IPv6 and UPnP?
-
Does pfSense support UPnP with IPv6? How do you enable it?
-
No. Don't do that.
-
What is the possible use case for this? I am with jk on this; that seems like a really bad idea to do. I have seen some stuff related to PCP, where an IPv6 host could open up an inbound port to itself at the firewall. But without auth and control this is a really bad idea, just like UPnP is.
If you want to allow unsolicited traffic to your IPv6 device behind pfSense, then just put in the firewall rules to allow the traffic you want. For example, I allow ICMP into my IPv6 hosts behind pfSense, and I allow NTP into my NTP server that is a member of the NTP pool via its IPv6 address. But other than that, all traffic is blocked.
-
My use case would be for multiple Xbox Ones on the same network. I have them successfully connected via IPv6, but I still can't get open NAT. Lack of open NAT is limiting my connections. All of my gaming consoles are connected to the gaming LAN interface, which is separate from my home LAN.
-
> My use case would be for multiple Xbox Ones on the same network. I have them successfully connected via IPv6, but I still can't get open NAT. Lack of open NAT is limiting my connections. All of my gaming consoles are connected to the gaming LAN interface, which is separate from my home LAN.

Don't do that either. Just stick them in an IPv4 network and disable IPv6 for them. Console networking is horrible. If you must use IPv6 for those consoles, simply remove the firewall from all console IPv6 connections. Also: don't do IPv6 NAT.
-
Well, since with IPv6 your multiple consoles would all have unique IPv6 addresses, why do you need UPnP? Just allow the traffic you want to allow on your firewall for your IPv6 traffic.
-
> Well, since with IPv6 your multiple consoles would all have unique IPv6 addresses, why do you need UPnP? Just allow the traffic you want to allow on your firewall for your IPv6 traffic.

I think this is where I missed the mark. I will set up rules to allow all traffic for the IPv6 gaming subnets.
-
> Don't do that either. Just stick them in an IPv4 network and disable IPv6 for them.

If I'm not mistaken, the Xbox requires IPv6 and will set up a Teredo tunnel if it can't find it.
-
@johnkeates:
> My use case would be for multiple Xbox Ones on the same network. I have them successfully connected via IPv6, but I still can't get open NAT. Lack of open NAT is limiting my connections. All of my gaming consoles are connected to the gaming LAN interface, which is separate from my home LAN.
> Don't do that either. Just stick them in an IPv4 network and disable IPv6 for them. Console networking is horrible. If you must use IPv6 for those consoles, simply remove the firewall from all console IPv6 connections. Also: don't do IPv6 NAT.

For me, an IPv4 network with multiple Xbox Ones gave the worst performance and the most problems. Tried with UPnP and tried with port forwarding… Fail. I have gotten the best overall results using an IPv6 network, but I still have Strict NAT and am experiencing some communication/multiplayer matchmaking issues.
-
Ummm… If you're running IPv6, where does NAT fit in? The only justification for NAT is the IPv4 address shortage.
-
The "strict NAT" error is a bad description; it means incoming connections don't work, I think.
9 out of 10 times, it means your router doesn't do UPnP (good) and you didn't port-forward (bad).
For IPv6 they just took over this error and never updated the message. Basically, unsolicited incoming traffic is blocked, as it normally should be. The best solution at the moment is to manually add a rule for IPv6 and allow whatever port the Xbox is listening on to the entire internal subnet. This isn't ideal, but better than nothing until a workable solution comes up.
For IPv4, please don't use UPnP; just manually do port forwarding as you normally do.
Part of the problem is that people forget that port forwarding is 2 things: NAT AND a firewall rule update. Most routers perform this firewall change transparently without the user noticing. pfSense does this too, but for IPv6 the NAT part is gone, and it's just the manual firewall part that you need to fix :)
-
One problem with IPv6 port forwarding is that you don't know the IPv6 address.
I'm using SLAAC, so all my clients have a random IPv6 address (or the MAC-address-based IPv6 address). I have 8 IPv6 devices behind my router, and 1 of them needs to run an HTTP and Plex server. Currently IPv4 works, but the firewall is blocking the IPv6 access. Within the LAN network it works fine via any of the IPv6 addresses.
So my options are:
- I can open up a port (let's say 8080) for ALL my IPv6 traffic. So all my devices now have IPv6:8080 open (not the best…)
- Enable UPnP-IPv6, and allow the computer to open a pin-hole port for just its IPv6 (SLAAC) address.
Seems like the UPnP option is better... And I know miniupnpd does support IPv6... Another option is to reconfigure the router from stateless to "stateless+stateful" or "stateful (no Android devices since they only do SLAAC)" IPv6. Disable SLAAC on the target machine, and make sure it gets a global public IPv6 address. However this is not good either, because the prefix delegation is random, so even setting a firewall rule for this machine will only be good until my ISP decides to delegate a new prefix to me...
Seems like the best option is UPnP. Or is opening the port for all my IPv6 traffic on all my devices the preferred method?
-
> And I know miniupnpd does support IPv6…

Been already tested and failed pretty much for everyone. (There's a feature request about this somewhere in Redmine.)
-
@codster SLAAC addresses are not random. Some are based on the MAC address (i.e. they will not change unless your MAC changes), and others (the Windows default) are randomly generated at install time, so they will remain persistent across reboots until you change configuration or reinstall the OS. The last 64 bits of the address will also remain static if your prefix changes or you connect the device to a completely separate physical network.
On the other hand, "privacy extensions" create random addresses, but these are only used for outbound connections; your device should still have a permanent SLAAC address which it can use for inbound.
Not sure about rules for a dynamically delegated prefix; can you just use the last 64 bits of the address, as is done with the DHCPv6 configuration (e.g. :12341234)?
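As an added illustration of the point above (example code written for this page, not from any poster and not from pfSense or miniupnpd): the interface identifier (the low 64 bits) is what stays put when the ISP hands out a new prefix, so it is the thing worth keying a firewall rule on. The code derives a modified EUI-64 interface ID from a MAC, tells an EUI-64-style address apart from a privacy/temporary one, picks the stable address out of a host's observed addresses, and recombines that interface ID with a freshly delegated prefix into a /128 rule target. The MAC 00:11:22:33:44:55, the 2001:db8:: prefixes and the address list are constructed; for a Windows-style random-but-stable interface ID you take the ID from an observed address rather than computing it from the MAC.

```python
from __future__ import annotations

import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits = interface identifier


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A) from a 48-bit MAC.

    The MAC is split in half, ff:fe is inserted in the middle and the
    universal/local bit (0x02 of the first octet) is flipped.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def interface_id(addr: str) -> int:
    """Low 64 bits of an IPv6 address: the part SLAAC keeps stable across prefixes."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def looks_eui64(addr: str) -> bool:
    """Heuristic: an EUI-64-derived interface ID carries ff:fe in its middle two octets.

    Privacy-extension (RFC 4941) or random-but-stable IDs almost never do, so a
    False here usually means 'not the MAC-derived address'.
    """
    iid = interface_id(addr)
    return (iid >> 24) & 0xFFFF == 0xFFFE


def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a known interface ID into the host's SLAAC address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | (iid & IID_MASK))


def stable_address(observed: list[str], iid: int) -> str | None:
    """Pick the global address carrying the stable interface ID out of a host's
    observed addresses; link-local and temporary (privacy) addresses are skipped."""
    for a in observed:
        ip = ipaddress.IPv6Address(a)
        if ip.is_link_local or (int(ip) & IID_MASK) != iid:
            continue
        return str(ip)
    return None


def rule_target(new_prefix: str, iid: int) -> str:
    """/128 destination for a firewall rule after the ISP delegates a new prefix."""
    return f"{slaac_address(new_prefix, iid)}/128"


if __name__ == "__main__":
    # Constructed sample data, not taken from any real network.
    mac = "00:11:22:33:44:55"
    iid = eui64_interface_id(mac)
    seen = [
        "fe80::211:22ff:fe33:4455",          # link-local, same IID
        "2001:db8:1:2:a1b2:c3d4:e5f6:789",   # temporary/privacy address
        "2001:db8:1:2:211:22ff:fe33:4455",   # stable SLAAC address
    ]
    print("interface id   :", f"{iid:016x}")
    print("stable address :", stable_address(seen, iid))
    print("after re-prefix:", rule_target("2001:db8:99:2::/64", iid))
```

The rule target still has to be re-applied whenever the delegated prefix changes; what this saves is re-discovering the host, since only the prefix half moves.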
-
@bert64 A couple of notes based on my experience. Some Xbox One services, but not all, will use, and prefer, IPv6. IPv6 does make the experience better.
I think IPv4 is still required because not everyone has IPv6, and consoles are sometimes chosen to host chats and games. As a result, I suspect Xbox Live carries a lot of baggage when negotiating multiplayer game sessions.
It follows that UPnP, or fixed NAT port forwarding, is still required for the IPv4 components. Port forwarding for IPv6 does not appear to be necessary, although Microsoft has been pretty good at withholding details. Their manual port forward instructions tell us to open these ports using NAT port forward:
Port 88 (UDP), Port 3074 (UDP and TCP), Port 53 (UDP and TCP), Port 80 (TCP), Port 500 (UDP), Port 3544 (UDP), Port 4500 (UDP)
As a result, their manual port forward instructions exclude the ability to have more than one Xbox on IPv4.
These are pretty common ports which you need to dedicate to your Xbox if you aren't using UPnP.
They don't specify the IP version, which pretty much leaves us in the dark when it comes to IPv6. Furthermore, Microsoft went out of their way to make it difficult to port forward IPv6 in residential settings. The console changes its adapters' DUID on every reboot. That is different from Windows 7, 10 and 11. This makes it impossible to create a static lease, which leaves no convenient way to give the Xbox a stable address using DHCPv6. If I am wrong about this I would like to know how to work around it. The only reason I can think of is that they don't want static ports going forward. Does IPv6 have a mechanism that allows both sides of a connection to safely negotiate additional connections? I don't know.
From all my research, the bottom line is that either fixed port forwarding or UPnP is required, and if you have two Xbox consoles running at the same time then "moderate" or "strict" NAT connections will occur on one or both of them. This will negatively affect fireteam, chat and game negotiation on any console that has been deemed less than "OPEN".
With that said, I did manage to get one Xbox console to reliably connect with "OPEN NAT" using pfSense; no such luck getting two to work. To get a reliable "OPEN" NAT, I had to switch to Manual Outbound NAT and add a mapping to the Xbox's IPv4 address. I then added these permissions to UPnP: "allow 88-65535 myxboxlanaddress/32 88-65535"
-
@bigtfromaz Ahh, interesting. I don't have an Xbox, but my brother is a pretty obsessive Xbox player and has 2 Xbox Ones plus several older models, and I set up a pfSense firewall for him.
He basically has a dedicated VLAN and switch for the Xboxes, as he often has friends visiting. The ISP routes a /56, so I assigned a dedicated /64 to the "xbox network" and just configured it to allow everything in/out. I never checked on the rotating DUIDs. How about SLAAC: does the Xbox get the same address every time from SLAAC? I will have to double check.
As I understand it, the Xbox One pretty much requires IPv6 and will use Teredo tunnelling if native IPv6 is not present.
I believe the 360 and original Xbox don't support IPv6 at all, but I'm not sure if the online features for these consoles are even still active.
According to the traffic graphs on pfSense, 99.9% of the traffic is using IPv6, and there seem to be no problems having multiple Xboxes online at the same time. In the area my brother stays, the two largest ISPs both provide IPv6 by default and it's enabled by default on the routers they supply.
An increasing number of people are behind CGNAT these days and don't have the possibility to forward ports. IPv6 is the only way forward.
-
Sorry I was late to the party.
I was getting this error for the Xbox UPnP:
setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument

Jan 3 09:06:45 miniupnpd 11721 Listening for NAT-PMP/PCP traffic on port 5351
Jan 3 09:06:45 miniupnpd 11721 setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
Jan 3 09:06:45 miniupnpd 11721 HTTP IPv6 address given to control points : [2001:REDACTED]
Jan 3 09:06:45 miniupnpd 11721 HTTP listening on port 2189
Jan 3 09:06:45 miniupnpd 11721 STUN: ext interface mvneta0 with IP address CLASSIFIED is now behind restrictive NAT with public IP address IP WAS HERE: Port forwarding is now impossible
Jan 3 09:06:45 miniupnpd 11721 perform_stun: 2 response out of 4 received
Jan 3 09:06:09 radvd 55136 warning: AdvDNSSLLifetime <= 2*MaxRtrAdvInterval would allow stale DNS suffixes to be deleted faster
Jan 3 09:06:09 radvd 55136 warning: (/var/etc/radvd.conf:52) AdvRDNSSLifetime <= 2*MaxRtrAdvInterval would allow stale DNS servers to be deleted faster
Jan 3 09:06:09 radvd 55136 warning: AdvRDNSSLifetime <= 2*MaxRtrAdvInterval would allow stale DNS servers to be deleted faster
Jan 3 09:06:09 radvd 55136 warning: AdvDNSSLLifetime <= 2*MaxRtrAdvInterval would allow stale DNS suffixes to be deleted faster
Jan 3 09:06:09 radvd 55136 warning: (/var/etc/radvd.conf:24) AdvRDNSSLifetime <= 2*MaxRtrAdvInterval would allow stale DNS servers to be deleted faster
Jan 3 09:06:09 radvd 55136 warning: AdvRDNSSLifetime <= 2*MaxRtrAdvInterval would allow stale DNS servers to be deleted faster
Jan 3 09:06:09 radvd 55136 version 2.19 started
Jan 3 08:21:25 miniupnpd 96990 Listening for NAT-PMP/PCP traffic on port 5351
Jan 3 08:21:25 miniupnpd 96990 setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument

Can you create an ACL in UPnP?
It only shows examples for IPv4.
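To make the ACL line quoted by bigtfromaz ("allow 88-65535 myxboxlanaddress/32 88-65535") and the ACL question above concrete, here is an added example, written for this page and not taken from miniupnpd, pfSense or any poster. It models how miniupnpd's documented permission lines are matched: each line is `(allow|deny) <external port range> <ip/mask> <internal port range>`, a request is checked against the lines in order, and the first line whose external port, internal address and internal port all match decides. The sample ACL uses a constructed console address 192.168.50.10 in place of the placeholder; treating "no rule matched" as allow is an assumption drawn from miniupnpd.conf's advice to end the list with `deny 0-65535 0.0.0.0/0 0-65535` (pfSense exposes that trailing deny as a default-deny checkbox), so verify it against your build. The parser accepts an IPv6 prefix in the address field only because `ipaddress` does; this thread does not establish that the pfSense miniupnpd build honours IPv6 permission lines.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Perm:
    action: str                                          # "allow" or "deny"
    ext: tuple[int, int]                                 # external (WAN) port range, inclusive
    net: ipaddress.IPv4Network | ipaddress.IPv6Network   # internal host(s) the line applies to
    int_: tuple[int, int]                                # internal port range, inclusive


def _port_range(tok: str) -> tuple[int, int]:
    """'1024-65535' -> (1024, 65535); a bare '3074' -> (3074, 3074)."""
    lo, _, hi = tok.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not (0 <= lo_i <= hi_i <= 65535):
        raise ValueError(f"bad port range {tok!r}")
    return lo_i, hi_i


def parse_acl(text: str) -> list[Perm]:
    """Parse miniupnpd-style permission lines; '#' comments and blank lines are skipped.
    Any trailing field (e.g. a description filter) is ignored by this model."""
    perms: list[Perm] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if len(f) < 4 or f[0] not in ("allow", "deny"):
            raise ValueError(f"unparseable rule: {line!r}")
        perms.append(Perm(f[0], _port_range(f[1]),
                          ipaddress.ip_network(f[2], strict=False), _port_range(f[3])))
    return perms


def mapping_allowed(perms: list[Perm], ext_port: int, int_addr: str,
                    int_port: int, default: bool = True) -> bool:
    """First matching line wins. `default` is returned when nothing matches
    (assumed allow, which is why the trailing deny line matters)."""
    host = ipaddress.ip_address(int_addr)
    for p in perms:
        if (p.ext[0] <= ext_port <= p.ext[1]
                and host in p.net            # False when address/network versions differ
                and p.int_[0] <= int_port <= p.int_[1]):
            return p.action == "allow"
    return default


# Constructed ACL: the poster's line with a made-up console address, plus the
# trailing deny that miniupnpd.conf recommends.
ACL = """
allow 88-65535 192.168.50.10/32 88-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

# The same line without the trailing deny, to show what the fall-through does.
ACL_NO_DENY = "allow 88-65535 192.168.50.10/32 88-65535"


if __name__ == "__main__":
    perms = parse_acl(ACL)
    for addr in ("192.168.50.10", "192.168.50.11"):
        print(addr, "3074->3074:", mapping_allowed(perms, 3074, addr, 3074))
    print("second console, no trailing deny:",
          mapping_allowed(parse_acl(ACL_NO_DENY), 3074, "192.168.50.11", 3074))
```

Run against the two-line ACL, the first console gets its 3074 mapping and a second console at .11 is refused, which is the single-console behaviour bigtfromaz describes; drop the trailing deny and the second console is accepted by fall-through, so the deny line is what actually scopes the ACL to one host.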