Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    UPnP Help and Questions

    Scheduled Pinned Locked Moved
    Gaming
    1
    1
    2.9k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • R
      Rhongomiant
      last edited by

      Hello all,

      I could use some help with UPnP in pfSense.

      1. I thought I was having an issue with UPnP in pfSense with my game consoles, but I used a port mapper utility and verified that UPnP in pfSense is working. Using the utility I found what I believe is the problem. There are two devices advertising themselves as UPnP routers, my pfSense router and a TRENDnet TEW-680MB Wireless Media Bridge. I have no idea why the TEW-680MB is doing this and I cannot find an option to disable UPnP on the TEW-680MB. I have tried adding the TEW-680MB's IP to my UPnP rules and that does not help. When I use the port mapper utility it asks me which one to use. The Xbox must just fail when it encounters more than one UPnP router.

      1a) Has any one found a work around for this kind of situation?

      1b) With the TEW-680MB I have this UPnP issue and all devices come through using the same MAC address, so frankly I am fine with tossing it. Anyone know of a good Wireless Media Bridge that does not have these issues or other issues that make them hard to work with. I am also interested in your experience with good MoCA and Powerline adapters that do not have these issues.

      1c) Eventually I will have two pfSense routers up for fail-over. Given the problem I am having with two UPnP devices advertising themselves as routers, if I resolve that issue, will having two pfSense routers create the same issue our does pfSense address this and only the active router runs UPnP?

      I do not see UPnP in CARP settings so I am not hopeful, but I guess I could manually control this. Maybe someone already has a cron to disable UPnP on the inactive router and enable it on the active router?

      1. I see that there is an "Override WAN address", but I am not sure what this really does. I know that it adds the ext_ip= line to the miniupnpd config file used in pfSense, /var/etc/miniupnpd.conf, but for me having it there or not makes no difference. Maybe I just think that I should need it in my setup, but it is actually for other setups, so I will explain my setup below.

      • Redundant pfSense devices. I on have one on, but my setup is designed for two.

      • Dual WAN, but that does not really matter since UPnP in pfSense does not work with more than one WAN so I will explain the setup for that WAN below.

      • FIOS -> MoCA adapter -> NAT Router -> pfSense

      • I use a MoCA adapter because I do not have an easy way to get Ethernet from the ONT to my inside equipment and I do not want to use the FIOS provided router.

      • I use a NAT Router between the MoCA adapter and pfSense because FIOS, at least in my area, is ridiculous about giving out public IPs. The cost is far more than getting a nice, but not cisco, juniper, etc. device. Anyway, I am using a TP-LINK TL-ER6120 and it is setup to send all traffic to the DMZ which is 192.168.120.2.

      2 cont) 192.168.120.2 is a CARP IP with the active pfSense router using 192.168.120.3 on the FIOS WAN. I can leave the "Override WAN address" blank or set it to 192.168.120.2 which does set that in the config and UPnP works with either setting. The state table shows the following with "Override WAN address" set or not, notice 192.168.120.2 in the state table.

      tcp 	192.168.121.113:55542 <- 192.168.120.2:55542 <- 173.241.194.40:60298 	ESTABLISHED:ESTABLISHED 	
tcp 	173.241.194.40:60298 -> 192.168.121.113:55542 	ESTABLISHED:ESTABLISHED

      Regardless of the "Override WAN address" setting the UPnP rule is the same, see below.

      pfctl -sn -a miniupnpd

rdr pass log quick on em0_vlan52 inet proto tcp from any to any port = 55542 keep state label "Test_55542" rtable 0 -> 192.168.121.113 port 55542

      Notice that there is no 192.168.120.2 in the rule and I believe any is where 192.168.120.2 would/should be. This means that pf will translate packets with the destination port 55542 and the destination IP set to any IP on the interface em0_vlan52.

      Let me know if my interpretation is wrong.

      1. In the following forum post databeestje stated that he had issues without multicast rules and he submitted code to automatically add a rle for multicast.

      http://forum.pfsense.org/index.php/topic,13887.0.html

      I cannot find a rule to allow 224.x.x.x or 239.x.x.x, but when I run the port mapping tool and a packet capture, I see that it sends a request to 239.255.255.250 and I do not have an allow all or other rule that should allow to 224.x.x.x or 239.x.x.x IPs. Am I just missing what allows this by default or must I have a rule that allows this.

      In case I have a rule I am missing, below is the list of rules I have set for the interface on which I am running the port mapping tool and the IP on the system I am using to run the tool is 192.168.121.80. The tables Internal_IPv4_Subnets_01 and CORP_Internal_Addresses do not contain entries for 224.x.x.x or 239.x.x.x or blocks that would include them, see block below the rules for details.

