UPnP dysfunctional

So I’ve spent the last few days test-driving various “semi-professional” router packages (pfSense, OPNsense, Untangle, and RouterOS) and I’ve yet to find any consistency.

Mikrotik appears to work the worst - Call of Duty: WWII on PC never generates rules for the game. So, I went to File Manager → Network → “Network Infrastructure” and I see “Mikrotik Router”. Proof UPnP is alive!

I use this tool (built in to Windows) to generate a NAT exception:

When I hit OK on that window and its parent, I receive this response:

Over in the firewall, it appears things work:

And now as I’ve been typing this message, the Mikrotik Router icon disappeared from my network. UPnP is still enabled in Winbox:

Cycling the enable status of the UPnP service brought the Mikrotik Router icon back. It would appear the UPnP service crashed and didn’t auto-restart.

The only oddity of my configuration is that my “House LAN” interface is a bridge.

Any ideas? Do I go compile LEDE for x86 and call it done?

A while ago I had enabled UPnP and it worked. But now it is widely advised to keep UPnP disabled because it is so dangerous, so it probably does not get as much attention anymore. Maybe some change has broken it?

UPnP is working, but the problem is that Windows reports a failure.
OP is using the method described here: http://wiki.bitcomet.com/add_port_mapping_in_nat_router#windows_vista_and_windows_7
I can confirm: the port mapping is added successfully, but Windows displays the mentioned error message. (Windows 10)

It made the rule, yes. But the UPnP daemon crashed and did not come back until I manually restarted it.

As for UPnP being insecure - anything that allows an anonymous third party to open ports on your network is a generally terrible idea - but the evil is necessary until there’s widespread IPv6 deployment or IPv6 is replaced by something that people want/can rapidly deploy…

More and more services use only outbound connections to a server “in the cloud” that acts as a go-between. This makes opening ports unnecessary.

The exact opposite trend is occurring in online gaming. Historically, online games had a centralized server which was used as a “meeting point”. Modern games only offer finder services for P2P games.

The biggest problem is that one of the most popular PC P2P games (Call of Duty, currently WWII) is programmed by Activision. They’ve never been good at writing multiplayer interfaces and this version is extra crappy. Unfortunately there are tons of reports that cheap consumer routers are handling the NAT/UPnP fine, offering “Open” NAT, even with multiple PCs/players behind a single IP. I’m fairly certain that Activision isn’t doing UPnP correctly, but it’s easier to work around issues in your own code than to get someone else to fix theirs (I’m guessing the consumer router firmware builders understand this).

What do you get if you export your /ip upnp?

It sounds like it is enabled and internal is configured but not external.

I just picked up a hint off another forum that it could be ESXi (CHR installation) eating the data. I enabled Forged Transmits and Promiscuous Mode on both the LAN and WAN interfaces (dedicated vSwitch for each) and it appears things are now functional. I’ll do more testing this afternoon and update this post with my findings.

This totally explains why it refused to work with every firewall package I tried!

http://www.upnp-hacks.org/upnp.html just explained a lot about how the protocol works. Pretty sure VMware was eating the multicast traffic by default. The Windows UPnP firewall management now works “properly” (the error box still pops up, but adding/deleting rules works fine) and doesn’t cause the UPnP daemon on the CHR side to crash.
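To make the multicast dependency concrete, here is an added example (not code from the thread, from MikroTik or from the linked page) of the two UPnP steps a Windows client performs when it adds a NAT rule: an SSDP M-SEARCH multicast to 239.255.255.250:1900, to which the gateway replies by unicast with a LOCATION header, followed by a SOAP AddPortMapping call against the WANIPConnection service. If the hypervisor's vSwitch drops the multicast, step one never gets an answer and nothing else happens. The sample SSDP reply, the addresses 192.168.88.1/192.168.88.10, port 2828 and the all-zero UUID are constructed for illustration; only `discover()` touches the network, and only when run with the `live` argument.

```python
"""SSDP discovery plus a WANIPConnection#AddPortMapping request.

Added example; not from the forum thread or from MikroTik. The sample
reply, IP addresses, ports and UUID below are constructed placeholders.
"""
import socket
import sys
import xml.sax.saxutils as saxutils

SSDP_GROUP = "239.255.255.250"  # UPnP multicast group; discovery stalls if a vSwitch drops it
SSDP_PORT = 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_msearch(st=IGD_ST, mx=2):
    """Build the SSDP M-SEARCH datagram a client multicasts to find gateways."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data):
    """Parse the gateway's unicast 'HTTP/1.1 200 OK' reply into lower-cased headers."""
    text = data.decode("ascii", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status line: {status!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def discover(timeout=2.0):
    """Multicast one M-SEARCH and collect every gateway that answers (needs a network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
    found = []
    try:
        while True:
            data, addr = sock.recvfrom(65535)
            found.append((addr[0], parse_ssdp_response(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


def build_add_port_mapping(ext_port, proto, int_port, int_client, description, lease_seconds=0):
    """Build the HTTP headers and SOAP body for WANIPConnection#AddPortMapping."""
    args = [
        ("NewRemoteHost", ""),              # empty = any remote host
        ("NewExternalPort", str(ext_port)),
        ("NewProtocol", proto),             # "TCP" or "UDP"
        ("NewInternalPort", str(int_port)),
        ("NewInternalClient", int_client),
        ("NewEnabled", "1"),
        ("NewPortMappingDescription", description),
        ("NewLeaseDuration", str(lease_seconds)),  # 0 = no expiry
    ]
    inner = "".join(f"<{k}>{saxutils.escape(v)}</{k}>" for k, v in args)
    body = (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:AddPortMapping xmlns:u="{WANIP_SERVICE}">{inner}'
        '</u:AddPortMapping></s:Body></s:Envelope>'
    )
    headers = {
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{WANIP_SERVICE}#AddPortMapping"',
    }
    return headers, body


# Constructed sample reply, shaped like an IGD's answer to an M-SEARCH (not a real capture).
SAMPLE_SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.88.1:2828/gateway.xml\r\n"
    b"SERVER: RouterOS UPnP/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    hdrs = parse_ssdp_response(SAMPLE_SSDP_REPLY)
    print("device description at:", hdrs["location"])
    soap_headers, soap_body = build_add_port_mapping(27015, "UDP", 27015, "192.168.88.10", "example")
    print(soap_headers["SOAPAction"])
    print(soap_body)
    if len(sys.argv) > 1 and sys.argv[1] == "live":
        for ip, h in discover():
            print(ip, h.get("server"), h.get("location"))
```

Run it with no arguments to see the constructed exchange offline, or with `live` to multicast a real M-SEARCH on your LAN; a gateway whose vSwitch or bridge swallows the multicast simply never appears in the output. The control URL for the SOAP call is read from the device description at LOCATION, which is the step a full client (such as Windows) performs between the two shown here.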