Project

General

Profile

Actions

Bug #15448

open

``miniupnpd`` lacks IGDv2 support

Added by Allan Hsu 8 months ago. Updated about 1 month ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
UPnP IGD & PCP
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Plus-Next
Release Notes:
Default
Affected Version:
2.7.2
Affected Architecture:
All

Description

The pfSense documentation here claims that miniupnpd on current versions of pfSense supports IPv6, but as far as I can tell, while it can be connected to via IPv6, it does not support the IGDv2 functionality that IPv6 clients would want to use. When I use upnpc to query my pfSense 2.7.2 machine, it reports that it is both not "Firewall Enabled" and that it does not allow inbound pinholes:

$ upnpc -6 -S
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://[2001:xxxx::aaaa]:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://[2001:xxxx::aaaa]:2189/ctl/IPConn
Local LAN ip address : 2001:xxxx::bbbb
FirewallEnabled: 0 & Inbound Pinhole Allowed: 0
GetFirewallStatus:
   Firewall Enabled: No
   Inbound Pinhole Allowed: No
Bytes:   Sent: 1545513490       Recv: 3089380226
Packets: Sent: 49235841 Recv: 55804417

If I try to open a pinhole using upnpc, I get an invalid action error:

$ upnpc -6 -A 0 0 2001:xxxx::bbbb 808080 tcp 30
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://[2001:xxxx::aaaa]:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://[2001:xxxx::aaaa]:2189/ctl/IPConn
Local LAN ip address : 2001:xxxx::bbbb
AddPinhole([0]:0 -> [2001:xxxx::bbbb]:808080) failed with code 401 (Invalid Action)

Looking at the (verbose) logs for miniupnpd in pfSense, I see this:

Apr 28 22:50:05    miniupnpd    20189    HTTP REQUEST from [2001:xxxx::bbbb]:47348 : POST / (HTTP/1.1)
Apr 28 22:50:05    miniupnpd    20189    SOAPAction: #AddPinhole
Apr 28 22:50:05    miniupnpd    20189    SoapMethod: Unknown: AddPinhole
Apr 28 22:50:05    miniupnpd    20189    Returning UPnPError 401: Invalid Action

which suggests that miniupnpd was not compiled with IGDv2 support.

While investigating this, I came across Issue #4321, whose related patch contains a 'UPNP_IGDV2' option that no longer exists in modern versions of 'miniupnpd_SET_FORCE' in the ports make.conf file. I also found Issue #5730, which suggests that the IGDv2 functionality was removed in order to fix interop issues with Windows/Xboxes.

Would it be possible to allow for a toggle or opt-in between IGD versions? I'm currently investigating several use cases for IPv6 pinholing (ie: users that may be dealing with IPv4 CGNAT but have IPv6 GUAs), but a prerequisite is a working IGDv2 implementation on my router.

Also, the online documentation is misleading regarding the state of IPv6 support and could probably use additional details about the limitations of the current implementation.

Actions #1

Updated by Jim Pingle 8 months ago

  • Subject changed from miniupnpd lacks support for IPv6 pinholing (disabled IGDv2 support?) to ``miniupnpd`` lacks IGDv2 support
  • Target version set to 2.8.0
  • Plus Target Version set to 24.07

The choice between v1 and v2 is a compile-time option so we can't make it a GUI selection, however, given the age of the other issues it's probably worth trying to turn it back on during the next release cycle. The previous bugs from 8/9 years ago are unlikely still an issue now, especially as the consoles in question are a couple generations old.

We do have IPv6 support enabled in miniupnpd but support is likely limited to certain clients/protocols. Just because it doesn't work in your case doesn't mean it doesn't work at all.

Actions #2

Updated by Jim Pingle 7 months ago

  • Plus Target Version changed from 24.07 to 24.08
Actions #3

Updated by Jim Pingle 2 months ago

  • Plus Target Version changed from 24.08 to 24.11
Actions #4

Updated by Jim Pingle 2 months ago

  • Plus Target Version changed from 24.11 to 25.01
Actions #5

Updated by Marcos M about 1 month ago

  • Target version changed from 2.8.0 to CE-Next
  • Plus Target Version changed from 25.01 to Plus-Next

Searching around, it looks like compatibility is still enough of a potential issue that this is not worth switching over yet.

Actions

Also available in: Atom PDF