miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 

Multicast usage in miniupnpd?

 
Post new topic   Reply to topic    miniupnp.tuxfamily.org Forum Index -> miniupnpd Compilation/Installation
View previous topic :: View next topic  
Author Message
neildarlow



Joined: 12 Nov 2008
Posts: 2

PostPosted: Wed Nov 12, 2008 12:20 pm    Post subject: Multicast usage in miniupnpd? Reply with quote

Hi,

I am using miniupnpd to provide uPnP service for BitTorrent clients behind my dual-homed FreeBSD-7 router/firewall. It appears that miniupnpd works because I am unable to download content using both Windows and GNU/Linux clients configured for uPnP and the clients continue to seed content long after the download is finished (and a socket would have timed-out).

The problem I notice is that during operation my /var/log/messages fills with the following messages:
Code:
miniupnpd[20838]: sendto(udp_notify=7, 192.168.0.1): Operation not permitted

A restart of miniupnpd typically logs the following:
Code:
miniupnpd[20799]: received signal 15, good-bye
miniupnpd[20799]: sendto(udp_shutdown=7): Operation not permitted
miniupnpd[20799]: Failed to broadcast good-bye notifications
miniupnpd[20838]: HTTP listening on port 5555
miniupnpd[20838]: Listening for NAT-PMP traffic on port 5351

From reading other threads on this forum it appears that something is wrong with my firewall configuration or I'm not permitting the routing of multicast packets. I've researched the FreeBSD documentation relating to multicast but it only makes reference to configuring the kernel to act as a multicast router and the requrement to run mrouted. Do I need to do this?

My /usr/local/etc/miniupnpd.conf is:
Code:
# WAN network interface
ext_ifname=vr0

# enable NAT-PMP support (default is no)
enable_natpmp=yes

# there can be multiple listening ips for receiving SSDP traffic.
# the 1st IP is also used for UPnP Soap traffic.
listening_ip=192.168.0.1
port=5555

# bitrates reported by daemon in bits per second
bitrate_up=81920
bitrate_down=4194304

# default presentation url is http address on port 80
#presentation_url=

# report system uptime instead of daemon uptime
system_uptime=yes

# notify interval in seconds default is 30 seconds.
#notify_interval=240

# log packets in pf
#packet_log=no

# uuid : generated by the install a new one can be created with
# uuidgen
uuid=73c9083f-38b5-11dd-8bca-004063dfeebb

# UPnP permission rules
# (allow|deny) (external port range) ip/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# ip/mask format must be nn.nn.nn.nn/nn
allow 6881-6889 192.168.0.0/24 6881-6889
deny 0-65535 0.0.0.0/0 0-65535

My /etc/pf.conf is:
Code:
int_if = "vr1"
ext_if = "vr0"

tcp_services = "{ ssh, smtp, http, auth, imap, https, smtps, imaps, xmpp-client, xmpp-server }"
udp_services = "{ sip, 5004:5023 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat-anchor "ftp-proxy/*"
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr-anchor "miniupnpd"

# filter rules
block all

pass quick on lo0 all

block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) port > 49151 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

anchor "ftp-proxy/*"
anchor "miniupnpd"
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

My ifconfig output is:
Code:
vr0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:40:63:df:ee:bb
        inet6 fe80::240:63ff:fedf:eebb%vr0 prefixlen 64 scopeid 0x1
        inet WW.XX.YY.ZZ netmask 0xfffffc00 broadcast 255.255.255.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
vr1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=48<VLAN_MTU,POLLING>
        ether 00:40:63:df:ee:57
        inet6 fe80::240:63ff:fedf:ee57%vr1 prefixlen 64 scopeid 0x2
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> metric 0 mtu 1500
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33204
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
        inet 127.0.0.1 netmask 0xff000000
pfsync0: flags=0<> metric 0 mtu 1460
        syncpeer: 224.0.0.240 maxupd: 128

And my routing table:
Code:

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            82.14.32.1         UGS         0 10071714    vr0
WW.XX.YY.0/22      link#1             UC          0        0    vr0
WW.XX.YY.1         00:0f:35:44:10:01  UHLW        2        0    vr0    574
WW.XX.YY.ZZ        00:40:63:df:ee:bb  UHLW        1      860    lo0
127.0.0.1          127.0.0.1          UH          0  3122038    lo0
192.168.0.0/24     link#2             UC          0        0    vr1
192.168.0.1        00:40:63:df:ee:57  UHLW        1   688172    lo0

I have obscured my external IP address (WW.XX.YY.ZZ) but for general information my external interface is vr0 and is dynamically assigned (WW.XX.YY.ZZ), my internal interface is vr1 and is 192.168.0.1 on my local 192.168.0.0/24 network.

I currently only allow redirection of ports 6881-6889 in miniupnpd.conf for BitTorrent traffic.

Any suggestions on how to configure my miniupnpd.conf/pf.conf to eliminate these multicast-related error messages would be most appreciated.

Regards,
Neil Darlow
Back to top
View user's profile Send private message
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1593

PostPosted: Thu Nov 13, 2008 10:10 am    Post subject: Reply with quote

you should maybe add something like
Code:
pass out on $int_if from any to 239.255.255.250 keep state

in your pf.conf file.
or even
pass out on $int_if from any to any keep state
(at least temporarly for testing)
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
Back to top
View user's profile Send private message Visit poster's website
neildarlow



Joined: 12 Nov 2008
Posts: 2

PostPosted: Thu Nov 13, 2008 11:35 am    Post subject: Reply with quote

Thank you so much, that was exactly what was required.

I added the following to my /etc/pf.conf:
Code:
table <multicast> persist { 224/4 }
...
pass out on $int_if inet proto udp from any to <multicast> keep state

I know a table for a single IP subnet is probably overkill but it will allow for fine tuning at a later date.

Regards,
Neil Darlow
Back to top
View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    miniupnp.tuxfamily.org Forum Index -> miniupnpd Compilation/Installation All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB © 2001, 2005 phpBB Group
Protected by Anti-Spam ACP
© 2007 Thomas Bernard, author of MiniUPNP.