Will we ever get upnp to work behind private network IP?
-
I have enabled UPnP and set up ACLs for a few PCs and a PS4, which makes all gaming in the household run like clockwork. Especially after the modifications and updates that have been implemented in the last year or so.
I also have a second WAN, as failover, connected to a consumer LTE-router (DMZ not bridged). Even if the fiber connection from my current ISP never seems to fail, I would still want to feel certain that all things work in the same way on WAN2.
All my testing so far shows failover working smoothly, with only a short interruption in any realtime applications. And when using buffered services like Netflix or YouTube I don't even notice the switch.
The only thing that I have found not to be working is UPnP... and the ONLY reason it's not working is because it doesn't WANT TO. It refuses to work because it recognizes the WAN IP on WAN2 as a private IP.
If I change my LTE-router to provide an IP from a public range, UPnP works fine and I get Open NAT on games, despite being double NATed. It's all about some policy re private network IPs. Why not provide a "switch" or tick box to allow manual override of this behavior and simply do the job even if the WAN IP happens to be from a private range?
-
The proposed solution is to use STUN or Override WAN address in this situation. So I did quite a bit of testing to see if I could make things work...
My setup is pfsense 23.01 in DMZ behind a 4G router. I'm testing a couple of CoD games known to create problems in the past. Specifically MW2 (2009 version) and MW3, but I also checked a few of the more recent titles as well.
My first test run is with pfsense in DMZ on a Private IP.
- As a reference point, I'm only doing Port forwarding of relevant ports which in the test gives me Open NAT in all Games tested, except MW2 (2009) (Strict).
- With the same port forwards in place, and UPnP activated, as expected, the same set of games still get Open NAT (and MW2 still has Strict). The only visible change is that syslog shows miniupnpd complaining about the private IP.
- With port forwarding still in place and STUN activated, UPnP Status page now lists the expected ports requested by the games. HOWEVER, none of the games will connect and start!! MW2 shows an error popup about not reaching IW Servers.
- With port forwarding in place and Override WAN address, same result as 3.
Changing the setup so that the 4G router provides pfsense with a fake public IP, still in DMZ.
- Port forwarding reference, same as in 1 above
- Port forwarding and UPnP activated, all games now show Open NAT, including MW2.
- No port forwarding, only UPnP, all games still show Open NAT
- Activating STUN or Override WAN address IP doesn't change or break anything, same Open NAT as in 3.
Clearly there is something not working as it should. Either a bug in UPnP or in the communication between UPnP and pfsense. Using STUN, UPnP "takes charge" and even shows the requested ports in the list, but nothing gets through...
-
@gblenn Here it is working fine with IPv4. Games are sometimes just stupid, don't you think?
-
@bob-dig Well, I agree games may be stupid, but consistent...
What exactly is it that you say is "working"? Could you please add some detail, what is your set up? Are you saying that you get Open NAT with UPnP behind Private IP on WAN using STUN?
-
@gblenn No. But when I start my favorite torrent application, it will open ports. And when I close that app, the ports get closed too.
I don't play any game at the moment, that would report things like open NAT.
And whatever "teredo" is, MS don't want you to block it, but the router in front of my pfSense can and is doing that. Maybe have a look there, if you got one too.
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
@gblenn No. But when I start my favorite torrent application, it will open ports. And when I close that app, the ports get closed too.
I don't play any game at the moment, that would report things like open NAT.
And whatever "teredo" is, MS don't want you to block it, but the router in front of my pfSense can and is doing that. Maybe have a look there, if you got one too.
Are you using UPnP at all?? And are you behind a Private IP?
-
@gblenn yes and yes...
-
@bob-dig And are you using STUN as well?
-
@gblenn I have to.
Here is a screenshot that shows that UPnP is working for me:
-
@gblenn And some more screenshots
-
@bob-dig Well it looks no different than it does on my side. UPnP appears to be working, as I stated in test #3. I see the list of ports normally being requested by the games, and the games behave as they would when they get confirmation of the port being opened, but nothing goes through.
In the case of torrenting, a port forward isn't really a necessity at all. So the fact that Tixati thinks the port is open (it only says listening and mapped) isn't proof that it's actually being used.
-
@gblenn the proof is directly next to it, the port test from grc.
-
Here's what it looks like in my case
Port 3074 is what MW3 is asking for and 28960/61 are used by MW2
A long time after trying to start gameplay, I get this message. Other games just sit there trying to log in...
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
@gblenn the proof is directly next to it, the port test from grc.
Really weird stuff...
And the game just sits there...
Turning off STUN obviously gives me this
And...
But GRC is still reporting stealth?! In fact it does that regardless of what I do...
-
@gblenn Port-tests usually work only for TCP, so in your case, this is expected.
-
@gblenn So you got open? Can it be any better?
I did some quick (and dirty) test by enabling Teredo in the first router (Fritzbox).
I then got a "strict" NAT type by the xbox networking test in Windows.
I then disabled Teredo in the fritzbox and now it shows me "blocked" again.
But in both cases UPnP wasn't used according to pfSense. So whatever they are doing, I don't get it.
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
@gblenn So you got open? Can it be any better?
No no, that was when I turn OFF STUN and rely on regular port forwarding... Tests #1 and 2 above... But as I said, still stealth from GRC, and that is true also if I change the port forwarding to TCP/UDP. But I suppose nothing is listening to UDP on that port...
I did some quick (and dirty) test by enabling Teredo in the first router (Fritzbox).
I then got a "strict" NAT type by the xbox networking test in Windows.
I then disabled Teredo in the fritzbox and now it shows me "blocked" again.
But in both cases UPnP wasn't used according to pfSense. So whatever they are doing, I don't get it.
I don't use IPv6, so Teredo shouldn't be relevant?? And I have not tested on an Xbox, never even used one... GRC simply needed a name for the port I guess - sounds better than the underlying application, which is Activision Blizzard's Demonware. There are a ton of games using that port, but often there are other ports used as well.
The whole point is that UPnP works perfectly fine IF I change the WAN IP to a fake public IP. Then all games get Open NAT, just like it does on my main WAN where I have fiber and a public IP on the WAN interface. I can even have STUN enabled for UPnP, as long as the WAN IP is a public one.
Can you change from that 172-IP to a fake public one to see what you get in your Xbox testing?
One thing to note... I do kill all states related to the PC I'm testing on, and do release/renew between any changes made...
-
@gblenn said in Will we ever get upnp to work behind private network IP?:
Can you change from that 172-IP to a fake public one to see what you get in your Xbox testing?
That is an option in Windows, has nothing to do with a real xbox. I did some more testing and now I am always blocked. So I say, forget this one (xbox in Windows).
-
@bob-dig said in Will we ever get upnp to work behind private network IP?:
@gblenn said in Will we ever get upnp to work behind private network IP?:
Can you change from that 172-IP to a fake public one to see what you get in your Xbox testing?
That is an option in Windows, has nothing to do with a real xbox. I did some more testing and now I am always blocked. So I say, forget this one (xbox in Windows).
Ok, any games you can test? Call of Duty series from MW2 (2009) and onward basically all use these ports. Quickest one to test with is MW2 or 3. No menu to check for connectivity, simply clicking play will reveal Strict, Moderate or Open NAT, or error as above.
-
As a way to simplify things, here is a much more straight forward testing and comparison between the two main scenarios:
Scenario 1.
Upstream router gives pfsense a Private IP in DMZ on WAN.
UPnP settings in pfsense GUI under Services > UPnP & NAT-PMP: Enable, Allow UPnP Port mapping, Allow NAT-PMP Port mapping, External interface WAN, Internal interface LAN, and I activate STUN (using google server) or Override WAN address using the actual Public IP.
Result: in pfsense Status / UPnP & NAT-PMP rules list, the requested port no 3074 UDP is listed together with the correct internal IP.
WAN udp any 3074 192.168.1.91 3074 DemonwarePortMapping
None of the games are able to connect at all = worse than Strict NAT
Scenario 2.
Upstream router gives pfsense a fake public IP in DMZ on WAN.
All other settings as in scenario 1: Enable, Allow UPnP Port mapping, Allow NAT-PMP Port mapping, External interface WAN, Internal interface LAN.
However, I do not have to use STUN in order to inform UPnP about the correct external IP. I can use either STUN (google server) OR Override WAN address using the actual Public IP, but doing so makes no difference to the result in this scenario.
Result: in pfsense Status / UPnP & NAT-PMP rules list, the requested port no 3074 UDP is listed together with the correct internal IP.
WAN udp any 3074 192.168.1.91 3074 DemonwarePortMapping
All games report Open NAT
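Both the test series earlier in the thread and the two scenarios above turn on one question: what the UPnP daemon believes the external address is, and whether that address is the one on the WAN interface. As an added example (not from this thread, pfSense or miniupnpd), this Python script performs the STUN Binding lookup that pfSense's STUN option relies on, classifies the WAN address as RFC 1918 private, RFC 6598 shared or public, and flags the double-NAT case; the STUN server name, the constructed reply and the sample addresses are assumptions.

```python
import ipaddress
import os
import socket
import struct

MAGIC = 0x2112A442                                   # RFC 5389 magic cookie
BINDING_REQUEST, BINDING_SUCCESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0101, 0x0020

def build_binding_request(txid: bytes) -> bytes:
    """Binding Request with no attributes: the 20-byte header only."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC) + txid

def build_binding_success(txid: bytes, ip: str, port: int) -> bytes:
    """Constructed server reply (offline testing only) carrying XOR-MAPPED-ADDRESS."""
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01,
                       port ^ (MAGIC >> 16), int(ipaddress.IPv4Address(ip)) ^ MAGIC)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC) + txid + attr

def parse_mapped_address(msg: bytes, txid: bytes):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or None if the reply is unusable."""
    mtype, length, magic = struct.unpack("!HHI", msg[:8])
    if magic != MAGIC or msg[8:20] != txid or mtype != BINDING_SUCCESS:
        return None                                  # wrong cookie, txid or message type
    pos, end = 20, min(20 + length, len(msg))
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        val = msg[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and alen == 8 and val[1] == 0x01:   # IPv4 family
            port = struct.unpack("!H", val[2:4])[0] ^ (MAGIC >> 16)
            ip = ipaddress.IPv4Address(struct.unpack("!I", val[4:8])[0] ^ MAGIC)
            return str(ip), port
        pos += 4 + ((alen + 3) & ~3)                 # attribute values are padded to 4 bytes
    return None

def query_stun(server: str, port: int = 3478, timeout: float = 2.0):
    """Live lookup (needs Internet): the address the STUN server sees us coming from."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), (server, port))
        return parse_mapped_address(s.recvfrom(1024)[0], txid)

def wan_address_kind(ip: str) -> str:
    """RFC 1918 -> 'private', RFC 6598 (CGNAT) -> 'shared', anything else -> 'public'."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
        return "private"
    return "shared" if addr in ipaddress.IPv4Network("100.64.0.0/10") else "public"

def is_double_nat(wan_ip: str, mapped) -> bool:
    """True when STUN reports a different address than the one on the WAN interface."""
    return mapped is not None and mapped[0] != wan_ip
```

Running `is_double_nat("172.16.5.2", query_stun("stun.example.net"))` against a reachable STUN server (hostname assumed) reproduces the Scenario 1 situation: the daemon can learn the public address, but the traffic still has to be delivered through the upstream NAT.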