Bug #15448

open

``miniupnpd`` lacks IGDv2 support

Added by Allan Hsu 7 months ago. Updated 7 days ago.

Status: New
Priority: Normal
Assignee: -
Category: UPnP/NAT-PMP
Target version:
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version: Plus-Next
Release Notes: Default
Affected Version: 2.7.2
Affected Architecture: All

Description

The pfSense documentation here claims that miniupnpd on current versions of pfSense supports IPv6, but as far as I can tell, while it can be connected to via IPv6, it does not support the IGDv2 functionality that IPv6 clients would want to use. When I use upnpc to query my pfSense 2.7.2 machine, it reports that it is both not "Firewall Enabled" and that it does not allow inbound pinholes:

$ upnpc -6 -S
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://[2001:xxxx::aaaa]:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://[2001:xxxx::aaaa]:2189/ctl/IPConn
Local LAN ip address : 2001:xxxx::bbbb
FirewallEnabled: 0 & Inbound Pinhole Allowed: 0
GetFirewallStatus:
   Firewall Enabled: No
   Inbound Pinhole Allowed: No
Bytes:   Sent: 1545513490       Recv: 3089380226
Packets: Sent: 49235841 Recv: 55804417

If I try to open a pinhole using upnpc, I get an invalid action error:

$ upnpc -6 -A 0 0 2001:xxxx::bbbb 808080 tcp 30
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://[2001:xxxx::aaaa]:2189/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://[2001:xxxx::aaaa]:2189/ctl/IPConn
Local LAN ip address : 2001:xxxx::bbbb
AddPinhole([0]:0 -> [2001:xxxx::bbbb]:808080) failed with code 401 (Invalid Action)

Looking at the (verbose) logs for miniupnpd in pfSense, I see this:

Apr 28 22:50:05    miniupnpd    20189    HTTP REQUEST from [2001:xxxx::bbbb]:47348 : POST / (HTTP/1.1)
Apr 28 22:50:05    miniupnpd    20189    SOAPAction: #AddPinhole
Apr 28 22:50:05    miniupnpd    20189    SoapMethod: Unknown: AddPinhole
Apr 28 22:50:05    miniupnpd    20189    Returning UPnPError 401: Invalid Action

which suggests that miniupnpd was not compiled with IGDv2 support.

While investigating this, I came across Issue #4321, whose related patch contains a 'UPNP_IGDV2' option that no longer exists in modern versions of 'miniupnpd_SET_FORCE' in the ports make.conf file. I also found Issue #5730, which suggests that the IGDv2 functionality was removed in order to fix interop issues with Windows/Xboxes.

Would it be possible to allow for a toggle or opt-in between IGD versions? I'm currently investigating several use cases for IPv6 pinholing (i.e., users that may be dealing with IPv4 CGNAT but have IPv6 GUAs), but a prerequisite is a working IGDv2 implementation on my router.

Also, the online documentation is misleading regarding the state of IPv6 support and could probably use additional details about the limitations of the current implementation.
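The same diagnosis can be read straight from the gateway's `rootDesc.xml`, since the description lists every device and service type the daemon advertises. The following is an added example, not part of the original report and not pfSense or miniupnpd code; the sample XML is constructed, and it assumes the IGDv2 convention that `AddPinhole` is an action of the `WANIPv6FirewallControl` service.

```python
import xml.etree.ElementTree as ET

NS = {"d": "urn:schemas-upnp-org:device-1-0"}
PINHOLE_SERVICE = "urn:schemas-upnp-org:service:WANIPv6FirewallControl:"

# Constructed sample description (not captured from a real device): an IGDv1
# tree with no WANIPv6FirewallControl service, matching the "st:" line above.
SAMPLE_IGDV1 = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <deviceList><device>
   <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
   <deviceList><device>
    <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
    <serviceList><service>
     <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
     <controlURL>/ctl/IPConn</controlURL>
    </service></serviceList>
   </device></deviceList>
  </device></deviceList>
 </device>
</root>"""


def igd_capabilities(root_desc_xml):
    """Summarise what a UPnP root description advertises for IPv6 pinholes."""
    root = ET.fromstring(root_desc_xml)
    root_type = root.findtext("d:device/d:deviceType", default="", namespaces=NS)
    # Services can sit at any depth of the embedded device tree.
    services = {}
    for svc in root.iterfind(".//d:service", NS):
        stype = svc.findtext("d:serviceType", default="", namespaces=NS)
        services[stype] = svc.findtext("d:controlURL", default="", namespaces=NS)
    pinhole_url = next((url for stype, url in services.items()
                        if stype.startswith(PINHOLE_SERVICE)), None)
    return {
        "igd_version": int(root_type.rsplit(":", 1)[-1]) if root_type else None,
        "service_types": sorted(services),
        "pinhole_control_url": pinhole_url,  # None: AddPinhole has no endpoint
    }


if __name__ == "__main__":
    print(igd_capabilities(SAMPLE_IGDV1))
```

A description fetched from a live gateway is untrusted input, so size-limit the download and parse it with a hardened XML parser before passing it to a check like this.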
