Netgate Discussion Forum

UPNP?

2.1 Snapshot Feedback and Problems - RETIRED
    foonus
    last edited by Feb 16, 2013, 1:51 AM

    @jimp:

    Anything listed in "pfctl -sn -a miniupnpd" and "pfctl -sr -a miniupnpd"?

    2.1-BETA1 (amd64)
    built on Fri Feb 15 04:33:17 EST 2013
    FreeBSD 8.3-RELEASE-p5


    Second IP (192.168.1.110) is a user with Skype on his iPhone; 192.168.1.105 is the seedbox with the UPnP port-closed issues.

      jimp Rebel Alliance Developer Netgate
      last edited by Feb 16, 2013, 1:52 AM

      Is igb0 actually your WAN/default route?

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

        foonus
        last edited by Feb 16, 2013, 2:37 AM Feb 16, 2013, 2:00 AM

        @jimp:

        Is igb0 actually your WAN/default route?

        Yep, igb0 is hooked to the cable router (WAN). It's a simple setup: an Intel Gigabit ET2 Quad port server adapter (only using 2 ports -.-) in an HP ProLiant DL380 server.
        igb0 for WAN and igb1 for LAN. No errors show in the system log at all.
        As I noted in an earlier post, the only changes to a default pfSense install are selecting "6to4 tunnel" for IPv6 on the WAN, and "track interface" for IPv6 on the LAN. Everything else is set at installer default.

          gloomrider
          last edited by Feb 16, 2013, 5:57 PM

          Hi

          I can confirm this issue.  The "transmission" torrent application is a good tester because it both asks UPnP to open the port, then has it probed from the outside to confirm that the port has actually been opened.

          
          [2.1-BETA1][root@xxx.xxx.xxx]/root(1): pfctl -sn -a miniupnpd
          rdr log quick on vr0 inet proto tcp from any to any port = 63839 keep state label "Transmission at 63839" rtable 0 -> 192.168.1.120 port 63839
          rdr log quick on vr0 inet proto udp from any to any port = 63839 keep state label "Transmission at 63839" rtable 0 -> 192.168.1.120 port 63839
          [2.1-BETA1][root@xxx.xxx.xxx]/root(2): pfctl -sr -a miniupnpd
          pass in log quick on vr0 inet proto tcp from any to any port = 63839 flags S/SA keep state label "Transmission at 63839" rtable 0
          pass in log quick on vr0 inet proto udp from any to any port = 63839 flags S/SA keep state label "Transmission at 63839" rtable 0

          The best way I can describe the issue is that miniupnpd claims to have performed the requested operation, but didn't actually do it.  Or, perhaps pf is now behaving differently (ignoring?) miniupnpd's request.

          My version with issue: 2.1-BETA1 (i386) built on Fri Feb 15 15:43:49 EST 2013

          Reverting back to: 2.1-BETA1 (i386) built on Thu Jan 24 19:53:22 EST 2013

          …resolves the issue

          Same commands in the earlier snapshot (that works):

          
          [2.1-BETA1][root@xxx.xxx.xxx]/root(1): pfctl -sn -a miniupnpd
          rdr log quick on vr0 inet proto tcp from any to any port = 59130 keep state label "Transmission at 59130" rtable 0 -> 192.168.1.120 port 59130
          rdr log quick on vr0 inet proto udp from any to any port = 59130 keep state label "Transmission at 59130" rtable 0 -> 192.168.1.120 port 59130
          [2.1-BETA1][root@xxx.xxx.xxx]/root(2): pfctl -sr -a miniupnpd
          pass in log quick on vr0 inet proto tcp from any to any port = 59130 flags S/SA keep state label "Transmission at 59130" rtable 0
          pass in log quick on vr0 inet proto udp from any to any port = 59130 flags S/SA keep state label "Transmission at 59130" rtable 0

          NOTE: Port numbers are different because Transmission is assigning random port numbers each time I test.

          I'm happy to run further tests.  Let me know what you want done.

          Thanks

            jimp Rebel Alliance Developer Netgate
            last edited by Feb 16, 2013, 7:17 PM

            I updated to the latest snapshot (yesterday's) and I have no problem on i386. uTorrent opens a port and the port test succeeds.

            If the rules are there, it should be working. When UPnP was really broken, there were no rules added there.

              johnpoz LAYER 8 Global Moderator
              last edited by Feb 16, 2013, 8:43 PM Feb 16, 2013, 8:41 PM

              Still not working - showing it blocked in the firewall

              Canyouseeme saying closed.. But clearly the firewall is blocking it - even though the pfctl shows the rules should be there?

              running
              2.1-BETA1 (i386)
              built on Sat Feb 16 10:53:05 EST 2013
              FreeBSD 8.3-RELEASE-p5

              [2.1-BETA1][root@pfsense.local.lan]/root(1): pfctl -sn -a miniupnpd
              rdr log quick on em1 inet proto tcp from any to any port = 3389 keep state label "test" rtable 0 -> 192.168.1.210 port 3389
              [2.1-BETA1][root@pfsense.local.lan]/root(2): pfctl -sr -a miniupnpd
              pass in log quick on em1 inet proto tcp from any to any port = 3389 flags S/SA keep state label "test" rtable 0

              yes em1 is my wan
              WAN (wan)      -> em1        -> v4/DHCP4: 24.13.snipped/21
                                                v6/DHCP6: 2001:558:6033:12c:snippedf:a3d3/128

              [attachment: stillblocked.png]

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                Tikimotel
                last edited by Feb 16, 2013, 9:30 PM

                Installed "2.1-BETA1 (amd64) built on Sat Feb 16 10:55:42 EST 2013"
                Still no go on upnp opening ports.

                tested with:
                www.grc.com (shields up!)
                www.canyouseeme.org
                and
                utorrent internal testing option…

                $ pfctl -sn -a miniupnpd
                rdr log quick on em0 inet proto udp from any to any port = 24927 keep state label "Skype UDP at 192.168.0.50:24927 (2238)" rtable 0 -> 192.168.0.50 port 24927
                rdr log quick on em0 inet proto tcp from any to any port = 24927 keep state label "Skype TCP at 192.168.0.50:24927 (2238)" rtable 0 -> 192.168.0.50 port 24927
                
                $ pfctl -sr -a miniupnpd
                pass in log quick on em0 inet proto udp from any to any port = 24927 flags S/SA keep state label "Skype UDP at 192.168.0.50:24927 (2238)" rtable 0
                pass in log quick on em0 inet proto tcp from any to any port = 24927 flags S/SA keep state label "Skype TCP at 192.168.0.50:24927 (2238)" rtable 0
                

                em0 is my WAN

                  foonus
                  last edited by Feb 16, 2013, 11:33 PM

                  @johnpoz:

                  Still not working - showing it blocked in the firewall

                  John, if you set a static port map do you still see packets being blocked as indicated in your screenshot?
                  If so, this would indicate an issue outside of the miniupnp daemon itself…

                  @jimp:

                  I updated to the latest snapshot (yesterday's) and I have no problem on i386. uTorrent opens a port and the port test succeeds.

                  If the rules are there, it should be working. When UPnP was really broken, there were no rules added there.

                  Do you think a clean install would make a difference Jim?

                    jimp Rebel Alliance Developer Netgate
                    last edited by Feb 16, 2013, 11:38 PM

                    Unlikely, but possible.

                      gloomrider
                      last edited by Feb 17, 2013, 12:30 AM

                      Jim,

                      Please don't think I'm being confrontational, but what would it take to prove this issue exists for some of us?

                        jimp Rebel Alliance Developer Netgate
                        last edited by Feb 17, 2013, 1:30 AM

                        A few things:

                        1. A screenshot of the UPnP status screen showing the client ports that should be open. Use uTorrent or similar that has a built-in test.
                        2. The pfctl commands mentioned above.
                        3. The parsed and raw firewall log entries for the packets that should be matching the rule, but are not.
                        4. The full contents of /tmp/rules.debug, pfctl -vvsr, and pfctl -vvsn
                        5. The contents of netstat -rn
                        6. A screenshot showing that the test failed.
                        7. Repeat the same test with a manual port forward instead of UPnP and see if that works.

                        I don't doubt that it's not working, but given the rest of the context, I'm not entirely sure it's UPnP and not something else just getting blamed on UPnP.

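The checklist above asks for three pieces of evidence: the anchor's own rdr/pass rules, the firewall-log entry for the blocked probe, and the loaded ruleset (/tmp/rules.debug or pfctl -vvsr). The following is an added example, not code from this thread or from pfSense, that cross-checks those three pieces offline: it parses the output of pfctl -sn -a miniupnpd and pfctl -sr -a miniupnpd, checks whether the main ruleset actually references the miniupnpd anchor, and reports which piece is missing for the blocked port. The sample listings, the probe fields and all function names are constructed for this example and only modelled on the output quoted in the thread.

```python
import re

ANCHOR = "miniupnpd"

# Constructed sample data, modelled on the pfctl listings quoted in this thread
# (not captured from any poster's system).
NAT_OUT = (
    'rdr log quick on em1 inet proto tcp from any to any port = 3389 '
    'keep state label "test" rtable 0 -> 192.168.1.210 port 3389\n'
)
RULES_OUT = (
    'pass in log quick on em1 inet proto tcp from any to any port = 3389 '
    'flags S/SA keep state label "test" rtable 0\n'
)
# Main ruleset as printed by `pfctl -vvsr` (constructed): the relayd/openvpn/ipsec
# anchors are loaded, but no line references the miniupnpd anchor.
MAIN_MISSING = """\
@0 anchor "relayd/*" all
@1 anchor "openvpn/*" all
@2 anchor "ipsec/*" all
@3 block drop in inet all label "Default deny rule IPv4"
@65 anchor "userrules/*" all
"""
MAIN_OK = MAIN_MISSING + '@66 anchor "miniupnpd" all\n'
# Fields read off a parsed firewall-log "block" entry for the external probe
# (constructed; on a real box they come from the Firewall Log page or filterlog).
PROBE = {"iface": "em1", "proto": "tcp", "dst_port": 3389}

# Matches the rule forms printed by `pfctl -sn -a <anchor>` (rdr) and
# `pfctl -sr -a <anchor>` (pass); the "-> target port N" tail exists only for rdr.
RULE_RE = re.compile(
    r'^(?P<action>rdr|pass)\b.*?\bon (?P<iface>\S+)\b.*?\bproto (?P<proto>tcp|udp)\b'
    r'.*?\bport = (?P<port>\d+)'
    r'(?:.*?-> (?P<target>\d{1,3}(?:\.\d{1,3}){3}) port (?P<tport>\d+))?'
)


def parse_anchor_rules(text):
    """Return one dict per rdr/pass rule found in pfctl anchor output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rule = m.groupdict()
        rule["port"] = int(rule["port"])
        if rule["tport"] is not None:
            rule["tport"] = int(rule["tport"])
        rules.append(rule)
    return rules


def anchor_referenced(main_ruleset, name=ANCHOR):
    """True if the main ruleset (pfctl -vvsr/-vvsn output or rules.debug) contains a
    line that loads the anchor. Both `anchor "name"` and `anchor "name/*"` count,
    as does `rdr-anchor`. Without such a line nothing inside the anchor is ever
    evaluated, however correct the rules listed with -a look."""
    pat = re.compile(r'^(?:@\d+\s+)?(?:rdr-)?anchor\s+"%s(?:/\*)?"' % re.escape(name))
    return any(pat.match(line.strip()) for line in main_ruleset.splitlines())


def _matching(rules, action, pkt):
    """Rules of the given action that would apply to the blocked probe."""
    return [r for r in rules
            if r["action"] == action and r["iface"] == pkt["iface"]
            and r["proto"] == pkt["proto"] and r["port"] == pkt["dst_port"]]


def diagnose(nat_out, rules_out, main_ruleset, pkt, name=ANCHOR):
    """Cross-check the three pieces of evidence and return a list of findings."""
    findings = []
    where = "%s/%d on %s" % (pkt["proto"], pkt["dst_port"], pkt["iface"])
    if not _matching(parse_anchor_rules(nat_out), "rdr", pkt):
        findings.append('no rdr rule in anchor "%s" for %s' % (name, where))
    if not _matching(parse_anchor_rules(rules_out), "pass", pkt):
        findings.append('no pass rule in anchor "%s" for %s' % (name, where))
    if not anchor_referenced(main_ruleset, name):
        findings.append('anchor "%s" not referenced by the loaded ruleset: '
                        'its rules are never evaluated' % name)
    if not findings:
        findings.append("anchor rules present and anchor loaded; the block is not a "
                        "missing UPnP rule, compare with a manual port forward")
    return findings


if __name__ == "__main__":
    for finding in diagnose(NAT_OUT, RULES_OUT, MAIN_MISSING, PROBE):
        print(finding)
```

To use it on a real capture, read the three pfctl outputs into the strings and fill the probe fields from the parsed log entry. The distinction the script draws is the one that matters here: rules listed with -a miniupnpd are only consulted when the main ruleset carries an anchor (or rdr-anchor, for NAT) line naming that anchor, so an anchor whose contents look right but which nothing references behaves exactly like no rules at all.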
                          Tikimotel
                          last edited by Feb 17, 2013, 10:56 AM

                          A snippet from "/tmp/rules.debug".
                          Why is the miniupnpd anchor not ending in "/*"?

                          # Load balancing anchor
                          rdr-anchor "relayd/*"
                          # TFTP proxy
                          rdr-anchor "tftp-proxy/*"
                          
                          # Setup Squid proxy redirect
                          no rdr on em1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
                          rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
                          
                          # UPnPd rdr anchor
                          rdr-anchor "miniupnpd" (Why NOT "miniupnpd/*" ???)
                          
                          anchor "relayd/*"
                          anchor "openvpn/*"
                          anchor "ipsec/*"
                          #---------------------------------------------------------------------------
                          # default deny rules
                          #---------------------------------------------------------------------------
                          

                          pfctl -vvsr results in no anchors named "miniupnpd"

                          $ pfctl -vvsr
                          @0 scrub on em0 all fragment reassemble
                            [ Evaluations: 28002     Packets: 9561      Bytes: 1992949     States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @1 scrub on em1 all fragment reassemble
                            [ Evaluations: 18441     Packets: 18225     Bytes: 3932485     States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @0 anchor "relayd/*" all
                            [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @1 anchor "openvpn/*" all
                            [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @2 anchor "ipsec/*" all
                            [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @3 block drop in inet all label "Default deny rule IPv4"
                            [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @4 block drop out inet all label "Default deny rule IPv4"
                            [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @5 block drop in inet6 all label "Default deny rule IPv6"
                            [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @6 block drop out inet6 all label "Default deny rule IPv6"
                            [ Evaluations: 567       Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @7 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @8 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @9 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @10 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @11 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @12 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @13 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @14 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @15 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @16 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @17 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @18 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @19 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @20 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @21 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @22 pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @23 pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @24 pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @25 pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @26 block drop quick inet proto tcp from any port = 0 to any
                            [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @27 block drop quick inet proto tcp from any to any port = 0
                            [ Evaluations: 1904      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @28 block drop quick inet proto udp from any port = 0 to any
                            [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @29 block drop quick inet proto udp from any to any port = 0
                            [ Evaluations: 985       Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @30 block drop quick inet6 proto tcp from any port = 0 to any
                            [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @31 block drop quick inet6 proto tcp from any to any port = 0
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @32 block drop quick inet6 proto udp from any port = 0 to any
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @33 block drop quick inet6 proto udp from any to any port = 0
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @34 block drop quick from <snort2c:0> to any label "Block snort2c hosts"
                            [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @35 block drop quick from any to <snort2c:0> label "Block snort2c hosts"
                            [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @36 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
                            [ Evaluations: 2893      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @37 block drop in log quick proto tcp from <webconfiguratorlockout:0> to any port = http label "webConfiguratorlockout"
                            [ Evaluations: 1812      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @38 block drop in quick from <virusprot:0> to any label "virusprot overload table"
                            [ Evaluations: 2326      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @39 block drop in quick on em0 from <bogons:4652> to any label "block bogon IPv4 networks from WAN"
                            [ Evaluations: 2326      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @40 block drop in quick on em0 from <bogonsv6:68028> to any label "block bogon IPv6 networks from WAN"
                            [ Evaluations: 139       Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @41 block drop in on ! em0 inet from 84.xxx.xxx.0/23 to any
                            [ Evaluations: 2326      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @42 block drop in inet from 84.xxx.xxx.221 to any
                            [ Evaluations: 2326      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @43 block drop in on em0 inet6 from fe80::6a05:caff:fe0f:c58 to any
                            [ Evaluations: 2326      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @44 block drop in quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
                            [ Evaluations: 139       Packets: 139       Bytes: 50929       States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @45 block drop in quick on em0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @46 block drop in quick on em0 inet from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @47 block drop in quick on em0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @48 block drop in quick on em0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @49 block drop in quick on em0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @50 pass in on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @51 pass out on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
                            [ Evaluations: 567       Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @52 block drop in on ! em1 inet from 192.168.0.0/24 to any
                            [ Evaluations: 2754      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @53 block drop in inet from 192.168.0.1 to any
                            [ Evaluations: 2187      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @54 block drop in on em1 inet6 from fe80::6a05:caff:fe0f:c59 to any
                            [ Evaluations: 2187      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @55 pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
                            [ Evaluations: 2181      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @56 pass in quick on em1 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps keep state label "allow access to DHCP server"
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @57 pass out quick on em1 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
                            [ Evaluations: 934       Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @58 pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
                            [ Evaluations: 2754      Packets: 108       Bytes: 9072        States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @59 pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
                            [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @60 pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
                            [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @61 pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
                            [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @62 pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
                            [ Evaluations: 2754      Packets: 108       Bytes: 9072        States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @63 pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
                            [ Evaluations: 567       Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @64 pass out route-to (em0 84.xxx.xxx.1) inet from 84.xxx.xxx.221 to ! 84.xxx.xxx.0/23 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
                            [ Evaluations: 567       Packets: 4352      Bytes: 2038614     States: 17    ]
                            [ Inserted: uid 0 pid 73134 ]
                          @65 anchor "userrules/*" all
                            [ Evaluations: 2754      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @66 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = https flags S/SA keep state label "USER_RULE: Allow access to firewall management"
                            [ Evaluations: 2754      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @67 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = ssh flags S/SA keep state label "USER_RULE: Allow access to firewall management"
                            [ Evaluations: 1714      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @68 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = http flags S/SA keep state label "USER_RULE: Allow access to firewall management"
                            [ Evaluations: 1714      Packets: 1197      Bytes: 890290      States: 2     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @69 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = domain flags S/SA keep state label "USER_RULE: Allow internal network to DNS forwarder"
                            [ Evaluations: 1694      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @70 pass in quick on em1 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = domain keep state label "USER_RULE: Allow internal network to DNS forwarder"
                            [ Evaluations: 369       Packets: 628       Bytes: 66445       States: 1     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @71 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = ntp flags S/SA keep state label "USER_RULE: Allow internal network to NTPd server"
                            [ Evaluations: 1696      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @72 pass in quick on em1 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = ntp keep state label "USER_RULE: Allow internal network to NTPd server"
                            [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @73 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 2189 flags S/SA keep state label "USER_RULE: Allow internal network to upnp and nat-pmp"
                            [ Evaluations: 1696      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @74 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 5153 flags S/SA keep state label "USER_RULE: Allow internal network to upnp and nat-pmp"
                            [ Evaluations: 1694      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @75 pass in quick on em1 inet from 192.168.0.0/24 to 224.0.0.0/8 flags S/SA keep state label "USER_RULE: Allow multicast"
                            [ Evaluations: 1847      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @76 pass in quick on em1 inet from 192.168.0.0/24 to 239.0.0.0/30 flags S/SA keep state label "USER_RULE: Allow multicast"
                            [ Evaluations: 1847      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @77 pass in quick on em1 inet proto icmp from 192.168.0.0/24 to 192.168.0.1 keep state label "USER_RULE: Allow internal network to ping LAN IP"
                            [ Evaluations: 1847      Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @78 block drop in quick on em1 inet from any to 192.168.0.1 label "USER_RULE: Reject all else to LAN IP"
                            [ Evaluations: 1847      Packets: 1694      Bytes: 86336       States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @79 pass in quick on em1 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
                            [ Evaluations: 153       Packets: 4824      Bytes: 2762700     States: 18    ]
                            [ Inserted: uid 0 pid 73134 ]
                          @80 anchor "tftp-proxy/*" all
                            [ Evaluations: 573       Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @81 pass in quick on em1 proto tcp from any to ! (em1:2) port = http flags S/SA keep state
                            [ Evaluations: 573       Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          @82 pass in quick on em1 proto tcp from any to ! (em1:2) port = 3128 flags S/SA keep state
                            [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                            [ Inserted: uid 0 pid 73134 ]
                          
                          $ pfctl -sn -a miniupnpd
                          rdr log quick on em0 inet proto udp from any to any port = 17040 keep state label "Skype UDP at 192.168.0.51:17040 (2239)" rtable 0 -> 192.168.0.51 port 17040
                          rdr log quick on em0 inet proto tcp from any to any port = 17040 keep state label "Skype TCP at 192.168.0.51:17040 (2239)" rtable 0 -> 192.168.0.51 port 17040
                          
                          1 Reply Last reply Reply Quote 0
                          • J
                            johnpoz LAYER 8 Global Moderator
                            last edited by Feb 17, 2013, 12:17 PM

                            So yeah, if I do a manual NAT it works no problem, see attached.

                            canyouseeme goes back to 80 when you do the test, but clearly in the output you see that it's saying 3389 is open to the public. When UPnP says that it opens this port, the firewall blocks it and canyouseeme reports closed/timeout/etc.

                            nat.png
                            staticworks.png

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                            1 Reply Last reply Reply Quote 0
                            • A
                              athurdent
                              last edited by Feb 17, 2013, 12:49 PM Feb 17, 2013, 12:44 PM

                              @Tikimotel:

                              Why is the miniupnpd anchor not ending in "/*"?

                              The INSTALL file of the source code (miniupnpd-1.8.20130207.tar.gz) suggests the following:

                              - add "rdr-anchor miniupnpd" and "anchor miniupnpd" lines to /etc/pf.conf
                              - some FreeBSD users reported that it is also necessary for them
                                to explicitly allow udp traffic on 239.0.0.0/8 by adding the two following
                                lines to /etc/pf.conf :
                                 pass out on $int_if from any to 239.0.0.0/8 keep state
                                 pass in on $int_if from any to 239.0.0.0/8 keep state
                              
                              pfctl -vvsn
                              

                              shows the following on my system:

                              @7 rdr-anchor "miniupnpd" all
                                [ Evaluations: 46940     Packets: 0         Bytes: 0           States: 0     ]
                                [ Inserted: uid 0 pid 48152 ]
                              

                              But I am not using UPNP, so that's OK.
                              Would be interesting to see if your systems show non-zero values there.

                              Edit: and it would be good to have the actual raw firewall logs of the blocked traffic.

                              1 Reply Last reply Reply Quote 0
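A small checker, added here as an example and not code from this thread, pfSense or miniupnpd, that parses the `pfctl -vvsr` / `pfctl -sn -a miniupnpd` text format quoted in the posts above and reports the two things they ask about: rdr mappings in the miniupnpd anchor that no inbound pass rule admits (johnpoz's symptom: the mapping exists, yet the filter still blocks the port and canyouseeme reports it closed), and rules pf has evaluated but that never matched a packet (the counters athurdent asks others to compare). The rdr sample lines are copied from the thread; the pass-rule listing is a constructed assumption in which only the UDP mapping has a matching pass rule.

```python
"""Cross-check miniupnpd rdr mappings against the pass rules that must admit them,
parsing the `pfctl -vvsr` / `pfctl -sn -a miniupnpd` text format quoted in this thread."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A rule line, with or without the "@N " prefix that -vv output adds.
RULE_RE = re.compile(r"^(?:@(\d+)\s+)?((?:no\s+)?(?:rdr|nat|binat|pass|block|match|anchor|scrub)\S*\s.*)$")
# The counter line printed under each rule by -vv output.
COUNTER_RE = re.compile(r"\[\s*Evaluations:\s*(\d+)\s+Packets:\s*(\d+)\s+Bytes:\s*(\d+)\s+States:\s*(\d+)\s*\]")
PROTO_RE = re.compile(r"\bproto\s+(\S+)")
RDR_TARGET_RE = re.compile(r"->\s+(\S+)\s+port\s+(\d+)")      # "-> 192.168.0.51 port 17040"
PASS_DEST_RE = re.compile(r"\bto\s+(\S+)\s+port\s*=\s*(\S+)")  # "to 192.168.0.51 port = 17040"


@dataclass
class Rule:
    number: Optional[int]
    text: str
    evaluations: int = 0
    packets: int = 0
    byte_count: int = 0
    states: int = 0

    @property
    def action(self) -> str:
        return self.text.split()[0]

    @property
    def proto(self) -> str:
        m = PROTO_RE.search(self.text)
        return m.group(1) if m else "any"

    def rdr_target(self) -> Optional[Tuple[str, str, str]]:
        """(proto, host, port) a rdr rule forwards to; None for other rule types."""
        m = RDR_TARGET_RE.search(self.text)
        return (self.proto, m.group(1), m.group(2)) if self.action == "rdr" and m else None

    def pass_dest(self) -> Optional[Tuple[str, str, str]]:
        """(proto, host, port) an inbound pass rule admits traffic to; None otherwise."""
        m = PASS_DEST_RE.search(self.text)
        inbound = self.action == "pass" and " in " in f" {self.text} "
        return (self.proto, m.group(1), m.group(2)) if inbound and m else None


def parse_pfctl(output: str) -> List[Rule]:
    """Parse rule lines and attach the `[ Evaluations: ... ]` counters to them."""
    rules: List[Rule] = []
    for raw in output.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(int(m.group(1)) if m.group(1) else None, m.group(2)))
            continue
        c = COUNTER_RE.search(line)
        if c and rules:  # counters belong to the most recently seen rule
            rules[-1].evaluations, rules[-1].packets, rules[-1].byte_count, rules[-1].states = map(int, c.groups())
    return rules


def missing_pass_rules(rdr_rules: List[Rule], filter_rules: List[Rule]) -> List[Rule]:
    """rdr mappings whose forwarded (proto, host, port) no inbound pass rule admits:
    a bare rdr only rewrites the destination, so the filter still drops the connection."""
    admitted = [t for t in (r.pass_dest() for r in filter_rules) if t is not None]
    missing = []
    for rule in rdr_rules:
        target = rule.rdr_target()
        if target is None:
            continue
        proto, host, port = target
        if not any(p in ("any", proto) and h == host and pt == port for p, h, pt in admitted):
            missing.append(rule)
    return missing


def idle_rules(rules: List[Rule]) -> List[Rule]:
    """Rules pf evaluated at least once but that never matched a packet."""
    return [r for r in rules if r.evaluations > 0 and r.packets == 0]


# Constructed sample input: the rdr lines mirror the `pfctl -sn -a miniupnpd` output
# quoted in this thread; the pass rules are an assumed anchor listing in which only
# the UDP mapping received a matching pass rule.
SAMPLE_RDR = """\
rdr log quick on em0 inet proto udp from any to any port = 17040 keep state label "Skype UDP at 192.168.0.51:17040 (2239)" rtable 0 -> 192.168.0.51 port 17040
rdr log quick on em0 inet proto tcp from any to any port = 17040 keep state label "Skype TCP at 192.168.0.51:17040 (2239)" rtable 0 -> 192.168.0.51 port 17040
"""
SAMPLE_FILTER = """\
@0 pass in quick on em0 inet proto udp from any to 192.168.0.51 port = 17040 keep state label "Skype UDP at 192.168.0.51:17040 (2239)"
  [ Evaluations: 12        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2239 ]
@1 pass in quick on em0 inet proto tcp from any to 192.168.0.51 port = 17041 keep state label "stale mapping"
  [ Evaluations: 12        Packets: 4         Bytes: 240         States: 1     ]
"""

if __name__ == "__main__":
    rdr, flt = parse_pfctl(SAMPLE_RDR), parse_pfctl(SAMPLE_FILTER)
    for r in missing_pass_rules(rdr, flt):
        print("rdr mapping without a pass rule:", r.text)
    for r in idle_rules(flt):
        print(f"evaluated {r.evaluations}x but never matched: @{r.number} {r.text}")
```

On a live box, feed it the real output of `pfctl -sn -a miniupnpd` and `pfctl -vvsr -a miniupnpd` instead of the constructed samples.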
                              • T
                                Tikimotel
                                last edited by Feb 17, 2013, 1:45 PM Feb 17, 2013, 1:19 PM

                                The INSTALL file says to add both rdr-anchor and anchor entries.

                                pfctl -vvsn

                                $ pfctl -vvsn
                                @0 no nat proto carp all
                                  [ Evaluations: 13505     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @1 nat-anchor "natearly/*" all
                                  [ Evaluations: 13505     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @2 nat-anchor "natrules/*" all
                                  [ Evaluations: 13505     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @3 nat on em0 inet from 192.168.0.0/24 port = isakmp to any port = isakmp -> 84.xxx.xx3.221 port 500
                                  [ Evaluations: 13505     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @4 nat on em0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> 84.xxx.xx3.221 port 500
                                  [ Evaluations: 883       Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @5 nat on em0 inet from 192.168.0.0/24 to any -> 84.xxx.xx3.221 port 1024:65535
                                  [ Evaluations: 13457     Packets: 4057605   Bytes: 3705179324  States: 267   ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @6 nat on em0 inet from 127.0.0.0/8 to any -> 84.xxx.xx3.221 port 1024:65535
                                  [ Evaluations: 883       Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @0 no rdr proto carp all
                                  [ Evaluations: 28718     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @1 rdr-anchor "relayd/*" all
                                  [ Evaluations: 28718     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @2 rdr-anchor "tftp-proxy/*" all
                                  [ Evaluations: 28718     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @3 no rdr on em1 inet proto tcp from any to 192.168.0.0/16 port = http
                                  [ Evaluations: 28718     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @4 no rdr on em1 inet proto tcp from any to 172.16.0.0/12 port = http
                                  [ Evaluations: 5241      Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @5 no rdr on em1 inet proto tcp from any to 10.0.0.0/8 port = http
                                  [ Evaluations: 5241      Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @6 rdr on em1 inet proto tcp from any to ! (em1:1) port = http -> 127.0.0.1 port 3128
                                  [ Evaluations: 5241      Packets: 5044      Bytes: 3257109     States: 1     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @7 rdr-anchor "miniupnpd" all
                                  [ Evaluations: 28566     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                
                                

                                pfctl -vvsr

                                $ pfctl -vvsr
                                @0 scrub on em0 all fragment reassemble
                                  [ Evaluations: 14128596  Packets: 7067707   Bytes: 986362156   States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @1 scrub on em1 all fragment reassemble
                                  [ Evaluations: 7060889   Packets: 7060521   Bytes: 989205780   States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @0 anchor "relayd/*" all
                                  [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @1 anchor "openvpn/*" all
                                  [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @2 anchor "ipsec/*" all
                                  [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @3 block drop in log inet all label "Default deny rule IPv4"
                                  [ Evaluations: 39657     Packets: 12604     Bytes: 796042      States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @4 block drop out log inet all label "Default deny rule IPv4"
                                  [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @5 block drop in log inet6 all label "Default deny rule IPv6"
                                  [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @6 block drop out log inet6 all label "Default deny rule IPv6"
                                  [ Evaluations: 12655     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @7 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echorep keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @8 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @9 pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @10 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echorep keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @11 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @12 pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @13 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type echoreq keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @14 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routersol keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @15 pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type routeradv keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @16 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type echoreq keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @17 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routersol keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @18 pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type routeradv keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @19 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type echoreq keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @20 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routersol keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @21 pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type routeradv keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @22 pass quick inet6 proto ipv6-icmp all icmp6-type unreach keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @23 pass quick inet6 proto ipv6-icmp all icmp6-type toobig keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @24 pass quick inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @25 pass quick inet6 proto ipv6-icmp all icmp6-type neighbradv keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @26 block drop quick inet proto tcp from any port = 0 to any
                                  [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @27 block drop quick inet proto tcp from any to any port = 0
                                  [ Evaluations: 18915     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @28 block drop quick inet proto udp from any port = 0 to any
                                  [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @29 block drop quick inet proto udp from any to any port = 0
                                  [ Evaluations: 20680     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @30 block drop quick inet6 proto tcp from any port = 0 to any
                                  [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @31 block drop quick inet6 proto tcp from any to any port = 0
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @32 block drop quick inet6 proto udp from any port = 0 to any
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @33 block drop quick inet6 proto udp from any to any port = 0
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @34 block drop quick from <snort2c:0> to any label "Block snort2c hosts"
                                  [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @35 block drop quick from any to <snort2c:0> label "Block snort2c hosts"
                                  [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @36 block drop in log quick proto tcp from <sshlockout:0> to any port = ssh label "sshlockout"
                                  [ Evaluations: 39657     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @37 block drop in log quick proto tcp from <webconfiguratorlockout:0> to any port = http label "webConfiguratorlockout"
                                  [ Evaluations: 14044     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @38 block drop in quick from <virusprot:0> to any label "virusprot overload table"
                                  [ Evaluations: 27002     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @39 block drop in log quick on em0 from <bogons:10> to any label "block bogon IPv4 networks from WAN"
                                  [ Evaluations: 27002     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @40 block drop in log quick on em0 from <bogonsv6:0> to any label "block bogon IPv6 networks from WAN"
                                  [ Evaluations: 12846     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @41 block drop in on ! em0 inet from 84.xxx.xx2.0/23 to any
                                  [ Evaluations: 27002     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @42 block drop in inet from 84.xxx.xx3.221 to any
                                  [ Evaluations: 27002     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @43 block drop in on em0 inet6 from fe80::6a05:caff:fe0f:c58 to any
                                  [ Evaluations: 27002     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @44 block drop in log quick on em0 inet from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
                                  [ Evaluations: 12846     Packets: 242       Bytes: 89350       States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @45 block drop in log quick on em0 inet from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
                                  [ Evaluations: 12604     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @46 block drop in log quick on em0 inet from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
                                  [ Evaluations: 12604     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @47 block drop in log quick on em0 inet from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
                                  [ Evaluations: 12604     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @48 block drop in log quick on em0 inet from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
                                  [ Evaluations: 12604     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @49 block drop in log quick on em0 inet6 from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
                                  [ Evaluations: 12604     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @50 pass in on em0 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WAN"
                                  [ Evaluations: 12604     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @51 pass out on em0 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WAN"
                                  [ Evaluations: 18042     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @52 block drop in on ! em1 inet from 192.168.0.0/24 to any
                                  [ Evaluations: 39415     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @53 block drop in inet from 192.168.0.1 to any
                                  [ Evaluations: 26783     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @54 block drop in on em1 inet6 from fe80::6a05:caff:fe0f:c59 to any
                                  [ Evaluations: 26760     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @55 pass in quick on em1 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
                                  [ Evaluations: 14132     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @56 pass in quick on em1 inet proto udp from any port = bootpc to 192.168.0.1 port = bootps keep state label "allow access to DHCP server"
                                  [ Evaluations: 2         Packets: 3         Bytes: 1232        States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @57 pass out quick on em1 inet proto udp from 192.168.0.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
                                  [ Evaluations: 19931     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @58 pass in on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
                                  [ Evaluations: 39413     Packets: 184       Bytes: 14796       States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @59 pass out on lo0 inet all flags S/SA keep state label "pass IPv4 loopback"
                                  [ Evaluations: 48        Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @60 pass in on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
                                  [ Evaluations: 48        Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @61 pass out on lo0 inet6 all flags S/SA keep state label "pass IPv6 loopback"
                                  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @62 pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
                                  [ Evaluations: 39413     Packets: 1502      Bytes: 388250      States: 2     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @63 pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
                                  [ Evaluations: 12655     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @64 pass out route-to (em0 84.xxx.xx2.1) inet from 84.xxx.xx3.221 to ! 84.xxx.xx2.0/23 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
                                  [ Evaluations: 12655     Packets: 4049547   Bytes: 3701333567  States: 177   ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @65 anchor "userrules/*" all
                                  [ Evaluations: 39413     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @66 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = https flags S/SA keep state label "USER_RULE: Allow access to firewall management"
                                  [ Evaluations: 39413     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @67 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = ssh flags S/SA keep state label "USER_RULE: Allow access to firewall management"
                                  [ Evaluations: 1987      Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @68 pass in quick on em1 inet proto tcp from <managementhosts:1> to 192.168.0.1 port = http flags S/SA keep state label "USER_RULE: Allow access to firewall management"
                                  [ Evaluations: 1987      Packets: 2933      Bytes: 2349344     States: 2     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @69 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = domain flags S/SA keep state label "USER_RULE: Allow internal network to DNS forwarder"
                                  [ Evaluations: 1960      Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @70 pass in quick on em1 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = domain keep state label "USER_RULE: Allow internal network to DNS forwarder"
                                  [ Evaluations: 7279      Packets: 940       Bytes: 91307       States: 5     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @71 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = ntp flags S/SA keep state label "USER_RULE: Allow internal network to NTPd server"
                                  [ Evaluations: 1968      Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @72 pass in quick on em1 inet proto udp from 192.168.0.0/24 to 192.168.0.1 port = ntp keep state label "USER_RULE: Allow internal network to NTPd server"
                                  [ Evaluations: 8         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @73 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 2189 flags S/SA keep state label "USER_RULE: Allow internal network to upnp and nat-pmp"
                                  [ Evaluations: 1968      Packets: 452       Bytes: 90991       States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @74 pass in quick on em1 inet proto tcp from 192.168.0.0/24 to 192.168.0.1 port = 5153 flags S/SA keep state label "USER_RULE: Allow internal network to upnp and nat-pmp"
                                  [ Evaluations: 1921      Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @75 pass in quick on em1 inet from 192.168.0.0/24 to 224.0.0.0/8 flags S/SA keep state label "USER_RULE: Allow multicast"
                                  [ Evaluations: 13597     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @76 pass in quick on em1 inet from 192.168.0.0/24 to 239.0.0.0/30 flags S/SA keep state label "USER_RULE: Allow multicast"
                                  [ Evaluations: 13597     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @77 pass in quick on em1 inet proto icmp from 192.168.0.0/24 to 192.168.0.1 keep state label "USER_RULE: Allow internal network to ping LAN IP"
                                  [ Evaluations: 13597     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @78 block drop in quick on em1 inet from any to 192.168.0.1 label "USER_RULE: Reject all else to LAN IP"
                                  [ Evaluations: 13597     Packets: 1926      Bytes: 98442       States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @79 pass in quick on em1 inet from 192.168.0.0/24 to any flags S/SA keep state label "USER_RULE: Default LAN -> any"
                                  [ Evaluations: 11671     Packets: 4049388   Bytes: 3702156825  States: 164   ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @80 anchor "tftp-proxy/*" all
                                  [ Evaluations: 25283     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @81 pass in quick on em1 proto tcp from any to ! (em1:2) port = http flags S/SA keep state
                                  [ Evaluations: 25283     Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                @82 pass in quick on em1 proto tcp from any to ! (em1:2) port = 3128 flags S/SA keep state
                                  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
                                  [ Inserted: uid 0 pid 31155 ]
                                

                                That is with utorrent opening 22425 (tcp/udp) using upnp. (internal utorrent portforwarding test states OK, but traffic gets blocked by the default rule)
                                RAW firewall logging

                                Feb 17 14:29:10	pf: 208.94.246.12.59207 > 84.xxx.xxx.xxx.52631: Flags [S], cksum 0x8c13 (correct), seq 3040150792, win 7300, options [mss 1460,sackOK,TS val 93819911 ecr 0,nop,wscale 0], length 0
                                Feb 17 14:29:10	pf: 00:00:00.032232 rule 3/0(match): block in on em0: (tos 0x0, ttl 52, id 37135, offset 0, flags [DF], proto TCP (6), length 60)
                                Feb 17 14:29:10	pf: 90.38.197.137.61089 > 192.168.0.51.22425: Flags [S], cksum 0x8c47 (correct), seq 106599862, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
                                Feb 17 14:29:10	pf: 00:00:00.000701 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, id 20243, offset 0, flags [DF], proto TCP (6), length 52)
                                Feb 17 14:29:10	pf: 90.38.197.137.28344 > 192.168.0.51.22425: UDP, length 30
                                Feb 17 14:29:10	pf: 00:00:00.007670 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, id 20242, offset 0, flags [none], proto UDP (17), length 58)
                                Feb 17 14:29:10	pf: 213.220.227.57.53390 > 192.168.0.51.22425: Flags [S], cksum 0x43d8 (correct), seq 3521645254, win 8960, options [mss 8960,sackOK,TS val 120667621 ecr 0,nop,wscale 4], length 0
                                Feb 17 14:29:10	pf: 00:00:00.040965 rule 3/0(match): block in on em0: (tos 0x0, ttl 54, id 14115, offset 0, flags [DF], proto TCP (6), length 60)
                                Feb 17 14:29:10	pf: 77.41.15.219.55721 > 84.xxx.xxx.xxx.46657: UDP, length 20
                                Feb 17 14:29:10	pf: 00:00:00.750937 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, id 28101, offset 0, flags [none], proto UDP (17), length 48)
                                Feb 17 14:29:10	pf: 95.236.57.133.18746 > 192.168.0.51.22425: Flags [S], cksum 0x113d (correct), seq 2237709668, win 8192, options [mss 1442,nop,wscale 8,nop,nop,sackOK], length 0
                                netstat -rn
                                [code]$ netstat -rn
                                Routing tables
                                
                                Internet:
                                Destination        Gateway            Flags    Refs      Use  Netif Expire
                                default            84.xxx.xx2.1       UGS         0   174916    em0
                                84.xxx.xx2.0/23    link#1             U           0      704    em0
                                84.xxx.xx3.221     link#1             UHS         0        0    lo0
                                127.0.0.1          link#5             UH          0       58    lo0
                                192.168.0.0/24     link#2             U           0  7241831    em1
                                192.168.0.1        link#2             UHS         0      832    lo0
                                
                                Internet6:
                                Destination                       Gateway                       Flags      Netif Expire
                                ::1                               ::1                           UH          lo0
                                fe80::%em0/64                     link#1                        U           em0
                                fe80::6a05:caff:fe0f:c58%em0      link#1                        UHS         lo0
                                fe80::%em1/64                     link#2                        U           em1
                                fe80::6a05:caff:fe0f:c59%em1      link#2                        UHS         lo0
                                fe80::%lo0/64                     link#5                        U           lo0
                                fe80::1%lo0                       link#5                        UHS         lo0
                                ff01::%em0/32                     fe80::6a05:caff:fe0f:c58%em0  U           em0
                                ff01::%em1/32                     fe80::6a05:caff:fe0f:c59%em1  U           em1
                                ff01::%lo0/32                     ::1                           U           lo0
                                ff02::%em0/32                     fe80::6a05:caff:fe0f:c58%em0  U           em0
                                ff02::%em1/32                     fe80::6a05:caff:fe0f:c59%em1  U           em1
                                ff02::%lo0/32                     ::1                           U           lo0[/code]
                                cat /tmp/rules.debug
                                [code]$ cat /tmp/rules.debug
                                set limit tables 3000
                                set optimization normal
                                set timeout { adaptive.start 0, adaptive.end 0 }
                                set limit states 894000
                                set limit src-nodes 894000
                                
                                #System aliases
                                
                                loopback = "{ lo0 }"
                                WAN = "{ em0 }"
                                LAN = "{ em1 }"
                                
                                #SSH Lockout Table
                                table <sshlockout> persist
                                table <webconfiguratorlockout> persist
                                #Snort tables
                                table <snort2c>
                                table <virusprot>
                                table <negate_networks> 
                                
                                # User Aliases 
                                table <managementhosts> {   192.168.0.0/25 } 
                                ManagementHosts = "<managementhosts>"
                                ManagementPorts = "{   443  22  80 }"
                                ProxyPorts = "{   3128 }"
                                UpnpPorts = "{   2189  5153 }"
                                
                                # Gateways
                                GWWAN = " route-to ( em0 84.xxx.xx2.1 ) "
                                
                                set loginterface em1
                                
                                set skip on pfsync0
                                
                                scrub on $WAN all    fragment reassemble
                                scrub on $LAN all    fragment reassemble
                                
                                no nat proto carp
                                no rdr proto carp
                                nat-anchor "natearly/*"
                                nat-anchor "natrules/*"
                                
                                # Outbound NAT rules
                                
                                # Subnets to NAT 
                                tonatsubnets	= "{ 192.168.0.0/24 127.0.0.0/8  }"
                                nat on $WAN  from $tonatsubnets port 500 to any port 500 -> 84.xxx.xx3.221/32 port 500  
                                nat on $WAN  from $tonatsubnets to any -> 84.xxx.xx3.221/32 port 1024:65535  
                                
                                # Load balancing anchor
                                rdr-anchor "relayd/*"
                                # TFTP proxy
                                rdr-anchor "tftp-proxy/*"
                                
                                # Setup Squid proxy redirect
                                no rdr on em1 proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80
                                rdr on em1 proto tcp from any to !(em1) port 80 -> 127.0.0.1 port 3128
                                
                                # UPnPd rdr anchor
                                rdr-anchor "miniupnpd"
                                
                                anchor "relayd/*"
                                anchor "openvpn/*"
                                anchor "ipsec/*"
                                #---------------------------------------------------------------------------
                                # default deny rules
                                #---------------------------------------------------------------------------
                                block in log inet all label "Default deny rule IPv4"
                                block out log inet all label "Default deny rule IPv4"
                                block in log inet6 all label "Default deny rule IPv6"
                                block out log inet6 all label "Default deny rule IPv6"
                                
                                # IPv6 ICMP is not auxilary, it is required for operation
                                # See man icmp6(4)
                                # 1    unreach         Destination unreachable
                                # 2    toobig          Packet too big
                                # 128  echoreq         Echo service request
                                # 129  echorep         Echo service reply
                                # 133  routersol       Router solicitation
                                # 134  routeradv       Router advertisement
                                # 135  neighbrsol      Neighbor solicitation
                                # 136  neighbradv      Neighbor advertisement
                                pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
                                
                                # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
                                pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
                                pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
                                pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
                                pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
                                pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
                                
                                # We use the mighty pf, we cannot be fooled.
                                block quick inet proto { tcp, udp } from any port = 0 to any
                                block quick inet proto { tcp, udp } from any to any port = 0
                                block quick inet6 proto { tcp, udp } from any port = 0 to any
                                block quick inet6 proto { tcp, udp } from any to any port = 0
                                
                                # Snort package
                                block quick from <snort2c> to any label "Block snort2c hosts"
                                block quick from any to <snort2c> label "Block snort2c hosts"
                                
                                # SSH lockout
                                block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
                                
                                # webConfigurator lockout
                                block in log quick proto tcp from <webconfiguratorlockout> to any port 80 label "webConfiguratorlockout"
                                block in quick from <virusprot> to any label "virusprot overload table"
                                table <bogons> persist file "/etc/bogons"
                                table <bogonsv6> persist file "/etc/bogonsv6"
                                # block bogon networks
                                # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
                                # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
                                block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
                                block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
                                antispoof for em0
                                # block anything from private networks on interfaces with the option set
                                antispoof for $WAN
                                block in log quick on $WAN from 10.0.0.0/8 to any label "Block private networks from WAN block 10/8"
                                block in log quick on $WAN from 127.0.0.0/8 to any label "Block private networks from WAN block 127/8"
                                block in log quick on $WAN from 100.64.0.0/10 to any label "Block private networks from WAN block 100.64/10"
                                block in log quick on $WAN from 172.16.0.0/12 to any label "Block private networks from WAN block 172.16/12"
                                block in log quick on $WAN from 192.168.0.0/16 to any label "Block private networks from WAN block 192.168/16"
                                block in log quick on $WAN from fc00::/7 to any label "Block ULA networks from WAN block fc00::/7"
                                # allow our DHCP client out to the WAN
                                pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
                                pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
                                # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
                                antispoof for em1
                                # allow access to DHCP server on LAN
                                pass in quick on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
                                pass in quick on $LAN proto udp from any port = 68 to 192.168.0.1 port = 67 label "allow access to DHCP server"
                                pass out quick on $LAN proto udp from 192.168.0.1 port = 67 to any port = 68 label "allow access to DHCP server"
                                
                                # loopback
                                pass in on $loopback inet all label "pass IPv4 loopback"
                                pass out on $loopback inet all label "pass IPv4 loopback"
                                pass in on $loopback inet6 all label "pass IPv6 loopback"
                                pass out on $loopback inet6 all label "pass IPv6 loopback"
                                # let out anything from the firewall host itself and decrypted IPsec traffic
                                pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
                                pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
                                pass out route-to ( em0 84.xxx.xx2.1 ) from 84.xxx.xx3.221 to !84.xxx.xx2.0/23 keep state allow-opts label "let out anything from firewall host itself"
                                
                                # User-defined rules follow
                                
                                anchor "userrules/*"
                                pass  in  quick  on $LAN  proto tcp  from   $ManagementHosts to 192.168.0.1 port $ManagementPorts  flags S/SA keep state  label "USER_RULE: Allow access to firewall management"
                                pass  in  quick  on $LAN  proto { tcp udp }  from 192.168.0.0/24 to 192.168.0.1 port 53  keep state  label "USER_RULE: Allow internal network to DNS forwarder"
                                pass  in  quick  on $LAN  proto { tcp udp }  from 192.168.0.0/24 to 192.168.0.1 port 123  keep state  label "USER_RULE: Allow internal network to NTPd server"
                                pass  in  quick  on $LAN  proto tcp  from 192.168.0.0/24 to 192.168.0.1 port $UpnpPorts  flags S/SA keep state  label "USER_RULE: Allow internal network to upnp and nat-pmp"
                                pass  in  quick  on $LAN  from 192.168.0.0/24 to   224.0.0.0/8 keep state  label "USER_RULE: Allow multicast"
                                pass  in  quick  on $LAN  from 192.168.0.0/24 to   239.0.0.0/30 keep state  label "USER_RULE: Allow multicast"
                                pass  in  quick  on $LAN  proto icmp  from 192.168.0.0/24 to 192.168.0.1 keep state  label "USER_RULE: Allow internal network to ping LAN IP"
                                block  in  quick  on $LAN  from any to 192.168.0.1  label "USER_RULE: Reject all else to LAN IP"
                                pass  in  quick  on $LAN  from 192.168.0.0/24 to any keep state  label "USER_RULE: Default LAN -> any"
                                
                                # Automatic Pass rules for any delegated IPv6 prefixes through dynamic IPv6 clients
                                
                                # VPN Rules
                                anchor "tftp-proxy/*"
                                
                                # Setup squid pass rules for proxy
                                pass in quick on em1 proto tcp from any to !(em1) port 80 flags S/SA keep state
                                pass in quick on em1 proto tcp from any to !(em1) port 3128 flags S/SA keep state
                                [/code]
                                
                                ![Utorrent-test.png](/public/_imported_attachments_/1/Utorrent-test.png)
                                ![pfsense_unpnstatus.png](/public/_imported_attachments_/1/pfsense_unpnstatus.png)
                                
                                1 Reply Last reply Reply Quote 0
                                • J
                                  jimp Rebel Alliance Developer Netgate
                                  last edited by Mar 11, 2013, 11:45 AM Feb 17, 2013, 1:59 PM

                                  OK, I found it. It wasn't the upnp daemon, but a recent change broke the test that puts the rules anchor in rules.debug.

                                  Should be fixed by https://github.com/pfsense/pfsense/commit/290296cdc05747b65145077e2715e7c4e2ae60aa

                                  Not sure how mine worked without that anchor, but it was working for me.

                                  Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                                  Need help fast? Netgate Global Support!

                                  Do not Chat/PM for help!

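An added example, not code from this thread or from pfSense, that turns jimp's diagnosis into a check a defender can run against the dumps posted above: it looks for both the miniupnpd rdr-anchor and filter anchor in a rules.debug or `pfctl -sr` dump, and counts the raw log's blocked inbound packets per destination so the translated-but-blocked pattern (a private LAN address logged as destination on the WAN side) stands out. The excerpts `RULES_DEBUG_BROKEN` and `RULES_DEBUG_FIXED`, and the placement of the filter anchor in the fixed one, are constructed assumptions.

```python
"""Anchor check for a pfSense miniupnpd ruleset, with pf log correlation.
Added example, not code from the thread or from pfSense. miniupnpd keeps each
mapping as an rdr rule plus a pass rule in an anchor named "miniupnpd", so the
ruleset needs a matching rdr-anchor and filter anchor; with the rdr-anchor
alone, inbound packets are translated to the LAN host and then hit default deny.
"""
import re
from collections import Counter

# Constructed excerpt mirroring the thread's rules.debug: rdr-anchor only.
RULES_DEBUG_BROKEN = """\
rdr-anchor "miniupnpd"
anchor "ipsec/*"
block in log inet all label "Default deny rule IPv4"
anchor "userrules/*"
pass in quick on $LAN from 192.168.0.0/24 to any keep state label "USER_RULE: Default LAN -> any"
"""
# Constructed "after the fix" excerpt with the filter anchor present as well
# (placing it right after the IPsec anchor is an assumption, not pfSense's code).
RULES_DEBUG_FIXED = RULES_DEBUG_BROKEN.replace(
    'anchor "ipsec/*"\n', 'anchor "ipsec/*"\nanchor "miniupnpd"\n')

# Raw log lines copied from the thread (addresses masked as posted). pfSense's
# raw view lists newest first, so a packet line precedes its "rule N/0(match)"
# header; tcpdump on pflog0 prints the header first. Either order is accepted.
RAW_LOG = """\
Feb 17 14:29:10\tpf: 208.94.246.12.59207 > 84.xxx.xxx.xxx.52631: Flags [S], cksum 0x8c13 (correct), seq 3040150792, win 7300, options [mss 1460,sackOK,TS val 93819911 ecr 0,nop,wscale 0], length 0
Feb 17 14:29:10\tpf: 00:00:00.032232 rule 3/0(match): block in on em0: (tos 0x0, ttl 52, id 37135, offset 0, flags [DF], proto TCP (6), length 60)
Feb 17 14:29:10\tpf: 90.38.197.137.61089 > 192.168.0.51.22425: Flags [S], cksum 0x8c47 (correct), seq 106599862, win 8192, options [mss 1452,nop,wscale 2,nop,nop,sackOK], length 0
Feb 17 14:29:10\tpf: 00:00:00.000701 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, id 20243, offset 0, flags [DF], proto TCP (6), length 52)
Feb 17 14:29:10\tpf: 90.38.197.137.28344 > 192.168.0.51.22425: UDP, length 30
Feb 17 14:29:10\tpf: 00:00:00.007670 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, id 20242, offset 0, flags [none], proto UDP (17), length 58)
Feb 17 14:29:10\tpf: 213.220.227.57.53390 > 192.168.0.51.22425: Flags [S], cksum 0x43d8 (correct), seq 3521645254, win 8960, options [mss 8960,sackOK,TS val 120667621 ecr 0,nop,wscale 4], length 0
Feb 17 14:29:10\tpf: 00:00:00.040965 rule 3/0(match): block in on em0: (tos 0x0, ttl 54, id 14115, offset 0, flags [DF], proto TCP (6), length 60)
Feb 17 14:29:10\tpf: 77.41.15.219.55721 > 84.xxx.xxx.xxx.46657: UDP, length 20
Feb 17 14:29:10\tpf: 00:00:00.750937 rule 3/0(match): block in on em0: (tos 0x0, ttl 115, id 28101, offset 0, flags [none], proto UDP (17), length 48)
"""

# Matches rules.debug lines and "pfctl -vvsr" lines such as '@65 anchor "x" all'.
ANCHOR_RE = re.compile(r'^\s*(?:@\d+\s+)?(nat-anchor|rdr-anchor|anchor)\s+"([^"]+)"', re.M)
HEADER_RE = re.compile(r'rule (\d+)/\d+\(match\): (block|pass) (in|out) on (\w+):.*?proto (\w+) \((\d+)\)')
PACKET_RE = re.compile(r'pf: (\S+)\.(\d+) > (\S+)\.(\d+): ')

def find_anchors(ruleset):
    """Map each anchor name to the set of anchor kinds declared for it."""
    found = {}
    for kind, name in ANCHOR_RE.findall(ruleset):
        found.setdefault(name, set()).add(kind)
    return found

def upnp_anchor_status(ruleset, name="miniupnpd"):
    """Return (has_rdr_anchor, has_filter_anchor) for the UPnP anchor."""
    kinds = find_anchors(ruleset).get(name, set())
    return ("rdr-anchor" in kinds, "anchor" in kinds)

def pair_log_lines(raw):
    """Yield (header_match, packet_match) for each logged packet."""
    lines = raw.splitlines()
    headers = [HEADER_RE.search(line) for line in lines]
    packets = [PACKET_RE.search(line) for line in lines]
    used = [False] * len(lines)
    for i, header in enumerate(headers):
        if header is None:
            continue
        for j in (i - 1, i + 1):  # the packet line is adjacent, either side
            if 0 <= j < len(lines) and packets[j] and not used[j]:
                used[j] = True
                yield header, packets[j]
                break

def blocked_destinations(raw, iface):
    """Count blocked inbound packets on iface by (dst_ip, dst_port, proto)."""
    hits = Counter()
    for header, pkt in pair_log_lines(raw):
        _rule, action, direction, ifname, proto, _num = header.groups()
        if action == "block" and direction == "in" and ifname == iface:
            hits[(pkt.group(3), int(pkt.group(4)), proto)] += 1
    return hits

def diagnose(ruleset, raw, wan_if, lan_host, mapped_port):
    """Verdict for one UPnP mapping: which anchor is missing, if any."""
    has_rdr, has_filter = upnp_anchor_status(ruleset)
    hits = blocked_destinations(raw, wan_if)
    # A private LAN address as destination of a packet blocked on the WAN side
    # means the rdr already rewrote it: translation ran, no pass rule matched.
    to_mapping = sum(n for (ip, port, _p), n in hits.items()
                     if ip == lan_host and port == mapped_port)
    if not has_rdr:
        verdict = "rdr-anchor missing: miniupnpd cannot install mappings"
    elif not has_filter:
        verdict = "filter anchor missing: translated packets fall to default deny"
    else:
        verdict = "both anchors present"
    return {"rdr_anchor": has_rdr, "filter_anchor": has_filter,
            "blocked_to_mapping": to_mapping, "verdict": verdict}
```

On a live box, feed `diagnose()` the text of `/tmp/rules.debug` and the raw log for the WAN interface, the LAN host and the port uTorrent reports as mapped.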
                                  • J
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by Feb 17, 2013, 2:31 PM Feb 17, 2013, 2:26 PM

                                    just did a gitsync - and shazam, there you go, working!

                                    I don't really use it, but sure the guys that do will be happy it's working again..  Sweet how some reporting of details and issue fixed..

                                    Got to love the pfsense crew!  Thanks guys!!

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                    • T
                                      Tikimotel
                                      last edited by Feb 17, 2013, 2:54 PM

                                      gitsync saved the day!
                                      miniupnpd is working again thanks. ;D

                                      • G
                                        gloomrider
                                        last edited by Feb 18, 2013, 1:01 AM Feb 18, 2013, 12:45 AM

                                        @jimp:

                                        OK, I found it. It wasn't the upnp daemon, but a recent change broke the test that puts the rules anchor in rules.debug.

                                        Should be fixed by https://github.com/bsdperimeter/pfsense/commit/290296cdc05747b65145077e2715e7c4e2ae60aa

                                        Not sure how mine worked without that anchor, but it was working for me.

                                        Well Jim, since you figured it out before I had to go through your list of tasks, I made a small donation to the project.  ;D

                                        Oh, and thanks, of course!!!

                                        • J
                                          jimp Rebel Alliance Developer Netgate
                                          last edited by Feb 18, 2013, 12:57 AM

                                          Thanks!


                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.