Will we ever get upnp to work behind private network IP?
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
@gblenn the proof is directly next to it, the port test from grc.
Really weird stuff...
And game just sits there... Turning off STUN obviously gives me this
And...
But GRC is still reporting stealth?! In fact it does that regardless of what I do...
-
@gblenn Port-tests usually work only for TCP, so in your case, this is expected.
-
@gblenn So you got open? Can it be any better?
I did some quick (and dirty) test by enabling Teredo in the first router (Fritzbox).
I then got a "strict" NAT type by the xbox networking test in Windows.
I then disabled Teredo in the fritzbox and now it shows me "blocked" again.
But in both cases UPnP wasn't used according to pfSense. So whatever they are doing, I don't get it.
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
@gblenn So you got open? Can it be any better?
No no, that was when I turn OFF STUN and rely on regular port forwarding... Tests #1 and 2 above... But as I said, still stealth from GRC, and that is true also if I change the port forwarding to TCP/UDP. But I suppose nothing is listening to UDP on that port...
I did some quick (and dirty) test by enabling Teredo in the first router (Fritzbox).
I then got a "strict" NAT type by the xbox networking test in Windows.
I then disabled Teredo in the fritzbox and now it shows me "blocked" again.
But in both cases UPnP wasn't used according to pfSense. So whatever they are doing, I don't get it.
I don't use IPv6 so Teredo shouldn't be relevant?? And I have not tested on an Xbox, never even used one... GRC simply needed a name for the port I guess - sounds better than the underlying application which is Activision Blizzard's Demonware. There are a ton of games using that port, but often there are other ports used as well.
The whole point is that UPnP works perfectly fine IF I change the WAN IP to a fake public IP. Then all games get Open NAT, just like it does on my main WAN where I have fiber and a public IP on the WAN interface. I can even have STUN enabled for UPnP, as long as the WAN IP is a public one.
Can you change from that 172-IP to a fake public one to see what you get in your Xbox testing?
One thing to note... I do kill all states related to the PC I'm testing on, and do release/renew between any changes made...
-
@gblenn said in Will we ever get upnp to work behind private network IP?:
Can you change from that 172-IP to a fake public one to see what you get in your Xbox testing?
That is an option in Windows, has nothing to do with a real xbox. I did some more testing and now I am always blocked. So I say, forget this one (xbox in Windows).
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
@gblenn said in Will we ever get upnp to work behind private network IP?:
Can you change from that 172-IP to a fake public one to see what you get in your Xbox testing?
That is an option in Windows, has nothing to do with a real xbox. I did some more testing and now I am always blocked. So I say, forget this one (xbox in Windows).
Ok, any games you can test? Call of Duty series from MW2 (2009) and onward basically all use these ports. Quickest one to test with is MW2 or 3. No menu to check for connectivity, simply clicking play will reveal Strict, Moderate or Open NAT, or error as above.
-
As a way to simplify things, here is a much more straightforward test and comparison between the two main scenarios:
Scenario 1.
Upstream router gives pfsense a Private IP in DMZ on WAN.
UPnP settings in pfsense GUI under Services > UPnP & NAT-PMP: Enable, Allow UPnP Port mapping, Allow NAT-PMP Port mapping, External interface WAN, Internal interface LAN, and I activate STUN (using google server) or Override WAN address using the actual Public IP.
Result: in pfsense Status / UPnP & NAT-PMP rules list, the requested port no 3074 UDP is listed together with correct internal IP.
WAN udp any 3074 192.168.1.91 3074 DemonwarePortMapping
None of the games are able to connect at all = worse than Strict NAT
Scenario 2.
Upstream router gives pfsense a fake public IP in DMZ on WAN.
All other settings as in scenario 1: Enable, Allow UPnP Port mapping, Allow NAT-PMP Port mapping, External interface WAN, Internal interface LAN.
However, I do not have to use STUN in order to inform UPnP about the correct external IP. I can use either STUN (google server) OR Override WAN address using the actual Public IP, but doing so makes no difference to the result in this scenario.
Result: in pfsense Status / UPnP & NAT-PMP rules list, the requested port no 3074 UDP is listed together with correct internal IP.
WAN udp any 3074 192.168.1.91 3074 DemonwarePortMapping
All games report Open NAT
-
@gblenn So could it be a problem of your first router then?
I did a packet capture to check if UDP comes through to my LAN and it does. Still the torrent client was used on my part to initiate the UPnP portforwarding.
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
@gblenn So could it be a problem of your first router then?
I did a packet capture to check if UDP comes through to my LAN and it does. Still the torrent client was used on my part to initiate the UPnP portforwarding.
Why would you think it is my upstream router? Isn't it clear that things work perfectly fine as long as it is not a Private IP. I have done tests in the past using another LTE router which I recently swapped between my sites... Also, replacing pfsense with anything like a DDWRT router, Ubiquiti Edgerouter or Netgear with stock fw will work perfectly fine using UPnP.
I find that it is ONLY miniupnp in combination with a private IP that simply does not work...
It should be an easy fix as well, just add a selector where the user can force it to accept a private IP.
I don't think torrenting is a good check, as it will work without any ports being open at all... Are you seeing traffic coming through the specific port listed by UPnP in the Status page?
You need to test with games... Do you have anything from the CoD series?
BTW, is there a config file for miniupnp that I can go in and edit, and where do I find it?
-
@gblenn said in Will we ever get upnp to work behind private network IP?:
You need to test with games... Do you have anything from the CoD series?
It is working with a private IP fine here with my torrent client, that is a fact and has already been proven by me. So there must be something different if your game is doing it, than if my torrent client is doing it.
I play COD WZII but that doesn't need any open port or tell you about NAT-status.
-
@bob-dig Here's my result in trying to start WZ2.0 when STUN is activated.
And it actually does report NAT type, although this error means there is no "NAT" at all to report about.
When in the game Lobby, click Settings > Account and Network and scroll down to Network Info. You will get a screen showing a summary page where it will say Nat type: Open, Moderate or Strict.
I got NAT type Open when testing just now and only forwarding port 3074 in the firewall (no UPnP active at all).
If you get a different result there clearly must be something different in our setups?!
First of all, when making any changes I make sure the game is NOT started. Then go to Diagnostics, States, filter on my PC IP and clear all! Then I do ipconfig /reload and /renew from the PC before starting up the game again.
How can I be sure that UPnP actually has the right external IP using STUN? Alternatively, is it 100% certain that if I enter my public IP in the Override WAN address field, UPnP is definitely using that?
Oh, and like I said, Torrenting is very different. And you don't need UPnP or any ports forwarding for that to work...
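Added example (not part of the original thread, and not pfSense or miniupnpd code): one way to answer the question above about which external address a STUN server actually reports is to send a Binding Request yourself and decode the XOR-MAPPED-ADDRESS attribute (RFC 5389), then compare it with the WAN address. The sample response bytes, the documentation-range addresses and the function names are constructed for illustration.

```python
import ipaddress, os, socket, struct

MAGIC = 0x2112A442                      # STUN magic cookie (RFC 5389)
NATTED = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
# Constructed sample: Binding Success carrying 203.0.113.7:3074 (documentation range)
SAMPLE_TXID = bytes(range(12))
SAMPLE_RESPONSE = bytes.fromhex(
    "0101000c2112a442" "000102030405060708090a0b" "0020000800012d10ea12d545")

def parse_binding_response(data: bytes, txid: bytes):
    """Return (ip, port) from the IPv4 XOR-MAPPED-ADDRESS attribute."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie = struct.unpack("!HHI", data[:8])
    if mtype != 0x0101 or cookie != MAGIC or data[8:20] != txid:
        raise ValueError("not the Binding Success response for this request")
    pos, end = 20, min(len(data), 20 + mlen)
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if atype == 0x0020 and len(value) >= 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC
            return str(ipaddress.IPv4Address(addr)), port
        pos += 4 + alen + (-alen % 4)   # attributes are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")

def query_stun(host: str, port: int, timeout: float = 3.0):
    """Send one Binding Request over UDP and return the mapped (ip, port)."""
    txid = os.urandom(12)
    request = struct.pack("!HHI", 0x0001, 0, MAGIC) + txid
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        return parse_binding_response(s.recvfrom(2048)[0], txid)

def classify_wan(wan_ip: str, stun_ip: str) -> str:
    """Compare the firewall's WAN address with what the STUN server saw."""
    wan = ipaddress.ip_address(wan_ip)
    if wan_ip == stun_ip:
        return "WAN address is the real public address"
    if any(wan in net for net in NATTED):
        return "private WAN address behind an upstream NAT"
    return "public-looking WAN address that an upstream NAT rewrites"

if __name__ == "__main__":
    print(parse_binding_response(SAMPLE_RESPONSE, SAMPLE_TXID))
```

For a live check, `query_stun("stun.l.google.com", 19302)` from a host behind the WAN in question returns the address the internet sees; the port it returns is the mapping for that query socket, not for the UPnP-mapped port 3074.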
-
This is what it looks like in WZ 2.0 if I don't have any port forward or UPnP active at all.
But I can still connect to servers and play. Normally this would also mean that I can only play with friends who have Open NAT. In WZ you hook up in teams anyway so I'm not sure what this would actually mean in that case.
BUT, if you were to try to set up a Private match in MWII (which WZ is based on), you would however run into trouble having Strict NAT. Only those with Open NAT could connect to you if you were hosting, and anyone with Moderate or Strict NAT will be left out.
The issue here though is that when UPnP is enabled with STUN, I can't connect at all, as the picture in the previous post. This happens in the first startup phase before updating stats and getting all your player info from the servers.
-
@gblenn Sry, I only play DMZ and I don't have to deal with NAT there. I am not even sure what the actual name of that title is. But it is fun.
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
@gblenn Sry, I only play DMZ and I don't have to deal with NAT there. I am not even sure what the actual name of that title is. But it is fun.
It sure is..
Question... What is your setup exactly, wrt port forward and use of UPnP?
In Firewall > NAT? Inbound and Outbound?
Services > UPnP & NAT-PMP?
And would you mind checking in DMZ (cogwheel up right) under Account and Network and scroll down to Network info. What does it say?
-
@gblenn said in Will we ever get upnp to work behind private network IP?:
And would you mind checking in DMZ (cogwheel up right) under Account and Network and scroll down to Network info. What does it say?
It says: "Strict". But it has never bothered me.
-
@gblenn I changed my outbound NAT to use static ports, now it says "Moderate". Still it doesn't do any port forwarding via UPnP according to pfSense.
Also it says relay connected. Most probably the first time too.
-
@bob-dig Strict is ok as long as you are not playing private matches with friends. And then it can still be ok if they have Open NAT...
Sounds like you are seeing the same thing as me then...
Try adding a port forward of 3074 and see if you can get Open NAT.
Do you have STUN active in UPnP??
-
@gblenn said in Will we ever get upnp to work behind private network IP?:
Try adding a port forward of 3074 and see if you can get Open NAT.
Do you have STUN active in UPnP??
Yes and yes.
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
@gblenn said in Will we ever get upnp to work behind private network IP?:
Try adding a port forward of 3074 and see if you can get Open NAT.
Do you have STUN active in UPnP??
Yes and yes.
Ok so this is interesting, you now have Open NAT from manually forwarding port 3074.
But you have UPnP enabled, with STUN. What settings do you have in UPnP?
Any ACLs?? And what server are you using for STUN?
-
@gblenn I already had posted my settings here.