Will we ever get upnp to work behind private network IP?
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
@gblenn So could it be a problem of your first router then?
I did a packet capture to check if UDP comes through to my LAN and it does. Still the torrent client was used on my part to initiate the UPnP portforwarding.
Why would you think it is my upstream router? Isn't it clear that things work perfectly fine as long as it is not a Private IP. I have done tests in the past using another LTE router which I recently swapped between my sites... Also, replacing pfsense with anything like a DDWRT router, Ubiquiti Edgerouter or Netgear with stock fw will work perfectly fine using UPnP.
I find that it is ONLY miniupnp in combination with a private IP that simply does not work...
It should be an easy fix as well, just add a selector where the user can force it to accept a private IP.
I don't think torrenting is a good check, as it will work without any ports being open at all... Are you seeing traffic coming through the specific port listed by UPnP in the Status page?
You need to test with games... Do you have anything from the CoD series?
BTW, is there a config file for miniupnp that I can go in and edit, and where do I find it?
-
@gblenn said in Will we ever get upnp to work behind private network IP?:
You need to test with games... Do you have anything from the CoD series?
It is working with a private IP fine here with my torrent client, that is a fact and has already been proven by me. So there must be something different if your game is doing it, than if my torrent client is doing it.
I play COD WZII but that doesn't need any open port or tell you about NAT-status.
-
@bob-dig Here's my result in trying to start WZ2.0 when STUN is activated.
And it actually does report NAT type, although this error means there is no "NAT" at all to report about.
When in the game Lobby, click Settings > Account and Network and scroll down to Network Info. You will get a screen showing a summary page where it will say Nat type: Open, Moderate or Strict.
I got NAT type Open when testing just now and only forwarding port 3074 in the firewall (no UPnP active at all).
If you get a different result there clearly must be something different in our setups?!
First of all, when making any changes I make sure the game is NOT started. Then go to Diagnostics, States, filter on my PC IP and clear all! Then I do ipconfig /reload and /renew from the PC before starting up the game again.
How can I be sure that UPnP actually has the right external IP using STUN? Alternatively, is it 100% certain that if I enter my public IP in the Override WAN address field, UPnP is definitely using that?
Oh, and like I said, Torrenting is very different. And you don't need UPnP or any ports forwarding for that to work...
-
This is what it looks like in WZ 2.0 if I don't have any port forward or UPnP active at all.
But I can still connect to servers and play. Normally this would also mean that I can only play with friends who have Open NAT. In WZ you hook up in teams anyway so I'm not sure what this would actually mean in that case.
BUT, if you were to try to set up a Private match in MWII (which WZ is based on), you would however run into trouble having Strict NAT. Only those with Open NAT could connect to you if you were hosting, and anyone with Moderate or Strict NAT will be left out.
The issue here though is that when UPnP is enabled with STUN, I can't connect at all, as the picture in the previous post. This happens in the first startup phase before updating stats and getting all your player info from the servers.
-
@gblenn Sry, I only play DMZ and I don't have to deal with NAT there. I am not even sure what the actual name of that title is. But it is fun.
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
@gblenn Sry, I only play DMZ and I don't have to deal with NAT there. I am not even sure what the actual name of that title is. But it is fun.
It sure is..
Question... What is your setup exactly, wrt port forward and use of UPnP?
In Firewall > NAT? Inbound and Outbound?
Services > UPnP & NAT-PMP?
And would you mind checking in DMZ (cogwheel up right) under Account and Network and scroll down to Network info. What does it say?
-
@gblenn said in Will we ever get upnp to work behind private network IP?:
And would you mind checking in DMZ (cogwheel up right) under Account and Network and scroll down to Network info. What does it say?
It says: "Strict". But it has never bothered me.
-
@gblenn I changed my outbound NAT to use static ports, now it says "Moderate". Still it doesn't do any port forwarding via UPnP according to pfSense.
Also it says relay connected. Most probably the first time too.
-
@bob-dig Strict is ok as long as you are not playing private matches with friends. And then it can still be ok if they have Open NAT...
Sounds like you are seeing the same thing as me then...
Try adding a port forward of 3074 and see if you can get Open NAT.
Do you have STUN active in UPnP??
-
@gblenn said in Will we ever get upnp to work behind private network IP?:
Try adding a port forward of 3074 and see if you can get Open NAT.
Do you have STUN active in UPnP??
Yes and yes.
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
@gblenn said in Will we ever get upnp to work behind private network IP?:
Try adding a port forward of 3074 and see if you can get Open NAT.
Do you have STUN active in UPnP??
Yes and yes.
Ok so this is interesting, you now have Open NAT from manually forwarding port 3074.
But you have UPnP enabled, with STUN. What settings do you have in UPnP?
Any ACLs?? And what server are you using for STUN?
-
@gblenn I already had posted my settings here.
-
@bob-dig Ah, yes sorry about that!
It's the exact same settings I have...
And 192.168.1.10 is the gaming PC I assume?
What other settings can possibly play a role in this??
-
@gblenn I don't know. Now it gives me strict again, although the port forward is still active... Maybe I will try plugging in my machine to the first router and see what happens but not today.
@gblenn said in Will we ever get upnp to work behind private network IP?:
And 192.168.1.10 is the gaming PC I assume?
Sure.
-
@bob-dig Ah, yes this is frustrating.
I do believe that killing states and doing release reload on the PC is key to consistent results. But sometimes it seems it's the order you do things that matters...
-
@gblenn I reenabled static port Outbound NAT and now it is "working" again...
Good for me that this game doesn't need it.
-
@bob-dig Seems it's your manual port forward that's actually doing the trick, not UPnP.
I found the miniupnpd.config file and I can see that it is picking up any changes I make, including entering the actual external IP. But no connection at all for any of the games when I have that (or STUN) active...
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
... Maybe I will try plugging in my machine to the first router and see what happens but not today.
Today I plugged in my main machine directly into the first router, which is a good router for a consumer device, and NAT type was "Moderate" for COD DMZ.
It was not using UPnP although it was allowed to do so.
I then started my torrent client and it was again able to use UPnP and the router shows it.
So my conclusion is this, it is the fault of that game, it is not using UPnP.
Also that screenshot of that torrent program shows some errors, it showed less errors with pfSense.
The reason for being "Moderate" instead of "Strict" most probably comes from the port randomization pfSense does and you can disable this in the Outbound-NAT options, so I see no real advantage of my first router against pfSense.
-
@bob-dig Well, there is no question about games "using" UPnP, they definitely are, all of them! That part has been thoroughly hammered out in e.g. this and other threads: https://forum.netgate.com/topic/169837/upnp-fix-for-multiple-clients-consoles-playing-the-same-game/109
And the patch that was developed and subsequently added to the later releases (22.05 and on), solves most to all issues, except Private IP.
UPnP does report all used ports in Status > UPnP... where e.g. 3074 gets listed the instant you start a game. Of course when behind private IP nothing happens there since UPnP just refuses to work and points out that private IP is not suited for external IP. Unless you activate STUN or Override WAN address which makes UPnP engage, and list the ports when a game starts, but no luck connecting...
Another example is MW2 which asks for 29060 and 29061 and they also show up in that list. But with that game I have only been able to get Open NAT when using UPnP.
Testing using multiple computers trying to run the same game, the next one uses a higher port number like 3075 for example. Also showing up in UPnP listings.
In my production environment, where I do have a public IP on WAN (but not on my failover WAN), all this works perfectly fine using only UPnP and outbound NAT set to Automatic. I have no ports forwarded for any games at all, and I get Open NAT every single time.
I have no idea why you don't see that with your router? All I can say is make sure to kill states and release IP on PC, only then start the game.
I have tested with several other routers behind the current upstream router, like Edgerouter X and DDWRT-based routers. Everything works perfectly fine with them, (as many others state in the threads I linked to) regardless of upstream IP being private or not. They also show the same listing of ports under UPnP status. So no question that games "use" UPnP. How could they even choose not to? I mean, they need the ports, they try to use them, and if UPnP is available it will provide the port unless it's already taken...
What happens if you change your IP on the upstream router to a random public IP? Then try changing Outbound NAT to Automatic, closing the port forwards you added (3074) and disabling STUN in UPnP...
BTW, what version pfsense are you running?
-
@gblenn said in Will we ever get upnp to work behind private network IP?:
BTW, what version pfsense are you running?
I am on 23.01-RELEASE. And I am out for now, having the luck that DMZ doesn't care. But I'll be back sometime.
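
Added example, not part of the thread and not pfSense or miniupnpd code: a small diagnostic for the situation discussed above, where the WAN address is private and UPnP only engages with STUN or an override address. `ext_ip`, `ext_perform_stun` and `ext_stun_host` are miniupnpd.conf options; that pfSense's "Override WAN address" field ends up as `ext_ip`, the precedence of `ext_ip` over STUN, and the use of Python's `is_global` as a stand-in for the daemon's reserved-address check are assumptions, and the sample config and addresses are constructed.

```python
import ipaddress

# Constructed sample in miniupnpd.conf key=value syntax (not copied from the thread).
SAMPLE_CONF = """\
ext_ifname=igb0
listening_ip=igb1
# learn the external address via STUN instead of trusting the WAN interface
ext_perform_stun=yes
ext_stun_host=stun.example.net
"""

def parse_conf(text):
    """Return {key: value} for key=value lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def is_public(addr):
    # is_global is False for RFC 1918, CGNAT (100.64.0.0/10), loopback, link-local
    return ipaddress.ip_address(addr).is_global

def diagnose(wan_ip, conf_text):
    """Classify how the external address would be determined.

    direct       - WAN address is public, nothing else needed
    override     - ext_ip is set to a public address
    bad-override - ext_ip is set, but to a non-public address
    stun         - WAN is non-public and ext_perform_stun=yes
    refused      - WAN is non-public with no override and no STUN
    """
    conf = parse_conf(conf_text)
    override = conf.get("ext_ip")
    if override:  # checked first: precedence over STUN is an assumption here
        return "override" if is_public(override) else "bad-override"
    if is_public(wan_ip):
        return "direct"
    if conf.get("ext_perform_stun", "no").lower() == "yes":
        return "stun"
    return "refused"

if __name__ == "__main__":
    # 8.8.8.8 is only a stand-in for "some public address"
    for wan, conf in [("192.168.0.2", ""), ("192.168.0.2", SAMPLE_CONF),
                      ("100.64.1.9", "ext_ip=8.8.8.8"), ("8.8.8.8", "")]:
        print(wan, "->", diagnose(wan, conf))
```

A result of `override` or `stun` only means the inner router will accept and list mappings; the upstream NAT device still has to pass those ports to the pfSense WAN address for inbound traffic to arrive.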