Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    UPNP disabled, but something was using it - Unpossible, right?

    Scheduled Pinned Locked Moved General pfSense Questions
    2 Posts 2 Posters 467 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P Offline
      pffffSensing-N00b-3485901
      last edited by

      I have a pfSense box acting as a router for my home network.  It has 2x Intel gigabit cards, one for LAN, the other for WAN, going to a cable modem.  PfSense sends all traffic out through an OpenVPN link to a commercial VPN provider.  This has been working for 4 - 6 months with no problem.  In fact, I didn't even reboot the machine in that whole time.

      Yesterday I started seeing a weird phenomenon.  The VPN would go down, and no Internet traffic would go out, save for a torrent client, Deluge.  The client was enabled for UPNP and NAT-PMP.  After restarting the VPN service a few times, i started looking into things.  Eventually figured out that it was able to keep going through UPNP or NAT-PMP, so I turned them both off.  next time there was a failure, the torrent client failed completely, like it should have.

      Today, I haven't been running any torrents, but the VPN daemon even crashed so hard I had to reboot the box.  I decided to turn UPNP and NAT-PMP off on the pfsense box, but lo and behold, it was already off.

      I don't understand how something could use UPNP if it was turned off.  Even if the modem could use it, wouldn't pfsense block the traffic, for at least 2 reasons (UPNP is LAN only, and when things failed, there was no reason/way for pfsense to relay packets to the modem), right?

      1 Reply Last reply Reply Quote 0
      • W Offline
        W4RH34D
        last edited by

        sounds like pwnage - someone prolly got logins to your box

        do you use a remote log server to see if there's any suspicious activity?  If they have your logins then local logs will be useless unless they were sloppy.

        Did you really check your cables?

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.