Bug #15448
Status: open
``miniupnpd`` lacks IGDv2 support
Description
The pfSense documentation here claims that miniupnpd on current versions of pfSense supports IPv6, but as far as I can tell, while it can be connected to via IPv6, it does not support the IGDv2 functionality that IPv6 clients would want to use. When I use upnpc to query my pfSense 2.7.2 machine, it reports that it is both not "Firewall Enabled" and that it does not allow inbound pinholes:
    $ upnpc -6 -S
    upnpc : miniupnpc library test client, version 2.2.3.
    (c) 2005-2021 Thomas Bernard.
    Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
    for more information.
    List of UPNP devices found on the network :
    desc: http://[2001:xxxx::aaaa]:2189/rootDesc.xml
    st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
    Found valid IGD : http://[2001:xxxx::aaaa]:2189/ctl/IPConn
    Local LAN ip address : 2001:xxxx::bbbb
    FirewallEnabled: 0 & Inbound Pinhole Allowed: 0
    GetFirewallStatus:
    Firewall Enabled: No
    Inbound Pinhole Allowed: No
    Bytes: Sent: 1545513490 Recv: 3089380226
    Packets: Sent: 49235841 Recv: 55804417
If I try to open a pinhole using upnpc, I get an invalid action error:
    $ upnpc -6 -A 0 0 2001:xxxx::bbbb 808080 tcp 30
    upnpc : miniupnpc library test client, version 2.2.3.
    (c) 2005-2021 Thomas Bernard.
    Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
    for more information.
    List of UPNP devices found on the network :
    desc: http://[2001:xxxx::aaaa]:2189/rootDesc.xml
    st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
    Found valid IGD : http://[2001:xxxx::aaaa]:2189/ctl/IPConn
    Local LAN ip address : 2001:xxxx::bbbb
    AddPinhole([0]:0 -> [2001:xxxx::bbbb]:808080) failed with code 401 (Invalid Action)
Looking at the (verbose) logs for miniupnpd in pfSense, I see this:
    Apr 28 22:50:05 miniupnpd 20189 HTTP REQUEST from [2001:xxxx::bbbb]:47348 : POST / (HTTP/1.1)
    Apr 28 22:50:05 miniupnpd 20189 SOAPAction: #AddPinhole
    Apr 28 22:50:05 miniupnpd 20189 SoapMethod: Unknown: AddPinhole
    Apr 28 22:50:05 miniupnpd 20189 Returning UPnPError 401: Invalid Action
which suggests that miniupnpd was not compiled with IGDv2 support.
While investigating this, I came across Issue #4321, whose related patch contains a 'UPNP_IGDV2' option that no longer exists in modern versions of 'miniupnpd_SET_FORCE' in the ports make.conf file. I also found Issue #5730, which suggests that the IGDv2 functionality was removed in order to fix interop issues with Windows/Xboxes.
Would it be possible to allow for a toggle or opt-in between IGD versions? I'm currently investigating several use cases for IPv6 pinholing (i.e., users that may be dealing with IPv4 CGNAT but have IPv6 GUAs), but a prerequisite is a working IGDv2 implementation on my router.
Also, the online documentation is misleading regarding the state of IPv6 support and could probably use additional details about the limitations of the current implementation.
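The upnpc output in the report shows the gateway advertising InternetGatewayDevice:1. As an added example (not part of the original report and not pfSense or miniupnpd code), this Python check parses a UPnP root description and returns the advertised IGD version plus the control URL of a WANIPv6FirewallControl service, the IGDv2 service that defines AddPinhole. Both sample descriptors and the `/ctl/example-ip6fc` control URL are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"d": "urn:schemas-upnp-org:device-1-0"}
IGD_RE = re.compile(r"urn:schemas-upnp-org:device:InternetGatewayDevice:([0-9]+)")
PINHOLE_SVC = "urn:schemas-upnp-org:service:WANIPv6FirewallControl:"
MAX_DESC_BYTES = 256 * 1024  # the descriptor comes from the network; bound it


def igd_capabilities(root_desc_xml):
    """Return (igd_version, pinhole_control_url) for a rootDesc.xml string.

    igd_version is None if the root device is not an IGD; pinhole_control_url
    is None if no WANIPv6FirewallControl service is advertised.
    """
    if len(root_desc_xml) > MAX_DESC_BYTES:
        raise ValueError("device description too large")
    root = ET.fromstring(root_desc_xml)
    match = IGD_RE.fullmatch(root.findtext("d:device/d:deviceType", "", NS).strip())
    version = int(match.group(1)) if match else None
    # Services can sit on the root device or on any embedded device.
    for svc in root.iterfind(".//d:service", NS):
        if svc.findtext("d:serviceType", "", NS).strip().startswith(PINHOLE_SVC):
            return version, svc.findtext("d:controlURL", "", NS).strip() or None
    return version, None


def make_sample(version, services):
    """Build a constructed, minimal descriptor (not captured from a router)."""
    svc = "".join(
        f"<service><serviceType>{t}</serviceType><controlURL>{u}</controlURL></service>"
        for t, u in services)
    return ('<root xmlns="urn:schemas-upnp-org:device-1-0"><device><deviceType>'
            f"urn:schemas-upnp-org:device:InternetGatewayDevice:{version}</deviceType>"
            f"<deviceList><device><serviceList>{svc}</serviceList></device></deviceList>"
            "</device></root>")


SAMPLE_V1 = make_sample(1, [("urn:schemas-upnp-org:service:WANIPConnection:1", "/ctl/IPConn")])
SAMPLE_V2 = make_sample(2, [("urn:schemas-upnp-org:service:WANIPConnection:2", "/ctl/IPConn"),
                            (PINHOLE_SVC + "1", "/ctl/example-ip6fc")])  # placeholder URL

if __name__ == "__main__":
    for name, desc in (("IGDv1", SAMPLE_V1), ("IGDv2", SAMPLE_V2)):
        version, url = igd_capabilities(desc)
        print(name, "-> version", version, "| pinhole service:", url or "not advertised")
```

To check a real gateway, pass the body fetched from the `desc:` URL that upnpc prints to `igd_capabilities`.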
Updated by Jim Pingle 7 months ago
- Subject changed from miniupnpd lacks support for IPv6 pinholing (disabled IGDv2 support?) to ``miniupnpd`` lacks IGDv2 support
- Target version set to 2.8.0
- Plus Target Version set to 24.07
The choice between v1 and v2 is a compile-time option so we can't make it a GUI selection; however, given the age of the other issues it's probably worth trying to turn it back on during the next release cycle. The previous bugs from 8/9 years ago are unlikely still an issue now, especially as the consoles in question are a couple generations old.
We do have IPv6 support enabled in miniupnpd but support is likely limited to certain clients/protocols. Just because it doesn't work in your case doesn't mean it doesn't work at all.
Updated by Jim Pingle 6 months ago
- Plus Target Version changed from 24.07 to 24.08
Updated by Jim Pingle about 1 month ago
- Plus Target Version changed from 24.08 to 24.11
Updated by Jim Pingle about 1 month ago
- Plus Target Version changed from 24.11 to 25.01