to that address and it times out.
Yeah, so this proves that you are able to get a port to forward... if the opnsense GUI isn't showing that port mapping, that definitely seems like a bug.

Quote
I've tried that both with a description and without, and it works. Now, this was before reading about nat-pmp. So mine is on right now. I will test again with that turned off, but for now, it does look like this is working on my config (without changing any settings like xpendable has. I will most likely try his settings as well).
I don't know what utility you are using to create the mappings from your PC, but NAT-PMP is originally an Apple thing, so unless your utility explicitly has NAT-PMP support in it, it probably is just using UPnP.

I'm having problems with an XBox One X that is failing to get a port mapping via UPnP (and it has worked in the past with OPNsense), so there's definitely something wrong.  I have the same problem as you - wife will be upset if I break the internet to downgrade the router unless she's asleep, so I have to work around that. I'm also not exactly sure how to rollback OPNsense to an older release... Do I need to make a config backup and then fully reinstall from an older ISO?

FreshTomato isn't in the picture. I was just referencing when I used it before I never had to clear states to get things like that to work, but I did need to in opnsense IF I had previously tried to connect just to verify it wasn't working before creating the port forward. I agree that it was weird and I shouldn't have to do that, but I've come to the conclusion that something was seriously weird and cached for me. I'll explain in a minute.

The app I was using is just called upnptest. https://www.majorgeeks.com/files/details/universal_plug_and_play_tester_(upnptest).html

You can tell that app was written by someone who clearly was having upnp issues and wanted just a quick and dirty way to figure out what was up. You may need to look up the UPNP specs to make sure you are filling in all the right values. If you need help, I can walk you through how to use it.

So this is a kind of long story, but the tl;dr version is mine is now working fine...

Last night I was going to set my laptop up on a mirrored port on my managed switch and I was going to mirror the port my unmanaged switch is plugged into. That unmanaged switch is where my PC and PS4 are connected. I also plug my laptop into that unmanaged switch as it's my work laptop and that's what I work from all day. I plug my laptop into the managed switch and I cannot get it to work, at all. I can't get DHCP and I even tried a static mapping and it was a no go. I was in a bit of a panic as I really needed to work today. I knew I could fall back to wifi, but I was seriously concerned. I tried different ports on the switch, and nothing. So now I'm thinking my laptop ethernet port is just dead now.

So I tried rebooting it multiple times, even booting up linux because I know dang well it could just be windows being a jerk. Still nothing. Since it was almost midnight, I decided to just throw in the towel for the night. I put the laptop back on the desk, connected ethernet from the managed switch and it all starts working again. What. The. Crap.

So I decided that something was seriously messed up and this new managed switch must have an arp caching issue or something that's causing an issue here. So before I headed up to bed, I decided to just power everything off and let it all reboot. I turn it all off, and a minute later have to deal with the wife texting me "we have no internet again". I go to bed, and check the status of everything from my phone and it's good. Everything is back up and running.

Fast forward to this afternoon, I hear my son laughing and telling my daughter to watch out for the skeletons. So I go see what they are doing, and they are playing multiplayer minecraft. That's odd. I didn't think it would work with upnp not working right... Check the status page, and there's a line for minecraft. What. The. Crap. I flip over to my desktop and turn on warzone. As it's loading shaders, refresh the status page, and lo and behold it's listed. Go to the account page in settings, and it's nat open.... Open CoD Cold War, it's also nat type open.

Just to make sure it wasn't a fluke, I played quite a few rounds tonight with zero issues.

I have no idea what the real problem was. I'm certainly glad it's working now, but I would have really liked to know what was causing it not to work. With my laptop issue though, I'm really suspicious of this managed switch. I think I'm going to turn off netgear's insight cloud BS and go back to just individually managing everything. I know for sure the local management had tools to at least view the arp cache, the cloud stuff has nothing. I would have liked to have cleared it last night when testing. Especially since when I was first setting all this up, I connected my PC to the managed switch a few times to test things out.

Anyway. I guess we can try to work through your problems and see if we can get yours working now.

If you wanted to revert, there are tools to revert packages and the OS. I would make a backup of the config first just in case you do need to reinstall from ISO if something goes wrong. https://docs.opnsense.org/manual/opnsense_tools.html

Hi all,

I have a LOT of experience with this.  Are both the OPNSense box & the other device on the same switch?  Are they on the same vlan?  Can they ping each other directly without going through a router?

If so the following advice should fix it.

Option 1> IGMP Snooping on

If you are using a switch with IGMP snooping and BOTH (client) devices (& opnsense) are connected to it, then do the following:

* Leave IGMP snooping on.
* Make the switch an IGMP querier (I'm assuming this is a home setup & you don't have a rendezvous point or other layer 3 device that is an IGMP querier).  If you aren't sure how to make it an IGMP Querier, post here and I may be able to help.
* Do a STATIC JOIN on your switch for the Opnsense box "lan" port and join it to 239.255.255.250.  If you aren't sure how to do a static join, post here & I can assist.

Again: If there is a "layer 3" device between the opnsense box & the upnp clients, you will need to enable PIM (if you can) or use an IGMP proxy or it won't work.

The problem with the UPNP service on OpnSense (not opnsense specific issue, it's upstream) is that it expects to work on a "dumb" switch that floods multicast.  The upnp daemon never sends an IGMP Join to the switch (which, with IGMP snooping on, it expects).  Since the join is never received by the switch,  it never sends the <client>->239.255.255.250 traffic to the opnsense port.  That is why the static join is needed -- to force sending the client upnp requests to the opnsense box.

Option 2>  Turn IGMP Snooping off, so all multicast is flooded:

Another option is to turn igmp snooping off & make sure the clients & opnsense box are in the same vlan on the same switch. 

Quote from: 5SpeedFun on April 06, 2021, 05:44:56 PM
The problem with the UPNP service on OpnSense (not opnsense specific issue, it's upstream) is that it expects to work on a "dumb" switch that floods multicast.  The upnp daemon never sends an IGMP Join to the switch (which, with IGMP snooping on, it expects).  Since the join is never received by the switch,  it never sends the <client>->239.255.255.250 traffic to the opnsense port.  That is why the static join is needed -- to force sending the client upnp requests to the opnsense box.

Option 2>  Turn IGMP Snooping off, so all multicast is flooded:

Another option is to turn igmp snooping off & make sure the clients & opnsense box are in the same vlan on the same switch. 

I believe that ultimately this may have been my issue. My PC was on a dumb switch that is connected to the managed switch and then the opnsense box is connected to the managed switch as well. I had gone into netgear's insight (Their managed cloud service for everything) and turned off IGMP snooping a few days ago in testing. It said it saved it, but I had to return to that page and do it 3 more times before it finally said that it was off. With the potential ARP caching issue and IGMP snooping not potentially being off, the final reboot I did of everything, including that switch, may have turned snooping off and cleared the cache so that things actually started working.

I am definitely going to can this Netgear Insight crap and go back to locally managing it. It's a pain and I get less aggregated data about the connected clients, but for home I will live with it. Using all this was a test of their "business" class gear anyway to see if we would like it over the Unifi stuff we have at the office now. It's a resounding no from me. For home, it's fine. But I won't be using this cloud stuff at the office and managing a half dozen of these individually would be a colossal pain.

April 08, 2021, 06:58:21 AM #19 Last Edit: April 08, 2021, 08:11:24 AM by ZPrime
Quote from: 5SpeedFun on April 06, 2021, 05:44:56 PM
Hi all,

I have a LOT of experience with this.  Are both the OPNSense box & the other device on the same switch?  Are they on the same vlan?  Can they ping each other directly without going through a router?
Well, yes, sort-of. :)

All of my devices are on a single VLAN. I have a Ubiquiti EdgeSwitch 24-PoE as my "core", and in two locations I have Ubiquiti Unifi switches (an 8 port and a 16 port PoE). I have IGMP snooping disabled on the EdgeSwitch, and have not enabled it in the Unifi controller in the "Network" section, so everything should be getting multicast flood. All systems that would normally be using UPnP are hardwired.

I did just realize that I had some level of IGMP filtering happening on my Unifi APs ("Multicast Enhancement" was enabled on the wireless network), which would partially explain why some of my testing was failing (laptop is on wifi)... but it doesn't explain why the Xbox wasn't working (which is hardwired).

However, there is one other piece in the game I often forget about... I have a "SamKnows" bandwidth testing box on my LAN at home. It's basically a small linux box that sits behind my opnsense box and it just bridges all traffic through it, and then runs internet speed tests when it detects enough of an "idle window" in the traffic flow. It's supposed to be a transparent bridge, although I've discovered that it filters 802.1q (i.e. it chokes on vlan tagging). Multicast had been working fine in the past though (UPnP has not been a problem before.)

I wouldn't be entirely surprised if something changed and it started filtering multicast though.  That said, after fixing the filtering on the wifi, I now can use the Windows UPnP test app that thecodemonk mentioned, and I'm getting responses from opnsense. So it doesn't seem like multicast is entirely blocked, at least. More testing needed to see if it will allow me to actually map a port though...

Win10 (in a VMware VM, using bridged networking on my Mac) with this UPnPTest app can map a port. 

The Mac itself cannot map a port or even get a response from opnsense via UPnP (although NAT-PMP works). I even pulled down the "upnpc" client (which is part of the miniupnpd project, same thing used on opnsense) with homebrew, and it isn't even getting an answer from opnsense... which makes me wonder if Apple is doing something with multicast on recent versions of MacOS. I don't really care much about the Mac though, the xboxes are what need to work.

I need to give an xbox another try and see if it magically starts working now... I definitely have IGMP snooping disabled on the Unifi switch it is uplinked to, so it should be getting flooded, but it's probably worth verifying that with wireshark because Unifi gear is known to often do things you don't expect.

I know this thread is over a month old now, but I found a solution and wanted to report it. :)

I believe my problem stemmed from the fact that I'm using Multi-WAN, which then requires rules on the LAN side to set a gateway group for the outgoing traffic.

I have a rule above my GW Group rule that is just a generic "allow to firewall LAN IP"... but that overlooks multicast.

Had to add this rule, prior to my GW group selection rule:
source network: <LAN net>
destination host: 239.255.255.250  [multicast IP used for UPnP discovery]
Protocol: UDP
Port: 1900

This got UPnP functional again, at least with the handy Mac app "Port Map". I haven't tried an Xbox yet, but I suspect it will be OK too.
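
The discovery traffic the posts above keep circling back to (the IGMP static join / snooping advice and the LAN rule for 239.255.255.250 UDP 1900) is SSDP. As an added example that is not from the thread, this builds the M-SEARCH datagram a UPnP client multicasts to that group and parses the unicast reply a router such as miniupnpd on OPNsense sends back; the sample reply, its address 192.168.50.1 and its SERVER string are constructed, not captured.

```python
# Added example: SSDP M-SEARCH (client -> 239.255.255.250:1900, multicast) and the
# HTTPU 200 OK reply (router -> client, unicast). The LAN rule in the post above
# only needs to pass the first of these; the reply is a normal unicast datagram.
import socket

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
IGD_TARGET = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

def build_msearch(search_target: str = IGD_TARGET, mx: int = 2) -> bytes:
    """Compose an SSDP M-SEARCH request (CRLF line endings, blank line terminator)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {search_target}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")

def parse_ssdp_response(datagram: bytes) -> dict:
    """Parse an 'HTTP/1.1 200 OK' SSDP reply into a dict keyed by lower-cased header name."""
    text = datagram.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status line: {status!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def discover(timeout: float = 3.0, ttl: int = 2) -> list:
    """Send one M-SEARCH and collect replies (needs a live LAN; not exercised offline)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
    found = []
    try:
        while True:
            data, (addr, _) = sock.recvfrom(65535)
            found.append((addr, parse_ssdp_response(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

# Constructed sample reply in the shape miniupnpd returns; address, uuid and SERVER are made up.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"SERVER: FreeBSD/13 UPnP/1.1 MiniUPnPd/2.2\r\n"
    b"LOCATION: http://192.168.50.1:2189/rootDesc.xml\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print(discover())
```

No reply from the router's LAN address within the MX window is the symptom the thread describes; a reply with a LOCATION header means discovery is reaching the daemon and any remaining failure is in the mapping request, not in multicast delivery.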

Quote from: ZPrime on May 25, 2021, 05:39:30 AM
I know this thread is over a month old now, but I found a solution and wanted to report it. :)

I believe my problem stemmed from the fact that I'm using Multi-WAN, which then requires rules on the LAN side to set a gateway group for the outgoing traffic.

I have a rule above my GW Group rule that is just a generic "allow to firewall LAN IP"... but that overlooks multicast.

Had to add this rule, prior to my GW group selection rule:
source network: <LAN net>
destination host: 239.255.255.250  [multicast IP used for UPnP discovery]
Protocol: UDP
Port: 1900

This got UPnP functional again, at least with the handy Mac app "Port Map". I haven't tried an Xbox yet, but I suspect it will be OK too.

I'll be honest I figured this would do nothing since I thought my ANY rule should cover this also. I also have multi-wan so figured I'd give it a try.  However Xbox networking now shows NAT Type: Strict and Server: Connected.  Which is better  than unable to connect as it has.  Thanks for the post.

May 26, 2021, 06:01:01 AM #22 Last Edit: May 26, 2021, 06:03:45 AM by tanks
My configuration as below.

Firewall -> NAT -> Outbound

Interface   Source   Source Port   Destination   Destination Port   NAT Address   NAT Port   Static Port   Description
WAN   192.168.50.99/32    *   *   *   Interface address   *   YES   Xbox One

Entry in uPnP
allow 88-65535 192.168.50.99/32 88-65535
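
The `allow 88-65535 192.168.50.99/32 88-65535` line above is a miniupnpd permission rule: external port range, client network, internal port range, evaluated top to bottom with the first match deciding. As an added example that is not from the thread or from the miniupnpd project, this evaluates such rules against mapping requests; the fall-through result when no rule matches is assumed here to be "accept" (verify against your miniupnpd version) and is exposed as a parameter.

```python
# Added example: evaluate miniupnpd-style allow/deny permission lines against a
# client's mapping request. First matching rule wins. default_accept models the
# fall-through when nothing matches (assumed accept; check your miniupnpd docs).
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Permission:
    allow: bool
    ext_ports: range            # inclusive external port range
    network: ipaddress.IPv4Network
    int_ports: range            # inclusive internal port range

def parse_permission(line: str) -> Permission:
    """Parse one line such as 'allow 88-65535 192.168.50.99/32 88-65535'."""
    verb, ext, net, internal = line.split()
    if verb not in ("allow", "deny"):
        raise ValueError(f"unknown verb {verb!r}")
    def port_range(spec: str) -> range:
        lo, _, hi = spec.partition("-")
        lo_i, hi_i = int(lo), int(hi or lo)
        if not 0 <= lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range {spec!r}")
        return range(lo_i, hi_i + 1)
    return Permission(verb == "allow", port_range(ext),
                      ipaddress.IPv4Network(net, strict=False), port_range(internal))

def mapping_permitted(rules, ext_port: int, client_ip: str, int_port: int,
                      default_accept: bool = True) -> bool:
    """Return whether the requested mapping is permitted by the ordered rule list."""
    addr = ipaddress.IPv4Address(client_ip)
    for rule in rules:
        if ext_port in rule.ext_ports and addr in rule.network and int_port in rule.int_ports:
            return rule.allow
    return default_accept

# The thread's single entry, and the same entry with an explicit catch-all deny appended,
# which makes the allow list exclusive regardless of the daemon's fall-through behaviour.
XBOX_ONLY = [parse_permission("allow 88-65535 192.168.50.99/32 88-65535")]
XBOX_ONLY_STRICT = XBOX_ONLY + [parse_permission("deny 0-65535 0.0.0.0/0 0-65535")]

if __name__ == "__main__":
    for rules, label in ((XBOX_ONLY, "allow only"), (XBOX_ONLY_STRICT, "allow + deny")):
        print(label, "xbox 3074:", mapping_permitted(rules, 3074, "192.168.50.99", 3074),
              "other host 8080->80:", mapping_permitted(rules, 8080, "192.168.50.50", 80))
```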

I am not even using UPnP and I have a PS4 working fine so far. I gave the PS4 a static IP and its own network for easy management and allowed a bunch of port range and some outbound ports that are static. I also use a multi wan setup. Should I even bother using UPnP if I am able to make the console work without it? When I tried to make it work it didn't work.
Intel Xeon 1225v5
Supermicro X11SSM-F
16GB DDR4 ECC UDIMM
Mellanox ConnectX-3

Quote from: DoomSalamander on May 26, 2021, 03:00:20 PM
I am not even using UPnP and I have a PS4 working fine so far. I gave the PS4 a static IP and its own network for easy management and allowed a bunch of port range and some outbound ports that are static. I also use a multi wan setup. Should I even bother using UPnP if I am able to make the console work without it? When I tried to make it work it didn't work.
Sounds like you've manually done what UPnP should do automatically.  It's up to you if you'd rather UPnP do it or you continue manually as you have.

Sent from my IN2025 using Tapatalk


Quote from: FullyBorked on May 26, 2021, 03:04:02 PM
Quote from: DoomSalamander on May 26, 2021, 03:00:20 PM
I am not even using UPnP and I have a PS4 working fine so far. I gave the PS4 a static IP and its own network for easy management and allowed a bunch of port range and some outbound ports that are static. I also use a multi wan setup. Should I even bother using UPnP if I am able to make the console work without it? When I tried to make it work it didn't work.
Sounds like you've manually done what UPnP should do automatically.  It's up to you if you'd rather UPnP do it or you continue manually as you have.

Sent from my IN2025 using Tapatalk

I have set it up for a friend that shares the internet with me and he is only using a few games. Doesn't UPnP also do automatic port forwarding which can be pretty dangerous? I am just wondering which solution is more secure.
Intel Xeon 1225v5
Supermicro X11SSM-F
16GB DDR4 ECC UDIMM
Mellanox ConnectX-3

Quote from: DoomSalamander on May 26, 2021, 03:14:33 PM
Quote from: FullyBorked on May 26, 2021, 03:04:02 PM
Quote from: DoomSalamander on May 26, 2021, 03:00:20 PM
I am not even using UPnP and I have a PS4 working fine so far. I gave the PS4 a static IP and its own network for easy management and allowed a bunch of port range and some outbound ports that are static. I also use a multi wan setup. Should I even bother using UPnP if I am able to make the console work without it? When I tried to make it work it didn't work.
Sounds like you've manually done what UPnP should do automatically.  It's up to you if you'd rather UPnP do it or you continue manually as you have.

Sent from my IN2025 using Tapatalk

I have set it up for a friend that shares the internet with me and he is only using a few games. Doesn't UPnP also do automatic port forwarding which can be pretty dangerous? I am just wondering which solution is more secure.

Yes it does automatic port forwarding.  Manually would arguably be more secure.  And placing the device on an isolated vlan as well if your primary concern is security. 

Personally I prefer just letting UPnP do its job and my stuff just "works".  I understand and accept the risks on my home network.  I host some servers in my home lab and those all live in a DMZ physically and logically separate from my LAN.  But for the random game I might want to spool up on short notice or that my wife might try and play, I don't have the time or patience to figure out all the port forwarding each time to get these devices up and going.  And I don't want to forget and leave those port forwards in place if we aren't playing that particular game any longer.  All that to say I prefer the UPnP way of life lol. 

Then I wonder why the PS4 is even working because I haven't set up a single port forward rule yet. I only have rules on the network the PS4 is and very few ports on the outgoing NAT side that are static.
Intel Xeon 1225v5
Supermicro X11SSM-F
16GB DDR4 ECC UDIMM
Mellanox ConnectX-3

Quote from: DoomSalamander on May 26, 2021, 03:25:41 PM
Then I wonder why the PS4 is even working because I haven't set up a single port forward rule yet. I only have rules on the network the PS4 is and very few ports on the outgoing NAT side that are static.

Maybe you haven't played anything yet that requires port forwards?  That would be my only thought.  Not every game requires a port forward.  Usually peer to peer games do, but dedicated server games or single player titles do not.  It's mostly rare at this point that I hit games that require it.  Warframe for example does require UPnP to function correctly since it's peer to peer. 

Quote from: FullyBorked on May 26, 2021, 03:29:29 PM
Quote from: DoomSalamander on May 26, 2021, 03:25:41 PM
Then I wonder why the PS4 is even working because I haven't set up a single port forward rule yet. I only have rules on the network the PS4 is and very few ports on the outgoing NAT side that are static.

Maybe you haven't played anything yet that requires port forwards?  That would be my only thought.  Not every game requires a port forward.  Usually peer to peer games do, but dedicated server games or single player titles do not.  It's mostly rare at  this point that I hit games that require it.  Warframe for example does require UPnP to function correctly since it's peer to peer.

I think this might be it. He only uses very few games such as COD Warzone and NBA2k20. I think he only uses like 4 games. He hasn't complained yet so I guess. Set it and forget it. Didn't bother doing UPnP since I haven't managed to make it work since then.
Intel Xeon 1225v5
Supermicro X11SSM-F
16GB DDR4 ECC UDIMM
Mellanox ConnectX-3