Netgate Discussion Forum

UPnP support

363 Posts 28 Posters 414.6k Views
    rsw686
    last edited by Nov 9, 2006, 3:55 AM Nov 8, 2006, 12:42 AM

    I just committed version 20061107. For full installs, reinstall the package via the package manager. For embedded installs, you can use the sh-update-miniupnpd.sh script talked about a few posts back, or reflash.

    http://wgnrs.dynalias.com:81/pfsense/miniupnpd/sh-update-miniupnpd.sh
    http://wgnrs.dynalias.com:81/pfsense/pfSense-1.0.1-Embedded-Miniupnpd.img.gz

    miniupnpd 20061107: CB9C843FD9A01CFD55AD280F497A45E2

      ZPrime
      last edited by Nov 8, 2006, 4:47 AM

      Spectacular stuff.  Looking back at last Feb. I'm amazed at how far this project has come.  :)  My continued thanks to all of you who have put effort into UPnP as it has made my life at home a lot easier.  (No more screwing around with port forwards for random IM clients and stuff…)  Plus, I can have 2 Xbox 360s under one roof without any problems.  ;D

        Superman
        last edited by Nov 10, 2006, 3:16 PM Nov 10, 2006, 3:11 PM

        It seems with this latest package the 100% CPU usage problem is back.

        I'm getting the old error:
        ```
        miniupnpd[10622]: recv (state0): Operation timed out
        ```

        It seems to happen every couple of days. I have to restart the miniupnpd service and then all is well. The earlier packages seemed to do it as well, but it took longer between times the problem would reappear.

        I noticed that as of today (Nov 10/06) there is a new version of miniupnpd on its site, but the changelog doesn't mention any changes that would fix this problem.
          rsw686
          last edited by Nov 10, 2006, 4:20 PM

          @Superman:

          It seems with this latest package the 100% CPU usage problem is back.

          I'm getting the old error:
          ```
          miniupnpd[10622]: recv (state0): Operation timed out
          ```

          It seems to happen every couple of days. I have to restart the miniupnpd service and then all is well. The earlier packages seemed to do it as well, but it took longer between times the problem would reappear.

          I noticed that as of today (Nov 10/06) there is a new version of miniupnpd on its site, but the changelog doesn't mention any changes that would fix this problem.
          

          Hmm, I've never experienced that. I really have no way to test this, as my box is using DHCP on the WAN interface and the lease is renewed every 12 hours. The packages are resynced when this happens and miniupnpd restarts.

          The changes that have been made to the code were fixing a major memory leak (about 40kb leak per add/remove mapping) and additional code to read the bytes/packets in/out and system uptime. No major changes have occurred and I can't see how the changes would affect this.

          I will contact Thomas, the author of miniupnpd, and see what he has to say. The latest version on his site has improved error handling and I was planning to update the pfSense package later today. I will hold off until I receive word from Thomas.

            rsw686
            last edited by Nov 10, 2006, 4:47 PM Nov 10, 2006, 4:32 PM

            I was looking at the code changes for the 20061110 version posted today and it might fix this issue. The error you receive is coming from upnphttp.c line 273: The new version adds the h->state = 100; which would close out that state instead of endlessly looping through it. I will build and update the package to the latest version and you can let me know if it addresses the issue. I sent Thomas another email asking what he thinks. I will let you know the response.

            ```c
            if(n<0)
            {
                syslog(LOG_ERR, "recv (state0): %m");
                h->state = 100;
            }
            ```

              Superman
              last edited by Nov 10, 2006, 5:39 PM

              Thanks for the quick response. I will try out the package when it is available! I'll post my observations. Of course I'll probably have to wait a few days to see if the problem resurfaces.

              Thanks!! :D

                rsw686
                last edited by Nov 10, 2006, 5:55 PM

                @Superman:

                Thanks for the quick response. I will try out the package when it is available! I'll post my observations. Of course I'll probably have to wait a few days to see if the problem resurfaces.

                Thanks!! :D

                I committed it 15 min ago, so you should be good to go. Just reinstall via the package manager's installed packages tab.

                  ZPrime
                  last edited by Nov 10, 2006, 6:33 PM

                  Let us know when/if you put out a binary update for the poor embedded users…

                  I'm starting to consider building my own "hybrid" system - soekris board, but using a notebook drive or perhaps a microdrive so I can have packages and logging and stuff.  I suppose that is better discussed in a different thread though...

                    rsw686
                    last edited by Nov 10, 2006, 7:12 PM Nov 10, 2006, 6:43 PM

                    I have myself experienced this problem but was unable to reproduce it.
                    These last couple of days, I tested the daemon behaviour when receiving ill-formed HTTP requests. In some cases I succeeded in reproducing the bug.
                    I improved the handling of unexpected HTTP requests a lot, because it was also possible to make the daemon segfault very easily.
                    So yes, I hope I've fixed this CPU usage issue, but I cannot be sure.

                    Thanks

                    Thomas.

                    That was his response. I forgot to mention that embeddeds can use the sh-update-miniupnpd.sh or reflash. It's been awhile so here are the instructions. The images I update after I commit the miniupnpd changes. The sh-update-miniupnpd.sh script always grabs the latest from the pfSense server.

                    http://wgnrs.dynalias.com:81/pfsense/pfSense-1.0.1-Embedded-Miniupnpd.img.gz

                    md5sums for the binaries: http://wgnrs.dynalias.com:81/pfsense/miniupnpd/md5sums

                    Either use the console terminal or ssh into the box. Select option 8 shell. Enter the following commands. If you use the webgui command prompt you will find the page just hangs.

                    
                    ```
                    fetch -o - "http://wgnrs.dynalias.com:81/pfsense/miniupnpd/sh-update-miniupnpd.sh" | sh -
                    ```

                    The results should look similar to below. The current version prints the md5sum which you can compare to the above file.

                    ```
                    -                                             100% of  868  B  294 kBps
                    /usr/local/sbin/miniupnpd                     100% of   50 kB  290 kBps
                    /usr/local/pkg/miniupnpd.inc                  100% of 5622  B 1316 kBps
                    /usr/local/pkg/miniupnpd.xml                  100% of 2904  B  923 kBps
                    /usr/local/www/status_upnp.php                100% of 4185  B 1029 kBps
                    MD5 (/usr/local/sbin/miniupnpd) = d0c92af435c82b52b591527227f07568
                    Syncing packages: miniupnpd.
                    ```
                    
                    
                    1 Reply Last reply Reply Quote 0
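
An added example, not part of rsw686's post or of the pfSense package: one way to script the comparison the post describes, checking the `MD5 (...)` line the updater prints against a published digest, and to stage the script in a file so it is hashed before it runs rather than piped straight into `sh`. The function names are hypothetical, the sample output is copied from the post above, and the expected digest for the script itself is assumed to come from a source you trust.

```shell
#!/bin/sh
# Added example, not the pfSense package's updater; function names are
# hypothetical. SAMPLE_OUTPUT is copied from the updater output in the post.
SAMPLE_OUTPUT='/usr/local/sbin/miniupnpd                     100% of   50 kB  290 kBps
MD5 (/usr/local/sbin/miniupnpd) = d0c92af435c82b52b591527227f07568
Syncing packages: miniupnpd.'

# normalize_md5 HEX: print the digest in lowercase; fail unless it is exactly
# 32 hex characters. Digests in this thread appear in upper and lower case.
normalize_md5() {
    d=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$d" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#d}" -eq 32 ] || return 1
    printf '%s\n' "$d"
}

# reported_md5 PATH: read updater output on stdin and print the digest from
# the last BSD md5(1) line for PATH, which has the form "MD5 (PATH) = <hex>".
reported_md5() {
    awk -v want="MD5 ($1) = " '
        index($0, want) == 1 { d = substr($0, length(want) + 1) }
        END { print d }'
}

# check_update PATH EXPECTED: 0 if the reported digest equals EXPECTED,
# 1 on mismatch, 2 if either digest is missing or malformed.
check_update() {
    want=$(normalize_md5 "$2") || return 2
    got=$(normalize_md5 "$(reported_md5 "$1")") || return 2
    [ "$got" = "$want" ]
}

# staged_update URL SCRIPT_MD5: download the script to a file and run it only
# if its digest matches SCRIPT_MD5 (assumed to come from a trusted source).
# Uses FreeBSD fetch(1) and md5(1), the tools behind the output shown above.
staged_update() {
    want=$(normalize_md5 "$2") || return 2
    tmp=$(mktemp /tmp/upd.XXXXXX) || return 2
    rc=1
    if fetch -q -o "$tmp" "$1" && [ "$(md5 -q "$tmp")" = "$want" ]; then
        rc=0
        sh "$tmp" || rc=$?
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Because the script and the md5sums file are served from the same HTTP host, a match there shows only that the download is intact and consistent with that host; the expected value has to arrive over a separate channel for the check to say anything about tampering in transit.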
                      EldarXP
                      last edited by Nov 11, 2006, 1:45 AM

                      Hello,
                      I'm trying to find out what I'm missing here. I have installed the mini upnp on my pfSense firewall but it seems that nothing is happening (no rules created and the UPnP status is always empty),
                      as I'm trying to play with MSN Messenger and be able to use voice (computer -> computer).
                      I'm always getting a lot of feed from the firewall telling me that it blocks some UDP or SIP or TCP port.

                      Example ports:
                          1886: UDP
                          1892: UDP

                      Here is some of my firewall rules

                      TCP  LAN net  *  *  1863  *  Allow MSN -> ANY

                      UDP  LAN net  *  *  2001 - 2120  *  Allow MSN Voice to Phone -> ANY

                      TCP/UDP  LAN net  *  *  2869  *  Allow UPNP -> ANY

                      TCP  LAN net  *  *  3689  *  Allow Itune music share -> ANY

                      TCP/UDP  LAN net  *  *  5060  *  Allow SIP -> ANY

                      UDP  LAN net  *  *  6801  *  Allow MSN Voice to phone -> ANY

                      TCP  LAN net  *  *  6891 - 6900  *  Allow MSN File Transfert -> ANY

                      TCP/UDP  LAN net  *  *  6901  *  Allow MSN Voice to computer -> ANY

                      TCP/UDP  LAN net  *  *  7001  *  Allow MSN Voice to computer -> ANY

                      If anyone has an idea :) you are welcome.

                        rsw686
                        last edited by Nov 11, 2006, 3:40 AM

                        First off, if you're using a UPnP application you shouldn't manually create the firewall rules. Miniupnpd will automatically create them behind the scenes. Maybe try turning off the WinXP firewall if it's enabled and see if that makes a difference. Also try out Azureus and see if its port forwards show up in the status. That will give you a starting point.

                          Superman
                          last edited by Nov 11, 2006, 6:26 AM

                          @EldarXP:

                          Hello,
                          I'm trying to find out what I'm missing here. I have installed the mini upnp on my pfSense firewall but it seems that nothing is happening (no rules created and the UPnP status is always empty),
                          as I'm trying to play with MSN Messenger and be able to use voice (computer -> computer).
                          I'm always getting a lot of feed from the firewall telling me that it blocks some UDP or SIP or TCP port.

                          Just to make sure, if this is a new install, you will have to go to the Miniupnpd tab under the Services heading (you might need to refresh the browser for it to show up…) and actually set it up to enable it. You'll see the miniupnpd Settings tab, where you choose the interface you want to run on, and a few other options and then click change. Check the Services tab under the Status heading to make sure the service is running...also check the System Logs for any errors. If you've already done all that, then it may be some other problem, but this is something that has caught a few so far...

                          Hope that's of some use.

                            EldarXP
                            last edited by Nov 11, 2006, 7:35 AM

                            Have done all that and more and it's still not working.
                            Can someone tell me the basic firewall rules and NAT to enable to make it work? I'm sure it's some problem around this…

                              jeroen234
                              last edited by Nov 11, 2006, 9:14 AM

                              Just the default LAN rule.
                              UPnP will make all the NAT rules for your PC.

                                EldarXP
                                last edited by Nov 13, 2006, 1:06 AM

                                Hey,
                                I've reset the pfSense and reinstalled the UPnP.
                                Default rules are working fine with Azureus, but still no MSN voice or webcam (file transfer is OK)….

                                Thanks for your help,

                                Another question:
                                Once you've enabled UPnP, you need to block the ports you don't want your users to access (directly from the client if you've got an HTTP proxy, or at all if you don't want them to send or receive email)...
                                Is that right?

                                Thanks,

                                  rsw686
                                  last edited by Nov 13, 2006, 1:18 AM

                                  @EldarXP:

                                  Hey,
                                  I've reset the pfSense and reinstalled the UPnP.
                                  Default rules are working fine with Azureus, but still no MSN voice or webcam (file transfer is OK)….

                                  Thanks for your help,

                                  Another question:
                                  Once you've enabled UPnP, you need to block the ports you don't want your users to access (directly from the client if you've got an HTTP proxy, or at all if you don't want them to send or receive email)...
                                  Is that right?

                                  Thanks,

                                  I'm confused by your other question. UPnP only opens ports that the application requests. After you close the application it closes the ports. So no, you don't need to block anything. Unless specifically added in the NAT and Firewall Rules, everything coming in from the WAN side is blocked by default. Now if you don't want users on the LAN side to access certain ports, then yes, you need to block them.

                                  As far as MSN voice and webcam, when you try to use them do you see miniupnpd errors in your pfSense system log? If so, what are they? If it's something like unsupported SOAP method, etc., then there is some incompatibility between miniupnpd and MSN Messenger.

                                  If that is the case I would recommend emailing Thomas Bernard at miniupnp AT free DOT fr as he is the creator of miniupnpd http://miniupnp.free.fr/

                                    ZPrime
                                    last edited by Nov 13, 2006, 2:59 PM

                                    We already know MSN Messenger works OK, several people have tried it in the past.  Unless a regression bug has cropped up as the code has advanced…

                                    Are you running all of the proper WinXP Services that make UPNP work?  MSN Messenger doesn't do the UPNP on its own, it calls the Windows services to do it.  This means you need both the "SSDP Discovery Service" as well as the "Universal Plug and Play Device Host" service running for it to work.  If you have used one of those stupid "Windows service tweak guides," please go out back and shoot yourself (those guides are mostly pointless and often wrong).

                                      EldarXP
                                      last edited by Nov 14, 2006, 3:50 AM

                                      Hello,

                                      OK, I've downloaded a program from this address to test UPnP, and it gives some tips to fix the computer if you have any problem.

                                      http://fp.mgillespie.plus.com/upnphelp.htm

                                      I've run the program on both sites and the result is clear.

                                      But still it's like MSN is not trying to use UPnP…
                                      Azureus works fine and I see in the pflog new rules created by UPnP for Azureus.
                                      I only see ports blocked on UDP for MSN.

                                      On the computer itself the internet connection (UPnP tools) shows dynamically created rules but they are not showing in the log or in the miniupnp status.

                                      Finally I just allowed all UDP ports from 5006 to 65000 on the WAN interface from the internet to my LAN subnet and it works -.-;

                                      As I'm quite new to UPnP (I'm sure you guessed it...)

                                      Any idea how to set up a secure environment with UPnP and limit outbound connections to the internet? (I just want them to be able to connect to MSN and web through a proxy on the DMZ...)

                                      Thanks for all your kind help.
                                      Best Regards,

                                        ZPrime
                                        last edited by Nov 14, 2006, 4:36 AM

                                        UPnP and Secure do not belong in the same sentence together.

                                        By definition, UPnP allows any program to open any port that it wants.  If you want to use UPnP, then your firewall will never be secure.  You can't keep users from doing anything, because a program that speaks UPnP will just open the ports it needs.

                                        Now, I'm not exactly sure where the UPnP rules fall in the list on pfSense.  I'm guessing you have a "Deny all" rule in your firewall to keep people from accessing anything, and then you ALLOW port 80 to your proxy?  I think that the deny all will "win" against the rules created by miniupnpd, so even if UPnP is working properly, MSN will not be able to get out.

                                        I would backup all of your rules, and then start over with NO rules other than the default and UPnP.  See if it works.  Slowly start adding in rules until it breaks…

                                        Oh, and you aren't trying to do bridging with pfSense, right?  I don't think miniupnpd works in bridge mode.

                                          EldarXP
                                          last edited by Nov 14, 2006, 7:55 AM

                                          No bridging on this one.

                                          Making everything default and trying again was my first try, and it didn't work for MSN.
                                          Azureus was talking with UPnP and I was able to see logs with the miniupnp mark on them.

                                          I just tried the miniupnp client for win32 and it seems that the rules are set for MSN -.-; what's going on…
                                          It just doesn't log anything and doesn't allow me to connect to another computer...
                                          Another funny bug is that it crashes MSN Messenger on the other computer when I try the video...

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.