    UPnP support

    Expired/Withdrawn Bounties
ZPrime:

I would pay at least $100 for someone to put working UPnP support in the base image. It can be disabled by default, and even require 10 different check marks to enable if you want to be that crazy about it (I know that many consider it a huge security hole).

I want it because I have multiple machines at home, using things like BitTorrent that function best if they have dedicated ports. While I can forward ports, it then requires setting up DHCP reservations for each machine, and there are some apps that don't allow you to change their default port. I also have two XBoxes and an XBox360, all of which like to be able to poke holes so they can host games. There's no way to configure a port range on either game system. It can and does "work" behind a normal NAT box, but your system is never able to become a host for outsiders, which can make finding a game to play more difficult at times.

I only ask that UPnP be in base (as opposed to an add-on) because I'm using a Soekris with a CF card, and I don't have access to the packages system. It doesn't necessarily have to be tied into the main code tree, I just want it to be something that gets distributed as part of a "vanilla" system.

I'd be willing to go higher if you can do it quickly (by the end of Feb. would be great). I welcome anyone else that wants UPnP support to tack on more money to this bounty. It would make pfSense the only embedded-type platform short of junky consumer boxes (Linksys/etc) that handles UPnP.

For those who aren't familiar, UPnP itself is actually not all that complicated. It's a series of HTTP messages that are multicasted to the LAN, and then from there it looks like a SOAP exchange, with XML data going back and forth between devices. It does have periodic multicasting ("advertisement") built in to the spec, so a proper system would probably use a daemon, although I could also see it being implemented with straight PHP I suppose.

Here's all the technical info you should need to implement (some of this didn't look right in Firefox 1.5, not sure why):
http://www.upnp.org/download/UPnPDA10_20000613.htm

You can find more information on what a router (aka "Internet Gateway Device") is required to implement here:
http://www.upnp.org/standardizeddcps/igd.asp

I don't even really care about a fully compliant implementation - as long as my devices can talk to pfSense and get it to open ports as needed (and then dispose of them), I'll consider the bounty fulfilled. A fully compliant system would kick ass though. :)

jeroen234:

There is UPnP support for FreeBSD, but not many use it. If you need it, then you use this in a shell on the pfSense system:

pkg_add -r http://www.gigaload.org/freebsd.org/ports/i386/packages-6.0-release/net/linuxigd-0.92_2.tbz

sullrich:

Does that open up the respective PF ports automatically? Last I tested this, it didn't work.

billm:

@jeroen234:

    There is UPnP support for FreeBSD, but not many use it. If you need it, then you use this in a shell on the pfSense system:

    pkg_add -r http://www.gigaload.org/freebsd.org/ports/i386/packages-6.0-release/net/linuxigd-0.92_2.tbz

I'd be willing to take a look at this again at some point, but the last I looked at this package I couldn't even get Windows to see that there was a UPnP gateway on the network. Obviously pf stuff won't work out of the box either, but without a client that sees it, it'll be somewhat difficult to implement.

FWIW, I believe the "package" is still in our package XML, just commented out. Should be easy for someone interested to get the package working once the communication issue is straightened out.

--Bill

pfSense core developer
blog - http://www.ucsecurity.com/
twitter - billmarquette

ZPrime:

Bill, very interesting.

Another place to get WORKING UPnP is the Linksys code for their WRT series of routers. There are other free implementations/extensions of their code, but AFAIK it should be available as open source already (since they based the whole thing on Linux). I know that Linux isn't BSD, but as I said before, UPnP is mostly multicasted HTTP and then SOAP-like exchanges…

Skud:

I'm just wondering if there has been an update to this?

I'd be willing to throw in a little cashola for this as well..

UPnP would make my pfSense box the perfect home firewall IMO..

Riley

sullrich:

No, I am afraid not. Seth talked about working on it, so maybe push him over the edge with a bounty :)

It requires some C work, so it's not a trivial patch to bring to life.

Skud:

Unfortunately, things may be a little tight for a bit as I'm moving to a new place, but I would offer up $50. It's not much, I'm afraid..

So, the UPnP support bounty is up to $150 now I guess.. :)

Riley

databeestje:

I am currently having a poke at it. I require at least a week.

Also, other UPnP software came available that has no silly dependencies, which might make it easier to work on.

databeestje:

I have some proof of concept code and was wondering if there are any testers available.

Superman:

I'll try it out. Do you have a link or a file with some instructions?

databeestje:

replace /etc/inc/system.inc with http://iserv.nl/files/pfsense/system.inc
replace /etc/inc/filter.inc with http://iserv.nl/files/pfsense/filter.inc
replace /usr/local/www/interfaces_lan.php with http://iserv.nl/files/pfsense/interfaces_lan.txt
replace /usr/local/www/interfaces_opt.php with http://iserv.nl/files/pfsense/interfaces_opt.txt
execute this command: fetch -o /usr/local/sbin/miniupnpd http://iserv.nl/files/pfsense/miniupnpd
execute this command: chmod +x /usr/local/sbin/miniupnpd

Enable it on the LAN interface.

Check the system logs.

Currently unsupported.

Superman:

Okay, files updated, service enabled. Stuff is happening in the system logs when I open uTorrent or MSN Messenger. I'll have to close some of my presently opened & NATed ports and check it out…

Thanks!

Superman:

Further testing seems to indicate that it's working properly.
I removed my NAT & Firewall Rules entries for uTorrent, enabled UPnP in the program, and it all worked!!
The port was opened when I opened the program.
And it seemed to be closed after I exited the program, as indicated by an external port probe.

It passes these simple tests anyway!

Thanks again!

Superman:

Minor update.

I did see this one error in the logs. It doesn't seem to stop it from working, but just for completeness here it is.

miniupnpd[46767]: /dummy not found, responding ERROR 404
                                  
databeestje:

That's a feature. No fix for that. The computer is requesting something from the daemon which it does not comprehend.

Nice hearing that it appears working.

It does need further fixing though. It currently does not remove the firewall rules, only the port forwards to the inside host. I hope to fix that at a later time.

Cheers.

Superman:

Cool!!

It would be nice to have it as a package even in this state so we won't lose it across updates!
Plus it would be easier to install! ;) Not that it's terribly difficult, but… :D

It may not be the best feature in a corporate environment, but it sure is nice in a small home/office setup!

Thanks for your hard work so far!! :D

JC (aka Superman)

Skud:

Cool, great!!

I'll have to give this a try and I'll let the OP (bradenmcg) know there has been progress as he is at the desk next to me.. :)

Riley

databeestje:

It appears this will be going into base instead of a package, although that is still up for discussion.

It does make sense for some corporate workplaces though. If you have a lot of Skype and videoconferencing then UPnP is a good solution and far more granular than opening port ranges or creating static port ranges with static IPs.

A SOCKS proxy is even worse because then you can tunnel anything in and out.

Cheers,

nsumner:

Can you see what has been opened by UPnP? I.e. can a corporate firewall administrator who in a fit of insanity allows UPnP at least see what is going on with it?

databeestje:

Not yet.

databeestje:

pfctl -aminiupnpd -sr
pfctl -aminiupnpd -sn
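As an added example (not code from this thread or from miniupnpd), here is a small audit script that parses the output of those two commands, lists the mappings UPnP has opened and flags the gaps raised elsewhere in the thread: a redirect with no matching pass rule, a pass rule whose destination is still "any" rather than the inside host, and a leftover pass rule with no redirect behind it. The rule lines below are a constructed sample written in pf syntax; on a real box you would feed it the actual output of `pfctl -a miniupnpd -sn` and `pfctl -a miniupnpd -sr`.

```python
import re

# Constructed sample output, written in pf rule syntax, of what the two
# commands above might print on a box where a torrent client and a game
# console have asked for mappings. Not captured from a real pfSense system.
SAMPLE_NAT = """\
rdr pass on em0 inet proto tcp from any to any port = 6881 -> 192.168.42.36 port 6881 label "Azureus 6881 TCP"
rdr pass on em0 inet proto udp from any to any port = 6881 -> 192.168.42.36 port 6881 label "Azureus 6881 UDP"
rdr pass on em0 inet proto udp from any to any port = 3074 -> 192.168.42.36 port 3074 label "Xbox 3074 UDP"
"""
SAMPLE_RULES = """\
pass in quick on em0 inet proto tcp from any to 192.168.42.36 port = 6881 flags S/SA keep state label "Azureus 6881 TCP"
pass in quick on em0 inet proto udp from any to any port = 6881 keep state label "Azureus 6881 UDP"
pass in quick on em0 inet proto tcp from any to 192.168.42.36 port = 51413 flags S/SA keep state label "stale 51413 TCP"
"""

# One redirect (port forward) as printed by "pfctl -a miniupnpd -sn".
RDR_RE = re.compile(
    r'^rdr(?: pass)? on (?P<iface>\S+)(?: inet6?)? proto (?P<proto>\w+) '
    r'from \S+ to \S+ port = (?P<eport>\d+) -> (?P<host>\S+) port (?P<iport>\d+)'
    r'(?: label "(?P<label>[^"]*)")?')

# One filter rule as printed by "pfctl -a miniupnpd -sr". After the rdr the
# destination pf sees is the inside host and inside port, so that is what
# the pass rule is matched on.
PASS_RE = re.compile(
    r'^pass in(?: quick)? on (?P<iface>\S+)(?: inet6?)? proto (?P<proto>\w+) '
    r'from \S+ to (?P<dst>\S+) port = (?P<port>\d+)(?:.* label "(?P<label>[^"]*)")?')


def parse_mappings(nat_text):
    """Return one dict per rdr line; lines that do not parse are skipped."""
    return [m.groupdict() for line in nat_text.splitlines()
            if (m := RDR_RE.match(line.strip()))]


def parse_pass_rules(rules_text):
    """Return one dict per pass rule; lines that do not parse are skipped."""
    return [m.groupdict() for line in rules_text.splitlines()
            if (m := PASS_RE.match(line.strip()))]


def audit_upnp_anchor(nat_text, rules_text):
    """Cross-check redirects against pass rules and report inconsistencies."""
    mappings = parse_mappings(nat_text)
    rules = parse_pass_rules(rules_text)
    findings = []
    matched = set()
    for m in mappings:
        hits = [i for i, r in enumerate(rules)
                if r["proto"] == m["proto"] and r["port"] == m["iport"]
                and r["dst"] in (m["host"], "any")]
        if not hits:
            findings.append(f"{m['proto']}/{m['eport']} -> {m['host']}:{m['iport']}: "
                            "redirect has no pass rule")
        for i in hits:
            matched.add(i)
            if rules[i]["dst"] == "any":
                # The pass rule admits traffic to any host, not just the one
                # that asked for the mapping.
                findings.append(f"{m['proto']}/{m['eport']}: pass rule destination is "
                                f"'any', not {m['host']}")
    for i, r in enumerate(rules):
        if i not in matched:
            # A pass rule left behind after its redirect was removed.
            findings.append(f"{r['proto']}/{r['port']} to {r['dst']}: "
                            "pass rule with no redirect (stale?)")
    return mappings, findings


if __name__ == "__main__":
    mappings, findings = audit_upnp_anchor(SAMPLE_NAT, SAMPLE_RULES)
    for m in mappings:
        print(f"{m['proto']}/{m['eport']} -> {m['host']}:{m['iport']}  "
              f"{m['label'] or '(no label)'}")
    for f in findings:
        print("WARNING:", f)
```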

Jonb:

I have tested it and I think I have gone wrong somewhere because I get this

XML error: not well-formed (invalid token) at line 99

Hosted desktops and servers with support without complication.
www.blueskysystems.co.uk

databeestje:

That's very interesting. I have not seen that happen on 3 different hosts I tried it on.

What does the config.xml look like at line 99?

It should (probably) be in the interfaces, lan section,
which should have an <enableupnp></enableupnp> tag.

Jonb:

Well, I have just tried it on my other pfSense box and it works. Hmm, I must have broken something when I was playing around.

Superman:

Okay, I just tested the latest version of miniupnpd… this time I decided to reboot to make sure to clear the tables... and I noticed a small bug, perhaps unique to me, but maybe not.

Miniupnpd did not restart at reboot. I had to go to the LAN page > disable it > apply > enable it > apply again, and then it was running.

Oh, and not much is being logged anymore.

databeestje:

It might not be included in the startup scripts. I think the code in HEAD does do this.

I have not rebooted my box yet. So I have not noticed.

nsumner:

I am unable to get it working properly.

First I tried uTorrent and it seems to have half worked. It never turned green but the port was open doing a port scan…

Then I tried the following program to test: http://fp.mgillespie.plus.com/upnphelp.htm. There is a link there to download. The program fails tests 7 and 8. In my experience if you pass his test UPnP will work. If you fail his test, it will be hit and miss at best. It of course could just be my setup.

I have my LAN set to 192.168.17.x (just in case there is a buglet there, which I doubt), and am using PPPoE (which again I doubt has any effect).
If you have any other program you want me to test with just tell me please.

databeestje:

To make it start up on reboot:

replace /etc/inc/pfsense-utils.inc with http://iserv.nl/files/pfsense/pfsense-utils.inc
replace /etc/inc/system.inc with http://iserv.nl/files/pfsense/system.inc
fetch -o /usr/local/sbin/miniupnpd http://iserv.nl/files/pfsense/miniupnpd
chmod +x /usr/local/sbin/miniupnpd

Also updated the miniupnpd binary so it logs properly.

About that test program, ignore it. What it does is connect from the LAN to the WAN on the opened port and then gets bitten by the fact that there is no NAT reflection for that port.

I do not plan on adding that. Furthermore, Azureus does not have this problem (which is what I test with).

Superman:

Okay, I tried this all out. Logging is working properly, but the daemon still doesn't seem to restart after a reboot. I'll check over all the files to make sure they're right, but I did follow all the directions…

nsumner:

I still get nothing in my log from UPnP. What should I be expecting? Is there any way we can get another section added to the logs for UPnP? It seems to me it is important enough that it should have its own log section.

databeestje:

replace /etc/rc.bootup with http://iserv.nl/files/pfsense/rc.bootup.txt

This works for me.

And the binary which is currently on my site is logging for me. Although it does core dump immediately after reboot :-/
Something to do with Azureus referencing non-existent rules after a reboot, I think.

I have updated system.inc and pfsense-utils.inc as well.

nsumner:

I just updated all relevant files again (including system.ini and pfsense-utils.inc) as well as the bootup. I rebooted my pfSense and it started on bootup, and NOW is logging. Now that I see how much it is logging I can tell you before it definitely was not logging anything.

I will probably now turn off UPnP as I don't actually want it running on my network, but I think it is a major addition to pfSense and am happy to help test it.

Superman:

I also can confirm that it is logging fine and that it starts at bootup!! Cool!!

Thanks!

databeestje:

This leaves the following points I want fixed.

• The firewall rule needs to be stricter in the destination address.
• The firewall rule needs to have a label with a description the program provides.
• It needs to clear the redirect and rules table when stopping or restarting miniupnpd.
• We need a page to list the port redirections with the label description.

I would like to claim this bounty, and on payment this program will be made into a package for 1.0.
Payment may be sent to seth.mos@xs4all.nl
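The stricter-destination and label points above, together with the SOAP exchange described in the opening post, as an added example (not miniupnpd's code and not part of this thread): parse a client's AddPortMapping request, check it against a policy under which the inside host must be the requester itself on the LAN subnet and ports must stay above a configurable minimum (an assumed policy, not one stated in the thread), and render a pf rule pair whose pass rule names the specific inside host and carries the sanitised client-supplied description as its label. The request body is a constructed sample; the argument names are those of the WANIPConnection:1 AddPortMapping action.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"

# Constructed sample of the SOAP body a LAN client POSTs to the gateway's
# control URL after discovering it via SSDP. Not a real capture.
SAMPLE_REQUEST = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
            s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>6881</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>6881</NewInternalPort>
      <NewInternalClient>192.168.42.36</NewInternalClient>
      <NewEnabled>1</NewEnabled>
      <NewPortMappingDescription>Azureus 6881 TCP</NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>
"""


def parse_add_port_mapping(xml_text):
    """Extract the AddPortMapping arguments from a SOAP envelope."""
    root = ET.fromstring(xml_text)
    action = root.find(f"{{{SOAP_NS}}}Body/{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not a WANIPConnection:1 AddPortMapping request")
    # The argument elements are unqualified, so their tags are the bare names.
    args = {child.tag: (child.text or "").strip() for child in action}
    return {
        "remote_host": args.get("NewRemoteHost", ""),
        "external_port": int(args["NewExternalPort"]),
        "protocol": args["NewProtocol"].upper(),
        "internal_port": int(args["NewInternalPort"]),
        "internal_client": args["NewInternalClient"],
        "description": args.get("NewPortMappingDescription", ""),
        "lease": int(args.get("NewLeaseDuration") or 0),
    }


def check_mapping(mapping, requester_ip, lan_net, min_port=1024):
    """Return the reasons to reject a mapping; an empty list means accept.

    Policy (assumed for this example): the inside host must be the address
    the request came from, that address must lie inside the LAN subnet, the
    protocol must be TCP or UDP, and both ports must be >= min_port.
    """
    problems = []
    net = ipaddress.ip_network(lan_net)
    try:
        client = ipaddress.ip_address(mapping["internal_client"])
    except ValueError:
        return ["internal client is not an IP address"]
    if client not in net:
        problems.append("internal client outside LAN")
    if str(client) != requester_ip:
        problems.append("internal client differs from requester")
    if mapping["protocol"] not in ("TCP", "UDP"):
        problems.append("unknown protocol")
    for key in ("external_port", "internal_port"):
        p = mapping[key]
        if not min_port <= p <= 65535:
            problems.append(f"{key} {p} outside allowed range")
    return problems


def render_pf_rules(mapping, wan_if="em0"):
    """Render the rdr/pass pair for an accepted mapping.

    The pass rule's destination is the specific inside host rather than
    "any", and the label is the client's description with anything outside
    a safe character set removed so it cannot break out of the quotes.
    """
    proto = mapping["protocol"].lower()
    host = mapping["internal_client"]
    label = re.sub(r"[^\w .:-]", "", mapping["description"])[:60] or "miniupnpd"
    rdr = (f'rdr pass on {wan_if} proto {proto} from any to any '
           f'port {mapping["external_port"]} -> {host} '
           f'port {mapping["internal_port"]} label "{label}"')
    pas = (f'pass in quick on {wan_if} proto {proto} from any to {host} '
           f'port {mapping["internal_port"]} keep state label "{label}"')
    return rdr, pas


if __name__ == "__main__":
    m = parse_add_port_mapping(SAMPLE_REQUEST)
    problems = check_mapping(m, "192.168.42.36", "192.168.42.0/24")
    if problems:
        print("rejected:", "; ".join(problems))
    else:
        for rule in render_pf_rules(m):
            print(rule)
```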

Skud:

Cool, how does the payment process work? (Yes, bradenmcg and I will pay.. :) )

Do we pay after the items you listed to be fixed are fixed?

Also, the OP stated that he would like this to not be a package as he is using this on a Soekris box with no access to the package system. Is there a way for him to install it by just replacing files as we have been doing so far? I'm sure that would be OK with him..

Thanks!!
Riley

databeestje:

The payment can be sent using PayPal to the email address seth.mos@xs4all.nl

From the issues: 1 - currently on hold for a bit, 2 - working on it, 3 - already fixed (not online yet), 4 - needs labels on rules first.

Replacing files on the embedded platform works exactly the same. And the binary is not large either. So he can test it as it stands now.

Cheers

ZPrime:

I believe my original post mentioned that I want it in the main system… I use a Soekris (CF-based) embedded box so it's useless to me as a package. I'm willing and able to pay bounty but I need to be able to use it first. :)

[edit]
OK, I'll give the above a try. What base revision should I be running? I think I'm still on beta2 or something (since the embedded stuff is such a pain in the arse to flash, I've been putting it off). I'm also going to be putting it to the extreme test - I want to see how it functions with the Xbox 360. The 360 and Azureus are the two reasons I wanted UPnP at all.

hoba:

Reflash your box with RC2 and upgrade to RC2e following these instructions: http://forum.pfsense.org/index.php/topic,1820.msg10603.html#msg10603 (yes, it works for embeddeds too).

ZPrime:

OK, it's working well with Azureus, but not with an Xbox (360, although the normal one should behave the same way).

Bunch of this in the logs:

Aug 18 01:22:22 miniupnpd[682]: Unknown udp packet received from 192.168.42.36:1025
Aug 18 01:22:22 miniupnpd[682]: Unknown udp packet received from 192.168.42.36:1025
Aug 18 01:22:22 miniupnpd[682]: Unknown udp packet received from 192.168.42.36:4776
Aug 18 01:22:22 miniupnpd[682]: Unknown udp packet received from 192.168.42.36:4776
Aug 18 01:22:22 last message repeated 9 times
Aug 18 01:22:23 miniupnpd[682]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 18 01:22:23 miniupnpd[682]: SSDP M-SEARCH packet received from 192.168.42.36:3039
Aug 18 01:22:23 miniupnpd[682]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 18 01:22:23 miniupnpd[682]: SSDP M-SEARCH packet received from 192.168.42.36:2306
Aug 18 01:22:23 miniupnpd[682]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 18 01:22:23 miniupnpd[682]: SSDP M-SEARCH packet received from 192.168.42.36:3039
Aug 18 01:22:22 last message repeated 9 times

pfctl -aminiupnpd -sn (and -sr) don't show anything mapping to the Xbox (it is .36 here, the pfSense is 42.1).

I can probably provide an ethereal/tcpdump capture of the wire from the 360 while it is starting up/probing for UPnP if that would be helpful, but don't expect it until Saturday or Sunday (I'm busy Friday and Saturday and probably won't get to a dump until Sat. PM or Sunday).

I found a bit more info about Microsoft's requirements for an "XBox Live compatible router"…

The Xbox implementation of UPnP follows the InternetGatewayDevice:1 specification; more information is available at http://www.upnp.org.

I didn't read through the specs at all; are you following this specification or is it a more limited implementation?

They also make a stink about UDP port assignment and which method they "prefer":

1. The NAT can assign one UDP port to each UDP source port used by a client device, regardless of the destination of the UDP packet. We call this "minimal port assignment policy" because it results in the minimum number of UDP ports being assigned by the NAT. This is also sometimes called a "cone" NAT.
2. The NAT can assign a different UDP port for each UDP destination. We call this an "aggressive port assignment policy" because it results in the NAT assigning many ports. This is also sometimes called a "symmetric" NAT.

Microsoft specifies a "cone" NAT device as their favorite. I'm not sure which method pf follows since I haven't been watching it that closely. ;)

The full document about Xbox-Live compatible routers is found at Microsoft in a Word Doc. Google does have it cached & available in HTML too though. I obviously don't expect pfSense to be shooting for MS Logo certification here or anything, I just want UPnP to work so I can have multiple XBoxes behind a single pf router/firewall.

Thanks for all your work so far, it's very impressive!
