# PF + miniupnpd problem



## Radiolab (Jun 3, 2011)

Hello,

Please help me on following case. I'm trying to make UPNP port forwarding using miniupnpd and pf, but it does't work.

FreeBSD 8.2-STABLE, kernel and world built from cvs RELENG_8.

Miniupnpd installed from ports. Config of miniupnpd:


```
/usr/local/etc>cat ./miniupnpd.conf | grep -v '^#' | sed '/^$/d'
ext_ifname=sk0
ext_ip=*.*.19.66
listening_ip=10.1.0.1
port=5555
bitrate_up=131072
bitrate_down=524288
secure_mode=yes
system_uptime=yes
clean_ruleset_interval=600
notify_interval=30
uuid=f8565bd4-8d3a-11e0-8d57-00112fba8587
allow 1024-65535 10.1.0.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
```

pf config:


```
/usr/local/etc>cat /etc/pf.conf | grep -v '^#' | sed '/^$/d'
ext_if="sk0"
external_addr="*.*.19.66"
int_if="em0"
internal_net="10.1.0.0/24"
nat on $ext_if from $internal_net to any -> $external_addr
rdr-anchor miniupnpd
anchor miniupnpd
pass in quick proto igmp all allow-opts
pass out quick proto igmp all allow-opts
pass out quick on $int_if from any to 239.0.0.0/8 keep state
pass in quick on $int_if from any to 239.0.0.0/8 keep state
pass in all
pass out all
```

Starting miniupnpd in debug mode:


```
/usr/local/etc/rc.d>miniupnpd -f /usr/local/etc/miniupnpd.conf -d
miniupnpd[25778]: HTTP listening on port 5555
```

OK, miniupnpd is running:


```
/usr/local/etc>sockstat -4 -l | grep miniupnpd
root     miniupnpd  25778 5  tcp4   *:5555                *:*
root     miniupnpd  25778 6  udp4   *:1900                *:*
root     miniupnpd  25778 7  udp4   10.1.0.1:48461        *:*
```


Now I start uTorrent with UPNP enabled on my Windows pc. We can see that there is some upnp traffic coming from Windows pc:


```
/usr/local/etc>tcpdump -i em0 port 1900 or port 5555

15:41:52.112939 IP6 fe80::5cbe:cbdb:e3eb:f511.61545 > ff02::c.1900: UDP, length
15:42:07.561265 IP pc.home.lcl.52612 > 239.255.255.250.1900: UDP, length 9
15:42:12.564581 IP pc.home.lcl.52612 > 239.255.255.250.1900: UDP, length 9
15:42:17.579889 IP pc.home.lcl.52612 > 239.255.255.250.1900: UDP, length 9
15:42:20.430164 IP pc.home.lcl.61547 > 239.255.255.250.1900: UDP, length 1
```

But there is no reaction from miniupnpd on debug stdout and no interaction with PF:


```
/usr/local>pfctl -a miniupnpd -sn

output is void
```

What's wrong?


----------



## fwaggle (Jun 3, 2011)

Don't you need:


```
enable_natpmp=yes
```

... in miniupnpd.conf to enable that functionality?


----------



## jnbek (Jun 3, 2011)

Can you explain in detail what you mean by it isn't working?


----------



## quintessence (Jun 3, 2011)

Hello,

`# cd /usr/ports/net/miniupnpd; make`


```
*** obsdrdr.c.orig      Fri Jun  3 23:35:06 2011
--- obsdrdr.c   Fri Jun  3 23:41:56 2011
***************
*** 205,211 ****
  #ifdef PFRULE_HAS_RTABLEID
                pcr.rule.rtableid = -1; /* first appeared in OpenBSD 4.0 */
  #endif
!               pcr.rule.quick = 1;
                pcr.rule.keep_state = PF_STATE_NORMAL;
                if(tag)
                        strlcpy(pcr.rule.tagname, tag, PF_TAG_NAME_SIZE);
--- 205,211 ----
  #ifdef PFRULE_HAS_RTABLEID
                pcr.rule.rtableid = -1; /* first appeared in OpenBSD 4.0 */
  #endif
!               pcr.rule.quick = 0;
                pcr.rule.keep_state = PF_STATE_NORMAL;
                if(tag)
                        strlcpy(pcr.rule.tagname, tag, PF_TAG_NAME_SIZE);
```

put this as filename obsdrdr.quick in /usr/ports/net/miniupnpd/work/miniupnpd-1.5/pf and go to this directory, then apply the patch:

`# patch -p0 < obsdrdr.quick`

and then (re)install the port.

