miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
 

Miniupnpd 1.8.1 with FreeBSD 9.1 and PF.

 
apz



Joined: 19 May 2013
Posts: 4
Location: Kouvola, Finland

Posted: Sun May 19, 2013 12:13 pm    Post subject: Miniupnpd 1.8.1 with FreeBSD 9.1 and PF.

Hi folks.

I have a FreeBSD 9.1 based system that acts as a firewall/NAT for my network.
The interface em0 uses DHCP and is for the internet connection, em1 is for LAN.

I recently switched from IPF to PF as the current Miniupnpd versions no longer worked with IPF. For some reason I can't seem to get the clients to see Miniupnpd any more. Miniupnpd v1.8.1 is built from FreeBSD ports, with PF support enabled.

I see Miniupnpd listening to its ports correctly:

---
# sockstat -4 -l | grep mini
root miniupnpd 78981 4 tcp4 *:24397 *:*
root miniupnpd 78981 6 udp4 *:1900 *:*
root miniupnpd 78981 7 udp4 192.168.1.28:15944 *:*
root miniupnpd 78981 9 udp4 192.168.1.28:5351 *:*
---

Running upnpc -s from the machine running Miniupnpd or any of the LAN machines, I get:
No IGD UPnP Device found on the network !

However, if I specify the NAT-machine's IP and proper port, upnpc seems to work:

---
$ upnpc -u 192.168.1.28:24397/igd.xml -s
upnpc : miniupnpc library test client. (c) 2006-2010 Thomas Bernard
for more information.
Found valid IGD : 192.168.1.28:24397/
Local LAN ip address : 192.168.1.1
Connection Type : IP_Routed
Status : Connected, uptime=140725s, LastConnectionError : ERROR_NONE
Time started : Fri May 17 23:16:37 2013
MaxBitRateDown : 524288 bps MaxBitRateUp 131072 bps
ExternalIPAddress = xxx.xxx.xxx.xxx
Bytes: Sent: 181096013 Recv: 4031495460
Packets: Sent: 1531348 Recv: 3062141
---

I've tried stripping the miniupnpd.conf to its bare minimum, even trying to allow all client IPs. I've also tried flushing all PF rules. Telnet connects to Miniupnpd's port from all clients.

--- miniupnpd.conf ---
ext_ifname=em0
listening_ip=192.168.1.28
port=0
enable_natpmp=yes
bitrate_up=131072
bitrate_down=524288
secure_mode=yes
system_uptime=yes
clean_ruleset_interval=600
packet_log=yes
uuid=[removed_from_this_post]
allow 1024-65000 192.168.1.0/24 1024-65000
deny 0-65535 0.0.0.0/0 0-65535
--- miniupnpd.conf ---

Any pointers where to look next?

(links mangled because of the forum's anti-spam system)
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Sun May 19, 2013 9:29 pm

I think the SSDP packets are filtered out by PF...
as written in the INSTALL file :
Code:
- some FreeBSD users reported that it is also necessary for them
  to explicitly allow udp traffic on 239.0.0.0/8 by adding the two following
  lines to /etc/pf.conf :
   pass out on $int_if from any to 239.0.0.0/8 keep state
   pass in on $int_if from any to 239.0.0.0/8 keep state

This information may need some updates (as pf has evolved since)
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Mon May 20, 2013 12:16 am    Post subject: Re: Miniupnpd 1.8.1 with FreeBSD 9.1 and PF.

apz wrote:
[...]
I have a FreeBSD 9.1 based system that acts as a firewall/NAT for my network.
The interface em0 uses DHCP and is for the internet connection, em1 is for LAN.

I recently switched from IPF to PF as the current Miniupnpd versions no longer worked with IPF.
[...]

Indeed miniupnpd was only compatible with IPF 4.x.
I'm trying to add support for IPF 5.x
see https://github.com/miniupnp/miniupnp/commit/50cb93be4ad2465dbcf6e94ac1a60594cdecd375
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
apz



Joined: 19 May 2013
Posts: 4
Location: Kouvola, Finland

Posted: Mon May 20, 2013 4:45 am

miniupnp wrote:
I think the SSDP packets are filtered out by PF...
as written in the INSTALL file :
Code:
- some FreeBSD users reported that it is also necessary for them
  to explicitly allow udp traffic on 239.0.0.0/8 by adding the two following
  lines to /etc/pf.conf :
   pass out on $int_if from any to 239.0.0.0/8 keep state
   pass in on $int_if from any to 239.0.0.0/8 keep state

This information may need some updates (as pf has evolved since)

I added those lines, but it didn't change anything. Then again, flushing all rules from the PF didn't help either.
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Mon May 20, 2013 9:53 am

apz wrote:
miniupnp wrote:
I think the SSDP packets are filtered out by PF...
as written in the INSTALL file :
Code:
- some FreeBSD users reported that it is also necessary for them
  to explicitly allow udp traffic on 239.0.0.0/8 by adding the two following
  lines to /etc/pf.conf :
   pass out on $int_if from any to 239.0.0.0/8 keep state
   pass in on $int_if from any to 239.0.0.0/8 keep state

This information may need some updates (as pf has evolved since)

I added those lines, but it didn't change anything. Then again, flushing all rules from the PF didn't help either.

It is the SSDP packets that are "blocked". To see where they are blocked, use tcpdump/wireshark on several machines on your LAN (the router, the client)
Code:
$ sudo tcpdump -n -i <interface> -A port 1900


You should see something like:
Code:

11:49:58.352300 IP 192.168.10.109.47089 > 239.255.255.250.1900: UDP, length 137
E.....@....8..
m.......l....M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
MAN: "ssdp:discover"
MX: 2


11:49:58.413687 IP 192.168.10.254.1900 > 192.168.10.109.47089: UDP, length 303
E..K..@.@.....
...
m.l...7m.HTTP/1.1 200 OK
SERVER: Linux/2.6 UPnP/1.0 fbxigdd/1.0
LOCATION: http://192.168.10.254:5678/desc/root
EXT:
CACHE-CONTROL: max-age=1800
ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
USN: uuid:igdxxxxxxxxx::urn:schemas-upnp-org:device:InternetGatewayDevice:1

_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
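
The symptom in this thread (unicast `upnpc -u` works while multicast discovery finds nothing) can be checked by sending the M-SEARCH from the capture above both to the SSDP group and directly to the router. This is an added example, not part of the original posts or of miniupnp's code; the function names are hypothetical, and it assumes the daemon also answers an M-SEARCH sent to its unicast address on udp 1900.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"

# All function names below are hypothetical helpers for this example.
def build_msearch(st=IGD_ST, mx=2):
    """Same M-SEARCH request as in the tcpdump capture above."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
            f"ST: {st}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n\r\n").encode("ascii")

def parse_ssdp_reply(data):
    """Return headers (upper-cased names) of an HTTP/1.1 200 reply, else None."""
    head, _, rest = data.decode("latin-1").partition("\r\n")
    if head.split()[:2] != ["HTTP/1.1", "200"]:
        return None
    fields = (line.partition(":") for line in rest.split("\r\n"))
    return {k.strip().upper(): v.strip() for k, sep, v in fields if sep}

def probe(dest, timeout=3.0):
    """Send one M-SEARCH to dest (ip, port); return (peer, LOCATION) of IGD replies."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_msearch(), dest)
        try:
            while True:
                data, peer = s.recvfrom(2048)
                hdrs = parse_ssdp_reply(data)
                if hdrs and hdrs.get("ST") == IGD_ST:
                    found.append((peer[0], hdrs.get("LOCATION", "")))
        except socket.timeout:
            pass  # no more replies within the timeout
    return found

def diagnose(multicast_hits, unicast_hits):
    """Classify the two probe results the way the thread narrows the fault."""
    if multicast_hits:
        return "discovery works"
    if unicast_hits:
        return "daemon answers unicast; multicast is lost on the path"
    return "no SSDP answer at all; check that the daemon listens on udp 1900"

if __name__ == "__main__":
    # 192.168.1.28 is the listening_ip from the miniupnpd.conf in the first post
    print(diagnose(probe(SSDP_GROUP), probe(("192.168.1.28", 1900))))
```

Run it from a LAN client; combined with tcpdump on each hop, the result tells you whether to look at the daemon or at the network between client and router.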
apz



Joined: 19 May 2013
Posts: 4
Location: Kouvola, Finland

Posted: Thu May 23, 2013 4:53 am

After some debugging, I think I've pinpointed where the packages disappear.

The machine running Miniupnpd is a virtual machine running on KVM. The packages are last seen in the bridge device of the KVM host.
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Thu May 23, 2013 5:23 pm

apz wrote:
After some debugging, I think I've pinpointed where the packages disappear.

The machine running Miniupnpd is a virtual machine running on KVM. The packages are last seen in the bridge device of the KVM host.

It is very possible that multicast packets are not properly "bridged" by the KVM. Using multicast is not very common.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
apz



Joined: 19 May 2013
Posts: 4
Location: Kouvola, Finland

Posted: Sun May 26, 2013 10:43 am

I found a solution to the problem. It wasn't FreeBSD, but a bridging problem on the KVM host machine. This will also work if the virtual machine running Miniupnpd is Linux or other supported OS.

I installed the smcroute daemon on the KVM host.

br0 is the bridge from the virtual machines to LAN. I used the following smcroute startup commands:

Code:
echo 0 > /sys/devices/virtual/net/br0/bridge/multicast_snooping
smcroute -j br0 239.255.255.250
smcroute -a br0 0.0.0.0 239.255.255.250 br0


After that the consoles and other upnp enabled devices finally worked as expected. Thanks for debugging help!
All times are GMT
© 2007 Thomas Bernard, author of MiniUPNP.