miniupnp.tuxfamily.org Forum Index miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp
 

OpenBSD rdomain support?

 
basis0



Joined: 04 Jul 2016
Posts: 3

Posted: Mon Jul 04, 2016 5:06 pm    Post subject: OpenBSD rdomain support?

I'm working on the design for a new network that requires UPnP devices to be placed into a DMZ. This DMZ will run on separate physical hardware, cabling, etc., and the firewall will use OpenBSD rdomains on separate physical interfaces to completely isolate the DMZ from the other internal network and the internet.

As part of this, however, the miniupnp software will need to run with the internal (DMZ) and internet interfaces in isolated rdomains. PF can already do this and allows for packets to be "stolen" across the domains, but miniupnpd requires both the internal and external interfaces for it to operate (though I'm unclear on what each is being used for).

So the question is if miniupnp will be able to run correctly in this type of setup? Thanks for your help!

-Jason
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Mon Jul 04, 2016 5:36 pm

Your network setup is not clear to me. Could you be more explicit?
miniupnpd needs to run on the firewall (because its job is to add port mappings to the firewall!), but are you talking about other UPnP devices?

Maybe you just need to add the rdomain option on the miniupnpd anchor?

The difficult thing may be to get SSDP (discovery) working properly, because it uses multicast.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
basis0



Joined: 04 Jul 2016
Posts: 3

Posted: Mon Jul 04, 2016 6:03 pm

Sorry about the confusion, let me see if I can clear it up. This is the firewall itself, as you are correct about Miniupnp needing to be on the firewall to correctly open rules. The devices I mean are a client's gaming consoles, which will exist in the DMZ network with full isolation from the other internal network. The configuration will look like this:

Interface em0 connects to the internet and is in rdomain 0 using dhcp

Interface em1 connects to the dmz and is in rdomain 1 with static IP of 192.168.1.1

Interface em2 connects to the rest of the internal network and is in rdomain 2 with static IP of 192.168.0.1

Now because of the above the miniupnp configuration will need:

ext_ifname=em0
listening_ip=192.168.1.1

Thus the single process is going to be running with two interfaces in separate rdomains, which, depending on what miniupnp is doing with those interfaces, may not work as they're in separate routing tables. The question is: can miniupnpd run like this?

Let me know if any other information will help. Thank you for your assistance!
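A preflight check for the layout described in the post above, as an added example that is not part of the thread or of miniupnpd: it reads `ext_ifname` and `listening_ip` from a miniupnpd.conf and reports which rdomain each one sits in, based on `ifconfig` output. The sample inputs, the 203.0.113.10 address and the function names are constructed, and the `rdomain N` flags-line format is assumed to match OpenBSD's `ifconfig`.

```python
import re

# Constructed inputs mirroring the post above; 203.0.113.10 is a
# documentation-range placeholder for the DHCP lease on em0.
SAMPLE_CONF = "ext_ifname=em0\nlistening_ip=192.168.1.1\n"
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
\tinet 203.0.113.10 netmask 0xffffff00 broadcast 203.0.113.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> rdomain 1 mtu 1500
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
em2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> rdomain 2 mtu 1500
\tinet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
"""

def parse_ifconfig(text):
    """Map ifname -> {"rdomain", "addrs"}; no rdomain keyword is taken as 0."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"(\w+): flags=\S+(.*)", line)
        if head:
            rd = re.search(r"\brdomain (\d+)", head.group(2))
            cur = ifaces[head.group(1)] = {
                "rdomain": int(rd.group(1)) if rd else 0, "addrs": set()}
        elif cur is not None and (inet := re.match(r"\s+inet (\S+)", line)):
            cur["addrs"].add(inet.group(1))
    return ifaces

def parse_conf(text):
    """Map miniupnpd.conf key -> list of values (listening_ip may repeat)."""
    conf = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#") and "=" in line:
            key, val = line.split("=", 1)
            conf.setdefault(key.strip(), []).append(val.strip())
    return conf

def rdomain_report(conf_text, ifconfig_text):
    """Return (ext rdomain, {listening_ip: rdomain or None}, crosses_rdomains)."""
    conf, ifaces = parse_conf(conf_text), parse_ifconfig(ifconfig_text)
    ext = ifaces[conf["ext_ifname"][0]]["rdomain"]
    lan = {}
    for val in conf.get("listening_ip", []):
        host = val.split("/")[0]  # accept an address, address/mask or ifname
        hit = [i for n, i in ifaces.items() if n == host or host in i["addrs"]]
        lan[val] = hit[0]["rdomain"] if hit else None  # None: no interface found
    return ext, lan, any(rd != ext for rd in lan.values())

if __name__ == "__main__":
    print(rdomain_report(SAMPLE_CONF, SAMPLE_IFCONFIG))
```

A `True` in the last field means the daemon's external and listening sides are in different routing domains, which is the case this thread asks about.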
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Mon Jul 04, 2016 7:38 pm

Quote:
ext_ifname=em0
listening_ip=192.168.1.1

(I guess there is NAT configured for em1 => em0)
I don't see why miniupnpd won't work like this.
Just test and tell me if something is wrong.
basis0



Joined: 04 Jul 2016
Posts: 3

Posted: Mon Jul 04, 2016 7:50 pm

Yes, there will be NAT for em1 <-> em0 and NAT for em2 <-> em0.

Isolated rdomains make it so em1 cannot talk to em2 unless I configured pf to steal the packet across, which I won't.

This is a remote installation, so I'm trying to plan it all in advance of the install; it'll be this fall before I try it out, so I was hoping to get these answers beforehand. I'll try it out in a test environment in advance and see if it works and let you know. Thanks!
miniupnp
Site Admin


Joined: 14 Apr 2007
Posts: 1589

Posted: Mon Jul 04, 2016 8:06 pm

Well, it should work, but you're the only one able to confirm this!
All times are GMT

 
© 2007 Thomas Bernard, author of MiniUPNP.