Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    [solved] UPnP behind double NAT is not working, even with a STUN-Server

    Scheduled Pinned Locked Moved Gaming
    16 Posts 3 Posters 5.4k Views 3 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • Bob.DigB Offline
      Bob.Dig LAYER 8
      last edited by Bob.Dig

      What is not working is UPnP behind another router, although pfSense is the exposed host of this router. Tried with the now pinned patch also.

      CaptureXL.png

      1 Reply Last reply Reply Quote 0
      • viktor_gV Offline
        viktor_g Netgate
        last edited by viktor_g

        This is correct
        See "behind the restrictive NAT"
        "port forwarding is now impossible"

        Bob.DigB 1 Reply Last reply Reply Quote 1
        • Bob.DigB Offline
          Bob.Dig LAYER 8 @viktor_g
          last edited by Bob.Dig

          @viktor_g said in UPnP behind double NAT is not working, even with a STUN-Server:

          See "behind the restrictive NAT"
          "port forwarding is now impossible"

          But that is not true, it is not restricted, it is exposed.
          I have regular open ports on pfSense working without any problem.

          I created a redmine issue: https://redmine.pfsense.org/issues/12797

          1 Reply Last reply Reply Quote 0
          • jimpJ Offline
            jimp Rebel Alliance Developer Netgate
            last edited by

            1. Make sure you have the patch applied from the latest sticky post about UPnP. It's required even on 22.01 and 2.6.0.
            2. This is likely the same problem from another existing thread:
              https://forum.netgate.com/topic/169773/miniupnp-full-cone-double-natincorrectly-adding-rules

            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            Bob.DigB 1 Reply Last reply Reply Quote 1
            • Bob.DigB Offline
              Bob.Dig LAYER 8 @jimp
              last edited by

              @jimp For me, with STUN it looks like it is not working at all. When I use the "Override WAN address", even with the IP 6.6.6.6 it is doing something and the rules in UPnP Status are shown.

              Capture2.png

              1 Reply Last reply Reply Quote 0
              • jimpJ Offline
                jimp Rebel Alliance Developer Netgate
                last edited by

                When you have that client active, see what shows up in the rules. Run this:

                pfSsh.php playback pfanchordrill
                

                And post what shows up in the miniupnpd anchor. You can mask the external address if it's identifiable and not a dummy address.

                And also confirm that you've patched in the required fix I mentioned.

                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                Need help fast? Netgate Global Support!

                Do not Chat/PM for help!

                Bob.DigB 1 Reply Last reply Reply Quote 1
                • Bob.DigB Offline
                  Bob.Dig LAYER 8 @jimp
                  last edited by Bob.Dig

                  @jimp I auto-applied the patch and had pfSense restarted but the patch is doing nothing for my double-NAT problem it seems.

                  Your command is only showing something when there is also something to see in "UPnP & NAT-PMP Rules" in the Web-UI.

                  And this is only the case when I am using the WAN override. Not using the override or using the STUN-Server, there is nothing.

                  ipsec rules/nat contents:
                  
                  miniupnpd rules/nat contents:
                  nat log quick on hn0 inet proto udp from 192.168.1.10 port = 19503 to any keep state label "Tixati" rtable 0 -> 6.6.6.6 port 19503
                  rdr pass log quick on hn0 inet proto tcp from any to any port = 19503 keep state label "Tixati" rtable 0 -> 192.168.1.10 port 19503
                  rdr pass log quick on hn0 inet proto udp from any to any port = 19503 keep state label "Tixati" rtable 0 -> 192.168.1.10 port 19503
                  
                  natearly rules/nat contents:
                  
                  natrules rules/nat contents:
                  
                  openvpn rules/nat contents:
                  
                  tftp-proxy rules/nat contents:
                  
                  userrules rules/nat contents:
                  

                  Just to let you know, tixati is a filesharing program for windows. Just install it, it will do UPnP out of the box, nothing to configure, super easy.

                  1 Reply Last reply Reply Quote 0
                  • jimpJ Offline
                    jimp Rebel Alliance Developer Netgate
                    last edited by

                    I use deluge for testing like that, it's similarly easy to trigger. But I'm not behind double NAT on my edge, and I don't have a STUN setup currently. If it isn't adding the NAT rules it must not be getting a proper result from the STUN server. In the other case I linked I believe it was was getting a STUN server response and making rules just using the wrong address on the outside.

                    When you force the external address it makes sense that it's using it directly since the use case for that is different (e.g. you have an IP alias VIP or CARP VIP on WAN and want to NAT the UPnP stuff out that).

