Regression #15470

closed

Port forward rules created by ``miniupnpd`` do not expire

Added by Steve Wheeler 7 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Category: UPnP/NAT-PMP
% Done: 0%
Plus Target Version: 24.11
Release Notes: Default

Description

Testing in 24.03 on a 3100 I added some test values with a 3600s lifetime:

UPnP & NAT-PMP Rules
WAN     tcp     any     any     personal-agent     172.21.16.8     5555     Test
WAN     tcp     any     any     5554     172.21.16.8     5554     Test
WAN     tcp     any     any     5553     172.21.16.8     5553     Test 

15hrs later they are still shown as active in the UPnP status and as present in the running ruleset:

miniupnpd rules/nat contents:
rdr pass quick on mvneta2 inet proto tcp from any to any port = personal-agent keep state label "Test" rtable 0 -> 172.21.16.8 port 5555
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5554 keep state label "Test" rtable 0 -> 172.21.16.8 port 5554
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5553 keep state label "Test" rtable 0 -> 172.21.16.8 port 5553
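
A check for the symptom described in this report, as an added example (not part of the original report, and not pfSense or miniupnpd code): it parses rule text in the form shown above from timestamped snapshots and flags mappings that are still present after their requested lifetime. The function names, the snapshot timestamps and the 60-second grace period are assumptions made for the example.

```python
import re

# Matches rdr lines in the form printed in the report above.
RDR_RE = re.compile(
    r'rdr pass quick on (?P<iface>\S+) inet proto (?P<proto>\w+) '
    r'from any to any port = (?P<ext>\S+) keep state '
    r'label "(?P<label>[^"]*)" rtable \d+ -> (?P<host>\S+) port (?P<port>\d+)$'
)

# Rule text copied from the report; the timestamps further down are constructed.
REPORTED_RULES = """\
rdr pass quick on mvneta2 inet proto tcp from any to any port = personal-agent keep state label "Test" rtable 0 -> 172.21.16.8 port 5555
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5554 keep state label "Test" rtable 0 -> 172.21.16.8 port 5554
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5553 keep state label "Test" rtable 0 -> 172.21.16.8 port 5553
"""


def parse_rules(text):
    """Return the set of (proto, ext_port, host, int_port, label) mappings."""
    rules = set()
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if m:
            # pf may print a service name (personal-agent) instead of a number.
            rules.add((m["proto"], m["ext"], m["host"], int(m["port"]), m["label"]))
    return rules


def stale_mappings(snapshots, lifetime, grace=60):
    """Map each rule in the newest snapshot to its age if it outlived its lease.

    snapshots: (unix_time, rules_text) pairs, oldest first. Age is counted from
    the first snapshot of an unbroken run, so a removed and re-added mapping
    starts over. A client renewal also looks like continuous presence.
    """
    first_seen, last_ts = {}, None
    for last_ts, text in snapshots:
        current = parse_rules(text)
        first_seen = {r: first_seen.get(r, last_ts) for r in current}
    return {r: last_ts - t0 for r, t0 in first_seen.items()
            if last_ts - t0 > lifetime + grace}


if __name__ == "__main__":
    # Constructed timeline: the same rules seen at t=0 and 15 hours later.
    observed = [(0, REPORTED_RULES), (15 * 3600, REPORTED_RULES)]
    for rule, age in sorted(stale_mappings(observed, lifetime=3600).items()):
        print(f"stale after {age}s: {rule}")
```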

Actions #1

Updated by Wyatt Childers 7 months ago

Steve Wheeler wrote:

Testing in 24.03 on a 3100 I added some test values with a 3600s lifetime:
[...]

15hrs later they are still shown as active in the UPnP status and as present in the running ruleset:
[...]

I'm seeing this problem as well and this may be related: https://github.com/miniupnp/miniupnp/issues/715

Similar to the GitHub issue, I'm seeing issues with UPnP and NAT-PMP on pfSense 24.03 with many log entries reading:

ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists

and others reading:

Failed to add NAT-PMP 22493 udp->192.168.7.156:22475 'NAT-PMP 22493 udp'

The GitHub issue would suggest that this affects pfSense releases based on FreeBSD 14 and FreeBSD 15 though I've only recently become aware of the issue following an investigation of issues with a ZeroTier deployment.

Actions #2

Updated by Kristof Provost 7 months ago

  • Status changed from New to Feedback
  • Assignee set to Kristof Provost

I've updated miniupnpd to the latest version and adjusted the libpfctl patch in https://gitlab.netgate.com/pfSense/FreeBSD-ports/-/commit/6e7d96166c051915155356546474a1c6e68cf2aa
That fixes the lack of expiring entries.

Actions #3

Updated by Marcos M 6 months ago

  • Status changed from Feedback to Resolved

With the fix, port mappings correctly automatically expire and can be removed on client request.

Actions #4

Updated by Bob Dig 6 months ago

Marcos M wrote in #note-3:

With the fix, port mappings correctly automatically expire and can be removed on client request.

May I ask for a patch for this? Would be nice to have it early.

Actions #5

Updated by Steve Wheeler 6 months ago

It's not something that can be patched at runtime but an updated pkg is available in 24.03:

[24.03-RELEASE][admin@4200.stevew.lan]/root: pkg upgrade miniupnpd
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
    miniupnpd: 2.3.3_2,1 -> 2.3.6,1 [pfSense]

Number of packages to be upgraded: 1

73 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching miniupnpd-2.3.6,1.pkg: 100%   73 KiB  75.1kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Upgrading miniupnpd from 2.3.3_2,1 to 2.3.6,1...
[1/1] Extracting miniupnpd-2.3.6,1: 100%

Actions #6

Updated by Bob Dig 6 months ago

Steve Wheeler wrote in #note-5:

It's not something that can be patched at runtime but an updated pkg is available in 24.03:
[...]

Thank you. Open ports will be closed again right after closing the p2p-app.

Actions #7

Updated by Jim Pingle 6 months ago

  • Plus Target Version changed from 24.07 to 24.08

Actions #8

Updated by Jim Pingle about 2 months ago

  • Subject changed from Forwards created by miniupnpd do not expire to Port forward rules created by ``miniupnpd`` do not expire

Actions #9

Updated by Jim Pingle about 1 month ago

  • Plus Target Version changed from 24.08 to 24.11