Netgate Discussion Forum

    Miniupnpd not denying access

    2.1 Snapshot Feedback and Problems - RETIRED
    13 Posts 5 Posters 5.2k Views
      AhnHEL

      I have the default deny rule checked, and have set up an allow rule.  This functions as expected and when I remove the rule, UPnP is effectively blocked.

      
      ext_ifname=em1
      port=2189
      listening_ip=em0
      packet_log=yes
      presentation_url=https://192.168.1.1:443/
      uuid=6f74447a-95d8-bda3-0034-3693e415431
      serial=6F74447A
      model_number=2.1-BETA0
      
      allow 1024-65535 192.168.1.5 17349
      deny 0-65535 0.0.0.0/0 0-65535
      enable_upnp=yes
      enable_natpmp=no
      

      AhnHEL (Angel)

        Cino

        Thanks onhel!! I'll have to do some more testing and figure out what I'm doing wrong.

          Cino

          @onhel:

          I have the default deny rule checked, and have set up an allow rule.  This functions as expected and when I remove the rule, UPnP is effectively blocked.

          Not really how I wanted it set up, but if I check the default deny rule, it will only open up when I put it in the config… I would prefer the other way around but this is doable for now.

          I'm up to using 3 of the 4 User specified permissions fields.... Hope I don't need more or I'll have to start hacking some PHP pages..

            SeventhSon

            @Cino:

            I'm up to using 3 of the 4 User specified permissions fields…. Hope I don't need more or I'll have to start hacking some PHP pages..

            Or you can give them consecutive IPs and use a range?

              xbipin

              Sorry to barge in, but has anyone tried UPnP and had limiters set? There was a bug in 2.0.1 where UPnP would break limiters, so I wanted to ask if it's solved or not.

              The bug was: suppose you set a limiter on a client IP and that works, but if this client opened ports using UPnP then they wouldn't be limited by the limiter. So suppose I set a speed of 1 Mbps on a client and this client starts a torrent download and uses UPnP to open ports, then his downloads would be limited to 1 Mbps; it would break the limiter.

                Cino

                @xbipin:

                Sorry to barge in, but has anyone tried UPnP and had limiters set? There was a bug in 2.0.1 where UPnP would break limiters, so I wanted to ask if it's solved or not.

                The bug was: suppose you set a limiter on a client IP and that works, but if this client opened ports using UPnP then they wouldn't be limited by the limiter. So suppose I set a speed of 1 Mbps on a client and this client starts a torrent download and uses UPnP to open ports, then his downloads would be limited to 1 Mbps; it would break the limiter.

                I have not tried the limiter feature of UPnP… Only the default queue, which I don't think is working.

                  Cino

                  Looks like I had the syntax wrong.. I was able to have it configured to allow all and deny what I want :-)

                  This seems to do the trick… Not sure why I didn't think of this before..
                  deny 443 192.168.0.100 443
                  deny 80 192.168.0.100 80

                    johnpoz LAYER 8 Global Moderator

                    The default deny is working from what I can tell

                    I am currently using
                    2.1-BETA0 (i386)
                    built on Tue Aug 28 14:42:48 EDT 2012
                    FreeBSD 8.3-RELEASE-p4

                    Simple test is just from any Windows box that sees your router, just try and add something.  Blocked from creating the rule - as you see from the attachment, it was denied creating the forward.  But if I remove the default deny or come from my allow IP it works fine:
                    allow 1024-65535 192.168.1.209/32 1024-65535

                    [Attachment: defaultdeny.png]

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                      xbipin

                      I wanted to ask how we can add multiple IPs to a single permission entry to allow UPnP.

                      allow 1024-65535 192.168.0.11 1024-65535 (this allows 1 client to open ports)

                      I want to add multiple clients to this single entry, like
                      192.168.0.11
                      192.168.0.30
                      192.168.0.2
                      etc

                        johnpoz LAYER 8 Global Moderator

                        You can do a mask, but not sure how you can do specific IPs like that without different entries?

                          AhnHEL

                          I personally have all my gaming devices grouped together in my DHCP leases, so all of my UPnP enabled devices are statically assigned IPs 192.168.1.17 through 192.168.1.22.  I then create the following allow rule in Services/UPnP using a mask bit of 29 to fit those 6 IPs.

                          allow 88-65535 192.168.1.16/29 88-65535
                          

                          Now that's one line for all of my UPnP devices.  I do not statically assign any device to IPs 192.168.1.16 AND 192.168.1.23 just to avoid the confusion of the above mask's subnet ID and broadcast address.  You can use any mask you like to accommodate a bigger or smaller set of devices but the main point is to group all your UPnP enabled devices with their IP range and set up the appropriate mask.  I cheat sometimes and use the below website to help me figure out quickly the correct mask.

                          http://www.subnet-calculator.com/

                          AhnHEL (Angel)
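
Added example, not part of any post in this thread and not miniupnpd's own code: a small Python model of how the permission lines quoted above are evaluated, plus the mask calculation from the last post. It assumes rules are checked in order with the first match winning, and that a request matching no rule is allowed (consistent with what the posters report when the default deny line is absent); `parse_rule`, `decide` and `smallest_cover` are hypothetical helper names.

```python
import ipaddress

def parse_rule(line):
    """Parse '(allow|deny) ext_ports ip[/mask] int_ports' into a tuple."""
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action in rule: {line!r}")
    def ports(spec):
        lo, _, hi = spec.partition("-")
        return int(lo), int(hi or lo)  # a single port means lo == hi
    # An address without a mask is treated as /32 (one host)
    return action, ports(ext), ipaddress.ip_network(net, strict=False), ports(internal)

def decide(rules, ext_port, client_ip, int_port):
    """First matching rule wins; assumed fall-through is allow."""
    ip = ipaddress.ip_address(client_ip)
    for action, (elo, ehi), net, (ilo, ihi) in map(parse_rule, rules):
        if elo <= ext_port <= ehi and ip in net and ilo <= int_port <= ihi:
            return action
    return "allow"  # assumption: no rule matched, so the mapping is accepted

def smallest_cover(ips):
    """Smallest single CIDR block that contains every address in ips."""
    addrs = [ipaddress.ip_address(i) for i in ips]
    net = ipaddress.ip_network(f"{min(addrs)}/32")
    while max(addrs) not in net:
        net = net.supernet()  # widen the mask by one bit at a time
    return net

# Rule sets copied from the posts above
DEFAULT_DENY = ["allow 1024-65535 192.168.1.5 17349",
                "deny 0-65535 0.0.0.0/0 0-65535"]
ALLOW_ALL_EXCEPT = ["deny 443 192.168.0.100 443",
                    "deny 80 192.168.0.100 80"]
GROUPED = ["allow 88-65535 192.168.1.16/29 88-65535",
           "deny 0-65535 0.0.0.0/0 0-65535"]

if __name__ == "__main__":
    gaming = [f"192.168.1.{n}" for n in range(17, 23)]
    print(smallest_cover(gaming))  # the /29 used in the last post
    scattered = ["192.168.0.11", "192.168.0.30", "192.168.0.2"]
    cover = smallest_cover(scattered)
    print(cover, "grants", cover.num_addresses - len(scattered), "extra addresses")
```

A mask grants every address inside it, assigned or not, so scattered clients are better served by renumbering them into one block or by separate entries. Under this model `deny 443 192.168.0.100 443` matches only when both the external and the internal port are 443.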
