miniUPnPd not working since 23.09 (worked in 23.05.1)

PiAxel

Since 23.09 miniupnpd is not working, with a fresh install. it was working well in 23.05.1.
the daemon is up and running but port forwarding can't be created by any peripherals.
the upnp & nat pmp status is empty.
i tried to reboot pfsense, stop and restart miniupnpd, but it doesn't work.
I can't find the config file for miniupnpd.
I know upnp is unsafe but it is not the problem here :)

My lan interface is a bridge with every ethernet nic
is there anyone who can help ?
ask me what you want to know

thank you

stephenw10

The config file is in /var/etc/miniupnpd.conf

Is there anything in the UPnP status or routing logs?

Bob.Dig

@PiAxel said in miniUPnPd not working since 23.09 (worked in 23.05.1):

My lan interface is a bridge with every ethernet nic

It is working here.

But my LAN is not a bridge with every interface. :)

PiAxel

@stephenw10
the UPnP status is empty
in the routing logs:

Nov 17 04:30:35	miniupnpd	69075	could not find redirect rule to delete eport=64203
Nov 17 04:30:35	miniupnpd	69075	could not find redirect rule to delete eport=32001
Nov 16 21:48:59	miniupnpd	69075	Listening for NAT-PMP/PCP traffic on port 5351
Nov 16 21:48:59	miniupnpd	69075	setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
Nov 16 21:48:59	miniupnpd	69075	HTTP IPv6 address given to control points : [* lan ipv6 address*]
Nov 16 21:48:59	miniupnpd	69075	HTTP listening on port 2189
Nov 16 21:48:59	miniupnpd	69075	Port forwarding is now disabled
Nov 16 21:48:59	miniupnpd	69075	Check configuration of firewall on local machine and also on upstream router
Nov 16 21:48:59	miniupnpd	69075	STUN: ext interface ix0 has now public IP address *external ipv4* but firewall filters incoming connections set by miniunnpd
Nov 16 21:48:59	miniupnpd	69075	perform_stun: 1 response out of 4 received
Nov 16 21:48:49	miniupnpd	71106	shutting down MiniUPnPd

Nov 16 21:47:59	miniupnpd	71106	ioctl(dev, DIOCGETRULES, ...): Invalid argument
Nov 16 21:47:59	miniupnpd	71106	ioctl(dev, DIOCGETRULES, ...): Invalid argument
Nov 16 21:47:59	miniupnpd	71106	Listening for NAT-PMP/PCP traffic on port 5351
Nov 16 21:47:59	miniupnpd	71106	setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
Nov 16 21:47:59	miniupnpd	71106	HTTP IPv6 address given to control points : [* lan ipv6 address*]
Nov 16 21:47:59	miniupnpd	71106	HTTP listening on port 2189
Nov 16 21:47:45	miniupnpd	30526	shutting down MiniUPnPd
Nov 16 21:33:47	miniupnpd	30526	Listening for NAT-PMP/PCP traffic on port 5351
Nov 16 21:33:47	miniupnpd	30526	setsockopt(udp, IPV6_RECVPKTINFO): Invalid argument
Nov 16 21:33:47	miniupnpd	30526	HTTP IPv6 address given to control points : [*lan ipv6 address*]
Nov 16 21:33:47	miniupnpd	30526	HTTP listening on port 2189
Nov 16 21:33:47	miniupnpd	7414	shutting down MiniUPnPd
...

i have create the rules top permit traffic on port 2189 and 5351 and 1900 but that does not change anything

thank you

stephenw10

Are those errors shown when trying to open ports from some internal application?

PiAxel

@stephenw10
Yes, it seems to be the ports for my NAS

stephenw10

Hmm, so you don't see any errors until the NAS tries to open port forwards?

PiAxel

@stephenw10
maybe, but it was working with 23.05.1
I have an ip intercom which needs upnp and it doesn't work.
in the logs I see

Nov 16 21:48:59	miniupnpd	69075	Port forwarding is now disabled

how can I enable it ?

