2.4.5 broke UPNP
-
@stephenw10
From Google's faq
Q: Which Google Fiber customers are eligible to order static IPs?
A: Only Fiber small business and Community Connection customers can sign up for static IPs.
So you can not have public IPs unless you are a small business account. Which is twice as much and gives you 10% the bandwidth.
https://support.google.com/fiber/answer/4650342
Shows how Google does the DMZ. They just reserve a 192.168.X.X IP in the network to your DMZ and all the port forwarding, etc. to it. They probably do it, like many other ISPs, to upsell their business service. Especially since most of their home users won't have a firewall (except for the one that comes on Windows).
As far as the VPN, that is probably one of the many reasons why I sucked so bad at trying to create one. The company has one with Sophos that does all the configs, etc. for you and you just hook up Tunnelblick on your end and add the keys. Sophos is way beyond my skillset.
I really wish there was some warning about miniupnpd changing the rules in 2.4.5. Even if I do reinstall and downgrade, it isn't a great solution as I couldn't update the firewall again.
Are there any packages that do UPnP to replace miniupnpd? It might be beyond my skills, but that is another option.
I will do a search for setting up openvpn on a 192. network. If you know of a quick link that would be helpful, please feel free to pass it along.
Thanks again for your time.
-
Strangely enough, there are no errors when trying to do UPNP in status>system logs>system>routing. It really should have an error there.
Is there another spot I should be looking for the routing errors? I do see errors in the log for miniupnpd but they are unrelated and hours ago.
Example:
Apr 5 07:48:16 miniupnpd 41799 Failed to add NAT-PMP 29826 tcp->10.5.0.239:32400 'NAT-PMP 29826 tcp'
Apr 5 08:00:07 miniupnpd 41799 Failed to add NAT-PMP 13150 tcp->10.5.0.20:32400 'NAT-PMP 13150 tcp'
Apr 5 08:05:22 miniupnpd 41799 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
Apr 5 08:05:22 miniupnpd 41799 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
Apr 5 08:05:22 miniupnpd 41799 Failed to get IP for interface igb0
Apr 5 08:05:22 miniupnpd 41799 SendNATPMPPublicAddressChangeNotification: cannot get public IP address, stopping
Apr 5 08:05:22 miniupnpd 41799 PCPSendUnsolicitedAnnounce() sendto(): No route to host
Apr 5 08:05:22 miniupnpd 41799 PCPSendUnsolicitedAnnounce() IPv6 sendto(): Bad file descriptor
Apr 5 08:05:23 miniupnpd 41799 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
Apr 5 08:05:23 miniupnpd 41799 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
Apr 5 08:05:23 miniupnpd 41799 Failed to get IP for interface igb0
Apr 5 08:05:23 miniupnpd 41799 SendNATPMPPublicAddressChangeNotification: cannot get public IP address, stopping
Apr 5 08:05:23 miniupnpd 41799 PCPSendUnsolicitedAnnounce() sendto(): No route to host
Apr 5 08:05:23 miniupnpd 41799 PCPSendUnsolicitedAnnounce() IPv6 sendto(): Bad file descriptor
Apr 5 08:05:24 miniupnpd 41799 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
Apr 5 08:05:24 miniupnpd 41799 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
Apr 5 08:05:24 miniupnpd 41799 Failed to get IP for interface igb0
Apr 5 08:05:24 miniupnpd 41799 SendNATPMPPublicAddressChangeNotification: cannot get public IP address, stopping
Apr 5 08:05:24 miniupnpd 41799 PCPSendUnsolicitedAnnounce() sendto(): No route to host
Apr 5 08:05:24 miniupnpd 41799 PCPSendUnsolicitedAnnounce() IPv6 sendto(): Bad file descriptor
Thanks again.
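A way to triage a miniupnpd log like the one in the post above: group the failed NAT-PMP mapping requests by the LAN host that made them and count how often the WAN interface had no address. This is an added example, not code from the thread or from pfSense; the function name `triage` and the regular expressions are assumptions built around the line format shown in the excerpt.

```python
import re
from collections import Counter, defaultdict

# A subset of the lines from the log excerpt in the post above.
SAMPLE_LOG = """\
Apr 5 07:48:16 miniupnpd 41799 Failed to add NAT-PMP 29826 tcp->10.5.0.239:32400 'NAT-PMP 29826 tcp'
Apr 5 08:00:07 miniupnpd 41799 Failed to add NAT-PMP 13150 tcp->10.5.0.20:32400 'NAT-PMP 13150 tcp'
Apr 5 08:05:22 miniupnpd 41799 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
Apr 5 08:05:22 miniupnpd 41799 Failed to get IP for interface igb0
Apr 5 08:05:22 miniupnpd 41799 SendNATPMPPublicAddressChangeNotification: cannot get public IP address, stopping
Apr 5 08:05:22 miniupnpd 41799 PCPSendUnsolicitedAnnounce() sendto(): No route to host
"""

# "<Mon> <day> <hh:mm:ss> miniupnpd <pid> <message>", as shown in the excerpt.
LINE = re.compile(r"^\w{3}\s+\d+\s+[\d:]{8}\s+miniupnpd\s+\d+\s+(?P<msg>.*)$")
MAPPING = re.compile(
    r"Failed to add NAT-PMP (?P<ext>\d+) (?P<proto>tcp|udp)->(?P<host>[\d.]+):(?P<port>\d+)")
NO_ADDR = re.compile(r"Failed to get IP for interface (?P<ifname>\S+)")


def triage(log_text):
    """Return (failed mappings per LAN host, no-address count per interface, other lines)."""
    failed = defaultdict(list)
    no_addr = Counter()
    other = 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a miniupnpd line in the expected format
        msg = m["msg"]
        if hit := MAPPING.search(msg):
            # (protocol, requested external port, internal port)
            failed[hit["host"]].append((hit["proto"], int(hit["ext"]), int(hit["port"])))
        elif hit := NO_ADDR.search(msg):
            no_addr[hit["ifname"]] += 1
        else:
            other += 1
    return dict(failed), dict(no_addr), other


if __name__ == "__main__":
    failed, no_addr, other = triage(SAMPLE_LOG)
    for host, reqs in sorted(failed.items()):
        for proto, ext, port in reqs:
            print(f"{host}: {proto} external {ext} -> internal {port} was not mapped")
    for ifname, count in no_addr.items():
        print(f"{ifname}: no address available {count} time(s)")
    print(f"{other} other miniupnpd message(s)")
```

The per-host list doubles as an inventory of which LAN devices are asking the firewall to open ports, which is worth reviewing before UPnP or NAT-PMP is made to work again.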
-
There's a big difference between a static IP address and passing dynamic public IP to pfSense.
I know that it is possible to do it with Google Fibre as others have written up how-tos here on the forum. However it is not easy, especially if you're using any other services on the connection, IPTV, VoIP etc.
If you setup pfSense as the DMZ IP you should be able to get an OpenVPN remote access server setup though and that is a far, far better solution. I strongly recommend you go back to trying to get that setup and we can assist with that.
Steve
-
It's definitely a bad decision by miniupnpd to do this unilaterally.
https://redmine.pfsense.org/issues/10398
https://github.com/miniupnp/miniupnp/issues/433
At least by that last comment on that issue, they are going to make it a compile-time option.
I can't see why anyone would ever want it. It serves no real purpose other than trying to enforce someone's opinion about how they think things should work. In the real world, there are far too many exceptions to that rule for it to be viable.
-
@jimp I agree. There are so many options out there, that limiting their service makes it less valuable. Hopefully pfsense will convince them to change or find another upnp daemon.
-
So I set up OpenVPN per the directions on a site and inside the network it connects fine. The problem is I can't connect to the firewall through the Google Fiber router. I keep getting "waiting for server to respond". The Google firewall has a port forward on 1194 on TCP and UDP. The firewall is set on DMZ. I am not sure what I am missing. I can't find anything online. I am debating if I should start a new thread as I don't want to take this thread of miniupnpd in another direction as this might help someone. So should I start a new thread on my problem? Thanks again for everything.
-
Run a packet capture on the pfsense WAN on port 1194 (assuming you are using that port?). Make sure packets are arriving at all.
If not try using a different port. Hard to imagine Google fibre is blocking 1194 but it's possible.
Steve
-
I figured out my screw up on the VPN.
1) Because of Google not passing the external IP address I had to do custom on the VPN to manually put in the address. The default option put in Google's 192.168.x.x. Hopefully the IP doesn't change often, or I am screwed. If there is a way to put in the network automatically that would be helpful.
2) The tunnel network is a different network than any you are using. My network starts at x.x.x.10. So I thought I could do just the small 2-9 IPs. I was wrong, had to do another network.
So now everything works.
I don't know how many pfsense google home users you have but they are all screwed with miniupnpd. I have a few xbox's so I'll have to deal with that at another time that I am in the office.
Thanks again for your awesome help!!!
-
According to tixati, a torrent app for Windows, UPnP is not working on 2.4.5 for me. I did this test on 2.5.0 before and it also wasn't working.
@stephenw10 said in 2.4.5 broke UPNP:
It does look like this is a change to the miniupnpd daemon that will not open a connection when the client requests a public IP if it does not have one to give. You might be able to override that by giving it a public IP to pass as suggested.
My ISP is using 1:1 CG-NAT for IPv4 (100.65..). I can open ports though and pfSense uses the "true" internet-IP for DDNS and stuff.
-
Hmm, interesting. Kinda seems pointless them using CGN if they are 1:1...
But, yes, this will fail if your WAN is not public until we get a fix for it.
Steve
-
@stephenw10 said in 2.4.5 broke UPNP:
Hmm, interesting. Kinda seems pointless them using CGN if they are 1:1...
Thank goodness it is pointless.
-
You can edit /var/etc/miniupnpd.conf and add:
ext_ip=x.x.x.x
Of course that will be lost if you make any changes to the UPnP config etc. but it should at least allow it to start for now.
Steve
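To see what an `ext_ip` override changes, the sketch below works out which address miniupnpd would report as external (the WAN interface address, or `ext_ip` if set) and whether that address falls in a non-public range such as the 192.168.x.x and 100.65.x.x cases in this thread. It is an added example, not code from the thread, pfSense or miniupnpd; the `RESERVED` table is an assumed stand-in for the daemon's own check, and the sample config and WAN addresses are constructed. It says nothing about whether a mapping will then succeed.

```python
import ipaddress

# Assumed stand-in for "not a public IPv4 address"; not miniupnpd's own table.
RESERVED = {
    "rfc1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "cgnat": ["100.64.0.0/10"],
    "loopback": ["127.0.0.0/8"],
    "link-local": ["169.254.0.0/16"],
}

# Constructed sample config; ext_ifname and port are real miniupnpd.conf keys.
SAMPLE_CONF = "ext_ifname=igb0\nport=2189\n"


def classify(addr):
    """Label an IPv4 address with the reserved range it falls in, else 'public'."""
    ip = ipaddress.ip_address(addr)
    for label, nets in RESERVED.items():
        if any(ip in ipaddress.ip_network(net) for net in nets):
            return label
    return "public"


def parse_conf(text):
    """Read key=value lines, ignoring '#' comments (only single-valued keys are used here)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def external_address(conf_text, wan_addr):
    """Return (address, source, category) for the address reported as external."""
    override = parse_conf(conf_text).get("ext_ip")
    addr, source = (override, "ext_ip") if override else (wan_addr, "interface")
    try:
        return addr, source, classify(addr)
    except ValueError:
        # e.g. the literal placeholder x.x.x.x left in the file
        return addr, source, "invalid"


if __name__ == "__main__":
    for conf, wan in [(SAMPLE_CONF, "192.168.1.50"),
                      (SAMPLE_CONF, "100.65.10.20"),
                      (SAMPLE_CONF + "ext_ip=1.2.3.4\n", "192.168.1.50")]:
        print(external_address(conf, wan))
```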
-
Hmm, you still see errors from miniupnpd logged?
-
@stephenw10 I anonymized it.
Apr 11 22:47:50 miniupnpd 87475 HTTP listening on port 2189
Apr 11 22:47:50 miniupnpd 87475 HTTP IPv6 address given to control points : [2a02:2450:x:x:x:x:x:x]
Apr 11 22:47:50 miniupnpd 87475 setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
Apr 11 22:49:17 miniupnpd 87475 shutting down MiniUPnPd
-
Hmm, you're using IPv6? And that worked in 2.4.4p3?
-
You might also try this: https://forum.netgate.com/post/901337
However it looks like maybe you are hitting something different.
Steve
-
Adding the ext_ip line works for me, it looks like you're hitting some other issue:
steve@steve-MMLP7AP-00 ~ $ upnpc -s
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://172.21.16.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found a (not connected?) IGD : http://172.21.16.1:2189/ctl/IPConn
Trying to continue anyway
Local LAN ip address : 172.21.16.5
Connection Type : IP_Routed
Status : Connected, uptime=17s, LastConnectionError : ERROR_NONE
  Time started : Sun Apr 12 00:45:45 2020
MaxBitRateDown : 1000000000 bps (1000.0 Mbps) MaxBitRateUp 1000000000 bps (1000.0 Mbps)
ExternalIPAddress = 1.2.3.4
Bytes: Sent: 2881492721 Recv: 853789240
Packets: Sent: 36156776 Recv: 52749504
Steve
-
Ha, I should have read the bug report more carefully.
So no need to edit the file, you can create that line from the webgui using the override WAN IP field anyway. But it still doesn't work because: https://redmine.pfsense.org/issues/10398#note-2
Steve
-
@stephenw10 Thanks Steve, let's hope it'll get fixed or something is done like "Merlin" did, which is btw a great product(-enhancement).