
    UPnP support

      sullrich

      Does that open up the respective PF ports automatically?  Last I tested this, it didn't work.

        billm

        @jeroen234:

        There is UPnP support for FreeBSD, but not many use it. If you need it, then you use this in a shell on the pfSense system:

        pkg_add -r http://www.gigaload.org/freebsd.org/ports/i386/packages-6.0-release/net/linuxigd-0.92_2.tbz

        I'd be willing to take a look at this again at some point, but the last I looked at this package I couldn't even get Windows to see that there was a UPnP gateway on the network.  Obviously pf stuff won't work out of the box either, but w/out a client that sees it, it'll be somewhat difficult to implement.

        FWIW, I believe the "package" is still in our package XML, just commented out.  Should be easy for someone interested to get the package working once the communication issue is straightened out.

        –Bill

        pfSense core developer
        blog - http://www.ucsecurity.com/
        twitter - billmarquette

          ZPrime

          Bill, very interesting.

          Another place to get WORKING UPnP is the Linksys code for their WRT series of routers.  There are other free implementations/extensions of their code, but AFAIK it should be available as open source already (since they based the whole thing on Linux).  I know that Linux isn't BSD, but as I said before, UPnP is mostly multicasted HTTP and then SOAP-like exchanges…

            Skud

            I'm just wondering if there has been an update to this?

            I'd be willing to throw in a little cashola for this as well..

            UPnP would make my pfSense box the perfect home firewall IMO..

            Riley

              sullrich

              No, I am afraid not.  Seth talked about working on it so maybe push him over the edge with a bounty :)

              It requires some C work, so it's not a trivial patch to bring to life.

                Skud

                Unfortunately, things may be a little tight for a bit as I'm moving to a new place, but I would offer up $50. It's not much I'm afraid..

                So, uPnP support bounty is up to $150 now I guess.. :)

                Riley

                  databeestje

                  I am currently having a poke at it. I require at least a week.

                  Also, other UPnP software became available that has no silly dependencies, which might make it easier to work on.

                    databeestje

                    I have some proof of concept code and was wondering if there are any testers available.

                      Superman

                      I'll try it out. Do you have a link or a file with some instructions?

                        databeestje

                        replace /etc/inc/system.inc with http://iserv.nl/files/pfsense/system.inc
                        replace /etc/inc/filter.inc with http://iserv.nl/files/pfsense/filter.inc
                        replace /usr/local/www/interfaces_lan.php with http://iserv.nl/files/pfsense/interfaces_lan.txt
                        replace /usr/local/www/interfaces_opt.php with http://iserv.nl/files/pfsense/interfaces_opt.txt
                        execute this command, fetch -o /usr/local/sbin/miniupnpd http://iserv.nl/files/pfsense/miniupnpd
                        execute this command, chmod +x /usr/local/sbin/miniupnpd

                        enable it on the lan interface.

                        Check the system logs.

                        Currently unsupported

                          Superman

                          Okay, files updated, service enabled. Stuff is happening in the system logs when I open uTorrent or MSN Messenger. I'll have to close some of my presently opened & NATed ports and check it out…

                          Thanks!

                            Superman

                            Further testing seems to indicate that it's working properly.
                            I removed my NAT & Firewall Rules entries for uTorrent, enabled UPnP in the program, and it all worked!!
                            The port was opened when I opened the program.
                            And it seemed to be closed after I exited the program, as indicated from an external port probe.

                            It passes these simple tests anyway!

                            Thanks again!

                              Superman

                              Minor update.

                              I did see this one error in the logs. It doesn't seem to stop it from working, but just for completeness here it is.

                              miniupnpd[46767]: /dummy not found, responding ERROR 404
                              
                                databeestje

                                That's a feature. No fix for that. The computer is requesting something from the daemon which it does not comprehend.

                                Nice hearing that it appears to be working.

                                It does need further fixing though. It currently does not remove the firewall rules, only the port forwards to the inside host. I hope to fix that at a later time.

                                Cheers.

                                  Superman

                                  Cool!!

                                  It would be nice to have it as a package even in this state so we won't lose it across updates!
                                  Plus it would be easier to install!  ;) Not that it's terribly difficult, but… :D

                                  It may not be the best feature in a corporate environment, but it sure is nice in a small home/office setup!

                                  Thanks for your hard work so far!! :D

                                  JC (aka Superman)

                                    Skud

                                    Cool great!!

                                    I'll have to give this a try and I'll let the OP (bradenmcg) know there has been progress as he is at the desk next to me.. :)

                                    Riley

                                      databeestje

                                      It appears this will be going into base instead of a package, although that is still up for discussion.

                                      It does make sense for some corporate workplaces though. If you have a lot of Skype and videoconferencing then UPnP is a good solution and far more granular than opening port ranges or creating static port ranges with static IPs.

                                      A socks proxy is even worse because then you can tunnel anything in and out.

                                      Cheers,

                                        nsumner

                                        Can you see what has been opened by UPnP? I.e., can a corporate firewall administrator who in a fit of insanity allows UPnP at least see what is going on with it?

                                          databeestje

                                          Not yet.

                                            databeestje

                                            pfctl -aminiupnpd -sr
                                            pfctl -aminiupnpd -sn
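
Added example (not from the thread, and not pfSense or miniupnpd code): a shell check that combines the two commands above to cover the gap databeestje describes, listing pass rules in the miniupnpd anchor that no longer have a matching port forward. The rule text is constructed sample data, and the function names `pf_keys` and `stale_pass_rules` are hypothetical.

```shell
#!/bin/sh
# Constructed sample output. Layout assumes pf's usual rendering of rdr and
# pass rules with numeric ports; adjust the parser if your version differs.
SAMPLE_NAT='rdr on em0 inet proto tcp from any to any port = 51413 -> 192.168.1.10 port 51413
rdr on em0 inet proto udp from any to any port = 3074 -> 192.168.1.20 port 3074'

SAMPLE_RULES='pass in quick on em0 inet proto tcp from any to 192.168.1.10 port = 51413 flags S/SA keep state
pass in quick on em0 inet proto udp from any to 192.168.1.20 port = 3074 keep state
pass in quick on em0 inet proto tcp from any to 192.168.1.30 port = 6881 flags S/SA keep state'

# pf_keys MODE: read pf rules on stdin, print "proto host port" per rule.
#   nat  -> redirect target after "->" in rdr rules
#   pass -> destination after "to" in pass rules
pf_keys() {
    awk -v mode="$1" '
    BEGIN { want = (mode == "nat") ? "rdr" : "pass" }
    $1 == want {
        proto = ""; host = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "proto") proto = $(i + 1)
            if (mode == "nat" && $i == "->" && $(i + 2) == "port") {
                host = $(i + 1); port = $(i + 3)
            }
            if (mode == "pass" && $i == "to" && $(i + 2) == "port" && $(i + 3) == "=") {
                host = $(i + 1); port = $(i + 4)
            }
        }
        if (proto != "" && host != "" && port != "") print proto, host, port
    }'
}

# stale_pass_rules NAT_TEXT RULES_TEXT: print the key of every pass rule
# that has no rdr pointing at the same proto/host/port.
stale_pass_rules() {
    nat_keys=$(printf '%s\n' "$1" | pf_keys nat)
    printf '%s\n' "$2" | pf_keys pass | while read -r key; do
        printf '%s\n' "$nat_keys" | grep -qxF -- "$key" || printf '%s\n' "$key"
    done
}

# Demo on the constructed samples.
stale_pass_rules "$SAMPLE_NAT" "$SAMPLE_RULES"
# On the firewall itself:
#   stale_pass_rules "$(pfctl -aminiupnpd -sn)" "$(pfctl -aminiupnpd -sr)"
```

Any line it prints is a pass rule still admitting traffic to an internal host after the corresponding forward has gone.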
