2.1 uPnP + rules not working

rock.theory

I have upgraded to the beta of pfSense 2.1 (pfSense-Full-Update-2.1-BETA0-i386-20121123-1854). I would like have my uPnP devices follow a rule, specifically one that allows modification of bandwidth usage, latency, packet-loss (i.e. using Traffic Shaper's "Limiter"). The rule is correctly applied to a specific IP however this does not work for a uPnP device. I have tested and my rule works correctly on any other non-uPnP device. Is there perhaps a fix on the way?

cmb

http://redmine.pfsense.org/issues/1575

no plan to fix that for 2.1, too rare of a use case and one that companies don't care about hence not likely anyone is going to fund it.

rock.theory

I wonder how much $$ it would take to get it fixed?

rock.theory

What is the suggested donation to get this pushed? I have a lot of testing I'd like to do using this feature.

cmb

That's a kernel project, which means it isn't easy and the people who can do the work don't come cheap. Talking upwards of $1000 USD. If that might be feasible I can get a more precise number.

eri--

Try 2.1 from tomorrow and see the comment in this thread http://redmine.pfsense.org/issues/1575

If it works for you that's a good thing otherwise it has to go through cmb suggestions.
Also, consider the donation if it works.

rock.theory

Unfortunately it does not seem to work. I would love to be able to donate $1000 but as a freelance IT tech, I can't afford that (To be honest that's a lot more than I expected). I suppose I will have to have patience in this matter, and hope that it does get fixed.

msi

Depending on the time required, 1k USD maybe be quickly reached if you count the fact that one would need dedicate a couple of hours to investigate before
implementing even a single line of code. :-\

Is uPnP rather a home feature - maybe crowdfunding may be a good idea?

xbipin

works for me for some reason

eri--

Probably he did not reset states when trying.

rock.theory

I have tried resetting states and still do not have any luck with limiters.

Should I be adding these rules as floating or as standard LAN? Perhaps I am missing something.

I've disabled every rule. No devices should have access to WAN. None do, other than the uPnP device, which does. This is undesired as uPnP devices are not following the rules.

xbipin

i have the rules on floating tab and work just fine

xbipin

on further test it shows the limiter is active but not limiting as expected, i have set a upload limit but at times i see the spike going over it so still cant say if it works perfectly so will need to test further

rock.theory

Any new results? For me the rules are not obeyed at all regarding a uPnP device.

I disabled every single rule on every tab, then actively blocked the IP of my uPnP device but it ignored everything and continued to stream data.

rock.theory

I don't mean to keep pushing this issue, but I do want to bring up the fact that the link http://redmine.pfsense.org/issues/1575 states this issue is resolved, however it is not.

uPnP completely ignores all rules regardless of which tab it is on. I don't know who needs to change that link back to 0%, but I'd sure like to be able to monitor the progress of it.

Thanks.

eri--

Can you show the configuration you have.
A rules.debug attaached here would be useful as well.

rock.theory

set limit tables 3000
set optimization normal
set limit states 47000
set limit src-nodes 47000

#System aliases

loopback = "{ lo0 }"
WAN = "{ xl0 }"
LAN = "{ fxp0 }"
VLAN2 = "{ fxp0_vlan2 }"
pptp = "{ pptp }"

#SSH Lockout Table
table <sshlockout>persist
table <webconfiguratorlockout>persist
#Snort tables
table <snort2c>table <virusprot># User Aliases 
table <computers>{   192.168.1.30/31  192.168.1.32/28  192.168.1.48/31 } 
COMPUTERS = "<computers>"
table <dhcp>{   192.168.1.150/31  192.168.1.152/29  192.168.1.160/27  192.168.1.192/27  192.168.1.224/28  192.168.1.240/29  192.168.1.248/30  192.168.1.252/31  192.168.1.254/32 } 
DHCP = "<dhcp>"
table <gamesys>{   192.168.1.50/31  192.168.1.52/30  192.168.1.56/30 } 
GAMESYS = "<gamesys>"
table <phonestablets>{   192.168.1.60/30  192.168.1.64/28 } 
PHONESTABLETS = "<phonestablets>"
table <pptp>{   192.168.1.140/30  192.168.1.144/30  192.168.1.148/31 } 
PPTP = "<pptp>"
table <printers>{   192.168.1.20/30  192.168.1.24/30  192.168.1.28/31 } 
PRINTERS = "<printers>"
table <servers>{   192.168.1.10/31  192.168.1.12/30  192.168.1.16/30 } 
SERVERS = "<servers>"

