UPnP/NAT-PMP Possible Bug? Dhcpd/DNSmasq questions.
-
I'm using the OpenVPN client of pfSense 2 to connect to a commercial VPN provider (which is why I ended up on 2.0 to begin with, 1.2.3 does not accept the auth-user-pass argument) and everything is working beautifully (except for some random shutdowns which, fingers crossed, are now solved). I use firewall rules to direct specific light-duty client PCs to the PPPoE gateway, everything else goes through the VPN tunnel, and I'm very happy with the setup.
I'd like the light-duty clients to have access to UPnP and NAT-PMP, so I checked the "By default deny access to UPnP & NAT-PMP" and used the "allow" option for those specific clients.
However, clients which should be denied access, even if they cannot open ports, can find the "real" external IP from NAT-PMP, an address they are not supposed to know of. (Overriding the address is of no use of course, since that would mess up the legitimate clients.) I don't know if this is just a limitation in the design of NAT-PMP, or if further restrictions should be set in place. As it is now, I cannot enable NAT-PMP at all for any client if I want other clients to remain "sandboxed". (I'm a complete pfSense noob, if this is just an easy firewall rule, forgive me. Advice welcome.)
Then there's the DHCP daemon. I came from router OSes like DD-WRT and Tomato, both of which could use dnsmasq as the DHCP server, and both have an input field for custom options. That made it easy to include specific DHCP options, like instructing clients to release their IP on shutdown, and to deactivate NetBIOS in Windows clients, etc. Can anyone point me to how I would go about doing similar configs for the DHCP daemon in pfSense 2?
Lastly, dnsmasq itself. I cannot find any dnsmasq.conf or similar. I can find only one file which references the cache-size, /etc/inc/services.inc. Modifying this file before restarting dnsmasq has no effect; the log shows it still starts with a cache of 10000 (more than enough for my needs, this is just out of curiosity). This cache-size is one parameter I think should be in the GUI, but since it isn't, does anyone know where I can change it and other dnsmasq options?
::Trym
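The external-address leak described in the post above, as an added example that is not part of the original thread or of pfSense: the NAT-PMP "external address" request (RFC 6886, opcode 0) is two bytes on UDP/5351 with no client authentication, and the gateway answers with its external IPv4 address. The code builds that request, parses the 12-byte reply, and includes a live probe helper; the reply bytes embedded below are constructed for the example (documentation address 198.51.100.7, not a real host).

```python
"""NAT-PMP external-address request/response (RFC 6886, opcode 0).

Added example, not code from the thread or from pfSense. Any LAN client
can send the 2-byte request to UDP/5351 on the gateway and receive the
gateway's external IPv4 address; nothing in the protocol ties the answer
to the UPnP/NAT-PMP allow/deny list. SAMPLE_REPLY is constructed here.
"""
import socket
import struct
from typing import NamedTuple

NATPMP_PORT = 5351
NATPMP_VERSION = 0
OP_EXTERNAL_ADDRESS = 0
RESULT_SUCCESS = 0


class ExternalAddressReply(NamedTuple):
    result_code: int
    seconds_since_epoch: int   # gateway uptime counter, not wall-clock time
    external_ip: str


def build_external_address_request() -> bytes:
    # version 0, opcode 0: "what is your public address?"
    return struct.pack("!BB", NATPMP_VERSION, OP_EXTERNAL_ADDRESS)


def parse_external_address_reply(data: bytes) -> ExternalAddressReply:
    """Decode a reply: version, opcode|128, result code, uptime, external IP."""
    if len(data) < 12:
        raise ValueError("reply too short for an external-address response")
    version, opcode, result, seconds, addr = struct.unpack("!BBHII", data[:12])
    if version != NATPMP_VERSION:
        raise ValueError(f"unexpected NAT-PMP version {version}")
    if opcode != OP_EXTERNAL_ADDRESS + 128:   # replies set the high bit of the opcode
        raise ValueError(f"unexpected opcode {opcode}")
    external_ip = socket.inet_ntoa(struct.pack("!I", addr))
    return ExternalAddressReply(result, seconds, external_ip)


def query_gateway(gateway: str, timeout: float = 2.0) -> ExternalAddressReply:
    """Live probe (assumed usage): ask the LAN gateway and parse what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_external_address_request(), (gateway, NATPMP_PORT))
        data, _ = sock.recvfrom(64)
    return parse_external_address_reply(data)


# Constructed reply, as a NAT-PMP gateway would answer: success, up 3600 s,
# external address 198.51.100.7 (documentation range, not a real host).
SAMPLE_REPLY = struct.pack(
    "!BBHII", NATPMP_VERSION, OP_EXTERNAL_ADDRESS + 128, RESULT_SUCCESS, 3600,
    struct.unpack("!I", socket.inet_aton("198.51.100.7"))[0],
)

if __name__ == "__main__":
    print("request bytes:", build_external_address_request().hex())
    print("parsed reply: ", parse_external_address_reply(SAMPLE_REPLY))
    # To probe a real gateway from a LAN client: print(query_gateway("192.168.1.1"))
```

Running `query_gateway` from a client that is supposed to be "denied" is the quickest check of whether a firewall rule on port 5351 is actually taking effect: a timeout means the rule works, an answer means the client can still read the external address.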
-
Is this what you are looking for?
http://forum.pfsense.org/index.php/topic,11159.0.html
-
Thanks, looks like it might work, I have to try it out later.
I solved the UPnP/NAT-PMP problem after a lot of head-scratching. I added some simple firewall rules to block out NAT-PMP for certain clients first, but whatever I did, they did not take. To make a long story short: it works, but you have to disable the anti-lockout rule for the web interface. One would think that that rule would only ensure access to the port(s) the web interface and SSH are listening on, but no, the rule allows access to ALL ports on the pfSense box, so any other rules to prevent it will not take effect unless it's disabled.
So, for anyone else looking to disable NAT-PMP and UPnP access for some clients on the LAN, but not for all:
Disable the anti-lockout rule for the web interface (System/Advanced/Admin access).
Add a reject rule for the LAN interface for source: clients you wish to block. (EDIT: Make sure you make this a NOT rule, so that undefined clients are blocked by default. Make an alias of the clients you wish to have access, then NOT that alias in the rule.)
Destination ports: 1900, 2189, 5000, 5351, 49152 (some are UDP, some are TCP, but it doesn't hurt to just put them in one alias and use both TCP/UDP).
::Trym
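A first-match model of the rule order the post above describes, as an added example (not pfSense code and not from the thread): pf evaluates the LAN rules top to bottom and the first match wins, so a pass rule for any port on the firewall placed ahead of the user rules shadows a later reject. The addresses, the "NOT alias" source match and the port list are taken from the thread; the anti-lockout rule is modelled as the poster observed it (LAN to any port on the firewall itself), and the LAN network, firewall address and client addresses are assumed for the example.

```python
"""First-match model of the LAN rule set from the thread.

Added example, not pfSense code. Three constructed rules show why the
reject rule never matches while the anti-lockout rule is enabled, and
how a "NOT alias" source match blocks every client that is not listed.
"""
from ipaddress import ip_address, ip_network
from typing import Callable, List, NamedTuple

UPNP_PORTS = {1900, 2189, 5000, 5351, 49152}     # port alias from the post
LAN_NET = ip_network("192.168.1.0/24")           # assumed LAN
FIREWALL_LAN_IP = ip_address("192.168.1.1")      # assumed pfSense LAN address
UPNP_ALLOWED = {ip_address("192.168.1.7")}       # alias of permitted clients (assumed)


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int


class Rule(NamedTuple):
    name: str
    action: str                      # "pass" or "reject"
    match: Callable[[Packet], bool]


def anti_lockout(p: Packet) -> bool:
    # As observed in the thread: any LAN source to ANY port on the firewall.
    return ip_address(p.src) in LAN_NET and ip_address(p.dst) == FIREWALL_LAN_IP


def reject_upnp_unless_allowed(p: Packet) -> bool:
    # Source "NOT alias": matches every client that is not in UPNP_ALLOWED.
    return (ip_address(p.src) not in UPNP_ALLOWED
            and ip_address(p.dst) == FIREWALL_LAN_IP
            and p.dport in UPNP_PORTS)


def lan_default(p: Packet) -> bool:
    # The stock "LAN to any" pass rule that follows the user rules.
    return ip_address(p.src) in LAN_NET


def build_ruleset(anti_lockout_enabled: bool) -> List[Rule]:
    rules: List[Rule] = []
    if anti_lockout_enabled:
        rules.append(Rule("anti-lockout", "pass", anti_lockout))
    rules.append(Rule("reject-upnp", "reject", reject_upnp_unless_allowed))
    rules.append(Rule("lan-default", "pass", lan_default))
    return rules


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Return 'action:rule' of the first matching rule, else the implicit default deny."""
    for rule in rules:
        if rule.match(p):
            return f"{rule.action}:{rule.name}"
    return "block:default-deny"


if __name__ == "__main__":
    denied_client = Packet("192.168.1.20", "192.168.1.1", 5351)
    allowed_client = Packet("192.168.1.7", "192.168.1.1", 5351)
    for enabled in (True, False):
        rules = build_ruleset(enabled)
        print(f"anti-lockout={enabled}: unlisted client -> {evaluate(rules, denied_client)}, "
              f"listed client -> {evaluate(rules, allowed_client)}")
```

With the anti-lockout rule enabled the unlisted client gets `pass:anti-lockout` for NAT-PMP; with it disabled the same packet hits `reject:reject-upnp`, while the listed client and ordinary traffic such as the web GUI port still pass through the default LAN rule.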
-
The allow and deny options for UPnP/NAT-PMP only specify what IP addresses and ports can be configured, not which systems can access it. For example, if you allowed 192.168.1.7 and denied everything else, any system could use it to make port forwards that go to 192.168.1.7.
-
Thanks for clarifying, that is what I concluded after having messed about with it a bit, hence the firewall rule mentioned in the previous post. It is far from clear if going by the wording on the setup page though. "By default deny access to UPnP & NAT-PMP?" surely sounds like it controls which clients should access it, not which clients can be forwarded to.
To Tikomotel: Thanks, the dnsmasq link you gave me had the information I needed, the correct location of dnsmasq.conf, which is /usr/local/etc/. It also turns out that editing the services.inc file probably works as well; it looked like it didn't work because dnsmasq has a hardcoded limit of 10000 as cache-size.
::Trym