@bmeeks Thank you so much. I did send you the full log separately. Please let me know if I can get you anything else. And you needn’t do any more. I’m more than happy with what I’ve learned. Cheers!

@stephenw10 said in CGNAT UPnP Issue Advice:

Yeah set an override or enable the STUN external IP detection.

UPnP can still work in that situation if the upstream router is forwarding traffic. So if you set the pfSense as the DMZ IP in your ISP router for example.

Steve

For this scenario, where UPnP isn't actually used for anything towards external servers/devices, STUN might work as a way to remove the errors.

It might also work for e.g. a gaming scenario, at least if the mobile router has a public IP, (I'll make sure to test that). But in this case the mobile router is behind CG-NAT, so it might not work for gaming.

What I don't understand though, is why does miniupnp give this error and refuses to do it's job if the WAN IP is from the private IP range?
If the upstream router places pfsense in DMZ, it should still work!

I have tested this and it does actually work fine if you can "fool it"...

My failover goes over LTE and the mobile router has a public IP but doesn't do bridging. It does however have DMZ and most importantly, it allows me to set any IP on the LAN interface. If I set it to a public IP, UPnP on pfsense works perfectly fine, giving me Open NAT on all the games I throw at it, double NAT and all. Other routers, like Ubiquiti edgerouter, also work, but they do it even if WAN has a private IP...

The problem that you run into when doing it this way, is that it breaks the Dynamic DNS setup, since it will now take the fake WAN IP and not use the "Check IP Service".

I see three simple things that we need here.

Provide an override selection to prevent miniupnp to check for private IP on the WAN interface. Introduce Gateway Group into the External Interface selection for UPnP, so it can follow the default gateway in a failover scenario, or allow multi select not only for Internal interfaces. Not really a necessity if 1 & 2 are in place but still a good idea to have the option to force "Check IP service" regardless of the WAN IP.

@stephenw10 the one in the picture above

@orcape Wie gesagt, wenn wäre es ein Problem auf der Client Side, also bei OpenWRT. Den Server interessiert es nicht.
Edit: Gerade mal getestet gegen WG für Android. In der Fritte neu verbunden, dann gewartet bis die entsprechenden E-Mail-Benachrichtungen dazu bei mir eingingen. Davor auf dem Smartphone WiFi aus und WG Client gestartet. Ergebnis, auch nach dem IP-Wechsel und DDNS nach Hause steht die Verbindung.
Was bei mir aber nicht wirklich funktioniert ist der IPv6-Wechsel, damit hat die Sense so ihre Probleme. WG und DDNS laufen bei mir aber über IPv4.

@bmeeks

Yeah, got catch! I checked PfBlocker and the cron job starts at the top of the hour (see screenshot below). I probably should change that to on the half hour 00:30 so they don't collide. I'll try that and report back :)

screenshot4.jpg

@rcoleman-netgate I'm supposed to be patient when I'm troubleshooting? 🤣 thanks for letting me know.

Welche Version ist im Einsatz, hier kam ja vor kurzem jemand mit einer 2.3 oder 2.4 an.

Es gab Probleme in bestimmten Versionen mit der Log Komprimierung, die sollte man abschalten.

Ein CLI Terminal kopiert das markierte automatisch, kenne das nicht anderes.
Ansonsten einfach printable output in ein Log schreiben.

Was die Hardware angeht, ja würde mal Zeit für was neueres, gibt ja auch die IPU Reihe, wenn du dem Hersteller treu bleiben willst.
Da geht es auch eher um aktuelle Features wie AES usw. Das gibts bei deiner CPU von 2011 noch alles nicht.
Wie schnell ist das Inet und gibt es des PPPoE bei dir?

@steveits is Wi-Fi and Ethernet connected at the same time I wonder.

@rcoleman-netgate working now, thanks 👍

@flobernd I just did a test but not with pfSense and it was normal, so no problem on CFs side.

@jimp thanks a lot, this is exactly my case. Cheers!

@fireodo said in barnyard2:

@bmeeks said in barnyard2:

I will make myself a reminder to remove that line in the next package update.

OK. Have a fine Day and thanks,
fireodo

Thank you for reporting the deprecated code!

@cloudless-smart-home Funny little project :-)

It’s always usefull to learn about tech by testing various ideas like that. However, the security gains by disabling the service are not really there as it will be available in large parts of the day. Also: it will cost slightly more battery on your phone because it wakes the wifi every minute when you are home.

I think your next project should be pfBlockerNG and retrieving the AS number of your cell service provider. That way you can create a rule so only IP’s belonging to your provider is able to reach the OpenVPN server. That will have a MUCH more relevant impact on security than turning it on and off.

grazie x la risposta e per l'ottimismo. ancora qualche dettaglio poi non vi assillo piu'

a) se compro una sk video su usb , e la collego all'usb dell'apparato, secondo voi vedo l'immagine a monitor?

b) in alternativa , come collego un monitor all'apparato? l'ho svitato ed aperto, ma nessun negoziante ha saputo collegarmi un monitor

ancora grazie

@michmoor exactly... To be honest, that is DO - in what scenario would they ever need to be inbound to you?

Block all of their ASNs

NetRange: 165.22.0.0 - 165.22.255.255 CIDR: 165.22.0.0/16 NetName: DIGITALOCEAN-165-22-0-0

pfblocker makes it easy to look up ASNs and put them into a alias and then block that completely from your services you don't want them to be able to talk to.. DO while is a big cloud provider - why would you have need of inbound traffic from them? They are not known for being to particular on how they allow their services to be used.

@pfsjap Seeing this aswell but it's marked as "next stable version". So I think it's the public RC.

@boarlol Screenshot_1.png