What is the proper way to set up UPnP (miniupnpd)?

waldo15a

Hello folks.

I have been using UPnP since I started using PFsense+ and so far I had not had any issues, until two days ago where suddenly my PFsense just "lost it" and was not able to properly set up and do the port forwarding via UPnP so all my online games had multiple errors and were unable to connect to their respective servers (Destiny 2, BF2042) yet the rest of my entire network and devices were accessing the Internet as normal.

I did a reboot of the PFsense box and things are working OK, however I got curious to see why it would have failed. I have seen a couple of forum entries here and elsewhere that maybe I need to add an extra rule to my Firewall for UPnP (UDP port 1900, TCP port 2189). I am unsure if this is absolutely needed but it is worth checking out.

As of today here are the rules I have set up WAN:

WAN rules.png

LAN rules (I believe they are default)

LAN rules.png

Upnp config

Upnp options.png

Access list

Upnp access list.png

NAT outbound rule

NAT rules.png

Any help is greatly appreciated.

JonathanLee

@waldo15a did you follow the Netgate guide on static ports?

waldo15a

@JonathanLee not sure. I just followed the steps to assign static ips to my machines and configure the rest as shown in my pictures. Can you elaborate? Thanks in advance BTW.

JonathanLee

@waldo15a
do me a favor try and set static outbound for you game systems

Screenshot 2024-07-23 at 11.14.44.png

waldo15a

@JonathanLee ok will try that later (I'm away from home atm).

Just so I get this straight, in your example the Nintendo_xbox source is the alias for the gaming devices correct?

And in my case the destination IP should be the home IP of my pfsense box? 192.168.1.1 for me. Any other details? Can you expand on the rule so I can see all options?

JonathanLee

@waldo15a you got it try that it fixed my issues

JonathanLee

@waldo15a My rule is alias gaming system ip can have static ports outbound to anything just !my private lan addresses

Screenshot 2024-07-23 at 11.45.03.png

waldo15a

@JonathanLee Interesting. I had an almost exact copy of that rule already in place but it is missing the Destination IP. See below

NAT missing destination.png

Here are the options I have when I go to edit the rule. I see in your case you have WLAN subnets. I do not have any VLANs setup so all my internal devices are in the LAN. Should I use LAN as the destination then?

NAT destination options.png

JonathanLee

@waldo15a my destination is a security ACL it’s negated so it can’t connect to anything else on the network because of Mac spoofing

Gblenn

@JonathanLee , @waldo15a Ever since the updates to UPnP a few releases back I have always kept my Outbound NAT to Automatic. If I'm not mistaken, the issue with static ports is being handled correctly by UPnP since the updates.

And in my ACL entries, I only allow for a few necessary ports 3074-3076 and 28960-28964 required by most (all) games.