
FINALLY!! PfSense UPnP and Multiple Consoles Playing the Same Game


Summary

I’ve been running PfSense since 2014 and was never able to get UPnP to work when multiple consoles tried to play the same game and each get an open NAT. I’m currently running version 22.01/2.6.0 and the issue was still unresolved. Every few months the complaint would come up in the house: one person trying to convince the other to stop playing so they could play with open NAT, and so on. So I would do my regular check, test my Google-fu to see whether the problem had been solved, and try the options others claimed had fixed it, with no resolution. Finally, after years of let-downs, I stumbled across a promising thread involving a Netgate employee and developer and a community determined to solve this issue. Thank you! Thank you! Thank you!!

So, here are my documented steps following the forum post, which you can find below in the references…


*** This Patch is No Longer Needed if Using PfSense 2.7.0 ***


Add and Apply Patch

PfSense Dashboard->System => Patches = Add New Patch


The patch can be applied using the System Patches package. Click Add New Patch to create a new entry, then copy the commit ID below and paste it into the URL/Commit ID box.

3b50f7656967fbb4daa869a7ae6d18bc5ab6eec3

Then save and apply changes.

Alternatively, you can paste the added rules in by hand: go to Diagnostics->Edit File, browse to /etc/inc/filter.inc, and insert the rules from the patch there.

NAT Patch Rules

The patch will appear in the table with the option to revert the patch.

Patch Applied

After applying the fix, either reboot the firewall OR trigger a filter reload (Status > Filter Reload) and then reset the state table (Diagnostics > States).

Settings

After applying the patch, I removed the port forwards I had created for UPnP services, removed the manual outbound NAT mappings, and set Outbound NAT Mode to “Automatic outbound NAT rule generation”. Before this it was set to Manual Outbound NAT, with an attempt to map the services by hand, with no luck.

Outbound NAT

I set up ACL entries in the UPnP Access Control Lists for the consoles that I want to limit UPnP to.

Services->UPnP & NAT-PMP = UPnP Access Control Lists

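As an added example (not from the original post), here is what a restrictive set of UPnP ACL entries looks like in the format the UPnP & NAT-PMP page expects, one entry per row: [allow or deny] [external port or range] [internal address or CIDR] [internal port or range]. The addresses are constructed placeholders, not values from the post; substitute the static or DHCP-reserved addresses of your own consoles.

```text
allow 1024-65535 192.168.10.20/32 1024-65535
allow 1024-65535 192.168.10.21/32 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
```

miniupnpd evaluates these entries in order and the first match wins, so the two allow lines admit only the listed consoles, and the final deny line refuses mapping requests from every other host on the LAN. Restricting the port ranges to 1024-65535 also keeps a misbehaving client from claiming mappings on the well-known ports below 1024.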

Conclusion

After applying the patch and changing the settings above, all the consoles and PCs had open NAT even when two consoles/PCs were playing the same game. I received much praise for this, but of course we are only standing on the shoulders of giants. Much thanks to JIMP and the community who made this possible!

References

Last piece of the puzzle – The discussion that led to the fix

The Fix – The documented fix with additional solutions of other community members