net/upnp UPnP is not responding to requests
- [X] I have read the contributing guide lines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- [X] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
- [X] The title contains the plugin to which this issue belongs
Describe the bug

UPnP does not respond to any requests - my UPnP test application (UPnP Wizard) cannot find the service and thus neither can any of my Windows apps

To Reproduce

Steps to reproduce the behavior:
- Set up UPnP

Expected behavior

UPnP service should respond to requests
Relevant log files

The only thing I can find is this in the logs

```
2022-02-17T14:45:10 Error php-cgi /services_upnp.php: miniupnpd: Starting service on interface: lan
2022-02-10T20:18:49 Error php-cgi /services_upnp.php: miniupnpd: Starting service on interface: lan
2022-02-10T20:17:43 Error php-cgi /services_upnp.php: miniupnpd: Starting service on interface: lan
2022-02-10T20:13:29 Error php-cgi /services_upnp.php: miniupnpd: Starting service on interface: lan
2022-02-10T20:00:33 Error php-cgi /services_upnp.php: miniupnpd: Starting service on interface: lan
```
Additional context

Config file

```
ext_ifname=pppoe0
port=2189
listening_ip=igb1
secure_mode=yes
system_uptime=yes
presentation_url=https://192.168.1.1/
uuid=5redacted2
serial=5redactedC
model_number=22.1
allow 1025-65535 192.168.1.14 1025-65535
allow 1025-65535 192.168.1.6 1025-65535
allow 1025-65535 192.168.1.30 1025-65535
deny 0-65535 0.0.0.0/0 0-65535
enable_upnp=yes
enable_natpmp=no
clean_ruleset_interval=600
min_lifetime=120
max_lifetime=86400
```

Environment

OPNsense 22.1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1m 14 Dec 2021
Can someone let me know how to better log what is going on, perhaps enable some debugging? I can't even find any direct logs from the service to look at.
I'm sorry to chime in, but, I feel I must.
UPnP is widely considered to be a security risk and in my view, and that of many others, has no place in a proper firewall at all. I would prefer to see UPnP retired completely from OPNsense, it's just so insecure.
https://www.minim.com/blog/the-upnp-security-exploit-affecting-millions-of-home-devices
https://www.howtogeek.com/122487/htg-explains-is-upnp-a-security-risk/
https://www.lepide.com/blog/what-is-upnp-and-is-it-safe/

> I'm sorry to chime in, but, I feel I must.
You're preaching to the choir, unrelated and not helpful.
OPNsense at least lets you control what can use the service and what they can use as ports. I use it in a couple of places, one of which being my gaming PC, where I'd rather not open a permanent port just for one machine, and the randomness of what port gets used is quite useful, along with the port being fully closed off after it's finished with.
So my question still stands, how can I better debug this to see why it still doesn't work.
> ...I use it in a couple of places, one of which being my gaming PC, where I'd rather not open a permanent port just for one machine, and the randomness of what port gets used is quite useful, along with the port being fully closed off after it's finished with...

I have a Sony PS5 and before that, PS3. I solved the issue with static NAT outbound port mapping. That way, I do not need UPnP at all and the gaming machines are quite happy.
Another irrelevant post, this is not a discussion forum, totally off topic. Please remove them.
Hello,
I don't think that you have a mistake in your configuration file. I checked it against mine and for me it is working with similar settings.
Maybe a Firewall rule is blocking (or a NAT rule is interfering):
OPNsense Web Interface -> Firewall: Log Files: Live View
Keep an eye out for: Source: [Your UPnP Wizard PCs' IP(s)]:[Some dynamic Port] - Destination: [OPNsense IP]:2189
This is usually covered by the 'Default allow LAN to any rule'.
I think you have upgraded your OPNsense to the most recent version meanwhile!? There was no update in the UPnP plugin but maybe it helps. Maybe the PHP updates remove the error message above.
Are you sure that it's not only a problem with UPnP Wizard? Get the newest version of it! Older versions have problems with e.g. Hyper-V/Virtual NICs. If you use the correct binding IP it should automatically recognize your router as the UPnP Device.
If this doesn't help maybe reinstalling the plugin helps.
Kind regards
PS btw. This should not matter but I think you want the port range to start at 1024 and not 1025. 'We' start counting at 0 ;)
> UPnP is widely considered to be a security risk...

The past security problems came from exposing the UPnP service to the WAN port / public internet. IMHO, when it is configured at the correct NIC(s) with proper ACLs, then you may only get a problem with malware in your intranet, but then UPnP is your smallest problem!
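The allow/deny lines in the posted config can be checked offline, as an added example that is not part of the original thread or of the plugin's code. It assumes miniupnpd's permission-line layout (`allow|deny <external ports> <ip[/mask]> <internal ports>`) with the first matching rule deciding; the client requests at the bottom are constructed.

```python
import ipaddress

# Permission lines copied from the config posted in this issue.
RULES_TEXT = """\
allow 1025-65535 192.168.1.14 1025-65535
allow 1025-65535 192.168.1.6 1025-65535
allow 1025-65535 192.168.1.30 1025-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

def parse_range(text):
    """'1025-65535' -> (1025, 65535); a single port '80' -> (80, 80)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)

def parse_rules(text):
    """Parse permission lines in file order, skipping every other line."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 4 or fields[0] not in ("allow", "deny"):
            continue  # key=value setting, blank line or comment
        action, ext, net, internal = fields
        rules.append((action, parse_range(ext),
                      ipaddress.ip_network(net, strict=False),
                      parse_range(internal)))
    return rules

def evaluate(rules, client_ip, ext_port, int_port):
    """Return (action, rule_index) of the first matching rule, or (None, None)."""
    addr = ipaddress.ip_address(client_ip)
    for index, (action, ext, net, internal) in enumerate(rules):
        if (addr in net and ext[0] <= ext_port <= ext[1]
                and internal[0] <= int_port <= internal[1]):
            return action, index
    return None, None

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # Constructed mapping requests: (client, external port, internal port)
    for request in [("192.168.1.14", 3074, 3074),   # listed client, port in range
                    ("192.168.1.14", 1024, 1024),   # listed client, port below 1025
                    ("192.168.1.50", 3074, 3074)]:  # client with no allow line
        print(request, "->", evaluate(rules, *request))
```

These rules govern port-mapping requests only; a client that cannot discover the service at all never reaches them.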
Unfortunately nothing you have written is of help. Yes, I am up to date, always a few days after patches are released, and I have tested UPnP from several systems including the game I am trying to use with it, and they all fail; I just use the Windows tool as it's the most convenient. It used to work many versions ago, I just didn't notice until a few months back when investigating the game's network performance.
It works fine just once and then it stops working until I stop then start the service again - restart does not work. This is why I keep asking for help on enabling any kind of logging for the plug-in itself, as nothing shows up currently.
PS, because 1024 is a reserved port: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.
For anyone else coming here from Google with this same issue, I had both UPnP and NAT-PMP ticked. When they were both ticked - OPNsense would not respond to UPnP requests. As soon as I unticked that... everything started working as it should

> For anyone else coming here from Google with this same issue, I had both UPnP and NAT-PMP ticked. When they were both ticked - OPNsense would not respond to UPnP requests. As soon as I unticked that... everything started working as it should

Sorry but I've tried this with every release of the plug-in, you will see in my config in the first post that NAT-PMP is disabled, and it makes no difference with it enabled or not. I thought it did one release but some time later after the connection was no longer needed it broke again and the same PC could no longer create a new session.
Yeah you're right. It timed out for me after a while. A simple test I use is `upnpc -s`
If I restart the service, it works, then after a few minutes it breaks again
I figured out my problem - turned out it wasn't opnsense at all. It was a multicast issue. I tracked this down by running tcpdump on the lan interface on opnsense for host 239.255.255.250. When doing `upnpc -s` on the client - nothing was getting to opnsense. I was using Proxmox, which for some reason puts a firewall on the network adaptor of the vm. Turned this off for both the client and opnsense - upnp started working consistently
> I figured out my problem - turned out it wasn't opnsense at all. It was a multicast issue. I tracked this down by running tcpdump on the lan interface on opnsense for host 239.255.255.250. When doing `upnpc -s` on the client - nothing was getting to opnsense. I was using Proxmox, which for some reason puts a firewall on the network adaptor of the vm. Turned this off for both the client and opnsense - upnp started working consistently

Been trying to figure out if this relates to my setup, but it doesn't seem to. I am testing from two different Windows clients and both behave the same way. After disabling/enabling the service on OPNsense, my test tool can connect continuously for several minutes, even closing/reopening the tool, but then after a while it starts to fail until I disable/enable it again on the firewall. I ran a packet trace on OPNsense to trace the IP 239.255.255.250 and I get plenty of connections to port 1900 from not just my test machines but many others on the LAN including the firewall itself, then it just stops.
So I had the exact error msg. When I installed OPNsense I converted my Asus wireless routers to access points. One of them had UPnP still on from previously. I turned it off and for the first time ever mine's working. At least your post inspired me to dig further. Hope you get yours working.
On my box I noticed that firewall rules on the LAN interface for gateway group policy routing (multi WAN failover) prevent miniupnpd from seeing any traffic. Yes, I do have a rule just before it that puts the default gateway on local traffic. What I needed was another for destination 239.255.255.250:1900.
edit: One should in fact not route any multicast addresses, according to IANA. So excluding 224.0.0.0/4 would be more correct.