CGNAT UPnP Issue Advice
-
I have four internal interfaces, but I only have the internal interface for my home automation devices enabled for UPnP. I did, however, select the WAN as the external interface because it is. Can I just select the VPN as external instead? I have no port forwards enabled right now anyhow. So nothing is open from outside.
-
Or override WAN address option?
-
@gblenn It's cellular, so I don't think a public IP is possible.
Depends on the carrier I suppose... Where I live at least, all carriers will provide a public IP on wireless broadband if you ask for it (LTE or 5G router).
@stephenw10 What is the actual reason miniupnp can not use a private IP on the WAN?
-
@wormuths
I cannot think of any sense running UPnP with a private WAN address as well. But if you really need it for whatever reason, maybe pfSense stops complaining if you assign a public IP as a virtual IP alias to the WAN.
Just try any public IP, which you never need to access.
-
Yeah set an override or enable the STUN external IP detection.
UPnP can still work in that situation if the upstream router is forwarding traffic. So if you set the pfSense as the DMZ IP in your ISP router for example.
Steve
-
Okay, progress...
What I decided to do was add an IP override in the UPnP setup screen, and I used the IP address reported by my Dynamic DNS service. I have a DynDNS setup to update my IP, but as of yet, I'm not using it for anything...
So maybe a good solution is to always point that override to the address reported by Dynamic DNS?
Is there a way to create an IP Alias which is a reflection of the Dynamic DNS IP? That would at least keep my IP somewhat accurate externally, no? Is that making sense, or am I off the rails a bit?
Thanks for all the help....
Steven
-
Using the STUN setup is supposed to detect the external IP and use that. Does that not work for you?
-
@stephenw10 Let me look into that...
-
@stephenw10 said in CGNAT UPnP Issue Advice:
Yeah set an override or enable the STUN external IP detection.
UPnP can still work in that situation if the upstream router is forwarding traffic. So if you set the pfSense as the DMZ IP in your ISP router for example.
Steve
For this scenario, where UPnP isn't actually used for anything towards external servers/devices, STUN might work as a way to remove the errors.
It might also work for e.g. a gaming scenario, at least if the mobile router has a public IP, (I'll make sure to test that for my own use). But in this case the mobile router is behind CG-NAT, so it might not work for gaming.
What I don't understand though, is why does miniupnp give this error and refuse to do its job if the WAN IP is from the private IP range?
If the upstream router places pfsense in DMZ, it should still work! I have tested this and it does actually work fine if you can "fool it"...
My failover goes over LTE and the mobile router has a public IP but doesn't do bridging. It does however have DMZ and most importantly, it allows me to set any IP on the LAN interface. If I set it to a public IP, UPnP on pfsense works perfectly fine, giving me Open NAT on all the games I throw at it, double NAT and all. Other routers, like Ubiquiti edgerouter, also work, but they do it even if WAN has a private IP...
The problem that you run into when doing it this way, is that it breaks the Dynamic DNS setup, since it will now take the fake WAN IP and not use the "Check IP Service".
I see three simple things that we need here.
- Provide an override selection to prevent miniupnp from checking for a private IP on the WAN interface.
- Introduce Gateway Group into the External Interface selection for UPnP, so it can follow the default gateway in a failover scenario, or allow multi select not only for Internal interfaces.
- Not really a necessity if 1 & 2 are in place but still a good idea to have the option to force "Check IP service" regardless of the WAN IP.
-
Part of what UPnP does is return the external IP to internal hosts that request it. If it doesn't have a valid external IP it can't do that. And if it returned the private IP a lot of services using it would fail.
But it was an upstream design decision. See: https://redmine.pfsense.org/issues/10398
Steve
-
That was much easier. LOL
I set up the STUN section, and it seems to work fine. I deleted the IP override, and the errors are gone. Thanks!
-
@stephenw10 said in CGNAT UPnP Issue Advice:
Part of what UPnP does is return the external IP to internal hosts that request it. If it doesn't have a valid external IP it can't do that. And if it returned the private IP a lot of services using it would fail.
But it was an upstream design decision. See: https://redmine.pfsense.org/issues/10398
Steve
I'm thinking UPnP is mostly used in home environments, and the largest use case by far, is gaming.
A setup with an upstream router (ISP provided or not) does in fact work for gaming with other solutions also involving UPnP, like Ubiquiti and most or all consumer wifi-routers etc.
As I mentioned, it works fine with pfsense as well, IF the upstream router hands out an IP which pfsense recognizes as something from a public IP range.
Why then can it not simply accept whatever IP is given, as an override alternative? The "old fashioned way" with Hybrid mode (static IP) and port forward of the required ports works fine of course... I did some testing with my public IP as an override WAN. Not sure I did it the right way though, just put the IP directly in the field, no alias etc. But games like MW2 (2009) and MW3 can't even log in to Infinity Ward servers, don't even get Strict NAT.
The UPnP status page shows me the requested ports though, (like 28960 or 3074). I also tested with STUN but all I get is STUN: ext interface vtnet0 with IP address 192.168.3.15 is now behind restrictive NAT with public IP address NN.NN.NNN.NN: Port forwarding is now impossible
That is quite an assumption isn't it, considering that it's a DMZ and clearly works also for pfsense...
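Added example (not code from this thread, from pfSense or from miniupnpd): a small Python model of the two behaviours the thread keeps circling, the reserved-range check that makes the daemon refuse a private or CGNAT WAN address unless an override or STUN supplies a public one, and a parser for the STUN status line quoted in the last post. It assumes the reserved ranges from RFC 1918, RFC 6598 and RFC 3927 rather than miniupnpd's own table, assumes the word "impossible" in the verdict marks a NAT where inbound mappings cannot be created, and uses a constructed TEST-NET-3 address in place of the redacted public IP.

```python
import ipaddress
import re

# Ranges that cannot serve as a UPnP external address, built from the RFCs
# named here (assumption: not copied from miniupnpd's own reserved table).
RESERVED_RANGES = {
    "private (RFC 1918)": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "cgnat (RFC 6598)": ["100.64.0.0/10"],
    "link-local (RFC 3927)": ["169.254.0.0/16"],
    "loopback": ["127.0.0.0/8"],
}

def classify_wan_ip(addr: str) -> str:
    """Return 'public' or the label of the reserved range addr falls in."""
    ip = ipaddress.ip_address(addr)
    for label, nets in RESERVED_RANGES.items():
        if any(ip in ipaddress.ip_network(n) for n in nets):
            return label
    return "public"

def external_ip_for_upnp(wan_ip, override=None, stun_public_ip=None):
    """Address the daemon can announce to LAN clients, or None to refuse.
    Precedence as in the thread: manual override, then STUN result, then the
    WAN address itself, each accepted only if it is public."""
    for candidate in (override, stun_public_ip, wan_ip):
        if candidate and classify_wan_ip(candidate) == "public":
            return candidate
    return None

STUN_LINE = re.compile(
    r"STUN: ext interface (?P<ifname>\S+) with IP address (?P<wan_ip>\S+) "
    r"is now behind (?P<nat_type>.+?) NAT with public IP address "
    r"(?P<public_ip>[^:]+): (?P<verdict>.*)"
)

def parse_stun_line(line: str):
    """Parse the STUN status line miniupnpd logs; None if line is not one."""
    m = STUN_LINE.search(line)
    if not m:
        return None
    info = m.groupdict()
    # Assumption: the verdict says 'impossible' when the upstream NAT is
    # endpoint-dependent, so inbound mappings cannot be created (the CGNAT case).
    info["port_forwarding_possible"] = "impossible" not in info["verdict"].lower()
    return info

# Constructed sample: the thread's line with a TEST-NET-3 address as the public IP.
SAMPLE_STUN_LINE = ("STUN: ext interface vtnet0 with IP address 192.168.3.15 is now "
                    "behind restrictive NAT with public IP address 203.0.113.45: "
                    "Port forwarding is now impossible")
```

Run `external_ip_for_upnp("192.168.3.15")` to see the refusal the thread complains about, and pass `stun_public_ip=` or `override=` to see which address the daemon would announce instead.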