UPnP support
-
To make it start up on reboot:
replace /etc/inc/pfsense-utils.inc with http://iserv.nl/files/pfsense/pfsense-utils.inc
replace /etc/inc/system.inc with http://iserv.nl/files/pfsense/system.inc
fetch -o /usr/local/sbin/miniupnpd http://iserv.nl/files/pfsense/miniupnpd
chmod +x /usr/local/sbin/miniupnpd
Also updated the miniupnpd binary so it logs properly.
About that test program, ignore it. What it does is connect from the LAN to the WAN on the opened port and then gets bitten by the fact that there is no NAT reflection for that port.
I do not plan on adding that. Furthermore, Azureus does not have this problem (which is what I test with).
-
Okay, I tried this all out. Logging is working properly, but the daemon still doesn't seem to restart after a reboot. I'll check over all the files to make sure they're right, but I did follow all the directions…
-
I still get nothing in my log from UPNP. What should I be expecting? Is there any way we can get another section added to the logs from upnp? It seems to me it is important enough it should have its own log section.
-
replace /etc/rc.bootup with http://iserv.nl/files/pfsense/rc.bootup.txt
This works for me.
And the binary which is currently on my site is logging for me. Although it does core dump immediately after reboot :-/
Something to do with azureus referencing non-existent rules after a reboot I think.
I have updated system.inc and pfsense-utils.inc as well.
-
I just updated all relevant files again (including system.ini and pfsense-utils.inc) as well as the bootup. I rebooted my PfSense and it started on bootup, and NOW is logging. Now that I see how much it is logging I can tell you before it definitely was not logging anything.
I will probably now turn off uPnP as I don't actually want it running on my network but I think it is a major addition to PfSense and am happy to help test it.
-
I also can confirm that it is logging fine and that it starts at bootup!! Cool!!
Thanks!
-
This leaves the following points I want fixed.
- The firewall rule needs to be stricter in the destination address.
- The firewall rule needs to have a label with a description the program provides.
- It needs to clear the redirect and rules table when stopping or restarting miniupnpd.
- We need a page to list the port redirections with the label description.
I would like to claim this bounty and on payment this program will be made into a package for 1.0.
Payment may be sent to seth.mos@xs4all.nl
-
Cool, how does the payment process work? (Yes, bradenmcg and I will pay.. :) )
Do we pay after the items you listed to be fixed are fixed?
Also, the OP stated that he would like this to not be a package as he is using this on a soekris box with no access to the package system. Is there a way for him to install it by just replacing files as we have been doing so far? I'm sure that would be OK with him..
Thanks!!
Riley
-
The payment can be sent using PayPal to the email address seth.mos@xs4all.nl
From the issues, 1 - currently on hold for a bit, 2 - working on it, 3 - already fixed (not online yet), 4 - needs labels on rules first.
Replacing files on the embedded platform works exactly the same. And the binary is not large either. So he can test it as it stands now.
Cheers
-
I believe my original post mentioned that I want it in the main system… I use a soekris (CF-based) embedded box so it's useless to me as a package. I'm willing and able to pay bounty but I need to be able to use it first. :)
[edit]
OK, I'll give the above a try. What base revision should I be running? I think I'm still on beta2 or something (since the embedded stuff is such a pain in the arse to flash, I've been putting it off). I'm also going to be putting it to the extreme test - I want to see how it functions with the Xbox 360. The 360 and Azureus are the two reasons I wanted UPnP at all.
-
Reflash your box with RC2 and upgrade to RC2e following these instructions: http://forum.pfsense.org/index.php/topic,1820.msg10603.html#msg10603 (yes, it works for embeddeds too).
-
OK, it's working well with Azureus, but not with an Xbox (360, although the normal one should behave the same way).
Bunch of this in the logs:
Aug 18 01:22:22 miniupnpd[682]: Unknown udp packet received from 192.168.42.36:1025
Aug 18 01:22:22 miniupnpd[682]: Unknown udp packet received from 192.168.42.36:1025
Aug 18 01:22:22 miniupnpd[682]: Unknown udp packet received from 192.168.42.36:4776
Aug 18 01:22:22 miniupnpd[682]: Unknown udp packet received from 192.168.42.36:4776
Aug 18 01:22:22 last message repeated 9 times
Aug 18 01:22:23 miniupnpd[682]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 18 01:22:23 miniupnpd[682]: SSDP M-SEARCH packet received from 192.168.42.36:3039
Aug 18 01:22:23 miniupnpd[682]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1
Aug 18 01:22:23 miniupnpd[682]: SSDP M-SEARCH packet received from 192.168.42.36:2306
Aug 18 01:22:23 miniupnpd[682]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 18 01:22:23 miniupnpd[682]: SSDP M-SEARCH packet received from 192.168.42.36:3039
Aug 18 01:22:22 last message repeated 9 times
pfctl -aminiupnpd -sn (and -sr) don't show anything mapping to the Xbox (it is .36 here, the pfsense is 42.1).
I can probably provide an ethereal/tcpdump capture of the wire from the 360 while it is starting up/probing for UPnP if that would be helpful, but don't expect it until Saturday or Sunday (I'm busy Friday and Saturday and probably won't get to a dump until Sat. PM or Sunday).
I found a bit more info about Microsoft's requirements for an "XBox Live compatible router"…
The Xbox implementation of UPnP follows the InternetGatewayDevice:1 specification - more information is available at http://www.upnp.org.
I didn't read through the specs at all, are you following this specification or is it a more limited implementation?
They also make a stink about UDP port assignment and which method they "prefer":
- The NAT can assign one UDP port to each UDP source port used by a client device, regardless of the destination of the UDP packet. We call this “minimal port assignment policy” because it results in the minimum number of UDP ports being assigned by the NAT. This is also sometimes called a “cone” NAT.
- The NAT can assign a different UDP port for each UDP destination. We call this an “aggressive port assignment policy” because it results in the NAT assigning many ports. This is also sometimes called a “symmetric” NAT.
Microsoft specifies a "cone" NAT device as their favorite. I'm not sure which method pf follows since I haven't been watching it that closely. ;)
The full document about Xbox-Live compatible routers is found at Microsoft in a Word Doc. Google does have it cached & available in HTML too though. I obviously don't expect pfSense to be shooting for MS Logo certification here or anything, I just want UPnP to work so I can have multiple XBoxes behind a single pf router/firewall.
Thanks for all your work so far, it's very impressive!
-
PfSense uses symmetric NAT. You might have better luck if you switch to static port assignments under outgoing NAT (advanced) on your PfSense box. I am sure others can tell you more but, that might indeed help/fix the problem for you.
-
I will need a packet capture at least since I do not have an Xbox, 360 or not. Although I am tempted to buy one because of Dead Rising.
Anyhoo, I'll see if I can find some information on what the Xbox sends to a UPnP IGD. The miniupnpd device we have actually is an IGD.
If you use upnptest.exe
Normally the host requests a portmap using HTTP (the Xbox should not be different); you can see these when you start or stop Azureus.
You would see an AddPortMapping and DeletePortMapping message in the eventlog.
Similar to this.
Aug 18 00:18:19 miniupnpd[88250]: AddportMapping UDP, for 192.168.11.19, description : Azureus UPnP 36981 UDP
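Added example, not part of the thread and not miniupnpd's own code: a Python sketch that summarises miniupnpd syslog lines like the ones quoted in this thread per LAN host, and lists hosts that sent SSDP M-SEARCH but never logged an AddPortMapping (the Xbox symptom reported above). The names audit and discovered_but_unmapped are made up for this example, and the message formats are assumed to match the lines quoted here.

```python
import re
from collections import defaultdict

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
MSEARCH = re.compile(r"miniupnpd\[\d+\]: SSDP M-SEARCH packet received from " + IP)
UNKNOWN = re.compile(r"miniupnpd\[\d+\]: Unknown udp packet received from " + IP)
ADDMAP = re.compile(r"miniupnpd\[\d+\]: Add[Pp]ortMapping (\w+), for " + IP + r", description : (.+)$")
REPEAT = re.compile(r"last message repeated (\d+) times")

# Lines copied from the thread's log excerpts (a subset, in timestamp order).
SAMPLE_LOG = """\
Aug 18 00:18:19 miniupnpd[88250]: AddportMapping UDP, for 192.168.11.19, description : Azureus UPnP 36981 UDP
Aug 18 01:22:22 miniupnpd[682]: Unknown udp packet received from 192.168.42.36:4776
Aug 18 01:22:22 miniupnpd[682]: Unknown udp packet received from 192.168.42.36:4776
Aug 18 01:22:22 last message repeated 9 times
Aug 18 01:22:23 miniupnpd[682]: ST: urn:schemas-upnp-org:service:WANIPConnection:1
Aug 18 01:22:23 miniupnpd[682]: SSDP M-SEARCH packet received from 192.168.42.36:3039
""".splitlines()

def audit(lines):
    """Per-host discovery counters and the port mappings each host obtained."""
    report = defaultdict(lambda: {"msearch": 0, "unknown": 0, "mappings": []})
    last = None  # (host, counter) of the previous line, used for syslog repeats
    for line in lines:
        rep = REPEAT.search(line)
        if rep:
            if last:  # syslog collapsed N copies of the previous message
                report[last[0]][last[1]] += int(rep.group(1))
            continue
        last = None
        m = ADDMAP.search(line)
        if m:
            proto, host, desc = m.groups()
            report[host]["mappings"].append((proto, desc.strip()))
            continue
        for key, pat in (("msearch", MSEARCH), ("unknown", UNKNOWN)):
            m = pat.search(line)
            if m:
                report[m.group(1)][key] += 1
                last = (m.group(1), key)
                break
    return dict(report)

def discovered_but_unmapped(report):
    """Hosts that sent SSDP M-SEARCH but never logged an AddPortMapping."""
    return sorted(h for h, r in report.items() if r["msearch"] and not r["mappings"])

if __name__ == "__main__":
    print(discovered_but_unmapped(audit(SAMPLE_LOG)))
```

The same per-host report doubles as an audit of which LAN machines asked the firewall to open ports, and under what description.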
-
Somebody should donate a xbox to databeestje for his work on this feature and to improve it ;)
-
Good news, even though I am completely unfamiliar with C I have managed to create a proper miniupnpd.
In a bad patch I made the serial was one character too long which meant discovery did not work.
It appears that Azureus did not care :-)
The latest version has the firewall rules set correctly.
The rule Labels have the description the program provides.
The serial number was corrected.
This leaves a status page.
Since miniupnpd is a work in progress I have no clue if a XBOX should be expected to work.
http://miniupnp.free.fr/
Cheers
-
I just re-downloaded the miniupnpd and updated all the other files (the only one that seems updated was pfsense-utils.inc). UPNP now appears to be 100% broken… Using Utorrent the port is not forwarding and nothing is showing up in the system logs. As well when I run upnptest.exe I get nothing in the logs etc.
-
reboot
-
Give me some credit. I did. I also tried disabling and re-enabling UPNP both before and after I reboot.
-
I can't smell that from here :-)
Anyhoo. I have updated all the files directly from my testbox where everything appears to work.
so that is pfsense-utils.inc, system.inc, rc.bootup and miniupnpd.
Perhaps the patches from RC2e affected this.
Also check with ps auxw|grep mini if it is actually running.
If the miniupnpd binary is not executable it will not start.