survient
Joined: 01 Sep 2019 Posts: 2
Posted: Sun Sep 01, 2019 12:22 am Post subject: multiple ipv6 addresses
I'm in the process of converting some helper scripts for a service that does not natively support UPNP with IPv6, from using direct firewall rule modifications on my local gateway to instead using UPNP, and I'm running into a snag with regard to which IPv6 address to use. All clients on my network have at least 2 if not more public IPv6 addresses, and from a design perspective I can't determine whether the intent is to create pinhole rules for every IPv6 address or just a single address. For doing multiple IPs I run into an issue with upnpc if the IP being provided doesn't match the "Local LAN ip address":
Code:
$ upnpc -6 -A "" 0 1234::5678 12345 tcp 120
upnpc : miniupnpc library test client, version 2.1.
(c) 2005-2018 Thomas Bernard.
for more information.
List of UPNP devices found on the network :
desc: :||[1234::1]:54321|rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1
desc: 4.3.2.1:8443|upnp
st: upnp:rootdevice
Found valid IGD : [1234::1]:54321|ctl|IPConn
Local LAN ip address : 1234::ABCD
AddPinhole([]:0 -> [1234::5678]:12345) failed with code 606 (Action not authorized)
In that example the LAN IP is detected as 1234::ABCD, but I'm trying to add a pinhole for a secondary IP on the box of 1234::5678. My gateway device has secure_mode=no, so I'm not sure if this is expected or not.
Alternatively, if the UPNP design with IPv6 is only intended to pinhole one IP, then what is the method to determine which IP that is?
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Sun Sep 01, 2019 10:10 pm Post subject:
1) secure_mode in miniupnpd is only used for IPv4 PortMappings.
2) upnpc tries to reach the UPnP IGD by opening a socket without specifying any IP address. So it is the default one that is used. It all depends on your routing table.
3) Please have a look at the syslog for miniupnpd to check why the pinhole is rejected.
Spec for AddPinhole: http://upnp.org/specs/gw/UPnP-gw-WANIPv6FirewallControl-v1-Service.pdf
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
survient
Joined: 01 Sep 2019 Posts: 2
Posted: Mon Sep 02, 2019 12:51 am Post subject:
Thanks. Here is what I'm seeing:
miniupnpd[16461]: Client 1234::ABCD tried to access pinhole for internal 1234::5678 and is not authorized to do it
miniupnpd[16461]: Returning UPnPError 606: Action not authorized
miniupnpd[16461]: level=0 type=8
Based on the standards document regarding "AddPinhole()", it states:
"[IGD2] RECOMMENDS access control requirements and authentication levels to be applied by default for
this action. However, devices MAY choose a different security policy.
In particular, [IGD2] RECOMMENDS that unauthenticated and unauthorized control points are only
allowed to invoke this action with:
• InternalPort value greater than or equal to 1024,
• InternalClient value equals to the control point's IP address.
It is REQUIRED that InternalClient cannot be one of IPv6 addresses used by the gateway. "
This lines up pretty closely with what the "secure_mode" option is supposed to address for IPv4.
What I'm having trouble wrapping my head around is the intended design for a client service in this regard: to only make use of the default IPv6 address, or to try and open up pinholes for each public IPv6 address assigned to a device. If I had to guess, it seems like it's supposed to just try and figure out the default IP and use that, ensuring the only IP it "publishes" to an external service is this default, but there don't appear to be a lot of examples to compare against.
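As an added example (not miniupnpd's or upnpc's code), here is the IGD2 default AddPinhole policy quoted above applied to the request from the first post, plus the routing-table source-address lookup the first reply describes, which a helper script can use to pick its InternalClient value. The gateway address 1234::1 is taken from the upnpc output in the thread; the IGD port used by the lookup helper is an assumption.

```python
"""IGD2 default AddPinhole authorization check, replaying the thread's case:
control point 1234::ABCD asks for a pinhole to InternalClient 1234::5678 and
receives UPnPError 606. Example code, not part of miniupnpd."""
import ipaddress
import socket

# Addresses the gateway itself uses; constructed from the IGD seen in the thread.
GATEWAY_ADDRS = {ipaddress.IPv6Address("1234::1")}

UPNP_OK = 0
UPNP_ERR_NOT_AUTHORIZED = 606  # "Action not authorized"


def authorize_add_pinhole(control_point, internal_client, internal_port,
                          gateway_addrs=GATEWAY_ADDRS):
    """Return (error_code, reason) following the [IGD2] RECOMMENDED defaults
    for unauthenticated control points: InternalPort >= 1024, InternalClient
    equal to the control point's own address, and never a gateway address."""
    cp = ipaddress.IPv6Address(control_point)
    client = ipaddress.IPv6Address(internal_client)
    if client in gateway_addrs:  # REQUIRED by the spec, regardless of policy
        return UPNP_ERR_NOT_AUTHORIZED, "InternalClient is a gateway address"
    if internal_port < 1024:
        return UPNP_ERR_NOT_AUTHORIZED, "InternalPort below 1024"
    if client != cp:  # this is the branch the thread's syslog line reports
        return UPNP_ERR_NOT_AUTHORIZED, (
            f"Client {cp} tried to access pinhole for internal {client}")
    return UPNP_OK, "pinhole allowed"


def default_source_address(igd_addr, igd_port=54321):
    """Return the address a helper script should pass as InternalClient: the
    source address the routing table selects toward the IGD. Connecting a UDP
    socket sends no packet but resolves the route, mirroring the unbound
    socket upnpc opens. igd_port is an assumed value."""
    with socket.socket(socket.AF_INET6, socket.SOCK_DGRAM) as s:
        s.connect((igd_addr, igd_port))
        return s.getsockname()[0]


if __name__ == "__main__":
    for client, port in [("1234::5678", 12345), ("1234::ABCD", 12345),
                         ("1234::ABCD", 443), ("1234::1", 12345)]:
        print(client, port, authorize_add_pinhole("1234::ABCD", client, port))
```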
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Mon Sep 02, 2020 8:08 pm Post subject:
You have to remember the UPnP IGD design context. It is designed so a program on a host in your LAN can request a port to be opened automatically.
That's useful for P2P programs.
In that case, I don't understand what the "several IPs" scenario is.
The program will detect the "default" IP and use it for requesting the PinHole, but also to receive inbound connections, etc.
There is no use in using several Global addresses.
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
mark
Joined: 21 Jul 2020 Posts: 2 Location: UK
Posted: Tue Jul 21, 2020 12:51 pm Post subject: multiple ipv6 addresses
IPv6 allows, and often requires, multiple addresses on the same interface. This is more difficult in IPv4, although not always impossible.
What it means is that a host configured with multiple addresses on a single interface will receive traffic destined for any of those addresses. From the perspective of a layer-4 protocol, e.g. TCP, the host can have separate connections using the same TCP address (port) on the same interface because the IP addresses are different.
There are many reasons that this may be configured. If the networks are different, then someone may want the host to serve different networks, e.g. DHCP. If the networks are the same, then it may be due to the obfuscation of IP addressing by Privacy Extensions and Random Addressing that many OSes now employ.
With Cisco, to use multiple IPv4 networks on the same router interface, you must use secondary addressing, and this has some routing protocol limitations. With IPv6, you can simply assign different networks to the same interface, and the routing protocols will work with them all. This doesn't replace the subinterface concept that is often used for VLANs, because the different networks will all be on the same layer-2 broadcast domain.
Thank You
Mark
miniupnp Site Admin
Joined: 14 Apr 2007 Posts: 1593
Posted: Thu Aug 06, 2020 5:12 pm Post subject:
UPnP is designed to hide implementation details from the user, so the use case of hosting several services on several IP addresses, etc. is very much out of context.
For such use, you will configure everything manually.
UPnP is for use in a context where the host computer has its IP automatically assigned and is connected to 1 LAN. In that context, there is only 1 IPv6 globally routable address (but there are of course a link-local address and potentially unique local addresses).
Main miniUPnP author.
https://miniupnp.tuxfamily.org/