Do UPnP rules not expire?
-
The session time is set by the host requesting it be opened.
You can query the state of existing redirections using a upnp client like:
steve@steve-NUC9i9QNX:~$ upnpc -l upnpc : miniupnpc library test client, version 2.2.3. (c) 2005-2021 Thomas Bernard. Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/ for more information. List of UPNP devices found on the network : desc: http://172.21.16.1:2189/rootDesc.xml st: urn:schemas-upnp-org:device:InternetGatewayDevice:1 Found valid IGD : http://172.21.16.1:2189/ctl/IPConn Local LAN ip address : 172.21.16.8 Connection Type : IP_Routed Status : Connected, uptime=1115353s, LastConnectionError : ERROR_NONE Time started : Mon Dec 9 00:31:38 2024 MaxBitRateDown : 1000000000 bps (1000.0 Mbps) MaxBitRateUp 1000000000 bps (1000.0 Mbps) ExternalIPAddress = 45.89.45.8 i protocol exPort->inAddr:inPort description remoteHost leaseTime 0 TCP 8889->172.21.16.8:8889 'Test1' '' 3478 GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
Where the one test forward I set has 3478s left before it expires.
Do you actually see the upnp anchors still present of have they in fact already been removed by something else which is why it shows the error?
[24.11-RELEASE][admin@fw1.stevew.lan]/root: pfctl -aminiupnpd -sn rdr pass quick on mvneta2 inet proto tcp from any to any port = 8889 keep state label "Test1" rtable 0 -> 172.21.16.8 port 8889
-
@stephenw10 said in Do UPnP rules not expire?:
Tried from my Windows PC, started PS5 and then put in OFF:PS C:\upnpc> .\upnpc-static -l upnpc : miniupnpc library test client, version 2.2.3. (c) 2005-2022 Thomas Bernard. Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/ for more information. List of UPNP devices found on the network : desc: http://192.168.1.10:2189/rootDesc.xml st: urn:schemas-upnp-org:device:InternetGatewayDevice:1 Found valid IGD : http://192.168.1.10:2189/ctl/IPConn Local LAN ip address : 192.168.1.81 Connection Type : IP_Routed Status : Connected, uptime=1815291s, LastConnectionError : ERROR_NONE Time started : Sun Dec 1 10:25:43 2024 MaxBitRateDown : 64000 bps (64 Kbps) MaxBitRateUp 64000 bps (64 Kbps) ExternalIPAddress = 82.84.92.142 i protocol exPort->inAddr:inPort description remoteHost leaseTime 0 UDP 9308->192.168.1.50:9308 '192.168.1.50:9308 to 9308 (UDP)' '' 0 GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid) PS C:\upnpc>
On pfSense Status/UPnP IGD & PCP I see the states on.
[24.11-RELEASE][admin@pfSense.home.arpa]/root: pfctl -aminiupnpd -sn nat log quick on pppoe0 inet proto udp from 192.168.1.50 port = 9308 to any keep state label "192.168.1.50:9308 to 9308 (UDP)" rtable 0 -> 82.84.92.142 port 9308 rdr pass log quick on pppoe0 inet proto udp from any to any port = 9308 keep state label "192.168.1.50:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.50 port 9308 [24.11-RELEASE][admin@pfSense.home.arpa]/root:
Please note that Game Consoles have static port ON in the outbound rules.
-
@stephenw10
Tested after I removed manually the states:PS C:\upnpc> .\upnpc-static -l upnpc : miniupnpc library test client, version 2.2.3. (c) 2005-2022 Thomas Bernard. Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/ for more information. List of UPNP devices found on the network : desc: http://192.168.1.10:2189/rootDesc.xml st: urn:schemas-upnp-org:device:InternetGatewayDevice:1 Found valid IGD : http://192.168.1.10:2189/ctl/IPConn Local LAN ip address : 192.168.1.81 Connection Type : IP_Routed Status : Connected, uptime=1815912s, LastConnectionError : ERROR_NONE Time started : Sun Dec 1 10:25:44 2024 MaxBitRateDown : 64000 bps (64 Kbps) MaxBitRateUp 64000 bps (64 Kbps) ExternalIPAddress = 82.84.92.142 i protocol exPort->inAddr:inPort description remoteHost leaseTime GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid) PS C:\upnpc>
NO states shown in pfSense status
[24.11-RELEASE][admin@pfSense.home.arpa]/root: pfctl -aminiupnpd -sn [24.11-RELEASE][admin@pfSense.home.arpa]/root:
-
@Wolf666 said in Do UPnP rules not expire?:
Tested after I removed manually the states:
Like you just deleted the firewall states in Diag > States?