      pfctl -sr | grep "lagg0_vlan20" | more

scrub on lagg0_vlan20 all fragment reassemble
block drop in on ! lagg0_vlan20 inet from 192.168.121.0/24 to any
block drop in on ! lagg0_vlan20 inet from 192.168.110.0/24 to any
block drop in on lagg0_vlan20 inet6 from fe80::290:bff:fe1c:c41e to any
block drop in on ! lagg0_vlan20 inet6 from 2001:590:10:b6d::/64 to any
pass in quick on lagg0_vlan20 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on lagg0_vlan20 inet proto udp from any port = bootpc to 192.168.121.2 port = bootps keep state label "allow access to DHCP server"
pass out quick on lagg0_vlan20 inet proto udp from 192.168.121.2 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
pass quick on lagg0_vlan20 inet6 proto udp from fe80::/10 to fe80::/10 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on lagg0_vlan20 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass quick on lagg0_vlan20 inet6 proto udp from fe80::/10 to ff02::/16 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass quick on lagg0_vlan20 inet6 proto udp from ff02::/16 to fe80::/10 port = dhcpv6-server keep state label "allow access to DHCPv6 server"
pass in quick on lagg0_vlan20 inet6 proto udp from fe80::/10 to 2001:590:10:b6d::2 port = dhcpv6-client keep state label "allow access to DHCPv6 server"
pass out quick on lagg0_vlan20 inet6 proto udp from 2001:590:10:b6d::2 port = dhcpv6-server to fe80::/10 keep state label "allow access to DHCPv6 server"
pass in quick on lagg0_vlan20 proto tcp from any to (lagg0_vlan20) port = https flags S/SA keep state label "anti-lockout rule"
pass in quick on lagg0_vlan20 proto tcp from any to (lagg0_vlan20) port = http flags S/SA keep state label "anti-lockout rule"
pass in quick on lagg0_vlan20 proto tcp from any to (lagg0_vlan20) port = 22 flags S/SA keep state label "anti-lockout rule"
pass in quick on lagg0_vlan20 inet from 192.168.121.0/24 to <internal_ipv4_subnets_01> flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on lagg0_vlan20 inet from 192.168.121.0/24 to <corp_internal_addresses> flags S/SA keep state label "USER_RULE: Allow LAN to CORP Internal Addresses"
pass in log quick on lagg0_vlan20 inet from 192.168.121.101 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in log quick on lagg0_vlan20 route-to (em3_vlan52 24.x.x.x) inet from 192.168.121.101 to any flags S/SA keep state label "USER_RULE: Allow HS_Private01_Devices to any rule"
pass in log quick on lagg0_vlan20 inet from <one2one_nat_devices_wan02_inet_01> to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in log quick on lagg0_vlan20 route-to (em3_vlan52 24.x.x.x) inet from <one2one_nat_devices_wan02_inet_01> to any flags S/SA keep state label "USER_RULE: Allow ONE2ONE_NAT_Devices_WAN02_INET_01 to any rule"
pass in quick on lagg0_vlan20 inet from <hs_private01_devices> to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on lagg0_vlan20 route-to (em3_vlan51 192.168.120.1) inet from <hs_private01_devices> to any flags S/SA keep state label "USER_RULE: Allow HS_Private01_Devices to any rule"
pass in quick on lagg0_vlan20 inet from 192.168.121.0/24 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on lagg0_vlan20 route-to { (em3_vlan52 24..x.x.x), (em3_vlan111 192.168.120.1) } round-robin inet from 192.168.147.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on lagg0_vlan20 inet6 from 2001:590:10:b6d::/64 to <negate_networks> flags S/SA keep state label "NEGATE_ROUTE: Negate policy routing for destination"
pass in quick on lagg0_vlan20 route-to (gif0 2001:590:9:b6d::1) inet6 from 2001:590:10:b6d::/64 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"
pass in quick on lagg0_vlan20 inet6 from fe80::/10 to any flags S/SA keep state label "USER_RULE: Default allow LAN to any rule"</negate_networks></negate_networks></hs_private01_devices></negate_networks></hs_private01_devices></one2one_nat_devices_wan02_inet_01></negate_networks></one2one_nat_devices_wan02_inet_01></negate_networks></corp_internal_addresses></internal_ipv4_subnets_01>

      To help show that the tables Internal_IPv4_Subnets_01 and CORP_Internal_Addresses do not contain entries for 224.x.x.x or 239.x.x.x or blocks that would include them, I ran the following which returned nothing.
pfctl -Ts -t Internal_IPv4_Subnets_01 | grep -E '/([0-9]|1[0-9]|2[0-3])$' | grep -E '^[\t ]*(222|223|224|225|226|237|238|239|240|241)\.'
pfctl -Ts -t CORP_Internal_Addresses | grep -E '/([0-9]|1[0-9]|2[0-3])$' | grep -E '^[\t ]*(222|223|224|225|226|237|238|239|240|241)\.'

      Since I have a bit of a special setup compared to most combining a business class environment (Multi-WAN, multiple public IPs and redundant pfSense devices setup for failover) and therefore requiring more options UPnP options than normal, I figured I would role my own config to do what I need and send it to the pfSense team for review. I am not having much luck finding a complete minuupnp config options list. Anyone have a resource for this?

      I would like to configure UPnP for the following scenarios. I am also interested if anyone has seen these abilities in other upnp daemons.

      1. Multi-WAN:

      1a) Allowing an internal IP or CIDR block to be mapped to a specific external IP.

      1b) Allowing an internal IP or CIDR block to be mapped to all or multiple specific external IPs. This case helps with the following scenario. A gateway group is set for the internal IP or CIDR block so that traffic can flow through more than one WAN if needed, in a failover situation. In order for this to work, the UPnP ports would need to be on all the WANs that could be used for the internal IP or CIDR block.

      1. 1:1 NAT and/or custom outbound NAT:

      Now this may seem strange to some as UPnP was likely designed with one to many NAT networks in mind. However, if you have looked at the PlatStation required ports lists and some games require more. Xbox Live's list is short, but some games need more. Regardless these systems use UPnP and the ports for these should only be open when the devices are no, so UPnP IMHO is still useful in 1:1 NAT and/or custom outbound NAT scenarios.

      Thanks for any help,

      Rhongomiant

      1 Reply Last reply Reply Quote 0
      • First post
        Last post