Can't start miniupnpd service
I am running pfSense inside my LAN as an IPv6 tunnel appliance. The tunnel is working and I have complete IPv6 internet access from my clients, and I can successfully create firewall rules to manually open ports to specific hosts.
I can not get the UPnP service to start. Under "Services > UPnP & NAT-PMP", I have:
- Enable UPnP & NAT-PMP: checked
- Allow UPnP Port Mapping: checked
- Allow NAT-PMP Port Mapping: cleared (I have tried checked as well)
- External interface: HETUN6 (see below)
- Interfaces: LANV6 (see below)
- All other fields blank and checkboxes cleared
There is a red X at the top of the page saying "miniupnpd Service is Stopped", and the "Status > Services" page agrees. Selecting "Start miniupnpd Service" reports "miniupnpd has been started", but the Services and UPnP pages still report that the service is stopped.
Setup (let me know if there's any additional information I can provide):
pfSense: 2.2.4-RELEASE (amd64)
-> v4: 192.168.a.b/24
-> v6: 2001:c:d:e::1/64 <- HE routed /64
-> v6: 2001:c:d:f::2/128 <- HE tunnel endpoint
Omit the tunnel interface from the setup. IPv6 is not supported with "dig holes into your network" feature. And - if your v4 WAN is RFC1918, this feature is totally useless for you. The WAN traffic would need to be allowed and forwarded on whatever is in front of your pfSense box, and LAN -> LAN never goes through the firewall.
Edit: Submitted https://github.com/pfsense/pfsense/pull/1980 for proper input validation here.
Omit the tunnel interface from the setup. IPv6 is not supported with "dig holes into your network" feature.
If I'm following you (and the pull request you linked) correctly, the version of miniupnpd in 2.2.4 does not support UPnP or NAT-PMP for IPv6, and at the very least you would like the pfSense GUI to reflect this; is that accurate?
And - if your v4 WAN is RFC1918, this feature is totally useless for you. The WAN traffic would need to be allowed and forwarded on whatever is in front of your pfSense box, and LAN -> LAN never goes through the firewall.
I fail to see how this feature is useless for me. The pfSense firewall is indeed running between HETUN6 and LANV6; if I have no rules, all packets to IPv6 LAN hosts are filtered, while manually adding rules for e.g. ICMP or TCP port 80 passes those packets as expected. My IPv4 edge router/firewall/NAT does not get in the way because pfSense is already tunnelled to the HE endpoint, and all IPv6 WAN traffic goes over that tunnel.
Current state of affairs:
- I can manually create IPv4 firewall rules on my existing IPv4 edge router
- I can manually create IPv6 firewall rules on my pfSense instance
- Applications using UPnP can only create IPv4 rules on my edge router
Desired state (although sounds like not possible without mucking around with different miniupnpd binaries):
- Manual rules same as above
- Applications using UPnP can create IPv4 rules on my edge router and IPv6 rules on my pfSense instance