Regression #15470
closed
Port forward rules created by ``miniupnpd`` do not expire
0%
Description
Testing in 24.03 on a 3100 I added some test values with a 3600s lifetime:
UPnP & NAT-PMP Rules
WAN tcp any any personal-agent 172.21.16.8 5555 Test
WAN tcp any any 5554 172.21.16.8 5554 Test
WAN tcp any any 5553 172.21.16.8 5553 Test
15hrs later they are still shown as active in the UPnP status and as present in the running ruleset:
miniupnpd rules/nat contents:
rdr pass quick on mvneta2 inet proto tcp from any to any port = personal-agent keep state label "Test" rtable 0 -> 172.21.16.8 port 5555
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5554 keep state label "Test" rtable 0 -> 172.21.16.8 port 5554
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5553 keep state label "Test" rtable 0 -> 172.21.16.8 port 5553
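One way to catch this condition from the outside, as an added example that is not part of the original report or of pfSense/miniupnpd: parse the `rdr` lines in the form shown above on each run, remember when each rule was first seen, and flag rules that have outlived the requested lifetime. The function names, the in-memory state dictionary and the idea of feeding it periodic snapshots (for instance from `pfctl -a miniupnpd -s nat`, anchor name assumed) are assumptions.

```python
import re

# Matches rdr lines in the form shown in the "miniupnpd rules/nat contents" listing.
RDR = re.compile(
    r'rdr pass quick on (?P<ifc>\S+) inet proto (?P<proto>\w+) from any to any '
    r'port = (?P<eport>\S+) keep state label "(?P<label>[^"]*)" rtable \d+ '
    r'-> (?P<iaddr>\S+) port (?P<iport>\d+)')

# Constructed sample: the three test rules from the report.
SAMPLE = '''\
rdr pass quick on mvneta2 inet proto tcp from any to any port = personal-agent keep state label "Test" rtable 0 -> 172.21.16.8 port 5555
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5554 keep state label "Test" rtable 0 -> 172.21.16.8 port 5554
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5553 keep state label "Test" rtable 0 -> 172.21.16.8 port 5553
'''

def parse_rules(text):
    """Return a set of (proto, ext_port, int_addr, int_port, label) tuples.

    ext_port stays a string because pf prints service names
    (e.g. personal-agent) in place of some port numbers.
    """
    return {(m['proto'], m['eport'], m['iaddr'], int(m['iport']), m['label'])
            for m in RDR.finditer(text)}

def update_first_seen(first_seen, rules, now):
    """Keep the first-seen time of rules still present; drop rules that are gone."""
    return {r: first_seen.get(r, now) for r in rules}

def stale_rules(first_seen, now, lifetime):
    """Rules observed for longer than the requested lifetime (seconds).

    Caveat: a client that legitimately renews its mapping keeps the same
    rule, so a hit is a prompt to check the lease, not proof of the bug.
    """
    return sorted(r for r, t in first_seen.items() if now - t > lifetime)

if __name__ == "__main__":
    # Snapshot at creation, then again 15 hours later with a 3600 s lifetime.
    seen = update_first_seen({}, parse_rules(SAMPLE), now=0)
    seen = update_first_seen(seen, parse_rules(SAMPLE), now=15 * 3600)
    for rule in stale_rules(seen, now=15 * 3600, lifetime=3600):
        print("STALE", rule)
```
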
Updated by Wyatt Childers 8 months ago
Steve Wheeler wrote:
Testing in 24.03 on a 3100 I added some test values with a 3600s lifetime:
[...]15hrs later they are still shown as active in the UPnP status and as present in the running ruleset:
[...]
I'm seeing this problem as well and this may be related: https://github.com/miniupnp/miniupnp/issues/715
Similar to the GitHub issue, I'm seeing issues with UPnP and NAT-PMP on pfSense 24.03 with many log entries reading:
ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists
and others reading:
Failed to add NAT-PMP 22493 udp->192.168.7.156:22475 'NAT-PMP 22493 udp'
The GitHub issue would suggest that this affects pfSense releases based on FreeBSD 14 and FreeBSD 15 though I've only recently become aware of the issue following an investigation of issues with a ZeroTier deployment.
Updated by Kristof Provost 8 months ago
- Status changed from New to Feedback
- Assignee set to Kristof Provost
I've updated miniupnpd to the latest version and adjusted the libpfctl patch in https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/commit/6e7d96166c051915155356546474a1c6e68cf2aa
That fixes the lack of expiring entries.
Updated by Steve Wheeler 7 months ago
It's not something that can be patched at runtime but an updated pkg is available in 24.03:
[24.03-RELEASE][admin@4200.stevew.lan]/root: pkg upgrade miniupnpd
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):
Installed packages to be UPGRADED:
miniupnpd: 2.3.3_2,1 -> 2.3.6,1 [pfSense]
Number of packages to be upgraded: 1
73 KiB to be downloaded.
Proceed with this action? [y/N]: y
[1/1] Fetching miniupnpd-2.3.6,1.pkg: 100% 73 KiB 75.1kB/s 00:01
Checking integrity... done (0 conflicting)
[1/1] Upgrading miniupnpd from 2.3.3_2,1 to 2.3.6,1...
[1/1] Extracting miniupnpd-2.3.6,1: 100%
Updated by Jim Pingle 7 months ago
- Plus Target Version changed from 24.07 to 24.08
Updated by Jim Pingle 3 months ago
- Subject changed from Forwards created by miniupnpd do not expire to Port forward rules created by ``miniupnpd`` do not expire
Updated by Jim Pingle 2 months ago
- Plus Target Version changed from 24.08 to 24.11