# Can I get a simple miniupnpd.conf and pf.conf file(s)?



## pathiaki (Jun 14, 2017)

Hi,

I have been trying to get UPNP to work for my gaming son.  Apparently, things need to be UPNP to get a NAT type of 'open' from the various gaming networks.

So, I've dug into miniupnpd and modded a very complex pf.conf file.  Still no luck.  I was wondering if someone could post the most basic of both the files so that I could make sure all my settings are correct and that this will at least work before I continue banging my head on the wall.

I have put an anchor declaration in for miniupnpd in the pf.conf file; I have tried various settings in miniupnpd.conf and quite a few other things.  However, something just isn't right.

I've been told that if the anchor is working correctly, I should be able to see the state or nat using 

`pfctl -a miniupnpd -s nat`

However, this returns nothing.

I tried something simple with a pf.conf file:


```
scrub from em1 to any no-df random-id fragment reassemble
nat on em0 from any to any -> (em0) static-port

rdr-anchor miniupnpd

#
# Table for blacklist addresses
#
table <fail2ban> persist file "/etc/fail2ban"
#
#
anchor miniupnpd
#
#
# Blocking IPs via fail2ban and bruteforce
#
block in on em0 from <fail2ban> to any
#
antispoof for em0
#
# Allow Loopback Traffic
#
pass log quick on loopback inet from any to any label "Loopback"
pass log quick on lo0 inet proto udp from lo0 to 127.0.0.1 label "UDP lo0"

#
# Gaming connect on 27017
#

pass log quick on em0 inet proto udp from 192.168.0.0/24 to any port { 1900, 5555, 27017 }


# lo1 cloned loopback on internal network
#
pass log quick inet  from 192.168.0.0/24 to any label "lo1"
#
# Internal network access to server and outside world
#
pass  log quick inet  from 192.168.0.0/24 to any  label "INTERNAL2WORLD"
#

#
# Allow TCP protocol to be transmitted
#
pass log quick on em0 inet proto tcp from any to any label "TCPACCEPT"
#
# Allow UDP protocol to be transmitted
#
pass log quick on em0 inet proto udp from any to any label "UDPACCEPT"
#
# Allow ICMP protocol to be transmitted
#
pass log quick on em0 inet proto icmp from any to any label "ICMPACCEPT"
#
```

That seems about as easy as it gets.  (It's also pretty wide open)

Next, I have a 'simple' miniupnpd.conf file:


```
# WAN network interface
ext_ifname=em0

# If the WAN interface has several IP addresses, you
# can specify the one to use below
#ext_ip=

# LAN network interfaces IPs / networks
# There can be multiple listening IPs for SSDP traffic, in that case
# use multiple 'listening_ip=...' lines, one for each network interface.
# It can be IP address or network interface name (ie. "eth0")
# It is mandatory to use the network interface name in order to enable IPv6
# HTTP is available on all interfaces.
# When MULTIPLE_EXTERNAL_IP is enabled, the external IP
# address associated with the subnet follows. For example:
#  listening_ip=192.168.0.1/24 88.22.44.13
#listening_ip=192.168.0.1/24
#listening_ip=10.5.0.0/16
listening_ip=em1

# CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
# Be sure to assign the correct interfaces to LAN and WAN and consider
# implementing UPnP permission rules at the bottom of this configuration file

# Port for HTTP (descriptions and SOAP) traffic. Set to 0 for autoselect.
http_port=5555
# Port for HTTPS. Set to 0 for autoselect (default)
#https_port=0

# Path to the UNIX socket used to communicate with MiniSSDPd
# If running, MiniSSDPd will manage M-SEARCH answering.
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock

# Enable NAT-PMP support (default is no)
#enable_natpmp=yes
enable_natpmp=no

# Enable UPNP support (default is yes)
#enable_upnp=no
enable_upnp=yes

# PCP
# Configure the minimum and maximum lifetime of a port mapping in seconds
# 120s and 86400s (24h) are suggested values from PCP-base
min_lifetime=120
max_lifetime=86400

# Chain names for netfilter (not used for pf or ipf).
# default is MINIUPNPD for both
#upnp_forward_chain=forwardUPnP
#upnp_nat_chain=UPnP

# Lease file location
# lease_file=/var/log/upnp.leases

# To enable the next few runtime options, see compile time
# ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h)

# Name of this service, default is "`uname -s` router"
# friendly_name="Home Router"

# Manufacturer name, default is "`uname -s`"
#manufacturer_name=Manufacturer corp

# Manufacturer URL, default is URL of OS vendor
#manufacturer_url=http://miniupnp.free.fr/

# Model name, default is "`uname -s` router"
#model_name=Router Model

# Model description, default is "`uname -s` router"
#model_description=Very Secure Router - Model

# Model URL, default is URL of OS vendor
#model_url=http://miniupnp.free.fr/

# Bitrates reported by daemon in bits per second
# by default miniupnpd tries to get WAN interface speed
#bitrate_up=100000000
#bitrate_down=1000000000

# Secure Mode, UPnP clients can only add mappings to their own IP
#secure_mode=yes
secure_mode=no

# Default presentation URL is HTTP address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
# from displaying an icon in the "Network Connections" panel.
#presentation_url=http://www.mylan/index.php

# Report system uptime instead of daemon uptime
system_uptime=yes

# Notify interval in seconds. default is 30 seconds.
#notify_interval=240
notify_interval=60

# Unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
#clean_ruleset_threshold=10
# Clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600

# Log packets in pf (default is no)
#packet_log=no

# Anchor name in pf (default is miniupnpd)
#anchor=miniupnpd

# ALTQ queue in pf
# Filter rules must be used for this to be used.
# compile with PF_ENABLE_FILTER_RULES (see config.h file)
#queue=queue_name1
#queue=queue_name1

# Tag name in pf
#tag=tag_name1

# Make filter rules in pf quick or not. default is yes
# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
#quickrules=no

# UUID, generate your own UUID with "make genuuid"
uuid=9179ca36-50b5-11e7-ba30-0025908afefc

# Daemon's serial and model number when reporting to clients
# (in XML description)
#serial=12345678
#model_number=1

# UPnP permission rules
# (allow|deny) (external port range) IP/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# IP/mask format must be nnn.nnn.nnn.nnn/nn
# It is advised to only allow redirection of port >= 1024
# and end the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
# The following default ruleset allows specific LAN side IP addresses
# to request only ephemeral ports. It is recommended that users
# modify the IP ranges to match their own internal networks, and
# also consider implementing network-specific restrictions
# CAUTION: failure to enforce any rules may permit insecure requests to be made!
#allow 1024-65535 192.168.0.0/24 1024-65535
#allow 1024-65535 192.168.1.0/24 1024-65535
##allow 1024-65535 192.168.0.0/23 22
## allow 12345 192.168.7.113/32 54321
#deny 0-65535 0.0.0.0/0 0-65535
allow 1024-65535 0.0.0.0/0 1024-65535
```

I'm not too sure what I've missed and hope someone can help with a simpler file/configuration so that I can get this running asap.


----------



## SirDice (Jun 14, 2017)

Your PF rules look fine, it really doesn't involve more than adding those two anchors. 
You do need to enable this:

```
# Enable NAT-PMP support (default is no)
#enable_natpmp=yes
enable_natpmp=no
```

You'll also want to change the rules:

```
allow 1024-65535 192.168.0.0/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
```

And make sure miniupnpd is actually running. Eventually you'll get something like this:

```
root@maelcum:~ # pfctl -a miniupnpd -s nat
rdr quick on re0 inet proto udp from any to any port = 51413 keep state label "Transmission at 51413" rtable 0 -> 192.168.10.190 port 51413
rdr quick on re0 inet proto udp from any to any port = 56701 keep state label "Teredo 192.168.10.99:56701 -> 56701 UDP" rtable 0 -> 192.168.10.99 port 56701
rdr quick on re0 inet proto tcp from any to any port = 51413 keep state label "NAT-PMP 51413 tcp" rtable 0 -> 192.168.10.190 port 51413
root@maelcum:~ # pfctl -a miniupnpd -s rules
pass in quick on re0 inet proto udp from any to 192.168.10.190 port = 51413 flags S/SA keep state label "Transmission at 51413" rtable 0
pass in quick on re0 inet proto udp from any to 192.168.10.99 port = 56701 flags S/SA keep state label "Teredo 192.168.10.99:56701->56701 UDP" rtable 0
pass in quick on re0 inet proto tcp from any to 192.168.10.190 port = 51413 flags S/SA keep state label "NAT-PMP 51413 tcp" rtable 0
```

Edit: Oh, I think I see what's wrong. You've swapped the internal and external interfaces in miniupnpd.conf. ext_ifname is the "dirty" internet side, listening_ip is the LAN side.
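The permission rules SirDice points at are worth seeing evaluated, because miniupnpd applies them first-match and, when no rule matches at all, accepts the request (which is why the sample file advises ending with a deny-all line). The following Python is an added example written for this thread, not miniupnpd's own code: it models the documented allow/deny semantics and the `secure_mode` check, then runs the original single `allow 1024-65535 0.0.0.0/0 1024-65535` line and the tightened pair from the reply against the AddPortMapping request seen later in the log plus a few constructed requests. The parsing and evaluation functions, and the constructed requests (a port-22 mapping, a host outside the LAN, a client mapping another host's address), are assumptions of the example.

```python
"""Model of miniupnpd permission-rule evaluation (added example, not the
daemon's code).  Rules are "(allow|deny) <ext range> <ip/mask> <int range>";
the first rule whose three fields all match decides, and a request that
matches no rule is accepted by default."""
import ipaddress
from dataclasses import dataclass

# Rule sets from the thread: the poster's single wide-open line, and the
# tightened pair suggested in the reply.
OPEN_RULES = "allow 1024-65535 0.0.0.0/0 1024-65535\n"
TIGHT_RULES = (
    "allow 1024-65535 192.168.0.0/24 1024-65535\n"
    "deny 0-65535 0.0.0.0/0 0-65535\n"
)


@dataclass(frozen=True)
class Perm:
    allow: bool
    ext_lo: int
    ext_hi: int
    net: ipaddress.IPv4Network
    int_lo: int
    int_hi: int


def parse_range(spec: str) -> tuple:
    """'1024-65535' -> (1024, 65535); '22' -> (22, 22)."""
    lo, _, hi = spec.partition("-")
    lo_i, hi_i = int(lo), (int(hi) if hi else int(lo))
    if not 0 <= lo_i <= hi_i <= 65535:
        raise ValueError(f"bad port range {spec!r}")
    return lo_i, hi_i


def parse_perms(text: str) -> list:
    """Parse allow/deny lines in miniupnpd.conf order; comments are dropped."""
    perms = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"bad permission line {raw!r}")
        ext_lo, ext_hi = parse_range(parts[1])
        int_lo, int_hi = parse_range(parts[3])
        net = ipaddress.IPv4Network(parts[2], strict=False)
        perms.append(Perm(parts[0] == "allow", ext_lo, ext_hi, net, int_lo, int_hi))
    return perms


def check_mapping(perms, ext_port, int_ip, int_port, requester=None, secure_mode=False):
    """Return (accepted, reason) for an AddPortMapping of ext_port -> int_ip:int_port.

    requester is the LAN address the SOAP request came from; with secure_mode
    it must equal int_ip (clients may only map their own address)."""
    target = ipaddress.IPv4Address(int_ip)
    if secure_mode and requester is not None and ipaddress.IPv4Address(requester) != target:
        return False, "secure_mode: client may only map its own address"
    for i, p in enumerate(perms):
        if (p.ext_lo <= ext_port <= p.ext_hi
                and p.int_lo <= int_port <= p.int_hi
                and target in p.net):
            return p.allow, f"permission rule {i} matched"
    return True, "no rule matched: accepted by default"


def demo() -> dict:
    """Run the request from the thread's log and some constructed ones
    through both rule sets."""
    open_, tight = parse_perms(OPEN_RULES), parse_perms(TIGHT_RULES)
    requests = {
        # seen in the log: ext 27017 -> 192.168.0.29:27017 (Demonware)
        "bo3 27017": (27017, "192.168.0.29", 27017),
        # constructed: a LAN host asking to expose port 22
        "ssh 22": (22, "192.168.0.29", 22),
        # constructed: an address outside the 192.168.0.0/24 LAN
        "other subnet": (27017, "10.5.0.7", 27017),
    }
    out = {}
    for name, (ep, ip, ipn) in requests.items():
        out[name] = {"open": check_mapping(open_, ep, ip, ipn),
                     "tight": check_mapping(tight, ep, ip, ipn)}
    # constructed: 192.168.0.77 asks for a mapping that lands on 192.168.0.29
    out["cross-host"] = {"secure_mode": check_mapping(
        tight, 3074, "192.168.0.29", 3074, requester="192.168.0.77", secure_mode=True)}
    return out


if __name__ == "__main__":
    for name, results in demo().items():
        for ruleset, (ok, why) in results.items():
            print(f"{name:13} {ruleset:12} {'ACCEPT' if ok else 'REJECT'}  ({why})")
```

The instructive case is the port-22 request: under the single allow line it matches nothing and is accepted by default, while the tightened set rejects it on the trailing deny. With `secure_mode=no` (as in the posted file) any LAN host can also ask for mappings pointing at any other LAN host, which the last case shows being refused once secure mode is on.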


----------



## pathiaki (Jun 14, 2017)

SirDice, thank you for the help.

I enabled NAT-PMP.

I tried reversing the internal and external interfaces in the miniupnpd.conf  (I don't believe they are wrong as em0 is my WAN and em1 is my LAN) and still nothing.


```
Jun 14 13:03:05 miniupnpd[84478]: HTTP listening on port 5555
Jun 14 13:03:05 miniupnpd[84478]: no HTTP IPv6 address, disabling IPv6
Jun 14 13:03:05 miniupnpd[84478]: Listening for NAT-PMP/PCP traffic on port 5351
```

So, I tried to see what the startup looks like by running:

`miniupnpd -f /usr/local/etc/miniupnpd.conf -d`

and got:


```
miniupnpd[85004]: version 1.9 starting NAT-PMP/PCP UPnP-IGD ext if em0 BOOTID=1497445782
miniupnpd[85004]: HTTP listening on port 5555
miniupnpd[85004]: no HTTP IPv6 address, disabling IPv6
miniupnpd[85004]: Listening for NAT-PMP/PCP traffic on port 5351
miniupnpd[85004]: HTTP REQUEST from 192.168.0.29:63027 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd[85004]: Host: 192.168.0.1:5555
miniupnpd[85004]: HTTP REQUEST from 192.168.0.29:63028 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd[85004]: Host: 192.168.0.1:5555
miniupnpd[85004]: HTTP REQUEST from 192.168.0.29:63029 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd[85004]: Host: 192.168.0.1:5555
```

Nothing would show up with the command:

`pfctl -a miniupnpd -s nat`

It would still be empty.
However, then I had him boot Call Of Duty: Black Ops 3 on Steam....

Magic! 


```
miniupnpd[85004]: version 1.9 starting NAT-PMP/PCP UPnP-IGD ext if em0 BOOTID=1497445782
miniupnpd[85004]: HTTP listening on port 5555
miniupnpd[85004]: no HTTP IPv6 address, disabling IPv6
miniupnpd[85004]: Listening for NAT-PMP/PCP traffic on port 5351
miniupnpd[85004]: HTTP REQUEST from 192.168.0.29:63027 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd[85004]: Host: 192.168.0.1:5555
miniupnpd[85004]: HTTP REQUEST from 192.168.0.29:63028 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd[85004]: Host: 192.168.0.1:5555
miniupnpd[85004]: HTTP REQUEST from 192.168.0.29:63029 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd[85004]: Host: 192.168.0.1:5555
miniupnpd[85004]: ST: urn:schemas-upnp-org:service:WANIPConnection:1 (ver=1)
miniupnpd[85004]: SSDP M-SEARCH from 192.168.0.29:54560 ST: urn:schemas-upnp-org:service:WANIPConnection:1
miniupnpd[85004]: Single search found
miniupnpd[85004]: SendSSDPResponse(): 0 bytes to 192.168.0.29:54560 ST: HTTP/1.1 200 OK
CACHE-CONTROL: max-age=120
ST: urn:schemas-upnp-org:service:WANIPConnection:1
USN: uuid:9179ca36-50b5-11e7-ba30-0025908afefe::urn:schemas-upnp-org:service:WANIPConnection:1
EXT:
SERVER: FreeBSD/10.3-RELEASE-p19 UPnP/1.1 MiniUPnPd/1.9
LOCATION: http://192.168.0.1:5555/rootDesc.xml
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
01-NLS: 1497445782
BOOTID.UPNP.ORG: 1497445782
CONFIGID.UPNP.ORG: 1337

miniupnpd[85004]: ST: urn:schemas-upnp-org:service:WANPPPConnection:1 (ver=1)
miniupnpd[85004]: SSDP M-SEARCH from 192.168.0.29:54560 ST: urn:schemas-upnp-org:service:WANPPPConnection:1
miniupnpd[85004]: Single search found
miniupnpd[85004]: SendSSDPResponse(): 0 bytes to 192.168.0.29:54560 ST: HTTP/1.1 200 OK
CACHE-CONTROL: max-age=120
ST: urn:schemas-upnp-org:service:WANPPPConnection:1
USN: uuid:9179ca36-50b5-11e7-ba30-0025908afefe::urn:schemas-upnp-org:service:WANPPPConnection:1
EXT:
SERVER: FreeBSD/10.3-RELEASE-p19 UPnP/1.1 MiniUPnPd/1.9
LOCATION: http://192.168.0.1:5555/rootDesc.xml
OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
01-NLS: 1497445782
BOOTID.UPNP.ORG: 1497445782
CONFIGID.UPNP.ORG: 1337

miniupnpd[85004]: HTTP REQUEST from 192.168.0.29:63035 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd[85004]: Host: 192.168.0.1:5555
miniupnpd[85004]: HTTP REQUEST from 192.168.0.29:63036 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[85004]: Host: 192.168.0.1:5555
miniupnpd[85004]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
miniupnpd[85004]: HTTP REQUEST from 192.168.0.29:63038 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[85004]: Host: 192.168.0.1:5555
miniupnpd[85004]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
miniupnpd[85004]: AddPortMapping: ext port 27017 to 192.168.0.29:27017 protocol UDP for: DemonwarePortMapping leaseduration=0 rhost=
miniupnpd[85004]: UPnP permission rule 0 matched : port mapping accepted
miniupnpd[85004]: redirecting port 27017 to 192.168.0.29:27017 protocol UDP for: DemonwarePortMapping
```

Once this was up and running, I checked pfctl (which still showed nothing prior to starting the game; just in case people were wondering, something has to be running to see any output):

`pfctl -a miniupnpd -s nat`


```
rdr pass quick on em0 inet proto udp from any to any port = 27017 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.0.29 port 27017
```

As always, thanks for the help.  The game shows as NAT type "OPEN" now.


----------



## SirDice (Jun 14, 2017)

pathiaki said:


> I tried reversing the internal and external interfaces in the miniupnpd.conf (I don't believe they are wrong as em0 is my WAN and em1 is my LAN)


You're right, I got thrown off by this PF rule:

```
pass log quick on em0 inet proto udp from 192.168.0.0/24 to any port { 1900, 5555, 27017 }
```
A pass in wouldn't make sense as there should never be packets with an RFC 1918 address as a source from the internet. At the very least it's something you don't want to allow in. A pass out isn't going to work either because NAT happens before the rules are evaluated (the source would then be the address of em0). So I doubt this rule actually works. Keep in mind that the default of PF is to allow everything. Even if you have no rules at all, all traffic is passed in and out.

You probably meant something like this:

```
pass in log quick on em1 inet proto udp from 192.168.0.0/24 to any port { 1900, 5555, 27017 }
```
1900 and 5555 are typical UPnP ports. And now the rule accepts this on the LAN interface.
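For reference, here is the kind of minimal pf.conf the question asked for, written as an added example for this thread (not a file posted in the thread or shipped by the miniupnpd project). It keeps the two anchors and the outbound NAT from the posted file, puts the UPnP rule on the LAN interface as corrected above, and replaces the pass-everything rules with a default-deny inbound policy, which matters because pf passes everything it is not told to block. The macro names, the `set skip on lo0`, the antispoof line and the explicit port list (1900/udp for SSDP, 5351/udp for NAT-PMP/PCP, 5555/tcp for the `http_port` set in miniupnpd.conf) are my choices for the example; the syntax is the FreeBSD 10.x form with translation rules before filter rules.

```pf
# Added minimal pf.conf for the setup in this thread (em0 = WAN, em1 = LAN,
# 192.168.0.0/24 inside).  Macro names are assumptions of the example.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.0.0/24"

set skip on lo0
scrub in all fragment reassemble

# Translation section: outbound NAT for the LAN, then miniupnpd's rdr anchor
nat on $ext_if from $lan_net to any -> ($ext_if) static-port
rdr-anchor "miniupnpd"

# Filter section: deny inbound by default and drop spoofed sources, since pf
# otherwise passes everything
block in log all
antispoof log quick for { $ext_if $int_if }

# miniupnpd's own pass rules (one per forwarded port) live in this anchor
anchor "miniupnpd"

# LAN clients reaching the IGD itself: SSDP discovery (1900/udp),
# NAT-PMP/PCP (5351/udp) and the HTTP/SOAP control port (http_port=5555, tcp)
pass in quick on $int_if inet proto udp from $lan_net to any port { 1900, 5351 }
pass in quick on $int_if inet proto tcp from $lan_net to $int_if port 5555

# LAN out to the world; states are kept by default, so replies come back
pass in on $int_if inet from $lan_net to any
# The router's own outbound traffic (explicit, also stateful)
pass out on $ext_if inet from any to any
```

With this in place `pfctl -a miniupnpd -s nat` and `pfctl -a miniupnpd -s rules` still show nothing until a client actually sends an AddPortMapping, exactly as observed in the thread; the rules that then appear in the anchor are the only inbound holes on `$ext_if`.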


----------



## pathiaki (Jun 14, 2017)

And now for the next bit of excitement.... 

We now have to have two machines behind the same firewall.  

The first one starts just fine but the second one comes up with NAT type MODERATE

Basically, the command:

`pfctl -a miniupnpd -s nat`

Shows only the first machine connecting.  How do we get two (or more) machines connecting so that he can have a gaming party?


----------



## SirDice (Jun 14, 2017)

Well, you can only redirect a port once. A second machine will need to use a different port. Depending on the software (the UPnP client) it will automatically pick a different port or you will need to configure the port setting by hand. The actual port forwarding will be automatic through UPnP but choosing the correct port may need some manual intervention.


----------



## pathiaki (Jun 14, 2017)

SirDice,

I get the 'only one port redirect'.  However, the second machine UPNP client....  Is this on the Windoze OS?  There seems to be a way to launch the game on a specific port (it's in the Steam settings for the game library: Right-Click (on game) -> Settings -> General -> Launch Options).  However, this results in it booting the game on those ports and NAT type becomes 'Moderate'.  Any insight into this?  Is there a pf rule or something that would allow this, or should I tell both to boot on port 27017?

Thank you!

P.


----------



## SirDice (Jun 14, 2017)

The whole point of a UPnP IGD is that you don't need to change the firewall settings because they're done "automagically".

And the simple fact remains, a port can only be forwarded to a single machine. You cannot forward a specific port to two or more machines because there's no way to tell which of them is the intended recipient.


----------



## pathiaki (Jun 14, 2017)

Yes, I get the simple fact. 

However, I'm seeing some interesting things on the miniupnpd anchor in pf.....

`pfctl -a miniupnpd -s nat | grep -i 192.168.0`


```
rdr pass quick on em0 inet proto udp from any to any port = 3074 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.0.29 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 27017 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.0.29 port 27017
rdr pass quick on em0 inet proto udp from any to any port = 3659 keep state label "EA Tunnel" rtable 0 -> 192.168.0.29 port 3659
rdr pass quick on em0 inet proto udp from any to any port = 59023 keep state label "Giraffic UDP on 192.168.0.77" rtable 0 -> 192.168.0.77 port 59023
```

So, I'd like to flush the table and see what gets generated from the start.

I cleared it with:

`pfctl -a miniupnpd -F nat`

I then started the original Black Ops on Steam on both machines.  This resulted in:


```
root@atlantisservices:/usr/local/etc # !!
pfctl -a miniupnpd -s nat | grep -i 192.168.0
rdr pass quick on em0 inet proto udp from any to any port = 3074 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.0.29 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 3075 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.0.72 port 3075
```

It seems that the original BO on steam now works correctly.  Both connect and can join same lobbies whether private or public.  (Yeah, baby!!!)

However, we tried the same thing with BO 3.


```
root@atlantisservices:/usr/local/etc # pfctl -a miniupnpd -s nat | grep -i 192.168.0
rdr pass quick on em0 inet proto udp from any to any port = 3074 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.0.29 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 3075 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.0.72 port 3075
rdr pass quick on em0 inet proto udp from any to any port = 27099 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.0.29 port 27017
rdr pass quick on em0 inet proto udp from any to any port = 27017 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.0.29 port 27017
```

It tried to connect to port 27099 and 27017 on the first machine (????).

My impression is that BO3 is not trying to create a new port like BO did.

Here's the next level of question....  I see 'rtable 0' at the end.  Is there a way to tell miniupnpd or pf to have a table of mappings to allow something similar to the way the original BO initiated ports?  (I assume that pf can do something that will allow this....)  What would you suggest?

Thanks for the time on this,

P.
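Putting SirDice's point about one redirect per port together with the anchor dumps above, here is an added example (mine, not code from the thread, from pf or from miniupnpd) that parses `pfctl -a miniupnpd -s nat` output, lists which LAN host holds each external port, and classifies a new request as free, a refresh by the same host, or a conflict that forces the second machine onto a different port. It also lists mappings whose external and internal ports differ, like the 27099 -> 27017 entry noticed above. The sample input is the pfctl output posted in this thread; the regex, the `Mapping` record and the classification names are assumptions of the example.

```python
"""Parse `pfctl -a miniupnpd -s nat` output and answer the question raised in
the thread: which LAN host holds each external port, and whether a new
request would collide with it.  Added example, not pf or miniupnpd code; the
sample text is copied from the thread's own pfctl output and the
parsing/conflict logic is mine."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Copied from the thread (prompt line included on purpose, so the parser has
# to skip it).
SAMPLE_PFCTL = """\
root@atlantisservices:/usr/local/etc # pfctl -a miniupnpd -s nat | grep -i 192.168.0
rdr pass quick on em0 inet proto udp from any to any port = 3074 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.0.29 port 3074
rdr pass quick on em0 inet proto udp from any to any port = 3075 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.0.72 port 3075
rdr pass quick on em0 inet proto udp from any to any port = 27099 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.0.29 port 27017
rdr pass quick on em0 inet proto udp from any to any port = 27017 keep state label "DemonwarePortMapping" rtable 0 -> 192.168.0.29 port 27017
"""

# Matches both the "rdr quick" and "rdr pass quick" forms seen in the thread.
RDR_RE = re.compile(
    r'^rdr(?: pass)?(?: quick)? on (?P<iface>\S+) inet proto (?P<proto>tcp|udp) '
    r'from any to any port = (?P<eport>\d+) .*?label "(?P<label>[^"]*)".*? '
    r'-> (?P<ihost>\d+\.\d+\.\d+\.\d+) port (?P<iport>\d+)\s*$'
)


@dataclass(frozen=True)
class Mapping:
    iface: str
    proto: str
    eport: int
    ihost: str
    iport: int
    label: str


def parse_rdr(text: str) -> list:
    """Turn anchor output into Mapping records, ignoring non-rule lines."""
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("rdr"):
            continue
        m = RDR_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised rdr line: {line!r}")
        mappings.append(Mapping(m["iface"], m["proto"], int(m["eport"]),
                                m["ihost"], int(m["iport"]), m["label"]))
    return mappings


def port_owners(mappings) -> dict:
    """(proto, external port) -> list of internal hosts it is redirected to."""
    owners = defaultdict(list)
    for mp in mappings:
        owners[(mp.proto, mp.eport)].append(mp.ihost)
    return dict(owners)


def classify_request(mappings, proto: str, eport: int, ihost: str) -> str:
    """'free', 'same-host' (a refresh of an existing mapping) or 'conflict'
    (another LAN host already holds the external port; a redirect can only
    point at one host, so this client has to pick a different port)."""
    holders = port_owners(mappings).get((proto, eport), [])
    if not holders:
        return "free"
    if set(holders) == {ihost}:
        return "same-host"
    return "conflict"


def translated(mappings) -> list:
    """Mappings whose external port differs from the internal one."""
    return [mp for mp in mappings if mp.eport != mp.iport]


if __name__ == "__main__":
    import sys
    # Feed live output with:  pfctl -a miniupnpd -s nat | python3 thisfile.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PFCTL
    ms = parse_rdr(text)
    for (proto, ep), hosts in sorted(port_owners(ms).items()):
        print(f"{proto}/{ep:<5} -> {', '.join(hosts)}")
    for mp in translated(ms):
        print(f"translated: {mp.proto}/{mp.eport} -> {mp.ihost}:{mp.iport}")
    print("second machine asking for udp/3074:",
          classify_request(ms, "udp", 3074, "192.168.0.72"))
```

Against the posted output, a second machine asking for udp/3074 is a conflict (192.168.0.29 already holds it), udp/3075 for 192.168.0.72 is a refresh, and udp/3076 is free; whether the game then picks the free port itself is up to its UPnP client, not to pf.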


----------