-
@stephenw10
No, I just manually cleared the mapped ports from UPnP status page. I used wrong wording. -
Hmm, it's odd that it doesn't show a session time for the port forward. Does it ever show a time? If you check just after it's been opened?
Does the error in the log appear after, say, 1 hr?
-
@stephenw10
Just clear all mapped ports while PS% was on, started to play Destiny:PS C:\upnpc> ./upnpc-static -l upnpc : miniupnpc library test client, version 2.2.3. (c) 2005-2022 Thomas Bernard. Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/ for more information. List of UPNP devices found on the network : desc: http://192.168.1.10:2189/rootDesc.xml st: urn:schemas-upnp-org:device:InternetGatewayDevice:1 Found valid IGD : http://192.168.1.10:2189/ctl/IPConn Local LAN ip address : 192.168.1.81 Connection Type : IP_Routed Status : Connected, uptime=76s, LastConnectionError : ERROR_NONE Time started : Mon Dec 23 18:09:32 2024 MaxBitRateDown : 1000000000 bps (1000.0 Mbps) MaxBitRateUp 300000000 bps (300.0 Mbps) ExternalIPAddress = 82.84.92.142 i protocol exPort->inAddr:inPort description remoteHost leaseTime 0 UDP 3074->192.168.1.50:3074 'DemonwarePortMapping' '' 0 GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid) PS C:\upnpc>
Now I will close the game, switch off the PS5 and see what's going to happen in 1 hour.
-
Still shows 0 leasetime though. I'm not sure how it determines when to 'expire' it.
-
@stephenw10
In fact the mapped port 3074 is still there.
There is only 1 state active not related to upnp:WAN tcp 82.84.92.142:65206 (192.168.1.50:65206) -> 34.214.130.96:443 ESTABLISHED:ESTABLISHED 714 / 364 50 KiB / 32 KiB
I am not an IT expert and I really don’t have any further idea on this.
-
Do you still see the error in the upnp logs showing it failing to remove the forward though?
It looks like the forward is being opened without a leasetime and I'm unsure what should happen in that situation. I can create a similar lease manually by defining 0s specifically:
steve@steve-NUC9i9QNX:~$ upnpc -l upnpc : miniupnpc library test client, version 2.2.3. (c) 2005-2021 Thomas Bernard. Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/ for more information. List of UPNP devices found on the network : desc: http://172.21.16.1:2189/rootDesc.xml st: urn:schemas-upnp-org:device:InternetGatewayDevice:1 Found valid IGD : http://172.21.16.1:2189/ctl/IPConn Local LAN ip address : 172.21.16.8 Connection Type : IP_Routed Status : Connected, uptime=1291945s, LastConnectionError : ERROR_NONE Time started : Mon Dec 9 00:31:38 2024 MaxBitRateDown : 1000000000 bps (1000.0 Mbps) MaxBitRateUp 1000000000 bps (1000.0 Mbps) ExternalIPAddress = 45.89.45.8 i protocol exPort->inAddr:inPort description remoteHost leaseTime 0 UDP 8889->172.21.16.8:8889 'Test2' '' 0 GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
I'll see what happens.
-
Also by omitting a lease time value.
I wonder if it should add a default and is not....
-
Mmm, this thread seems pretty revealing: https://miniupnp.tuxfamily.org/forum/viewtopic.php?p=5727#5727
Seems like the behaviour you're seeing is expected is the client opens forward with no lease time.
-
@stephenw10
Yes that forum thread explains the behavior. I cannot do anything except removing mapped port manually. From a security point of view the consoles have their own IP assigned so it is ok if the mapped port are there until I remove them manually. Only consoles have access to UPnP service with proper “allow” and IP, other IP are denied by default in the Service ACL.
Thanks for help and time. -
Mmm, I tried added min and max lifetime options to the conf and it made absolutely no difference I could see!