Miniupnpd issues with lastest snapshot

Cino

We are getting closer :-) It starts, but not interfacing with pf. i386


Aug 6 07:32:31 	miniupnpd[44199]: Failed to add NAT-PMP 52225 udp->192.168.0.100:52225 'NAT-PMP 52225 udp'
Aug 6 07:32:31 	miniupnpd[44199]: Failed to add NAT-PMP 52225 udp->192.168.0.100:52225 'NAT-PMP 52225 udp'
Aug 6 07:32:31 	miniupnpd[44199]: ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Operation not supported by device
Aug 6 07:32:31 	miniupnpd[44199]: ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Operation not supported by device
Aug 6 07:32:31 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:32:31 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:32:31 	miniupnpd[44199]: Failed to add NAT-PMP 52225 tcp->192.168.0.100:52225 'NAT-PMP 52225 tcp'
Aug 6 07:32:31 	miniupnpd[44199]: Failed to add NAT-PMP 52225 tcp->192.168.0.100:52225 'NAT-PMP 52225 tcp'
Aug 6 07:31:50 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:31:50 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:31:50 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:31:50 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:31:50 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:31:50 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:31:23 	miniupnpd[44199]: Listening for NAT-PMP traffic on port 5351
Aug 6 07:31:23 	miniupnpd[44199]: Listening for NAT-PMP traffic on port 5351
Aug 6 07:31:23 	miniupnpd[44199]: HTTP listening on port 2189
Aug 6 07:31:23 	miniupnpd[44199]: HTTP listening on port 2189

jimp

Yes it does start and function on amd64, I know that much for sure. i386 is a bit more of mystery. I copied the binary over to my i386 firewall and it works there. I updated my alix and it didn't work there.

jimp

Can someone else on i386 try this:

killall -9 miniupnpd
fetch -o /usr/local/sbin/miniupnpd http://files.chi.pfsense.org/jimp/miniupnpd-i386
chmod 555 /usr/local/sbin/miniupnpd

And then restart the miniupnpd service in the GUI, and see if it works.

That binary now works on my Alix.

catfish99

I am using pfSense 2.1-BETA0-pfSense (i386) on a Soekris 6501.

I tried the miniupnpd file replacement you mentioned. Activated miniupnpd, and then ran Skype and Transmission. Neither got added - ie. still doesn't work as it should.

However, miniupnpd keeps running - which is a good thing.

Below are the entries from my syslog file…


Aug 6 09:46:27	miniupnpd[12563]: Failed to remove NAT-PMP mapping eport 61079, protocol TCP
Aug 6 09:46:27	miniupnpd[12563]: Failed to remove NAT-PMP mapping eport 61079, protocol TCP
Aug 6 09:46:20	miniupnpd[12563]: Listening for NAT-PMP traffic on port 5351
Aug 6 09:46:20	miniupnpd[12563]: Listening for NAT-PMP traffic on port 5351
Aug 6 09:46:20	miniupnpd[12563]: HTTP listening on port 2189
Aug 6 09:46:20	miniupnpd[12563]: HTTP listening on port 2189

jimp

Any way to try that with UPnP rather than NAT-PMP?

catfish99

JMP, turned off NAT-PMP and tried again.

Tried Skype & Transmission and neither was able to create an entry (as they should if it worked ok).

In summary - Still doesn't work as it should, but application is able to run without error.

Log entries & configuration below:

UPnP & NAT-PMP Settings

Enable UPnP & NAT-PMP - Enabled
Allow UPnP Port Mapping - Enabled
Allow NAT-PMP Port Mapping - DISABLED
Interfaces (generally LAN) - LAN

Aug 6 10:07:40	miniupnpd[53693]: HTTP listening on port 2189
Aug 6 10:07:40	miniupnpd[53693]: HTTP listening on port 2189
Aug 6 10:07:40	php[57805]: /pkg_edit.php: miniupnpd: Restarting service on interface: lan

Cino

@jimp:

Can someone else on i386 try this:
killall -9 miniupnpd
fetch -o /usr/local/sbin/miniupnpd http://files.chi.pfsense.org/jimp/miniupnpd-i386
chmod 555 /usr/local/sbin/miniupnpd
And then restart the miniupnpd service in the GUI, and see if it works.

That binary now works on my Alix.

