Netgate Discussion Forum
    Upnp not working

      RpR

      Hi,

      I am installing pfSense as a personal firewall for a family. One of the kids uses uTorrent for downloads and some other programs that rely on UPnP to open ports.
      I enabled UPnP but it doesn't work. Is there a way to debug UPnP? Are there any test tools?

      MSN doesn't see the gateway as a UPnP-enabled gateway.

        jimp Rebel Alliance Developer Netgate

        It should be fairly straightforward. Services > UPnP, select an interface (e.g. LAN), click Change, and it should work.

        If you have the standard "allow all from LAN Net -> *" rule on the LAN it should work.

        That's all I have on mine at home and both Skype and uTorrent talk to UPnP fine. You can also see the router show up when browsing the local network from a windows workstation.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          RpR

          @jimp:

          It should be fairly straightforward. Services > UPnP, select an interface (e.g. LAN), click Change, and it should work.

          If you have the standard "allow all from LAN Net -> *" rule on the LAN it should work.

          That's all I have on mine at home and both Skype and uTorrent talk to UPnP fine. You can also see the router show up when browsing the local network from a windows workstation.

          I've got the same settings.
          I was running vista x64 SP2.

          My network is 192.168.0.0/16
          My firewall is 192.168.5.1 and all my users are in 192.168.2.x (x= 0-254)
          Still utorrent can't seem to open a port.

            jimp Rebel Alliance Developer Netgate

            Are you sure the subnet mask is right on the workstations? UPnP works with multicast/broadcast so if the subnet masks aren't right, it wouldn't get sent or picked up as it should.

            I haven't tried UPnP on anything larger than a /24 so I'm not sure if that might have something to do with it or not.

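Added example (not part of any post in this thread): a small Python check for the two things raised above, whether the client and the firewall agree on the subnet and whether a gateway answers SSDP multicast discovery. The sample reply is constructed, the addresses are the ones quoted in the thread, and the function names are assumptions of this sketch.

```python
import ipaddress
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
# Constructed sample reply (not captured from a real device).
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
                b"ST: " + IGD.encode() + b"\r\n"
                b"LOCATION: http://192.168.5.1:2189/rootDesc.xml\r\n\r\n")

def build_msearch(target=IGD, mx=2):
    """SSDP M-SEARCH datagram a UPnP client multicasts to find a gateway."""
    return (
        "M-SEARCH * HTTP/1.1\r\n"
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
        'MAN: "ssdp:discover"\r\n'
        f"MX: {mx}\r\nST: {target}\r\n\r\n"
    ).encode("ascii")

def parse_ssdp_response(data):
    """Parse a unicast SSDP reply into (status_code, lowercase-keyed headers)."""
    head = data.decode("utf-8", "replace").split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split()
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers

def same_subnet(client_ip, client_mask, gateway_cidr):
    """True if the client's mask and the gateway's prefix describe one network."""
    client_net = ipaddress.ip_interface(f"{client_ip}/{client_mask}").network
    return client_net == ipaddress.ip_interface(gateway_cidr).network

def discover(timeout=3.0):
    """Multicast one M-SEARCH and return [(sender_ip, status, headers), ...]."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), SSDP_GROUP)
        try:
            while True:
                data, addr = sock.recvfrom(4096)
                replies.append((addr[0], *parse_ssdp_response(data)))
        except socket.timeout:
            return replies
```

An empty list from `discover()` on a client that passes `same_subnet()` points at multicast not reaching the firewall or the service not listening on that interface, rather than at addressing.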
              RpR

              @jimp:

              Are you sure the subnet mask is right on the workstations? UPnP works with multicast/broadcast so if the subnet masks aren't right, it wouldn't get sent or picked up as it should.

              I haven't tried UPnP on anything larger than a /24 so I'm not sure if that might have something to do with it or not.

              The server is 192.168.5.1/16

              My client for instance is 192.168.2.1 255.255.0.0

                danswartz

                Silly question: can you try with a /24?  e.g. renumber if you have to just for the test?  I have found various software that have hard-coded assumptions about subnet masks being /24 or /8 depending on the pre-CIDR class.  Also, do you really need that big of a subnet for a family?

                  RpR

                  @danswartz:

                  Silly question: can you try with a /24?  e.g. renumber if you have to just for the test?  I have found various software that have hard-coded assumptions about subnet masks being /24 or /8 depending on the pre-CIDR class.  Also, do you really need that big of a subnet for a family?

                  Needing is a big word. I just like the notation.

                  BTW did some testing yesterday. I created another virtual machine (Windows XP) and that one found the UPnP right away. I am thinking that the UPnP is blocked by VMware networking some way. Will do some tests after Christmas and report back.

                    RpR

                    Checked some things out and it seems Vista doesn't see the UPnP but XP does.

                    Going to do some more testing later when my pc is back installed.

                      lotacus

                      I did some quick testing and it seems that this problem may have something to do with VMware.

                      I am using VMWare 7 with PFSense and a Windows 7 installation as clients.

                      Inside of VMWare, uPnP shows connections from the Windows 7 client when applications such as utorrent and Windows Live Messenger make requests to open ports. On the host machine when connected to the firewall, it also shows requests being made by the same programs.

                      When testing outside of VMWare and the Host, at least with the PS3, it shows no connections being made. As a side note, the PS3 always says uPnP is unavailable :S So this test is not really conclusive until I can get the PS3 to detect a uPnP server, or find another computer willing to join the network to do further testing.

                        jimp Rebel Alliance Developer Netgate

                        Perhaps you need a setting like this?

                        http://doc.pfsense.org/index.php/Configuring_pfSense_Hardware_Redundancy_%28CARP%29#VMware_ESX_Users

                          lotacus

                          Nah, I don't think that's going to work with VMWare 7 since it has no vswitch. I'm just going to give up on it. I suppose some things just can't be tested in a virtual environment.

                          edit:

                          Loaded up Smoothwall, enabled PNP within Smoothwall, did a connection test with the PS3 and all tests passed. Was even able to find the FreeNAS media server. So it looks like there is probably either something broken in 2.0, an incompatibility with multi-wan, or most likely, some configuration problems…though I had the firewall wide open like a filthy little... ok..shh..

                          I'll just have to start from scratch this time working on single wan first.

                            lotacus

                            Got it all working.

                            UPnPTest.exe pointed me to enable the service on the VMWare host. grumble what an oversight.

                            PS3 connection test was still flaky. Decided to remove all the gateways and render OPT1 aka: WAN2 inoperable and disabled the NIC for good measure. Then in uPnP made rules that applied to all devices. Again, I'm starting with everything wide open then secure it as necessary.

                            allow 3000-65535 192.168.1.1/24 3000-65535

                            ALAS! PS3 Reported uPnP as available.

                            I must mention too, that UPnP doesn't work the way it appears it should. If the rule "block by default" in the page is not checked off, then every device should be able to use UPnP. THIS IS NOT SO. That little tick box has NO merit. It wasn't until I had to explicitly set an allow rule that devices were able to access UPnP regardless of that little darned check box (at least in my installation).

                            NAT Type: NAT 3 :(

                            Decided to implement AON since passthrough wasn't working. In the AON rules
                            WAN  192.168.1.239/32 * * * * *    YES

                            Which brought the ps3 NAT Type down to NAT 2! :)

                            However, I was having one more little problem. The entire test didn't complete and was getting the "router does not support fragments" message and the PS3 wouldn't complete the speed test. My last resort? I took the WAN interface out of the forward-facing router's DMZ.
                            Ran the PS3 test and everything completed with flying colors.

                            So at least with my experience, it seems that Multi-WAN doesn't work all too well, at least in a load balancing scenario. UPnP denies all traffic regardless of the "always block rule" being set or unset, and if your installation is behind another router in order to have a multi-WAN as a workaround for multiple gateways, DO NOT put your firewall's local WAN IP in that router's DMZ.

                            I think I got it right.

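Added example (not part of the post above and not pfSense code): a short Python model of how the allow line quoted in the post can be read, assuming the layout `<allow|deny> <external ports> <ip/mask> <internal ports>`, first-match evaluation and a caller-supplied default. It shows which clients and ports that rule covers next to a constructed tighter rule set; `TIGHT_RULES` and all function names are hypothetical.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    allow: bool
    ext_ports: range
    clients: ipaddress.IPv4Network
    int_ports: range

def _ports(spec):
    """Turn '3000-65535' or '80' into an inclusive port range."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {spec}")
    return range(lo, hi + 1)

def parse_rule(line):
    """Parse '<allow|deny> <ext ports> <ip/mask> <int ports>' (assumed layout)."""
    action, ext, net, internal = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"bad action: {action}")
    # strict=False: 192.168.1.1/24 has host bits set; it is read as 192.168.1.0/24.
    return Rule(action == "allow", _ports(ext),
                ipaddress.ip_network(net, strict=False), _ports(internal))

def is_permitted(rules, client_ip, ext_port, int_port, default_allow):
    """First matching rule decides (assumption); default_allow applies otherwise."""
    addr = ipaddress.ip_address(client_ip)
    for r in rules:
        if addr in r.clients and ext_port in r.ext_ports and int_port in r.int_ports:
            return r.allow
    return default_allow

# The rule exactly as quoted in the post.
THREAD_RULES = [parse_rule("allow 3000-65535 192.168.1.1/24 3000-65535")]
# Constructed tighter set: the single host address from the post's AON rule,
# followed by an explicit deny so the result no longer depends on the default.
TIGHT_RULES = [parse_rule(line) for line in (
    "allow 3000-65535 192.168.1.239/32 3000-65535",
    "deny 0-65535 0.0.0.0/0 0-65535",
)]
```

With `THREAD_RULES`, any host in 192.168.1.0/24 may map any port from 3000 up, and everything else falls through to whatever the default is; ending the list with an explicit deny removes that dependence.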
                              lotacus

                              nope not working anymore
