2.4.5 broke UPNP
-
The miniupnpd shows to be working in the dashboard. Not sure if that could be a false positive.
As far as errors go, I don't see anything that stands out in the logs. Though I am not really that knowledgeable to know what to look for. But the main warnings doesn't show anything other than pfsenseng MaxMind now needs a license.
None of the upnp connections show up, that is correct. Qnap has a feature in their myqnapcloud configuration that let's you try to apply your upnp settings to the firewall. They are just not doing anything. In Qnaps diagnostics I get the following (it might not be helpful since this isn't the qnap forum, but I thought it might give some indications):
------ NAT PMP Diagnostics ------
initnatpmp() returned 0 (SUCCESS)
using gateway : 10.5.0.1
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned -52 (FAILED)
------ UPnP Diagnostics ------
upnpc : miniupnpc library test client. (c) 2006-2011 Thomas Bernard
List of UPNP devices found on the network :
desc: 10.5.0.1:2189/rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1Found valid IGD : 10.5.0.1:2189/ctl/IPConn
Local LAN ip address : 10.5.0.224
Connection Type : IP_Routed
Status : Connected, uptime=93s, LastConnectionError : ERROR_NONE
Time started : Sun Apr 5 07:56:06 2020
MaxBitRateDown : 1000000000 bps MaxBitRateUp 1000000000 bps
GetExternalIPAddress() returned 501
GetExternalIPAddress failed.
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
INFO: No any UPnP port mapping entry is found.CPU Info:
Intel(R) Celeron(R) CPU J1900 @ 1.99GHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: NoVersion:
2.4.5-RELEASE (amd64)
built on Tue Mar 24 15:25:50 EDT 2020
FreeBSD 11.3-STABLEA VPN is a much better solution than what I am doing. I have tried and failed a few times. UPNP has just been more idiot proof (me :) ). I will look into that again.
I am not sure what I am supposed to glean from that link. From it I did try to restart miniupnpd. Nothing changed.
I have google fiber and it does give me a 192.168.X.X ip for the firewall. My Internal network is a 10.X.X.X. This wasn't a problem in 2.4.4_3. Hopefully this isn't a new feature that killed upnp. If so I would need to figure out how to go back.
If there is anything else in the link that I missed, please let me know.
Thanks to both of your feedback.
-
I have google fiber and it does give me a 192.168.X.X ip for the firewall. My Internal network is a 10.X.X.X. This wasn't a problem in 2.4.4_3. Hopefully this isn't a new feature that killed upnp. If so I would need to figure out how to go back.
On this point, google fiber does not allow you to disable the DHCP stuff. My firewall is in the DMZ so there is no double nat, etc. If this is an issue, then miniupnpd's decision will affect millions of people as I don't think google fiber is the only ISP that won't let you disable DHCP. Also, google fiber does not have an option to buy a static ip. So I really hope that this isn't the issue as I would have to figure out how to go back a version (2.4.4.p3) or I don't know what.
-
It does look like this is a change to the minipnpd daemon that will not open a connection when the client requests a public IP if it does not have one to give. You might be able to override that by giving it a public IP to pass as suggested.
It's hard to believe Google fibre cannot pass a public IP. That would also make setting up a VPN more difficult but I would suggest you stick with that as it will be a MUCH better solution.
Steve
-
DMZ does not mean you have the public ip passed to the firewall
192.168.x.x is rfc1918 so you are doing double nat.
you can try to use Override WAN address
the new version of miniupnp refuse to work if wan address is rfc1918you have it on your log
GetExternalIPAddress() returned 501 GetExternalIPAddress failed.anyway the best solution woud be to use a vpn as stephenw10 suggested
-
Yeah, check the routing log in pfSense, that's where I would expect to see that miniupnp error.
Steve
-
@stephenw10
From Google's faq
Q: Which Google Fiber customers are eligible to order static IPs?
A: Only Fiber small business and Community Connection customers can sign up for static IPs.So you can not have public ip's unless you are a small business account. Which is twice as much and gives you 10% the bandwidth.
https://support.google.com/fiber/answer/4650342
Shows what how google does the DMZ. They just reserve a 192.168.X.X ip in the network to your DMZ and all the port forwarding, etc. to it. They probably do it, like many other ISP's to upset their business service. Especially since most of their home users won't have a firewall (except for the one that comes on windows)
As far as the VPN, that is probably one of the many reasons why I sucked so bad at trying to create one. The company has one with Sophos that does all the configs, etc for you and you just hook up tunnelblick on your end and add the keys. Sophos is why beyond my skillset.
I really wish there was some warning about miniupnpd changing the rules in 2.4.5. Even if I do reinstall and downgrade, it isn't a great solution as I couldn't update the firewall again.
Is there any packages that do UPNP to replace miniupnpd? It might be beyond my skills, but that is another option.
I will do a search for setting up openvpn on a 192. network. If you know of a quick link that would be helpful, please feel free to pass it along.
Thanks again for your time.
-
Strangely enough, there are no errors when trying to do UPNP in status>system logs>system>routing. It really should have an error there.
Is there another spot I should be looking for the routing errors? I do see errors in the log for miniupnpd but they are unrelated and hours ago.
