UPnP support
-
Yeah it doesn't look like the XBox is actually trying to map anything, but I can't be 100% sure - I'm just going off of what the logs say at this point. I'm bringing a hub home with me tonight so I'll be able to get a full capture of both sides of the conversation.
-
OK, I have some captures finally. :) They are in LibPCap format and were generated by Wireshark (the project formerly known as Ethereal) so should be viewable by just about anyone.
There are four .pcap files in a single .zip.
192.168.42.x is my internal range here. .1 is the pfsense box. .254 is a Linksys WRT54G running Sveasoft Talisman (which has working UPnP support). .2 is my Windows 2003 server - it does DHCP and DNS for the network, and it is what I was capturing from as well.
xbox360-startup.pcap is the dump from the bootup while connected to the pfsense box. Not much interesting here - you'll see the SSDP packets where it just checks for the router, and then a bunch of UDP as it connects to XBox Live.
xbox360-test_live_connection.pcap is the results of the "test my connection to Live" from the Xbox, while still routed through the pfsense box. You'll see a bunch of SSDP queries but then nothing else other than the UDP traffic once it signs in to Live.
xbox360-startup-linksys.pcap - the name is obvious. Same as the first, but with the default route of .254 and the pfsense box off the LAN. The Linksys does UPnP. Since the Xbox doesn't yet need a hole punched in the firewall, it doesn't try to do any more with UPnP other than check for the router.
xbox360-test_linksys_works.pcap - this is the money shot. You can see that there's a brief SSDP exchange over multicasting, and then there's a unicast exchange, and then the 360 and the Linksys start a TCP conversation. It's not on port 80 so Wireshark doesn't decode it all pretty, but if you look at the data it's just SOAP/XML/HTTP exchange. I'm guessing that this is where it actually does the magic of opening the port in the firewall. If you can mimic the Linksys's responses here it should work.
Hmm. I think I might know what the problem is. The Location: line that miniupnpd spits back is "http://<firewall ip>:1900/rootDesc.xml". Note the uppercase D in "rootDesc.xml". $5 says that the 360 does an lcase() on the URL and tries to hit it like that…? Although I don't see any such attempt and 404 - it never appears to even try a TCP connection with the PFSense box (or at least there's no packets showing this, and I logged *). The source for Sveasoft is open and we could port over their work, but it's probably GPL vs BSD license and I know that is frowned upon. :-\
I don't know the slightest bit about BSD development or else I'd try to lend a hand. I've had some courses in C/C++ so I might be at least remotely helpful, but I don't have a clue about how to actually work on a real project (about all I've done is 2-3 source file jobs, with a header or two and maybe one library involved).
-
The current installable package uses port 2869; perhaps this makes a difference.
This is defined in /etc/inc/system.inc near the bottom (last function).
Perhaps this makes a difference. Not sure though. I do that just to mimic other devices.
Cheers
-
Oh noes!
Do not run the miniupnpd on port 1900!
That's for the MCAST socket. Which is probably the cause of other programs stumbling
A random 2500-5000 high port for the HTTP server should suffice.
Start miniupnpd with -i vr0 -a 192.168.42.254 -p 2869
e.g. client send mcast query to port 1900.
miniupnpd responds with location http://$ip:$port
e.g. http://192.168.42.254:2869
Which is correct. So don't start miniupnpd on port 1900!
-
OK, I'll try this. I just used the copy of system.inc from your website and that was the value defined in it I guess. :)
I'll make the port change tonight and test again.
-
Changing the port (I used 2898) didn't do anything. Here's another capture after that change. (PCAP format again)
I'm starting to think that the SSDP packets (the response to the "M-SEARCH" queries) aren't thorough enough, since the Linksys provides more data than miniupnpd does.
For instance, the Xbox does a discovery for WANIPConnection:
M-SEARCH * HTTP/1.1
Host: 239.255.255.250:1900
Man: "ssdp:discover"
MX: 2
ST: urn:schemas-upnp-org:service:WANIPConnection:1
And here are the two responses:
PFSense/miniupnpd
HTTP/1.1 200 OK
Cache-Control: max-age=120
ST: upnp:rootdevice
USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice
EXT:
Server: miniupnpd/1.0
Location: http://192.168.42.1:2898/rootDesc.xml
Linksys
HTTP/1.1 200 OK
ST:urn:schemas-upnp-org:service:WANIPConnection:1
USN:uuid:000f-6657-a36802e44090::urn:schemas-upnp-org:service:WANIPConnection:1
Location: http://192.168.42.254:5431/dyndev/uuid:000f-6657-a36800e44090
Server: Custom/1.0 UPnP/1.0 Proc/Ver
EXT:
Cache-Control:max-age=1800
DATE: Tue, 22 Aug 2006 00:09:47 GMT
As you can see, the Linksys is outputting a few parts differently. On the Linksys, the "ST:" line is identical to the ST that the Xbox was requesting. On PF, it is not (miniupnpd appears to only have one type of response). I think this is the root of the problem - since the answer to the XBox's query doesn't exactly match, it doesn't attempt to connect to the daemon's unicast port and do a normal mapping routine.
Can we change miniupnpd so it parrots back the right response?
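
(Added example, not part of the original posts and not miniupnpd code: a small Python checker that applies the two points raised in this thread to the captured messages, namely that the response ST should echo the M-SEARCH ST and that the Location URL should not point at the SSDP port 1900. The function names and problem labels are made up for this illustration.)

```python
# Added example. The three messages are re-typed from the captures quoted above.
from urllib.parse import urlsplit

SSDP_PORT = 1900  # multicast discovery port, not where the HTTP description lives

M_SEARCH = (
    'M-SEARCH * HTTP/1.1\r\n'
    'Host: 239.255.255.250:1900\r\n'
    'Man: "ssdp:discover"\r\n'
    'MX: 2\r\n'
    'ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n\r\n'
)
MINIUPNPD = (
    'HTTP/1.1 200 OK\r\n'
    'Cache-Control: max-age=120\r\n'
    'ST: upnp:rootdevice\r\n'
    'USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n'
    'EXT:\r\n'
    'Server: miniupnpd/1.0\r\n'
    'Location: http://192.168.42.1:2898/rootDesc.xml\r\n\r\n'
)
LINKSYS = (
    'HTTP/1.1 200 OK\r\n'
    'ST:urn:schemas-upnp-org:service:WANIPConnection:1\r\n'
    'USN:uuid:000f-6657-a36802e44090::urn:schemas-upnp-org:service:WANIPConnection:1\r\n'
    'Location: http://192.168.42.254:5431/dyndev/uuid:000f-6657-a36800e44090\r\n'
    'Server: Custom/1.0 UPnP/1.0 Proc/Ver\r\n'
    'EXT:\r\n'
    'Cache-Control:max-age=1800\r\n'
    'DATE: Tue, 22 Aug 2006 00:09:47 GMT\r\n\r\n'
)

def parse_headers(message):
    """Return (start_line, headers); header names are matched case-insensitively."""
    lines = message.split('\r\n')
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(':')
        if sep:  # skips the blank lines that end the message
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def check_response(request, response):
    """List the ways a response fails to answer the given M-SEARCH."""
    _, req = parse_headers(request)
    _, resp = parse_headers(response)
    problems = []
    # A search for a specific target expects that same target echoed back in ST.
    if req.get('st') != 'ssdp:all' and resp.get('st') != req.get('st'):
        problems.append('st-mismatch')
    port = urlsplit(resp.get('location', '')).port
    if port is None or port == SSDP_PORT:
        problems.append('location-port')
    return problems
```

Run against the captures, check_response(M_SEARCH, MINIUPNPD) reports the ST mismatch and check_response(M_SEARCH, LINKSYS) reports nothing.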
-
I've tried it out and although I couldn't get the package to work, I did get it working via the manual instructions.
So far I've tested it with:
Limewire 4.12.4 (Rules add and delete properly)
uTorrent (Rules add and delete properly)
Windows Live Messenger (Again, works properly and the connection diagnostics report that I am "Connected to the internet via a uPnP Symmetric NAT")
uPnPTest (All Passed except for rule#6 because I don't use the windows firewall service and have it disabled)
As for the package, it would install and it was listed on the main page. I chose my interface, but nothing would ever appear in the logs. I even ran "miniupnpd with -i xl0 -a 10.1.42.1 -p 2869" and still nothing. So, I did the manual installation and it worked.
Keep it up people!!
Since I don't have paypal (yes, I know I'm weird and all that stuff) I'm going to have bradenmcg paypal it for me and I'll just pay him back since we work together..
Thanks guys!!
Riley
-
Spoke too soon.
The mappings still appear to work, but when I view the states in the web interface I get the following error:
"Fatal error: Call to undefined function: gettext() in /usr/local/www/status_upnp.php on line 57"
Riley
-
You need to upgrade to RC2e or later. Search the forum for RC2e.
-
Ahh, yeah, that's it..
I had installed 2e a couple of days ago and I bet when I installed the uPnP update manually, I overwrote some of those files..
It's working now.
Riley
-
So Windows Messenger likes it, but not the 360. Weird.
I wonder if it would play nice with the original Xbox…
Would this UPnP book from Intel be useful at all? I'd donate a copy to databeestje or any of the other developers if it would help implementation along.
I've also found a "royalty free" UPnP framework from EBS Embedded Software. I'm inquiring about pricing as well as licensing terms - if I can just plunk down cash for a framework that is 100% compliant and it can just be dropped in, this would be fantastic… as PFSense could then lay claim to be the first open firewall that fully supports UPnP. It might be worth doing even if the UPnP subsystem would have to be distributed separately as binaries/no source due to licensing issues. Free/Open and most Linux flavors do this sort of thing already anyway and it doesn't hurt them at all. That part would of course be up to our wonderful dev team though. ;D
-
Well, EBS's royalty free framework is $12,000. I don't mind dropping some benjamins here and there to help progress along on OSS that I believe in, but I don't have 12k to blow for pfSense, unfortunately. ;D
-
I've been doing a little more testing and I found that it's working 100% on my LAN interface, but it's not quite working on my WLAN interface.
Quick rundown
WLAN –> Linksys WRT54G being used as an AP. Its UPnP and DHCP are turned off. The WLAN NIC in the pfsense box is connected to port 1 on the Linksys (not the WAN port)
Here is the log output from a MSN Live messenger sign-on from a laptop connected to the WLAN interface. MSN reports it is connected to the internet through a NON-UPnP symmetric NAT router.
Aug 23 23:06:19 miniupnpd[541]: SSDP M-SEARCH packet received from 192.168.1.200:62964
Aug 23 23:06:19 miniupnpd[541]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 23 23:06:19 miniupnpd[541]: SSDP M-SEARCH packet received from 192.168.1.200:62964
Aug 23 23:06:19 miniupnpd[541]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 23 23:06:18 miniupnpd[541]: SSDP M-SEARCH packet received from 192.168.1.200:62964
Aug 23 23:06:18 miniupnpd[541]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 23 23:06:18 miniupnpd[541]: SSDP M-SEARCH packet received from 192.168.1.200:62964
Aug 23 23:06:18 miniupnpd[541]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 23 23:06:18 miniupnpd[541]: SSDP M-SEARCH packet received from 192.168.1.200:62964
Aug 23 23:06:18 miniupnpd[541]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 23 23:06:18 miniupnpd[541]: SSDP M-SEARCH packet received from 192.168.1.200:62964
Aug 23 23:06:18 miniupnpd[541]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 23 23:06:17 miniupnpd[541]: SSDP M-SEARCH packet received from 192.168.1.200:62964
Aug 23 23:06:17 miniupnpd[541]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 23 23:06:17 miniupnpd[541]: SSDP M-SEARCH packet received from 192.168.1.200:62964
Aug 23 23:06:17 miniupnpd[541]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 23 23:06:17 miniupnpd[541]: SSDP M-SEARCH packet received from 192.168.1.200:62964
Aug 23 23:06:17 miniupnpd[541]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 23 23:06:17 miniupnpd[541]: SSDP M-SEARCH packet received from 192.168.1.200:62964
Aug 23 23:06:17 miniupnpd[541]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 23 23:06:16 miniupnpd[541]: SSDP M-SEARCH packet received from 192.168.1.200:62964
Aug 23 23:06:16 miniupnpd[541]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 23 23:06:16 miniupnpd[541]: SSDP M-SEARCH packet received from 192.168.1.200:62964
Aug 23 23:06:16 miniupnpd[541]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Here is a WORKING sample from a MSN Live messenger sign-on from a PC connected to the LAN side. MSN reports it is connected to the internet through a UPnP Symmetric NAT router. As you can see there is quite a bit more output and more stuff going on.
Aug 23 23:16:33 miniupnpd[2952]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping
Aug 23 23:16:33 miniupnpd[2952]: HTTP REQUEST : POST /control/WANIPConnection (HTTP/1.1)
Aug 23 23:16:33 miniupnpd[2952]: Port 42193 protocol TCP allready redirected to 10.1.42.100:42193
Aug 23 23:16:33 miniupnpd[2952]: AddportMapping TCP, for 10.1.42.100, port 42193, description : miniupnpd
Aug 23 23:16:33 miniupnpd[2952]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Aug 23 23:16:33 miniupnpd[2952]: HTTP REQUEST : POST /control/WANIPConnection (HTTP/1.1)
Aug 23 23:16:33 miniupnpd[2952]: GetSpecificPortMappingEntry : rhost='(null)' 42193 TCP found => 10.1.42.100:42193 desc='miniupnpd'
Aug 23 23:16:33 miniupnpd[2952]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetSpecificPortMappingEntry
Aug 23 23:16:33 miniupnpd[2952]: HTTP REQUEST : POST /control/WANIPConnection (HTTP/1.1)
Aug 23 23:16:33 miniupnpd[2952]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
Aug 23 23:16:33 miniupnpd[2952]: HTTP REQUEST : POST /control/WANIPConnection (HTTP/1.1)
Aug 23 23:16:33 miniupnpd[2952]: GetSpecificPortMappingEntry : rhost='(null)' 42193 TCP found => 10.1.42.100:42193 desc='miniupnpd'
Aug 23 23:16:33 miniupnpd[2952]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetSpecificPortMappingEntry
Aug 23 23:16:33 miniupnpd[2952]: HTTP REQUEST : POST /control/WANIPConnection (HTTP/1.1)
Aug 23 23:16:33 miniupnpd[2952]: AddportMapping TCP, for 10.1.42.100, port 42193, description : MSGR
Aug 23 23:16:33 miniupnpd[2952]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Aug 23 23:16:33 miniupnpd[2952]: HTTP REQUEST : POST /control/WANIPConnection (HTTP/1.1)
Aug 23 23:16:33 miniupnpd[2952]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetSpecificPortMappingEntry
Aug 23 23:16:33 miniupnpd[2952]: HTTP REQUEST : POST /control/WANIPConnection (HTTP/1.1)
Aug 23 23:16:33 miniupnpd[2952]: QueryStateVariable(0"><m:varname>ConnectionStatus
Aug 23 23:16:33 miniupnpd[2952]: SOAPAction: urn:schemas-upnp-org:control-1-0#QueryStateVariable
Aug 23 23:16:33 miniupnpd[2952]: HTTP REQUEST : POST /control/WANIPConnection (HTTP/1.1)
Aug 23 23:16:33 miniupnpd[2952]: QueryStateVariable(0"><m:varname>ConnectionStatus
Aug 23 23:16:33 miniupnpd[2952]: SOAPAction: urn:schemas-upnp-org:control-1-0#QueryStateVariable
Aug 23 23:16:33 miniupnpd[2952]: HTTP REQUEST : POST /control/WANIPConnection (HTTP/1.1)
Aug 23 23:16:33 miniupnpd[2952]: SSDP M-SEARCH packet received from 10.1.42.100:47879
Aug 23 23:16:33 miniupnpd[2952]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 23 23:16:33 miniupnpd[2952]: SSDP M-SEARCH packet received from 10.1.42.100:47879
Aug 23 23:16:33 miniupnpd[2952]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 23 23:16:33 miniupnpd[2952]: SSDP M-SEARCH packet received from 10.1.42.100:47879
Aug 23 23:16:33 miniupnpd[2952]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 23 23:16:33 miniupnpd[2952]: SSDP M-SEARCH packet received from 10.1.42.100:47879
Aug 23 23:16:33 miniupnpd[2952]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 23 23:16:32 miniupnpd[2952]: SSDP M-SEARCH packet received from 10.1.42.100:47879
Aug 23 23:16:32 miniupnpd[2952]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 23 23:16:32 miniupnpd[2952]: SSDP M-SEARCH packet received from 10.1.42.100:47879
Aug 23 23:16:32 miniupnpd[2952]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 23 23:16:32 miniupnpd[2952]: SSDP M-SEARCH packet received from 10.1.42.100:47879
Aug 23 23:16:32 miniupnpd[2952]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 23 23:16:32 miniupnpd[2952]: SSDP M-SEARCH packet received from 10.1.42.100:47879
Aug 23 23:16:32 miniupnpd[2952]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 23 23:16:31 miniupnpd[2952]: SSDP M-SEARCH packet received from 10.1.42.100:47879
Aug 23 23:16:31 miniupnpd[2952]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 23 23:16:31 miniupnpd[2952]: SSDP M-SEARCH packet received from 10.1.42.100:47879
Aug 23 23:16:31 miniupnpd[2952]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 23 23:16:31 miniupnpd[2952]: SSDP M-SEARCH packet received from 10.1.42.100:47879
Aug 23 23:16:31 miniupnpd[2952]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 23 23:16:31 miniupnpd[2952]: SSDP M-SEARCH packet received from 10.1.42.100:47879
Aug 23 23:16:31 miniupnpd[2952]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
I will do a little bit more testing in case it might actually be the Linksys that I am using as an AP. Maybe it is trying to proxy the UPnP packets even though its UPnP is turned off.
I was originally using my pfsense box as an AP with a wireless card, but it started dropping packets tonight and I needed it. So I hooked up the linksys to use as an AP instead.
Thanks!!
Riley
-
Unfortunately right now the package is limited to LAN. We can expand it down the road once we verify it works correctly on the LAN interface.
-
Unfortunately right now the package is limited to LAN. We can expand it down the road once we verify it works correctly on the LAN interface.
Gotcha..
Riley
-
Anyone else tested UPnP?
-
I have it running!
It's been working fine since I got direction how to enable it. The few applications I use that employ it have worked fine so far. But without more extensive logging (I have the package version) I'm unable to tell if Microsoft Live Messenger is working or not, or if any communication is being made. My client works fine, it always did, uPnP or not.
Anyway all seems well so far!
Thanks! :D
-
Okay a further update.
I could not get Windows Live Messenger to work properly. Just regular chat works fine, but video/audio doesn't. I saw in the status page that port 0 had been opened to my internal IP, which of course didn't work. Nothing more was in the regular system log, so I don't have any more information to give.
Just that when I received an invite and accepted it didn't show that I had on the other end, when I made an invite the invite wasn't even showing on the other end…
Thanks.
-
Can you try nuking the package and installing the standalone by hand? There have been some updates made to the miniupnpd binary and it's possible that whoever made the original package didn't update it when DB (I can't spell his handle right now) updated the binary on his site… ?
-
Interestingly, just as I was about to try the above suggestion, a new version of Windows Live Messenger came down the pipe. It still opens port "0" in miniupnpd but it works. At least it worked when testing it out talking to my brother who interestingly is also behind a pfSense firewall, but without miniupnpd installed! I'll have to try it out with some of my friends who are behind Linksys/D-Link or whatever variety of home routers and see if it works with them too. I think M$ must have fixed/changed something with its upnp protocol in the newest client…
(Just in case I wasn't clear enough, this is still with the package version installed.)