• I would pay at least $100 for someone to put working UPnP support in the base image.  It can be disabled by default, and even require 10 different check marks to enable if you want to be that crazy about it (I know that many consider it a huge security hole).

    I want it because I have multiple machines at home, using things like BitTorrent that function best if they have dedicated ports.  While I can forward ports, it then requires setting up DHCP reservations for each machine, and there are some apps that don't allow you to change their default port.  I also have two XBoxes and an XBox360, all of which like to be able to poke holes so they can host games.  There's no way to configure a port range on either game system.  It can and does "work" behind a normal NAT box, but your system is never able to become a host for outsiders, which can make finding a game to play more difficult at times.

    I only ask that UPnP be in base (as opposed to an add-on) because I'm using a Soekris with a CF card, and I don't have access to the packages system.  It doesn't necessarily have to be tied into the main code tree, I just want it to be something that gets distributed as part of a "vanilla" system.

    I'd be willing to go higher if you can do it quickly (by the end of Feb. would be great).  I welcome anyone else that wants UPnP support to tack on more money to this bounty.  It would make pfSense the only embedded-type platform short of junky consumer boxes (Linksys/etc) that handles UPnP.

    For those who aren't familiar, UPnP itself is actually not all that complicated.  It's a series of HTTP messages that are multicasted to the LAN, and then from there it looks like a SOAP exchange, with XML data going back and forth between devices.  It does have periodic multicasting ("advertisement") built in to the spec, so a proper system would probably use a daemon, although I could also see it being implemented with straight PHP I suppose.

    Here's all the technical info you should need to implement (some of this didn't look right in Firefox 1.5, not sure why):

    You can find more information on what a router (aka "Internet Gateway Device") is required to implement here:

    I don't even really care about a fully compliant implementation - as long as my devices can talk to pfSense and get it to open ports as needed (and then dispose of them), I'll consider the bounty fulfilled.  A fully compliant system would kick ass though.  :)

  • there is upnp suport for freebsd but not many use it if you need it then you use this in a shell on the pfsense system:

    pkg_add -r http://www.gigaload.org/freebsd.org/ports/i386/packages-6.0-release/net/linuxigd-0.92_2.tbz

  • Does that open up the respective PF ports automatically?  Last I tested this, it didn't work.

  • @jeroen234:

    there is upnp suport for freebsd but not many use it if you need it then you use this in a shell on the pfsense system:

    pkg_add -r http://www.gigaload.org/freebsd.org/ports/i386/packages-6.0-release/net/linuxigd-0.92_2.tbz

    I'd be willing to take a look at this again at some point, but the last I looked at this package I couldn't even get Windows to see that there was a UPnP gateway on the network.  Obviously pf stuff won't work out of the box either, but w/out a client that sees it, it'll be somewhat difficult to implement.

    FWIW, I believe the "package" is still in our package XML, just commented out.  Should be easy for someone interested to get the package working once the communication issue is straightened out.


  • Bill, very interesting.

    Another place to get WORKING UPnP is the Linksys code for their WRT series of routers.  There are other free implementations/extensions of their code, but AFAIK it should be available as open source already (since they based the whole thing on Linux).  I know that Linux isn't BSD, but as I said before, UPnP is mostly multicasted HTTP and then SOAP-like exchanges…

  • I'm just wondering if there has been an update to this?

    I'd be willing to throw in a little cashola for this as well..

    UPnP would make my Pfsense box the perfect home firewall IMO..


  • No, I am affraid not.  Seth talked about working on it so maybe push him over the edge with a bounty :)

    It requires some c work, so it's not a trivial patch to bring to life.

  • Unfortunately, things may be a little tight for a bit as I'm moving to a new place, but I would offer up $50. It's not much I'm afraid..

    So, uPnP support bounty is up to $150 now I guess.. :)


  • I am currently having a poke at it. I require at least a week.

    Also, other upnp software came available that has no silly depencies which might make it easier to work on.

  • I have some proof of concept code and was wondering if there are any testers available.

  • I'll try it out. Do you have a link or a file with some instructions?

  • replace /etc/inc/system.inc with http://iserv.nl/files/pfsense/system.inc
    replace /etc/inc/filter.inc with http://iserv.nl/files/pfsense/filter.inc
    replace /usr/local/www/interfaces_lan.php with http://iserv.nl/files/pfsense/interfaces_lan.txt
    replace /usr/local/www/interfaces_opt.php with http://iserv.nl/files/pfsense/interfaces_opt.txt
    execute this command, fetch -o /usr/local/sbin/miniupnpd http://iserv.nl/files/pfsense/miniupnpd
    execute this command, chmod +x /usr/local/sbin/miniupnpd

    enable it on the lan interface.

    Check the sytem logs.

