SSDP / UPNP: Want to allow a second subnet to send packets.



  • version: PFSense 2.3.1

    For a while I've been dabbling around, trying to solve the following error message from the Routing section:

    "miniupnpd 40648 SSDP packet sender 10.10.1.100:52364 not from a LAN, ignoring"

    I can understand the message itself, as the LAN's direct subnet is 10.10.0/24.
    On the same LAN however, I have a secondary network in the 10.10.1/24 subnet and I would wish to allow two specific hosts to use UPNP (being 10.10.1.100 and 10.10.1.50 to be exact)

    The main thing I had expected to work would've been when I changed the following setting:
    In the Services-> UPnP & NAT-PMP menu, I've tried to create two ACL entries:
    allow 1024-65535 10.10.1.50 1024-65535
    allow 1024-65535 10.10.1.100 1024-65535

    But still receive the logs and at this point am not sure which way to look further.
    Could anyone perhaps give me some insight as to how I can try to narrow this down? I'm starting to get the feeling I'm not really looking in the right direction at this time…


  • LAYER 8 Global Moderator

    So you have a downstream router?  Or your running 2 layer3 networks over the same layer 2?  If its a downstream network why would its connection to pfsense not be over a transit network.  Are there no hosts on your "lan" ?  /24 seems quite large for a transit.

    Your going to have all kinds of asymmetrical routing problems unless your doing host routing on all the boxes in your lan, or nothing in your downstream network ever talks to your lan clients?

    To be honest I don't think its possible even when you create a rule that allows that.  Be it you run transit network or not.. UPnP is normally only from clients directly on that network that pfsense is on.. You can use those rules to block or allow specific clients on the lan, etc.  Even if your other network was behind a nat, the client would send its IP, the nat router downstream would not modify this, etc.  This sort of thing has come up before.. I don't think miniupnpd is designed to work how your trying to use it..  You could check over on their forums.. http://miniupnp.tuxfamily.org/forum/



  • Thanks for the link to the forum john.
    I might've wanted to clarify some things beforehand:

    Some things aren't based on any best-practice because, to make the story short, I (again since a short while) live in-house with my parents and dad tends to make a lot of mis-assumptions as soon as I step away from /24 subnets to keep my and his networks seperate/destinguishable.
    I've tried many, many times to explain how subnets worked when I was still using a more suitable 192.168.1/26 subnet, which would've suited my needs fine and by now have resolved to using the 10.10.0/24 subnet for the "backend" (network which should generally be reachable from the other two. Mainly harbouring the central switch, firewall, NAS and two printers), 10.10.1/24 for the switch holding my desktop, servers and all behind that.
    The rest of the family resides on the 10.10.2/24 network.

    I'll agree in a heartbeat that the subnets are WAY too big. It's sadly a workaround to prevent confusion if anything goes wrong and we're trying to diagnose things. (Mainly in preventing the otherwise usual hour in catching up to how subnets worked again, regards to dad.)

    All things I do know are self-taught, and I've mainly taken up these things to try and learn more about networking and security, and try to find any misunderstandings I may have built-up during this.

    The 10.10.1/24 network is behind a layer3-device (Sitecom wlr-5000, 10.10.1.1 at 10.10.0.2), the 10.10.2/24 device is behind another layer3 device (Netgear x6 R8000 , 10.10.2.1 at 10.10.0.3). The 10.10.0/24 network uses my single somewhat bigger switch (Layer 2), a Netgear GS716T v2, residing on 10.10.0.1 .

    The sole reasons for using a router, not a switch between the other two networks is just to keep them seperate from each other (I explicitly do not wish the 10.10.1 and 10.10.2 network to talk directly to each-other) . This caused 10.10.0.x to become my transit net, I thought that would be the simplest approach untill I'd understand the rest more clearly… but I may be wrong there. At least now it's clear to the rest of the household that 10.10.0- addresses should not be handed out to any actual clients.

    I got a tip from someone that the wlr-5000 does not support IGMP proxy. the specific hosts however, 10.10.1.100 and 10.10.1.50 are Server 2012 VM's, which I reckon should be able to act as an IGMP proxy/router nonetheless... Though I'm now trying to backtrack how that exactly would tie-in... I simply tried to get multicast to work from the 10.10.1-range, and thought IGMP would get me there the easiest way.

    It's not that I have a dire need for multicast, The issues in trying to get things to work however have hinted me to a lack or misunderstanding of the subjects related, and hence wanted to investigate more.

    I'm a bit confused in that hosts from behind the Netgear-router seem to have no issue in employing multicast from internet sources while the ones behind my Sitecom-router have no such luck. Though it might be simply because it's router does not seem to support IGMP...

    Am I approaching this from the wrong direction?


  • LAYER 8 Global Moderator

    Dude if you want different networks then connect them to pfsense..  You can then allow upnp on any network you have..  Why are you using downstream routers??  Make NO sense to do so.  And causing you grief in what you want to do..  if you need stuff like mdns or multicast between segments then you could ahavi or igmp proxy, etc.

    You should have nothing behind pfsense doing routing, let pfsense route/firewall your segments and your problems with upnp all go away.  You can keep your stuff isolated from your family, etc..  Be it you want 3 segments or 100 segments.



  • I ended up using multiple downstream routers when at first I had tried running multiple VLAN's on one NIC to accomplish the three networks each to the PfSense host, which didn't work (when mirroring this nic's port and using wireshark it appeared no VLAN-tag was actually attached. At that point I'd assumed it some problem related to the NIC and avoided VLAN on the PfSense box itself).

    I had originally assumed it shouldn't cause any problems providing I'd make some adjustments. Guess that assumption was wrong…

    If VLAN works properly on PfSense I could quite easily re-route some cables and have all networks reach the same NIC in their own VLAN (I already do this at the Layer2 router, anyway ), though I must admit it's been a few updates back that I've tried employing VLAN.

    If I understood you correctly:
    By having the traffic tagged again, and re-adding the VLAN networks (assuming it works now) I should not run into these issues?

    Thanks for your patience!


  • LAYER 8 Global Moderator

    be it your networks are tagged or untagged doesn't really matter.  I run multiple untagged and tagged (vlans) on pfsense works without any issues.  What switch are you using?

    "I already do this at the Layer2 router"

    There is no such thing as a layer 2 router, routing happens at layer 3.

    Yes the removal of downstream routing will simplify your network and allow for better control.

    You can have multiple network segments without he use of "tagging" if you want as long as you have physical interfaces in pfsense, and you setup your smart/managed switch appropriately or use different dumb switches for each network.


Log in to reply