UPnP and Port Forwarding

ech0wav3 · Jan 5, 2016, 4:36 AM

Hi all,

I feel like I'm missing something when it comes to UPnP and port forwarding on pfSense. I have a Plex server that I want to access the external web so I can stream things outside of my network. I have UPnP (miniupnpd) enabled on pfSense and it accepts announcements from UPnP and NAT-PMP devices. My external interface is WAN and my internal interface is LAN.

Plex is able to see my external IP through UPnP and miniupnpd correctly states the ports Plex wants to use, however no external connection can be made to Plex. Sadly, the logs (even though I have logging enabled) don't seem to be of much use. I tried adding the permission "allow 1024-65535 192.168.1.0/24 1024-65535" to the UPnP configuration page in hopes that I just had to "allow" miniupnpd to forward the ports programs/devices use. No luck though. Is there a specific rule that I have to create to allow miniupnpd to forward ports automagically?

If anyone can shed some light on what I might be missing or overlooking, I would greatly appreciate it.

All the best,
ech0wav3

kesawi · Jan 5, 2016, 4:56 AM

Although this doesn't address you issues with UPnP, you can set up a manual port forward under Firewall: NAT: Port Forward (https://doc.pfsense.org/index.php/How_can_I_forward_ports_with_pfSense) which will allow remote access to Plex. Further details on the specific ports and requirements for Plex are at https://support.plex.tv/hc/en-us/articles/200931138-Troubleshooting-myPlex-Server-connections. You just need to make sure your Plex server has a static IP address on your LAN.

johnpoz · Jan 5, 2016, 10:55 AM

Fist thing to check when port forwards don't work is pfsense even seeing the traffic.. Common issue is user place pfsense behind their isp device/nat router and wonder why forwards don't work.
https://doc.pfsense.org/index.php/Port_Forward_Troubleshooting

Does pfsense have public IP on its wan, or is it rfc1918? 192.168.x.x, 10.x.x.x, 172.16-31.x.x ??

If pfsense wan is behind a nat, then you need to forward ports you want to pfsense wan IP on that device, or place pfsense wan IP in the dmz host of that device. So pfsense can see the traffic to forward it.

UPnP is not going to work if pfsense wan never sees the traffic because its behind a NAT that is not forwarding the traffic.

ech0wav3 · Jan 6, 2016, 5:17 AM

Thank you all for the replies.

kesawi – I do have a static DHCP lease setup for my Plex server, so port forwarding is an option. (Actually, it's how I currently set it up for the time-being.) But it doesn't settle why miniupnpd wouldn't open up the port automagically when Plex told it to. Moreover, I don't have faith that it is opening up ports for other devices or servers now. Like I said, miniupnpd reports all the correct information, but nothing is accessible.

johnpoz -- pfSense does get a valid external IP address on the WAN device from my ISP's netblock. I specifically did not get a modem from my provider for this exact reason. I have a SurfBoard modem which goes to a unmanaged gigabit switch (in order to have 2 separate IP addresses -- 1 is required for something else unrelated to pfSense) which then goes to the pfSense server. pfSense does all the NAT'ing.

However, just to be sure pfSense is, in fact, seeing the traffic, where would I go to verify this? System Logs -> Firewall? Or Diagnostics -> States?

Thank you both for your help with my problem. I very much appreciate it.

Regards,
ech0wav3

kesawi · Jan 6, 2016, 6:17 AM

@ech0wav3:

However, just to be sure pfSense is, in fact, seeing the traffic, where would I go to verify this? System Logs -> Firewall? Or Diagnostics -> States?

You could try doing a packet capture on the WAN interface (Diagnostics: Packet Capture). You could also try setting up an incoming match floating rule on the WAN which logs packets to the external TCP port on the WAN. If there's a hit then this should show up in the Firewall Logs.

pahowart · Jan 6, 2016, 6:22 AM

I had a similar issue with an XBOX One over the holidays. UPNP would show xbox ports open on the status page but kids couldn't play multi player games.

The solution was to create an outbound nat rule for the UPNP device as per my screen capture. I am not sure why UPNP doesn't take care of this on its own. Oh and one more trick. The outbound nat rule should be the very first rule or you may get a match on an earlier rule.

If you create port forwarding rules manually the outbound nat rules are created automatically which is why it works that way and not with UPNP.

![Outbound NAT.jpg](/public/imported_attachments/1/Outbound NAT.jpg)
![Outbound NAT.jpg_thumb](/public/imported_attachments/1/Outbound NAT.jpg_thumb)

johnpoz · Jan 6, 2016, 12:13 PM

And that rule saying every nat done from that IP use static just breaks how napt is suppose to work.. Unless the xbox was your only device behind the nat.

That is not how it should be done.. If you have some ports that need to be static.. Then assign those specifically.

kesawi · Jan 6, 2016, 10:28 PM

@johnpoz:

And that rule saying every nat done from that IP use static just breaks how napt is suppose to work.. Unless the xbox was your only device behind the nat.