                    If there is some deeper issue with STUN inside UPnP that's a much different problem.

                    Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

                    Bob.DigB 1 Reply Last reply Reply Quote 1
                    • Bob.DigB Offline
                      Bob.Dig LAYER 8 @jimp
                      last edited by

                      @jimp In the first screenshot there you can see my public wan address, so I guess the STUN is working.

                      jimpJ 1 Reply Last reply Reply Quote 0
                      • jimpJ Offline
                        jimp Rebel Alliance Developer Netgate @Bob.Dig
                        last edited by

                        @bob-dig said in UPnP behind double NAT is not working, even with a STUN-Server:

                        @jimp In the first screenshot there you can see my public wan address, so I guess the STUN is working.

                        But it said you were behind restrictive NAT and port forwarding wasn't possible. So it may have worked to detect your IP address but it did not detect your NAT properly. I'd still consider that an issue in STUN. The STUN code in miniupnpd is capable of detecting if you are behind restrictive NAT, symmetric NAT, 1:1, etc. It's also possible the STUN server you are using isn't responding as expected to all the probes.

                        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                        Need help fast? Netgate Global Support!

                        Do not Chat/PM for help!

                        Bob.DigB 1 Reply Last reply Reply Quote 1
                        • Bob.DigB Offline
                          Bob.Dig LAYER 8 @jimp
                          last edited by

                          @jimp I went back for now, because of a real problem described here.
                          I used the STUN Server from sipgate, didn't checked any other.

                          1 Reply Last reply Reply Quote 0
                          • jimpJ Offline
                            jimp Rebel Alliance Developer Netgate
                            last edited by

                            FYI, I setup a test with a 1:1 NAT and STUN and it worked fine for me here for inbound connections. If I disable STUN, the client cannot open UPnP ports and a port test fails. If I enable STUN, it works.

                            That said, outbound connections aren't right as it's trying to NAT to the IP address it discovered via STUN and not the actual WAN, but as I mentioned someone else is already looking into that.

                            When it works properly there is no log message about STUN or the external IP address, so there must be some filtering happening upstream from you. I also received a similar error to the one you saw until I made sure I was behind 1:1 NAT with all incoming traffic passed through to the internal firewall.

                            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                            Need help fast? Netgate Global Support!

                            Do not Chat/PM for help!

                            Bob.DigB 1 Reply Last reply Reply Quote 1
                            • Bob.DigB Offline
                              Bob.Dig LAYER 8 @jimp
                              last edited by Bob.Dig

                              @jimp said in UPnP behind double NAT is not working, even with a STUN-Server:

                              so there must be some filtering happening upstream from you.

                              I wouldn't know any, but as I have general problems described elsewhere, it is not the best test situation in the first place, at least for now.

                              1 Reply Last reply Reply Quote 0
                              • jimpJ Offline
                                jimp Rebel Alliance Developer Netgate
                                last edited by

                                Sure, but as there is at least one other person having an issue with UPnP+STUN and outbound NAT I figured it was worth mentioning what I found.

                                Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                Need help fast? Netgate Global Support!

                                Do not Chat/PM for help!

                                1 Reply Last reply Reply Quote 1
                                • Bob.DigB Offline
                                  Bob.Dig LAYER 8
                                  last edited by Bob.Dig

                                  @jimp @viktor_g I now tested it with the google STUN Server and it is working for me. With the two other ones it is not. I consider this as solved from my point of view, because some of the other stuff mentioned here is telling me nothing.
                                  I guess the redmine Issue https://redmine.pfsense.org/issues/12797 could be closed too.

                                  jimpJ 1 Reply Last reply Reply Quote 0
                                  • jimpJ Offline
                                    jimp Rebel Alliance Developer Netgate @Bob.Dig
                                    last edited by

                                    @bob-dig said in [solved] UPnP behind double NAT is not working, even with a STUN-Server:

                                    @jimp @viktor_g I now tested it with the google STUN Server and it is working for me.

                                    Great! That's the same one I used when testing and it worked well here.

                                    I guess the redmine Issue https://redmine.pfsense.org/issues/12797 could be closed too.

                                    The problem I mentioned on the Redmine issue is still a legitimate issue that is being worked on. It affects new outbound connections (like for game clients) and not inbound connections like those for torrent/download clients.

                                    Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

                                    Need help fast? Netgate Global Support!

                                    Do not Chat/PM for help!

                                    1 Reply Last reply Reply Quote 1
                                    • First post
                                      Last post
                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.