UPnP w/CARP and general UPnP issues

  • OK I moved recently to pfSense from Cisco ASAs to specifically get consumer features, mainly UPnP.  I have (2)XBOX ONE, (2)PS4, and (2)XBOX 360.  Yes I have spending issues, but that's not what I need help with right now.

    My first question is: can I expect UPnP to work with the CARP interface (.1) as the default gateway of the game systems?

    My issue is I cannot get the ONEs to consistently register UPnP. Sometimes I get OPEN and see it in the pfSense GUI, sometimes MODERATE, but mostly STRICT.  Here is what I have done to troubleshoot:

    1. Turn off IGMP snooping and/or filtering on my Cisco 3750 switch.
    2. Had the issue on v2.1.5, defaulted both boxes and upgraded to 2.2RC (December 9th date).
    3. I use Linux as my DHCP server, not pfSense. I send the default gateway of .2 to my boxes right now, bypassing the .1 virtual IP. This is the only way I got it to work as OPEN, but again it's not consistent, and it doesn't work more than it works.


    1. I have not done very much troubleshooting with the 360s
    2. Both PS4s show NAT type 2 but I see no entry in the UPnP status page--have not tested multiplayer, etc.
    3. The ONEs are what I am concerned with and my son has been having issues playing multiplayer
    4. I have a lot of apps showing up in UPnP, and they are using .1 as the gateway

    Attached are some screen shots of my config


    ![UPnP Config.png](/public/imported_attachments/1/UPnP Config.png)
    ![UPnP status.png](/public/imported_attachments/1/UPnP status.png)

  • So no ideas? I hate to bump, but bump…

    I would even be OK if someone says this is a bug and to be patient. But if this is never going to work I am going to have to find a different FW. And I don't want to, because I really like pfSense.  And I'm not even sure I can find an alternative.

  • Hi.

    Did you ever resolve this issue?  I'm having the same problem.

    I have been able to get NAT-PMP working with a bit of a fudge.  Basically I have created a NAT rule that forwards traffic on the CARP IP (UDP port 5351) to the non-CARP IP on the same port.  This is obviously less than ideal because when the rule is mirrored to the CARP backup node it will be redirecting to the wrong IP (i.e. still the IP of the now-offline master).

    I haven't been able to make the same trick work for UPnP though.


  • My findings lead me to believe that UPnP in the XBOX ONE is just broken, or flaky at best.

    First, I think it is now well documented if you use "instant on" mode with ONE it does not ask UPnP to reopen ports after you wake up the box.  Which just sucks because it is so nice to resume games without having to re-load.

    Secondly, based on some threads below, the ONE is not always listening to the router about which ports to use. This really affects the 2nd ONE you add: it asks for 3074, the router replies that it can't use it and should use port 8765 or whatever, and then the ONE just ignores it.  Or maybe it does listen sometimes; I haven't confirmed that 100%.

    One other theory I read is that even though the 2nd ONE might show STRICT NAT, it might actually be OPEN or MODERATE.  I have not tested this theory.

    Finally, there was an ONE update that came out on the 6th, I have done zero testing on this version.

    I don't think pfSense or really miniupnpd is broken; I think this falls under M$ and they need to fix this ASAP.


    Would love to hear if anyone else has theories around this or if you think my theories are wrong.  And would also love to know what version of miniupnpd pfSense 2.2 is using.

  • There is another post on here about adding multicast subnets to your LAN profile. Since doing that on mine, my 360 has been able to use UPnP correctly every time.

    | Proto | Source  | Port | Destination | Port | Gateway | Queue | Schedule | Description     |
    |-------|---------|------|-------------|------|---------|-------|----------|-----------------|
    | IPv4* | LAN net | *    | *           | *    | none    |       |          | Allow Multicast |
    | IPv4* | LAN net | *    | *           | *    | none    |       |          | Allow Multicast |
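A small probe that checks the two things this thread keeps circling: whether the gateway answers NAT-PMP on a given address (the CARP VIP versus the interface IP, as in the UDP 5351 redirect workaround above), and whether UPnP discovery (SSDP M-SEARCH over multicast, which the "Allow Multicast" rule is meant to let through) gets an answer, whose SERVER header also reports the miniupnpd version. This is an added example for the thread, not code from pfSense or miniupnpd; the packet layouts follow RFC 6886 (NAT-PMP) and the SSDP M-SEARCH exchange, and the gateway address, timeouts and the sample packets in the comments are assumptions.

```python
"""Probe a gateway for NAT-PMP and UPnP (SSDP) answers.

Added example for this thread, not pfSense or miniupnpd code. Packet layouts
follow RFC 6886 (NAT-PMP) and the SSDP M-SEARCH exchange; the gateway address
you pass in and the timeouts are assumptions.
"""
import socket
import struct

NATPMP_PORT = 5351
SSDP_GROUP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"


def build_natpmp_request(opcode, internal_port=0, external_port=0, lifetime=0):
    """NAT-PMP request: opcode 0 = public address, 1 = map UDP, 2 = map TCP."""
    if opcode == 0:
        return struct.pack("!BB", 0, 0)
    if opcode in (1, 2):
        # version, opcode, reserved, internal port, suggested external port, lifetime (s)
        return struct.pack("!BBHHHI", 0, opcode, 0, internal_port, external_port, lifetime)
    raise ValueError("unknown NAT-PMP opcode %d" % opcode)


def parse_natpmp_response(data):
    """Decode a NAT-PMP response; result 0 means success (RFC 6886 section 3.5)."""
    if len(data) < 8:
        raise ValueError("short NAT-PMP response")
    version, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    if version != 0 or opcode < 128:
        raise ValueError("not a NAT-PMP response")
    info = {"opcode": opcode - 128, "result": result, "epoch": epoch}
    if opcode == 128 and len(data) >= 12:
        info["external_ip"] = socket.inet_ntoa(data[8:12])
    elif opcode in (129, 130) and len(data) >= 16:
        (info["internal_port"], info["external_port"],
         info["lifetime"]) = struct.unpack("!HHI", data[8:16])
    return info


def probe_natpmp(gateway_ip, timeout=2.0):
    """Send a public-address request to gateway_ip:5351; None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_natpmp_request(0), (gateway_ip, NATPMP_PORT))
        try:
            data, _ = s.recvfrom(64)
        except socket.timeout:
            return None
    return parse_natpmp_response(data)


def build_ssdp_msearch(st=IGD_ST, mx=2):
    """SSDP discovery message; an IGD answers by unicast UDP to the sender."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            "HOST: 239.255.255.250:1900\r\n"
            'MAN: "ssdp:discover"\r\n'
            "MX: %d\r\n"
            "ST: %s\r\n\r\n" % (mx, st)).encode("ascii")


def parse_ssdp_response(raw):
    """Return lower-cased headers of an HTTP/1.1 200 SSDP reply, else None."""
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def probe_ssdp(timeout=3.0):
    """Multicast an M-SEARCH and collect (responder, headers) pairs until timeout."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.settimeout(timeout)
        s.sendto(build_ssdp_msearch(), SSDP_GROUP)
        while True:
            try:
                raw, addr = s.recvfrom(4096)
            except socket.timeout:
                break
            headers = parse_ssdp_response(raw)
            if headers:
                found.append((addr[0], headers))
    return found


if __name__ == "__main__":
    import sys
    gw = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed gateway address
    print("NAT-PMP via %s:" % gw, probe_natpmp(gw))
    for host, hdrs in probe_ssdp():
        # SERVER carries the miniupnpd build string, LOCATION the IGD description URL
        print("SSDP from %s: SERVER=%s LOCATION=%s"
              % (host, hdrs.get("server"), hdrs.get("location")))
```

Run it once with the CARP VIP and once with the interface IP from a console on the LAN; a None for NAT-PMP on the VIP but a result dict on the interface IP reproduces the situation the 5351 redirect works around. If SSDP returns nothing at all, the multicast is not reaching the firewall (or replies are being dropped) before UPnP mapping is even attempted.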
