Do UPnP rules not expire?
-
Do you still see the error in the upnp logs showing it failing to remove the forward though?
It looks like the forward is being opened without a leasetime and I'm unsure what should happen in that situation. I can create a similar lease manually by defining 0s specifically:
```
steve@steve-NUC9i9QNX:~$ upnpc -l
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://172.21.16.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://172.21.16.1:2189/ctl/IPConn
Local LAN ip address : 172.21.16.8
Connection Type : IP_Routed
Status : Connected, uptime=1291945s, LastConnectionError : ERROR_NONE
  Time started : Mon Dec  9 00:31:38 2024
MaxBitRateDown : 1000000000 bps (1000.0 Mbps)   MaxBitRateUp 1000000000 bps (1000.0 Mbps)
ExternalIPAddress = 45.89.45.8
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  8889->172.21.16.8:8889 'Test2' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
```
I'll see what happens.
-
Also by omitting a lease time value.
I wonder if it should add a default and is not....

-
Mmm, this thread seems pretty revealing: https://miniupnp.tuxfamily.org/forum/viewtopic.php?p=5727#5727
Seems like the behaviour you're seeing is expected if the client opens a forward with no lease time.
-
@stephenw10
Yes, that forum thread explains the behavior. I cannot do anything except removing the mapped port manually. From a security point of view the consoles have their own IP assigned, so it is ok if the mapped ports are there until I remove them manually. Only consoles have access to the UPnP service with a proper “allow” and IP; other IPs are denied by default in the Service ACL.
Thanks for your help and time.
-
Mmm, I tried adding min and max lifetime options to the conf and it made absolutely no difference I could see!

-
I would like to share the solution I put in place, using a script. I am on pfSense 25.11.
pfSense/miniupnpd does not expire UPnP mappings when the client doesn’t set the lease time.
The GUI flush works but cannot be automated.
This script performs a safe PF‑level flush only when no ACL‑authorized client has active UDP states, also removing the mapped ports.
```sh
#!/bin/sh
# Flush the miniupnpd PF anchor (dropping its port mappings) only when no
# ACL-authorized client currently has UDP states.
LOCK=/var/run/upnp_lock
CONF=/var/etc/miniupnpd.conf

# Refuse to run concurrently; the lock is removed on every exit path.
[ -f "$LOCK" ] && exit 0
touch "$LOCK"
trap 'rm -f "$LOCK"' EXIT

# Clients authorized in miniupnpd.conf ("allow <ports> <ip>/<mask> <ports>").
# Assumes per-host entries; a /24 entry would yield only its network address.
ACL_IPS=$(grep "^allow" "$CONF" | awk '{print $3}' | cut -d/ -f1)
[ -z "$ACL_IPS" ] && exit 0

# Skip the flush if any authorized console still has a UDP state.
# Matching "$IP:" keeps 172.21.16.8 from also matching 172.21.16.80.
for IP in $ACL_IPS; do
    pfctl -s state | grep -F "$IP:" | grep -q udp && exit 0
done

# Nothing to do if the anchor holds no NAT rules.
pfctl -a miniupnpd -s nat | grep -q . || exit 0

logger -t upnp_cleanup "Flushing UPnP rules"
pfctl -a miniupnpd -F nat
```
Install
• Save as /usr/local/bin/upnp-clean.sh
• chmod +x /usr/local/bin/upnp-clean.sh
• Add cron (e.g., every 5 minutes)
Notes
• Auto‑adapts to UPnP ACL
• No hard‑coded IPs
• No GUI scraping
• No flush while any console is active
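As an added example (not code from this thread), here is a small audit script that parses the mapping table `upnpc -l` prints, as quoted earlier in the thread, and flags the two conditions discussed: mappings with leaseTime 0, which miniupnpd never expires, and mappings whose internal host is outside the UPnP ACL that the cleanup script above reads from the `allow` lines of miniupnpd.conf. The sample output and the ACL networks are constructed for the example; the second mapping row is invented.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of the mapping table that 'upnpc -l' prints (same format
# as the output quoted in the thread). The second row is invented for the
# example and is not from the original post.
SAMPLE_UPNPC_OUTPUT = """\
ExternalIPAddress = 45.89.45.8
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 UDP  8889->172.21.16.8:8889 'Test2' '' 0
 1 TCP  3074->172.21.16.50:3074 'Console' '' 3600
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
"""

# One mapping row: <i> <proto> <extPort>-><intAddr>:<intPort> '<desc>' '<remoteHost>' <lease>
ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<addr>\d{1,3}(?:\.\d{1,3}){3}):(?P<intport>\d+)\s+"
    r"'(?P<desc>[^']*)'\s+'(?P<rhost>[^']*)'\s+(?P<lease>\d+)\s*$"
)

def parse_mappings(text):
    """Return one dict per mapping row; header, status and error lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("idx", "ext", "intport", "lease"):
                d[k] = int(d[k])
            rows.append(d)
    return rows

def audit_mappings(text, acl_networks):
    """Flag mappings that never expire (leaseTime 0) and mappings whose
    internal host lies outside the given ACL networks (CIDR strings)."""
    nets = [ip_network(n, strict=False) for n in acl_networks]
    findings = []
    for m in parse_mappings(text):
        target = f"{m['proto']} {m['ext']}->{m['addr']}:{m['intport']}"
        if m["lease"] == 0:
            findings.append(("permanent", target))
        if not any(ip_address(m["addr"]) in n for n in nets):
            findings.append(("outside-acl", target))
    return findings

if __name__ == "__main__":
    for kind, target in audit_mappings(SAMPLE_UPNPC_OUTPUT, ["172.21.16.8/32"]):
        print(f"{kind}: {target}")
```

On a pfSense box the same parser can be fed live output (`upnpc -l` from a LAN host) and the ACL list built from the `allow` lines the cleanup script reads, giving a periodic report instead of a flush.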