  • Running a seed box behind a 2.1 firewall; just over a week ago the client's UPnP built-in test started to show "port closed".
    Testing from canyouseeme.org also shows that the port is indeed closed.

    The UPnP status (in pfSense) does show TCP and UDP ports for this IP, but no Teredo (it was there before at some point; dunno if its being missing now is the problem).
    It was working perfectly until I updated snapshots over a week ago.
    Is anyone else experiencing problems like this?
    Updated to today's snapshot and the issues persist…


  • Issue still persists. This is getting frustrating because the only reason I have this firewall installed to begin with is to protect the seedbox, not to restrict legitimate clients!
    Latest Transmission client tested on 2 separate LAN PCs with UPnP enabled.
    Still both report ports closed and canyouseeme.org reports them as closed as well.

    This worked before with no issues and no changes other than pfSense snapshot upgrades… one of the snapshots in the past while has broken this.
    The only changes to a default pfsense install are selecting "6to4 tunnel" for IPv6 on the WAN, and "track interface" for ipv6 on the LAN. Everything else is set at installer default.
    Would like to think that with 120+ ppl viewing this that at least one of them can either replicate the same issue or make a guess as to what has changed to affect this...

  • LAYER 8 Global Moderator

    Well, I was able to duplicate the issue.

    I normally don't use UPnP, but had set it up for my son's Xbox, limiting it to just his Xbox IP.

    So I edited the allow rules to allow my test box at 192.168.1.210 to use UPnP. Then I created a rule via UPnP from the test box for a couple of different things: RDP 3389 didn't work, and I brought up a webserver on 8080 and that didn't work either.

    But according to the UPnP status in pfSense, the rule had been created (see attached; just showing the 8080 test here). But the firewall log shows these connections blocked? See the second attachment.

    running
    2.1-BETA1 (i386)
    built on Sun Feb 10 22:04:57 EST 2013
    FreeBSD 8.3-RELEASE-p5

    With a gitsync from earlier this morning with the dyndns widget fix (other thread).





  • Thanks for taking the time to verify and document this issue, John. I was hoping that we could do this to prove that there is indeed a problem, so that it does not get ignored as user error as my first post did…
    Let's hope it gets priority over grammatical corrections in one of the upcoming snapshots  ;)

  • LAYER 8 Global Moderator

    No problem. I don't have a use for UPnP myself, not really a fan; I had set it up for my son's Xbox more just as a reason to play with it and with the rules for limiting UPnP access to specific devices, for any possible future need (unlikely).

    I normally would just set up NAT for his specific ports for his Xbox. But I figured this would give some experience with UPnP - not a fan ;)

    But yeah, if it's going to be included as an option, it should work ;) Which, from my testing, it currently does not.

  • Rebel Alliance Developer Netgate

    There were some recent pf changes so I may need to rebuild the UPnP daemon again.

    I just did it now, try the next new snap (not up yet, will be dated later today) and see if it works.


  • @jimp:

    There were some recent pf changes so I may need to rebuild the UPnP daemon again.

    I just did it now, try the next new snap (not up yet, will be dated later today) and see if it works.

    Just ran up:
    2.1-BETA1 (amd64)
    built on Thu Feb 14 16:30:41 EST 2013

    There is now an additional entry in the table for Teredo that was not there in the last snapshot; however, the results are the same as described previously. Both the app and the external client report the port closed  :-\

  • Rebel Alliance Developer Netgate

    Any errors at all in the system log?

  • LAYER 8 Global Moderator

    Ok running

    2.1-BETA1 (i386)
    built on Fri Feb 15 04:06:54 EST 2013
    FreeBSD 8.3-RELEASE-p5

    Gitsync from a couple of minutes ago. Still seeing the same issue: the rules look like they're in place via UPnP status, but blocked in the firewall. I am not seeing anything in the system log about it, or any other odd errors.

    BTW, that Teredo is not related; that's just that you have not turned it off on your clients, unless you have some reason to be using it?? I for sure cannot see one if you're running IPv6 on your WAN.

  • Rebel Alliance Developer Netgate

    Anything listed in "pfctl -sn -a miniupnpd" and "pfctl -sr -a miniupnpd"?


  • @jimp:

    Anything listed in "pfctl -sn -a miniupnpd" and "pfctl -sr -a miniupnpd"?

    2.1-BETA1 (amd64)
    built on Fri Feb 15 04:33:17 EST 2013
    FreeBSD 8.3-RELEASE-p5


    The second IP (192.168.1.110) is a user with Skype on his iPhone; 192.168.1.105 is the seedbox with the UPnP port closed issues.

  • Rebel Alliance Developer Netgate

    Is igb0 actually your WAN/default route?


  • @jimp:

    Is igb0 actually your WAN/default route?

    Yep, igb0 is hooked to the cable router (WAN). It's a simple setup: an Intel Gigabit ET2 Quad Port server adapter (only using 2 ports -.-) in an HP ProLiant DL380 server.
    igb0 for WAN and igb1 for LAN. No errors show in the system log at all.
    As I noted in an earlier post, the only changes to a default pfSense install are selecting "6to4 tunnel" for IPv6 on the WAN, and "track interface" for IPv6 on the LAN. Everything else is set at installer default.


  • Hi

    I can confirm this issue.  The "transmission" torrent application is a good tester because it both asks UPnP to open the port, then has it probed from the outside to confirm that the port has actually been opened.

    
    [2.1-BETA1][root@xxx.xxx.xxx]/root(1): pfctl -sn -a miniupnpd
    rdr log quick on vr0 inet proto tcp from any to any port = 63839 keep state label "Transmission at 63839" rtable 0 -> 192.168.1.120 port 63839
    rdr log quick on vr0 inet proto udp from any to any port = 63839 keep state label "Transmission at 63839" rtable 0 -> 192.168.1.120 port 63839
    [2.1-BETA1][root@xxx.xxx.xxx]/root(2): pfctl -sr -a miniupnpd
    pass in log quick on vr0 inet proto tcp from any to any port = 63839 flags S/SA keep state label "Transmission at 63839" rtable 0
    pass in log quick on vr0 inet proto udp from any to any port = 63839 flags S/SA keep state label "Transmission at 63839" rtable 0
    
    

    The best way I can describe the issue is that miniupnpd claims to have performed the requested operation, but didn't actually do it.  Or, perhaps pf is now behaving differently (ignoring?) miniupnpd's request.

    My version with issue: 2.1-BETA1 (i386) built on Fri Feb 15 15:43:49 EST 2013

    Reverting back to: 2.1-BETA1 (i386) built on Thu Jan 24 19:53:22 EST 2013

    …resolves the issue

    Same commands in the earlier snapshot (that works):

    
    [2.1-BETA1][root@xxx.xxx.xxx]/root(1): pfctl -sn -a miniupnpd
    rdr log quick on vr0 inet proto tcp from any to any port = 59130 keep state label "Transmission at 59130" rtable 0 -> 192.168.1.120 port 59130
    rdr log quick on vr0 inet proto udp from any to any port = 59130 keep state label "Transmission at 59130" rtable 0 -> 192.168.1.120 port 59130
    [2.1-BETA1][root@xxx.xxx.xxx]/root(2): pfctl -sr -a miniupnpd
    pass in log quick on vr0 inet proto tcp from any to any port = 59130 flags S/SA keep state label "Transmission at 59130" rtable 0
    pass in log quick on vr0 inet proto udp from any to any port = 59130 flags S/SA keep state label "Transmission at 59130" rtable 0
    
    

    NOTE: Port numbers are different because Transmission is assigning random port numbers each time I test.

    I'm happy to run further tests.  Let me know what you want done.

    Thanks

  • Rebel Alliance Developer Netgate

    I updated to the latest snapshot (yesterday's) and I have no problem on i386. uTorrent opens a port and the port test succeeds.

    If the rules are there, it should be working. When UPnP was really broken, there were no rules added there.

  • LAYER 8 Global Moderator

    Still not working - showing it blocked in the firewall

    Canyouseeme says closed. But clearly the firewall is blocking it, even though pfctl shows the rules should be there?

    running
    2.1-BETA1 (i386)
    built on Sat Feb 16 10:53:05 EST 2013
    FreeBSD 8.3-RELEASE-p5

    [2.1-BETA1][root@pfsense.local.lan]/root(1): pfctl -sn -a miniupnpd
    rdr log quick on em1 inet proto tcp from any to any port = 3389 keep state label "test" rtable 0 -> 192.168.1.210 port 3389
    [2.1-BETA1][root@pfsense.local.lan]/root(2): pfctl -sr -a miniupnpd
    pass in log quick on em1 inet proto tcp from any to any port = 3389 flags S/SA keep state label "test" rtable 0

    Yes, em1 is my WAN:
    WAN (wan)      -> em1        -> v4/DHCP4: 24.13.snipped/21
                                      v6/DHCP6: 2001:558:6033:12c:snippedf:a3d3/128



  • Installed "2.1-BETA1 (amd64) built on Sat Feb 16 10:55:42 EST 2013"
    Still no go on UPnP opening ports.

    tested with:
    www.grc.com (shields up!)
    www.canyouseeme.org
    and
    utorrent internal testing option…

    $ pfctl -sn -a miniupnpd
    rdr log quick on em0 inet proto udp from any to any port = 24927 keep state label "Skype UDP at 192.168.0.50:24927 (2238)" rtable 0 -> 192.168.0.50 port 24927
    rdr log quick on em0 inet proto tcp from any to any port = 24927 keep state label "Skype TCP at 192.168.0.50:24927 (2238)" rtable 0 -> 192.168.0.50 port 24927
    
    $ pfctl -sr -a miniupnpd
    pass in log quick on em0 inet proto udp from any to any port = 24927 flags S/SA keep state label "Skype UDP at 192.168.0.50:24927 (2238)" rtable 0
    pass in log quick on em0 inet proto tcp from any to any port = 24927 flags S/SA keep state label "Skype TCP at 192.168.0.50:24927 (2238)" rtable 0
    

    em0 is my WAN


  • @johnpoz:

    Still not working - showing it blocked in the firewall

    John, if you set a static port map, do you still see packets being blocked as indicated in your screenshot?
    If so, this would indicate an issue outside of the miniupnp daemon itself…

    @jimp:

    I updated to the latest snapshot (yesterday's) and I have no problem on i386. uTorrent opens a port and the port test succeeds.

    If the rules are there, it should be working. When UPnP was really broken, there were no rules added there.

    Do you think a clean install would make a difference Jim?

  • Rebel Alliance Developer Netgate

    Unlikely, but possible.


  • Jim,

    Please don't think I'm being confrontational, but what would it take to prove this issue exists for some of us?

  • Rebel Alliance Developer Netgate

    A few things:

    1. A screenshot of the UPnP status screen showing the client ports that should be open. Use uTorrent or similar that has a built-in test.
    2. The pfctl commands mentioned above.
    3. The parsed and raw firewall log entries for the packets that should be matching the rule, but are not.
    4. The full contents of /tmp/rules.debug, pfctl -vvsr, and pfctl -vvsn
    5. The contents of netstat -rn
    6. A screenshot showing that the test failed.
    7. Repeat the same test with a manual port forward instead of UPnP and see if that works.

    I don't doubt that it's not working, but given the rest of the context, I'm not entirely sure it's UPnP and not something else just getting blamed on UPnP.


  • A snippet from "/tmp/rules.debug".
    Why is the miniupnpd anchor not ending in "/*"?

    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    
    # Setup Squid proxy redirect
    no rdr on em1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
    rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
    
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd" (Why NOT "miniupnpd/*" ???)
    
    anchor "relayd/*"
    anchor "openvpn/*"
    anchor "ipsec/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    

    pfctl -vvsr results in no anchors named "miniupnpd"

    $ pfctl -vvsr
    @0 scrub on em0 all fragment reassemble
      [ Evaluations: 28002     Packets: 9561      Bytes: 1992949     States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @1 scrub on em1 all fragment reassemble
      [ Evaluations: 18441     Packets: 18225     Bytes: 3932485     States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @0 anchor "relayd/*" all
      [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @1 anchor "openvpn/*" all
      [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @2 anchor "ipsec/*" all
      [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @3 block drop in inet all label "Default deny rule IPv4"
      [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @4 block drop out inet all label "Default deny rule IPv4"
      [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @5 block drop in inet6 all label "Default deny rule IPv6"
      [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @6 block drop out inet6 all label "Default deny rule IPv6"
      [ Evaluations: 567       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @7 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @8 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @9 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @10 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @11 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @12 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @13 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @14 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @15 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @16 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @17 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @18 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @19 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @20 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @21 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @22 pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @23 pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @24 pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @25 pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @26 block drop quick inet proto tcp from any port = 0 to any
      [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @27 block drop quick inet proto tcp from any to any port = 0
      [ Evaluations: 1904      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @28 block drop quick inet proto udp from any port = 0 to any
      [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @29 block drop quick inet proto udp from any to any port = 0
      [ Evaluations: 985       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @30 block drop quick inet6 proto tcp from any port = 0 to any
      [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @31 block drop quick inet6 proto tcp from any to any port = 0
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @32 block drop quick inet6 proto udp from any port = 0 to any
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @33 block drop quick inet6 proto udp from any to any port = 0
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @34 block drop quick from <snort2c:0> to any label "Block snort2c hosts"
      [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @35 block drop quick from any to <snort2c:0> label "Block snort2c hosts"
      [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @36 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
      [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @37 block drop in log quick proto tcp from <webconfiguratorlockout:0> to any port = http label "webConfiguratorlockout"
      [ Evaluations: 1812      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @38 block drop in quick from <virusprot:0> to any label "virusprot overload table"
      [ Evaluations: 2326      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @39 block drop in quick on em0 from <bogons:4652> to any label "block bogon IPv4 networks from WAN"
      [ Evaluations: 2326      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @40 block drop in quick on em0 from <bogonsv6:68028> to any label "block bogon IPv6 networks from WAN"
      [ Evaluations: 139       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @41 block drop in on ! em0 inet from 84.xxx.xxx.0/23 to any
      [ Evaluations: 2326      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @42 block drop in inet from 84.xxx.xxx.221 to any
      [ Evaluations: 2326      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @43 block drop in on em0 inet6 from fe80::6a05:caff:fe0f:c58 to any
      [ Evaluations: 2326      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @44 block drop in quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
      [ Evaluations: 139       Packets: 139       Bytes: 50929       States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @45 block drop in quick on em0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @46 block drop in quick on em0 inet from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @47 block drop in quick on em0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @48 block drop in quick on em0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @49 block drop in quick on em0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @50 pass in on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @51 pass out on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
      [ Evaluations: 567       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @52 block drop in on ! em1 inet from 192.168.0.0/24 to any
      [ Evaluations: 2754      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @53 block drop in inet from 192.168.0.1 to any
      [ Evaluations: 2187      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @54 block drop in on em1 inet6 from fe80::6a05:caff:fe0f:c59 to any
      [ Evaluations: 2187      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @55 pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 2181      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @56 pass in quick on em1 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @57 pass out quick on em1 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      [ Evaluations: 934       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @58 pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      [ Evaluations: 2754      Packets: 108       Bytes: 9072        States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @59 pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @60 pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @61 pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @62 pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
      [ Evaluations: 2754      Packets: 108       Bytes: 9072        States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @63 pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
      [ Evaluations: 567       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @64 pass out route-to (em0 84.xxx.xxx.1) inet from 84.xxx.xxx.221 to ! 84.xxx.xxx.0/23 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 567       Packets: 4352      Bytes: 2038614     States: 17    ]
      [ Inserted: uid 0 pid 73134 ]
    @65 anchor "userrules/*" all
      [ Evaluations: 2754      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @66 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = https flags S/SA keep state label "USER_RULE: Allow access to firewall management"
      [ Evaluations: 2754      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @67 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = ssh flags S/SA keep state label "USER_RULE: Allow access to firewall management"
      [ Evaluations: 1714      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @68 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = http flags S/SA keep state label "USER_RULE: Allow access to firewall management"
      [ Evaluations: 1714      Packets: 1197      Bytes: 890290      States: 2     ]
      [ Inserted: uid 0 pid 73134 ]
    @69 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = domain flags S/SA keep state label "USER_RULE: Allow internal network to DNS forwarder"
      [ Evaluations: 1694      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @70 pass in quick on em1 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = domain keep state label "USER_RULE: Allow internal network to DNS forwarder"
      [ Evaluations: 369       Packets: 628       Bytes: 66445       States: 1     ]
      [ Inserted: uid 0 pid 73134 ]
    @71 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = ntp flags S/SA keep state label "USER_RULE: Allow internal network to NTPd server"
      [ Evaluations: 1696      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @72 pass in quick on em1 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = ntp keep state label "USER_RULE: Allow internal network to NTPd server"
      [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @73 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 2189 flags S/SA keep state label "USER_RULE: Allow internal network to upnp and nat-pmp"
      [ Evaluations: 1696      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @74 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 5153 flags S/SA keep state label "USER_RULE: Allow internal network to upnp and nat-pmp"
      [ Evaluations: 1694      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @75 pass in quick on em1 inet from 192.168.0.0/24 to 224.0.0.0/8 flags S/SA keep state label "USER_RULE: Allow multicast"
      [ Evaluations: 1847      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @76 pass in quick on em1 inet from 192.168.0.0/24 to 239.0.0.0/30 flags S/SA keep state label "USER_RULE: Allow multicast"
      [ Evaluations: 1847      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @77 pass in quick on em1 inet proto icmp from 192.168.0.0/24 to 192.168.0.1 keep state label "USER_RULE: Allow internal network to ping LAN IP"
      [ Evaluations: 1847      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @78 block drop in quick on em1 inet from any to 192.168.0.1 label "USER_RULE: Reject all else to LAN IP"
      [ Evaluations: 1847      Packets: 1694      Bytes: 86336       States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @79 pass in quick on em1 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
      [ Evaluations: 153       Packets: 4824      Bytes: 2762700     States: 18    ]
      [ Inserted: uid 0 pid 73134 ]
    @80 anchor "tftp-proxy/*" all
      [ Evaluations: 573       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @81 pass in quick on em1 proto tcp from any to ! (em1:2) port = http flags S/SA keep state
      [ Evaluations: 573       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    @82 pass in quick on em1 proto tcp from any to ! (em1:2) port = 3128 flags S/SA keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 73134 ]
    
    $ pfctl -sn -a miniupnpd
    rdr log quick on em0 inet proto udp from any to any port = 17040 keep state label "Skype UDP at 192.168.0.51:17040 (2239)" rtable 0 -> 192.168.0.51 port 17040
    rdr log quick on em0 inet proto tcp from any to any port = 17040 keep state label "Skype TCP at 192.168.0.51:17040 (2239)" rtable 0 -> 192.168.0.51 port 17040
    
  • LAYER 8 Global Moderator

    So yeah, if I do a manual NAT it works no problem, see attached.

    Canyouseeme goes back to 80 when you do the test, but clearly in the output you see that it's saying 3389 is open to the public. When UPnP says that it opens this port, the firewall blocks it and canyouseeme reports closed/timeout/etc.





  • @Tikimotel:

    Why is the miniupnpd anchor not ending in "/*"

    The INSTALL file of the source code (miniupnpd-1.8.20130207.tar.gz) suggests the following:

    - add "rdr-anchor miniupnpd" and "anchor miniupnpd" lines to /etc/pf.conf
    - some FreeBSD users reported that it is also necessary for them
      to explicitly allow udp traffic on 239.0.0.0/8 by adding the two following
      lines to /etc/pf.conf :
       pass out on $int_if from any to 239.0.0.0/8 keep state
       pass in on $int_if from any to 239.0.0.0/8 keep state
    
    pfctl -vvsn
    

    show the following on my system:

    @7 rdr-anchor "miniupnpd" all
      [ Evaluations: 46940     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 48152 ]
    

    But I am not using UPnP, so that's OK.
    Would be interesting to see, if your systems show non-zero values there.

    Edit: and it would be good to have the actual raw firewall logs of the blocked traffic.
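
    The two observations above, that the UPnP status page and pfctl -sn -a miniupnpd show the redirect while the firewall log shows the same connections blocked, and that miniupnpd's INSTALL file wants both an rdr-anchor and an anchor line, come down to one check: is the "miniupnpd" anchor present in both the NAT ruleset and the filter ruleset, and are the blocked packets in the log ones whose destination pf had already rewritten to the LAN host (pf applies rdr before filtering, so a logged packet shows the post-translation destination)? The Python script below is an added example, not code from this thread, from pfSense or from miniupnpd. It parses the text of pfctl -vvsn, pfctl -sn -a miniupnpd, pfctl -vvsr and the raw pf log; the sample strings inside it are constructed to mimic the thread's output with invented addresses and counters, and the log's "rule N/0" index is looked up against the @N numbering that pfctl -vvsr prints.

```python
"""Added example, not code from the thread, pfSense or miniupnpd.

Cross-checks the main NAT ruleset (pfctl -vvsn), the miniupnpd anchor (pfctl -sn -a miniupnpd),
the filter ruleset (pfctl -vvsr) and the raw pf log, to tell "the UPnP redirect fired but the
filter dropped the packet" apart from "the redirect never fired". Samples at the bottom are invented.
"""
import re

# rdr log quick on em0 inet proto tcp from any to any port = 22425 ... -> 192.168.0.51 port 22425
RDR_RE = re.compile(r'^rdr\b.*?\bon (?P<iface>\S+) inet proto (?P<proto>tcp|udp) from any to any '
                    r'port = (?P<ext>\d+).*-> (?P<host>\d+\.\d+\.\d+\.\d+) port (?P<int>\d+)')
# @3 block drop in log inet all label "Default deny rule IPv4"   (the @N prefix comes from -vv)
NUMBERED_RE = re.compile(r'^@(?P<num>\d+) (?P<rule>\S.*)$')
# pf: 00:00:00.000701 rule 3/0(match): block in on em0: (tos 0x0, ..., proto TCP (6), length 52)
LOG_RULE_RE = re.compile(r'rule (?P<num>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) '
                         r'on (?P<iface>\w+):.*proto (?P<proto>\w+)')
# pf: 198.51.100.7.61089 > 192.168.0.51.22425: Flags [S], ...   (ICMP lines carry no port suffix)
LOG_PKT_RE = re.compile(r'pf: (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > '
                        r'(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?:')

def parse_mappings(anchor_text):
    """(proto, external port, internal host, internal port) for each rdr miniupnpd installed."""
    found = [RDR_RE.match(line.strip()) for line in anchor_text.splitlines()]
    return [(m['proto'], int(m['ext']), m['host'], int(m['int'])) for m in found if m]

def parse_filter_rules(filter_text):
    """Map main-ruleset rule numbers (what the log's 'rule N/0' means) to rule text. pfctl -vvsr
    prints scrub rules first, numbered from @0 again, so those are skipped; counter lines never match."""
    rules = {}
    for line in filter_text.splitlines():
        m = NUMBERED_RE.match(line.strip())
        if m and not m['rule'].startswith('scrub'):
            rules[int(m['num'])] = m['rule']
    return rules

def has_anchor(text, keyword):
    """True if some line (after an optional '@N ' prefix) reads e.g. rdr-anchor "miniupnpd"."""
    pat = re.compile(r'^(?:@\d+ )?' + re.escape(keyword) + r' "miniupnpd(?:/\*)?"')
    return any(pat.match(line.strip()) for line in text.splitlines())

def parse_log(log_text):
    """Pair each 'rule N/0(match)' line with the packet line next to it. Syslog writes rule line
    then packet line; the pfSense GUI shows newest first, so either order of a pair is accepted."""
    events, rule, pkt = [], None, None
    for line in log_text.splitlines():
        m = LOG_RULE_RE.search(line) or LOG_PKT_RE.search(line)
        if m and 'action' in m.groupdict():   # only the rule regex has an 'action' group
            rule = m.groupdict()
        elif m:
            pkt = m.groupdict()
        if rule and pkt:
            events.append({**rule, **pkt, 'num': int(rule['num']), 'proto': rule['proto'].lower(),
                           'dport': int(pkt['dport']) if pkt['dport'] else None})
            rule = pkt = None
    return events

def diagnose(nat_text, anchor_text, filter_text, log_text, wan='em0'):
    """Check both anchor halves and classify blocked inbound WAN packets against the mappings."""
    mappings, rules, findings = parse_mappings(anchor_text), parse_filter_rules(filter_text), []
    for ev in parse_log(log_text):
        if (ev['action'], ev['dir'], ev['iface']) != ('block', 'in', wan):
            continue
        for proto, ext, host, internal in mappings:
            if proto != ev['proto']:
                continue
            if ev['dst'] == host and ev['dport'] == internal:
                # pf logs the packet after rdr, so a LAN destination means the redirect fired
                verdict = 'rdr applied, then filtered'
            elif ev['dport'] == ext and ev['dst'] != host:
                verdict = 'rdr not applied'
            else:
                continue
            findings.append({'src': ev['src'], 'proto': proto, 'port': ext, 'verdict': verdict,
                             'rule': rules.get(ev['num'], 'rule %d (not in listing)' % ev['num'])})
    return {'rdr_anchor': has_anchor(nat_text, 'rdr-anchor'),
            'filter_anchor': has_anchor(filter_text, 'anchor'),
            'mappings': mappings, 'findings': findings}

# Constructed samples in the shape of the thread's pfctl and log output (invented values).
NAT_MAIN = '@7 rdr-anchor "miniupnpd" all\n'
UPNP_ANCHOR = ('rdr log quick on em0 inet proto udp from any to any port = 22425 keep state '
               'label "uTorrent UDP at 192.168.0.51:22425" rtable 0 -> 192.168.0.51 port 22425\n'
               'rdr log quick on em0 inet proto tcp from any to any port = 22425 keep state '
               'label "uTorrent TCP at 192.168.0.51:22425" rtable 0 -> 192.168.0.51 port 22425\n')
FILTER = ('@0 scrub on em0 all fragment reassemble\n@0 anchor "relayd/*" all\n'
          '@3 block drop in log inet all label "Default deny rule IPv4"\n'
          '@79 pass in quick on em1 inet from 192.168.0.0/24 to any flags S/SA keep state\n')
LOG = ('Feb 17 14:29:10 pf: 00:00:00.000701 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, '
       'id 20243, offset 0, flags [DF], proto TCP (6), length 52)\n'
       'Feb 17 14:29:10 pf: 198.51.100.7.61089 > 192.168.0.51.22425: Flags [S], win 8192, length 0\n'
       'Feb 17 14:29:10 pf: 00:00:00.007670 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, '
       'id 20242, offset 0, flags [none], proto UDP (17), length 58)\n'
       'Feb 17 14:29:10 pf: 198.51.100.7.28344 > 192.168.0.51.22425: UDP, length 30\n')

if __name__ == '__main__':
    result = diagnose(NAT_MAIN, UPNP_ANCHOR, FILTER, LOG)
    print('rdr-anchor:', result['rdr_anchor'], 'filter anchor:', result['filter_anchor'])
    print(*('%(src)s -> %(proto)s/%(port)d: %(verdict)s, by: %(rule)s' % f for f in result['findings']), sep='\n')
```

    A finding of "rdr applied, then filtered" against the rule that pfctl -vvsr lists as @3 means miniupnpd did install its redirect and the drop came from the default deny, so nothing in the filter ruleset passed the translated packet; "rdr not applied" means the packet reached the filter still addressed to the WAN IP and the redirect itself is missing. On the firewall, feed the real output of the four commands into diagnose() in place of the constructed samples.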


  • The INSTALL file says to add both rdr-anchor and anchor entries.

    pfctl -vvsn

    $ pfctl -vvsn
    @0 no nat proto carp all
      [ Evaluations: 13505     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @1 nat-anchor "natearly/*" all
      [ Evaluations: 13505     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @2 nat-anchor "natrules/*" all
      [ Evaluations: 13505     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @3 nat on em0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 84.xxx.xx3.221 port 500
      [ Evaluations: 13505     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @4 nat on em0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 84.xxx.xx3.221 port 500
      [ Evaluations: 883       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @5 nat on em0 inet from 192.168.0.0/24 to any -> 84.xxx.xx3.221 port 1024:65535
      [ Evaluations: 13457     Packets: 4057605   Bytes: 3705179324  States: 267   ]
      [ Inserted: uid 0 pid 31155 ]
    @6 nat on em0 inet from 127.0.0.0/8 to any -> 84.xxx.xx3.221 port 1024:65535
      [ Evaluations: 883       Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @0 no rdr proto carp all
      [ Evaluations: 28718     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @1 rdr-anchor "relayd/*" all
      [ Evaluations: 28718     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @2 rdr-anchor "tftp-proxy/*" all
      [ Evaluations: 28718     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @3 no rdr on em1 inet proto tcp from any to 192.168.0.0/16 port = http
      [ Evaluations: 28718     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @4 no rdr on em1 inet proto tcp from any to 172.16.0.0/12 port = http
      [ Evaluations: 5241      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @5 no rdr on em1 inet proto tcp from any to 10.0.0.0/8 port = http
      [ Evaluations: 5241      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @6 rdr on em1 inet proto tcp from any to ! (em1:1) port = http -> 127.0.0.1 port 3128
      [ Evaluations: 5241      Packets: 5044      Bytes: 3257109     States: 1     ]
      [ Inserted: uid 0 pid 31155 ]
    @7 rdr-anchor "miniupnpd" all
      [ Evaluations: 28566     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    
    

    pfctl -vvsr

    $ pfctl -vvsr
    @0 scrub on em0 all fragment reassemble
      [ Evaluations: 14128596  Packets: 7067707   Bytes: 986362156   States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @1 scrub on em1 all fragment reassemble
      [ Evaluations: 7060889   Packets: 7060521   Bytes: 989205780   States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @0 anchor "relayd/*" all
      [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @1 anchor "openvpn/*" all
      [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @2 anchor "ipsec/*" all
      [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @3 block drop in log inet all label "Default deny rule IPv4"
      [ Evaluations: 39657     Packets: 12604     Bytes: 796042      States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @4 block drop out log inet all label "Default deny rule IPv4"
      [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @5 block drop in log inet6 all label "Default deny rule IPv6"
      [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @6 block drop out log inet6 all label "Default deny rule IPv6"
      [ Evaluations: 12655     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @7 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @8 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @9 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @10 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @11 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @12 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @13 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @14 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @15 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @16 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @17 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @18 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @19 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @20 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @21 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @22 pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @23 pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @24 pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @25 pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @26 block drop quick inet proto tcp from any port = 0 to any
      [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @27 block drop quick inet proto tcp from any to any port = 0
      [ Evaluations: 18915     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @28 block drop quick inet proto udp from any port = 0 to any
      [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @29 block drop quick inet proto udp from any to any port = 0
      [ Evaluations: 20680     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @30 block drop quick inet6 proto tcp from any port = 0 to any
      [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @31 block drop quick inet6 proto tcp from any to any port = 0
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @32 block drop quick inet6 proto udp from any port = 0 to any
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @33 block drop quick inet6 proto udp from any to any port = 0
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @34 block drop quick from <snort2c:0> to any label "Block snort2c hosts"
      [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @35 block drop quick from any to <snort2c:0> label "Block snort2c hosts"
      [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @36 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
      [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @37 block drop in log quick proto tcp from <webconfiguratorlockout:0> to any port = http label "webConfiguratorlockout"
      [ Evaluations: 14044     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @38 block drop in quick from <virusprot:0> to any label "virusprot overload table"
      [ Evaluations: 27002     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @39 block drop in log quick on em0 from <bogons:10> to any label "block bogon IPv4 networks from WAN"
      [ Evaluations: 27002     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @40 block drop in log quick on em0 from <bogonsv6:0> to any label "block bogon IPv6 networks from WAN"
      [ Evaluations: 12846     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @41 block drop in on ! em0 inet from 84.xxx.xx2.0/23 to any
      [ Evaluations: 27002     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @42 block drop in inet from 84.xxx.xx3.221 to any
      [ Evaluations: 27002     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @43 block drop in on em0 inet6 from fe80::6a05:caff:fe0f:c58 to any
      [ Evaluations: 27002     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @44 block drop in log quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
      [ Evaluations: 12846     Packets: 242       Bytes: 89350       States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @45 block drop in log quick on em0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
      [ Evaluations: 12604     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @46 block drop in log quick on em0 inet from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
      [ Evaluations: 12604     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @47 block drop in log quick on em0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
      [ Evaluations: 12604     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @48 block drop in log quick on em0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
      [ Evaluations: 12604     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @49 block drop in log quick on em0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
      [ Evaluations: 12604     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @50 pass in on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
      [ Evaluations: 12604     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @51 pass out on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
      [ Evaluations: 18042     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @52 block drop in on ! em1 inet from 192.168.0.0/24 to any
      [ Evaluations: 39415     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @53 block drop in inet from 192.168.0.1 to any
      [ Evaluations: 26783     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @54 block drop in on em1 inet6 from fe80::6a05:caff:fe0f:c59 to any
      [ Evaluations: 26760     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @55 pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 14132     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @56 pass in quick on em1 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps keep state label "allow access to DHCP server"
      [ Evaluations: 2         Packets: 3         Bytes: 1232        States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @57 pass out quick on em1 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
      [ Evaluations: 19931     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @58 pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      [ Evaluations: 39413     Packets: 184       Bytes: 14796       States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @59 pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
      [ Evaluations: 48        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @60 pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      [ Evaluations: 48        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @61 pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
      [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @62 pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
      [ Evaluations: 39413     Packets: 1502      Bytes: 388250      States: 2     ]
      [ Inserted: uid 0 pid 31155 ]
    @63 pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
      [ Evaluations: 12655     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @64 pass out route-to (em0 84.xxx.xx2.1) inet from 84.xxx.xx3.221 to ! 84.xxx.xx2.0/23 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
      [ Evaluations: 12655     Packets: 4049547   Bytes: 3701333567  States: 177   ]
      [ Inserted: uid 0 pid 31155 ]
    @65 anchor "userrules/*" all
      [ Evaluations: 39413     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @66 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = https flags S/SA keep state label "USER_RULE: Allow access to firewall management"
      [ Evaluations: 39413     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @67 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = ssh flags S/SA keep state label "USER_RULE: Allow access to firewall management"
      [ Evaluations: 1987      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @68 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = http flags S/SA keep state label "USER_RULE: Allow access to firewall management"
      [ Evaluations: 1987      Packets: 2933      Bytes: 2349344     States: 2     ]
      [ Inserted: uid 0 pid 31155 ]
    @69 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = domain flags S/SA keep state label "USER_RULE: Allow internal network to DNS forwarder"
      [ Evaluations: 1960      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @70 pass in quick on em1 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = domain keep state label "USER_RULE: Allow internal network to DNS forwarder"
      [ Evaluations: 7279      Packets: 940       Bytes: 91307       States: 5     ]
      [ Inserted: uid 0 pid 31155 ]
    @71 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = ntp flags S/SA keep state label "USER_RULE: Allow internal network to NTPd server"
      [ Evaluations: 1968      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @72 pass in quick on em1 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = ntp keep state label "USER_RULE: Allow internal network to NTPd server"
      [ Evaluations: 8         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @73 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 2189 flags S/SA keep state label "USER_RULE: Allow internal network to upnp and nat-pmp"
      [ Evaluations: 1968      Packets: 452       Bytes: 90991       States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @74 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 5153 flags S/SA keep state label "USER_RULE: Allow internal network to upnp and nat-pmp"
      [ Evaluations: 1921      Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @75 pass in quick on em1 inet from 192.168.0.0/24 to 224.0.0.0/8 flags S/SA keep state label "USER_RULE: Allow multicast"
      [ Evaluations: 13597     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @76 pass in quick on em1 inet from 192.168.0.0/24 to 239.0.0.0/30 flags S/SA keep state label "USER_RULE: Allow multicast"
      [ Evaluations: 13597     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @77 pass in quick on em1 inet proto icmp from 192.168.0.0/24 to 192.168.0.1 keep state label "USER_RULE: Allow internal network to ping LAN IP"
      [ Evaluations: 13597     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @78 block drop in quick on em1 inet from any to 192.168.0.1 label "USER_RULE: Reject all else to LAN IP"
      [ Evaluations: 13597     Packets: 1926      Bytes: 98442       States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @79 pass in quick on em1 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
      [ Evaluations: 11671     Packets: 4049388   Bytes: 3702156825  States: 164   ]
      [ Inserted: uid 0 pid 31155 ]
    @80 anchor "tftp-proxy/*" all
      [ Evaluations: 25283     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @81 pass in quick on em1 proto tcp from any to ! (em1:2) port = http flags S/SA keep state
      [ Evaluations: 25283     Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    @82 pass in quick on em1 proto tcp from any to ! (em1:2) port = 3128 flags S/SA keep state
      [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
      [ Inserted: uid 0 pid 31155 ]
    

    That is with uTorrent opening 22425 (TCP/UDP) using UPnP. (The internal uTorrent port-forwarding test states OK, but traffic gets blocked by the default rule.)
    RAW firewall logging

    Feb 17 14:29:10	pf: 208.94.246.12.59207 > 84.xxx.xxx.xxx.52631: Flags [s], cksum 0x8c13 (correct), seq 3040150792, win 7300, options [mss 1460,sackOK,TS val 93819911 ecr 0,nop,wscale 0], length 0
    Feb 17 14:29:10	pf: 00:00:00.032232 rule 3/0(match): block in on em0: (tos 0x0, ttl 52, id 37135, offset 0, flags [DF], proto TCP (6), length 60)
    Feb 17 14:29:10	pf: 90.38.197.137.61089 > 192.168.0.51.22425: Flags [s], cksum 0x8c47 (correct), seq 106599862, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
    Feb 17 14:29:10	pf: 00:00:00.000701 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, id 20243, offset 0, flags [DF], proto TCP (6), length 52)
    Feb 17 14:29:10	pf: 90.38.197.137.28344 > 192.168.0.51.22425: UDP, length 30
    Feb 17 14:29:10	pf: 00:00:00.007670 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, id 20242, offset 0, flags [none], proto UDP (17), length 58)
    Feb 17 14:29:10	pf: 213.220.227.57.53390 > 192.168.0.51.22425: Flags [s], cksum 0x43d8 (correct), seq 3521645254, win 8960, options [mss 8960,sackOK,TS val 120667621 ecr 0,nop,wscale 4], length 0
    Feb 17 14:29:10	pf: 00:00:00.040965 rule 3/0(match): block in on em0: (tos 0x0, ttl 54, id 14115, offset 0, flags [DF], proto TCP (6), length 60)
    Feb 17 14:29:10	pf: 77.41.15.219.55721 > 84.xxx.xxx.xxx.46657: UDP, length 20
    Feb 17 14:29:10	pf: 00:00:00.750937 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, id 28101, offset 0, flags [none], proto UDP (17), length 48)
    Feb 17 14:29:10	pf: 95.236.57.133.18746 > 192.168.0.51.22425: Flags [s], cksum 0x113d (correct), seq 2237709668, win 8192, options [mss 1442,nop,wscale 8,nop,nop,sackOK], length 0
    netstat -rn
    $ netstat -rn
    Routing tables
    
    Internet:
    Destination        Gateway            Flags    Refs      Use  Netif Expire
    default            84.xxx.xx2.1       UGS         0   174916    em0
    84.xxx.xx2.0/23    link#1             U           0      704    em0
    84.xxx.xx3.221     link#1             UHS         0        0    lo0
    127.0.0.1          link#5             UH          0       58    lo0
    192.168.0.0/24     link#2             U           0  7241831    em1
    192.168.0.1        link#2             UHS         0      832    lo0
    
    Internet6:
    Destination                       Gateway                       Flags      Netif Expire
    ::1                               ::1                           UH          lo0
    fe80::%em0/64                     link#1                        U           em0
    fe80::6a05:caff:fe0f:c58%em0      link#1                        UHS         lo0
    fe80::%em1/64                     link#2                        U           em1
    fe80::6a05:caff:fe0f:c59%em1      link#2                        UHS         lo0
    fe80::%lo0/64                     link#5                        U           lo0
    fe80::1%lo0                       link#5                        UHS         lo0
    ff01::%em0/32                     fe80::6a05:caff:fe0f:c58%em0  U           em0
    ff01::%em1/32                     fe80::6a05:caff:fe0f:c59%em1  U           em1
    ff01::%lo0/32                     ::1                           U           lo0
    ff02::%em0/32                     fe80::6a05:caff:fe0f:c58%em0  U           em0
    ff02::%em1/32                     fe80::6a05:caff:fe0f:c59%em1  U           em1
    ff02::%lo0/32                     ::1                           U           lo0
    cat /tmp/rules.debug
    $ cat /tmp/rules.debug
    set limit tables 3000
    set optimization normal
    set timeout { adaptive.start 0, adaptive.end 0 }
    set limit states 894000
    set limit src-nodes 894000
    
    #System aliases
    
    loopback = "{ lo0 }"
    WAN = "{ em0 }"
    LAN = "{ em1 }"
    
    #SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    #Snort tables
    table <snort2c>
    table <virusprot>
    table <negate_networks> 
    
    # User Aliases 
    table <managementhosts> {   192.168.0.0/25 } 
    ManagementHosts = "<managementhosts>"
    ManagementPorts = "{   443  22  80 }"
    ProxyPorts = "{   3128 }"
    UpnpPorts = "{   2189  5153 }"
    
    # Gateways
    GWWAN = " route-to ( em0 84.xxx.xx2.1 ) "
    
    set loginterface em1
    
    set skip on pfsync0
    
    scrub on $WAN all    fragment reassemble
    scrub on $LAN all    fragment reassemble
    
    no nat proto carp
    no rdr proto carp
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    # Outbound NAT rules
    
    # Subnets to NAT 
    tonatsubnets	= "{ 192.168.0.0/24 127.0.0.0/8  }"
    nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 84.xxx.xx3.221/32 port 500  
    nat on $WAN  from $tonatsubnets to any -> 84.xxx.xx3.221/32 port 1024:65535  
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    
    # Setup Squid proxy redirect
    no rdr on em1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
    rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
    
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "relayd/*"
    anchor "openvpn/*"
    anchor "ipsec/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log inet all label "Default deny rule IPv4"
    block out log inet all label "Default deny rule IPv4"
    block in log inet6 all label "Default deny rule IPv6"
    block out log inet6 all label "Default deny rule IPv6"
    
    # IPv6 ICMP is not auxilary, it is required for operation
    # See man icmp6(4)
    # 1    unreach         Destination unreachable
    # 2    toobig          Packet too big
    # 128  echoreq         Echo service request
    # 129  echorep         Echo service reply
    # 133  routersol       Router solicitation
    # 134  routeradv       Router advertisement
    # 135  neighbrsol      Neighbor solicitation
    # 136  neighbradv      Neighbor advertisement
    pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
    
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
    
    # We use the mighty pf, we cannot be fooled.
    block quick inet proto { tcp, udp } from any port = 0 to any
    block quick inet proto { tcp, udp } from any to any port = 0
    block quick inet6 proto { tcp, udp } from any port = 0 to any
    block quick inet6 proto { tcp, udp } from any to any port = 0
    
    # Snort package
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    table <bogons> persist file "/etc/bogons"
    table <bogonsv6> persist file "/etc/bogonsv6"
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
    block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
    antispoof for em0
    # block anything from private networks on interfaces with the option set
    antispoof for $WAN
    block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
    block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
    block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
    block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
    block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
    block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
    # allow our DHCP client out to the WAN
    pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
    pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
    # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
    antispoof for em1
    # allow access to DHCP server on LAN
    pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in quick on $LAN proto udp from any port = 68 to 192.168.0.1 port = 67 label "allow access to DHCP server"
    pass out quick on $LAN proto udp from 192.168.0.1 port = 67 to any port = 68 label "allow access to DHCP server"
    
    # loopback
    pass in on $loopback inet all label "pass IPv4 loopback"
    pass out on $loopback inet all label "pass IPv4 loopback"
    pass in on $loopback inet6 all label "pass IPv6 loopback"
    pass out on $loopback inet6 all label "pass IPv6 loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to ( em0 84.xxx.xx2.1 ) from 84.xxx.xx3.221 to !84.xxx.xx2.0/23 keep state allow-opts label "let out anything from firewall host itself"
    
    # User-defined rules follow
    
    anchor "userrules/*"
    pass  in  quick  on $LAN  proto tcp  from   $ManagementHosts to 192.168.0.1 port $ManagementPorts  flags S/SA keep state  label "USER_RULE: Allow access to firewall management"
    pass  in  quick  on $LAN  proto { tcp udp }  from 192.168.0.0/24 to 192.168.0.1 port 53  keep state  label "USER_RULE: Allow internal network to DNS forwarder"
    pass  in  quick  on $LAN  proto { tcp udp }  from 192.168.0.0/24 to 192.168.0.1 port 123  keep state  label "USER_RULE: Allow internal network to NTPd server"
    pass  in  quick  on $LAN  proto tcp  from 192.168.0.0/24 to 192.168.0.1 port $UpnpPorts  flags S/SA keep state  label "USER_RULE: Allow internal network to upnp and nat-pmp"
    pass  in  quick  on $LAN  from 192.168.0.0/24 to   224.0.0.0/8 keep state  label "USER_RULE: Allow multicast"
    pass  in  quick  on $LAN  from 192.168.0.0/24 to   239.0.0.0/30 keep state  label "USER_RULE: Allow multicast"
    pass  in  quick  on $LAN  proto icmp  from 192.168.0.0/24 to 192.168.0.1 keep state  label "USER_RULE: Allow internal network to ping LAN IP"
    block  in  quick  on $LAN  from any to 192.168.0.1  label "USER_RULE: Reject all else to LAN IP"
    pass  in  quick  on $LAN  from 192.168.0.0/24 to any keep state  label "USER_RULE: Default LAN -> any"
    
    # Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients
    
    # VPN Rules
    anchor "tftp-proxy/*"
    
    # Setup squid pass rules for proxy
    pass in quick on em1 proto tcp from any to !(em1) port 80 flags S/SA keep state
    pass in quick on em1 proto tcp from any to !(em1) port 3128 flags S/SA keep state
    [/code]
    
    ![Utorrent-test.png](/public/_imported_attachments_/1/Utorrent-test.png)
    ![pfsense_unpnstatus.png](/public/_imported_attachments_/1/pfsense_unpnstatus.png)[/s][/s][/s][/s]
    
  • Rebel Alliance Developer Netgate

    OK, I found it. It wasn't the upnp daemon, but a recent change broke the test that puts the rules anchor in rules.debug.

    Should be fixed by https://github.com/pfsense/pfsense/commit/290296cdc05747b65145077e2715e7c4e2ae60aa

    Not sure how mine worked without that anchor, but it was working for me.

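The diagnosis above points at the ruleset, not the daemon: miniupnpd only ever writes its rdr/pass rules into a pf anchor, so if the generated rules.debug never references that anchor, the kernel never evaluates those rules, and the GUI's UPnP status page keeps listing a mapping that the firewall log shows as blocked. The dump earlier in the thread does show `anchor "userrules/*"` and `anchor "tftp-proxy/*"` but no miniupnpd anchor. The following sh script is an added example, not code from the thread or from pfSense; it assumes the anchor is named "miniupnpd", that pfSense emits both a `rdr-anchor "miniupnpd"` line (NAT section) and an `anchor "miniupnpd"` line (filter section), and that the live ruleset is at /tmp/rules.debug on the firewall. The sample ruleset inside it is constructed to mirror the anchors visible in the posted dump.

```shell
#!/bin/sh
# Added example (not pfSense code, not from the thread): confirm that a
# generated pf ruleset actually wires in the miniupnpd anchors.
# Assumptions: anchor name "miniupnpd"; pfSense emits one rdr-anchor line
# (NAT section) and one anchor line (filter section) for it; on the box the
# generated ruleset is /tmp/rules.debug.

ANCHOR_NAME="${ANCHOR_NAME:-miniupnpd}"

# list_anchors FILE
#   Print every anchor statement in the ruleset, in order, with line numbers.
list_anchors() {
    grep -En '^[[:space:]]*(rdr-|nat-|binat-)?anchor[[:space:]]+"[^"]+"' "$1" \
        | sed 's/:[[:space:]]*/: /'
}

# upnp_anchor_check FILE
#   Return 0 only when both the NAT-side rdr-anchor and the filter-side
#   anchor for $ANCHOR_NAME are present; report each one as ok/MISSING.
upnp_anchor_check() {
    file="$1"
    rc=0
    for kind in rdr-anchor anchor; do
        # Anchored at line start so 'anchor' does not also match 'rdr-anchor'.
        pattern="^[[:space:]]*${kind}[[:space:]]+\"${ANCHOR_NAME}\""
        line=$(grep -En "$pattern" "$file" | head -n 1 | cut -d: -f1)
        if [ -n "$line" ]; then
            printf 'ok       %-10s "%s" (line %s)\n' "$kind" "$ANCHOR_NAME" "$line"
        else
            printf 'MISSING  %-10s "%s"\n' "$kind" "$ANCHOR_NAME"
            rc=1
        fi
    done
    return $rc
}

# upnp_anchor_live
#   On the firewall itself (needs pfctl and root): confirm the kernel has the
#   anchor loaded and show the rdr/pass rules miniupnpd placed into it.
#   Skipped silently on hosts without pfctl.
upnp_anchor_live() {
    command -v pfctl >/dev/null 2>&1 || { echo "pfctl not found; skipping live check"; return 0; }
    if ! pfctl -sA 2>/dev/null | grep -Eq "^[[:space:]]*${ANCHOR_NAME}\$"; then
        echo "anchor \"$ANCHOR_NAME\" is not loaded in the kernel ruleset"
        return 1
    fi
    echo "--- NAT rules in anchor $ANCHOR_NAME"
    pfctl -a "$ANCHOR_NAME" -sn
    echo "--- filter rules in anchor $ANCHOR_NAME"
    pfctl -a "$ANCHOR_NAME" -sr
}

# Constructed sample mirroring the anchors visible in the posted dump: the
# user and tftp-proxy anchors are there, the miniupnpd ones are not.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# User-defined rules follow
anchor "userrules/*"
# VPN Rules
anchor "tftp-proxy/*"
EOF
echo "anchors in sample:"
list_anchors "$SAMPLE"
upnp_anchor_check "$SAMPLE" || echo "=> miniupnpd mappings would never be evaluated by pf"
rm -f "$SAMPLE"
```

On a pfSense box the same two functions are used against the real file: `upnp_anchor_check /tmp/rules.debug && upnp_anchor_live`. The static check tells you whether the generator wired the anchor in at all (the bug in this thread); the live check tells you whether the kernel currently holds the anchor and what miniupnpd has put in it, which is the thing the GUI status page cannot tell you.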
  • LAYER 8 Global Moderator

    Just did a gitsync - and shazam, there you go, working!

    I don't really use it, but sure the guys that do will be happy it's working again..  Sweet how some reporting of details and issue fixed..

    Got to love the pfsense crew!  Thanks guys!!


  • gitsync saved the day!
    miniupnpd is working again, thanks. ;D


  • @jimp:

    OK, I found it. It wasn't the upnp daemon, but a recent change broke the test that puts the rules anchor in rules.debug.

    Should be fixed by https://github.com/bsdperimeter/pfsense/commit/290296cdc05747b65145077e2715e7c4e2ae60aa

    Not sure how mine worked without that anchor, but it was working for me.

    Well Jim, since you figured it out before I had to go through your list of tasks, I made a small donation to the project.  ;D

    Oh, and thanks, of course!!!

  • Rebel Alliance Developer Netgate

    Thanks!


  • @johnpoz:

    Just did a gitsync - and shazam, there you go, working!

    I don't really use it, but sure the guys that do will be happy it's working again..  Sweet how some reporting of details and issue fixed..

    Got to love the pfsense crew!  Thanks guys!!

    Yep, quite impressive. Everything running smoothly, can't ask for more.