Do UPnP rules not expire?

Witchboard

@stephenw10 Thank you. So looks like it will be resolved in 2.8.0. I appreciate it.

JonathanLee

When we use the Xbox they disappear after it’s done with the games. The states don’t close?

Wolf666

@stephenw10
Hi, I am still having this issue on pfSense Plus 24.11, see my old post:
https://forum.netgate.com/topic/181043/status-upnp-nat-pmp-persistent-rules

stephenw10

Testing....

Bob.Dig

@stephenw10 Here it does work fine, no PS5 though.

stephenw10

Yup working OK here too. Sessions are removed when they expire. Tested using 1hr.

Dec 18 12:14:27 	miniupnpd 	86687 	remove port mapping 5554 TCP because it has expired
Dec 18 12:14:37 	miniupnpd 	86687 	remove port mapping 5553 TCP because it has expired
Dec 18 12:15:24 	miniupnpd 	86687 	remove port mapping 5552 TCP because it has expired 

Perhaps it's adding very long sessions?

Wolf666

@stephenw10
Yes, normally very long sessions, it is a PS5.
I need to test some additional things. I think the problem could be because it is put in rest mode and not completly off when I finished the play sessions.
I will report back this weekend, I will shut down the PS5 and see if the state remains on or not.

Wolf666

@stephenw10
Just asked my daughter yesterday to shut down the PS5 completely, states remains up, this is today:

Here the log:

Seems it failed to remove the state.
I will try with other console we have at home, PS4 and Nintendos to see more.
Where can I set the port expiration value?

stephenw10

The session time is set by the host requesting it be opened.

You can query the state of existing redirections using a upnp client like:

steve@steve-NUC9i9QNX:~$ upnpc -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://172.21.16.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://172.21.16.1:2189/ctl/IPConn
Local LAN ip address : 172.21.16.8
Connection Type : IP_Routed
Status : Connected, uptime=1115353s, LastConnectionError : ERROR_NONE
  Time started : Mon Dec  9 00:31:38 2024
MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 1000000000 bps (1000.0 Mbps)
ExternalIPAddress = 45.89.45.8
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8889->172.21.16.8:8889  'Test1' '' 3478
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)

Where the one test forward I set has 3478s left before it expires.

Do you actually see the upnp anchors still present of have they in fact already been removed by something else which is why it shows the error?

[24.11-RELEASE][admin@fw1.stevew.lan]/root: pfctl -aminiupnpd -sn
rdr pass quick on mvneta2 inet proto tcp from any to any port = 8889 keep state label "Test1" rtable 0 -> 172.21.16.8 port 8889

Wolf666

@stephenw10 said in Do UPnP rules not expire?:
Tried from my Windows PC, started PS5 and then put in OFF:

PS C:\upnpc> .\upnpc-static -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.10:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.10:2189/ctl/IPConn
Local LAN ip address : 192.168.1.81
Connection Type : IP_Routed
Status : Connected, uptime=1815291s, LastConnectionError : ERROR_NONE
  Time started : Sun Dec  1 10:25:43 2024
MaxBitRateDown : 64000 bps (64 Kbps)   MaxBitRateUp 64000 bps (64 Kbps)
ExternalIPAddress = 82.84.92.142
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  9308->192.168.1.50:9308  '192.168.1.50:9308 to 9308 (UDP)' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
PS C:\upnpc>

On pfSense Status/UPnP IGD & PCP I see the states on.

[24.11-RELEASE][admin@pfSense.home.arpa]/root: pfctl -aminiupnpd -sn
nat log quick on pppoe0 inet proto udp from 192.168.1.50 port = 9308 to any keep state label "192.168.1.50:9308 to 9308 (UDP)" rtable 0 -> 82.84.92.142 port 9308
rdr pass log quick on pppoe0 inet proto udp from any to any port = 9308 keep state label "192.168.1.50:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.50 port 9308
[24.11-RELEASE][admin@pfSense.home.arpa]/root:

Please note that Game Consoles have static port ON in the outbound rules.

Wolf666

@stephenw10
Tested after I removed manually the states:

PS C:\upnpc> .\upnpc-static -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.10:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.10:2189/ctl/IPConn
Local LAN ip address : 192.168.1.81
Connection Type : IP_Routed
Status : Connected, uptime=1815912s, LastConnectionError : ERROR_NONE
  Time started : Sun Dec  1 10:25:44 2024
MaxBitRateDown : 64000 bps (64 Kbps)   MaxBitRateUp 64000 bps (64 Kbps)
ExternalIPAddress = 82.84.92.142
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
PS C:\upnpc>

NO states shown in pfSense status

[24.11-RELEASE][admin@pfSense.home.arpa]/root:  pfctl -aminiupnpd -sn
[24.11-RELEASE][admin@pfSense.home.arpa]/root:

stephenw10

@Wolf666 said in Do UPnP rules not expire?:

Tested after I removed manually the states:

Like you just deleted the firewall states in Diag > States?

Wolf666

@stephenw10
No, I just manually cleared the mapped ports from UPnP status page. I used wrong wording.

stephenw10

Hmm, it's odd that it doesn't show a session time for the port forward. Does it ever show a time? If you check just after it's been opened?

Does the error in the log appear after, say, 1 hr?

Wolf666

@stephenw10
Just clear all mapped ports while PS% was on, started to play Destiny:

PS C:\upnpc> ./upnpc-static -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.10:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.10:2189/ctl/IPConn
Local LAN ip address : 192.168.1.81
Connection Type : IP_Routed
Status : Connected, uptime=76s, LastConnectionError : ERROR_NONE
  Time started : Mon Dec 23 18:09:32 2024
MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 300000000 bps (300.0 Mbps)
ExternalIPAddress = 82.84.92.142
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  3074->192.168.1.50:3074  'DemonwarePortMapping' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
PS C:\upnpc>

Now I will close the game, switch off the PS5 and see what's going to happen in 1 hour.

stephenw10

Still shows 0 leasetime though. I'm not sure how it determines when to 'expire' it.

Wolf666

@stephenw10
In fact the mapped port 3074 is still there.
There is only 1 state active not related to upnp:

WAN	tcp	82.84.92.142:65206 (192.168.1.50:65206) -> 34.214.130.96:443	ESTABLISHED:ESTABLISHED	714 / 364	50 KiB / 32 KiB

I am not an IT expert and I really don’t have any further idea on this.

stephenw10

Do you still see the error in the upnp logs showing it failing to remove the forward though?

It looks like the forward is being opened without a leasetime and I'm unsure what should happen in that situation. I can create a similar lease manually by defining 0s specifically:

steve@steve-NUC9i9QNX:~$ upnpc -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://172.21.16.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://172.21.16.1:2189/ctl/IPConn
Local LAN ip address : 172.21.16.8
Connection Type : IP_Routed
Status : Connected, uptime=1291945s, LastConnectionError : ERROR_NONE
  Time started : Mon Dec  9 00:31:38 2024
MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 1000000000 bps (1000.0 Mbps)
ExternalIPAddress = 45.89.45.8
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  8889->172.21.16.8:8889  'Test2' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)

I'll see what happens.

stephenw10

Also by omitting a lease time value.

I wonder if it should add a default and is not....

stephenw10

Mmm, this thread seems pretty revealing: https://miniupnp.tuxfamily.org/forum/viewtopic.php?p=5727#5727

Seems like the behaviour you're seeing is expected is the client opens forward with no lease time.