UPnP between LAN and Wireguard Interface...Fails
-
I have read every post related to Wireguard, pfsense, igmpproxy, udpbroadcast, Avahi, pimd, UPnP, SSDP, and IGMP everywhere I can find. I think that there is a bug in how the Wireguard interface is handled, but I have not been able to pin down exactly what the problem is. I have several devices on my LAN that have mobile apps that require SSDP/IGMP to use. I have created a separate subnet on another physical NIC on a Supermicro, added a wifi access point to it, connected phone to that and everything works perfectly. But I have been completely unable to successfully connect to these devices via the Wireguard (or OpenVPN) tunnel. I greatly appreciate any insight you all have to provide. Here is what I think is the relevant info, but please let me know what I'm leaving out:
System:
FreeBSD [removed].arpa 14.0-CURRENT FreeBSD 14.0-CURRENT #1 plus-RELENG_23_05_1-n256108-459fc493a87: Wed Jun 28 04:26:04 UTC 2023 root@freebsd:/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/obj/amd64/f2Em2w3l/var/jenkins/workspace/pfSense-Plus-snapshots-23_05_1-main/sources/FreeBSD-src-plus-RELENG_23_05_1/amd64.amd64/sys/pfSense amd64
Interfaces:
LAN (where target devices reside): 10.0.0.1/24
OPT1 - tun_wg0 (wireguard): 10.200.0.1/24
Firewall: Opened between LAN and OPT1 for all IPV4, options enabled, including on each interface and floating rules
igmpproxy:
Gets errors when applying the settings in the GUI regardless of the problem, although the service looks like it is successfully started and running. Shows lots of member reporting originating from 10.200.0.1 and 10.0.0.0/24 and various devices on the LAN ("igmpproxy[38793] RECV V3 member report from 10.0.0.191 to 224.0.0.22") but errors sending broadcast messages from the WG interface: "igmpproxy[38793] sendto to 224.0.0.1 on 10.200.0.1; Errno(93): Capabilities insufficient". SSDP/IGMP discovery of devices on LAN does not work.
Avahi:
Seems to be working, but if it is required is not the only thing necessary.
pimd:
Lots of "Capabilities insufficient" messages, similar to igmpproxy (can provide more details)
The problem seems to be related to the fact that the IGMP proxy cannot send multicast messages from the 10.200.0.0/24 network; connecting directly to any 10.0.0.0/24 IP from Wireguard works fine. "Capabilities insufficient" is a BSD syscall error - "93 ENOTCAPABLE Capabilities insufficient. An operation on a capability file descriptor requires greater privilege than the capability allows." (FreeBSD man page). I noticed that Wireguard works fine without an interface assigned to it, however you are unable to select an interface with igmpproxy/pimd unless you have done that. In the firewall rules settings it lists both "Wireguard" and the OPT1 interface that you have associated with tun_wg0 - why are both of these present and which is the correct one to set the rules on? Is this something specific to Wireguard/OpenVPN, as the problem seems to occur with both?
Thanks again if you read this far, I feel like I must be missing something obvious but I cannot figure out what it is.
-
@rpm5099 have you also selected that interface inside of mini UPnP?
WLAN is selected on mine for example, you must also open port 1900 for whatever needs UPnP
Check what ports are required -
Hey, thanks for replying. Yes I have tried both of those things you suggested. I noticed this in the system routing logs:
2023-09-19 00:50:01.509563-04:00 miniupnpd 69708 SSDP packet sender 10.200.0.40:41899 (if_index=10) not from a LAN, ignoring //(this seems like a problem - phone is 10.200.0.40 here, and its packet is being ignored)
2023-09-19 00:48:42.339875-04:00 miniupnpd 69708 ioctl(dev, DIOCGETRULES, ...): Invalid argument //(LOTS of these)
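As an added example (not from any poster in this thread), the script below parses the two failure lines quoted above, the igmpproxy sendto Errno(93) and the miniupnpd "not from a LAN, ignoring" line, and maps the addresses in them back to the pfSense interfaces, which shows that both failures land on the tun_wg0 subnet. The sample log lines are constructed to match the quoted formats and the 10.0.0.0/24 and 10.200.0.0/24 addressing is assumed from the thread.

```python
import ipaddress
import re

# Constructed sample lines modelled on the two log formats quoted in the
# thread (igmpproxy and miniupnpd); they are not taken from any poster's system.
SAMPLE_LOG = """\
igmpproxy[38793] RECV V3 member report from 10.0.0.191 to 224.0.0.22
igmpproxy[38793] sendto to 224.0.0.1 on 10.200.0.1; Errno(93): Capabilities insufficient
miniupnpd 69708 SSDP packet sender 10.200.0.40:41899 (if_index=10) not from a LAN, ignoring
miniupnpd 69708 ioctl(dev, DIOCGETRULES, ...): Invalid argument
"""

# Assumed addressing, as described in the thread: LAN is 10.0.0.0/24 and the
# WireGuard interface tun_wg0 is 10.200.0.0/24.
SUBNETS = {
    "LAN": ipaddress.ip_network("10.0.0.0/24"),
    "tun_wg0": ipaddress.ip_network("10.200.0.0/24"),
}

# igmpproxy: a multicast send that failed, with the source address and errno.
SENDTO_FAIL = re.compile(r"sendto to (\S+) on (\S+); Errno\((\d+)\)")
# miniupnpd: an SSDP sender it dropped because the address is outside its LAN list.
SSDP_IGNORED = re.compile(r"SSDP packet sender (\d+(?:\.\d+){3}):\d+ .*not from a LAN")

def interface_of(addr):
    """Map an address to the pfSense interface whose subnet contains it (None if none)."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in SUBNETS.items() if ip in net), None)

def triage(log_text):
    """Return one finding per failure line, tagged with the interface involved."""
    findings = []
    for line in log_text.splitlines():
        m = SENDTO_FAIL.search(line)
        if m:
            group, src, errno = m.groups()
            findings.append({"kind": "multicast_send_failed", "group": group,
                             "errno": int(errno), "interface": interface_of(src)})
            continue
        m = SSDP_IGNORED.search(line)
        if m:
            findings.append({"kind": "ssdp_sender_not_in_lan_list", "sender": m.group(1),
                             "interface": interface_of(m.group(1))})
    return findings

def affected_interfaces(findings):
    """Interfaces named by any failure; a single name points at one misconfigured interface."""
    return sorted({f["interface"] for f in findings if f["interface"]})
```

Run `triage(SAMPLE_LOG)` and `affected_interfaces(...)` on a copy of your own routing log to see which interface the multicast sends and the ignored SSDP senders belong to.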