Netgate Discussion Forum
    Miniupnpd not denying access

    2.1 Snapshot Feedback and Problems - RETIRED
    13 Posts 5 Posters 5.2k Views
    Cino:

      I didn't have this problem with 2.0.1 and the config looks fine. I'm wondering if there is an issue with the version that is included with pfSense 2.1 or maybe an option wasn't built when it was being compiled.

      Long story short, I have a server that I can't disable from opening UPnP ports (thanks Microsoft), but in the past I would deny HTTPS via miniupnpd. I changed my OpenVPN setup to use port 443; when miniupnpd opens the port for this Windows server, I'm unable to connect OpenVPN until I restart the miniupnpd service.

      Thanks in advance!

      From status page:

      
      http keep state 	tcp 	192.168.0.100 	HTTP
      https keep state 	tcp 	192.168.0.100 	HTTPS 
      
      

      Process running:

      
      root   36714  0.0  0.0  3364  1320  ??  Ss    6:47AM   0:00.98 /usr/local/sbin/miniupnpd -f /var/etc/miniupnpd.conf -P /var/run/miniupnpd.pid
      
      

      Config file that is created:

      
      ext_ifname=em3
      port=2189
      listening_ip=192.168.0.1/24
      presentation_url=https://192.168.0.1:445/
      uuid=fa3848fa-d09b-125b-0e85-b2f1510f282
      serial=FA3848FA
      model_number=2.1-BETA0
      
      deny 443 192.168.0.100/32 1024-65535
      enable_upnp=yes
      enable_natpmp=no
      
      
      Cino:

        I'm still experiencing this issue. Can anyone else confirm that they are having the same issue? Would like to have confirmation of the issue before opening a bug ticket.

        2.1-BETA0 (i386)
        built on Wed Aug 15 08:44:35 EDT 2012
        FreeBSD 8.3-RELEASE-p4

        AhnHEL:

          I have the default deny rule checked, and have set up an allow rule.  This functions as expected, and when I remove the rule, UPnP is effectively blocked.

          
          ext_ifname=em1
          port=2189
          listening_ip=em0
          packet_log=yes
          presentation_url=https://192.168.1.1:443/
          uuid=6f74447a-95d8-bda3-0034-3693e415431
          serial=6F74447A
          model_number=2.1-BETA0
          
          allow 1024-65535 192.168.1.5 17349
          deny 0-65535 0.0.0.0/0 0-65535
          enable_upnp=yes
          enable_natpmp=no
          

          AhnHEL (Angel)

          Cino:

            Thanks onhel!! I'll have to do some more testing and figure out what I'm doing wrong.

            Cino:

              @onhel:

              I have the default deny rule checked, and have set up an allow rule.  This functions as expected, and when I remove the rule, UPnP is effectively blocked.

              Not really how I wanted it set up, but if I check the default deny rule, it will only open up when I put it in the config… I would prefer the other way around, but this is doable for now.

              I'm up to using 3 of the 4 User specified permissions fields.... Hope I don't need more or I'll have to start hacking some PHP pages..

              SeventhSon:

                @Cino:

                I'm up to using 3 of the 4 User specified permissions fields…. Hope I don't need more or I'll have to start hacking some PHP pages..

                Or you can give them consecutive IPs and use a range?

                xbipin:

                  Sorry to barge in, but has anyone tried UPnP with limiters set? There was a bug in 2.0.1 where UPnP would break limiters, so I wanted to ask if it's solved or not.

                  The bug was: suppose you set a limiter on a client IP and that works, but suppose this client opened ports using UPnP; then they wouldn't be limited by the limiter. So suppose I set a speed of 1mbps on a client, and suppose this client starts a torrent download and uses UPnP to open ports; then his downloads would be limited to 1mbps, it would break the limiter.

                  Cino:

                    @xbipin:

                    Sorry to barge in, but has anyone tried UPnP with limiters set? There was a bug in 2.0.1 where UPnP would break limiters, so I wanted to ask if it's solved or not.

                    The bug was: suppose you set a limiter on a client IP and that works, but suppose this client opened ports using UPnP; then they wouldn't be limited by the limiter. So suppose I set a speed of 1mbps on a client, and suppose this client starts a torrent download and uses UPnP to open ports; then his downloads would be limited to 1mbps, it would break the limiter.

                    I have not tried the limiter feature of UPnP… Only the default queue, which I don't think is working.

                    Cino:

                      Looks like I had the syntax wrong.. I was able to configure it to allow all and deny what I want :-)

                      This seems to do the trick… Not sure why I didn't think of this before..
                      deny 443 192.168.0.100 443
                      deny 80 192.168.0.100 80

                      johnpoz (LAYER 8 Global Moderator):

                        The default deny is working from what I can tell.

                        I am currently using
                        2.1-BETA0 (i386)
                        built on Tue Aug 28 14:42:48 EDT 2012
                        FreeBSD 8.3-RELEASE-p4

                        A simple test is just from any Windows box that sees your router: try and add something. It is blocked from creating the rule; as you see from the attachment, it was denied creating the forward.  But if I remove the default deny or come from my allow IP, it works fine.
                        allow 1024-65535 192.168.1.209/32 1024-65535

                        [attachment: defaultdeny.png]

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        xbipin:

                          I wanted to ask how we can add multiple IPs to a single permission entry to allow UPnP.

                          allow 1024-65535 192.168.0.11 1024-65535 (this allows 1 client to open ports)

                          I want to add multiple clients to this single entry, like
                          192.168.0.11
                          192.168.0.30
                          192.168.0.2
                          etc

                          johnpoz (LAYER 8 Global Moderator):

                            You can do a mask, but I'm not sure how you can do specific IPs like that without different entries?


                            AhnHEL:

                              I personally have all my gaming devices grouped together in my DHCP leases, so all of my UPnP-enabled devices are statically assigned IPs 192.168.1.17 through 192.168.1.22.  I then create the following allow rule in Services/UPnP, using a mask of 29 bits to fit those 6 IPs.

                              allow 88-65535 192.168.1.16/29 88-65535
                              

                              Now that's one line for all of my UPnP devices.  I do not statically assign any device to IPs 192.168.1.16 AND 192.168.1.23, just to avoid the confusion of the above mask's subnet ID and broadcast address.  You can use any mask you like to accommodate a bigger or smaller set of devices, but the main point is to group all your UPnP-enabled devices within their IP range and set up the appropriate mask.  I cheat sometimes and use the below website to help me quickly figure out the correct mask.

                              http://www.subnet-calculator.com/


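The permission lines discussed through this thread (Cino's first `deny 443 192.168.0.100/32 1024-65535` attempt and the later `deny 443 192.168.0.100 443` that worked, AhnHEL's allow-plus-default-deny pair, and the /29 group rule above) can be checked against a small evaluator. The Python below is an added example, not pfSense or miniupnpd code. It assumes the rule form documented for miniupnpd.conf, `allow|deny <ext port range> <ip or ip/mask> <int port range>`, with rules tested in file order, the first rule whose three fields all match deciding, and a request that matches no rule being allowed; the config fragments and the port-mapping requests are constructed from the values posted in the thread.

```python
"""Model of miniupnpd permission-rule evaluation (added example, not pfSense
or miniupnpd code).  Assumed rule form, as documented for miniupnpd.conf:

    allow|deny <ext port or range> <ip or ip/mask> <int port or range>

Assumed semantics: rules are tested in order, the first rule whose external
port range, client address and internal port range all match decides, and a
request that matches no rule is allowed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    ext: tuple[int, int]         # external port range, inclusive
    net: ipaddress.IPv4Network   # client address(es) the rule covers
    int_: tuple[int, int]        # internal port range, inclusive


def _port_range(text: str) -> tuple[int, int]:
    """'443' -> (443, 443); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = text.partition("-")
    lo_i, hi_i = int(lo), int(hi or lo)
    if not (0 <= lo_i <= hi_i <= 65535):
        raise ValueError(f"bad port range {text!r}")
    return lo_i, hi_i


def parse_rule(line: str) -> Rule:
    """Parse one 'allow ...' / 'deny ...' line from miniupnpd.conf."""
    parts = line.split()
    if len(parts) != 4 or parts[0] not in ("allow", "deny"):
        raise ValueError(f"not a permission rule: {line!r}")
    # strict=False lets '192.168.1.16/29' and a bare '192.168.0.100' both parse
    net = ipaddress.ip_network(parts[2], strict=False)
    return Rule(parts[0], _port_range(parts[1]), net, _port_range(parts[3]))


def parse_config(text: str) -> list[Rule]:
    """Collect the permission rules from a miniupnpd.conf body, in file order."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip().startswith(("allow ", "deny "))]


def mapping_allowed(rules: list[Rule], client: str, ext_port: int, int_port: int) -> bool:
    """First matching rule wins; no matching rule means the request is permitted."""
    addr = ipaddress.ip_address(client)
    for r in rules:
        if (r.ext[0] <= ext_port <= r.ext[1]
                and r.int_[0] <= int_port <= r.int_[1]
                and addr in r.net):
            return r.action == "allow"
    return True


# Constructed config fragments built from the rule lines posted in the thread.
FIRST_ATTEMPT = "deny 443 192.168.0.100/32 1024-65535\n"
WORKING_RULES = "deny 443 192.168.0.100 443\ndeny 80 192.168.0.100 80\n"
DEFAULT_DENY = "allow 1024-65535 192.168.1.5 17349\ndeny 0-65535 0.0.0.0/0 0-65535\n"
# The /29 allow line followed by the deny-all line the default-deny option appends.
MASKED_GROUP = "allow 88-65535 192.168.1.16/29 88-65535\ndeny 0-65535 0.0.0.0/0 0-65535\n"

if __name__ == "__main__":
    # The Windows host asks for external 443 -> internal 443.  Internal port 443 is
    # outside 1024-65535, so the first attempt never matches and the mapping succeeds.
    print(mapping_allowed(parse_config(FIRST_ATTEMPT), "192.168.0.100", 443, 443))  # True
    print(mapping_allowed(parse_config(WORKING_RULES), "192.168.0.100", 443, 443))  # False
    # Default-deny style: only the listed host and internal port get through.
    print(mapping_allowed(parse_config(DEFAULT_DENY), "192.168.1.5", 5000, 17349))  # True
    print(mapping_allowed(parse_config(DEFAULT_DENY), "192.168.1.6", 5000, 17349))  # False
    # /29 covers .16 through .23, so .17 and .22 are allowed while .24 hits the deny-all.
    g = parse_config(MASKED_GROUP)
    print([mapping_allowed(g, ip, 3074, 3074)
           for ip in ("192.168.1.17", "192.168.1.22", "192.168.1.24")])  # [True, True, False]
```

Under these semantics the first attempt fails for a reason worth checking on any rule that seems to be ignored: a deny line only matches when the internal port of the request also falls inside its third field, so a mapping of external 443 to internal 443 slips past a rule written for internal ports 1024-65535. The /29 case also shows why a group rule is best paired with the deny-all line: without it, an address outside the mask would match nothing and be allowed by default.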
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.