# Gateways
GWWAN_DHCP = " route-to ( xl0 69.114.168.1 ) "

set loginterface fxp0

set skip on pfsync0

scrub on $WAN all    fragment reassemble
scrub on $LAN all    fragment reassemble
scrub on $VLAN2 all    fragment reassemble

no nat proto carp
no rdr proto carp
nat-anchor "natearly/*"
nat-anchor "natrules/*"

# Outbound NAT rules

# Subnets to NAT 
table <tonatsubnets>{ 192.168.1.0/24 192.168.2.0/24 192.168.1.140/32 192.168.1.140/30 192.168.1.144/30 192.168.1.148/31 127.0.0.0/8  }
nat on $WAN  from <tonatsubnets>port 500 to any port 500 -> 69.114.172.72/32 port 500  
nat on $WAN  from <tonatsubnets>to any -> 69.114.172.72/32 port 1024:65535  

# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <negate_networks>{}
# UPnPd rdr anchor
rdr-anchor "miniupnpd"

anchor "relayd/*"
anchor "openvpn/*"
anchor "ipsec/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log inet all label "Default deny rule IPv4"
block out log inet all label "Default deny rule IPv4"
block in log inet6 all label "Default deny rule IPv6"
block out log inet6 all label "Default deny rule IPv6"

# IPv6 ICMP is not auxilary, it is required for operation
# See man icmp6(4)
# 1    unreach         Destination unreachable
# 2    toobig          Packet too big
# 128  echoreq         Echo service request
# 129  echorep         Echo service reply
# 133  routersol       Router solicitation
# 134  routeradv       Router advertisement
# 135  neighbrsol      Neighbor solicitation
# 136  neighbradv      Neighbor advertisement
pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state

# Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state

# We use the mighty pf, we cannot be fooled.
block quick inet proto { tcp, udp } from any port = 0 to any
block quick inet proto { tcp, udp } from any to any port = 0
block quick inet6 proto { tcp, udp } from any port = 0 to any
block quick inet6 proto { tcp, udp } from any to any port = 0

# Snort package
block quick from <snort2c>to any label "Block snort2c hosts"
block quick from any to <snort2c>label "Block snort2c hosts"

# SSH lockout
block in log quick proto tcp from <sshlockout>to any port 22 label "sshlockout"

# webConfigurator lockout
block in log quick proto tcp from <webconfiguratorlockout>to any port 443 label "webConfiguratorlockout"
block in quick from <virusprot>to any label "virusprot overload table"
table <bogons>persist file "/etc/bogons"
table <bogonsv6>persist file "/etc/bogonsv6"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
# http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
block in log quick on $WAN from <bogons>to any label "block bogon IPv4 networks from WAN"
block in log quick on $WAN from <bogonsv6>to any label "block bogon IPv6 networks from WAN"
antispoof for xl0
# block anything from private networks on interfaces with the option set
antispoof for $WAN
block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
# allow our DHCP client out to the WAN
pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
# Not installing DHCP server firewall rules for WAN which is configured for DHCP.
antispoof for fxp0

# allow access to DHCP server on LAN
pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $LAN proto udp from any port = 68 to 192.168.1.1 port = 67 label "allow access to DHCP server"
pass out quick on $LAN proto udp from 192.168.1.1 port = 67 to any port = 68 label "allow access to DHCP server"
antispoof for fxp0_vlan2

# allow access to DHCP server on VLAN2
pass in quick on $VLAN2 proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in quick on $VLAN2 proto udp from any port = 68 to 192.168.2.1 port = 67 label "allow access to DHCP server"
pass out quick on $VLAN2 proto udp from 192.168.2.1 port = 67 to any port = 68 label "allow access to DHCP server"

# loopback
pass in on $loopback inet all label "pass IPv4 loopback"
pass out on $loopback inet all label "pass IPv4 loopback"
pass in on $loopback inet6 all label "pass IPv6 loopback"
pass out on $loopback inet6 all label "pass IPv6 loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to ( xl0 69.114.168.1 ) from 69.114.172.72 to !69.114.168.0/21 keep state allow-opts label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on fxp0 proto tcp from any to (fxp0) port { 443 80 } keep state label "anti-lockout rule"
# PPTPd rules
pass in on $WAN proto tcp from any to 69.114.172.72 port = 1723 modulate state label "allow pptpd 69.114.172.72"
pass in on $WAN proto gre from any to any keep state label "allow gre pptpd"

