uPnP not working properly
Hello Guys. I hope you are doing well. I'm new on the forums and this is my very first post.
I recently bought a SG-2100 MAX and I am very satisfied with it. My current setup is pretty simple and nothing complicated. Just wanted to have more security / control over my home network. My setup is as follows:
ISP is providing a Fiber Gateway. I have IPTV, VOIP, and Internet services, so I can't really move the fiber into my SG-2100 MAX. I can only connect a UTP cable to SG-2100 MAX. Sadly my WAN interface will get an RFC 1918 IP Address from the 192.168.X.X range. Everything works perfectly fine except uPnP / games.
Now before I installed and configured SG-2100 MAX, I had a Netgear Orbi RBK50 and still do. But now instead of running it in Router mode, it is running in bridged mode. uPnP was working as expected. It comes enabled by default and I had 0 issues with it. Now after SG-2100 MAX came into the picture, games are not working properly on PlayStation 5 or PC unless I do some kind of outbound NAT; then it will work fine.
It seems uPnP is not working properly with pfsense release 21.05.1. I also keep getting this message in the logs: "private/reserved address 192.168.x.x is not suitable for external IP" and the uPnP status page is always empty and does not show any entry.
I have attached a screenshot from my previous setup where I had 0 issues turning on uPnP. Any way I could make uPnP work as expected without doing any NAT rules?
UPnP generally does not work across double NAT. It's one of the few things that cannot work in that sort of setup and it's not intended to.
I assume you have the ISP router running some sort of DMZ mode or otherwise forwarding traffic to the internal router? Otherwise I would not have expected the Orbi to work there either.
The UPnP daemon in pfSense, miniupnpd, will not allow connections at all if the upstream interface is in a private subnet and throws the error messages you're seeing. However that's a relatively recent upstream design decision: https://redmine.pfsense.org/issues/10398
One ugly option here might be to use a public subnet between the ISP router and the 2100. That might cause problems for anything else in that subnet. I would not do that unless there is no other option though. It would be better (more secure) just to not use UPnP.
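An added example, not code from the thread or from pfSense/miniupnpd: a small Python check that reproduces the decision behind the log line quoted above (a WAN address in a reserved block cannot be advertised as a UPnP external IP) and counts the NAT layers on a path, so the double-NAT case can be spotted before a console is plugged in. The list of reserved blocks approximates the IANA special-purpose registry; which blocks miniupnpd itself rejects is an assumption here, and the sample addresses are constructed.

```python
import ipaddress

# Blocks that cannot be reached from the public Internet, approximating the
# IANA special-purpose registry (RFC 6890). Which blocks miniupnpd actually
# rejects is an assumption here, not something the thread states.
RESERVED_V4 = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_reserved(addr: str) -> bool:
    """True if addr cannot be used as a UPnP external IP (IPv4 only)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 addresses only")
    return any(ip in net for net in RESERVED_V4)


def nat_layers(wan_addrs):
    """Count NAT layers between a host and the Internet.

    wan_addrs lists the WAN (upstream-facing) address of each router on the
    path, innermost first. Every reserved WAN address implies another NAT
    hop above it; the first public address ends the chain.
    """
    layers = 0
    for addr in wan_addrs:
        layers += 1
        if not is_reserved(addr):
            return layers
    raise ValueError("no public address on the path; NAT depth unknown")


def upnp_verdict(router_wan: str) -> str:
    """Reproduce the decision behind the log line quoted in the thread."""
    if is_reserved(router_wan):
        return f"private/reserved address {router_wan} is not suitable for external IP"
    return f"{router_wan} is public; UPnP can advertise it"


if __name__ == "__main__":
    # Constructed values: a pfSense WAN lease from the fiber gateway's
    # 192.168.100.0/24 and a made-up public address on the gateway itself.
    path = ["192.168.100.5", "1.1.1.1"]
    print("NAT layers:", nat_layers(path))  # 2 -> double NAT
    print(upnp_verdict(path[0]))
```

With a single router whose WAN address is public, `nat_layers` returns 1 and `upnp_verdict` reports the address as usable; the hypothetical 192.168.100.0/24 lease produces the same message the original post quotes.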
Thanks Stephen for your reply. Just to give you a better understanding I have attached 2 files: old setup and new setup. Also please note I don't have much control over the fiber gateway. A restriction from the ISP. I also can't just move the fiber connection to the PFSENSE WAN port as the configuration of the fiber gateway is only accessible from the ISP and it is not shared with end users.
As you can see from the drawing, the RBR50 WAN port connects to one of the Fiber gateway LAN ports and gets an IP from 192.168.100.0 / 24. And RBR50 was acting as Router / DHCP for LAN and devices get an IP Address from 192.168.10.0 / 24. So any traffic leaving LAN will get NAT-ed to the WAN port of RBR50, then gets NAT-ed again to the public IP address of the fiber gateway. So double NAT-ing was already working in the old setup and uPnP was working fine without any problems.
It's slightly similar to the old setup but PFSENSE came between the fiber gateway and RBR50. In this setup, RBR50 is running in bridged mode and PFSENSE is doing all the routing / DHCP, etc. However uPnP does not work. The only way to make games work on consoles or PC properly is to do an outbound NAT.
So I take it from the link you shared that uPnP will not work in this setup? However it was working perfectly fine in the previous setup, and it was a double NAT setup as well.
Indeed UPnP won't work in pfSense with that setup.
You would need to make changes in the Fiber Gateway router. Do you not have any access to it?
There are very few changes I can make with it. Port forwarding, DHCP leases and other basic configs. I can't even change DNS on the DHCP scopes or the subnet for the LAN (192.168.100.0). NAT configuration is disabled but it is pre-configured (port restricted port NAT); the account I use has very limited privileges.
What configuration changes are you thinking of? I might try and convince them to do them for me.
You would need to change the LAN subnet to something public so miniupnpd accepts the pfSense WAN IP.
You would need to set the pfSense WAN IP as a DMZ or port forward all traffic to it.
UPnP does not forward requests to other routers so unless it's forwarding all traffic to pfSense already it doesn't matter what pfSense is doing.
I'll give it a try and let you know.