miniupnp.tuxfamily.org - The forum about miniupnp and libnatpmp
Forum: miniupnpd Bugs

upnp and natpmp issues

maul (Joined: 14 Feb 2011, Posts: 2)
Posted: Mon Feb 14, 2011 6:16 pm    Post subject: upnp and natpmp issues

Hi everyone!
I'm setting up a FreeBSD box to be used as my router/NAS/server/whatever.
My network isn't the simplest, but right now I've connected this machine (called "goldie") to my cable modem directly and want to set up a few simple things.

The setup:
deluge (torrent client) running on goldie
custom firewall rules (pf) on goldie (blocks everything from the outside, also NATs but that shouldn't matter right now)
miniupnpd on goldie that would allow deluge to set up port forwards automatically (this is the part that's not working)

The problem:
From deluge's logs I see that it is trying to use both upnp and natpmp to set up port forwarding and neither works. So I tried running upnpc by hand and it actually worked - even NATing to a pc on the other ethernet interface. From this I figured deluge's upnp implementation must be broken. I upgraded deluge to the newest svn version but that didn't help. So I thought even if upnp doesn't work, natpmp should. However running natpmpc by hand gives an error:

Quote:

[root@goldie /home/maul]# natpmpc
initnatpmp() returned 0 (SUCCESS)
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned -7 (FAILED)
readnatpmpresponseorretry() failed : the gateway does not support nat-pmp
errno=61 'Connection refused'


Here's what I noticed: natpmpc sent packets on the external interface. Tcpdump showed that I'm sending myself packets directly. I'm not sure if that's normal. Anyway, I tried disabling pf or removing the rules that block all incoming traffic on this interface but that didn't change much. Once I got a few different packets (12 bytes instead of 2) but ultimately natpmpc reported failure. I upgraded miniupnpd to the newest version as well but that didn't change much.

Here's my pf.conf:
Quote:


#macro

ext_if="rl0"
int_if="re0"

portforwards = "{ 3344 }"
portprotos = " {tcp, udp }"

#table <spamd-white> persist

privnets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

#options

#scrub

scrub on $ext_if no-df

#nat

nat on $ext_if from $int_if:network to any -> ($ext_if) static-port
rdr pass on $ext_if proto $portprotos from any to ($ext_if) port $portforwards -> 192.168.66.4

rdr-anchor "miniupnpd"

#filter

block all
pass quick on lo0 all
pass quick on $int_if all

pass quick proto icmp all

antispoof for $ext_if
antispoof for $int_if



#block drop in on $ext_if from $privnets to any
#block drop in on $ext_if from any to $privnets
block drop in on $ext_if from any to any

pass in on $ext_if from ($ext_if) to any
pass in on $ext_if proto $portprotos from any port $portforwards to 192.168.66.4

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if all

anchor "miniupnpd"


my miniupnpd.conf:
Quote:


# WAN network interface
#ext_ifname=eth0
ext_ifname=rl0
# if the WAN interface has several IP addresses, you
# can specify the one to use below
#ext_ip=

# LAN network interfaces IPs / networks
# there can be multiple listening ips for SSDP traffic.
# should be under the form nnn.nnn.nnn.nnn/nn
# HTTP is available on all interfaces
# When MULTIPLE_EXTERNAL_IP is enabled, the external ip
# address associated with the subnet follows. for example :
# listening_ip=192.168.0.1/24 88.22.44.13
#listening_ip=192.168.0.1/24
#listening_ip=192.168.1.1/24
listening_ip=192.168.66.1

# port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.
port=0

# path to the unix socket used to communicate with MiniSSDPd
# If running, MiniSSDPd will manage M-SEARCH answering.
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock

# enable NAT-PMP support (default is no)
enable_natpmp=yes

# enable UPNP support (default is yes)
enable_upnp=yes

# chain names for netfilter (not used for pf or ipf).
# default is MINIUPNPD for both
#upnp_forward_chain=forwardUPnP
#upnp_nat_chain=UPnP

# lease file location
#lease_file=/var/log/upnp.leases

# bitrates reported by daemon in bits per second
bitrate_up=1000000
bitrate_down=10000000

# "secure" mode : when enabled, UPnP client are allowed to add mappings only
# to their IP.
#secure_mode=yes
secure_mode=no

# default presentation url is http address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
# from displaying an icon in the "Network Connections" panel.
#presentation_url=http://www.mylan/index.php

# report system uptime instead of daemon uptime
system_uptime=yes

# notify interval in seconds. default is 30 seconds.
#notify_interval=240
notify_interval=60

# unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
#clean_ruleset_threshold=10
# clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600

# log packets in pf
#packet_log=no

# ALTQ queue in pf
# filter rules must be used for this to be used.
# compile with PF_ENABLE_FILTER_RULES (see config.h file)
#queue=queue_name1

# tag name in pf
#tag=tag_name1

# make filter rules in pf quick or not. default is yes
# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
#quickrules=no

# uuid : generate your own with "make genuuid"
uuid=afa88d5e-3858-11e0-91b8-7071bcb07bff

# serial and model number the daemon will report to clients
# in its XML description
serial=12345678
model_number=1

# UPnP permission rules
# (allow|deny) (external port range) ip/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# ip/mask format must be nn.nn.nn.nn/nn
# it is advised to only allow redirection of port above 1024
# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
#allow 1024-65535 192.168.0.0/24 1024-65535
#allow 1024-65535 192.168.1.0/24 1024-65535
#allow 1024-65535 192.168.0.0/23 22
#allow 12345 192.168.7.113/32 54321
allow 0-65535 0.0.0.0/0 0-65535


I'm not really sure about either of these; I'm quite new to FreeBSD and networking at this level.
Anyway, if someone could help me I'd really appreciate it.
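The natpmpc exchange quoted above, as an added example that is not part of the original post and is not code from libnatpmp or miniupnpd: a minimal NAT-PMP (RFC 6886) codec and client in Python. It shows the 2-byte public-address request natpmpc sends first, the 12-byte reply a NAT-PMP gateway returns (the "12 bytes instead of 2" seen in tcpdump), the 12/16-byte mapping request and reply that a client such as deluge would use for port 3344, and the retry-with-doubling-timeout loop. The UDP socket is connect()ed to the gateway, which is what makes an ICMP port unreachable from a host that is not running a NAT-PMP server surface as ECONNREFUSED, the errno 61 'Connection refused' in the output above. Finding the gateway (natpmpc reads the default route) is left to the caller. The reply bytes, the address 203.0.113.7 and the epoch value are constructed sample data.

```python
"""Minimal NAT-PMP (RFC 6886) codec and client. Added example; not code from
the original post, libnatpmp or miniupnpd. Sample replies are constructed."""
import socket
import struct

NATPMP_PORT = 5351
NATPMP_VERSION = 0
OP_PUBLIC_ADDRESS = 0   # request opcode 0; reply opcode 128 (0x80)
OP_MAP_UDP = 1          # reply opcode 129
OP_MAP_TCP = 2          # reply opcode 130

# Result codes from RFC 6886 section 3.5.
RESULT_CODES = {
    0: "Success",
    1: "Unsupported Version",
    2: "Not Authorized/Refused",
    3: "Network Failure",
    4: "Out of resources",
    5: "Unsupported opcode",
}


class NATPMPError(Exception):
    """The gateway answered, but with a non-zero result code."""
    def __init__(self, code):
        self.code = code
        super().__init__("NAT-PMP result %d: %s"
                         % (code, RESULT_CODES.get(code, "unknown")))


def build_public_address_request():
    """The 2-byte packet natpmpc sends first: version 0, opcode 0."""
    return struct.pack("!BB", NATPMP_VERSION, OP_PUBLIC_ADDRESS)


def build_mapping_request(opcode, internal_port, external_port=0, lifetime=3600):
    """12-byte mapping request: version, opcode, 2 reserved bytes, internal
    port, suggested external port (0 = let the gateway pick), lifetime (s)."""
    if opcode not in (OP_MAP_UDP, OP_MAP_TCP):
        raise ValueError("opcode must be 1 (UDP) or 2 (TCP)")
    return struct.pack("!BBHHHI", NATPMP_VERSION, opcode, 0,
                       internal_port, external_port, lifetime)


def parse_response(data, expected_opcode):
    """Decode a gateway reply. Rejects replies whose version or opcode do not
    match the request that was sent; raises NATPMPError on a non-zero result."""
    if len(data) < 8:
        raise ValueError("reply shorter than the 8-byte common header")
    version, opcode, result, epoch = struct.unpack("!BBHI", data[:8])
    if version != NATPMP_VERSION:
        raise ValueError("unexpected NAT-PMP version %d" % version)
    if opcode != (expected_opcode | 0x80):
        raise ValueError("opcode %d does not answer request opcode %d"
                         % (opcode, expected_opcode))
    if result != 0:
        raise NATPMPError(result)
    if opcode == 0x80:
        # Public address reply: 8-byte header + 4-byte external IPv4 = 12 bytes.
        if len(data) != 12:
            raise ValueError("public address reply must be 12 bytes")
        return {"epoch": epoch, "external_ip": socket.inet_ntoa(data[8:12])}
    # Mapping reply: header + internal port, external port, lifetime = 16 bytes.
    if len(data) != 16:
        raise ValueError("mapping reply must be 16 bytes")
    internal, external, lifetime = struct.unpack("!HHI", data[8:16])
    return {"epoch": epoch, "internal_port": internal,
            "external_port": external, "lifetime": lifetime}


def query_gateway(gateway_ip, request, expected_opcode, tries=4, timeout=0.25):
    """Send one request with doubling timeouts (RFC 6886 section 3.1) and
    decode the reply. The caller supplies the gateway address."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # connect() on a UDP socket makes the kernel deliver only datagrams from
    # gateway_ip:5351 and report an ICMP port unreachable as ECONNREFUSED.
    sock.connect((gateway_ip, NATPMP_PORT))
    try:
        for attempt in range(tries):
            sock.settimeout(timeout * (2 ** attempt))
            try:
                sock.send(request)
                data = sock.recv(64)
            except ConnectionRefusedError as exc:
                # Nothing listens on UDP 5351 at that address: the errno 61
                # natpmpc printed in the post above.
                raise OSError("%s refused UDP/%d: not a NAT-PMP gateway"
                              % (gateway_ip, NATPMP_PORT)) from exc
            except socket.timeout:
                continue
            return parse_response(data, expected_opcode)
        raise TimeoutError("no NAT-PMP reply from %s" % gateway_ip)
    finally:
        sock.close()


# Constructed sample replies (not captured from goldie).
SAMPLE_PUBLIC_ADDRESS_REPLY = struct.pack(
    "!BBHI4s", NATPMP_VERSION, 0x80, 0, 12345, socket.inet_aton("203.0.113.7"))
SAMPLE_MAPPING_REPLY = struct.pack(
    "!BBHIHHI", NATPMP_VERSION, 0x82, 0, 12345, 3344, 3344, 3600)
SAMPLE_REFUSED_REPLY = struct.pack(
    "!BBHI4s", NATPMP_VERSION, 0x80, 2, 12345, b"\0\0\0\0")
```

To try it against a live daemon from a LAN host, call `query_gateway("192.168.66.1", build_public_address_request(), OP_PUBLIC_ADDRESS)` and then `query_gateway("192.168.66.1", build_mapping_request(OP_MAP_TCP, 3344, 3344), OP_MAP_TCP)`; run on the router itself, the same calls go to whatever the default route points at, which is the situation natpmpc reports above.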
miniupnp (Site Admin; Joined: 14 Apr 2007, Posts: 1589)
Posted: Tue Feb 15, 2011 11:18 am

If goldie has a public IP (the one given by your ISP) you SHOULD not use natpmp or upnp on it...
UPnP IGD and NAT-PMP are for NAT.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
maul (Joined: 14 Feb 2011, Posts: 2)
Posted: Tue Feb 15, 2011 11:40 am

miniupnp wrote:
If goldie has a public IP (the one given by your ISP) you SHOULD not use natpmp or upnp on it...
UPnP IGD and NAT-PMP are for NAT.

So how can I set it up so deluge can automatically enable ports?
Also, upnpc from the command line worked fine, so it can't be such a huge issue.
Anyway, thanks for the reply.
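A caveat on the miniupnpd.conf posted at the top of the thread, as an added example that is not code from the original post or from miniupnpd: the permission rules there end with `allow 0-65535 0.0.0.0/0 0-65535` and `secure_mode` is `no`, so any host that can reach the daemon on the LAN can map any external port, including ports below 1024, to any internal address and port, not just its own. The checker below parses the `allow`/`deny` lines and `secure_mode` the way the config comments describe (first matching rule wins; a request matching no rule is treated as allowed here, which is an assumption and the reason the comment advises ending with a deny rule) and contrasts the posted rule set with a tightened one for the 192.168.66.0/24 LAN. Both rule sets and all addresses are constructed for the example; this is not miniupnpd's own matching code.

```python
"""Checker for miniupnpd.conf permission rules and secure_mode. Added
example, not miniupnpd's own matching code; rule sets below are constructed."""
import ipaddress


def parse_port_range(text):
    """'1024-65535' -> (1024, 65535); '22' -> (22, 22)."""
    lo_s, _, hi_s = text.partition("-")
    lo = int(lo_s)
    hi = int(hi_s) if hi_s else lo
    if not 0 <= lo <= hi <= 65535:
        raise ValueError("bad port range %r" % text)
    return lo, hi


def parse_conf(text):
    """Return (secure_mode, rules). Each rule is (action, ext_range, network,
    int_range) in file order. Other directives are ignored; '#' starts a comment."""
    secure_mode = False
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("secure_mode="):
            secure_mode = line.split("=", 1)[1].strip().lower() == "yes"
            continue
        parts = line.split()
        if parts[0] not in ("allow", "deny"):
            continue
        if len(parts) != 4:
            raise ValueError("bad permission rule %r" % raw)
        action, ext, net, internal = parts
        rules.append((action, parse_port_range(ext),
                      ipaddress.ip_network(net, strict=False),
                      parse_port_range(internal)))
    return secure_mode, rules


def mapping_allowed(conf, client_ip, ext_port, internal_ip, int_port):
    """Would a client at client_ip be allowed to map ext_port to
    internal_ip:int_port? First matching rule wins. A request matching no
    rule is treated as allowed (assumption; this is why the config comment
    advises finishing with 'deny 0-65535 0.0.0.0/0 0-65535')."""
    secure_mode, rules = conf
    client = ipaddress.ip_address(client_ip)
    target = ipaddress.ip_address(internal_ip)
    if secure_mode and client != target:
        return False  # secure_mode: a client may only map to its own IP
    for action, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and ilo <= int_port <= ihi and target in net:
            return action == "allow"
    return True


# Constructed: the relevant lines from the config posted above.
POSTED_CONF = """
secure_mode=no
allow 0-65535 0.0.0.0/0 0-65535
"""

# Constructed: a tightened rule set for the 192.168.66.0/24 LAN.
HARDENED_CONF = """
secure_mode=yes
allow 1024-65535 192.168.66.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""


def compare(client_ip, ext_port, internal_ip, int_port):
    """(verdict under POSTED_CONF, verdict under HARDENED_CONF) for one request."""
    posted = parse_conf(POSTED_CONF)
    hardened = parse_conf(HARDENED_CONF)
    return (mapping_allowed(posted, client_ip, ext_port, internal_ip, int_port),
            mapping_allowed(hardened, client_ip, ext_port, internal_ip, int_port))
```

With the tightened rules a torrent client on 192.168.66.4 can still open 3344 for itself, but a LAN host cannot expose another machine's SSH port through the router, and nothing below 1024 can be mapped at all.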
© 2007 Thomas Bernard, author of MiniUPNP.