That is not how it should be done.. If you have some ports that need to be static.. Then assign those specifically.

According to this other thread that's exactly how it needs to be done for the xBox with uPNP (/index.php?topic=13887.0)

pahowart · Jan 7, 2016, 2:32 AM

The thread I followed to get UPNP working on XBOX One is here:

https://forum.pfsense.org/index.php?topic=73012.0

johnpoz · Jan 7, 2016, 12:26 PM

All fine and dandy - doens't mean its not a broken config..

And is NOT required, since you have list of ports, forward them specifically static you want. But telling the system that every single port that this boxes need when you nead it outbound needs to be static breaks how napt is suppose to work with multiple clients behind a single IP.

So the article he links to shows the typical open, mod and strict terms that ms likes to use.. But then he gets back ""Your network is behind a port-symmetric NAT"" What is that not in the article if that is one of the possible types?

But you can not set 1 host in your network to get every port it uses outbound to be static, and not mess up shit.. When you trying to use napt for the rest of your clients.. If you had multiple public IP then sure, set your static basically 1:1 nat setup for ipA and let the rest of your clients doing napt (network address port translation) use the other pubic ipB

Here is the thing with all those documentation out there - you sure and the hell do not need 53 inbound to your xbox… And that if MS requires inbound 80.. Shit many isp block inbound 80.. So how would anything work for those people that ISP block 80, or they are using 80 forwarded to something else?

So your Pc talking out to some website comes from random source port, and pfsense napt to that to be souce 20014 on the outside connection to dest:80 which is in the listing of both tcp and udp ports needed for titanfall.. Now you fire up your xbox and it tries to use 20014 as its source, how does pfsense static port map that??

The odds of that sort of issue are slim when your talking a handful of clients with light amount of sessions.. But my point of doing something like that is broken idea.. You can not say hey IP address A, all its traffic make sure you map source:dest on the public side the exact same on the outside... When you have other clients that it randomly maps too... Your fine if your 1 IP takes all the ports it needs first before you fire up other clients.. But if you have other clients talking and then you fire up xbox using port X, and X has already been mapped to client B session you have a problem don't you.

That why this idea is a bad one... If you need to specific ports to be static, then they should be forwarded in so that pfsense does not use in napt for all your other clients.

This is my point of saying that sort of stetup breaks napt.

ech0wav3 · Jan 8, 2016, 1:40 AM

So first off, thank you all again for commenting on this thread.

After testing via packet capture, I can say for sure that pfSense sees and detects the external traffic but simply drops it/doesn't accept it. So definitely there is something wrong with miniupnpd, my config, or pfSense's rules.

I'm going to have to agree with johnpoz and say the guides/instructions posted are not really the ideal setup. As referenced here (https://forum.pfsense.org/index.php?topic=104964.0), setting up pfSense in the way the guides describe causes other devices to fail. I don't know for sure how the OP of that topic set up his config, but it seems to fit with how those guides describe. Basically those guides tell all the traffic of the specified ports (no matter what it's intended destination) to go to one device. If another device tried to use those ports, pfSense doesn't know how to route the traffic OR all the traffic goes to the wrong device.

But more importantly setting it up in the way those guides describe is basically just opening up all the ports to one device and exposing it to the web. For an Xbox, it's probably not that big of a deal, but I have Plex running on a NAS server. I definitely want to keep it locked down as much as possible. Moreover, those guides are just circumventing UPnP all together anyway… They just go about it the long-way around.

So with all that out of the way, my main problem still remains: miniupnpd will not forward the ports my Plex server is requesting. Forwarding the ports manually is successful, so pfSense knows which device to route the traffic to and the device itself can talk to pfSense without issue.

Where else can I look for what might be causing this problem to occur.

Thank you all again for your help.

Best,
ech0wav3

kesawi · Jan 9, 2016, 12:25 PM

I had a play around with static vs non-static NAT port mapping for my son's xBox One. Under my current setup the only port forward I have is in on port 3074 for both TCP and UDP, and run a transparent proxy for HTTP traffic. With static NAT port mapping switched off it reports a strict network configuration and an open configuration with it on. Ran some packet captures and examined the states tables for both configurations. In both scenarios the xBox only generated the following traffic:

DNS requests on TCP port 53
Teredo tunnelling from UDP port 3074 to port 3544 on a remote sever
Queries to TCP port 443 on several remote servers
Queries to TCP port 80 on several remote servers

All originating ports from the xBox to TCP 443 and 80 were all in the range 49916 to 49930, however I'm sure this range will increase when multiplayer gaming so unless I want to forward a rather large range of ports to the xBox, static NAT mapping appears to be the only way for it to work. I'd need to do some more packet captures under various usage scenarios to see if maybe I can narrow down the static NAT mapping port range to something smaller rather than all 65535 ports.