miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
 
Miniupnp not working in pfsense when WAN is private IP
Gblenn
Joined: 03 Mar 2023
Posts: 11
Location: Sweden

Posted: Fri Mar 03, 2023 2:54 pm    Post subject: Miniupnp not working in pfsense when WAN is private IP

The changes and updates to miniupnp which have been made in the last year have been much appreciated by everyone having gamers in their households, myself included.

However, there is still an issue for those who are stuck behind a modem or router providing a private IP to e.g. the pfsense WAN. This applies to any device where bridge mode is not available, such as most consumer 4G/5G routers.

The issue is not related to double NAT. Rather, it simply seems to throw an error if a private IP is detected on the WAN, and then it simply refuses to "work".

On pfsense Plus, all games tested (mostly various CoD games) do however get Open NAT despite the double NAT situation, provided the IP on the WAN side is *not* of "private IP type". A further prerequisite is that pfsense is placed in DMZ (all ports open) on the upstream router. This testing has been verified on an LTE router which allows setting any IP range on the LAN side.

Providing a simple override mechanism to manually force UPnP not to check for Private IP (or accept it even if), would solve this "bug" in a simple way...
Gblenn
Joined: 03 Mar 2023
Posts: 11
Location: Sweden

Posted: Sat Mar 04, 2023 6:34 pm    Post subject: Re: Miniupnp not working in pfsense when WAN is private IP

Gblenn wrote:
The issue is not related to double NAT. Rather, it simply seems to throw an error if a private IP is detected on the WAN, and then it simply refuses to "work".

After receiving some information and suggestions that STUN or hard coded IP would solve the issue, I went through a lot of testing, and found the following.

First test run is with pfsense 23.01 behind a 4G router with pfsense in DMZ in a Private IP range.

1. Using only Port forwarding of relevant ports allows for Open NAT in all COD Games tested, except MW2 (2009).
2. With port forwarding still in place, and UPnP activated (as is), I have the same games getting Open NAT. The only difference is that syslog shows miniupnp complaining about a private IP.
3. With port forwarding in place and STUN activated, UPnP Status page lists the expected ports being requested by the games. HOWEVER, games are no longer able to connect at all. MW2 complains about not reaching IW Servers.
4. With port forwarding in place and Override WAN address, same result as 3.

Changing the setup so that the 4G router provides pfsense with a fake Public IP, still in DMZ.

1. Only port forwarding, same as in 1 above
2. Port forwarding and UPnP activated, all games now show Open NAT, including MW2 (2009).
3. No port forwarding, only UPnP, all games still show Open NAT
4. STUN and Override WAN address IP gives same results as in 3.

Conclusion... There must be something more happening behind the scenes which makes miniupnp break the port forwarding scheme somehow?? STUN and hardcoding IP is not enough to make it work behind a Private IP apparently!
miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1589

Posted: Mon Mar 06, 2023 6:46 am

What happens behind the scenes is that if the game obtains a Private IP as the "external IP Address" it should complain that it won't be reachable from the internet.

Using the "DMZ" feature of the 1st-level router is probably working, but miniupnpd should know the actual external IP address, so it must be hand configured.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
Gblenn
Joined: 03 Mar 2023
Posts: 11
Location: Sweden

Posted: Tue Mar 07, 2023 1:58 pm

miniupnp wrote:
What happens behind the scenes is that if the game obtains a Private IP as the "external IP Address" it should complain that it won't be reachable from the internet.

I'm not sure I follow? Games don't complain, things work perfectly fine in the first scenario, with regular port forwarding, and private IP. Double NAT is not the issue here.

miniupnp wrote:
Using the "DMZ" feature of the 1st-level router is probably working, but miniupnpd should know the actual external IP address, so it must be hand configured.

DMZ is being used, and miniupnp does in fact know the actual IP when using either STUN or Override WAN address. But it is when it does know the actual IP that things stop working. Miniupnp then claims responsibility, reporting to the game that it has opened the ports, but doesn't let anything through...

In the case of a fake public IP, where miniupnp doesn't know the actual external IP, it still works, as long as it "thinks" it is a valid IP...

It's all about some internal flaw in how it proceeds when the external IP happens to be Private...
miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1589

Posted: Wed Mar 08, 2023 3:30 pm

Gblenn wrote:
miniupnp wrote:
What happens behind the scenes is that if the game obtains a Private IP as the "external IP Address" it should complain that it won't be reachable from the internet.

I'm not sure I follow? Games don't complain, things work perfectly fine in the first scenario, with regular port forwarding, and private IP. Double NAT is not the issue here.

I guess you are either using STUN or have correctly configured the external IP address using the -o argument or ext_ip= in miniupnpd.conf.

Gblenn wrote:
miniupnp wrote:
Using the "DMZ" feature of the 1st-level router is probably working, but miniupnpd should know the actual external IP address, so it must be hand configured.

DMZ is being used, and miniupnp does in fact know the actual IP when using either STUN or Override WAN address. But it is when it does know the actual IP that things stop working. Miniupnp then claims responsibility, reporting to the game that it has opened the ports, but doesn't let anything through...

In the case of a fake public IP, where miniupnp doesn't know the actual external IP, it still works, as long as it "thinks" it is a valid IP...

It's all about some internal flaw in how it proceeds when the external IP happens to be Private...

If you wish someone to be able to help you find what the problem is, you should provide the relevant information about the configuration, the log files, and what exactly fails.
Gblenn
Joined: 03 Mar 2023
Posts: 11
Location: Sweden

Posted: Wed Mar 08, 2023 7:40 pm

miniupnp wrote:
If you wish someone to be able to help you find what the problem is, you should provide the relevant information about the configuration, the log files, and what exactly fails.
I honestly thought I did provide quite detailed information in the scenarios above, showing where things fail.

But let me try to be more detailed.

And I can also add that I, and others, have tried to raise bug reports in redmine but they have been refused, pointing towards miniupnp. With the additional comment that according to "miniupnp", STUN and/or Override WAN IP will sufficiently solve any issues related to Private IP.

My testing shows that they don't.

I'm doing this testing in two steps. The first scenario is where I have pfsense v23.01 sitting behind a router/modem giving it a WAN IP of 192.168.1.20 in DMZ.

As a reference I start off by doing regular Port Forwarding of the ports known to be required for the games tested (typically 3074 UDP). CoD MW2, MW3, Vanguard and MW2 2022 are the tested games, a bit old and very new.

Reference Test #1: No UPnP, only port forwarding.
All games using port 3074 show Open NAT as expected. (As an additional test, I moved pfsense out of DMZ in the upstream router, and games then report Moderate NAT instead).
One game, MW2 (2009), shows Strict NAT, as I have not figured out the correct ports apparently.

Test #2: Without removing port forwards, I turn on UPnP without activating STUN.
Starting a game, the System Log (routing) shows the last item being
2023-03-08 19:25:14.451357+01:00 miniupnpd 34071 private/reserved address 192.168.3.20 is not suitable for external IP
The Status > UPnP & NAT-PMP rules list is empty, as expected.
Games still show Open NAT as expected (remember, ports are forwarded)

Test #3: Without removing port forwards, I now turn on STUN for UPnP (using Google server on port 19302).
When a game is started, the rules list now gets populated with the requested ports and reads e.g.: WAN2 udp any 3074 192.168.1.91 3074 DemonwarePortMapping
So clearly UPnP is picking up the request for port 3074 as shown in the list. BUT games fail to connect and eventually show an error like: Modern Warfare 3 server not available... etc.
Same thing applies to MW2 which no longer shows Strict NAT, but rather fails to connect at all.

--------------------------------------

In the second scenario I only change the LAN IP on the upstream router so that pfsense has a fake public IP on WAN. Any IP will do as long as it is not considered "private". All other settings in upstream router and pfsense are the same as in scenario 1.

Test #4: As a reference, again, old style port forwarding still works. Games get Open NAT (except MW2). Same as test #1.

Test #5: Turning on UPnP, without STUN. There is no longer any log entry about Private IP not being suitable.
When a game is started, the rules list gets populated with the requested ports like e.g.: WAN2 udp any 3074 192.168.1.91 3074 DemonwarePortMapping (exactly like in test #3).
HOWEVER, ALL games, including MW2, now get Open NAT!!

Test #6: Activating STUN makes no difference. Same result as in Test #5.

So as long as miniupnp "thinks" it has to do with a public IP, things run smoothly, despite the double NAT scenario. Port forwards are not needed at all, and setting Outbound NAT on fully automatic (vs Hybrid), still works 100%.
As soon as miniupnp becomes aware of a Private IP, it will no longer play ball, even when it does know the actual public IP on the upstream router. In fact it actually "breaks" a working setup (manual port forwards).

Isn't this a bug or a flaw? Either in miniupnp or in the interworkings with pfsense?

This will apply to any and all users trying to play games behind a modem/router that doesn't do bridging (5G, Fiber/Cable doesn't matter). Or any scenario with CGNAT, which I have not tested other than simply using a random "reserved IP" instead of Public or Private, which gave the same results as in tests 1-3.

Although it provides a work around, faking a public IP is not good practice and can lead to all sorts of problems obviously.
miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1589

Posted: Wed Mar 08, 2023 11:55 pm

You don't provide any miniupnpd configuration, pf rules or even the miniupnpd version.

Also, how should one interpret
Quote:
The Status > UPnP & NAT-PMP rules list is empty, as expected.
Games still show Open NAT as expected (remember, ports are forwarded)

What does "Open NAT" mean?
How can you say "ports are forwarded" and "UPnP & NAT-PMP rules list is empty" at the same time? Which ports are forwarded? To which IP?
miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1589

Posted: Wed Mar 08, 2023 11:59 pm

Also, have you tried to declare the real ExternalIPAddress to miniupnpd using the -o command line option or ext_ip= in miniupnpd.conf?
Gblenn
Joined: 03 Mar 2023
Posts: 11
Location: Sweden

Posted: Thu Mar 09, 2023 10:23 am

miniupnp wrote:
you don't provide any miniupnpd configuration, pf rules or even miniupnpd version.
Where do I find which miniupnp version is used in pfsense? I'm using the latest stable version of pfsense Plus (v23.01), as stated, which I assume has a known version of miniupnp, doesn't it?

The config is simple enough:
In tests 2, 3, 5 and 6, when UPnP is ON, in the pfsense GUI under Services > UPnP & NAT-PMP, I have the settings to Enable, Allow UPnP Port mapping, Allow NAT-PMP Port mapping, External interface WAN, Internal interface LAN.
And just to be clear, this is the exact same setting that I'm using in the production environment, and it's also the exact same setting that works 100% when the WAN IP is NOT a private IP. It is also the setting you will find in pretty much any description or guide available, from e.g. Netgate.
https://docs.netgate.com/pfsense/en/latest/services/upnp.html

In addition, for the testing I select or deselect STUN, enter Google server and port. As an alternative I can enter an Override WAN address using the actual Public IP, which I have also tested with same result as selecting STUN.

miniupnp wrote:
Also, how should one interpret
Quote:
The Status > UPnP & NAT-PMP rules list is empty, as expected.
Games still show Open NAT as expected (remember, ports are forwarded)

What does "Open NAT" mean?
How can you say "ports are forwarded" and "UPnP & NAT-PMP rules list is empty" at the same time? Which ports are forwarded? To which IP?

Again, as a reference (test 1) I do regular port forwarding in pfsense (Firewall / NAT / Port Forward) of port 3074 UDP. Obviously I'm using the IP of the test PC running the games.
https://docs.netgate.com/pfsense/en/latest/nat/port-forwards.html
I'm also saying that I am not removing these rules in e.g. test 2, which you refer to here.

Further, as I wrote: Under Status > UPnP / NAT-PMP rules (in pfsense UI), there is a list that will show any ports that have been opened through UPnP. This list is empty, which is expected since miniupnp is refusing any connections due to what shows in System Log (which I'm also mentioning) private/reserved address 192.168.3.20 is not suitable for external IP

So, because UPnP is NOT engaging in this scenario, BUT I have manually forwarded ports in the FW, games keep reporting Open NAT, as in the reference test no 1.

And, in test no 3, none of the games can connect, at all, when STUN, or Override WAN IP is used. Regardless if I have the port forwarding in the firewall active or not (port 3074 as mentioned above).

Open NAT is an expression used by pretty much all games, be it on PC, Xbox or PlayStation, as a way to inform the user of the connection status. You have Open, Moderate and Strict, where Strict typically means you will have trouble connecting with other gamers unless they have Open NAT. Moderate will typically allow connecting to those with Moderate or Open NAT.


Last edited by Gblenn on Thu Mar 09, 2023 10:31 am; edited 2 times in total
Gblenn
Joined: 03 Mar 2023
Posts: 11
Location: Sweden

Posted: Thu Mar 09, 2023 10:24 am

miniupnp wrote:
Also, have you tried to declare the real ExternalIPAddress to miniupnpd using the -o command line option or ext_ip= in miniupnpd.conf?
I'm using the UI in pfsense, but yes, there is the ability to use Override WAN address, where I have entered the actual public IP. Exact same result as when using STUN.
Gblenn
Joined: 03 Mar 2023
Posts: 11
Location: Sweden

Posted: Thu Mar 09, 2023 12:03 pm

Perhaps I can simplify things even more. Same equipment as previously mentioned. PfSense stable 23.01, "stock config" with no specific fw rules at all.

Scenario 1.

Upstream router gives pfsense a Private IP in DMZ on WAN.
UPnP settings in pfsense GUI under Services > UPnP & NAT-PMP: Enable, Allow UPnP Port mapping, Allow NAT-PMP Port mapping, External interface WAN, Internal interface LAN, and I activate STUN (using google server) or Override WAN address using the actual Public IP.

Result: in pfsense Status / UPnP & NAT-PMP rules list, the requested port no 3074 UDP is listed together with correct internal IP.
WAN udp any 3074 192.168.1.91 3074 DemonwarePortMapping
None of the games are able to connect at all = worse than Strict NAT

Scenario 2.

Upstream router gives pfsense a fake public IP in DMZ on WAN.
All other settings as in scenario 1: Enable, Allow UPnP Port mapping, Allow NAT-PMP Port mapping, External interface WAN, Internal interface LAN.
However, I do not have to use STUN in order to inform UPnP about the correct external IP. I can use either STUN (google server) OR Override WAN address using the actual Public IP, but doing so makes no difference to the result in this scenario.

Result : in pfsense Status / UPnP & NAT-PMP rules list, the requested port no 3074 UDP is listed together with correct internal IP.
WAN udp any 3074 192.168.1.91 3074 DemonwarePortMapping
All games report Open NAT
miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1589

Posted: Thu Mar 09, 2023 10:15 pm

You think that you are on some pfsense support forum here, which is not the case.

Good bye.
miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1589

Posted: Thu Mar 09, 2023 11:29 pm

Quote:
Where do I find which miniupnp version is used in pfsense? I'm using the latest stable version of pfsense Plus (v23.01), as stated, which I assume has a known version of miniupnp, doesn't it?

I don't know anything about pfsense. If you are not able to find which version of miniupnpd you are using, I cannot help you.

Your problem may be related to the entry mentioned in the miniupnpd changelog:
Code:
pf: use external IP for NAT in double NAT setups


To enable any investigation of your problem, please provide:
    miniupnpd version
    miniupnpd configuration file (miniupnpd.conf)
    logs
    pf rules (output of pfctl -s command)

Gblenn
Joined: 03 Mar 2023
Posts: 11
Location: Sweden

Posted: Fri Mar 10, 2023 6:17 pm

miniupnp wrote:
You think that you are on some pfsense support forum here, which is not the case.

Good bye.
No, I am all with you. And as I mentioned I have been trying to get traction via redmine/pfsense. But the issue I opened got closed rather quickly pointing towards "upstream" responsibilities = miniupnpd.

My thinking was that, as it works perfectly fine when the WAN IP is not RFC1918 (even though it's a fake one), why not add a "switch" to manually force miniupnpd to fully accept a Private IP as well, as if it were the correct external IP.

The comment I got was that miniupnpd is supposed to work fine with STUN or Override WAN address. And when I test this, I can't get any games to connect at all.


Last edited by Gblenn on Fri Mar 10, 2023 6:45 pm; edited 1 time in total
Gblenn
Joined: 03 Mar 2023
Posts: 11
Location: Sweden

Posted: Fri Mar 10, 2023 6:44 pm

miniupnp wrote:

To enable any investigation of your problem, please provide:
    miniupnpd version
    miniupnpd configuration file (miniupnpd.conf)
    logs
    pf rules (output of pfctl -s command)

Code:
miniupnpd --version
miniupnpd 2.2.1 Jan 7 2023
using pf backend

miniupnpd.conf - when using Override WAN address:
ext_ifname=vtnet0
port=2189
listening_ip=vtnet1
ext_ip=MY.ISP.158.254
secure_mode=yes
presentation_url=https://192.168.1.1/
model_number=23.01-RELEASE
allow 1024-65535 192.168.1.91/32 1024-65535
enable_upnp=yes
enable_natpmp=yes

Log file shows:
2023-03-10 19:11:54.690356+01:00 miniupnpd 4207 Listening for NAT-PMP/PCP traffic on port 5351
2023-03-10 19:11:54.690298+01:00 miniupnpd 4207 no HTTP IPv6 address, disabling IPv6
2023-03-10 19:11:54.690150+01:00 miniupnpd 4207 HTTP listening on port 2189

Perhaps some help on the pfctl -s command? What I see in the UI is that the rule listed is: WAN udp any 3074 192.168.1.91 3074 DemonwarePortMapping
This is the only port needed for e.g. MW3 to report "Open NAT" under normal circumstances.
Now, however, it doesn't connect and shows error: "server not available".

And that's it, nothing more in the logs after starting a game. And none of the games can connect.
I'll run a test with WAN IP set to a fake public one to see what may change...


Last edited by Gblenn on Fri Mar 10, 2023 7:05 pm; edited 1 time in total
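An added example (not code from this thread or from the miniupnpd project) that parses a miniupnpd.conf like the one posted above, classifies the address miniupnpd would advertise, and evaluates the allow rule against the mapping shown in the pfSense status line. Assumptions: Python's ipaddress flags are used as an approximation of miniupnpd's private/reserved table, the first-match/default-allow rule semantics are modelled rather than taken from the page, the sample config is constructed from the posted one, and the "ok"/"rejected"/"unverifiable" labels are this example's own.

```python
import ipaddress

# Constructed sample modelled on the miniupnpd.conf posted in the thread; the
# ext_ip placeholder is kept verbatim to show how a non-literal value is handled.
SAMPLE_CONF = """\
ext_ifname=vtnet0
port=2189
listening_ip=vtnet1
ext_ip=MY.ISP.158.254
secure_mode=yes
allow 1024-65535 192.168.1.91/32 1024-65535
enable_upnp=yes
enable_natpmp=yes
"""

def parse_conf(text):
    """Split miniupnpd.conf into key=value options and allow/deny rule tokens."""
    options, rules = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith(("allow ", "deny ")):
            rules.append(line.split())
        elif "=" in line:
            key, _, value = line.partition("=")
            options[key.strip()] = value.strip()
    return options, rules

def is_usable_external(addr_text):
    """True only for a globally routable literal address (assumption: ipaddress flags
    approximate miniupnpd's private/reserved table: RFC 1918, CGNAT, link-local, test nets)."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return False
    return addr.is_global and not addr.is_multicast and not addr.is_reserved

def effective_external_ip(options, wan_addr):
    """(status, address) miniupnpd would advertise: 'ok' = public, 'rejected' = the
    'not suitable for external IP' case, 'unverifiable' = ext_ip is not a literal address."""
    ext_ip = options.get("ext_ip")
    if ext_ip is None:
        return ("ok" if is_usable_external(wan_addr) else "rejected"), wan_addr
    try:
        ipaddress.ip_address(ext_ip)
    except ValueError:
        return "unverifiable", ext_ip
    return ("ok" if is_usable_external(ext_ip) else "rejected"), ext_ip

def mapping_permitted(rules, eport, iaddr, iport):
    """First matching allow/deny rule decides; no match means allowed
    (assumption: this mirrors miniupnpd's permission evaluation order)."""
    def in_range(port, spec):
        lo, _, hi = spec.partition("-")
        return int(lo) <= port <= int(hi or lo)
    for kind, ext_range, network, int_range in (r[:4] for r in rules):
        if (in_range(eport, ext_range) and in_range(iport, int_range)
                and ipaddress.ip_address(iaddr) in ipaddress.ip_network(network, strict=False)):
            return kind == "allow"
    return True

if __name__ == "__main__":
    opts, perms = parse_conf(SAMPLE_CONF)
    print(effective_external_ip(opts, "192.168.3.20"))  # WAN address from the thread's log line
```

Running it against the posted config reports "unverifiable" because the ext_ip value is a placeholder; with no ext_ip at all the WAN address 192.168.3.20 is reported as "rejected", matching the log line quoted earlier in the thread.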
© 2007 Thomas Bernard, author of MiniUPNP.