Do UPnP rules not expire?

stephenw10

The session time is set by the host requesting it be opened.

You can query the state of existing redirections using a upnp client like:

steve@steve-NUC9i9QNX:~$ upnpc -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://172.21.16.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://172.21.16.1:2189/ctl/IPConn
Local LAN ip address : 172.21.16.8
Connection Type : IP_Routed
Status : Connected, uptime=1115353s, LastConnectionError : ERROR_NONE
  Time started : Mon Dec  9 00:31:38 2024
MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 1000000000 bps (1000.0 Mbps)
ExternalIPAddress = 45.89.45.8
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8889->172.21.16.8:8889  'Test1' '' 3478
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)

Where the one test forward I set has 3478s left before it expires.

Do you actually see the upnp anchors still present of have they in fact already been removed by something else which is why it shows the error?

[24.11-RELEASE][admin@fw1.stevew.lan]/root: pfctl -aminiupnpd -sn
rdr pass quick on mvneta2 inet proto tcp from any to any port = 8889 keep state label "Test1" rtable 0 -> 172.21.16.8 port 8889

Wolf666

@stephenw10 said in Do UPnP rules not expire?:
Tried from my Windows PC, started PS5 and then put in OFF:

PS C:\upnpc> .\upnpc-static -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.10:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.10:2189/ctl/IPConn
Local LAN ip address : 192.168.1.81
Connection Type : IP_Routed
Status : Connected, uptime=1815291s, LastConnectionError : ERROR_NONE
  Time started : Sun Dec  1 10:25:43 2024
MaxBitRateDown : 64000 bps (64 Kbps)   MaxBitRateUp 64000 bps (64 Kbps)
ExternalIPAddress = 82.84.92.142
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  9308->192.168.1.50:9308  '192.168.1.50:9308 to 9308 (UDP)' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
PS C:\upnpc>

On pfSense Status/UPnP IGD & PCP I see the states on.

[24.11-RELEASE][admin@pfSense.home.arpa]/root: pfctl -aminiupnpd -sn
nat log quick on pppoe0 inet proto udp from 192.168.1.50 port = 9308 to any keep state label "192.168.1.50:9308 to 9308 (UDP)" rtable 0 -> 82.84.92.142 port 9308
rdr pass log quick on pppoe0 inet proto udp from any to any port = 9308 keep state label "192.168.1.50:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.50 port 9308
[24.11-RELEASE][admin@pfSense.home.arpa]/root:

Please note that Game Consoles have static port ON in the outbound rules.

Wolf666

@stephenw10
Tested after I removed manually the states:

PS C:\upnpc> .\upnpc-static -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.10:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.10:2189/ctl/IPConn
Local LAN ip address : 192.168.1.81
Connection Type : IP_Routed
Status : Connected, uptime=1815912s, LastConnectionError : ERROR_NONE
  Time started : Sun Dec  1 10:25:44 2024
MaxBitRateDown : 64000 bps (64 Kbps)   MaxBitRateUp 64000 bps (64 Kbps)
ExternalIPAddress = 82.84.92.142
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
PS C:\upnpc>

NO states shown in pfSense status

[24.11-RELEASE][admin@pfSense.home.arpa]/root:  pfctl -aminiupnpd -sn
[24.11-RELEASE][admin@pfSense.home.arpa]/root:

stephenw10

@Wolf666 said in Do UPnP rules not expire?:

Tested after I removed manually the states:

Like you just deleted the firewall states in Diag > States?

Wolf666

@stephenw10
No, I just manually cleared the mapped ports from UPnP status page. I used wrong wording.

stephenw10

Hmm, it's odd that it doesn't show a session time for the port forward. Does it ever show a time? If you check just after it's been opened?

Does the error in the log appear after, say, 1 hr?

Wolf666

@stephenw10
Just clear all mapped ports while PS% was on, started to play Destiny:

PS C:\upnpc> ./upnpc-static -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.10:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.10:2189/ctl/IPConn
Local LAN ip address : 192.168.1.81
Connection Type : IP_Routed
Status : Connected, uptime=76s, LastConnectionError : ERROR_NONE
  Time started : Mon Dec 23 18:09:32 2024
MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 300000000 bps (300.0 Mbps)
ExternalIPAddress = 82.84.92.142
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  3074->192.168.1.50:3074  'DemonwarePortMapping' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
PS C:\upnpc>

Now I will close the game, switch off the PS5 and see what's going to happen in 1 hour.

stephenw10

Still shows 0 leasetime though. I'm not sure how it determines when to 'expire' it.

Wolf666

@stephenw10
In fact the mapped port 3074 is still there.
There is only 1 state active not related to upnp:

WAN	tcp	82.84.92.142:65206 (192.168.1.50:65206) -> 34.214.130.96:443	ESTABLISHED:ESTABLISHED	714 / 364	50 KiB / 32 KiB

I am not an IT expert and I really don’t have any further idea on this.

stephenw10

Do you still see the error in the upnp logs showing it failing to remove the forward though?

It looks like the forward is being opened without a leasetime and I'm unsure what should happen in that situation. I can create a similar lease manually by defining 0s specifically:

steve@steve-NUC9i9QNX:~$ upnpc -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://172.21.16.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://172.21.16.1:2189/ctl/IPConn
Local LAN ip address : 172.21.16.8
Connection Type : IP_Routed
Status : Connected, uptime=1291945s, LastConnectionError : ERROR_NONE
  Time started : Mon Dec  9 00:31:38 2024
MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 1000000000 bps (1000.0 Mbps)
ExternalIPAddress = 45.89.45.8
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  8889->172.21.16.8:8889  'Test2' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)

I'll see what happens.

stephenw10

Also by omitting a lease time value.

I wonder if it should add a default and is not....

stephenw10

Mmm, this thread seems pretty revealing: https://miniupnp.tuxfamily.org/forum/viewtopic.php?p=5727#5727

Seems like the behaviour you're seeing is expected is the client opens forward with no lease time.

Wolf666

@stephenw10
Yes that forum thread explains the behavior. I cannot do anything except removing mapped port manually. From a security point of view the consoles have their own IP assigned so it is ok if the mapped port are there until I remove them manually. Only consoles have access to UPnP service with proper “allow” and IP, other IP are denied by default in the Service ACL.
Thanks for help and time.

stephenw10

Mmm, I tried added min and max lifetime options to the conf and it made absolutely no difference I could see!