So far so good!!! I did testing from my windows server running uTorrent… Enabling UPnP and NAT-PMP, each by itself within utorrent and in pfSense.

utorrent UPnP:
52225 keep state tcp 192.168.0.100 uTorrent (TCP)
52225 keep state udp 192.168.0.100 uTorrent (UDP)

utorrent NAT-PMP:
52225 keep state tcp 192.168.0.100 NAT-PMP 52225 tcp
52225 keep state udp 192.168.0.100 NAT-PMP 52225 udp

uTorrent was able to tear-down the session when the option was disabled

I'll do more testing this week: deny ports and default traffic queue... but Thank you Jim! And thanks again for sticking thru this!

catfish99

seeing the last post, I fetched the binary again and re-ran my testing.

Well, I am glad to report UPnP & NAT-PMP are both working.

Thanks!

pfsense-1.jpg_thumb

pfsense-2.jpg_thumb

strumf666

Thank you very much :)

edit: A question, after testing with uTorrent and skype, the ports for skype remain open even after I closed the program, but the uTorrent ports get closed. Why is that?

AhnHEL

I have been watching this thread intensely waiting for this issue to be resolved before trying out 2.1. Finally upgraded and it went smoothly and miniupnpd is working as well, many thanks to you Jimp.

johnpoz

Just updated
2.1-BETA0 (i386)
built on Tue Aug 7 04:03:30 EDT 2012
FreeBSD 8.3-RELEASE-p4

And working great, started right up. Test with just win7 upnp interface of device, sees pfsense as freebsd router due to discovery. Allowed me to create forward to .209 address, but got denied when tried to a different address. Which is per my settings. So that is working as well

allow 1024-65535 192.168.1.209/32 1024-65535

Side question, is there anyway to secure upnp other than allow disallow rules? How can there not be a signature, key, password portion to the protocol - that says hey without this key you can not do anything. Something like the rndc key with bind.

jimp

That's a question worthy of its own thread - I'm not aware of anything there, it's just how the protocol was designed, but someone else may know.

Cino

@johnpoz:

Side question, is there anyway to secure upnp other than allow disallow rules? How can there not be a signature, key, password portion to the protocol - that says hey without this key you can not do anything. Something like the rndc key with bind.

I've never heard of anything like that either… poke around here http://miniupnp.free.fr/

@strumf666:

edit: A question, after testing with uTorrent and skype, the ports for skype remain open even after I closed the program, but the uTorrent ports get closed. Why is that?

I want to say that is Skypes fault… The client tell miniupnpd the ports aren't needed anymore. I noticed it with UTorrent when using NAT-PMP... If I exit out the program, the ports down close, but if uncheck the option to use NAT-PMP; uTorrent tells miniupnp to tear down the session.

Only way to tell is to run a packet capture and see what is being sent/receive.

jimp

Yes it's up to the client to inform the server to close the ports, unless you clear them manually. I don't recall if miniupnpd will reap them after a while or if it leaves them indefinitely.

strumf666

OK, thanks for explaining.

ZPrime

UPnP is a dumb protocol, there's no authentication because Microsoft designed it. :P

The access controls built in to miniupnp are actually above and beyond the spec, amazingly.

I'm just happy we have it, Xboxes (and to a lesser extent, PS3 and some PC games) are much happier having it in place!

I can't remember if miniupnp reaps old ports, but it would be nice to have that option. Most devices automatically re-add them every time they power up anyway. Alternatively, a "selective reap" option to kill just one entry would be handy too. I'm not sure if this would be something that pfSense devs would need to add, or if it would have to be an underlying feature in miniupnpd (at which point I should submit the request to that developer rather than redmine).

Ocid

@bradenmcg:

I can't remember if miniupnp reaps old ports, but it would be nice to have that option.

At least this shows in my logs:


Aug 7 22:13:03	miniupnpd[6959]: remove port mapping 4504 UDP because it has expired
Aug 7 22:13:03	miniupnpd[6959]: remove port mapping 4504 UDP because it has expired
Aug 7 22:13:03	miniupnpd[6959]: remove port mapping 5354 UDP because it has expired
Aug 7 22:13:03	miniupnpd[6959]: remove port mapping 5354 UDP because it has expired
Aug 8 03:06:15	miniupnpd[6959]: remove port mapping 9635 TCP because it has expired
Aug 8 03:06:15	miniupnpd[6959]: remove port mapping 9635 TCP because it has expired

tfbiii

"there is no authentication because M$ designed it" - what an idiotic statement

Anyway - to the admins/devs, thank you! This seems to be working much better now and makes my life a lot easier.