Regression #15470
closed
Port forward rules created by ``miniupnpd`` do not expire
Added by Steve Wheeler 7 months ago.
Updated about 1 month ago.
Plus Target Version: 24.11
Description
Testing in 24.03 on a 3100 I added some test values with a 3600s lifetime:
UPnP & NAT-PMP Rules
WAN tcp any any personal-agent 172.21.16.8 5555 Test
WAN tcp any any 5554 172.21.16.8 5554 Test
WAN tcp any any 5553 172.21.16.8 5553 Test
15hrs later they are still shown as active in the UPnP status and as present in the running ruleset:
miniupnpd rules/nat contents:
```
rdr pass quick on mvneta2 inet proto tcp from any to any port = personal-agent keep state label "Test" rtable 0 -> 172.21.16.8 port 5555
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5554 keep state label "Test" rtable 0 -> 172.21.16.8 port 5554
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5553 keep state label "Test" rtable 0 -> 172.21.16.8 port 5553
```
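The report above compares what the UPnP status page shows against the ``miniupnpd`` anchor contents and notes that the mappings outlived their 3600s lifetime. The following script is an added example, not part of the original report or of the miniupnpd/pfSense code: it parses ``rdr`` lines in the format quoted above (the three rules from the report are embedded as a constructed sample, as if read from ``pfctl -a miniupnpd -sn``) and compares each mapping against a constructed lease table of (creation time, lifetime) to flag rules that should already have expired. The anchor name, the lease table and the creation timestamp are assumptions for the example; a real check would read the anchor with ``pfctl`` and take the lease lifetimes from the client requests or the miniupnpd lease file.

```python
import re
import socket
from datetime import datetime, timedelta

# Constructed sample: the anchor contents quoted in the report, in the
# layout printed by `pfctl -a miniupnpd -sn` (assumed anchor name).
SAMPLE_RULES = """\
rdr pass quick on mvneta2 inet proto tcp from any to any port = personal-agent keep state label "Test" rtable 0 -> 172.21.16.8 port 5555
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5554 keep state label "Test" rtable 0 -> 172.21.16.8 port 5554
rdr pass quick on mvneta2 inet proto tcp from any to any port = 5553 keep state label "Test" rtable 0 -> 172.21.16.8 port 5553
"""

# pf prints well-known ports by service name; fallback for hosts whose
# /etc/services lacks the entry (personal-agent is 5555 in FreeBSD's file).
FALLBACK_SERVICES = {"personal-agent": 5555}

RDR_RE = re.compile(
    r"^rdr\s+pass\s+quick\s+on\s+(?P<ifname>\S+)\s+inet6?\s+proto\s+(?P<proto>\w+)\s+"
    r"from\s+\S+\s+to\s+\S+\s+port\s+=\s+(?P<ext_port>\S+)\s+.*?"
    r'label\s+"(?P<label>[^"]*)".*?->\s+(?P<int_host>\S+)\s+port\s+(?P<int_port>\d+)'
)


def resolve_port(token: str) -> int:
    """Turn a pf port token ('5554' or 'personal-agent') into a number."""
    if token.isdigit():
        return int(token)
    try:
        return socket.getservbyname(token)
    except OSError:
        if token in FALLBACK_SERVICES:
            return FALLBACK_SERVICES[token]
        raise ValueError(f"unknown service name in rdr rule: {token}")


def parse_rdr_rules(text: str) -> list[dict]:
    """Extract interface, protocol, external/internal endpoints and label."""
    rules = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue  # not an rdr rule (e.g. a pass rule or a comment)
        rules.append({
            "ifname": m["ifname"],
            "proto": m["proto"],
            "ext_port": resolve_port(m["ext_port"]),
            "int_host": m["int_host"],
            "int_port": int(m["int_port"]),
            "label": m["label"],
        })
    return rules


def find_stale_mappings(rules: list[dict], leases: dict, now: datetime) -> list[tuple[int, str]]:
    """Return (external port, reason) for every rule that should be gone.

    `leases` maps (proto, ext_port) -> (created_at, lifetime_seconds).
    A rule with no lease record is reported too: it is a mapping nobody
    is accounting for, which is exactly the symptom in the report.
    """
    stale = []
    for r in rules:
        lease = leases.get((r["proto"], r["ext_port"]))
        if lease is None:
            stale.append((r["ext_port"], "no lease record"))
            continue
        created, lifetime = lease
        expires = created + timedelta(seconds=lifetime)
        if now >= expires:
            stale.append((r["ext_port"], f"expired {now - expires} ago"))
    return stale


# Constructed lease table: the three mappings from the report, each
# requested with the 3600s lifetime the report mentions.
CREATED = datetime(2024, 5, 1, 12, 0, 0)  # assumed creation time
LEASES = {("tcp", p): (CREATED, 3600) for p in (5555, 5554, 5553)}


def check_sample(hours_elapsed: float) -> list[tuple[int, str]]:
    """Run the check against the sample anchor some hours after creation."""
    rules = parse_rdr_rules(SAMPLE_RULES)
    return find_stale_mappings(rules, LEASES, CREATED + timedelta(hours=hours_elapsed))


if __name__ == "__main__":
    # 15 hours later, as in the report: all three mappings should be gone.
    for port, reason in check_sample(15):
        print(f"stale mapping on external port {port}: {reason}")
```

Running it prints one line per leftover mapping; an empty result ten minutes after creation and three results fifteen hours later reproduce the behaviour described above. On a real system the same comparison, run periodically against the live anchor, is a simple way to confirm that the fixed package actually expires mappings.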
Steve Wheeler wrote:
> Testing in 24.03 on a 3100 I added some test values with a 3600s lifetime:
> [...]
> 15hrs later they are still shown as active in the UPnP status and as present in the running ruleset:
> [...]
I'm seeing this problem as well and this may be related: https://github.com/miniupnp/miniupnp/issues/715
Similar to the GitHub issue, I'm seeing issues with UPnP and NAT-PMP on pfSense 24.03 with many log entries reading:
```
ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_ADD_TAIL: File exists
```
and others reading:
```
Failed to add NAT-PMP 22493 udp->192.168.7.156:22475 'NAT-PMP 22493 udp'
```
The GitHub issue would suggest that this affects pfSense releases based on FreeBSD 14 and FreeBSD 15 though I've only recently become aware of the issue following an investigation of issues with a ZeroTier deployment.
- Status changed from New to Feedback
- Assignee set to Kristof Provost
- Status changed from Feedback to Resolved
With the fix, port mappings correctly automatically expire and can be removed on client request.
Marcos M wrote in #note-3:
> With the fix, port mappings correctly automatically expire and can be removed on client request.
May I ask for a Patch for this? Would be nice to have it early.
It's not something that can be patched at runtime but an updated pkg is available in 24.03:
```
[24.03-RELEASE][admin@4200.stevew.lan]/root: pkg upgrade miniupnpd
Updating pfSense-core repository catalogue...
pfSense-core repository is up to date.
Updating pfSense repository catalogue...
pfSense repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
	miniupnpd: 2.3.3_2,1 -> 2.3.6,1 [pfSense]

Number of packages to be upgraded: 1

73 KiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching miniupnpd-2.3.6,1.pkg: 100%   73 KiB  75.1kB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Upgrading miniupnpd from 2.3.3_2,1 to 2.3.6,1...
[1/1] Extracting miniupnpd-2.3.6,1: 100%
```
Steve Wheeler wrote in #note-5:
> It's not something that can be patched at runtime but an updated pkg is available in 24.03:
> [...]

Thank you. Open ports will be closed again right after closing the p2p app.
- Plus Target Version changed from 24.07 to 24.08
- Subject changed from Forwards created by miniupnpd do not expire to Port forward rules created by ``miniupnpd`` do not expire
- Plus Target Version changed from 24.08 to 24.11