Miniupnpd issues with lastest snapshot

jimp

Well it takes more than a single guy with a bad attitude to knock a project off-track, but it still doesn't sit well. Can't please everyone. Especially people who have a faulty expectation of early beta snapshot images.

jimp

Keep an eye out for the next new snapshot.

upnp.png_thumb

Cino

@jimp:

Keep an eye out for the next new snapshot.

thank you Jim!! I will update my i386 install once its available for download…. I saw the post on redmine this afternoon and its a shame.. Yeah it sucks that upnp stop working but this is why we test and report our findings... I took the chance to use 2.1 beta in production. If something stops working, I can only blame myself and report that there is an issue... Not to flame on you or anyone on the pfsense team. I'll be honest, there are times I want too but we are adults here... At least most of us are anyways...

Thank you for all your hard work!

iFloris

Upnp works again in 2.1-BETA0 (i386)
built on Sun Aug 5 18:24:50 EDT 2012
FreeBSD 8.3-RELEASE-p3.

Really nice to have this working again, thanks for all the hard work.
The efforts by the pfsense team in building such a great firewall are appreciated enormously.

mikhe

2.1-BETA0 (amd64)
built on Sun Aug 5 17:20:36 EDT 2012
FreeBSD 8.3-RELEASE-p3
Thank you jimp

Cino

We are getting closer :-) It starts, but not interfacing with pf. i386


Aug 6 07:32:31 	miniupnpd[44199]: Failed to add NAT-PMP 52225 udp->192.168.0.100:52225 'NAT-PMP 52225 udp'
Aug 6 07:32:31 	miniupnpd[44199]: Failed to add NAT-PMP 52225 udp->192.168.0.100:52225 'NAT-PMP 52225 udp'
Aug 6 07:32:31 	miniupnpd[44199]: ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Operation not supported by device
Aug 6 07:32:31 	miniupnpd[44199]: ioctl(dev, DIOCCHANGERULE, ...) PF_CHANGE_GET_TICKET: Operation not supported by device
Aug 6 07:32:31 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:32:31 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:32:31 	miniupnpd[44199]: Failed to add NAT-PMP 52225 tcp->192.168.0.100:52225 'NAT-PMP 52225 tcp'
Aug 6 07:32:31 	miniupnpd[44199]: Failed to add NAT-PMP 52225 tcp->192.168.0.100:52225 'NAT-PMP 52225 tcp'
Aug 6 07:31:50 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:31:50 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:31:50 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:31:50 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:31:50 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:31:50 	miniupnpd[44199]: ioctl(dev, DIOCGETRULES, ...): Operation not supported by device
Aug 6 07:31:23 	miniupnpd[44199]: Listening for NAT-PMP traffic on port 5351
Aug 6 07:31:23 	miniupnpd[44199]: Listening for NAT-PMP traffic on port 5351
Aug 6 07:31:23 	miniupnpd[44199]: HTTP listening on port 2189
Aug 6 07:31:23 	miniupnpd[44199]: HTTP listening on port 2189

jimp

Yes it does start and function on amd64, I know that much for sure. i386 is a bit more of mystery. I copied the binary over to my i386 firewall and it works there. I updated my alix and it didn't work there.

jimp

Can someone else on i386 try this:

killall -9 miniupnpd
fetch -o /usr/local/sbin/miniupnpd http://files.chi.pfsense.org/jimp/miniupnpd-i386
chmod 555 /usr/local/sbin/miniupnpd

And then restart the miniupnpd service in the GUI, and see if it works.

That binary now works on my Alix.

catfish99

I am using pfSense 2.1-BETA0-pfSense (i386) on a Soekris 6501.

I tried the miniupnpd file replacement you mentioned. Activated miniupnpd, and then ran Skype and Transmission. Neither got added - ie. still doesn't work as it should.

However, miniupnpd keeps running - which is a good thing.

Below are the entries from my syslog file…


Aug 6 09:46:27	miniupnpd[12563]: Failed to remove NAT-PMP mapping eport 61079, protocol TCP
Aug 6 09:46:27	miniupnpd[12563]: Failed to remove NAT-PMP mapping eport 61079, protocol TCP
Aug 6 09:46:20	miniupnpd[12563]: Listening for NAT-PMP traffic on port 5351
Aug 6 09:46:20	miniupnpd[12563]: Listening for NAT-PMP traffic on port 5351
Aug 6 09:46:20	miniupnpd[12563]: HTTP listening on port 2189
Aug 6 09:46:20	miniupnpd[12563]: HTTP listening on port 2189

jimp

Any way to try that with UPnP rather than NAT-PMP?

catfish99

JMP, turned off NAT-PMP and tried again.

