IOT Lan - SSDP and PIMD and all that (again)
-
There's a thread about this. Forget the title. Search for udpbroadcastrelay. There you will find instructions to build the utility from source and a link to just download the pre-compiled version. Use the shellcmd package to run it. Standard warning about packages not blessed by pfSense and so on applies...
It's a bit crude but it gets the job done.
This will be helpful:
https://github.com/marjohn56/udpbroadcastrelay/blob/master/README.md
-
@jwj Did see that, but as you say it's long-winded, especially since I'd be having to spin up a BSD development environment to build it. I'd sort of hoped that someone had really tamed pimd for this one very useful thing, or got the udpbroadcastrelay fix properly packaged up by now?
-
@thondwe Update - so downloaded a BSD image for Hyper-V and built the package - turns out to be a very simple job.
So ran it to see if it's working and I get "port already in use". So poking around - it seems that "UPnP & NAT-PMP" on my "Gaming" VLAN (for the Xbox) is using 1900:
*.1900 on both IPv4 and IPv6
So if I turn that off, bingo - run the udpbroadcastrelay and it all works. Both Roku and Sky+ apps work across VLANs and the Plex server as DLNA in the garage turns up too.
So suspect that was the problem for PIMD too?
So how to tame the UPnP package to limit it to the Gaming VLAN and WAN?
Xbox is likely to be a pain later - depends on what games my daughter picks up. At present it's on IPv6 anyway (so Xbox Live is fine), so the only UPnP setup is for a P2P Minecraft game with some friends, which was unreliable even then - she's sorted that with a Realm anyway (much better)!
At least this is Progress!
-
And - seems that UPnP package will enable SSDP for general use if you select the VLANs/LANs required - seemed to work for Roku/Sky+ for me.
Needs further testing to see if the ACLs can then allow general SSDP, but block UPnP NAT except for my gaming LAN?
-
Edited: You, obviously, already know this... Too early, didn't read your posts carefully. Sorry.
Some device asked UPnP to open that port. You should be able to see that in Status->UPnP & NAT-PMP. Is it opening it on WAN?
You can allow or disallow UPnP from opening port forwards by using the 'ACL Entries' when setting UPnP up. There are a lot of u's and p's in that sentence ;)
As an example I had UPnP set up to disallow by default and then allow only my PlayStation. Looked like this: allow 1024-65535 192.168.30.100 1024-65535
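To make the ACL mechanism concrete, here is an added example (not code from the thread, pfSense or miniupnpd) that models how an entry list like the one above is evaluated: each entry is "allow|deny <external port or range> <internal IP or IP/CIDR> <internal port or range>", entries are checked in order and the first match decides. The evaluator assumes that a request matching no entry is allowed, which is why "disallow by default" is expressed here as a trailing deny-all entry; that default and the sample requests are constructed for the example.

```python
"""Evaluate UPnP-style ACL entries against port-mapping requests.

Entry format modelled on the pfSense UPnP 'ACL Entries' field:
    allow|deny <ext port|lo-hi> <int ip|ip/cidr> <int port|lo-hi>
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "allow" or "deny"
    ext_ports: Tuple[int, int]       # inclusive external port range
    int_net: ipaddress.IPv4Network   # internal host or subnet
    int_ports: Tuple[int, int]       # inclusive internal port range


def _parse_range(text: str) -> Tuple[int, int]:
    """'8080' -> (8080, 8080); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = text.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not (0 <= lo_i <= hi_i <= 65535):
        raise ValueError(f"bad port range: {text}")
    return (lo_i, hi_i)


def parse_acl(line: str) -> AclEntry:
    """Parse one ACL entry line; a bare IP is treated as a /32."""
    parts = line.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields: {line!r}")
    action, ext, host, internal = parts
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    return AclEntry(
        action=action,
        ext_ports=_parse_range(ext),
        int_net=ipaddress.ip_network(host, strict=False),
        int_ports=_parse_range(internal),
    )


def is_mapping_allowed(acl: List[AclEntry], ext_port: int,
                       int_addr: str, int_port: int) -> bool:
    """First matching entry wins. Assumption for this example: no match
    means the mapping is allowed, so 'deny by default' needs a trailing
    deny-all entry."""
    addr = ipaddress.ip_address(int_addr)
    for e in acl:
        if (e.ext_ports[0] <= ext_port <= e.ext_ports[1]
                and addr in e.int_net
                and e.int_ports[0] <= int_port <= e.int_ports[1]):
            return e.action == "allow"
    return True


# Constructed ACL: only the console at 192.168.30.100 may open
# high ports; everything else is denied by the trailing entry.
ACL_TEXT = [
    "allow 1024-65535 192.168.30.100 1024-65535",
    "deny 0-65535 0.0.0.0/0 0-65535",
]
GAMING_ACL = [parse_acl(line) for line in ACL_TEXT]


if __name__ == "__main__":
    # Constructed port-mapping requests (ext port, internal host, int port).
    requests = [
        (25565, "192.168.30.100", 25565),  # console, high port: allowed
        (25565, "192.168.30.101", 25565),  # other host on the VLAN: denied
        (80, "192.168.30.100", 80),        # console but low port: denied
    ]
    for ext, host, internal in requests:
        verdict = "ALLOW" if is_mapping_allowed(GAMING_ACL, ext, host, internal) else "DENY"
        print(f"{verdict:5} ext {ext} -> {host}:{internal}")
```

Dropping the trailing deny-all entry shows why it matters: with only the allow line present, a request from any other host falls through and is allowed under the default assumed here.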
-
@jwj I've been down that route with the UPnP NAT package - so got the Xbox to play nicely.
But the issue was that udpbroadcastrelay moaned that it couldn't bind as 1900 was already in use. Having looked at this, it seems there's a minissdpd package to allow local use of SSDP with miniupnpd and they play nicely together. Will investigate that - same deal with git to grab the sources - but needs gmake rather than make. So next job is to get it on pfSense and get it started before miniupnpd to see if it works...
-
@thondwe Another thought. You could use your switch to create broadcast groups to get SSDP working for Roku et al. How that works is dependent on what switch(es) you have. On my Cisco Small Business (now known as Designed by Cisco or some such thing) you can control the broadcast group on a very fine-grained level. Port by port if you want.
I get a bit uneasy the more stuff outside of pfsense that is installed...
-
@jwj Not that clever, my switches (Netgears, which are OK, but the web GUI is dire!) - I don't have Sonos, I was mostly interested in my Sky+ app and Roku apps so I can isolate my IoTs nicely.
So compiled and tested minissdpd and ran in debug - sees lots of SSDP traffic, but neither the Sky+ app nor the VLC (DLNA) app worked, unlike with udpbroadcastrelay - so am sticking with the latter for now.
Would be nice if minissdpd could be bundled into the UPnP package though - clearly they should be run together.
-
@thondwe Generally L2 boundaries are meant to be respected. It's all a bit of a workaround when you want/need to do otherwise. These solutions exist mainly to do IPTV in business environments. Those video screens at the mall, stuff like that.
-
@jwj Can but hope that the home IoT/router vendors up their game a bit so we don't need these "security" workarounds. "Work from Home" is going to be moving up the ladder as a security attack vector.