Uverse Remote App Behind PfSense



  • I recently graduated from using DD-Wrt to a Pfsense box on my home network.  I have always wanted to have the ability to use the Uverse remote app on my iPhone to control my Uverse set-top boxes (STB) while on my local network.  Now that I am up and running with Pfsense, I am trying to tackle this task but not having any luck so far.

    Currently my setup is as follows:

    Uverse RG -> Pfsense WAN <-> PFsense LAN -> Home network with WiFi AP and multiple wired devices
      |
      |-> Uverse STB's

    I have set the Uverse RG with IP Passthrough to my Pfsense box using https://forums.att.com/t5/Features-and-How-To/How-to-put-the-Motorola-NVG589-in-bridge-mode-or-as-close-as-you/td-p/3552057 as my guide.  Thus, my Pfsense WAN gets assigned the public IP address.  I have set up Pfsense as my DHCP to serve IP addresses to my local network.  The Uverse RG acts as the DHCP for my STB's.

    Uverse RG IP: 192.168.1.254
    Uverse STB's: 192.168.1.10, 192.168.1.11
    Local Network IP's: 172.16.1.0/24

    I can reach my RG from within the local network and I can ping the STB's from the local network.  However, when using the Uverse Remote App, it cannot find the STB's.

    During my research on how to get this working, I came across the following discussion at https://forums.att.com/t5/U-verse-Applications/iPad-app-behind-my-router/m-p/3114279/highlight/true#M582 where someone was able to get it working behind a Cisco ASA.  However, I have no idea how to translate the Cisco instruction set to Pfsense.

    From the above posted link, here is the pertinent information:

    1. The U-verse RG is 192.168.1.254 on its inside network.
    2. The Cisco ASA is configured for DMZPlus mode in the U-verse RG firewall. Given that, the IP address of the Cisco's outside interface is actually the public IP, even though the RG's internal network is routable from behind the Cisco.
    3. My Internet network (and wi-fi AP, and iPad) is behind the Cisco. The U-verse STB's are out on the RG's 192.168.1.0/24 network and directly connected to the RG's switch.
    4. On my Cisco ASA, I named the list "acl_out".  If you already have a different access-list assigned to the outside interface, you can use that instead.

    Here are the config lines. Feel free to update my config if you find a better one:

    multicast-routing
    access-list acl_out extended permit ip any host 239.255.255.250
    (* note, I've wondered if I should instead change "any" to "192.168.1.0 255.255.255.0" because I'm running DMZplus…not sure)
    access-group acl_out in interface outside
    mroute 192.168.1.0 255.255.255.0 outside
    pim rp-address 192.168.1.254 bidir
    (* note, if this command is necessary, the "bidir" seemed to be the key to making it work)

    For those on other routers, what I'm telling the Cisco ASA is to turn on multicast routing, allow access from the outside to the multicast IP 239.255.255.250, route multicast requests to/from 192.168.1.0 via the outside interface, and set up the RG as a "Protocol Independent Multicast" routing neighbor to the Cisco. Curiously if I do a "show pim neighbor" it doesn't show any on the ASA, but otherwise, this config seemed to make the whole thing work.

    I will post separately what I have tried unsuccessfully to get this working.  Any help anyone can provide, would be greatly appreciated.



  • I tried to translate the Cisco instructions posted above to Pfsense as follows.  After some more searching, I came across the following https://seantheitguy.wordpress.com/2014/02/10/using-pfsense-with-nvg589-with-dvr-stb-connected-to-my-router-not-u-verse-gateway/.  However, this was on how to put the STB's after the Pfsense.  I do not really want to do this and mix IPTV traffic with my network traffic on my local network, but I used the information from this post to try and help figure out the Cisco settings.

    I have tried various combinations of the below and can't get it to work.

    WAN Firewall
    Using the above link and the former Cisco solution as a guide, I tried several of the different firewall rules below on the WAN:
    Pass IPV4 *    192.168.1.0/24  *  *  *  none
    or
    Pass IPV4 UDP 192.168.1.0/24 239.255.255.250 * * none
    or
    Pass IPV4 UDP 192.168.1.254 * * * none

    LAN Firewall
    Pass IPV4  *  LAN net  *  *  *  * none w/ Advanced features -> Advanced options -> "This allows packets with IP options to pass." turned on <- Do I really need this?

    IGMP Proxy
    From the above link and various other searches involving SSDP, it looks like I need to have IGMP Proxy running, so I turned it on using http://pfsensesetup.com/igmp-proxy-configuration-in-pfsense/ as a guide with the following various settings (bold seems to me the most correct and secure option):
    WAN upstream 0.0.0.0/ or WAN upstream 192.168.1.0/24 or WAN upstream 192.168.1.0/
    LAN downstream 172.16.1.0/24 <- now that I look at the examples, should this be "LAN downstream 239.255.255.250/"?

    None of the above settings get it working for me.  I can see in the WAN Firewall log, the STB's sending out and being blocked to a destination of 239.255.255.250, so it looks like some traffic is trying to get through, but no combination of the above seems to work.

    I even tried turning on the UPnP & NAT-PMP service, since SSDP seems to be related to UPnP, but that didn't help, either.

    Any help anyone can provide in helping me get this working would be greatly appreciated.  Thank you!
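Added example, not part of the thread or of pfSense: a small Python model of the three WAN pass rules listed in the post above, checked against constructed packets to show how much each rule admits beyond the SSDP discovery traffic. The packet list, the placeholder WAN address 203.0.113.10 and the SSDP port (UDP 1900, the standard one) are assumptions added here.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "label proto src dst")    # ports are "*" in all three
Packet = namedtuple("Packet", "proto src dst dport")

# The three WAN pass rules tried in the post (protocol, source, destination).
RULES = [
    Rule("A", "any", "192.168.1.0/24", "any"),
    Rule("B", "udp", "192.168.1.0/24", "239.255.255.250/32"),
    Rule("C", "udp", "192.168.1.254/32", "any"),
]

# Constructed packets arriving on WAN from the RG-side network.
# 203.0.113.10 is a placeholder for the firewall's own public WAN address.
PACKETS = {
    "stb_ssdp":     Packet("udp", "192.168.1.10",  "239.255.255.250", 1900),
    "rg_ssdp":      Packet("udp", "192.168.1.254", "239.255.255.250", 1900),
    "stb_to_gui":   Packet("tcp", "192.168.1.11",  "203.0.113.10",    443),
    "rg_udp_to_fw": Packet("udp", "192.168.1.254", "203.0.113.10",    53),
}

def _covers(spec, addr):
    """True if addr falls inside the rule's address spec ("any" or CIDR)."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def matches(rule, pkt):
    """A rule passes a packet when protocol, source and destination all match."""
    return (rule.proto in ("any", pkt.proto)
            and _covers(rule.src, pkt.src)
            and _covers(rule.dst, pkt.dst))

def is_ssdp(pkt):
    """The discovery traffic the rules are meant to admit."""
    return (pkt.proto, pkt.dst, pkt.dport) == ("udp", "239.255.255.250", 1900)

def audit():
    """Per rule: the SSDP packets it passes, and everything else it also passes."""
    report = {}
    for rule in RULES:
        hits = sorted(n for n, p in PACKETS.items() if matches(rule, p))
        report[rule.label] = {
            "ssdp":  [n for n in hits if is_ssdp(PACKETS[n])],
            "extra": [n for n in hits if not is_ssdp(PACKETS[n])],
        }
    return report
```

In this model rule B is the only one that passes SSDP from both the STB and the RG without also passing traffic aimed at the firewall itself. A pass rule only stops the block seen in the WAN log; it does not by itself forward the multicast onto the LAN.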


  • Rebel Alliance Global Moderator

    So you say pfsense gets public IP on its wan, but then you say your uverse stuff is on a

    Uverse RG IP: 192.168.1.254
    Uverse STB's: 192.168.1.10, 192.168.1.11

    These are clearly not on the same network as your devices on your lan or wifi which is 172.16

    How does the app find these devices?  Via broadcast, multicast?  What do you put in an IP?  You do understand you put your devices behind a nat compared to your stb…  How are they supposed to find them?

    Why don't you put them on the same network and figure out how they talk via sniff.  Then with that information you can figure out if you can make it work or not.



  • My guess is since the Uverse RG has its own router/firewall built in, that, even though it is theoretically placing a public IP address on my PFsense router's WAN, it is still intercepting any traffic to 192.168.1.0 and directing it accordingly.  Because I can still access the RG interface from my 172.16.1.0 network by typing 192.168.1.254 into my browser and I can successfully ping the STB's.

    I will look into the sniff (never used it before) you suggest to see if I can pull out how the Uverse App uses SSDP to discover and communicate.  I am slowly getting my head around routing, firewalls, etc. so hopefully I can figure it out.  I just figured that since someone already successfully did it using a Cisco router, that I could just simply translate it to Pfsense.

    I will keep working on it this weekend and see if I can figure it out, but if anyone has any experience with Cisco-speak and can help me translate the above, I would appreciate it.  Thanks!