Netgate Discussion Forum

2.4.5 broke UPNP

Problems Installing or Upgrading pfSense Software
  • S
    stephenw10 Netgate Administrator
    last edited by Apr 6, 2020, 2:39 AM

    There's a big difference between a static IP address and passing dynamic public IP to pfSense.

    I know that it is possible to do it with Google Fibre as others have written up how-tos here on the forum. However it is not easy, especially if you're using any other services on the connection, IPTV, VoIP etc.

    If you setup pfSense as the DMZ IP you should be able to get an OpenVPN remote access server setup though and that is a far, far better solution. I strongly recommend you go back to trying to get that setup and we can assist with that.

    Steve

    • J
      jimp Rebel Alliance Developer Netgate
      last edited by Apr 6, 2020, 1:46 PM

      It's definitely a bad decision by miniupnpd to do this unilaterally.

      https://redmine.pfsense.org/issues/10398

      https://github.com/miniupnp/miniupnp/issues/433

      At least by that last comment on that issue, they are going to make it a compile-time option.

      I can't see why anyone would ever want it. It serves no real purpose other than trying to enforce someone's opinion about how they think things should work. In the real world, there are far too many exceptions to that rule for it to be viable.

      • D
        DmacDude @jimp
        last edited by Apr 11, 2020, 2:52 PM

        @jimp I agree. There are so many options out there, that limiting their service makes it less valuable. Hopefully pfsense will convince them to change or find another upnp daemon.

        • D
          DmacDude @stephenw10
          last edited by Apr 11, 2020, 2:55 PM

          @stephenw10

          So I set up openvpn per the directions on a site and inside the network it connects fine. The problem is I can't connect to the firewall through the google fiber router. I keep getting "waiting for server to respond". The google firewall has a port forward on 1194 on tcp and udp. The firewall is set on DMZ. I am not sure what I am missing. I can't find anything online. I am debating if I should start a new thread as I don't want to take this thread of miniupnpd in another direction as this might help someone. So should I start a new thread on my problem? Thanks again for everything.

          • S
            stephenw10 Netgate Administrator
            last edited by Apr 11, 2020, 3:33 PM

            Run a packet capture on the pfsense WAN on port 1194 (assuming you are using that port?). Make sure packets are arriving at all.
            If not try using a different port. Hard to imagine Google fibre is blocking 1194 but it's possible.

            Steve

            • D
              DmacDude @stephenw10
              last edited by DmacDude Apr 11, 2020, 7:16 PM Apr 11, 2020, 4:08 PM

              @stephenw10

              I figured out my screw up on the vpn.

              1) Because of google not passing external ip address I had to do custom on the vpn to manually put in the address. The default option put in google's 192.168.x.x. Hopefully the ip doesn't change often, or I am screwed. If there is a way to put in the network automatically that would be helpful.

              2) The tunnel network is a different network than any you are using. My network starts at x.x.x.10. So I thought I could do just the small 2-9 ips. I was wrong, had to do another network.

              So now everything works.

              I don't know how many pfsense google home users you have but they are all screwed with miniupnpd. I have a few xbox's so I'll have to deal with that at another time that I am in the office.

              Thanks again for your awesome help!!!

              • B
                Bob.Dig LAYER 8
                last edited by Bob.Dig Apr 11, 2020, 6:49 PM Apr 11, 2020, 4:36 PM

                According to tixati, a torrent app for Windows, UPnP is not working on 2.4.5 for me. I did this test on 2.5.0 before and it also wasn't working.


                @stephenw10 said in 2.4.5 broke UPNP:

                It does look like this is a change to the miniupnpd daemon that will not open a connection when the client requests a public IP if it does not have one to give. You might be able to override that by giving it a public IP to pass as suggested.

                My ISP is using 1:1 CG-NAT for IPv4 (100.65..). I can open ports though and pfSense uses the "true" internet-IP for DDNS and stuff.

                • S
                  stephenw10 Netgate Administrator
                  last edited by Apr 11, 2020, 8:04 PM

                  Hmm, interesting. Kinda seems pointless them using CGN if they are 1:1... 🤔

                  But, yes, this will fail if your WAN is not public until we get a fix for it.

                  Steve

                  • B
                    Bob.Dig LAYER 8 @stephenw10
                    last edited by Apr 11, 2020, 8:07 PM

                    @stephenw10 said in 2.4.5 broke UPNP:

                    Hmm, interesting. Kinda seems pointless them using CGN if they are 1:1... 🤔

                    Thank goodness it is pointless. ☺

                    • S
                      stephenw10 Netgate Administrator
                      last edited by Apr 11, 2020, 8:29 PM

                      You can edit /var/etc/miniupnpd.conf and add ext_ip=x.x.x.x.
                      Of course that will be lost if you make any changes to the upnp config etc but it should at least allow it to start for now.

                      Steve

                      B 1 Reply Last reply Apr 11, 2020, 8:46 PM Reply Quote 0
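A diagnostic for the situation discussed above, added here as an example and not taken from the thread, pfSense or miniupnpd: it classifies a WAN IPv4 address as public or not and reports whether an `ext_ip=` line is present in the text of `/var/etc/miniupnpd.conf`. The range list, the sample config (interface names `em0`/`em1`) and all addresses are constructed assumptions, and a set `ext_ip` does not by itself mean port mapping works.

```python
import ipaddress
# Assumed non-public IPv4 ranges; the exact list miniupnpd tests is not given in the thread.
NON_PUBLIC = {
    "10.0.0.0/8": "RFC 1918 private",
    "172.16.0.0/12": "RFC 1918 private",
    "192.168.0.0/16": "RFC 1918 private",
    "100.64.0.0/10": "RFC 6598 shared (CG-NAT)",
    "169.254.0.0/16": "link-local",
}

# Constructed sample of /var/etc/miniupnpd.conf; 203.0.113.7 is a documentation address.
SAMPLE_CONF = "ext_ifname=em0\nlistening_ip=em1\n#ext_ip=198.51.100.1\next_ip=203.0.113.7\n"

def classify_wan(addr):
    """Return a label if addr is in a non-public range, else None."""
    ip = ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
    for net, label in NON_PUBLIC.items():
        if ip in ipaddress.ip_network(net):
            return label
    return None

def parse_ext_ip(conf_text):
    """Return the ext_ip= value from the config text (last one if repeated), or None."""
    value = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        key, sep, val = line.partition("=")
        if sep and key.strip() == "ext_ip":
            value = val.strip()
    return value

def diagnose(wan_addr, conf_text):
    """Summarise whether the WAN address is public and whether ext_ip is usable."""
    reason = classify_wan(wan_addr)
    if reason is None:
        return "WAN %s is public" % wan_addr
    ext_ip = parse_ext_ip(conf_text)
    if ext_ip is None:
        return "WAN %s is %s and ext_ip is not set" % (wan_addr, reason)
    try:
        ext_reason = classify_wan(ext_ip)
    except ValueError:
        return "ext_ip=%s is not a valid IPv4 address" % ext_ip
    if ext_reason is not None:
        return "ext_ip=%s is itself %s" % (ext_ip, ext_reason)
    return "WAN %s is %s; ext_ip=%s is set" % (wan_addr, reason, ext_ip)

if __name__ == "__main__":
    print(diagnose("100.65.0.10", SAMPLE_CONF))  # constructed CG-NAT WAN address
```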
                      • B
                        Bob.Dig LAYER 8 @stephenw10
                        last edited by Apr 11, 2020, 8:46 PM

                        @stephenw10 That didn't do it for me:

                        • S
                          stephenw10 Netgate Administrator
                          last edited by Apr 11, 2020, 8:47 PM

                          Hmm, you still see errors from miniupnpd logged?

                          • B
                            Bob.Dig LAYER 8 @stephenw10
                            last edited by Bob.Dig Apr 11, 2020, 8:52 PM Apr 11, 2020, 8:52 PM

                            @stephenw10 I anonymized it.

                            Apr 11 22:47:50 	miniupnpd 	87475 	HTTP listening on port 2189
                            Apr 11 22:47:50 	miniupnpd 	87475 	HTTP IPv6 address given to control points : [2a02:2450:x:x:x:x:x:x]
                            Apr 11 22:47:50 	miniupnpd 	87475 	setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
                            Apr 11 22:49:17 	miniupnpd 	87475 	shutting down MiniUPnPd 
                            
                            • S
                              stephenw10 Netgate Administrator
                              last edited by Apr 11, 2020, 9:09 PM

                              Hmm, you're using IPv6? And that worked in 2.4.4p3?

                              • S
                                stephenw10 Netgate Administrator
                                last edited by Apr 11, 2020, 11:35 PM

                                You might also try this: https://forum.netgate.com/post/901337

                                However it looks like maybe you are hitting something different.

                                Steve

                                • S
                                  stephenw10 Netgate Administrator
                                  last edited by Apr 11, 2020, 11:48 PM

                                  Adding the ext_ip line works for me, it looks like you're hitting some other issue:

                                  steve@steve-MMLP7AP-00 ~ $ upnpc -s
                                  upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
                                  Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
                                  for more information.
                                  List of UPNP devices found on the network :
                                   desc: http://172.21.16.1:2189/rootDesc.xml
                                   st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
                                  
                                  Found a (not connected?) IGD : http://172.21.16.1:2189/ctl/IPConn
                                  Trying to continue anyway
                                  Local LAN ip address : 172.21.16.5
                                  Connection Type : IP_Routed
                                  Status : Connected, uptime=17s, LastConnectionError : ERROR_NONE
                                    Time started : Sun Apr 12 00:45:45 2020
                                  MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 1000000000 bps (1000.0 Mbps)
                                  ExternalIPAddress = 1.2.3.4
                                  Bytes:   Sent: 2881492721	Recv: 853789240
                                  Packets: Sent: 36156776	Recv: 52749504
                                  

                                  Steve

                                  • S
                                    stephenw10 Netgate Administrator
                                    last edited by stephenw10 Apr 12, 2020, 11:03 AM Apr 11, 2020, 11:53 PM

                                    Ha, I should have read the bug report more carefully. 🙄

                                    So no need to edit the file, you can create that line from the webgui using the override WAN IP field anyway. But it still doesn't work because: https://redmine.pfsense.org/issues/10398#note-2

                                    Steve

                                    • B
                                      Bob.Dig LAYER 8 @stephenw10
                                      last edited by Bob.Dig Apr 12, 2020, 7:16 AM Apr 12, 2020, 7:11 AM

                                      @stephenw10 Thanks Steve, let's hope it'll get fixed or something is done like "Merlin" did, which is btw a great product(-enhancement).

                                      • B
                                        Bob.Dig LAYER 8
                                        last edited by Apr 14, 2020, 1:50 PM

                                        So they probably fixed it, too bad I can't test it myself, because I have no clue how I would and don't ask me why I have an account on github in the first place...

                                        • S
                                          stephenw10 Netgate Administrator
                                          last edited by Apr 14, 2020, 2:23 PM

                                          ...my account on github is only for complaining... 😆

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.