Tried Skype & Transmission and neither was able to create an entry (as they should if it worked ok).

In summary - Still doesn't work as it should, but application is able to run without error.

Log entries & configuration below:

UPnP & NAT-PMP Settings

Enable UPnP & NAT-PMP - Enabled
Allow UPnP Port Mapping - Enabled
Allow NAT-PMP Port Mapping - DISABLED
Interfaces (generally LAN) - LAN

Aug 6 10:07:40	miniupnpd[53693]: HTTP listening on port 2189
Aug 6 10:07:40	miniupnpd[53693]: HTTP listening on port 2189
Aug 6 10:07:40	php[57805]: /pkg_edit.php: miniupnpd: Restarting service on interface: lan

Cino

@jimp:

Can someone else on i386 try this:
killall -9 miniupnpd
fetch -o /usr/local/sbin/miniupnpd http://files.chi.pfsense.org/jimp/miniupnpd-i386
chmod 555 /usr/local/sbin/miniupnpd
And then restart the miniupnpd service in the GUI, and see if it works.

That binary now works on my Alix.

So far so good!!! I did testing from my windows server running uTorrent… Enabling UPnP and NAT-PMP, each by itself within utorrent and in pfSense.

utorrent UPnP:
52225 keep state tcp 192.168.0.100 uTorrent (TCP)
52225 keep state udp 192.168.0.100 uTorrent (UDP)

utorrent NAT-PMP:
52225 keep state tcp 192.168.0.100 NAT-PMP 52225 tcp
52225 keep state udp 192.168.0.100 NAT-PMP 52225 udp

uTorrent was able to tear-down the session when the option was disabled

I'll do more testing this week: deny ports and default traffic queue... but Thank you Jim! And thanks again for sticking thru this!

catfish99

seeing the last post, I fetched the binary again and re-ran my testing.

Well, I am glad to report UPnP & NAT-PMP are both working.

Thanks!

pfsense-1.jpg_thumb

pfsense-2.jpg_thumb

strumf666

Thank you very much :)

edit: A question, after testing with uTorrent and skype, the ports for skype remain open even after I closed the program, but the uTorrent ports get closed. Why is that?

AhnHEL

I have been watching this thread intensely waiting for this issue to be resolved before trying out 2.1. Finally upgraded and it went smoothly and miniupnpd is working as well, many thanks to you Jimp.

johnpoz

Just updated
2.1-BETA0 (i386)
built on Tue Aug 7 04:03:30 EDT 2012
FreeBSD 8.3-RELEASE-p4

And working great, started right up. Test with just win7 upnp interface of device, sees pfsense as freebsd router due to discovery. Allowed me to create forward to .209 address, but got denied when tried to a different address. Which is per my settings. So that is working as well

allow 1024-65535 192.168.1.209/32 1024-65535

Side question, is there anyway to secure upnp other than allow disallow rules? How can there not be a signature, key, password portion to the protocol - that says hey without this key you can not do anything. Something like the rndc key with bind.

jimp

That's a question worthy of its own thread - I'm not aware of anything there, it's just how the protocol was designed, but someone else may know.

Cino

@johnpoz:

Side question, is there anyway to secure upnp other than allow disallow rules? How can there not be a signature, key, password portion to the protocol - that says hey without this key you can not do anything. Something like the rndc key with bind.

I've never heard of anything like that either… poke around here http://miniupnp.free.fr/

@strumf666:

edit: A question, after testing with uTorrent and skype, the ports for skype remain open even after I closed the program, but the uTorrent ports get closed. Why is that?

I want to say that is Skypes fault… The client tell miniupnpd the ports aren't needed anymore. I noticed it with UTorrent when using NAT-PMP... If I exit out the program, the ports down close, but if uncheck the option to use NAT-PMP; uTorrent tells miniupnp to tear down the session.

Only way to tell is to run a packet capture and see what is being sent/receive.

jimp

Yes it's up to the client to inform the server to close the ports, unless you clear them manually. I don't recall if miniupnpd will reap them after a while or if it leaves them indefinitely.

strumf666

OK, thanks for explaining.