-
Thanks for taking the time to verify and document this issue, John. Was hoping that we could do this to prove that there indeed is a problem, so that it does not go ignored as user error as my first post did…
Let's hope it gets priority over grammatical corrections in one of the upcoming snapshots ;) -
No problem. I don't have a use for UPnP myself, not really a fan. I had set it up for my son's Xbox, more just for a reason to play with it and the rules for limiting UPnP access to specific devices for any possible future need (unlikely).
I normally would just set up NAT for his specific ports for his Xbox, but figured this would give some experience with UPnP. Not a fan ;)
But yeah, if it's going to be included as an option, it should work ;) Which from my testing it currently does not.
-
There were some recent pf changes so I may need to rebuild the UPnP daemon again.
I just did it now, try the next new snap (not up yet, will be dated later today) and see if it works.
-
There were some recent pf changes so I may need to rebuild the UPnP daemon again.
I just did it now, try the next new snap (not up yet, will be dated later today) and see if it works.
Just ran up:
2.1-BETA1 (amd64)
built on Thu Feb 14 16:30:41 EST 2013
There is now an additional entry on the table for Teredo that was not there in the last snapshot; however, the results are the same as described previously. Both the app and the external client report a closed port :-\
-
Any errors at all in the system log?
-
OK, running
2.1-BETA1 (i386)
built on Fri Feb 15 04:06:54 EST 2013
FreeBSD 8.3-RELEASE-p5
Gitsync of a couple of minutes ago. Still seeing the same issue: rules look like they're in place via UPnP status, but blocked in the firewall. I am not seeing anything in the system log about it, or any other odd errors.
BTW, that Teredo is not related; that's just that you have not turned it off on your clients, unless you have some reason to be using it?? I for sure can not see one if you're running IPv6 on your WAN?
-
Anything listed in "pfctl -sn -a miniupnpd" and "pfctl -sr -a miniupnpd"?
-
Anything listed in "pfctl -sn -a miniupnpd" and "pfctl -sr -a miniupnpd"?
2.1-BETA1 (amd64)
built on Fri Feb 15 04:33:17 EST 2013
FreeBSD 8.3-RELEASE-p5
Second IP (192.168.1.110) is a user with Skype on his iPhone; 192.168.1.105 is the seedbox with the UPnP port closed issues.
-
Is igb0 actually your WAN/default route?
-
Is igb0 actually your WAN/default route?
Yep, igb0 is hooked to the cable router (WAN). It's a simple setup: Intel Gigabit ET2 quad-port server adapter (only using 2 ports -.-) in an HP ProLiant DL380 server.
igb0 for WAN and igb1 for LAN. No errors show in the system log at all.
As I noted in an earlier post, the only changes to a default pfSense install are selecting "6to4 tunnel" for IPv6 on the WAN and "track interface" for IPv6 on the LAN. Everything else is set at installer default.
-
Hi
I can confirm this issue. The "transmission" torrent application is a good tester because it both asks UPnP to open the port, then has it probed from the outside to confirm that the port has actually been opened.
[2.1-BETA1][root@xxx.xxx.xxx]/root(1): pfctl -sn -a miniupnpd
rdr log quick on vr0 inet proto tcp from any to any port = 63839 keep state label "Transmission at 63839" rtable 0 -> 192.168.1.120 port 63839
rdr log quick on vr0 inet proto udp from any to any port = 63839 keep state label "Transmission at 63839" rtable 0 -> 192.168.1.120 port 63839
[2.1-BETA1][root@xxx.xxx.xxx]/root(2): pfctl -sr -a miniupnpd
pass in log quick on vr0 inet proto tcp from any to any port = 63839 flags S/SA keep state label "Transmission at 63839" rtable 0
pass in log quick on vr0 inet proto udp from any to any port = 63839 flags S/SA keep state label "Transmission at 63839" rtable 0
The best way I can describe the issue is that miniupnpd claims to have performed the requested operation, but didn't actually do it. Or, perhaps pf is now behaving differently (ignoring?) miniupnpd's request.
My version with issue: 2.1-BETA1 (i386) built on Fri Feb 15 15:43:49 EST 2013
Reverting back to: 2.1-BETA1 (i386) built on Thu Jan 24 19:53:22 EST 2013
…resolves the issue
Same commands in the earlier snapshot (that works):
[2.1-BETA1][root@xxx.xxx.xxx]/root(1): pfctl -sn -a miniupnpd
rdr log quick on vr0 inet proto tcp from any to any port = 59130 keep state label "Transmission at 59130" rtable 0 -> 192.168.1.120 port 59130
rdr log quick on vr0 inet proto udp from any to any port = 59130 keep state label "Transmission at 59130" rtable 0 -> 192.168.1.120 port 59130
[2.1-BETA1][root@xxx.xxx.xxx]/root(2): pfctl -sr -a miniupnpd
pass in log quick on vr0 inet proto tcp from any to any port = 59130 flags S/SA keep state label "Transmission at 59130" rtable 0
pass in log quick on vr0 inet proto udp from any to any port = 59130 flags S/SA keep state label "Transmission at 59130" rtable 0
NOTE: Port numbers are different because Transmission is assigning random port numbers each time I test.
I'm happy to run further tests. Let me know what you want done.
Thanks
-
I updated to the latest snapshot (yesterday's) and I have no problem on i386. uTorrent opens a port and the port test succeeds.
If the rules are there, it should be working. When UPnP was really broken, there were no rules added there.
-
Still not working - showing it blocked in the firewall.
Canyouseeme is saying closed, but clearly the firewall is blocking it, even though pfctl shows the rules should be there?
running
2.1-BETA1 (i386)
built on Sat Feb 16 10:53:05 EST 2013
FreeBSD 8.3-RELEASE-p5
[2.1-BETA1][root@pfsense.local.lan]/root(1): pfctl -sn -a miniupnpd
rdr log quick on em1 inet proto tcp from any to any port = 3389 keep state label "test" rtable 0 -> 192.168.1.210 port 3389
[2.1-BETA1][root@pfsense.local.lan]/root(2): pfctl -sr -a miniupnpd
pass in log quick on em1 inet proto tcp from any to any port = 3389 flags S/SA keep state label "test" rtable 0
Yes, em1 is my WAN:
WAN (wan) -> em1 -> v4/DHCP4: 24.13.snipped/21
v6/DHCP6: 2001:558:6033:12c:snippedf:a3d3/128
-
Installed "2.1-BETA1 (amd64) built on Sat Feb 16 10:55:42 EST 2013"
Still no go on UPnP opening ports. Tested with:
www.grc.com (Shields Up!)
www.canyouseeme.org
and
uTorrent internal testing option…
$ pfctl -sn -a miniupnpd
rdr log quick on em0 inet proto udp from any to any port = 24927 keep state label "Skype UDP at 192.168.0.50:24927 (2238)" rtable 0 -> 192.168.0.50 port 24927
rdr log quick on em0 inet proto tcp from any to any port = 24927 keep state label "Skype TCP at 192.168.0.50:24927 (2238)" rtable 0 -> 192.168.0.50 port 24927
$ pfctl -sr -a miniupnpd
pass in log quick on em0 inet proto udp from any to any port = 24927 flags S/SA keep state label "Skype UDP at 192.168.0.50:24927 (2238)" rtable 0
pass in log quick on em0 inet proto tcp from any to any port = 24927 flags S/SA keep state label "Skype TCP at 192.168.0.50:24927 (2238)" rtable 0
em0 is my WAN
-
Still not working - showing it blocked in the firewall
John, if you set a static port map, do you still see packets being blocked as indicated in your screenshot?
If so, this would indicate an issue outside of the miniupnp daemon itself…
I updated to the latest snapshot (yesterday's) and I have no problem on i386. uTorrent opens a port and the port test succeeds.
If the rules are there, it should be working. When UPnP was really broken, there were no rules added there.
Do you think a clean install would make a difference Jim?
-
Unlikely, but possible.
-
Jim,
Please don't think I'm being confrontational, but what would it take to prove this issue exists for some of us?
-
A few things:
1. A screenshot of the UPnP status screen showing the client ports that should be open. Use uTorrent or similar that has a built-in test.
2. The pfctl commands mentioned above.
3. The parsed and raw firewall log entries for the packets that should be matching the rule, but are not.
4. The full contents of /tmp/rules.debug, pfctl -vvsr, and pfctl -vvsn
5. The contents of netstat -rn
6. A screenshot showing that the test failed.
7. Repeat the same test with a manual port forward instead of UPnP and see if that works.
I don't doubt that it's not working, but given the rest of the context, I'm not entirely sure it's UPnP and not something else just getting blamed on UPnP.
-
A snippet from "/tmp/rules.debug":
Why is the miniupnpd anchor not ending in "/*"?
# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
# Setup Squid proxy redirect
no rdr on em1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
# UPnPd rdr anchor
rdr-anchor "miniupnpd" (Why NOT "miniupnpd/*" ???)
anchor "relayd/*"
anchor "openvpn/*"
anchor "ipsec/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
pfctl -vvsr shows no anchor named "miniupnpd" (full ruleset dump omitted here; it lists the relayd/*, openvpn/*, ipsec/*, userrules/* and tftp-proxy/* anchors and the usual default rules, but no miniupnpd anchor).
$ pfctl -sn -a miniupnpd
rdr log quick on em0 inet proto udp from any to any port = 17040 keep state label "Skype UDP at 192.168.0.51:17040 (2239)" rtable 0 -> 192.168.0.51 port 17040
rdr log quick on em0 inet proto tcp from any to any port = 17040 keep state label "Skype TCP at 192.168.0.51:17040 (2239)" rtable 0 -> 192.168.0.51 port 17040
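The symptom in this post (rules present inside the miniupnpd anchor, no miniupnpd anchor in the main ruleset) can be checked mechanically. The script below is an added example, not code from the thread or from pfSense: it takes the text of the main filter and NAT rulesets and of the anchor's own contents, as the pfctl commands above print them, and reports whether the anchor's rules are actually reachable. It accepts both `"miniupnpd"` and `"miniupnpd/*"` as an attachment, since the `/*` form only matters when rules live in nested sub-anchors. The sample rulesets are constructed from the listings in this thread, trimmed to the lines that matter.

```shell
#!/bin/sh
# Added diagnostic: is the miniupnpd anchor populated AND attached to the main
# ruleset? pf only evaluates an anchor's rules when a main-ruleset line
# attaches it ("anchor" for filter rules, "rdr-anchor" for NAT rules).

# anchor_attached RULESET_TEXT KIND NAME
# KIND is "anchor" or "rdr-anchor". Succeeds if RULESET_TEXT has a line
# attaching NAME or NAME/*; the optional "@N " prefix is what pfctl -vvsr prints.
anchor_attached() {
    pat="^(@[0-9]+ )?$2 \"$3(/\\*)?\"( |\$)"
    printf '%s\n' "$1" | grep -Eq "$pat"
}

# count_rules TEXT: number of non-blank lines in an anchor listing.
count_rules() {
    printf '%s\n' "$1" | grep -c '[^[:space:]]' || true
}

# diagnose_anchor MAIN_FILTER MAIN_NAT ANCHOR_FILTER ANCHOR_NAT
# Prints: no-rules (daemon inserted nothing), detached:<filter|nat|filter+nat>
# (rules exist but the main ruleset never evaluates them), or ok.
diagnose_anchor() {
    if [ "$(count_rules "$3")" -eq 0 ] && [ "$(count_rules "$4")" -eq 0 ]; then
        echo no-rules
        return
    fi
    missing=""
    anchor_attached "$1" anchor miniupnpd || missing="filter"
    anchor_attached "$2" rdr-anchor miniupnpd || missing="${missing:+$missing+}nat"
    if [ -n "$missing" ]; then
        echo "detached:$missing"
    else
        echo ok
    fi
}

# Constructed sample: main filter ruleset as pfctl -vvsr listed it on the
# affected snapshot (non-anchor rules trimmed), with no miniupnpd anchor.
BROKEN_FILTER='@0 anchor "relayd/*" all
@1 anchor "openvpn/*" all
@2 anchor "ipsec/*" all
@3 block drop in inet all label "Default deny rule IPv4"
@65 anchor "userrules/*" all
@80 anchor "tftp-proxy/*" all'

# Constructed sample: the same ruleset with the anchor attached.
FIXED_FILTER="$BROKEN_FILTER
@81 anchor \"miniupnpd\" all"

# Constructed sample: main NAT ruleset following the rules.debug order above.
MAIN_NAT='rdr-anchor "relayd/*" all
rdr-anchor "tftp-proxy/*" all
rdr-anchor "miniupnpd" all'

# Anchor contents, taken from the pfctl -sn/-sr -a miniupnpd output above.
ANCHOR_NAT='rdr log quick on em1 inet proto tcp from any to any port = 3389 keep state label "test" rtable 0 -> 192.168.1.210 port 3389'
ANCHOR_FILTER='pass in log quick on em1 inet proto tcp from any to any port = 3389 flags S/SA keep state label "test" rtable 0'

echo "affected snapshot: $(diagnose_anchor "$BROKEN_FILTER" "$MAIN_NAT" "$ANCHOR_FILTER" "$ANCHOR_NAT")"
echo "anchor attached:   $(diagnose_anchor "$FIXED_FILTER" "$MAIN_NAT" "$ANCHOR_FILTER" "$ANCHOR_NAT")"
```

On a live box the four arguments would come from `pfctl -sr`, `pfctl -sn`, `pfctl -sr -a miniupnpd` and `pfctl -sn -a miniupnpd`; "detached" points at ruleset generation, "no-rules" at the daemon itself.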
-
So yeah, if I do a manual NAT it works, no problem; see attached.
Canyouseeme goes back to 80 when you do the test, but clearly in the output you see that it's saying 3389 is open to the public. When UPnP says that it opens this port, the firewall blocks it and canyouseeme reports closed/timeout/etc.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.