This method is suggested as solution from the MiniUPnP author:
http://miniupnp.tuxfamily.org/forum/viewtopic.php?t=660


----------



## SirDice (Jun 4, 2011)

Miniupnpd works fine without the patches.


```
root@maelcum:~#pfctl -a miniupnpd -s nat
rdr quick on rl0 inet proto tcp from any to any port = 51413 keep state label "Transmission at 51413" rtable 0 -> 192.168.1.190 port 51413
rdr quick on rl0 inet proto udp from any to any port = 51413 keep state label "Transmission at 51413" rtable 0 -> 192.168.1.190 port 51413
root@maelcum:~#pfctl -a miniupnpd -s rules
pass in quick on rl0 inet proto tcp from any to any port = 51413 flags S/SA keep state label "Transmission at 51413" rtable 0
pass in quick on rl0 inet proto udp from any to any port = 51413 flags S/SA keep state label "Transmission at 51413" rtable 0
```


----------



## fwaggle (Jun 4, 2011)

Those patches are only for if you don't want the "quick" rules in your ruleset. If you're doing a last-matched-rule setup instead of a first-matched-rule, you probably don't want "quick" set and therefore would want the patches applied.

I don't believe that's the case here - no rules are showing up.


----------



## Radiolab (Jun 4, 2011)

My miniupnpd doesn't interact with pf at all!

miniupnpd should send SSDP NOTIFY messages every 30 seconds, but [CMD=""]tcpdump -i em0 port 1900[/CMD] shows void output. 

We can see, that mimiupnpd neither sends nor receives packets.

Maybe my /etc/rc.conf can be helpful to solve problem. All services listed below work fine.


```
font8x14="cp866-8x14"
font8x16="cp866b-8x16"
font8x8="cp866-8x8"
scrnmap="koi8-r2cp866"
keymap="ru.koi8-r"
keyrate="fast"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog.pcap"
pflog_flags="-s 1500"
hostname="gw.home.lcl"
defaultrouter="*.*.19.1"
ifconfig_em0="inet 10.1.0.1  netmask 255.255.255.0"
ifconfig_sk0="inet *.*.19.66 netmask 255.255.255.0"
moused_enable="NO"
moused_type="NO"
ntpdate_program="/usr/sbin/ntpdate"
ntpdate_flags="-b -u ntp1.vniiftri.ru ntp2.vniiftri.ru ntp3.vniiftri.ru ntp4.vniiftri.ru"
ntpd_enable="YES"
ntpd_config="/etc/ntp.conf"
proftpd_enable="YES"
router_enable="NO"
sshd_enable="YES"
mysql_enable="YES"
apache22_enable="YES"
dhcpd_enable="YES"                         
dhcpd_flags="-4 -q"                           
proftpd_enable="YES"
dhcpd_ifaces="em0"                          # ethernet interface(s)
dhcpd_withumask="022"                       # file creation mask
dhcpd_chuser_enable="YES"           # runs w/o privileges?
dhcpd_withuser="dhcpd"              # user name to run as
dhcpd_withgroup="dhcpd"             # group name to run as
dhcpd_chroot_enable="YES"           # runs chrooted?
dhcpd_devfs_enable="YES"            # use devfs if available?
dhcpd_rootdir="/var/db/dhcpd"       # directory to run in
dhcpd_includedir="/usr/local/etc/"  # directory with config
syslogd_flags="-s -l /var/db/dhcpd/var/run/log"
watchdogd_enable="YES"
named_enable="YES"
samba_enable="YES"
gif_interfaces="gif0 gif1"
gifconfig_gif0="*.*.19.66 *.*.105.181"
ifconfig_gif0="inet 10.1.0.1 10.2.0.1 netmask 255.255.255.255 mtu 1500"
gifconfig_gif1="*.*.19.66 *.*.241.138"
ifconfig_gif1="inet 10.1.0.1 192.168.0.1 netmask 255.255.255.255 mtu 1500"
static_routes="yas rvt"
route_yas="-net 10.2.0.0/24 10.2.0.1"
route_rvt="-net 192.168.0.0/24 192.168.0.1"
miniupnpd_enable="YES"
miniupnpd_config="/usr/local/etc/miniupnp.conf"
miniupnpd_flags=""
```


----------



## Radiolab (Jun 6, 2011)

The problem was so easy - my VPN tunnels (gif0, gif1) has the same IP with local net interface em0. Miniupnpd binds to one of them instead of binding to em0.

Here the parts of /etc/rc.conf, caused the problem :


```
ifconfig_em0="inet 10.1.0.1  netmask 255.255.255.0"
ifconfig_gif0="inet 10.1.0.1 10.2.0.1 netmask 255.255.255.255 mtu 1500"
ifconfig_gif1="inet 10.1.0.1 192.168.0.1 netmask 255.255.255.255 mtu 1500"
```

*Workaround:*
I've changed tunnels to another private address block: 


```
ifconfig_gif0="inet 10.11.0.1 10.12.0.1 netmask 255.255.255.255 mtu 1500"
ifconfig_gif1="inet 10.21.0.1 192.168.1.1 netmask 255.255.255.255 mtu 1500"
static_routes="yas rvt"
route_yas="-net 10.2.0.0/24 10.12.0.1"
route_rvt="-net 192.168.0.0/24 192.168.1.1"
```

And now everything is OK. Thanks to everybody!


----------

