Netgate Discussion Forum
    2.1 uPnP + rules not working

    2.1 Snapshot Feedback and Problems - RETIRED
    22 Posts 5 Posters 8.7k Views
      rock.theory

      I have upgraded to the beta of pfSense 2.1 (pfSense-Full-Update-2.1-BETA0-i386-20121123-1854). I would like have my uPnP devices follow a rule, specifically one that allows modification of bandwidth usage, latency, packet-loss (i.e. using Traffic Shaper's "Limiter"). The rule is correctly applied to a specific IP however this does not work for a uPnP device. I have tested and my rule works correctly on any other non-uPnP device. Is there perhaps a fix on the way?

        cmb

        http://redmine.pfsense.org/issues/1575

        No plan to fix that for 2.1; too rare of a use case, and one that companies don't care about, hence not likely anyone is going to fund it.

          rock.theory

          I wonder how much $$ it would take to get it fixed?

            rock.theory

            What is the suggested donation to get this pushed? I have a lot of testing I'd like to do using this feature.

              cmb

              That's a kernel project, which means it isn't easy and the people who can do the work don't come cheap. Talking upwards of $1000 USD. If that might be feasible I can get a more precise number.

                eri--

                Try 2.1 from tomorrow and see the comment in this thread http://redmine.pfsense.org/issues/1575

                If it works for you that's a good thing; otherwise it has to go through cmb's suggestions.
                Also, consider the donation if it works.

                  rock.theory

                  Unfortunately it does not seem to work. I would love to be able to donate $1000 but as a freelance IT tech, I can't afford that (To be honest that's a lot more than I expected). I suppose I will have to have patience in this matter, and hope that it does get fixed.

                    msi

                    Depending on the time required, 1k USD may be quickly reached if you count the fact that one would need to dedicate a couple of hours to investigate before implementing even a single line of code. :-\

                    Is uPnP rather a home feature - maybe crowdfunding may be a good idea?

                      xbipin

                      Works for me for some reason.

                        eri--

                        Probably he did not reset states when trying.

                          rock.theory

                          I have tried resetting states and still do not have any luck with limiters.

                          Should I be adding these rules as floating or as standard LAN? Perhaps I am missing something.

                          I've disabled every rule. No devices should have access to WAN. None do, other than the uPnP device, which does. This is undesired as uPnP devices are not following the rules.

                            xbipin

                            I have the rules on the floating tab and they work just fine.

                              xbipin

                              On further testing it shows the limiter is active but not limiting as expected; I have set an upload limit but at times I see the spike going over it, so I still can't say if it works perfectly and will need to test further.

                                rock.theory

                                Any new results? For me the rules are not obeyed at all regarding a uPnP device.

                                I disabled every single rule on every tab, then actively blocked the IP of my uPnP device but it ignored everything and continued to stream data.

                                  rock.theory

                                  I don't mean to keep pushing this issue, but I do want to bring up the fact that the link http://redmine.pfsense.org/issues/1575 states this issue is resolved, however it is not.

                                  uPnP completely ignores all rules regardless of which tab it is on. I don't know who needs to change that link back to 0%, but I'd sure like to be able to monitor the progress of it.

                                  Thanks.

                                    eri--

                                    Can you show the configuration you have?
                                    A rules.debug attached here would be useful as well.

                                      rock.theory

                                      
                                      set limit tables 3000
                                      set optimization normal
                                      set limit states 47000
                                      set limit src-nodes 47000
                                      
                                      #System aliases
                                      
                                      loopback = "{ lo0 }"
                                      WAN = "{ xl0 }"
                                      LAN = "{ fxp0 }"
                                      VLAN2 = "{ fxp0_vlan2 }"
                                      pptp = "{ pptp }"
                                      
                                      #SSH Lockout Table
                                      table <sshlockout> persist
                                      table <webconfiguratorlockout> persist
                                      #Snort tables
                                      table <snort2c>
                                      table <virusprot>
                                      # User Aliases
                                      table <computers> {   192.168.1.30/31  192.168.1.32/28  192.168.1.48/31 }
                                      COMPUTERS = "<computers>"
                                      table <dhcp> {   192.168.1.150/31  192.168.1.152/29  192.168.1.160/27  192.168.1.192/27  192.168.1.224/28  192.168.1.240/29  192.168.1.248/30  192.168.1.252/31  192.168.1.254/32 }
                                      DHCP = "<dhcp>"
                                      table <gamesys> {   192.168.1.50/31  192.168.1.52/30  192.168.1.56/30 }
                                      GAMESYS = "<gamesys>"
                                      table <phonestablets> {   192.168.1.60/30  192.168.1.64/28 }
                                      PHONESTABLETS = "<phonestablets>"
                                      table <pptp> {   192.168.1.140/30  192.168.1.144/30  192.168.1.148/31 }
                                      PPTP = "<pptp>"
                                      table <printers> {   192.168.1.20/30  192.168.1.24/30  192.168.1.28/31 }
                                      PRINTERS = "<printers>"
                                      table <servers> {   192.168.1.10/31  192.168.1.12/30  192.168.1.16/30 }
                                      SERVERS = "<servers>"
                                      
                                      # Gateways
                                      GWWAN_DHCP = " route-to ( xl0 69.114.168.1 ) "
                                      
                                      set loginterface fxp0
                                      
                                      set skip on pfsync0
                                      
                                      scrub on $WAN all    fragment reassemble
                                      scrub on $LAN all    fragment reassemble
                                      scrub on $VLAN2 all    fragment reassemble
                                      
                                      no nat proto carp
                                      no rdr proto carp
                                      nat-anchor "natearly/*"
                                      nat-anchor "natrules/*"
                                      
                                      # Outbound NAT rules
                                      
                                      # Subnets to NAT 
                                      table <tonatsubnets> { 192.168.1.0/24 192.168.2.0/24 192.168.1.140/32 192.168.1.140/30 192.168.1.144/30 192.168.1.148/31 127.0.0.0/8  }
                                      nat on $WAN  from <tonatsubnets> port 500 to any port 500 -> 69.114.172.72/32 port 500
                                      nat on $WAN  from <tonatsubnets> to any -> 69.114.172.72/32 port 1024:65535
                                      
                                      # Load balancing anchor
                                      rdr-anchor "relayd/*"
                                      # TFTP proxy
                                      rdr-anchor "tftp-proxy/*"
                                      table <negate_networks> {}
                                      # UPnPd rdr anchor
                                      rdr-anchor "miniupnpd"
                                      
                                      anchor "relayd/*"
                                      anchor "openvpn/*"
                                      anchor "ipsec/*"
                                      #---------------------------------------------------------------------------
                                      # default deny rules
                                      #---------------------------------------------------------------------------
                                      block in log inet all label "Default deny rule IPv4"
                                      block out log inet all label "Default deny rule IPv4"
                                      block in log inet6 all label "Default deny rule IPv6"
                                      block out log inet6 all label "Default deny rule IPv6"
                                      
                                      # IPv6 ICMP is not auxilary, it is required for operation
                                      # See man icmp6(4)
                                      # 1    unreach         Destination unreachable
                                      # 2    toobig          Packet too big
                                      # 128  echoreq         Echo service request
                                      # 129  echorep         Echo service reply
                                      # 133  routersol       Router solicitation
                                      # 134  routeradv       Router advertisement
                                      # 135  neighbrsol      Neighbor solicitation
                                      # 136  neighbradv      Neighbor advertisement
                                      pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
                                      
                                      # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
                                      pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
                                      pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
                                      pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
                                      pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
                                      pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
                                      
                                      # We use the mighty pf, we cannot be fooled.
                                      block quick inet proto { tcp, udp } from any port = 0 to any
                                      block quick inet proto { tcp, udp } from any to any port = 0
                                      block quick inet6 proto { tcp, udp } from any port = 0 to any
                                      block quick inet6 proto { tcp, udp } from any to any port = 0
                                      
                                      # Snort package
                                      block quick from <snort2c> to any label "Block snort2c hosts"
                                      block quick from any to <snort2c> label "Block snort2c hosts"
                                      
                                      # SSH lockout
                                      block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
                                      
                                      # webConfigurator lockout
                                      block in log quick proto tcp from <webconfiguratorlockout> to any port 443 label "webConfiguratorlockout"
                                      block in quick from <virusprot> to any label "virusprot overload table"
                                      table <bogons> persist file "/etc/bogons"
                                      table <bogonsv6> persist file "/etc/bogonsv6"
                                      # block bogon networks
                                      # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
                                      # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
                                      block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
                                      block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
                                      antispoof for xl0
                                      # block anything from private networks on interfaces with the option set
                                      antispoof for $WAN
                                      block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
                                      block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
                                      block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
                                      block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
                                      block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
                                      block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
                                      # allow our DHCP client out to the WAN
                                      pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
                                      pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
                                      # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
                                      antispoof for fxp0
                                      
                                      # allow access to DHCP server on LAN
                                      pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
                                      pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
                                      pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
                                      antispoof for fxp0_vlan2
                                      
                                      # allow access to DHCP server on VLAN2
                                      pass in quick on $VLAN2 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
                                      pass in quick on $VLAN2 proto udp from any port = 68 to 192.168.2.1 port = 67 label "allow access to DHCP server"
                                      pass out quick on $VLAN2 proto udp from 192.168.2.1 port = 67 to any port = 68 label "allow access to DHCP server"
                                      
                                      # loopback
                                      pass in on $loopback inet all label "pass IPv4 loopback"
                                      pass out on $loopback inet all label "pass IPv4 loopback"
                                      pass in on $loopback inet6 all label "pass IPv6 loopback"
                                      pass out on $loopback inet6 all label "pass IPv6 loopback"
                                      # let out anything from the firewall host itself and decrypted IPsec traffic
                                      pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
                                      pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
                                      pass out route-to ( xl0 69.114.168.1 ) from 69.114.172.72 to !69.114.168.0/21 keep state allow-opts label "let out anything from firewall host itself"
                                      # make sure the user cannot lock himself out of the webConfigurator or SSH
                                      pass in quick on fxp0 proto tcp from any to (fxp0) port { 443 80 } keep state label "anti-lockout rule"
                                      # PPTPd rules
                                      pass in on $WAN proto tcp from any to 69.114.172.72 port = 1723 modulate state label "allow pptpd 69.114.172.72"
                                      pass in on $WAN proto gre from any to any keep state label "allow gre pptpd"
                                      
                                      # User-defined rules follow
                                      
                                      anchor "userrules/*"
                                      block  in  quick  on $LAN inet from any to any  label "USER_RULE: BLOCK ALL"
                                      block  in  quick  on $VLAN2  from 192.168.2.1/24 to 192.168.1.0/24  label "USER_RULE: Block VLAN2-LAN"
                                      block  in  quick  on $VLAN2  from 192.168.2.1/24 to { 192.168.1.140/30 192.168.1.144/30 192.168.1.148/31 }  label "USER_RULE: Block VLAN2-PPTP"
                                      
                                      # Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients
                                      
                                      # VPN Rules
                                      anchor "tftp-proxy/*"
                                      # uPnPd
                                      anchor "miniupnpd"
                                      

                                      If by configuration you mean what my active rules are (while testing for verification) then:

                                      
                                      Floating:
                                      [Empty]
                                      
                                      WAN:
                                      Proto  | Source                        | Port | Destination  | Port   | Gateway | Queue | Schedule | Description
                                      *      | RFC 1918 networks             | *    | *            | *      | *       | *     |          | Block private networks
                                      *      | Reserved/not assigned by IANA | *    | *            | *      | *       | *     | *        | Block bogon networks

                                      LAN:
                                      Proto  | Source                        | Port | Destination  | Port   | Gateway | Queue | Schedule | Description
                                      *      | *                             | *    | LAN Address  | 443 80 | *       | *     |          | Anti-Lockout Rule
                                      IPv4 * | *                             | *    | *            | *      | *       | none  |          | BLOCK ALL

                                      VLAN2:
                                      Proto  | Source                        | Port | Destination  | Port   | Gateway | Queue | Schedule | Description
                                      IPv4 * | VLAN2 net                     | *    | LAN net      | *      | *       | none  |          | Block VLAN2-LAN
                                      IPv4 * | VLAN2 net                     | *    | PPTP clients | *      | *       | none  |          | Block VLAN2-PPTP
                                      
                                      PPTP VPN:
                                      [Empty]
                                      
                                      

                                      As you can see, aside from anti-lockout the only rule enabled is "BLOCK ALL" on the LAN tab, and this does not interrupt a uPnP stream. Nothing else permits WAN access, but the uPnP stream continues without interruption.

                                        eri--

                                        Can you dump the content of the anchor miniupnpd with:
                                        pfctl -a miniupnpd -vvsn
                                        pfctl -a miniupnpd -vvsr

                                        Maybe the uPnP daemon is creating rdr pass rules, and that would be the only reason from what I see.

                                          rock.theory

                                          These are two examples of uPnP that happen within my home:

                                          
                                          $ pfctl -a miniupnpd -vvsn
                                          @0 rdr quick on xl0 inet proto udp from any to any port = 3074 keep state label "Xbox (192.168.1.50:3074) 3074 UDP" rtable 0 -> 192.168.1.50 port 3074
                                            [ Evaluations: 31787     Packets: 79086     Bytes: 10132928    States: 0     ]
                                            [ Inserted: uid 0 pid 79384 ]
                                          @1 rdr quick on xl0 inet proto tcp from any to any port = 44164 keep state label "Spotify" rtable 0 -> 192.168.1.40 port 44164
                                            [ Evaluations: 131       Packets: 1018      Bytes: 584381      States: 14    ]
                                            [ Inserted: uid 0 pid 79384 ]
                                          
                                          $ pfctl -a miniupnpd -vvsr
                                          @0 pass in quick on xl0 inet proto udp from any to any port = 3074 flags S/SA keep state label "Xbox (192.168.1.50:3074) 3074 UDP" rtable 0
                                            [ Evaluations: 29751     Packets: 79086     Bytes: 10132928    States: 0     ]
                                            [ Inserted: uid 0 pid 79384 ]
                                          @1 pass in quick on xl0 inet proto tcp from any to any port = 44164 flags S/SA keep state label "Spotify" rtable 0
                                            [ Evaluations: 14        Packets: 966       Bytes: 581078      States: 14    ]
                                            [ Inserted: uid 0 pid 79384 ]
                                          
                                          

                                          We have 2 XBOX consoles, multiple Skype users (Skype is unlisted at the moment), and multiple Spotify users although (apparently) not much uPnP has been used since upgrading the firmware today.

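The two anchor dumps above, together with eri--'s request for them, are what a defender needs to read when a device keeps streaming through rules that look like they should block it: the miniupnpd anchor holds an rdr for each mapping plus a matching `pass in quick ... keep state` rule on the WAN interface, so the flow is admitted there, later packets of that flow match its state entry rather than being re-evaluated against the LAN rules, and none of those pass rules carry a limiter. The script below is an added example, not code from the thread or from pfSense. It parses the text that `pfctl -a miniupnpd -vvsr` and `pfctl -a miniupnpd -vvsn` print (the output rock.theory posted is embedded as the sample input), pairs each redirect with its pass rule by label, and reports what is exposed on the WAN, where it goes, whether the pass rule is stateful, and whether a `dnpipe`, `dnqueue` or `queue` keyword is attached. Treating those three keywords as the signature of a limiter or ALTQ queue in `pfctl -vv` output is an assumption of this example, as are the function names.

```python
"""Audit the rules miniupnpd has loaded into pf (added example, not pfSense code).

Input is the plain text of `pfctl -a miniupnpd -vvsr` (filter rules) and
`pfctl -a miniupnpd -vvsn` (rdr rules); the samples below are the two dumps
posted in the thread, embedded so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import Optional

SAMPLE_FILTER = """\
@0 pass in quick on xl0 inet proto udp from any to any port = 3074 flags S/SA keep state label "Xbox (192.168.1.50:3074) 3074 UDP" rtable 0
  [ Evaluations: 29751     Packets: 79086     Bytes: 10132928    States: 0     ]
  [ Inserted: uid 0 pid 79384 ]
@1 pass in quick on xl0 inet proto tcp from any to any port = 44164 flags S/SA keep state label "Spotify" rtable 0
  [ Evaluations: 14        Packets: 966       Bytes: 581078      States: 14    ]
  [ Inserted: uid 0 pid 79384 ]
"""
SAMPLE_NAT = """\
@0 rdr quick on xl0 inet proto udp from any to any port = 3074 keep state label "Xbox (192.168.1.50:3074) 3074 UDP" rtable 0 -> 192.168.1.50 port 3074
  [ Evaluations: 31787     Packets: 79086     Bytes: 10132928    States: 0     ]
  [ Inserted: uid 0 pid 79384 ]
@1 rdr quick on xl0 inet proto tcp from any to any port = 44164 keep state label "Spotify" rtable 0 -> 192.168.1.40 port 44164
  [ Evaluations: 131       Packets: 1018      Bytes: 584381      States: 14    ]
  [ Inserted: uid 0 pid 79384 ]
"""

RULE_RE = re.compile(r'^@(?P<num>\d+)\s+(?P<action>pass|block|rdr|nat)\b(?P<body>.*)$')
COUNTER_RE = re.compile(r'Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)')


@dataclass
class AnchorRule:
    number: int
    action: str             # pass, block, rdr or nat
    quick: bool
    keep_state: bool
    iface: str
    proto: str
    dst_port: str
    label: str
    target: Optional[str]   # "host:port" for rdr rules, None for filter rules
    shaped: bool            # assumption: dnpipe/dnqueue (limiter) or queue (ALTQ) keyword present
    packets: int = 0
    bytes: int = 0
    states: int = 0


def _first(pattern, text, default):
    m = re.search(pattern, text)
    return m.group(1) if m else default


def parse_anchor(text):
    """Turn one `pfctl -vv` rule dump into AnchorRule objects with their counters."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            body = m.group('body')
            tgt = re.search(r'-> (\S+)(?: port (\d+))?', body)
            rules.append(AnchorRule(
                number=int(m.group('num')),
                action=m.group('action'),
                quick=' quick ' in body,
                keep_state='keep state' in body or 'modulate state' in body,
                iface=_first(r'\bon (\S+)', body, '?'),
                proto=_first(r'\bproto (\S+)', body, 'any'),
                dst_port=_first(r'\bto \S+ port = (\d+)', body, 'any'),
                label=_first(r'label "([^"]*)"', body, ''),
                target=(tgt.group(1) + (':' + tgt.group(2) if tgt.group(2) else '')) if tgt else None,
                shaped=bool(re.search(r'\b(dnpipe|dnqueue|queue)\b', body)),
            ))
        else:
            c = COUNTER_RE.search(line)
            if c and rules:  # the counter line belongs to the rule just parsed
                rules[-1].packets, rules[-1].bytes, rules[-1].states = (int(x) for x in c.groups()[1:])
    return rules


def audit(filter_rules, nat_rules, wan_iface='xl0'):
    """Pair every rdr with the pass rule sharing its label and summarise the opening.

    A stateful pass on the WAN admits the flow there; later packets of that flow
    match the state entry instead of being re-evaluated against interface rules.
    """
    passes = {r.label: r for r in filter_rules if r.action == 'pass'}
    report = []
    for rdr in nat_rules:
        if rdr.action != 'rdr':
            continue
        p = passes.get(rdr.label)
        report.append({
            'label': rdr.label,
            'exposed': f'{rdr.iface}:{rdr.dst_port}/{rdr.proto}',
            'target': rdr.target,
            'pass_on_wan': bool(p and p.iface == wan_iface),
            'stateful': bool(p and p.keep_state),
            'shaped': bool(p and p.shaped),
            'active_states': p.states if p else 0,
            'bytes': rdr.bytes,
        })
    return report


def unshaped_openings(report):
    """Labels of redirects that are open on the WAN but carry no limiter or queue."""
    return [f['label'] for f in report if f['pass_on_wan'] and not f['shaped']]


if __name__ == '__main__':
    rep = audit(parse_anchor(SAMPLE_FILTER), parse_anchor(SAMPLE_NAT))
    for f in rep:
        print(f"{f['label']!r}: {f['exposed']} -> {f['target']}  stateful={f['stateful']} "
              f"shaped={f['shaped']} states={f['active_states']} bytes={f['bytes']}")
    print('unshaped openings:', unshaped_openings(rep))
```

On a live box the two samples would be replaced by the output of the two pfctl commands; run from cron, `unshaped_openings` is the list to alert on when a mapping appears that the shaper was expected to cover, and `active_states` tells you whether the mapping is actually in use rather than merely present.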
                                            eri--

                                            Can you do a pfctl -vvsr and pfctl -vvsn? It seems not possible for this to happen with the current postings of rules!

                                            Normally it shouldn't be possible for upnp to get to its port.
                                            Can you check if upnp is going through ipv6?

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.