apz
Joined: 19 May 2013 Posts: 4 Location: Kouvola, Finland
|
Posted: Sun May 19, 2013 12:13 pm Post subject: Miniupnpd 1.8.1 with FreeBSD 9.1 and PF. |
|
|
Hi folks.
I have a FreeBSD 9.1 based system that acts as a firewall/NAT for my network.
The interface em0 uses DHCP and is for the internet connection, em1 is for LAN.
I recently switched from IPF to PF as the current Miniupnpd versions no longer worked with IPF. For some reason I can't seem to get the clients to see Miniupnpd any more. Miniupnpd v1.8.1 is built from FreeBSD ports, with PF support enabled.
I see Miniupnpd listening to its ports correctly:
---
# sockstat -4 -l | grep mini
root miniupnpd 78981 4 tcp4 *:24397 *:*
root miniupnpd 78981 6 udp4 *:1900 *:*
root miniupnpd 78981 7 udp4 192.168.1.28:15944 *:*
root miniupnpd 78981 9 udp4 192.168.1.28:5351 *:*
---
Running upnpc -s from the machine running Miniupnpd or any of the LAN machines, I get:
No IGD UPnP Device found on the network !
However, if I specify the NAT-machine's IP and proper port, upnpc seems to work:
---
$ upnpc -u 192.168.1.28:24397/igd.xml -s
upnpc : miniupnpc library test client. (c) 2006-2010 Thomas Bernard
for more information.
Found valid IGD : 192.168.1.28:24397/
Local LAN ip address : 192.168.1.1
Connection Type : IP_Routed
Status : Connected, uptime=140725s, LastConnectionError : ERROR_NONE
Time started : Fri May 17 23:16:37 2013
MaxBitRateDown : 524288 bps MaxBitRateUp 131072 bps
ExternalIPAddress = xxx.xxx.xxx.xxx
Bytes: Sent: 181096013 Recv: 4031495460
Packets: Sent: 1531348 Recv: 3062141
---
I've tried stripping the miniupnpd.conf to its bare minimum, even trying to allow all client IPs. I've also tried flushing all PF rules. Telnet connects to Miniupnpd's port from all clients.
--- miniupnpd.conf ---
ext_ifname=em0
listening_ip=192.168.1.28
port=0
enable_natpmp=yes
bitrate_up=131072
bitrate_down=524288
secure_mode=yes
system_uptime=yes
clean_ruleset_interval=600
packet_log=yes
uuid=[removed_from_this_post]
allow 1024-65000 192.168.1.0/24 1024-65000
deny 0-65535 0.0.0.0/0 0-65535
--- miniupnpd.conf ---
Any pointers where to look next?
(links mangled because of the forum's anti-spam system) |
|
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1592
|
Posted: Sun May 19, 2013 9:29 pm Post subject: |
|
|
I think the SSDP packets are filtered out by PF...
as written in the INSTALL file :
Code: | - some FreeBSD users reported that it is also necessary for them
to explicitly allow udp traffic on 239.0.0.0/8 by adding the two following
lines to /etc/pf.conf :
pass out on $int_if from any to 239.0.0.0/8 keep state
pass in on $int_if from any to 239.0.0.0/8 keep state
|
This information may need some updates (as pf has evolved since)
_________________ Main miniUPnP author.
https://miniupnp.tuxfamily.org/ |
|
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1592
|
Posted: Mon May 20, 2013 12:16 am Post subject: Re: Miniupnpd 1.8.1 with FreeBSD 9.1 and PF. |
|
|
apz wrote: | [...]
I have a FreeBSD 9.1 based system that acts as a firewall/NAT for my network.
The interface em0 uses DHCP and is for the internet connection, em1 is for LAN.
I recently switched from IPF to PF as the current Miniupnpd versions no longer worked with IPF.
[...] |
Indeed miniupnpd was only compatible with IPF 4.x.
I'm trying to add support for IPF 5.x
see https://github.com/miniupnp/miniupnp/commit/50cb93be4ad2465dbcf6e94ac1a60594cdecd375
_________________ Main miniUPnP author.
https://miniupnp.tuxfamily.org/ |
|
apz
Joined: 19 May 2013 Posts: 4 Location: Kouvola, Finland
|
Posted: Mon May 20, 2013 4:45 am Post subject: |
|
|
miniupnp wrote: | I think the SSDP packets are filtered out by PF...
as written in the INSTALL file :
Code: | - some FreeBSD users reported that it is also necessary for them
to explicitly allow udp traffic on 239.0.0.0/8 by adding the two following
lines to /etc/pf.conf :
pass out on $int_if from any to 239.0.0.0/8 keep state
pass in on $int_if from any to 239.0.0.0/8 keep state
|
This information may need some updates (as pf has evolved since) |
I added those lines, but it didn't change anything. Then again, flushing all rules from the PF didn't help either. |
|
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1592
|
Posted: Mon May 20, 2013 9:53 am Post subject: |
|
|
apz wrote: | miniupnp wrote: | I think the SSDP packets are filtered out by PF...
as written in the INSTALL file :
Code: | - some FreeBSD users reported that it is also necessary for them
to explicitly allow udp traffic on 239.0.0.0/8 by adding the two following
lines to /etc/pf.conf :
pass out on $int_if from any to 239.0.0.0/8 keep state
pass in on $int_if from any to 239.0.0.0/8 keep state
|
This information may need some updates (as pf has evolved since) |
I added those lines, but it didn't change anything. Then again, flushing all rules from the PF didn't help either. |
It is the SSDP packets that are "blocked". To see where they are blocked, use tcpdump/wireshark on several machines on your LAN (the router, the client):
Code: | $ sudo tcpdump -n -i <interface> -A port 1900 |
You should see something like:
Code: |
11:49:58.352300 IP 192.168.10.109.47089 > 239.255.255.250.1900: UDP, length 137
E.....@....8..
m.......l....M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
MAN: "ssdp:discover"
MX: 2
11:49:58.413687 IP 192.168.10.254.1900 > 192.168.10.109.47089: UDP, length 303
E..K..@.@.....
...
m.l...7m.HTTP/1.1 200 OK
SERVER: Linux/2.6 UPnP/1.0 fbxigdd/1.0
LOCATION: http://192.168.10.254:5678/desc/root
EXT:
CACHE-CONTROL: max-age=1800
ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
USN: uuid:igdxxxxxxxxx::urn:schemas-upnp-org:device:InternetGatewayDevice:1
|
_________________ Main miniUPnP author.
https://miniupnp.tuxfamily.org/ |
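A small probe that sends the same M-SEARCH shown in the capture above and parses the replies; run it on the router, the VM host and a client in turn, alongside tcpdump, to see where discovery stops. This is an added example, not part of the original posts or of miniupnp's own code; the function names and the sample reply are constructed for illustration.

```python
import socket
import sys

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

def build_msearch(st=IGD_ST, mx=2):
    """Build the same M-SEARCH datagram that appears in the capture."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
             f"ST: {st}", 'MAN: "ssdp:discover"', f"MX: {mx}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_ssdp_response(data):
    """Return (status, headers) for an HTTP-over-UDP reply, or None otherwise."""
    lines = data.decode("utf-8", errors="replace").splitlines()
    parts = lines[0].split(None, 2) if lines else []
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    headers = {}
    for line in lines[1:]:
        if not line:
            break  # end of the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return int(parts[1]), headers

def discover(local_ip, timeout=3.0):
    """Send one M-SEARCH out of local_ip; return [(responder_ip, LOCATION)]."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # Pin the outgoing multicast interface, which matters on multi-homed hosts.
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(local_ip))
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
        s.bind((local_ip, 0))
        s.settimeout(timeout)
        s.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        try:
            while True:
                data, (addr, _port) = s.recvfrom(2048)
                parsed = parse_ssdp_response(data)
                if parsed and parsed[0] == 200:
                    found.append((addr, parsed[1].get("LOCATION")))
        except socket.timeout:
            pass  # no more replies within the window
    return found

# Constructed sample reply, modelled on the 200 OK in the capture above.
SAMPLE = (b"HTTP/1.1 200 OK\r\nLOCATION: http://192.168.10.254:5678/desc/root\r\n"
          b"EXT:\r\nST: " + IGD_ST.encode() + b"\r\n\r\n")

if __name__ == "__main__":
    print(discover(sys.argv[1]) or "no IGD answered the M-SEARCH")
```

Pass the LAN-side address of the machine you run it on as the only argument; an empty result while a unicast `upnpc -u` still works points at multicast delivery rather than at miniupnpd.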
|
apz
Joined: 19 May 2013 Posts: 4 Location: Kouvola, Finland
|
Posted: Thu May 23, 2013 4:53 am Post subject: |
|
|
After some debugging, I think I've pinpointed where the packages disappear.
The machine running Miniupnpd is a virtual machine running on KVM. The packages are last seen in the bridge device of the KVM host. |
|
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1592
|
Posted: Thu May 23, 2013 5:23 pm Post subject: |
|
|
apz wrote: | After some debugging, I think I've pinpointed where the packages disappear.
The machine running Miniupnpd is a virtual machine running on KVM. The packages are last seen in the bridge device of the KVM host. |
It is very possible that multicast packets are not properly "bridged" by the KVM. Using multicast is not very common.
_________________ Main miniUPnP author.
https://miniupnp.tuxfamily.org/ |
|
apz
Joined: 19 May 2013 Posts: 4 Location: Kouvola, Finland
|
Posted: Sun May 26, 2013 10:43 am Post subject: |
|
|
I found a solution to the problem. It wasn't FreeBSD, but a bridging problem on the KVM host machine. This will also work if the virtual machine running Miniupnpd is Linux or another supported OS.
I installed the smcroute daemon on the KVM host.
br0 is the bridge from the virtual machines to LAN. I used the following smcroute startup commands:
Code: | echo 0 > /sys/devices/virtual/net/br0/bridge/multicast_snooping
smcroute -j br0 239.255.255.250
smcroute -a br0 0.0.0.0 239.255.255.250 br0 |
After that the consoles and other upnp enabled devices finally worked as expected. Thanks for debugging help! |
|