UPnP support
-
Hello,
I'm trying to find out what I'm missing here. I have installed the mini upnp on my pfSense firewall but it seems that nothing is happening (no rules created and the upnp status is always empty)
as I'm trying to play with MSN Messenger and be able to use voice (computer -> computer).
I'm always getting a lot of feed from the firewall telling me that it blocks some UDP or SIP or TCP port. Example ports:
1886: UDP
1892: UDP
Here are some of my firewall rules:
TCP LAN net * * 1863 * Allow MSN -> ANY
UDP LAN net * * 2001 - 2120 * Allow MSN Voice to Phone -> ANY
TCP/UDP LAN net * * 2869 * Allow UPNP -> ANY
TCP LAN net * * 3689 * Allow Itune music share -> ANY
TCP/UDP LAN net * * 5060 * Allow SIP -> ANY
UDP LAN net * * 6801 * Allow MSN Voice to phone -> ANY
TCP LAN net * * 6891 - 6900 * Allow MSN File Transfert -> ANY
TCP/UDP LAN net * * 6901 * Allow MSN Voice to computer -> ANY
TCP/UDP LAN net * * 7001 * Allow MSN Voice to computer -> ANY
If anyone has got an idea :) you are welcome
-
First off, if you're using a UPnP application you shouldn't manually create the firewall rules. Miniupnpd will automatically create them behind the scenes. Maybe try turning off the WinXP firewall if it's enabled and see if that makes a difference. Also try out Azureus and see if its port forwards show up in the status. That will give you a starting point.
-
Just to make sure, if this is a new install, you will have to go to the Miniupnpd tab under the Services heading (you might need to refresh the browser for it to show up…) and actually set it up to enable it. You'll see the miniupnpd Settings tab, where you choose the interface you want to run on, and a few other options, and then click Change. Check the Services tab under the Status heading to make sure the service is running... also check the System Logs for any errors. If you've already done all that, then it may be some other problem, but this is something that has caught a few so far...
Hope that's of some use.
-
Have done all that and more and it's still not working.
Can someone tell me the basic firewall rules and NAT to enable to make it work? I'm sure it's some problem around this…
-
Just the default LAN rule.
UPnP will make all the NAT rules for your PC.
-
Hey,
I've reset the pfSense and reinstalled the UPnP.
Default rules are working fine with Azureus, but still no MSN voice or webcam (file transfer is OK)….
Thanks for your help.
Another question:
Once you've enabled UPnP you need to block the ports you don't want your users to access (directly from the client if you've got an HTTP proxy, or at all if you don't want them to send or receive email)...
Is that right?
Thanks,
-
I'm confused by your other question. UPnP only opens ports that the application requests. After you close the application it closes the ports. So no, you don't need to block anything. Unless specifically added in the NAT and Firewall Rules, everything coming in from the WAN side is blocked by default. Now if you don't want users on the LAN side to access certain ports then yes, you need to block them.
As far as MSN voice and webcam, when you try to use them do you see miniupnpd errors in your pfSense system log? If so, what are they? If it's something like unsupported SOAP method, etc., then there is some incompatibility between miniupnpd and MSN Messenger.
If that is the case I would recommend emailing Thomas Bernard at miniupnp AT free DOT fr as he is the creator of miniupnpd: http://miniupnp.free.fr/
-
We already know MSN Messenger works OK, several people have tried it in the past. Unless a regression bug has cropped up as the code has advanced…
Are you running all of the proper WinXP Services that make UPNP work? MSN Messenger doesn't do the UPNP on its own, it calls the Windows services to do it. This means you need both the "SSDP Discovery Service" as well as the "Universal Plug and Play Device Host" service running for it to work. If you have used one of those stupid "Windows service tweak guides," please go out back and shoot yourself (those guides are mostly pointless and often wrong).
-
Hello,
OK, I've downloaded a program from this address to test UPnP and it gives some tips to fix the computer if you have any problem:
http://fp.mgillespie.plus.com/upnphelp.htm
I've run the program on both sites and the result is clear.
But still it's like MSN is not trying to use UPnP…
Azureus works fine and I see in the pflog new rules created by UPnP for Azureus.
I only see ports blocked on UDP for MSN. On the computer itself the internet connection (UPnP tools) shows dynamically created rules but they are not showing in the log or in the miniupnp status.
Finally I just allowed all UDP ports from 5006 to 65000 on the WAN interface from the internet to my LAN subnet and it works -.-;
As I'm quite new to UPnP (I'm sure you guessed it...)
Any idea how to set up a secure environment with UPnP and limit outbound connections to the internet (I just want them to be able to connect to MSN and the web through a proxy on the DMZ...)
Thanks for all your kind help.
Best Regards,
-
UPnP and Secure do not belong in the same sentence together.
By definition, UPnP allows any program to open any port that it wants. If you want to use UPnP, then your firewall will never be secure. You can't keep users from doing anything, because a program that speaks UPnP will just open the ports it needs.
Now, I'm not exactly sure where the UPnP rules fall in the list on pfSense. I'm guessing you have a "Deny all" rule in your firewall to keep people from accessing anything, and then you ALLOW port 80 to your proxy? I think that the deny all will "win" against the rules created by miniupnpd, so even if UPnP is working properly, MSN will not be able to get out.
I would backup all of your rules, and then start over with NO rules other than the default and UPnP. See if it works. Slowly start adding in rules until it breaks…
Oh, and you aren't trying to do bridging with pfSense, right? I don't think miniupnpd works in bridge mode.
-
No bridging on this one.
Making everything default and trying again was my first try and it didn't work for MSN.
Azureus was talking with UPnP and I was able to see log entries with the miniupnp mark on them.
I just tried the miniupnp client for win32 and it seems that the rules are set for MSN -.-; what's going on…
It just doesn't log anything and doesn't allow me to connect to another computer...
Another funny bug is it crashes MSN Messenger on the other computer when I try the video...
-
What version of MSN Messenger is this? I am going to download it and see if I can get it to work. Does it always forward the ports or only when you start video or voice chat, as I don't have a webcam or mic on this machine?
Also, if the rules are set they should show on the miniupnpd status page. So maybe that's the issue. I will look into it. A link to the MSN Messenger you are using would be great.
-
Alright, I downloaded and tested out MSN Messenger. From what I can tell it works. As said above, I don't have a webcam or mic so I didn't connect to anybody, but when I click the phone button and view the miniupnpd status page I receive the following mappings:
62514 udp 10.10.1.150 msncall (10.10.1.150:14696) 62514 UDP
50735 tcp 10.10.1.150 msncall (10.10.1.150:9306) 50735 TCP
Using the miniupnpd client it shows:
00 - UDP 62514->10.10.1.150:14696 enabled=1 leaseDuration=0
desc='msncall (10.10.1.150:14696) 62514 UDP' rHost=''
01 - TCP 50735->10.10.1.150:9306 enabled=1 leaseDuration=0
desc='msncall (10.10.1.150:9306) 50735 TCP' rHost=''
What would be helpful is the printout from the miniupnpd client showing the rules created. I still don't get how it shows them but the pfSense miniupnpd status page doesn't.
You are using version 1.0.1 and miniupnpd package 20061110, correct? At the very least you need to be on pfSense 1.0.
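The miniupnpd client listing above, and the earlier question about running UPnP in a secure environment, both come down to knowing which mappings currently exist and whether any of them is one an administrator would not want. The script below is an added example, not code from the thread or from the miniupnpd project: it parses the client's listing format into records and flags mappings that point outside the LAN, expose a privileged internal port, or have an indefinite lease (leaseDuration=0). The sample listing is constructed: the first two entries are the MSN ones quoted above, the third is a made-up SSH mapping, and the LAN subnet 10.10.1.0/24 is assumed from the addresses in the post.

```python
import ipaddress
import re

# Constructed sample in the format printed by the miniupnp client in the post;
# entries 00 and 01 are from the post, entry 02 is an added SSH mapping.
SAMPLE_LISTING = """\
00 - UDP 62514->10.10.1.150:14696 enabled=1 leaseDuration=0
desc='msncall (10.10.1.150:14696) 62514 UDP' rHost=''
01 - TCP 50735->10.10.1.150:9306 enabled=1 leaseDuration=0
desc='msncall (10.10.1.150:9306) 50735 TCP' rHost=''
02 - TCP 2222->10.10.1.9:22 enabled=1 leaseDuration=0
desc='ssh' rHost=''
"""

MAP_RE = re.compile(r"^(\d+) - (TCP|UDP) (\d+)->([\d.]+):(\d+) enabled=(\d) leaseDuration=(\d+)$")
DESC_RE = re.compile(r"^desc='(.*)' rHost='(.*)'$")


def parse_listing(text):
    """Pair each mapping line with the desc/rHost line that follows it."""
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        m = MAP_RE.match(line)
        if m:
            _idx, proto, ext, host, internal, enabled, lease = m.groups()
            mappings.append({"proto": proto, "ext_port": int(ext), "host": host,
                             "int_port": int(internal), "enabled": enabled == "1",
                             "lease": int(lease), "desc": "", "rhost": ""})
            continue
        d = DESC_RE.match(line)
        if d and mappings:
            mappings[-1]["desc"], mappings[-1]["rhost"] = d.groups()
    return mappings


def audit(mappings, lan_net="10.10.1.0/24"):
    """Flag mappings worth reviewing: target outside the LAN, privileged internal
    port (a service like SSH exposed via UPnP), or an indefinite lease (0 = never expires)."""
    lan = ipaddress.ip_network(lan_net)
    findings = []
    for m in mappings:
        reasons = []
        if ipaddress.ip_address(m["host"]) not in lan:
            reasons.append("target outside LAN")
        if m["int_port"] < 1024:
            reasons.append("privileged internal port")
        if m["lease"] == 0:
            reasons.append("indefinite lease")
        if reasons:
            findings.append((m["proto"], m["ext_port"], m["host"], m["int_port"], reasons))
    return findings
```

Run against a live listing, the findings list is what you would compare with the miniupnpd status page to spot mappings the application opened that policy says should not exist.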
-
Well, I've tried both MSN 7.5 and MSN Live (8.0.0812).
My rules are default:
LAN
Prot: any / source: LAN net / destination address: any / destination port: any / gateway: any
WAN
NONE
DMZ
Allow out -> any destination (DNS, HTTP, HTTPS)
Allow out -> LAN net (ICMP, IDENT)
My network testing configuration is like this:
Internet -> router -> 4 internet addresses -> IP1 Linksys -> client 1
-> IP2 pfSense -> client 2
Funny enough, in this configuration it's not working and the logs are showing something wrong when trying to connect via audio…
client 1 opens ports udp 6016 / 6017
client 2 opens ports udp client2:32912 -> ip2:23827 / client2:2036 -> ip2:23828
All I see in the pflog are block matches (rule 47/0) and sometimes for different ports....
pflogs:
block in on wan ip1.6016 -> client 2.32912
block in on wan ip1.6017 -> client 2.2036
block in on wan ip1.6017 -> ip2.57520
block in on wan ip1.6016 -> ip2.58676
Thanks for your help
Cheers,
-
What version of pfSense are you using?? The version is important.
The client is connected on the LAN port, correct? I tested with Live Messenger 8.0.0812.00 and it properly mapped the ports.
Also, in Live Messenger go to the Tools -> Options menu. When that dialog appears click Connection on the left.
Mine says
"You are directly connected to .NET Messenger Service.
You are connected to the Internet through a UPnP symmetric NAT."
If it does not say that, it should enable the connection troubleshooter below. Click Start and see what it finds.
-
pfSense 1.01
For MSN I will see this tomorrow, no power again here -.-;
-
I don't understand why you have the linksys where it is?
PF can handle multiple WAN IP addresses and can do 1:1 NAT for you if that's what you want… there's really no reason to use the Linksys as a router that I can think of...
-
OK
So I have an internet connection with 2 spare public IP addresses.
For the test I use 2 public IP addresses, one is connected to the Linksys and the other one to pfSense.
Makes the test more realistic…
Cheers.
-
MSN tells me with:
pfSense that I'm connected through a UPnP symmetric NAT. (Administrator)
Linksys that I'm connected through a UPnP Port Restricted NAT. (Administrator)
Both are directly connected to .NET Messenger Service.
Cheers,
-
Arg
I've actually tried to connect to each other while connected directly on the internet and I had the same problem -.-;
Wondering what's wrong with my computer…
Thanks for your time and your great support.