Setting up pfSense UPnP for a VLAN

I’m trying to run programs for crypto that specifically require UPnP to be active.
I’m currently running pfSense v23.09.1.
I have my regular LAN set to 192.168.2.0/24 for my desktops.
I have several VLANs, and all are isolated by firewall rules so they can’t communicate with each other.
I set up a separate VLAN, 192.168.10.0/24, called Vlan10 for these crypto programs.

The program requires the ability to be connected by random ports from outside the network at various times, thus the need for UPnP.

I was instructed to set up the outbound NAT this way as well.
I am still getting errors, with the program complaining that ports are not reachable from outside.
Error:
Benchmark failed
Reason:
Failed: Error on FluxOs response - Ports tested not reachable from outside, DMZ or UPNP required! All ports that have failed: [12843,12844,12845,12846,12847,12848,12849,12850,12851,12852,12853,12854,12855,12856,12857,12858,12859,12860,12861,12862,12863,12864,12865,12866,12867,12868,12869,12870,12871,12872,12873,12874,12875,12876,12877,12878,12879,12880,12881,12882,12883,12885,12886,12442,12467,12468,12469,12470,12471,12472,12473,12474,12475,12476,12477,12478,12479,12480,12481,12482,12483,12484,12485,12486,12487,12488,12489,12490,12491,12492,12493,12494,12495,12496,12497,12498,12499,12500,12501,12502,12503,12504,12505,12506,12507,12508,12509,12510,12511,12512,12513,12514,12515,12516,12517,12518,12519,12520,12394,11238

There are no firewall rules set up for this Vlan10, so as not to conflict.

FYI, I have another entirely different program for another crypto on my Vlan30 that is also set up for UPnP and does not have this problem, so right now I’m only focused on the problem above.

Can anyone tell me how to correct this problem?

What are your ACL Entries? You can have this on and with the proper interfaces, but you have to have ACLs too.

On a side note, it would probably be easier to set up a NAT rule instead of using UPnP.


Here is my ACL. The group says I need to allow 1–65535 for their software to work.

I’ve tried to get support from their Discord group, but I keep getting conflicting info, so that’s why I’m seeking advice here.

Also, they will only support UPnP!
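Since the ACL screenshot itself is not in the thread, here is an added example (my own code, not from the original poster, pfSense, or the FluxOS project) that shows what the "allow 1–65535" advice in the two posts above actually means in terms of the ACL entries the UPnP & NAT-PMP service consumes. It models the entry format pfSense passes to miniupnpd (`allow|deny <external ports> <internal IP or CIDR> <internal ports>`) and, as an assumption about miniupnpd's behaviour, evaluates entries first-match-wins with an unmatched request allowed unless the "Default Deny" option is set. It also assumes the program asks for the same external and internal port. The two ACLs, the abbreviated error text and the host list are constructed for illustration; the hosts and port numbers are the ones quoted in the thread.

```python
"""Check UPnP port-mapping requests against pfSense-style UPnP ACL entries.

Added example, not code from the thread, pfSense or FluxOS. Assumptions:
entries are evaluated first-match-wins (as in miniupnpd), an unmatched
request is allowed unless default_deny is set, and the program requests
external port == internal port.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    """One ACL line: action, external port range, internal net, internal port range."""
    action: str
    ext_lo: int
    ext_hi: int
    net: ipaddress.IPv4Network
    int_lo: int
    int_hi: int


def parse_port_range(text):
    """'1024-65535' -> (1024, 65535); a single port '12443' -> (12443, 12443)."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), (int(hi) if hi else int(lo))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi


def parse_acl(lines):
    """Parse ACL lines; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"bad ACL entry: {raw!r}")
        ext_lo, ext_hi = parse_port_range(parts[1])
        int_lo, int_hi = parse_port_range(parts[3])
        net = ipaddress.ip_network(parts[2], strict=False)  # a bare IP becomes /32
        entries.append(AclEntry(parts[0], ext_lo, ext_hi, net, int_lo, int_hi))
    return entries


def mapping_allowed(entries, ext_port, int_addr, int_port, default_deny=False):
    """First entry matching all three fields decides; no match -> default."""
    addr = ipaddress.ip_address(int_addr)
    for e in entries:
        if (e.ext_lo <= ext_port <= e.ext_hi
                and e.int_lo <= int_port <= e.int_hi
                and addr in e.net):
            return e.action == "allow"
    return not default_deny


def failed_ports(error_text):
    """Pull the port list out of a 'Ports tested not reachable' message."""
    m = re.search(r"\[([\d,\s]+)", error_text)
    if not m:
        return []
    return sorted({int(p) for p in m.group(1).split(",") if p.strip()})


def to_ranges(ports):
    """Collapse a sorted port list into (lo, hi) runs to compare with the ACL."""
    runs = []
    for p in ports:
        if runs and p == runs[-1][1] + 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs


def audit(acl_lines, hosts, error_text, default_deny=False):
    """Return the (host, port) pairs this ACL would refuse to map."""
    entries = parse_acl(acl_lines)
    refused = []
    for host in hosts:
        for port in failed_ports(error_text):
            if not mapping_allowed(entries, port, host, port, default_deny):
                refused.append((host, port))
    return refused


# Constructed sample data: the thread's error text (abbreviated), the eight
# VM addresses the poster listed, and two candidate ACLs to compare.
FLUX_ERROR = ("Ports tested not reachable from outside, DMZ or UPNP required! "
              "All ports that have failed: [12843,12844,12845,12846,12885,12886,"
              "12442,12467,12468,12394,11238")
FLUX_HOSTS = [f"192.168.10.{n}" for n in range(5, 13)]
ACL_WIDE = ["allow 1024-65535 192.168.10.0/24 1024-65535",   # what 'allow everything' looks like
            "deny 0-65535 0.0.0.0/0 0-65535"]
ACL_NARROW = ["allow 12000-13000 192.168.10.0/24 12000-13000",  # too narrow: misses 11238
              "deny 0-65535 0.0.0.0/0 0-65535"]

if __name__ == "__main__":
    print("failed port runs:", to_ranges(failed_ports(FLUX_ERROR)))
    print("refused by wide ACL:", audit(ACL_WIDE, FLUX_HOSTS, FLUX_ERROR))
    print("refused by narrow ACL:", audit(ACL_NARROW, FLUX_HOSTS, FLUX_ERROR))
```

Running it against the full port list from the error shows the failures cluster into a few contiguous runs, which is the quickest way to spot an ACL that stops short of a range the program needs. The wide ACL refuses nothing for any of the eight VMs, so if that is what the ACL page holds, the ACL is not the reason those ports are unreachable; the narrow one refuses 11238 for every host, which is the kind of mismatch to look for when only a subset of ports fails.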

No one else got any ideas?? I know there are some real sharp people up here.

The crypto program developers only support UPnP and said no firewall rules, including NAT.
I have pfSense set to Pure NAT, and they said to set the outbound NAT the way I have it, but that’s it. Their support for pfSense is seriously lacking. I get conflicting info from them.

Allowing machines to configure port openings on a firewall is a security risk for the VLAN that you allow opening ports for unless that VLAN cannot access anything else in your network and all machines in the VLAN are expendable.

Just use a search engine there are many articles on that.

Have you tried going to Services > UPnP & NAT-PMP, clicking Stop Service in the upper right-hand corner, and then Start Service to see if that fixes your issue? What do your firewall rules look like for Vlan10? Can this Vlan10 get out to the Internet?

Yea, every forum has a smart ass who wants to tell people how to do things the way “THEY” should do things. You do you and I’ll do myself. You must not know how to harden a firewall and still be highly careful in isolating networks.


Yes, it can go out to the Internet, and only a select set of ports appear to be blocked from coming in. I have rebooted the router and tried restarting the service many times. Once I reboot it, everything is fine for about 5 hours and then I get the errors. From what I understand, if you use UPnP, most firewall rules will screw it up. The only rule I have for Vlan10 is to isolate its communication from all other VLANs so everything is protected. The crypto program developers expressly say do not use firewall rules because it negates UPnP. It never was a problem (for 2 years) until last week, when they incorporated port checking in their software. They say their software is not causing this problem and the problem is with pfSense. I don’t know if they’re correct, but it’s my decision to participate and support it as long as my network is protected.

I’m curious if you simply create a NAT rule (port forward) to allow to your subnet and your port range and see if that solves your problem.

Is this what you’re suggesting?

Do you have a single IP in that VLAN, or are you using the entire subnet of IPs? If you are trying to do the entire subnet, I don’t think that is going to work. The routes need to know where they need to go, and you can’t specify the entire subnet. If that makes sense.

I have 8 VMs, so separate IPs: 192.168.10.5–192.168.10.12.
So you’re saying I should have a rule for each one?

Think about it. If a packet arrives to your external address (assuming you have only one external IP address), how would your router know which of the 8 internal IP addresses it should be forwarded to?