    Currently unsupported

  • Okay, files updated, service enabled. Stuff is happening in the system logs when I open uTorrent or MSN Messenger. I'll have to close some of my presently opened & NATed ports and check it out…


  • Further testing seems to indicate that it's working properly.
    I removed my NAT & Firewall Rules entries for uTorrent, enabled UPnP in the program, and it all worked!!
    The port was opened when I opened the program.
    And it seemed to be closed after I exited the program as indicated from a external port probe.

    It passes these simple tests anyway!

    Thanks again!

  • Minor update.

    I did see this one error in the logs. It doesn't seem to stop it from working, but just for completeness here it is.

    miniupnpd[46767]: /dummy not found, responding ERROR 404

  • That's a feature. No fix for that. The computer is requesting something from the daemon which it does not comprehend.

    Nice hearing that it appears working.

    It does need further fixing though. It currently does not remove the firewall rules, only the port forwards to the inside host. I hope to fix that at a later time.


  • Cool!!

    It would be nice to have it as a package even in this state so we won't lose it across updates!
    Plus it would be easier to install!  ;) Not that it's terribly difficult, but… :D

    It may not be the best feature in a corporate environment, but it sure is nice in a small home/office setup!

    Thanks for your hard work so far!! :D

    JC (aka Superman)

  • Cool great!!

    I'll have to give this a try and I'll let the OP (bradenmcg) know there has been progress as he is at the desk next to me.. :)


  • It appears this wil be going into base instead of a package although that is still up for discussion

    It does make sense for some corporate workplaces though. If you have a lot of skype and videoconferencing then upnp is a good solution and far more granular then opening port ranges or creating static port ranges with static IP's.

    A socks proxy is even worse because then you can tunnel anything in and out.


  • Can you see what has been opened by UPNP? IE can a corporate firewall administrator who in a fit of insanity allows uPnP at least see what is going on with it?

  • Not yet.

  • pfctl -aminiupnpd -sr
    pfctl -aminiupnpd -sn

  • I have tested it and I think I have gone wrong some ware because I get this

    XML error: not well-formed (invalid token) at line 99

  • That's very interesting. I have not seen that happen on 3 different hosts I tried it on.

    What does the config.xml look like at line 99?

    It should (probably)  be in the interfaces, lan section
    Which should have a <enableupnp>tag.</enableupnp>

  • well I have just tryed it on my other PFsense box and it works.  Hmm I must of broken something when I was playing around.

  • Okay, I just tested the latest version of miniupnpd…this time I decided to reboot to make sure to clear the tables...and I noticed a small bug, perhaps unique to me, but maybe not.

    Miniupnpd did not restart at reboot. I had to go to the LAN page > disable it > apply > enable it > apply again, and then it was running.

    Oh, and not much is being logged anymore.

  • It might not be included in the startup scripts. I think the code in HEAD does do this.

    I have not rebooted my box yet. So I have not noticed.

  • I am unable to get it working properly.

    First I tried utorrent and it seems to of half worked. I never turned green but the port was open doing a port scan…

    Then I tried the following program to test http://fp.mgillespie.plus.com/upnphelp.htmhttp://fp.mgillespie.plus.com/upnphelp.htm. There is a link there to download. The program fails tests 7 and 8. In my experience if you pass his test uPnP will work. If you fail his test, it will be hit and miss at best. It of course could just be my setup.

    I have my LAN set to 192.168.17.x (just incase there is a buglet there which I doubt), and am using PPPoE (which again I doubt has any effect).
    If you have any other program you want me to test with just tell me please.

  • to make it startup on reboot

    replace /etc/inc/pfsense-utils.inc with http://iserv.nl/files/pfsense/pfsense-utils.inc
    replace /etc/inc/system.inc with http://iserv.nl/files/pfsense/system.inc
    fetch -o /usr/local/sbin/miniupnpd http://iserv.nl/files/pfsense/miniupnpd
    chmod +x /usr/local/sbin/miniupnpd

    also updated the miniupnpd binary so it logs properly.

    About that test program, ignore it. What it does is connect from the LAN to the WAN on the opened port and then gets bitten by the fact that there is not NAT reflection for that port.

    I do not plan on adding that. Furthermore, Azureus does not have this problem (which is what I test with).

  • Okay, I tried this all out. Logging is working properly, but the daemon still doesn't seem to restart after a reboot. I'll check over all the files to make sure they're right, but I did follow all the directions…

  • I still get nothing in my log from UPNP. What should I be expecting? Is there anyway we can get another section added to the logs from upnp? It seems to me it is important enough it should have it's own log section.

  • replace /etc/rc.bootup with http://iserv.nl/files/pfsense/rc.bootup.txt

    This works for me.

    And the binary which is currently on my site is logging for me. Although it does core dump immediately after reboot :-/
    Something to do with azureus referencing non-existant rules after a reboot I think.

    I have updated system.inc and pfsense-utils.inc as well.

  • I just updated all relevant files again (including system.ini and pfsense-utils.inc) as well as the bootup. I rebooted my PfSense and it started on bootup, and NOW is logging. Now that I see how much it is logging I can tell you before it definately was not logging anything.

