UPNP Issues



  • Seems UPNP is no longer working correctly in 2.4.4p2, maybe even sooner (not sure when it stopped).

    Current Issue is UPNP is seemingly not mapping the port forwards even though it is responding to the client, and it is not even showing the mappings in the status page yet querying it from a Windows system via UPNP shows the mapping.

    UPNP Status shows nothing,
    0_1549553754029_BlankUPNP.PNG

    Yet Windows via UPNP can see it.
    0_1549553765099_WindowsUPNPview.PNG

    Also it does appear that no traffic is being forwarded based on packet cap and moderate NAT being reported. Though I don't know commands or where exactly to look to confirm.

    UPNP Settings, same as they have been for a long time (2 years?) and as they were when it previously worked.
    0_1549553881404_SettingsUPNP.PNG

    Packet cap of UPNP exchange between pfSense and Xbox, though this affects Windows 10 (Xbox App/Multiplayer framework) as well.
    0_1549553952482_UPNPFailing.pcapng.gz

    Only 1 error in log, but I don't think it has anything to do with this problem.
    0_1549554687256_LogUPNP.PNG

    Let me know what else I can provide.



  • I don't use PnP nor do I have any special insight into your problem, but what's up with those UPnP ACLs? They don't seem to make any sense to me at first glance.


  • LAYER 8 Global Moderator

    Sure hope someone else chimes in to help you.. I really don't feel like trying to duplicate this. I abhor UPnP to be honest... Only time I ever used it was with my son's console... And it was locked down where his console was on its own isolated segment, and only his console could request via ACL in UPnP... But since he moved out few years back.. Have not touched it, and it's actually disabled on my main PC and not enabled on pfsense, I mostly filter multicast as well..

    So while I would love to help, I don't have the desire to go through the work to try and duplicate your problem.. If nobody else chimes in I will attempt to duplicate it at some point.

    But I would think with the amount of gamers that use it and amount of people on pfsense 2.4.4p1-2 I would have to assume there would be way more people screaming about it has failed to think it's anything other than something odd in your system/network.

    I will check back in a while - or maybe I will get bored later and attempt to duplicate your problem.

    Off the top of my head - did you say update your switch or wireless that is doing anything with IGMP snooping this could be causing you issues if not correctly set up, etc.



  • @kom said in UPNP Issues:

    I don't use PnP nor do I have any special insight into your problem, but what's up with those UPnP ACLs? They don't seem to make any sense to me at first glance.

    1st, Blocks Xboxes from using port 3074 (workaround for Multiple Consoles and my ISP's CGNAT even though I have a 1:1 NAT/Public IP, as it forces them to use random ports)
    2nd, blocks ANY device from forwarding ALL external ports to ANY internal ports. Literally if a client asks for external port 0 that means ALL external ports. I mean I know UPNP kinda sucks but damn. And these would take effect before the manual port forwards.
    3rd, This one is really redundant as I don't have "deny access by default".
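
The ordering logic behind ACL entries like these, as an added example that is not part of the original post and not pfSense or miniupnpd code. It assumes miniupnpd's `allow|deny ext_ports ip/mask int_ports` rule form with first-match-wins evaluation and a default of allow when nothing matches; the addresses and the third rule are constructed placeholders, since the poster's real entries are only in the screenshot.

```python
import ipaddress

# Constructed ACL entries (placeholder subnet and console address).
ACL_TEXT = """
deny 3074 192.168.1.50/32 0-65535
deny 0 0.0.0.0/0 0-65535
allow 1024-65535 192.168.1.0/24 1024-65535
"""

def _ports(spec):
    # "3074" -> (3074, 3074); "1024-65535" -> (1024, 65535)
    lo, _, hi = spec.partition("-")
    return int(lo), int(hi or lo)

def parse_acl(text):
    """Parse rule lines into (action, ext_range, network, int_range) tuples."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action: {action}")
        rules.append((action, _ports(ext), ipaddress.ip_network(net), _ports(internal)))
    return rules

def evaluate(rules, client_ip, ext_port, int_port, deny_by_default=False):
    """Return (decision, index of the matching rule or None); first match wins."""
    addr = ipaddress.ip_address(client_ip)
    for i, (action, ext, net, internal) in enumerate(rules):
        if (ext[0] <= ext_port <= ext[1] and addr in net
                and internal[0] <= int_port <= internal[1]):
            return action, i
    # No rule matched: the outcome depends on the "deny by default" setting.
    return ("deny" if deny_by_default else "allow"), None

if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    for req in [("192.168.1.50", 3074, 3074), ("192.168.1.50", 50000, 3074),
                ("192.168.1.77", 0, 80), ("192.168.1.77", 443, 443)]:
        print(req, evaluate(rules, *req), evaluate(rules, *req, deny_by_default=True))
```

With the trailing allow rule removed, the second request is still allowed when deny-by-default is off, which is the redundancy the post describes.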



  • @johnpoz

    @johnpoz said in UPNP Issues:

    Off the top of my head - did you say update your switch or wireless that is doing anything with IGMP snooping this could be causing you issues if not correctly set up, etc.

    As you can see in the packet cap, UPNP is responding "OK" when asked to port forward, so the client is "finding" pfsense UPNP (via multicast) and asking it and getting replies about port forwards (via unicast). So it is not a Multicast issue.

    And again when querying pfSense's UPNP via UPNP it tells/shows you an entry, so miniupnpd (I'm pretty sure that is what is being used) itself seems to know about the portforward, it seems it is just not getting "communicated" to the status page or the NAT rules.

    So it does seem to be isolated to pfSense, now whether it's just mine (I'll always accept this as a possibility) or 2.4.4p2 (or whatever) in general.

    @johnpoz said in UPNP Issues:

    But I would think with the amount of gamers that use it and amount of people on pfsense 2.4.4p1-2 I would have to assume there would be way more people screaming about it has failed to think it's anything other than something odd in your system/network.

    I get that too, one reason I'm posting here vs redmine bug, just in case.

    Let me know if there are any commands/outputs you need from my system, I'm more than willing to provide whatever is needed.


  • LAYER 8 Global Moderator

    why are you not on p2 would be my first question.

    Not out of the realm of possibility there was something in p1 that wasn't quite right in showing the status page for it.



  • @johnpoz

    @johnpoz said in UPNP Issues:

    why are you not on p2 would be my first question.

    Turns out I am... My bad.. I keep my pfsense's updated pretty religiously, I forgot about the last update.

