Nested routers - miniupnpd: SSDP packet sender … not from a LAN, ignoring
-
Having been a sys admin for more than a decade, I'm no stranger to networking, though far from a wiz either. I'm managing a pfSense instance, which shares an internet connection in an apartment complex.
I have read the stickies and other threads regarding the dreaded "strict NAT" problem. However, there could be multiple consoles on our LAN behind a consumer router, so static IPs, ports etc. is not an option, which rules out most of the suggestions.
Other threads concerns older versions of pfSense, different symptoms or does not seem to include sufficient information for me to determine if it in fact even concerns the same issue.
This is my first post here. Hope I have posted this in an appropriate place, that have provided enough info and shown that I've put thoughts and effort into attempting to solve this on my own :).
General setup
-
54 apartments connected to shared fibre internet connection
-
We advise tenants to buy and connect their own router, as we limit the MAC addresses per tenant switch port
-
1 WAN, 3 tenant LAN's, 1 admin LAN, 1 DMZ
-
Each LAN has a /24 subnet within 172.16.0.0/16
-
pfSense runs virtual (on ESXi)
-
LAN's uses VLAN tagging, a single physical interface and a single vNIC on the pfSense virtual machine
For more details, see the "Edit: What We Ended Up With" paragraph in my previous question at ServerFault.com.
My problem
A tenant complains that his XBox report "Strict NAT". I have enabled UPnP in pfSense and instructed tenant to do the same in his consumer router. I don't have an Xbox myself, so I don't know how much can actually be confiured on the console.I do see SSDP packets being logged by miniupnpd, which indicated to me the tenant's router is in fact using UPnP, but I see these messages like this in the logs a handful of times every 30 seconds:
miniupnpd[17877]: SSDP packet sender 192.168.1.1:38665 not from a LAN, ignoringWe don't use 192.168.1.0/24 in our part of the network, so it's probably safe to say this is the tenant's internal LAN.
Also, UPnP status show no connected sessions.
-
UPnP and NAT-PMP enabled
-
All tenant interfaces selected as LAN
-
Listen on interface instead of interface IP enabled (have also tried disabled)
-
Have tried adding miniunpnd allow rule, but it doesn't make a difference
Questions
The bleeding obvious: Can the miniupnpd config easily be tweaked to consider the packages as coming from a LAN? Does UPnP ever work through nested routers?
Follow-up questions, if the above is not possible:
-
Since UPnP should listen on the interface, not the actual interface IP, why isn't a package originating from the LAN seens coming from a LAN?
-
I understand pfSense cannot route to the 192.168.1.0/24 subnet, but why is this seen as the source, instead of the IP address pfSense has assigned to his router's WAN interface? Is this UPnP not tagging the SSDP packets properly?
-
As far as I can think, I shouldn't need to (or want to) enable RIP - if I were to solve this by allowing routing, we need to manage what subnet each tenant uses for LAN.
-
Then I thought the NAT configuration might need to be tweaked, but in that case I'm not sure what. Outbound NAT maybe? It doesn't seem to make a difference if I select Auto Outbound NAT or AON though.
-
Is there anything in paticular I should instruct the tenant to configure in his router (or XBox) or inquire about?
Any ideas or suggestions would be highly appreciated. Please let me know if you need me to get more information.
Thank you!
-
-
It is generally considered that Double NAT and UPNP will not work. I would be surprised if PFSense supported an ability to forward UPNP requests and even more surprised if the client NATs supported this.
They're better off talking directly to PFSense and not going through their firewall. They may be using it for WIFI access, but they can simply disable DHCP on their device, then plug a LAN port into your PFSense instead of their WAN port.
-
It is generally considered that Double NAT and UPNP will not work. I would be surprised if PFSense supported an ability to forward UPNP requests and even more surprised if the client NATs supported this.
They're better off talking directly to PFSense and not going through their firewall. They may be using it for WIFI access, but they can simply disable DHCP on their device, then plug a LAN port into your PFSense instead of their WAN port.
Thanks for your reply - I appreciate it.
This is what I started to worry about and it certainly doesn't appear to work.
I see that you write "generally considered" and "would be surprised". Can you (or anyone else) conclusive say that it cannot work, or that it will only work if such and such conditions are met?
-
"miniupnpd[17877]: SSDP packet sender 192.168.1.1:38665 not from a LAN, ignoring"
that seems to be the IP address of tenets router lan IP. So you have lots of double nats going on which is going to make for issues for any inbound traffic you need.
Off the top I know of now way of, and sure not any soho routers that your tenants would be using that would support forwarding UPnP
Here is what you have going on
internet –-- public IP - pfsense - 172.16.1.1 --- 172.16.1.2 - tenant router - 192.168.1.1 --- 192.168.1.100 - client
So client for some game needs port xyz, so using UPnP, the upnp client says hey router, forward xyz to me 192.168.1.100
So what you would need to happen is router to say ok, I will do that, and I will also let pfsense know to forward xyz to 172.16.1.2 (me)
I know of no soho routers that do something like than, nor do I know of any sort of forwarder of that??
Your options are to setup the ports the tenents needs on pfsense.. And then have them forward on their routers to their client. Or you could have the tenant put their devices that need inbound services directly on your pfsense lan. So put a switch in front of their router, now their router gets 172.16.1.2 and their ps4 or whatever gets 172.16.1.3 for example.
It can then send upnp to pfsense and say hey I need port xyz please send it to 172.16.1.3 which pfsense can do.
Or you could have your clients not use routers, but switches - and give them all their own segment. For isolation, and you just have a bunch of vlans on pfsense for all your apartments. Now say each apartment gets their own /24 on the 172.16 for example.
-
Thanks for your input johnpoz!
Or you could have the tenant put their devices that need inbound services directly on your pfsense lan. So put a switch in front of their router, now their router gets 172.16.1.2 and their ps4 or whatever gets 172.16.1.3 for example.
This ended up being our recommendation.
We already have "protectected port" setup (Cisco switches) separating each tenant, though they're on the same subnet. I'm not very keen on re-designing the network, which otherwise works great. Hence the recommendation :)
Thanks!
