2.4.5 broke UPNP

DmacDude

@jimp I agree. There are so many options out there, that limiting their service makes it less valuable. Hopefully pfsense will convince them to change or find another upnp daemon.

DmacDude

@stephenw10

So I setup openvpn per the directions on a site and inside the network it connects fine. The problem is I can't connect to the firewall through the google fiber router. I keep getting "waiting for server to respond" The google firewall has a port forward on 1194 on tcp and udp. The firewall is set on DMZ. I am not sure what I am missing. I can't find anything online. I am debating if I should start a new thread as I don't want to take this thread of miniupnpd in another direction as this might help someone. So should I start a new thread on my problem? Thanks again for everything.

stephenw10

Run a packet capture on the pfsense WAN on port 1194 (assuming you are using that port?). Make sure packets are arriving at all.
If not try using a different port. Hard to imagine Google fibre is blocking 1194 but it's possible.

Steve

DmacDude

@stephenw10

I figured out my screw up on the vpn. 1) because of google not passing external ip address I had to do custom on the vpn to manually put in the address. The default option put in google's 192.168.x.x. Hopefully the ip doesn't change often, or I am screwed. If there is a way to put in the network automatically that would be helpful.

2. The tunnel network is a different network than any you are using. My network starts at x.x.x.10. So I thought I could do just the small 2-9 ips. I was wrong, had to do another network.

So now everything works.

I don't know how many pfsense google home users you have but they are all screwed with miniupnpd. I have a few xbox's so I'll have to deal with that at another time that I am in the office.

Thanks again for your awesome help!!!

Bob.Dig

According to tixati, a torrent app for Windows, UPnP is not working on 2.4.5 for me. I did this test on 2.5.0 before and it also wasn't working.

Spoiler

@stephenw10 said in 2.4.5 broke UPNP:

It does look like this is a change to the minipnpd daemon that will not open a connection when the client requests a public IP if it does not have one to give. You might be able to override that by giving it a public IP to pass as suggested.

My ISP is using 1:1 CG-NAT for IPv4 (100.65..). I can open ports though and pfSense uses the "true" internet-IP for DDNS and stuff.

stephenw10

Hmm, interesting. Kinda seems pointless them using CGN if they are 1:1...

But, yes, this will fail if your WAN is not public until we get a fix for it.

Steve

Bob.Dig

@stephenw10 said in 2.4.5 broke UPNP:

Hmm, interesting. Kinda seems pointless them using CGN if they are 1:1...

Thank goodness it is pointless.

stephenw10

You can edit /var/etc/miniupnpd.conf and add ext_ip=x.x.x.x.
Of course that will be lost is you make any changes to the upnp config etc but it should at least allow it to start for now.

Steve

Bob.Dig

@stephenw10 That didn't do it for me:

Spoiler

stephenw10

Hmm, you still see errors from miniupnpd logged?

Bob.Dig

@stephenw10 I anonymized it.

Apr 11 22:47:50 	miniupnpd 	87475 	HTTP listening on port 2189
Apr 11 22:47:50 	miniupnpd 	87475 	HTTP IPv6 address given to control points : [2a02:2450:x:x:x:x:x:x]
Apr 11 22:47:50 	miniupnpd 	87475 	setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
Apr 11 22:49:17 	miniupnpd 	87475 	shutting down MiniUPnPd 

stephenw10

Hmm, you're using IPv6? And that worked in 2.4.4p3?

stephenw10

You might also try this: https://forum.netgate.com/post/901337

However it looks like maybe you are hitting something different.

Steve

stephenw10

Adding the ext_ip line works for me, I looks like you're hitting some other issue:

steve@steve-MMLP7AP-00 ~ $ upnpc -s
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://172.21.16.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found a (not connected?) IGD : http://172.21.16.1:2189/ctl/IPConn
Trying to continue anyway
Local LAN ip address : 172.21.16.5
Connection Type : IP_Routed
Status : Connected, uptime=17s, LastConnectionError : ERROR_NONE
  Time started : Sun Apr 12 00:45:45 2020
MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 1000000000 bps (1000.0 Mbps)
ExternalIPAddress = 1.2.3.4
Bytes:   Sent: 2881492721	Recv: 853789240
Packets: Sent: 36156776	Recv: 52749504

Steve

stephenw10

Ha, I should have read the bug report more carefully.

So no need to edit the file, you can create that line from the webgui using the override WAN IP field anyway. But it still doesn't work because: https://redmine.pfsense.org/issues/10398#note-2

Steve

Bob.Dig

@stephenw10 Thanks Steve, Let's hope it'll get fixed ore something is done like "Merlin" did, which is btw a great product(-enhancement).

Bob.Dig

So they probably fixed it, to bad I can't test it myself, because I have no clue how I would and don't asky my why I have an account on github in the first place...

stephenw10

...my account on github is only for complaining...

UTxCipo

Hi folks, I've just solved that issue setting the WAN interface as PPPoE.

stephenw10

It allows you to use a private IP as WAN for UPnP?

How do you get the IP if that's the case?

Steve