Do UPnP rules not expire?
-
-
@stephenw10 Thank you. So looks like it will be resolved in 2.8.0. I appreciate it.
-
When we use the Xbox they disappear after it’s done with the games. The states don’t close?
-
@stephenw10
Hi, I am still having this issue on pfSense Plus 24.11, see my old post:
https://forum.netgate.com/topic/181043/status-upnp-nat-pmp-persistent-rules
-
Testing....
-
@stephenw10 Here it does work fine, no PS5 though.
-
Yup working OK here too. Sessions are removed when they expire. Tested using 1hr.
Dec 18 12:14:27 miniupnpd 86687 remove port mapping 5554 TCP because it has expired
Dec 18 12:14:37 miniupnpd 86687 remove port mapping 5553 TCP because it has expired
Dec 18 12:15:24 miniupnpd 86687 remove port mapping 5552 TCP because it has expired
Perhaps it's adding very long sessions?
-
@stephenw10
Yes, normally very long sessions, it is a PS5.
I need to test some additional things. I think the problem could be because it is put in rest mode and not completely off when I finish the play sessions.
I will report back this weekend. I will shut down the PS5 and see if the state remains or not.
-
@stephenw10
Just asked my daughter yesterday to shut down the PS5 completely; the states remain up, this is today:
Here is the log:
Seems it failed to remove the state.
I will try with the other consoles we have at home, PS4 and Nintendos, to see more.
Where can I set the port expiration value?
-
The session time is set by the host requesting it be opened.
You can query the state of existing redirections using a upnp client like:
steve@steve-NUC9i9QNX:~$ upnpc -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://172.21.16.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://172.21.16.1:2189/ctl/IPConn
Local LAN ip address : 172.21.16.8
Connection Type : IP_Routed
Status : Connected, uptime=1115353s, LastConnectionError : ERROR_NONE
  Time started : Mon Dec 9 00:31:38 2024
MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 1000000000 bps (1000.0 Mbps)
ExternalIPAddress = 45.89.45.8
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8889->172.21.16.8:8889  'Test1' '' 3478
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
Where the one test forward I set has 3478s left before it expires.
Do you actually see the upnp anchors still present, or have they in fact already been removed by something else, which is why it shows the error?
[24.11-RELEASE][admin@fw1.stevew.lan]/root: pfctl -aminiupnpd -sn
rdr pass quick on mvneta2 inet proto tcp from any to any port = 8889 keep state label "Test1" rtable 0 -> 172.21.16.8 port 8889
-
@stephenw10 said in Do UPnP rules not expire?:
Tried from my Windows PC, started PS5 and then put in OFF:
PS C:\upnpc> .\upnpc-static -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.10:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.1.10:2189/ctl/IPConn
Local LAN ip address : 192.168.1.81
Connection Type : IP_Routed
Status : Connected, uptime=1815291s, LastConnectionError : ERROR_NONE
  Time started : Sun Dec 1 10:25:43 2024
MaxBitRateDown : 64000 bps (64 Kbps)   MaxBitRateUp 64000 bps (64 Kbps)
ExternalIPAddress = 82.84.92.142
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  9308->192.168.1.50:9308  '192.168.1.50:9308 to 9308 (UDP)' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
PS C:\upnpc>
On pfSense Status/UPnP IGD & PCP I see the states on.
[24.11-RELEASE][admin@pfSense.home.arpa]/root: pfctl -aminiupnpd -sn
nat log quick on pppoe0 inet proto udp from 192.168.1.50 port = 9308 to any keep state label "192.168.1.50:9308 to 9308 (UDP)" rtable 0 -> 82.84.92.142 port 9308
rdr pass log quick on pppoe0 inet proto udp from any to any port = 9308 keep state label "192.168.1.50:9308 to 9308 (UDP)" rtable 0 -> 192.168.1.50 port 9308
[24.11-RELEASE][admin@pfSense.home.arpa]/root:
Please note that Game Consoles have static port ON in the outbound rules.
-
@stephenw10
Tested after I removed manually the states:
PS C:\upnpc> .\upnpc-static -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.10:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.1.10:2189/ctl/IPConn
Local LAN ip address : 192.168.1.81
Connection Type : IP_Routed
Status : Connected, uptime=1815912s, LastConnectionError : ERROR_NONE
  Time started : Sun Dec 1 10:25:44 2024
MaxBitRateDown : 64000 bps (64 Kbps)   MaxBitRateUp 64000 bps (64 Kbps)
ExternalIPAddress = 82.84.92.142
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
PS C:\upnpc>
NO states shown in pfSense status
[24.11-RELEASE][admin@pfSense.home.arpa]/root: pfctl -aminiupnpd -sn
[24.11-RELEASE][admin@pfSense.home.arpa]/root:
-
@Wolf666 said in Do UPnP rules not expire?:
Tested after I removed manually the states:
Like you just deleted the firewall states in Diag > States?
-
@stephenw10
No, I just manually cleared the mapped ports from UPnP status page. I used wrong wording.
-
Hmm, it's odd that it doesn't show a session time for the port forward. Does it ever show a time? If you check just after it's been opened?
Does the error in the log appear after, say, 1 hr?
-
@stephenw10
Just cleared all mapped ports while the PS5 was on, started to play Destiny:
PS C:\upnpc> ./upnpc-static -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2022 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.1.10:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://192.168.1.10:2189/ctl/IPConn
Local LAN ip address : 192.168.1.81
Connection Type : IP_Routed
Status : Connected, uptime=76s, LastConnectionError : ERROR_NONE
  Time started : Mon Dec 23 18:09:32 2024
MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 300000000 bps (300.0 Mbps)
ExternalIPAddress = 82.84.92.142
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  3074->192.168.1.50:3074  'DemonwarePortMapping' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
PS C:\upnpc>
Now I will close the game, switch off the PS5 and see what's going to happen in 1 hour.
-
Still shows 0 leasetime though. I'm not sure how it determines when to 'expire' it.
-
@stephenw10
In fact the mapped port 3074 is still there.
There is only 1 state active, not related to upnp:
WAN tcp 82.84.92.142:65206 (192.168.1.50:65206) -> 34.214.130.96:443 ESTABLISHED:ESTABLISHED 714 / 364 50 KiB / 32 KiB
I am not an IT expert and I really don’t have any further idea on this.
-
Do you still see the error in the upnp logs showing it failing to remove the forward though?
It looks like the forward is being opened without a leasetime and I'm unsure what should happen in that situation. I can create a similar lease manually by defining 0s specifically:
steve@steve-NUC9i9QNX:~$ upnpc -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://172.21.16.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
Found valid IGD : http://172.21.16.1:2189/ctl/IPConn
Local LAN ip address : 172.21.16.8
Connection Type : IP_Routed
Status : Connected, uptime=1291945s, LastConnectionError : ERROR_NONE
  Time started : Mon Dec 9 00:31:38 2024
MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 1000000000 bps (1000.0 Mbps)
ExternalIPAddress = 45.89.45.8
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  8889->172.21.16.8:8889  'Test2' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
I'll see what happens.
-
Also by omitting a lease time value.
I wonder if it should add a default and is not....
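As an added example that is not part of this thread and not code from the miniupnpc or pfSense projects: a small Python parser for the mapping table that `upnpc -l` prints, which separates mappings that carry a lease from the ones requested with leaseTime 0 (the never-expiring mappings discussed above) and builds the matching `upnpc -d <ext_port> <proto>` removal command for an administrator to review. The sample table is constructed from the formats shown in the thread; the `Mapping` class and the function names are my own.

```python
"""Flag UPnP port mappings without a lease (leaseTime 0) in `upnpc -l` output.

Added example, not code from the forum thread or from miniupnpc/pfSense.
A mapping with leaseTime 0 was requested with no expiry, so miniupnpd has
no timer on which to remove it; these are the entries worth auditing.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One row of the `upnpc -l` mapping table, e.g.
#   0 UDP  3074->192.168.1.50:3074  'DemonwarePortMapping' '' 0
# Columns: index, protocol, extPort->intAddr:intPort, 'description',
# 'remoteHost', leaseTime in seconds.  Whitespace widths vary, so use \s+.
MAPPING_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<ext_port>\d+)->(?P<int_addr>[\d.]+):(?P<int_port>\d+)\s+"
    r"'(?P<desc>[^']*)'\s+'(?P<remote>[^']*)'\s+(?P<lease>\d+)\s*$"
)


@dataclass(frozen=True)
class Mapping:
    proto: str
    ext_port: int
    int_addr: str
    int_port: int
    desc: str
    remote_host: str  # empty string means "any remote host"
    lease_s: int

    @property
    def permanent(self) -> bool:
        # leaseTime 0: the IGD was asked for a mapping with no expiry.
        return self.lease_s == 0


def parse_upnpc_list(text: str) -> list[Mapping]:
    """Return every mapping row found in `upnpc -l` output, in order."""
    mappings: list[Mapping] = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if not m:
            continue  # banner, IGD description, header row or the final 713 error
        mappings.append(Mapping(
            proto=m["proto"],
            ext_port=int(m["ext_port"]),
            int_addr=m["int_addr"],
            int_port=int(m["int_port"]),
            desc=m["desc"],
            remote_host=m["remote"],
            lease_s=int(m["lease"]),
        ))
    return mappings


def permanent_mappings(text: str) -> list[Mapping]:
    """Only the mappings that will never expire on their own."""
    return [m for m in parse_upnpc_list(text) if m.permanent]


def removal_command(m: Mapping) -> str:
    """The upnpc invocation that deletes this redirection (upnpc -d ext_port proto)."""
    return f"upnpc -d {m.ext_port} {m.proto}"


# Constructed sample in the thread's output format (addresses taken from the thread).
SAMPLE = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP  8889->172.21.16.8:8889  'Test1' '' 3478
 1 UDP  3074->192.168.1.50:3074  'DemonwarePortMapping' '' 0
 2 UDP  9308->192.168.1.50:9308  '192.168.1.50:9308 to 9308 (UDP)' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
"""

if __name__ == "__main__":
    for m in parse_upnpc_list(SAMPLE):
        status = "NO LEASE, never expires" if m.permanent else f"expires in {m.lease_s}s"
        print(f"{m.proto} {m.ext_port} -> {m.int_addr}:{m.int_port} '{m.desc}': {status}")
    for m in permanent_mappings(SAMPLE):
        print("to remove:", removal_command(m))
```

Feed it the real output with `upnpc -l | python3 check_leases.py` (replacing `SAMPLE` with `sys.stdin.read()`); a mapping that shows a positive leaseTime will be cleared by miniupnpd on its own, while the leaseTime 0 entries are the ones that stay until the client or an administrator deletes them.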