Is UPnP the reason my games don't work?
-
Hello, I've been trying to get UPnP working for a few days now and have had little luck so far. I'm on 2.7.2-RELEASE and my firewall has a public IP from my ISP. Behind that I have an ASUS RT-AXE7800 router in access point mode which I have connected my PC wirelessly to.
In particular, I'm trying to play Pavlov VR, but I also tried and failed to play Among Us, COD BO3 and No Man's Sky. Whenever I try to load in a match I see a lot of blocked requests from my PC to different addresses (blocked by the default deny rule):
I also don't see any active UPnP rules when I start a match. However, what I find so weird, is that when I start my Hamachi client, there are two UPnP rules that get made:
This led me to believe that UPnP (kind of) works? And if so, I am even more confused as to why all the UPnP requests get blocked by the default rule when I try to play a game. When I add an allow any to any rule, I can play the games just fine and the previously blocked requests get passed through that rule. Could there be something else that causes my games to not work? These are my settings for UPnP:
I have not enabled STUN and also no ACL (I first want to get it working before adding an ACL). I have also enabled Pure NAT
I have also enabled static port for the outbound NAT (the games alias is the static IP of my PC):
I have also added pass rules for the UPnP ports. The rule below is to allow the TCP port for the miniupnpd daemon.
So... Is it my UPnP settings that could be blocking my games? Or is it something else? I also have Squid, Snort and PFBlockerNG running, but the blocked requests come from the default deny any rule.
Any help would be greatly appreciated. Thank you in advance!
-
What are your firewall rules ?
-
@Uglybrian These are the rules for my OPT2 interface (where my router is connected to):
And these are for my WAN:
To be sure, this is the rule that blocked the requests:
-
Your DNS rule, try OPT2 address instead of this firewall. You can see by the 0/0 that the rule is not effective.
-
@Uglybrian Like this?
Hmm it's still ineffective it seems, and the requests still get blocked
-
YES, but sorry it didn't work, I took a second look at your rule set and see you have more DNS rules below.
To me it looks like you have something blocking UDP in your rule set. I am basing this on when you put an any/any rule it works. I will take a third look and see if I spot something.
-
@Uglybrian Thank you very much! If I need to provide more screenshots or information let me know!
Another thing I maybe should mention is that I have a PiHole on OPT1 that is set as my DNS server (10.10.10.102)
-
Just saw, on the firewall rule that you changed: it should be to addresses, not to subnet.
Like this:
-
@Uglybrian Aah okay I have now changed it to this:
Does the source also need to be any? Because I still see blocked requests in the firewall logs
EDIT: that also doesn't seem to be the solution:
-
Is port 22325 in your allowed port aliases?
The source in your DNS firewall rule can be either any or subnets. I have mine as any because I am using this pfSense configuration recipe: https://docs.netgate.com/pfsense/en/latest/recipes/dns-block-external.html
Also for your reference and to double check your settings:
https://docs.netgate.com/pfsense/en/latest/services/upnp.html
-
@Uglybrian I followed the UPnP guide from the docs, that's where I got my original configuration from: enable UPnP, no STUN because my WAN interface has a public IP, and enable static port for the outbound NAT rule. The 22325 is not in my alias, so I added it, but I still see the blocked requests and no active UPnP rules :(
I also checked if it was the pfBlockerNG rules, but they don't change anything