    I will probably now turn of uPnP as I don't actually want it running on my network but I think it is a major addition to PfSense and am happy to help test it.

  • I also can confirm that it is logging fine and that it starts at bootup!! Cool!!


  • This leaves the following points I want fixed.

    • The firewall rule needs to be stricter in the destination address.
    • The firewall rule needs to have a label with a description the program provides.
    • It needs to clear the redirect and rules table when stopping or restarting miniupnpd.
    • We need a page to list the port redirections with the label description.

    I would like to claim this bounty and on payment this program will be made into a package for 1.0.
    Payment may be sent to seth.mos@xs4all.nl

  • Cool, how does the payment process work? (Yes, bradenmcg and I will pay.. :) )

    Do we pay after the items you listed to be fixed are fixed?

    Also, the OP stated that he would like this to not be a package as he is using this on a soekris box with no access to the package system. Is there a way for him to install it by just replacing files as we have been doing so far? I'm sure that would be OK with him..


  • The payment can be sent using PayPal to the email address seth.mos@xs4all.nl

    From the issues, 1 - currently on hold for a bit, 2 - working on it, 3 - allready fixed (not online yet), 4 - needs labels on rules first.

    Replacing files on the embedded platform works exactly the same. And the binary is not large either. So he can test it as it stands now.


  • I believe my original post mentioned that I want it in the main system…  I use a soekris (CF-based) embedded box so it's useless to me as a package.  I'm willing and able to pay bounty but I need to be able to use it first.  :)
    OK, I'll give the above a try.  What base revision should I be running?  I think I'm still on beta2 or something (since the embedded stuff is such a pain in the arse to flash, I've been putting it off).  I'm also going to be putting it to the extreme test - I want to see how it functions with the Xbox 360.  The 360 and Azureus are the two reasons I wanted UPnP at all.

  • Reflash your box with RC2 and upgrade to RC2e following these instructions: http://forum.pfsense.org/index.php/topic,1820.msg10603.html#msg10603 (yes, it works for embeddeds too).

  • OK, it's working well with Azureus, but not with an Xbox (360, although the normal one should behave the same way).

    Bunch of this in the logs:

    Aug 18 01:22:22 	miniupnpd[682]: Unknown udp packet received from
    Aug 18 01:22:22 	miniupnpd[682]: Unknown udp packet received from
    Aug 18 01:22:22 	miniupnpd[682]: Unknown udp packet received from
    Aug 18 01:22:22 	miniupnpd[682]: Unknown udp packet received from
    Aug 18 01:22:22 	last message repeated 9 times
    Aug 18 01:22:23 	miniupnpd[682]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
    Aug 18 01:22:23 	miniupnpd[682]: SSDP M-SEARCH packet received from
    Aug 18 01:22:23 	miniupnpd[682]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
    Aug 18 01:22:23 	miniupnpd[682]: SSDP M-SEARCH packet received from
    Aug 18 01:22:23 	miniupnpd[682]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
    Aug 18 01:22:23 	miniupnpd[682]: SSDP M-SEARCH packet received from
    Aug 18 01:22:22 	last message repeated 9 times

    pfctl -aminiupnpd -sn (and -sr) don't show anything mapping to the Xbox (it is .36 here, the pfsense is 42.1).

    I can probably provide an ethereal/tcpdump capture of the wire from the 360 while it is starting up/probing for UPnP if that would be helpful, but don't expect it until Saturday or Sunday (I'm busy Friday and Saturday and probably won't get to a dump until Sat. PM or Sunday).

    I found a bit more info about Microsoft's requirements for an "XBox Live compatible router"…

    The Xbox implementation of UPnP follows the InternetGatewayDevice:1 specification- more information is available at http://www.upnp.org.

    I didn't read through the specs at all, are you following this specification or is it a more limited implementation?

    They also make a stink about UDP port assignment and which method they "prefer":

    1. The NAT can assign one UDP port to each UDP source port used by a client device, regardless of the destination of the UDP packet. We call this “minimal port assignment policy” because it results in the minimum number of UDP ports being assigned by the NAT. This is also sometimes called a “cone” NAT.
    2. The NAT can assign a different UDP port for each UDP destination. We call this an “aggressive port assignment policy” because it results in the NAT assigning many ports. This is also sometimes called a “symmetric” NAT.

    Microsoft specifies a "cone" NAT device as their favorite.  I'm not sure which method pf follows since I haven't been watching it that closely.  ;)

    The full document about Xbox-Live compatible routers is found at Microsoft in a Word Doc.  Google does have it cached & available in HTML too though.  I obviously don't expect pfSense to be shooting for MS Logo certification here or anything, I just want UPnP to work so I can have multiple XBoxes behind a single pf router/firewall.

    Thanks for all your work so far, it's very impressive!