SG-3100 upgrade to 24.03 seems to have broken UPnP
-
@fred7911 said in SG-3100 upgrade to 24.03 seems to have broken UPnP:
xinetd 41470 readjusting service 19001-udp
xinetd 41470 readjusting service 19001-tcp
Those are almost certainly because you have NAT reflection enabled in NAT+Proxy mode? Probably not required but also not a problem.
When UPnP is working as expected what status do you see? A large number of open ports to each host? Range of ports?
-
Yes I'm also using an "Override WAN address" setting in my "UPnP & NAT-PMP Settings" for this specific subnet (the only one with UPnP enabled)
Usually each inside server opens 8-10 ports (at least) on WAN to be able to communicate. Sometimes in range, sometimes not, it actually depends on the need...
-
Hmm, failing to replicate that. I can open multiple ports to an internal host on a 3100:
-
Could it be related to the upgrade somehow? That's why I posted here initially, because it was immediately after the final reboot for the upgrade to 24.03.
-
That could be a clue: https://github.com/miniupnp/miniupnp/issues/715
I checked and the "ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists" message was not present in logs with 23.09
-
Yup looks like that. Interesting that bug is shown against FreeBSD 14 though. So perhaps this is unrelated to the pfSense upgrade; 23.09.1 was built on 14.
-
For information, I rolled back the Netgate 3100 to version 23.09.1 and everything is working smoothly, without changing anything on the servers using UPnP.
It could be interesting to have further testing, and maybe see if it could be related to a specific setting (as you could make it work). The main one I could imagine is the "Override WAN address" in the UPnP config.
-
I had to use 'Override WAN address' because my 3100 here does not have a public IP on the WAN. miniUPnP will not add forwards from a private IP address. Which is inconvenient!
-
The only thing I noticed with the latest upgrade is that UPnP is not closing any open ports on its own anymore.
-
Hmm, like at all?
They should have a lifetime set when created, like 1h default.
Edit: Doesn't seem to be expiring though....
-