# User-defined rules follow

anchor "userrules/*"
block  in  quick  on $LAN inet from any to any  label "USER_RULE: BLOCK ALL"
block  in  quick  on $VLAN2  from 192.168.2.1/24 to 192.168.1.0/24  label "USER_RULE: Block VLAN2-LAN"
block  in  quick  on $VLAN2  from 192.168.2.1/24 to { 192.168.1.140/30 192.168.1.144/30 192.168.1.148/31 }  label "USER_RULE: Block VLAN2-PPTP"

# Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients

# VPN Rules
anchor "tftp-proxy/*"
# uPnPd
anchor "miniupnpd"</bogonsv6></bogons></bogonsv6></bogons></virusprot></webconfiguratorlockout></sshlockout></snort2c></snort2c></negate_networks></tonatsubnets></tonatsubnets></tonatsubnets></servers></servers></printers></printers></pptp></pptp></phonestablets></phonestablets></gamesys></gamesys></dhcp></dhcp></computers></computers></virusprot></snort2c></webconfiguratorlockout></sshlockout> 

If by configuration you mean what my active rules are (while testing for verification) then:

Floating:
[Empty]

WAN:
	*	RFC 1918 networks	*	*	*	*	*	 	Block private networks	
 	*	Reserved/not assigned by IANA	*	*	*	*	*	*	Block bogon networks

LAN:
	*	*	*	LAN Address	443 80	*	*	 	Anti-Lockout Rule	
	IPv4 *	*	*	*	*	*	 none	  	BLOCK ALL 

VLAN2:
	 IPv4 *	 VLAN2 net	 *	 LAN net	 *	 *	 none	  	 Block VLAN2-LAN 		
  	 IPv4 *	 VLAN2 net	 *	 PPTP clients	 *	 *	 none	  	 Block VLAN2-PPTP 

PPTP VPN:
[Empty]

As you can see, aside anti-lockout the only rule enabled is "BLOCK ALL" on the LAN tab, and this does not interrupt a uPnP stream. Nothing else permits WAN access, but the uPnP stream continues without interruption.

eri--

Can you dump the content of the anchor miniupnpd with:
pfctl -a miniupnpd -vvsn
pfctl -a miniupnpd -vvsr

Maybe uPNP daemon is creating rdr pass rules and that would be the only reason from what i see.

rock.theory

These are two examples of uPnP that happen within my home:

$ pfctl -a miniupnpd -vvsn
@0 rdr quick on xl0 inet proto udp from any to any port = 3074 keep state label "Xbox (192.168.1.50:3074) 3074 UDP" rtable 0 -> 192.168.1.50 port 3074
  [ Evaluations: 31787     Packets: 79086     Bytes: 10132928    States: 0     ]
  [ Inserted: uid 0 pid 79384 ]
@1 rdr quick on xl0 inet proto tcp from any to any port = 44164 keep state label "Spotify" rtable 0 -> 192.168.1.40 port 44164
  [ Evaluations: 131       Packets: 1018      Bytes: 584381      States: 14    ]
  [ Inserted: uid 0 pid 79384 ]

$ pfctl -a miniupnpd -vvsr
@0 pass in quick on xl0 inet proto udp from any to any port = 3074 flags S/SA keep state label "Xbox (192.168.1.50:3074) 3074 UDP" rtable 0
  [ Evaluations: 29751     Packets: 79086     Bytes: 10132928    States: 0     ]
  [ Inserted: uid 0 pid 79384 ]
@1 pass in quick on xl0 inet proto tcp from any to any port = 44164 flags S/SA keep state label "Spotify" rtable 0
  [ Evaluations: 14        Packets: 966       Bytes: 581078      States: 14    ]
  [ Inserted: uid 0 pid 79384 ]

We have 2 XBOX consoles, multiple Skype users (Skype is unlisted at the moment), and multiple Spotify users although (apparently) not much uPnP has been used since upgrading the firmware today.

eri--

Can you do a pfctl -vvsr and pfctl -vvsn it seems not possible for this to happen with current postings of rules!

Normally it shouldn't be possible for upnp to get to its port.
Can you check if upnp is going through ipv6?