Miniupnpd not denying access



  • I didn't have this problem with 2.0.1 and the config looks fine. I'm wondering if there is an issue with the version that is included with pfSense 2.1 or maybe an option wasn't built when it was being compiled.

    Long story short, I have a server that I can't stop from opening UPnP ports (thanks Microsoft), but in the past I would deny HTTPS via miniupnpd. I changed my OpenVPN setup to use port 443; when miniupnpd opens the port for this Windows server, I'm unable to connect OpenVPN until I restart the miniupnpd service.

    Thanks in advance!

    From status Page:

    
    http keep state 	tcp 	192.168.0.100 	HTTP
    https keep state 	tcp 	192.168.0.100 	HTTPS 
    
    

    Process running:

    
    root   36714  0.0  0.0  3364  1320  ??  Ss    6:47AM   0:00.98 /usr/local/sbin/miniupnpd -f /var/etc/miniupnpd.conf -P /var/run/miniupnpd.pid
    
    

    config file that is created:

    
    ext_ifname=em3
    port=2189
    listening_ip=192.168.0.1/24
    presentation_url=https://192.168.0.1:445/
    uuid=fa3848fa-d09b-125b-0e85-b2f1510f282
    serial=FA3848FA
    model_number=2.1-BETA0
    
    deny 443 192.168.0.100/32 1024-65535
    enable_upnp=yes
    enable_natpmp=no
    
    


  • I'm still experiencing this issue. Can anyone else confirm that they are having the same issue? Would like to have confirmation of the issue before opening a bug ticket.

    2.1-BETA0 (i386)
    built on Wed Aug 15 08:44:35 EDT 2012
    FreeBSD 8.3-RELEASE-p4



  • I have the default deny rule checked, and have set up an allow rule.  This functions as expected, and when I remove the rule, UPnP is effectively blocked.

    
    ext_ifname=em1
    port=2189
    listening_ip=em0
    packet_log=yes
    presentation_url=https://192.168.1.1:443/
    uuid=6f74447a-95d8-bda3-0034-3693e415431
    serial=6F74447A
    model_number=2.1-BETA0
    
    allow 1024-65535 192.168.1.5 17349
    deny 0-65535 0.0.0.0/0 0-65535
    enable_upnp=yes
    enable_natpmp=no
    


  • Thanks onhel!! I'll have to do some more testing and figure out what I'm doing wrong.



  • @onhel:

    I have the default deny rule checked, and have set up an allow rule.  This functions as expected, and when I remove the rule, UPnP is effectively blocked.

    Not really how I wanted it set up, but if I check the default deny rule, it will only open up what I put in the config… I would prefer the other way around, but this is doable for now.

    I'm up to using 3 of the 4 user-specified permissions fields.... Hope I don't need more or I'll have to start hacking some PHP pages..



  • @Cino:

    I'm up to using 3 of the 4 user-specified permissions fields…. Hope I don't need more or I'll have to start hacking some PHP pages..

    Or you can give them consecutive IPs and use a range?



  • Sorry to barge in, but has anyone tried UPnP with limiters set? There was a bug in 2.0.1 where UPnP would break limiters, so I wanted to ask whether it's solved or not.

    The bug was: suppose you set a limiter on a client IP and that works, but suppose this client opened ports using UPnP; then they wouldn't be limited by the limiter. So suppose I set a speed of 1 Mbps on a client, and suppose this client starts a torrent download and uses UPnP to open ports; then his downloads would be limited to 1 Mbps, it would break the limiter.



  • @xbipin:

    Sorry to barge in, but has anyone tried UPnP with limiters set? There was a bug in 2.0.1 where UPnP would break limiters, so I wanted to ask whether it's solved or not.

    The bug was: suppose you set a limiter on a client IP and that works, but suppose this client opened ports using UPnP; then they wouldn't be limited by the limiter. So suppose I set a speed of 1 Mbps on a client, and suppose this client starts a torrent download and uses UPnP to open ports; then his downloads would be limited to 1 Mbps, it would break the limiter.

    I have not tried the limiter feature of UPnP… Only the default queue, which I don't think is working.



  • Looks like I had the syntax wrong.. I was able to configure it to allow all and deny what I want :-)

    This seems to do the trick… Not sure why I didn't think of this before..
    deny 443 192.168.0.100 443
    deny 80 192.168.0.100 80


  • Rebel Alliance Global Moderator

    The default deny is working from what I can tell

    I am currently using
    2.1-BETA0 (i386)
    built on Tue Aug 28 14:42:48 EDT 2012
    FreeBSD 8.3-RELEASE-p4

    A simple test is just from any Windows box that sees your router: just try and add something.  Blocked from creating the rule; as you see from the attachment, it was denied creating the forward.  But if I remove the default deny or come from my allowed IP, it works fine:
    allow 1024-65535 192.168.1.209/32 1024-65535




  • I wanted to ask how we can add multiple IPs to a single permission entry to allow UPnP.

    allow 1024-65535 192.168.0.11 1024-65535 (this allows 1 client to open ports)

    I want to add multiple clients to this single entry, like
    192.168.0.11
    192.168.0.30
    192.168.0.2
    etc


  • Rebel Alliance Global Moderator

    You can do a mask, but I'm not sure how you can do specific IPs like that without different entries?



  • I personally have all my gaming devices grouped together in my DHCP leases, so all of my UPnP enabled devices are statically assigned IPs 192.168.1.17 through 192.168.1.22.  I then create the following allow rule in Services/UPnP using a mask bit of 29 to fit those 6 IPs.

    allow 88-65535 192.168.1.16/29 88-65535
    

    Now that's one line for all of my UPnP devices.  I do not statically assign any device to IPs 192.168.1.16 AND 192.168.1.23, just to avoid the confusion of the above mask's subnet ID and broadcast address.  You can use any mask you like to accommodate a bigger or smaller set of devices, but the main point is to group all your UPnP-enabled devices with their IP range and set up the appropriate mask.  I cheat sometimes and use the below website to help me quickly figure out the correct mask.

    http://www.subnet-calculator.com/
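
The three rule forms in this thread (the first post's deny with an internal range of 1024-65535 that did not stop the HTTPS mapping, the later deny 443 192.168.0.100 443 that did, and the /29 allow rule just above) all come down to how a miniupnpd permission line is matched: external port, client address under its mask, and internal port all have to match, rules are tried in order, and the first hit decides. The model below is an added example written for this page; it is not pfSense or miniupnpd code. Its assumptions: first match wins and a request that matches no rule is accepted (which is why pfSense's "default deny" checkbox appends deny 0-65535 0.0.0.0/0 0-65535), a bare address means /32, both taken from my reading of miniupnpd's upnppermissions.c; that the Windows server was requesting 443 -> 192.168.0.100:443 is inferred from the fact that the internal-range deny never matched; and the ORIGINAL_CONF, FIXED_CONF and MASK_CONF fragments are constructed from the posts, not captured from a live box.

```python
import ipaddress
import re
from dataclasses import dataclass

# Grammar of a permission line as used in this thread:
#   allow|deny <ext_port>[-<ext_port>] <ip>[/<bits>] <int_port>[-<int_port>]
_RULE_RE = re.compile(r"^(allow|deny)\s+(\d+)(?:-(\d+))?\s+(\S+)\s+(\d+)(?:-(\d+))?$")


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    ext_lo: int
    ext_hi: int
    net: ipaddress.IPv4Network   # client addresses the rule covers
    int_lo: int
    int_hi: int

    def matches(self, ext_port, client, int_port):
        # All three fields must match.  "deny 443 192.168.0.100/32 1024-65535"
        # therefore ignores a request whose internal port is 443.
        return (self.ext_lo <= ext_port <= self.ext_hi
                and self.int_lo <= int_port <= self.int_hi
                and ipaddress.IPv4Address(client) in self.net)


def parse_rule(line):
    m = _RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a permission line: {line!r}")
    action, elo, ehi, addr, ilo, ihi = m.groups()
    if "/" not in addr:
        addr += "/32"            # bare address == single host (assumption)
    # strict=False: 192.168.1.17/29 is accepted and masked down to
    # 192.168.1.16/29, the same result as an (addr & mask) comparison.
    net = ipaddress.IPv4Network(addr, strict=False)
    return Rule(action, int(elo), int(ehi or elo), net, int(ilo), int(ihi or ilo))


def parse_permissions(conf):
    """Collect the allow/deny lines of a miniupnpd.conf, in file order."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and line.split()[0] in ("allow", "deny"):
            rules.append(parse_rule(line))
    return rules


def is_allowed(rules, ext_port, client, int_port):
    """First matching rule decides; no match means accept (assumption, see lead-in)."""
    for rule in rules:
        if rule.matches(ext_port, client, int_port):
            return rule.action == "allow"
    return True


def decide(conf, ext_port, client, int_port):
    """Verdict for one AddPortMapping request against a config fragment."""
    return "allow" if is_allowed(parse_permissions(conf), ext_port, client, int_port) else "deny"


def covered_hosts(cidr):
    """First and last address a mask covers, e.g. 192.168.1.16/29 -> .16 .. .23."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return str(net.network_address), str(net.broadcast_address)


# Constructed fragments based on the posts above.
ORIGINAL_CONF = """\
ext_ifname=em3
port=2189
deny 443 192.168.0.100/32 1024-65535
enable_upnp=yes
"""

FIXED_CONF = """\
deny 443 192.168.0.100 443
deny 80 192.168.0.100 80
"""

MASK_CONF = """\
allow 88-65535 192.168.1.16/29 88-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

if __name__ == "__main__":
    # The Windows server asks for external 443 -> 192.168.0.100:443 (inferred).
    print("original rule:", decide(ORIGINAL_CONF, 443, "192.168.0.100", 443))
    print("fixed rule:   ", decide(FIXED_CONF, 443, "192.168.0.100", 443))
    print("/29 covers:   ", covered_hosts("192.168.1.16/29"))
    for host in range(15, 25):
        ip = f"192.168.1.{host}"
        print(f"{ip:>14} -> {decide(MASK_CONF, 40000, ip, 40000)}")
```

Running it shows the original deny letting the 443 -> 443 mapping through while still blocking, say, 443 -> 8443, and the /29 rule admitting .16 through .23 (including the two addresses the poster deliberately leaves unassigned) while anything outside that block, or any port below 88, falls through to the trailing deny.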


Locked