miniupnp.tuxfamily.org Forum Index
The forum about miniupnp and libnatpmp
Issues with miniupnpd on multiple LAN interfaces on pfSense

guiambros
Joined: 05 Nov 2022
Posts: 2
Location: Brooklyn, NY

Posted: Sun Nov 06, 2022 3:06 am    Post subject: Issues with miniupnpd on multiple LAN interfaces on pfSense

I'm running miniupnpd v2.2.1 on pfSense 2.6.0-release. The system has 1 WAN (em0) and 3 LAN interfaces (em1, em2, em3). I have a valid IP address on the WAN interface.

When configuring via pfSense UI, I end up with this config file:

Code:

$ cat /var/etc/miniupnpd.conf
ext_ifname=em0
port=2189
listening_ip=em1
listening_ip=em2
listening_ip=em3
secure_mode=yes
presentation_url=https://192.168.x.1/
uuid=b00000-d000-f000-f000-10000000000
serial=B200D000
model_number=2.6.0-RELEASE
enable_upnp=yes
enable_natpmp=no


With this config, the system gets spammed every 30s with hundreds of lines like this one:

Code:
# cat routing.log
Nov  5 17:58:11 pfSense miniupnpd[16813]: interface index not matching 4 != 2
Nov  5 17:58:11 pfSense miniupnpd[16813]: interface index not matching 4 != 3
Nov  5 17:58:11 pfSense miniupnpd[16813]: interface index not matching 3 != 2
Nov  5 17:58:11 pfSense miniupnpd[16813]: interface index not matching 4 != 3
Nov  5 17:58:11 pfSense miniupnpd[16813]: interface index not matching 2 != 3
(... plus hundreds of lines)


I read somewhere that the preferred way was to put all interfaces in the same listening_ip line, so I tried changing the config file to:

Code:
listening_ip=em1 em2 em3


The error changed, but I'm still getting tons of these (where x is the subnet of `em2`):

Code:

Nov  5 18:04:21 pfSense miniupnpd[47353]: HTTP peer 192.168.x.21:39758 is not from a LAN, closing the connection
Nov  5 18:04:21 pfSense miniupnpd[47353]: HTTP peer 192.168.x.21:39772 is not from a LAN, closing the connection
(... plus hundreds of lines)


If I change the order of interfaces to
Code:
listening_ip=em2 em1 em3


The error changes to (where x is the subnet of `em3`, the 4th interface in the system):

Code:
Nov  5 22:23:00 pfSense miniupnpd[94656]: SSDP packet sender 192.168.x.7:60844 (if_index=4) not from a LAN, ignoring
Nov  5 22:23:00 pfSense miniupnpd[94656]: SSDP packet sender 192.168.x.7:60844 (if_index=4) not from a LAN, ignoring
(... plus hundreds of lines)



This makes me believe that miniupnpd is only considering the first interface in listening_ip, so I really should have a separate row for each interface.

Lastly, I tried using the IP address in CIDR format (where x, y, z are the subnets for em1, em2, em3), but I think it got deprecated in recent versions:

Code:

listening_ip=192.168.x.1/24
listening_ip=192.168.y.1/24
listening_ip=192.168.z.1/24


This resulted in:

Code:
Error: please specify LAN network interface by name instead of IPv4 address : 192.168.x.1/24
can't parse "192.168.x.1/24" as a valid interface name
Error: please specify LAN network interface by name instead of IPv4 address : 192.168.y.1/24
can't parse "192.168.y.1/24" as a valid interface name
Error: please specify LAN network interface by name instead of IPv4 address : 192.168.z.1/24
can't parse "192.168.z.1/24" as a valid interface name


I'm using

Code:
$ miniupnpd --version
miniupnpd 2.2.1 Jan 12 2022
using pf backend


Any ideas if I'm doing something wrong, or if miniupnpd is broken on pfSense? I haven't tried 2.3.1 yet. It's a bit painful to compile anything for pfSense, so I'd prefer to avoid it if possible.

Thanks in advance!


Last edited by guiambros on Mon Apr 24, 2023 4:42 am; edited 1 time in total
miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1594

Posted: Sun Dec 18, 2022 10:49 pm

Code:

listening_ip=em1
listening_ip=em2
listening_ip=em3

should work.

You should try to tcpdump on each em1 / em2 / em3 interface to check they are only receiving packets from the right subnet.

Code:

# tcpdump -n -i em1 "udp port 1900"

Main miniUPnP author.
https://miniupnp.tuxfamily.org/

guiambros
Joined: 05 Nov 2022
Posts: 2
Location: Brooklyn, NY

Posted: Sun Apr 23, 2023 9:12 pm

miniupnp wrote:
you should try to tcpdump on each em1 / em2 / em3 interface to check they are only receiving packets from the right subnet.

Bingo, I am indeed receiving duplicate SSDP packets across VLANs, so miniupnpd is working as intended and reporting the interface mismatch. Thanks!

I traced the duplicate packets back to pfSense's PIMD service, which is needed to make some devices which rely on multicast work across subnets (e.g. Sonos / Spotify Connect). I thought that pimd wouldn't replicate link-local multicast traffic like SSDP, but it seems I was wrong.

I now need to investigate the security implications of SSDP packets leaking across VLANs. I guess it'd be possible for a compromised device on a restricted VLAN to announce an evil service via SSDP to other subnets.

As a workaround, I simply commented out this line in minissdp.c, recompiled and installed on pfSense. Won't survive the next upgrade, but at least fixes the log spam for now.

Code:
syslog(LOG_WARNING, "interface index not matching %u != %d", lan_addr->index, source_if);
miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1594

Posted: Mon May 08, 2023 1:34 pm

I have to read the UPnP standard documents to know exactly what is forbidden / allowed about SSDP crossing LANs.

The main reason for the current implementation of the interface check for SSDP in miniupnp was to drop SSDP packets coming from the internet.

You can "cheat" in the miniupnpd configuration by adding a /16 mask to your listening_ip configuration:
Code:
listening_ip=em1/16

https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/INSTALL#L139
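As an added example, not code from the thread or from miniupnpd, a small Python script that aggregates the two kinds of LAN-check warnings quoted above into a map of which interface index's subnet is showing up on which other interface, so an admin can see exactly which VLANs are exchanging SSDP traffic (here, because of pimd) before deciding between fixing the multicast routing and the /16 mask workaround. The log lines are constructed in the thread's format with made-up subnets.

```python
import re
from collections import Counter

# Constructed sample in the two formats quoted in this thread (subnets are
# invented; the thread masks them as 192.168.x.*).
SAMPLE_LOG = """\
Nov  5 17:58:11 pfSense miniupnpd[16813]: interface index not matching 4 != 2
Nov  5 17:58:11 pfSense miniupnpd[16813]: interface index not matching 4 != 3
Nov  5 17:58:11 pfSense miniupnpd[16813]: interface index not matching 3 != 2
Nov  5 17:58:11 pfSense miniupnpd[16813]: interface index not matching 4 != 2
Nov  5 22:23:00 pfSense miniupnpd[94656]: SSDP packet sender 192.168.30.7:60844 (if_index=4) not from a LAN, ignoring
Nov  5 22:23:00 pfSense miniupnpd[94656]: SSDP packet sender 192.168.30.7:60844 (if_index=4) not from a LAN, ignoring
Nov  5 18:04:21 pfSense miniupnpd[47353]: HTTP peer 192.168.20.21:39758 is not from a LAN, closing the connection
"""

# "A != B": A is the index of the interface whose subnet contains the sender,
# B is the index the packet actually arrived on.
MISMATCH_RE = re.compile(r"interface index not matching (\d+) != (\d+)")
SSDP_RE = re.compile(r"SSDP packet sender (\d+\.\d+\.\d+\.\d+):\d+ \(if_index=(\d+)\) not from a LAN")
HTTP_RE = re.compile(r"HTTP peer (\d+\.\d+\.\d+\.\d+):\d+ is not from a LAN")


def summarize(log_text):
    """Count miniupnpd LAN-check warnings by what they reveal.

    leak:         (owner_index, arrival_index) -> packets that crossed between two LANs
    unknown_ssdp: (sender_ip, arrival_index)   -> SSDP senders matching no listening_ip
    unknown_http: sender_ip                     -> HTTP peers matching no listening_ip
    """
    leaks, unknown_ssdp, unknown_http = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        if m := MISMATCH_RE.search(line):
            leaks[(int(m.group(1)), int(m.group(2)))] += 1
        elif m := SSDP_RE.search(line):
            unknown_ssdp[(m.group(1), int(m.group(2)))] += 1
        elif m := HTTP_RE.search(line):
            unknown_http[m.group(1)] += 1
    return {"leak": leaks, "unknown_ssdp": unknown_ssdp, "unknown_http": unknown_http}


def leaking_pairs(summary):
    """(owner_index, arrival_index, count) tuples, busiest pair first."""
    return sorted(((a, b, n) for (a, b), n in summary["leak"].items()), key=lambda t: -t[2])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for owner, arrived, n in leaking_pairs(s):
        print(f"subnet of if_index {owner} seen on if_index {arrived}: {n} packets")
    for (ip, idx), n in s["unknown_ssdp"].items():
        print(f"SSDP from {ip} via if_index {idx} matched no listening_ip: {n} packets")
```

Map the indices back to names with `ifconfig` / `netstat -i` on the firewall; a pair that only ever appears in one direction is a good hint that the multicast is being forwarded rather than bridged.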