PiAxel

@stephenw10
I find a solution
I changed in /var/etc/miniupnpd.conf
port=2189 to port=1900
and now It works
there are some rules in upnp status

stephenw10

Hmm, interesting. That's not any different to 23.05.1. That's the port miniupnpd itself uses.
https://docs.netgate.com/pfsense/en/latest/services/upnp.html#upnp-nat-pmp

johnpoz

@stephenw10 so I not a fan or a user of upnp.. But I just enabled it to have it create the .conf file and yup it put in 2189 which doesn't make any sense

[23.09-RELEASE][admin@sg4860.local.lan]/var/etc: cat miniupnpd.conf 
ext_ifname=igb1
port=2189
listening_ip=igb4
secure_mode=yes
presentation_url=https://192.168.200.1:8443/
uuid=da5797c4-0daa-f185-0994-a6afe6c2ecb
serial=DA5797C4
model_number=23.09-RELEASE
enable_upnp=yes
enable_natpmp=yes
[23.09-RELEASE][admin@sg4860.local.lan]/var/etc: 

But it is listening on 1900 as well

[23.09-RELEASE][admin@sg4860.local.lan]/var/etc: sockstat | grep 1900
root     miniupnpd  77102 7   udp4   *:1900                *:*
[23.09-RELEASE][admin@sg4860.local.lan]/var/etc: sockstat | grep 2189
root     miniupnpd  77102 4   tcp6   *:2189                *:*
root     miniupnpd  77102 6   tcp4   *:2189                *:*
[23.09-RELEASE][admin@sg4860.local.lan]/var/etc: 

stephenw10

Because that's the port minipnpd listens on the http:
curl http://192.168.200.1:2189/rootDesc.xml

As far as I know that can be omitted entirely and miniupnpd will use a random port.

Setting it to 1900 is probably a bad idea since it should already be listening there. Though for udp.

johnpoz

@stephenw10 were they come up with that port, I don't show it registered as that.. Pretty sure radware has that registered for something they do radware-rpm-s

And I concur - setting that port in the config to 1900 prob not a good idea, and I would think really had nothing to do with his issue.. UPnP is UDP.

stephenw10

Yeah, unclear. Looks like they removed that over on the other side after deciding it was pointless setting it.

PiAxel

@stephenw10
I disable port in the conf file and now miniupnpd use a random port.
It's still working
How can I know if the port 2189 is already use by another service ?

johnpoz

@PiAxel said in miniUPnPd not working since 23.09 (worked in 23.05.1):

How can I know if the port 2189 is already use by another service ?

do the command I did with sockstat

PiAxel

@johnpoz
ok thank you
but it is not used...

johnpoz

@PiAxel well if its running and you want to know what port it is using do

sockstat | grep miniupnpd

PiAxel

@johnpoz

/root: sockstat | grep miniupnpd
root     miniupnpd  36049 4   tcp6   *:51760               *:*
root     miniupnpd  36049 5   dgram  -> /var/run/log
root     miniupnpd  36049 6   tcp4   *:51760               *:*
root     miniupnpd  36049 7   udp4   *:1900                *:*
root     miniupnpd  36049 8   stream /var/run/php-fpm.socket
root     miniupnpd  36049 9   udp6   *:1900                *:*
root     miniupnpd  36049 10  udp4   192.168.1.1:55617     *:*
root     miniupnpd  36049 11  udp6   *:64174               *:*
root     miniupnpd  36049 12  stream /var/run/php-fpm.socket
root     miniupnpd  36049 14  udp4   192.168.1.1:5351      *:*
root     miniupnpd  36049 15  udp6   *:5351                *:*

stephenw10

That seems fine. I have no explanation as to why changing the port value to 1900 seemed to allow it work though. That really shouldn't have changed anything significant.