
os-upnp 1.5_5 - Not able to add port forwards

Open MorningLightMountain713 opened this issue 2 years ago • 10 comments

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [x] The title contains the plugin to which this issue belongs

Describe the bug

I upgraded to the latest version. Port forwarding no longer works. This worked fine on os-upnp 1-5_4 opnsense version 23.7.9 with base and kernel 23.7.8. (I would downgrade but can't seem to get back to base 23.7.8; I reverted the kernel but it keeps the latest base.)

To Reproduce

On a client I run the following, and it usually opens a port:

davew@salad:~$ upnpc -a 192.168.44.10 14498 14498 tcp 600
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.44.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.44.1:2189/ctl/IPConn
Local LAN ip address : 192.168.44.10
GetSpecificPortMappingEntry() failed with code 714 (NoSuchEntryInArray)

However, as you can see above, it seems to add the port, but then fails when it tries to read the info. If I look at the GUI, it seems to have added it, but it hasn't. See screenshot, where you can see I've added the same forward twice (this shouldn't happen).

Screenshot 2024-01-06 at 8 45 15 AM

If I then run

davew@salad:~$ upnpc -L
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.44.1:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.44.1:2189/ctl/IPConn
Local LAN ip address : 192.168.44.10
 i protocol exPort->inAddr:inPort description remoteHost leaseTime

It doesn't see the port forward, even though the GUI says it's there.

Running miniupnpd with -d, this is the output:

root@OPNonsense:~ # /usr/local/sbin/miniupnpd -d -f /var/etc/miniupnpd.conf -P /var/run/miniupnpd.
miniupnpd 18578 - - version 2.3.3 starting UPnP-IGD ext if ovpnc1 BOOTID=1704530886
miniupnpd 18578 - - HTTP listening on port 2189
miniupnpd 18578 - - no HTTP IPv6 address, disabling IPv6
miniupnpd 18578 - - level=0 type=20
miniupnpd 18578 - - sdl_index = 1  vtnet0:26.de.4a.b8.c0.b
miniupnpd 18578 - - ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1 (ver=1)
miniupnpd 18578 - - SSDP M-SEARCH from 192.168.44.10:55756 ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
miniupnpd 18578 - - Single search found
miniupnpd 18578 - - SendSSDPResponse(): 0 bytes to 192.168.44.10:55756 ST: HTTP/1.1 200 OK
CACHE-CONTROL: max-age=120
ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
USN: uuid:309d5874-e90c-98d9-d8b1-7d90bc9d69e::urn:schemas-upnp-org:device:InternetGatewayDevice:1
EXT:
SERVER: FreeBSD/13.2-RELEASE-p7 UPnP/1.1 MiniUPnPd/2.3.3
LOCATION: http://192.168.44.1:2189/rootDesc.xml
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
01-NLS: 1704530886
BOOTID.UPNP.ORG: 1704530886
CONFIGID.UPNP.ORG: 1337

miniupnpd 18578 - - HTTP REQUEST from 192.168.44.10:58496 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd 18578 - - Host: 192.168.44.1:2189
miniupnpd 18578 - - HTTP REQUEST from 192.168.44.10:58512 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 18578 - - Host: 192.168.44.1:2189
miniupnpd 18578 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetStatusInfo
miniupnpd 18578 - - HTTP REQUEST from 192.168.44.10:58528 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 18578 - - Host: 192.168.44.1:2189
miniupnpd 18578 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
miniupnpd 18578 - - HTTP REQUEST from 192.168.44.10:58534 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 18578 - - Host: 192.168.44.1:2189
miniupnpd 18578 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
miniupnpd 18578 - - HTTP REQUEST from 192.168.44.10:58536 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 18578 - - Host: 192.168.44.1:2189
miniupnpd 18578 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
miniupnpd 18578 - - AddPortMapping: ext port 2222 to 192.168.44.10:2222 protocol TCP for: libminiupnpc leaseduration=600 rhost=
miniupnpd 18578 - - UPnP permission rule 0 matched : port mapping accepted
miniupnpd 18578 - - Check protocol tcp for port 2222 on ext_if ovpnc1 10.0.2.2, 0202000A
miniupnpd 18578 - - 012ca8c0:2189 0a2ca8c0:58536 <=> 2222 0202000a:2222
miniupnpd 18578 - - 012ca8c0:2189 0a2ca8c0:58534 <=> 2222 0202000a:2222
miniupnpd 18578 - - 012ca8c0:2189 0a2ca8c0:58528 <=> 2222 0202000a:2222
miniupnpd 18578 - - 012ca8c0:2189 0a2ca8c0:58512 <=> 2222 0202000a:2222
miniupnpd 18578 - - 012ca8c0:2189 0a2ca8c0:58496 <=> 2222 0202000a:2222
miniupnpd 18578 - - 00000000:2189 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 012ca8c0:22 692010ac:63494 <=> 2222 0202000a:2222
miniupnpd 18578 - - 0100007f:953 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 00000000:53 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 00000000:53 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 00000000:80 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 00000000:443 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 012ca8c0:22 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - 0100007f:22 00000000:0 <=> 2222 0202000a:2222
miniupnpd 18578 - - redirecting port 2222 to 192.168.44.10:2222 protocol TCP for: libminiupnpc
miniupnpd 18578 - - HTTP REQUEST from 192.168.44.10:58540 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 18578 - - Host: 192.168.44.1:2189
miniupnpd 18578 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetSpecificPortMappingEntry
miniupnpd 18578 - - Returning UPnPError 714: NoSuchEntryInArray

Expected behavior

Run the command and a port is forwarded

Screenshots

See above screenshot

Relevant log files

See above miniupnpd logs

Additional context

NA

Environment

os-upnp 1-5_5 opnsense 23.7.11 kernel 23.7.10

MorningLightMountain713 avatar Jan 06 '24 09:01 MorningLightMountain713

Of note, I have another box, running the exact same config, but on the above mentioned prior versions - working fine. As a test, I'd like to revert back to that firmware. If someone could let me know how to downgrade the base package, I'll try that and see if I can get it working again.

I downgraded the kernel with opnsense-update -kr 23.7.8 but that only did the kernel, not the base.

MorningLightMountain713 avatar Jan 06 '24 09:01 MorningLightMountain713

I uninstalled the os-upnp plugin and reinstalled it and now I get this:

root@OPNonsense:~ # /usr/local/sbin/miniupnpd -d -f /var/etc/miniupnpd.conf -P /var/run/miniupnpd.pid
miniupnpd 9122 - - version 2.3.3 starting UPnP-IGD ext if ovpnc1 BOOTID=1704534859
miniupnpd 9122 - - HTTP listening on port 2189
miniupnpd 9122 - - no HTTP IPv6 address, disabling IPv6
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - level=0 type=20
miniupnpd 9122 - - sdl_index = 1  vtnet0:26.de.4a.b8.c0.b
miniupnpd 9122 - - ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1 (ver=1)
miniupnpd 9122 - - SSDP M-SEARCH from 192.168.44.10:42181 ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
miniupnpd 9122 - - Single search found
miniupnpd 9122 - - SendSSDPResponse(): 0 bytes to 192.168.44.10:42181 ST: HTTP/1.1 200 OK
CACHE-CONTROL: max-age=120
ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
USN: uuid:309d5874-e90c-98d9-d8b1-7d90bc9d69e::urn:schemas-upnp-org:device:InternetGatewayDevice:1
EXT:
SERVER: FreeBSD/13.2-RELEASE-p7 UPnP/1.1 MiniUPnPd/2.3.3
LOCATION: http://192.168.44.1:2189/rootDesc.xml
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
01-NLS: 1704534859
BOOTID.UPNP.ORG: 1704534859
CONFIGID.UPNP.ORG: 1337

miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - HTTP REQUEST from 192.168.44.10:47308 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd 9122 - - Host: 192.168.44.1:2189
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - HTTP REQUEST from 192.168.44.10:47324 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 9122 - - Host: 192.168.44.1:2189
miniupnpd 9122 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetStatusInfo
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - HTTP REQUEST from 192.168.44.10:47336 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 9122 - - Host: 192.168.44.1:2189
miniupnpd 9122 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - HTTP REQUEST from 192.168.44.10:47338 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 9122 - - Host: 192.168.44.1:2189
miniupnpd 9122 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - HTTP REQUEST from 192.168.44.10:47348 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd 9122 - - Host: 192.168.44.1:2189
miniupnpd 9122 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
miniupnpd 9122 - - AddPortMapping: ext port 2222 to 192.168.44.10:2222 protocol TCP for: libminiupnpc leaseduration=600 rhost=
miniupnpd 9122 - - UPnP permission rule 0 matched : port mapping accepted
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - Check protocol tcp for port 2222 on ext_if ovpnc1 10.0.2.2, 0202000A
miniupnpd 9122 - - 012ca8c0:2189 0a2ca8c0:47348 <=> 2222 0202000a:2222
miniupnpd 9122 - - 012ca8c0:2189 0a2ca8c0:47338 <=> 2222 0202000a:2222
miniupnpd 9122 - - 012ca8c0:2189 0a2ca8c0:47336 <=> 2222 0202000a:2222
miniupnpd 9122 - - 012ca8c0:2189 0a2ca8c0:47324 <=> 2222 0202000a:2222
miniupnpd 9122 - - 012ca8c0:2189 0a2ca8c0:47308 <=> 2222 0202000a:2222
miniupnpd 9122 - - 00000000:2189 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 012ca8c0:22 692010ac:64749 <=> 2222 0202000a:2222
miniupnpd 9122 - - 0100007f:953 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 00000000:53 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 00000000:53 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 00000000:80 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 00000000:443 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 012ca8c0:22 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - 0100007f:22 00000000:0 <=> 2222 0202000a:2222
miniupnpd 9122 - - redirecting port 2222 to 192.168.44.10:2222 protocol TCP for: libminiupnpc
miniupnpd 9122 - - ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Invalid argument
miniupnpd 9122 - - Returning UPnPError 501: ActionFailed
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument

MorningLightMountain713 avatar Jan 06 '24 09:01 MorningLightMountain713
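A log-triage sketch for the two `miniupnpd -d` captures above, added here as an example and not part of the original thread or of miniupnpd: it pairs each AddPortMapping request with the pf ioctl failures and UPnP errors that follow it. The sample input is constructed from the log shapes quoted in the thread, the function names are hypothetical, and the little-endian decoding of the hex addresses is inferred from the logged pair `10.0.2.2, 0202000A`.

```python
import re
import socket
import struct

# Constructed sample, shaped like the miniupnpd -d output quoted in this thread.
SAMPLE = """\
miniupnpd 9122 - - SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
miniupnpd 9122 - - AddPortMapping: ext port 2222 to 192.168.44.10:2222 protocol TCP for: libminiupnpc leaseduration=600 rhost=
miniupnpd 9122 - - UPnP permission rule 0 matched : port mapping accepted
miniupnpd 9122 - - ioctl(dev, DIOCGETRULES, ...): Invalid argument
miniupnpd 9122 - - Check protocol tcp for port 2222 on ext_if ovpnc1 10.0.2.2, 0202000A
miniupnpd 9122 - - redirecting port 2222 to 192.168.44.10:2222 protocol TCP for: libminiupnpc
miniupnpd 9122 - - ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Invalid argument
miniupnpd 9122 - - Returning UPnPError 501: ActionFailed
"""

ACTION = re.compile(r"SOAPAction: \S+#(\w+)")
ADD = re.compile(r"AddPortMapping: ext port (\d+) to ([\d.]+):(\d+) protocol (\w+)")
CHECK = re.compile(r"on ext_if (\S+) ([\d.]+), ([0-9A-Fa-f]{8})")
IOCTL = re.compile(r"ioctl\(dev, (DIOC\w+), .*Invalid argument")
ERROR = re.compile(r"Returning UPnPError (\d+): (\w+)")

def hex_to_ip(word):
    """Decode an IPv4 address logged as a little-endian 32-bit hex word."""
    return socket.inet_ntoa(struct.pack("<I", int(word, 16)))

def triage(log):
    """Return one record per AddPortMapping with what was logged after it."""
    records, action = [], None
    for line in log.splitlines():
        if m := ACTION.search(line):
            action = m[1]                      # remember which SOAP call is in flight
        elif m := ADD.search(line):
            records.append({"ext_port": int(m[1]), "target": f"{m[2]}:{m[3]}",
                            "proto": m[4], "accepted": False, "ext_ip": None,
                            "pf_ioctl_failures": [], "errors": []})
        elif not records:
            continue                           # nothing to attribute this line to yet
        elif "port mapping accepted" in line:
            records[-1]["accepted"] = True     # permission rule passed
        elif m := CHECK.search(line):
            records[-1]["ext_ip"] = hex_to_ip(m[3])
        elif m := IOCTL.search(line):
            records[-1]["pf_ioctl_failures"].append(m[1])
        elif m := ERROR.search(line):
            records[-1]["errors"].append((action, int(m[1]), m[2]))
    return records

if __name__ == "__main__":
    for rec in triage(SAMPLE):
        print(rec)
```

A record with `accepted` set and a non-empty `errors` or `pf_ioctl_failures` list is a mapping the daemon approved but could not install or read back from pf, which is the state both captures show.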

I rebooted, and now I'm back to the original issue.

MorningLightMountain713 avatar Jan 06 '24 10:01 MorningLightMountain713

I can say with considerable confidence that pfSense likely broke this. It's a recurring pattern around libpfctl at the moment... https://github.com/opnsense/ports/commit/ea2bfadb1410934a2d9 -> https://github.com/freebsd/freebsd-ports/commit/81e8bb9834

# opnsense-revert -r 23.7.10 miniupnpd

fichtner avatar Jan 06 '24 10:01 fichtner

> I can say with considerable confidence that pfSense likely broke this. It's a recurring pattern around libpfctl at the moment... opnsense/ports@ea2bfadb1410934a2d9 -> freebsd/freebsd-ports@81e8bb9834
>
> # opnsense-revert -r 23.7.10 miniupnpd

Hey! I ran the above command - now my forwards are working again! Awesome! Just for my learnings, can you explain what it did please?

Thanks!!

MorningLightMountain713 avatar Jan 06 '24 10:01 MorningLightMountain713

The command reinstalled the miniupnpd package of OPNsense version 23.7.10 which doesn’t use libpfctl as it did for many years. 😉

Cheers, Franco

fichtner avatar Jan 06 '24 10:01 fichtner

If anyone wants to submit an upstream bug report be my guest... https://bugs.freebsd.org

I'm done dealing with libpfctl breakage.

fichtner avatar Jan 09 '24 10:01 fichtner

> If anyone wants to submit an upstream bug report be my guest... https://bugs.freebsd.org
>
> I'm done dealing with libpfctl breakage.

I'll get this logged and fight the good fight upstream!

MorningLightMountain713 avatar Jan 09 '24 15:01 MorningLightMountain713

Hey! I have exactly the same issue and your opnsense-revert command fixed this for me too!
Thank you @fichtner

gagx2 avatar Jan 23 '24 23:01 gagx2

Thank you! I will stay tuned for updates

xmaka avatar Feb 23 '24 19:02 xmaka

> I can say with considerable confidence that pfSense likely broke this. It's a recurring pattern around libpfctl at the moment... opnsense/ports@ea2bfadb1410934a2d9 -> freebsd/freebsd-ports@81e8bb9834
>
> # opnsense-revert -r 23.7.10 miniupnpd

My OPNsense version is 24.1.7. Is there a suitable miniupnpd version which doesn’t use libpfctl? Thank you.

wuyue92tree avatar May 21 '24 08:05 wuyue92tree

# opnsense-revert -z miniupnpd

This is a snapshot release of 2.3.6 to try.

fichtner avatar May 29 '24 16:05 fichtner

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Jul 04 '24 08:07 OPNsense-bot