Example:
Apr 5 07:48:16 miniupnpd 41799 Failed to add NAT-PMP 29826 tcp->10.5.0.239:32400 'NAT-PMP 29826 tcp'
Apr 5 08:00:07 miniupnpd 41799 Failed to add NAT-PMP 13150 tcp->10.5.0.20:32400 'NAT-PMP 13150 tcp'
Apr 5 08:05:22 miniupnpd 41799 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
Apr 5 08:05:22 miniupnpd 41799 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
Apr 5 08:05:22 miniupnpd 41799 Failed to get IP for interface igb0
Apr 5 08:05:22 miniupnpd 41799 SendNATPMPPublicAddressChangeNotification: cannot get public IP address, stopping
Apr 5 08:05:22 miniupnpd 41799 PCPSendUnsolicitedAnnounce() sendto(): No route to host
Apr 5 08:05:22 miniupnpd 41799 PCPSendUnsolicitedAnnounce() IPv6 sendto(): Bad file descriptor
Apr 5 08:05:23 miniupnpd 41799 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
Apr 5 08:05:23 miniupnpd 41799 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
Apr 5 08:05:23 miniupnpd 41799 Failed to get IP for interface igb0
Apr 5 08:05:23 miniupnpd 41799 SendNATPMPPublicAddressChangeNotification: cannot get public IP address, stopping
Apr 5 08:05:23 miniupnpd 41799 PCPSendUnsolicitedAnnounce() sendto(): No route to host
Apr 5 08:05:23 miniupnpd 41799 PCPSendUnsolicitedAnnounce() IPv6 sendto(): Bad file descriptor
Apr 5 08:05:24 miniupnpd 41799 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
Apr 5 08:05:24 miniupnpd 41799 ioctl(s, SIOCGIFADDR, ...): Can't assign requested address
Apr 5 08:05:24 miniupnpd 41799 Failed to get IP for interface igb0
Apr 5 08:05:24 miniupnpd 41799 SendNATPMPPublicAddressChangeNotification: cannot get public IP address, stopping
Apr 5 08:05:24 miniupnpd 41799 PCPSendUnsolicitedAnnounce() sendto(): No route to host
Apr 5 08:05:24 miniupnpd 41799 PCPSendUnsolicitedAnnounce() IPv6 sendto(): Bad file descriptorThanks again.
-
There's a big difference between a static IP address and passing dynamic public IP to pfSense.
I know that is it possible to do it with Google Fibre as others have written up how-tos here on the forum. However it is no easy especially if you're using any other services on the connection, IPTV, VoIP etc.
If you setup pfSense as the DMZ IP you should be able to get an OpenVPN remote access server setup though and that is a far, far better solution. I strongly recommend you go back to trying to get that setup and we can assist with that.
Steve
-
It's definitely a bad decision by miniupnpd to do this unilaterally.
https://redmine.pfsense.org/issues/10398
https://github.com/miniupnp/miniupnp/issues/433
At least by that last comment on that issue, they are going to make it a compile-time option.
I can't see why anyone would ever want it. It serves no real purpose other than trying to enforce someone's opinion about how they think things should work. In the real world, there are far too many exceptions to that rule for it to be viable.
-
@jimp I agree. There are so many options out there, that limiting their service makes it less valuable. Hopefully pfsense will convince them to change or find another upnp daemon.
-
So I setup openvpn per the directions on a site and inside the network it connects fine. The problem is I can't connect to the firewall through the google fiber router. I keep getting "waiting for server to respond" The google firewall has a port forward on 1194 on tcp and udp. The firewall is set on DMZ. I am not sure what I am missing. I can't find anything online. I am debating if I should start a new thread as I don't want to take this thread of miniupnpd in another direction as this might help someone. So should I start a new thread on my problem? Thanks again for everything.
-
Run a packet capture on the pfsense WAN on port 1194 (assuming you are using that port?). Make sure packets are arriving at all.
If not try using a different port. Hard to imagine Google fibre is blocking 1194 but it's possible.Steve
-
I figured out my screw up on the vpn. 1) because of google not passing external ip address I had to do custom on the vpn to manually put in the address. The default option put in google's 192.168.x.x. Hopefully the ip doesn't change often, or I am screwed. If there is a way to put in the network automatically that would be helpful.
- The tunnel network is a different network than any you are using. My network starts at x.x.x.10. So I thought I could do just the small 2-9 ips. I was wrong, had to do another network.
So now everything works.
I don't know how many pfsense google home users you have but they are all screwed with miniupnpd. I have a few xbox's so I'll have to deal with that at another time that I am in the office.
Thanks again for your awesome help!!!
-
According to tixati, a torrent app for Windows, UPnP is not working on 2.4.5 for me. I did this test on 2.5.0 before and it also wasn't working.
@stephenw10 said in 2.4.5 broke UPNP:
It does look like this is a change to the minipnpd daemon that will not open a connection when the client requests a public IP if it does not have one to give. You might be able to override that by giving it a public IP to pass as suggested.
My ISP is using 1:1 CG-NAT for IPv4 (100.65..). I can open ports though and pfSense uses the "true" internet-IP for DDNS and stuff.
-
Hmm, interesting. Kinda seems pointless them using CGN if they are 1:1...
But, yes, this will fail if your WAN is not public until we get a fix for it.
Steve
-
@stephenw10 said in 2.4.5 broke UPNP:
Hmm, interesting. Kinda seems pointless them using CGN if they are 1:1...
Thank goodness it is pointless.
-
You can edit /var/etc/miniupnpd.conf and add
ext_ip=x.x.x.x.
Of course that will be lost is you make any changes to the upnp config etc but it should at least allow it to start for now.Steve
-
-
Hmm, you still see errors from miniupnpd logged?
-
@stephenw10 I anonymized it.
Apr 11 22:47:50 miniupnpd 87475 HTTP listening on port 2189 Apr 11 22:47:50 miniupnpd 87475 HTTP IPv6 address given to control points : [2a02:2450:x:x:x:x:x:x] Apr 11 22:47:50 miniupnpd 87475 setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument Apr 11 22:49:17 miniupnpd 87475 shutting down MiniUPnPd
