What is the proper way to set up UPnP (miniupnpd)?

waldo15a · Jul 23, 2024, 2:15 AM

Hello folks.

I have been using UPnP since I started using PFsense+ and so far I had not had any issues, until two days ago where suddenly my PFsense just "lost it" and was not able to properly set up and do the port forwarding via UPnP so all my online games had multiple errors and were unable to connect to their respective servers (Destiny 2, BF2042) yet the rest of my entire network and devices were accessing the Internet as normal.

I did a reboot of the PFsense box and things are working OK, however I got curious to see why it would have failed. I have seen a couple of forum entries here and elsewhere that maybe I need to add an extra rule to my Firewall for UPnP (UDP port 1900, TCP port 2189). I am unsure if this is absolutely needed but it is worth checking out.

As of today here are the rules I have set up WAN:

login-to-view

LAN rules (I believe they are default)

Upnp config

Access list

NAT outbound rule

Any help is greatly appreciated.

JonathanLee · Jul 23, 2024, 5:30 AM

@waldo15a did you follow the Netgate guide on static ports?

waldo15a · Jul 23, 2024, 5:01 PM

@JonathanLee not sure. I just followed the steps to assign static ips to my machines and configure the rest as shown in my pictures. Can you elaborate? Thanks in advance BTW.

JonathanLee · Jul 23, 2024, 6:15 PM

@waldo15a
do me a favor try and set static outbound for you game systems

login-to-view

waldo15a · Jul 23, 2024, 6:41 PM

@JonathanLee ok will try that later (I'm away from home atm).

Just so I get this straight, in your example the Nintendo_xbox source is the alias for the gaming devices correct?

And in my case the destination IP should be the home IP of my pfsense box? 192.168.1.1 for me. Any other details? Can you expand on the rule so I can see all options?

JonathanLee · Jul 23, 2024, 6:41 PM

@waldo15a you got it try that it fixed my issues

JonathanLee · Jul 23, 2024, 6:45 PM

@waldo15a My rule is alias gaming system ip can have static ports outbound to anything just !my private lan addresses

login-to-view

waldo15a · Jul 24, 2024, 1:51 AM

@JonathanLee Interesting. I had an almost exact copy of that rule already in place but it is missing the Destination IP. See below

login-to-view

Here are the options I have when I go to edit the rule. I see in your case you have WLAN subnets. I do not have any VLANs setup so all my internal devices are in the LAN. Should I use LAN as the destination then?

login-to-view

JonathanLee · Jul 24, 2024, 4:08 AM

@waldo15a my destination is a security ACL it’s negated so it can’t connect to anything else on the network because of Mac spoofing

Gblenn · Jul 24, 2024, 8:04 AM

@JonathanLee , @waldo15a Ever since the updates to UPnP a few releases back I have always kept my Outbound NAT to Automatic. If I'm not mistaken, the issue with static ports is being handled correctly by UPnP since the updates.

And in my ACL entries, I only allow for a few necessary ports 3074-3076 and 28960-28964 required by most (all) games.

login-to-view