OPNSense uPNP/ NAT issues

[PCSarge]

i have installed opnsense and am bridging through my ISP's provided modem for now (it does not dhcp lease or have wireless enabled)

 

the issue im having is ive installed the upnp plugin, rebooted it and when i run a game on my PC, it instant warns of STRICT NAT and doesnt allow me to session host.

 

the issues ive found are as follows :

 

- UPNP registers no ports when i connect to online portions of games

- setting a firewall rule to port forward through the NAT doesnt seem to function either

 

everything else is flawless, besides a little bit of speed loss between the modem and opnsense (like 50mbps, not much on 8gbps fiber)

 

im stumped and alot of games im playing im the session host for friends and have the game saves, so we're sort of SOL until i get this working.

 

any help is appreciated greatly. as im sure someone has knowledge i dont.

[ENTERPRISE]

On 08/01/2024 at 22:41, PCSarge said:

i have installed opnsense and am bridging through my ISP's provided modem for now (it does not dhcp lease or have wireless enabled)

 

the issue im having is ive installed the upnp plugin, rebooted it and when i run a game on my PC, it instant warns of STRICT NAT and doesnt allow me to session host.

 

the issues ive found are as follows :

 

- UPNP registers no ports when i connect to online portions of games

- setting a firewall rule to port forward through the NAT doesnt seem to function either

 

everything else is flawless, besides a little bit of speed loss between the modem and opnsense (like 50mbps, not much on 8gbps fiber)

 

im stumped and alot of games im playing im the session host for friends and have the game saves, so we're sort of SOL until i get this working.

 

any help is appreciated greatly. as im sure someone has knowledge i dont.

UPNP I find to be junk personally. Always manually forward ports if you can. 

 

I assume that you have forwarded the ports in your ISP router to the IP of your Firewall box, then in the Firewall box forwarded the same ports to your PC's static IP ?

 

You essentially have to forward the port traffic to your Firewall, and then forward it again to your PC. 

 

I also assumed your PC has a static IP ? Or bonded an IP to your MAC address ?

[PCSarge]

7 hours ago, ENTERPRISE said:

UPNP I find to be junk personally. Always manually forward ports if you can. 

 

I assume that you have forwarded the ports in your ISP router to the IP of your Firewall box, then in the Firewall box forwarded the same ports to your PC's static IP ?

 

You essentially have to forward the port traffic to your Firewall, and then forward it again to your PC. 

 

I also assumed your PC has a static IP ? Or bonded an IP to your MAC address ?

the pc is is on a static IP, i have tried a few things including port forwarding, which got me down to moderate in some games and strict in others.

 

the ISP router is completely bypassed, it doesnt even see the pfsense box, as pfsense is using pppoe and connecting directly to internet service. which makes the ISP router basically a glorified conversion interface for the fiber line

[ENTERPRISE]

8 hours ago, PCSarge said:

the pc is is on a static IP, i have tried a few things including port forwarding, which got me down to moderate in some games and strict in others.

 

the ISP router is completely bypassed, it doesnt even see the pfsense box, as pfsense is using pppoe and connecting directly to internet service. which makes the ISP router basically a glorified conversion interface for the fiber line

 

Well the only thing I can think of at the moment is the ISP router is still either interfering, which you can fix by configuring the ISP router to put your Firewall Device in the DMZ, which means the ISP router will ignore your Firewall device completely regarding any security protocols and will auto forward all traffic.

 

Other than that, it has been known that CGNAT can cause issues with port forwarding. It is possible that your ISP uses CGNAT.

 

What is CGNAT? And why doesn't port forwarding work with CGNAT? | Brsk Help Center

HELP.BRSK.CO.UK

---

A technical article on what CGNAT is and its uses

 

[pio]

This was the same reason I went away from OPNsense on mine.  I do not have a solution, just sharing that I've faced the same problem before of port forwarding not working / UPNP not working correctly on OPNsense.

[ENTERPRISE]

12 hours ago, pioneerisloud said:

This was the same reason I went away from OPNsense on mine.  I do not have a solution, just sharing that I've faced the same problem before of port forwarding not working / UPNP not working correctly on OPNsense.

 

All I can saw is port forwarding works flawlessly with my setup, ISP Router forwards traffic to my PfSense FW and then my PfSense FW forwards the traffic on to my actual devices. It is possible CGNAT is the issue or something related to PPPOE, though I cannot see how the PPPOE would make any difference.

[Kaz]

My approach would be to use wireshark to figure out what ports are needed, and nmap to see if those ports are actually open.  Chances are they aren't and your ISP router is still in play.

 

Setting the pfsense to demilitarized from your ISP router is a reasonable solution, that should eliminate the isp router as a problem.

 

In my previous experiences with this, the ISP router was still in play and the ports from it had to be forwarded as well.