UPNP clients bypass limiters

  • Just checking if this is normal behavior. When I setup a limiter, it appears to work correctly and limits bandwidth on that specific system. However, if that system is using any app that utilizes UPNP, it will setup its own ports and traffic will flow at unlimited speed. Seems like once UPNP kicks in, limiters are bypassed.

    FYI, using 2.0 RC with snapshot of yesterday.  Rules are set for all ports/protocols on the limited IP's. I don't want to disable UPNP, its useful for some apps. (backup,xbox)

    Thanks for any help,

  • I created http://redmine.pfsense.org/issues/1575.
    Will check it later on to have something done in this regard.

  • Rebel Alliance Developer Netgate

    On the UPnP settings you can set a traffic shaping queue, does it not work to place the limiter name there?

  • Nope.

    Actually even the queue setting there should be removed since the Queue/match action now available in firewall rules can provide this functionality even for rules added from upnpd.

  • Cool, thanks Ermal.

    I should have noted as well, that I also tried to setup a reject rule to that particular system as a source to anything and another with that as destination from anything, and UPNP still allowed traffic through from that sys bypassing the rules.

  • Hmm that should not happen actually.
    The issue might have been that your rule must not have been taking into consideration nat rules added by upnp.

  • same symptoms of ports opened by upnp bypass limiter

  • Show me:
    pfctl -vsr and pfctl -vsn
    pfctl -a miniupnpd -vsr and pfctl -a miniupnpd -vsn

    when this happens

  • Ermal,
    thanks for the reply, and very sorry to take so long to reply. (had to put this aside for a while)  I removed all the rules and kept things simple and have not been using limiters, but I will take some time this evening and setup the rules and tests again.  Will report output on those commands you listed.  Could be not an issue at this point, since I've updated to RC3 since. But will report back.

    Thank you!

Log in to reply