UPnP support

rsw686

@EldarXP:

no bridging on this one,

Making all default and trying again was my first try and it didn't work for msn.
Azerus was talking with upnp and i was able to see log with miniupnp mark on it.

I just tried the miniupnp client for win32 and it seem that the rules are set for msn -.-; wat's going on…
It just don't log anything and don't allow me to connect to an other computer...
an other funny bug is it crash msn messenger on other computer when i try the video...

What version of MSN mesenger is this? I am going to download it and see if I can get it to work. Does it always forward the ports or only when you start video or voice chat as I don't have a webcam or mic on this machine.

Also if the rules are set they should show on the miniupnpd status page. So maybe thats the issue. I will look into it. A link to the msn messenger you are using would be great.

rsw686

Alright I downloaded and tested out MSN Messenger. From what I can tell it works. Like said above I don't have a webcam or mic so I didn't connect to anybody, but when I click the phone button and view the miniupnpd status page I receive the following mappings:

62514  udp  10.10.1.150  msncall (10.10.1.150:14696) 62514 UDP
50735 tcp 10.10.1.150 msncall (10.10.1.150:9306) 50735 TCP

Using the miniupnpd client it shows:

00 - UDP 62514->10.10.1.150:14696      enabled=1 leaseDuration=0
    desc='msncall (10.10.1.150:14696) 62514 UDP' rHost=''
01 - TCP 50735->10.10.1.150:9306        enabled=1 leaseDuration=0
    desc='msncall (10.10.1.150:9306) 50735 TCP' rHost=''

What would be helpful is the printout from the miniupnpd client showing the rules created. I still don't get how it shows them but the pfSense miniupnpd status page doesn't.

You are using version 1.0.1 and miniupnpd package 20061110 correct? At the very least you need to be on pfSense 1.0.

EldarXP

Well i've tried both Msn 7.5 and Msn live (8.0.0812).

My Rules are default:

LAN
Prot: any /source: lan net /destination address: any / destination port: any /gateway: any

WAN
NONE

DMZ
Allow out -> any destination (DNS, HTTP, HTTPS)
Allow out -> LAN net (ICMP, IDENT)

My network testing conf is like this:

Internet -> routeur -> 4 interner address -> IP1 Linksys -> client 1
                                                        -> IP2 PFsense -> client 2

Funny enougth in this configuration it's not working and the log are showing something wrong when trying to connect via audio…
client 1 open port udp 6016 / 6017
client 2 open port udp client2:32912 -> ip2:23827 / client2:2036 -> ip2:23828
all i see on the pflog are block match (rule 47/0) and sometimes for different port....

pflogs:

block in on wan ip1.6016 -> client 2.32912
block in on wan ip1.6017 -> client 2.2036
block in on wan ip1.6017 -> ip2.57520
block in on wan ip1.6016 -> ip2.58676

Thanks for your help
cheers,

rsw686

What version pfSense are you using?? The version is important.

The client is connected on the LAN port correct? I tested with Live Messenger 8.0.0812.00 and it properly mapped the ports.

Also in Live Messenger goto Tools -> Options menu. When that dialog appears click Connection on the left.

Mine says

"You are directly connected to .NET Messenger Service.

You are connected to the Internet through a UPnP symmetric NAT."

If it does not say that it should enable the connection troubleshooter below. Click start and see what it finds.

EldarXP

pfsense 1.01

For Msn I'will see this tomorow no power again here -.-;

ZPrime

I don't understand why you have the linksys where it is?

PF can handle multiple WAN IP addresses and can do 1:1 NAT for you if that's what you want…  there's really no reason to use the Linksys as a router that I can think of...

EldarXP

ok
So i have a internet connection with 2 spare public ip addresse.
For the test i use 2 public ip addresse one is connected to the linksys and the other one to pfsense.
Make the test more realistic…

Cheers.

EldarXP

msn tell me whith:
                    pfsense that i'm connected thru a UPNP symetric NAT. (Administrator)
                    Linksys that i'm connected thru a UPnP Port Restricted NAT. (Administrator)

Both are directly connected to .NET Messenger Service.

Cheers,

EldarXP

Arg
I've actually tried to connect to each other while connected directly on internet and i had the same problem -.-;
Wondering what's wrong with my computer…

Thanks for your time and you great support.

tec

Hi,
does this Package work without any Problems on an Multi-Wan Setup?
Regards

ZPrime

@EldarXP:

Arg
I've actually tried to connect to each other while connected directly on internet and i had the same problem -.-;
Wondering what's wrong with my computer…

Thanks for your time and you great support.

I'm guessing maybe you have a software firewall installed on the PC that was behind the Linksys, something other than the XP firewall.  This would stop certain ports from working, even if the Linksys is allowing all of the mappings…

rsw686

I committed version 20061123. This addresses the address in use error, which can happen if other services are using the interface assigned to miniupnpd. Full installs just reinstall the package. Embeddeds you can update via the usual instructions.

Superman

Just a note, this package is working EXCELLENT now!! No more 100% CPU problems, no address in use problems in the case of a service restart, really no problems!!

Thanks for all your hard work everyone involved!!

sullrich

Excellent.  This package indeed has turned out to be a first class package.

We will be merging this into -BASE for future versions due to it working so well.

So all you embedded users, rejoice.

Skud

Agreed…

This has come such a long way... Congratulations for making this such a first class package and helping to make pfsense even better..

Riley

ZPrime

Yay for putting it in -BASE!

All your -BASE are belong to us?  ;D

Again, it is really great that pfSense is now the only free firewall implementation to properly handle UPnP.  I have a feeling that once it goes into -BASE we might get more XBox owners looking for a good firewall system…  :)

Phobia

Nice looking package.  I have a question - I appologise if it has already been answered.

Is this package able to handle Multi/Dual WAN setups, or does it simply route traffic through one of the two links? (is it possible to choose which?)

Thanks!

– Phob

sullrich

Single WAN only ATM.

rsw686

@sullrich:

Single WAN only ATM.

I could be wrong on this but can't they just use the external address field to specify which wan to use? This would require have a static ip or a dynamic one that rarely changes.

sullrich

@rsw686:

@sullrich:

Single WAN only ATM.

I could be wrong on this but can't they just use the external address field to specify which wan to use? This would require have a static ip or a dynamic one that rarely changes.

It needs to also add reply-to against the firewall rules to make this work properly iirc.