Netgate Discussion Forum

    Will we ever get upnp to work behind private network IP?

      Gblenn @Bob.Dig

      @bob-dig Well, I agree games may be stupid, but consistent...

      What exactly is it that you say is "working"? Could you please add some detail, what is your setup? Are you saying that you get Open NAT with UPnP behind Private IP on WAN using STUN?

        Bob.Dig LAYER 8 @Gblenn

        @gblenn No. But when I start my favorite torrent application, it will open ports. And when I close that app, the ports get closed too.
        I don't play any game at the moment that would report things like open NAT.
        And whatever "teredo" is, MS doesn't want you to block it, but the router in front of my pfSense can and is doing that. Maybe have a look there, if you have one too.

          Gblenn @Bob.Dig

          @bob-dig said in Will we ever get upnp to work behind private network IP?:

          @gblenn No. But when I start my favorite torrent application, it will open ports. And when I close that app, the ports get closed too.
          I don't play any game at the moment that would report things like open NAT.
          And whatever "teredo" is, MS doesn't want you to block it, but the router in front of my pfSense can and is doing that. Maybe have a look there, if you have one too.

          Are you using UPnP at all?? And are you behind a Private IP?

            Bob.Dig LAYER 8 @Gblenn

            @gblenn yes and yes...

              Gblenn @Bob.Dig

              @bob-dig And are you using STUN as well?

                Bob.Dig LAYER 8 @Gblenn

                @gblenn I have to.

                Here is a screenshot that shows that UPnP is working for me:

                Capture.PNG

                1 Reply Last reply Reply Quote 0
                • Bob.DigB
                  Bob.Dig LAYER 8 @Gblenn
                  last edited by

                  @gblenn And some more screenshots
                  gateway.PNG

                  Screenshot 2023-03-06 at 10-59-34 pfSense.home.arpa - Services UPnP & NAT-PMP.png

                    Gblenn @Bob.Dig

                    @bob-dig Well it looks no different than it does on my side. UPnP appears to be working, as I stated in test #3. I see the list of ports normally being requested by the games, and the games behave as they would when they get confirmation of the port being opened, but nothing goes through.

                    In the case of torrenting, port forward isn't really a necessity at all. So the fact that Tixati thinks the port is open (it only says listening and mapped) isn't proof that it's actually being used.

                      Bob.Dig LAYER 8 @Gblenn

                      @gblenn The proof is directly next to it, the port test from GRC.

                        Gblenn

                        Here's what it looks like in my case

                        Port 3074 is what MW3 is asking for and 28960/61 are used by MW2
                        [screenshot]
                        A long time after trying to start gameplay, I get this message. Other games just sit there trying to log in...

                        [screenshot]

                          Gblenn @Bob.Dig

                          @bob-dig said in Will we ever get upnp to work behind private network IP?:

                          @gblenn The proof is directly next to it, the port test from GRC.

                          Really weird stuff...

                          [screenshot]
                          [screenshot]
                          And game just sits there...

                          Turning off STUN obviously gives me this
                          [screenshot]

                          And...

                          [screenshot]

                          But GRC is still reporting stealth?! In fact it does that regardless of what I do...

                            Bob.Dig LAYER 8 @Gblenn

                            @gblenn Port-tests usually work only for TCP, so in your case, this is expected.

                              Bob.Dig LAYER 8 @Gblenn

                              @gblenn So you got open? Can it be any better?

                              I did a quick (and dirty) test by enabling Teredo in the first router (Fritzbox).
                              I then got a "strict" NAT type from the Xbox networking test in Windows.
                              I then disabled Teredo in the Fritzbox and now it shows me "blocked" again.
                              But in both cases UPnP wasn't used according to pfSense.

                              So whatever they are doing, I don't get it. 😁

                                Gblenn @Bob.Dig

                                @bob-dig said in Will we ever get upnp to work behind private network IP?:

                                @gblenn So you got open? Can it be any better?

                                No no, that was when I turn OFF STUN and rely on regular port forwarding... Tests #1 and 2 above... But as I said, still stealth from GRC, and that is true also if I change the port forwarding to TCP/UDP. But I suppose nothing is listening to UDP on that port...

                                I did a quick (and dirty) test by enabling Teredo in the first router (Fritzbox).
                                I then got a "strict" NAT type from the Xbox networking test in Windows.
                                I then disabled Teredo in the Fritzbox and now it shows me "blocked" again.
                                But in both cases UPnP wasn't used according to pfSense.

                                So whatever they are doing, I don't get it. 😁

                                I don't use IPv6 so Teredo shouldn't be relevant?? And I have not tested on an Xbox, never even used one... GRC simply needed a name for the port I guess - sounds better than the underlying application, which is Activision Blizzard's Demonware. There are a ton of games using that port, but often there are other ports used as well.

                                The whole point is that UPnP works perfectly fine IF I change the WAN IP to a fake public IP. Then all games get Open NAT, just like they do on my main WAN where I have fiber and a public IP on the WAN interface. I can even have STUN enabled for UPnP, as long as the WAN IP is a public one.

                                Can you change from that 172-IP to a fake public one to see what you get in your Xbox testing?

                                One thing to note... I do kill all states related to the PC I'm testing on, and do release/renew between any changes made...

                                  Bob.Dig LAYER 8 @Gblenn

                                  @gblenn said in Will we ever get upnp to work behind private network IP?:

                                  Can you change from that 172-IP to a fake public one to see what you get in your Xbox testing?

                                  That is an option in Windows, has nothing to do with a real Xbox. I did some more testing and now I am always blocked. So I say, forget this one (Xbox in Windows).

                                    Gblenn @Bob.Dig

                                    @bob-dig said in Will we ever get upnp to work behind private network IP?:

                                    @gblenn said in Will we ever get upnp to work behind private network IP?:

                                    Can you change from that 172-IP to a fake public one to see what you get in your Xbox testing?

                                    That is an option in Windows, has nothing to do with a real Xbox. I did some more testing and now I am always blocked. So I say, forget this one (Xbox in Windows).

                                    Ok, any games you can test? Call of Duty series from MW2 (2009) and onward basically all use these ports. Quickest one to test with is MW2 or 3. No menu to check for connectivity, simply clicking play will reveal Strict, Moderate or Open NAT, or error as above.

                                      Gblenn

                                      As a way to simplify things, here is a much more straightforward testing and comparison between the two main scenarios:

                                      Scenario 1.

                                      Upstream router gives pfSense a Private IP in DMZ on WAN.
                                      UPnP settings in the pfSense GUI under Services > UPnP & NAT-PMP: Enable, Allow UPnP Port mapping, Allow NAT-PMP Port mapping, External interface WAN, Internal interface LAN, and I activate STUN (using google server) or Override WAN address using the actual Public IP.

                                      Result: in the pfSense Status / UPnP & NAT-PMP rules list, the requested port no. 3074 UDP is listed together with the correct internal IP.
                                      WAN udp any 3074 192.168.1.91 3074 DemonwarePortMapping
                                      None of the games are able to connect at all = worse than Strict NAT

                                      Scenario 2.

                                      Upstream router gives pfSense a fake public IP in DMZ on WAN.
                                      All other settings as in scenario 1: Enable, Allow UPnP Port mapping, Allow NAT-PMP Port mapping, External interface WAN, Internal interface LAN.
                                      However, I do not have to use STUN in order to inform UPnP about the correct external IP. I can use either STUN (google server) OR Override WAN address using the actual Public IP, but doing so makes no difference to the result in this scenario.

                                      Result: in the pfSense Status / UPnP & NAT-PMP rules list, the requested port no. 3074 UDP is listed together with the correct internal IP.
                                      WAN udp any 3074 192.168.1.91 3074 DemonwarePortMapping
                                      All games report Open NAT

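The two scenarios in the post above, turned into checks. This is an added example, not part of the post and not pfSense or miniupnpd code: it parses a row as quoted from the status list, classifies the WAN address, and lists what still has to be verified before the mapping can be called working. The column meanings, the LAN prefix and the sample WAN addresses are assumptions.

```python
import ipaddress
from typing import NamedTuple
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space

class Mapping(NamedTuple):
    iface: str
    proto: str
    remote: str
    ext_port: int
    int_ip: ipaddress.IPv4Address
    int_port: int
    desc: str

def parse_rule(line: str) -> Mapping:
    """Parse one row of the status list (column meanings are assumed)."""
    f = line.split(None, 6)
    if len(f) < 6:
        raise ValueError(f"not a mapping row: {line!r}")
    ext_port, int_port = int(f[3]), int(f[5])
    if not (0 < ext_port < 65536 and 0 < int_port < 65536):
        raise ValueError(f"port out of range: {line!r}")
    return Mapping(f[0], f[1].lower(), f[2], ext_port,
                   ipaddress.IPv4Address(f[4]), int_port, f[6] if len(f) > 6 else "")

def classify_wan(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    if ip.is_global:
        return "public"
    return "cgnat" if ip in CGNAT else "private"  # neither is reachable from outside

def review(wan_ip: str, lan: str, rows: list, ext_ip_hint: bool) -> list:
    """List what still has to be verified before a mapping counts as working."""
    notes, kind, lan_net = [], classify_wan(wan_ip), ipaddress.ip_network(lan)
    for m in map(parse_rule, rows):
        tag = f"{m.proto}/{m.ext_port}"
        if m.int_ip not in lan_net:
            notes.append(f"{tag}: target {m.int_ip} is outside {lan_net}")
        if kind != "public":
            if not ext_ip_hint:
                notes.append(f"{tag}: WAN is {kind}, no STUN or override address set")
            notes.append(f"{tag}: upstream device must pass {tag} to {wan_ip}")
        if m.proto == "udp":
            notes.append(f"{tag}: TCP port tests miss UDP, confirm with a packet capture")
    return notes

# Constructed sample: the row quoted in the post, an assumed LAN, an assumed WAN.
ROWS = ["WAN udp any 3074 192.168.1.91 3074 DemonwarePortMapping"]
if __name__ == "__main__":
    print(review("172.16.0.2", "192.168.1.0/24", ROWS, ext_ip_hint=True))
```

A listed mapping only shows that the request was accepted; the notes returned here are the remaining checks, none of which the status list can answer by itself.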
                                        Bob.Dig LAYER 8 @Gblenn

                                        @gblenn So could it be a problem of your first router then?

                                        I did a packet capture to check if UDP comes through to my LAN and it does. Still the torrent client was used on my part to initiate the UPnP port forwarding.

                                          Gblenn @Bob.Dig

                                          @bob-dig said in Will we ever get upnp to work behind private network IP?:

                                          @gblenn So could it be a problem of your first router then?

                                          I did a packet capture to check if UDP comes through to my LAN and it does. Still the torrent client was used on my part to initiate the UPnP port forwarding.

                                          Why would you think it is my upstream router? Isn't it clear that things work perfectly fine as long as it is not a Private IP? I have done tests in the past using another LTE router which I recently swapped between my sites... Also, replacing pfSense with anything like a DD-WRT router, Ubiquiti EdgeRouter or Netgear with stock fw will work perfectly fine using UPnP.
                                          I find that it is ONLY miniupnp in combination with a private IP that simply does not work...
                                          It should be an easy fix as well, just add a selector where the user can force it to accept a private IP.

                                          I don't think torrenting is a good check, as it will work without any ports being open at all... Are you seeing traffic coming through the specific port listed by UPnP in the Status page?
                                          You need to test with games... Do you have anything from the CoD series?

                                          BTW, is there a config file for miniupnp that I can go in and edit, and where do I find it?

                                            Bob.Dig LAYER 8 @Gblenn

                                            @gblenn said in Will we ever get upnp to work behind private network IP?:

                                            You need to test with games... Do you have anything from the CoD series?

                                            It is working with a private IP fine here with my torrent client, that is a fact and has already been proven by me. So there must be something different if your game is doing it, than if my torrent client is doing it.

                                            I play COD WZII but that doesn't need any open port or tell you about NAT-status.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.