next »

[bradenmcg]

I would pay at least $100 for someone to put working UPnP support in the base image.  It can be disabled by default, and even require 10 different check marks to enable if you want to be that crazy about it (I know that many consider it a huge security hole).

I want it because I have multiple machines at home, using things like BitTorrent that function best if they have dedicated ports.  While I can forward ports, it then requires setting up DHCP reservations for each machine, and there are some apps that don't allow you to change their default port.  I also have two XBoxes and an XBox360, all of which like to be able to poke holes so they can host games.  There's no way to configure a port range on either game system.  It can and does "work" behind a normal NAT box, but your system is never able to become a host for outsiders, which can make finding a game to play more difficult at times.

I only ask that UPnP be in base (as opposed to an add-on) because I'm using a Soekris with a CF card, and I don't have access to the packages system.  It doesn't necessarily have to be tied into the main code tree, I just want it to be something that gets distributed as part of a "vanilla" system.

I'd be willing to go higher if you can do it quickly (by the end of Feb. would be great).  I welcome anyone else that wants UPnP support to tack on more money to this bounty.  It would make pfSense the only embedded-type platform short of junky consumer boxes (Linksys/etc) that handles UPnP.

For those who aren't familiar, UPnP itself is actually not all that complicated.  It's a series of HTTP messages that are multicasted to the LAN, and then from there it looks like a SOAP exchange, with XML data going back and forth between devices.  It does have periodic multicasting ("advertisement") built in to the spec, so a proper system would probably use a daemon, although I could also see it being implemented with straight PHP I suppose.

Here's all the technical info you should need to implement (some of this didn't look right in Firefox 1.5, not sure why):
http://www.upnp.org/download/UPnPDA10_20000613.htm

You can find more information on what a router (aka "Internet Gateway Device") is required to implement here:
http://www.upnp.org/standardizeddcps/igd.asp

I don't even really care about a fully compliant implementation - as long as my devices can talk to pfSense and get it to open ports as needed (and then dispose of them), I'll consider the bounty fulfilled.  A fully compliant system would kick ass though. 

[jeroen234]

there is upnp suport for freebsd but not many use it if you need it then you use this in a shell on the pfsense system:

pkg_add -r http://www.gigaload.org/freebsd.org/ports/i386/packages-6.0-release/net/linuxigd-0.92_2.tbz

[sullrich]

Does that open up the respective PF ports automatically?   Last I tested this, it didn't work.

[billm]

there is upnp suport for freebsd but not many use it if you need it then you use this in a shell on the pfsense system:

pkg_add -r http://www.gigaload.org/freebsd.org/ports/i386/packages-6.0-release/net/linuxigd-0.92_2.tbz

I'd be willing to take a look at this again at some point, but the last I looked at this package I couldn't even get Windows to see that there was a UPnP gateway on the network.  Obviously pf stuff won't work out of the box either, but w/out a client that sees it, it'll be somewhat difficult to implement.

FWIW, I believe the "package" is still in our package XML, just commented out.  Should be easy for someone interested to get the package working once the communication issue is straightened out.

--Bill

[bradenmcg]

Bill, very interesting.

Another place to get WORKING UPnP is the Linksys code for their WRT series of routers.  There are other free implementations/extensions of their code, but AFAIK it should be available as open source already (since they based the whole thing on Linux).  I know that Linux isn't BSD, but as I said before, UPnP is mostly multicasted HTTP and then SOAP-like exchanges...

[Skud]

I'm just wondering if there has been an update to this?

I'd be willing to throw in a little cashola for this as well..

UPnP would make my Pfsense box the perfect *home* firewall IMO..

Riley

[sullrich]

No, I am affraid not.  Seth talked about working on it so maybe push him over the edge with a bounty

It requires some c work, so it's not a trivial patch to bring to life.

[Skud]

Unfortunately, things may be a little tight for a bit as I'm moving to a new place, but I would offer up $50. It's not much I'm afraid..

So, uPnP support bounty is up to $150 now I guess..

Riley

[databeestje]

I am currently having a poke at it. I require at least a week.

Also, other upnp software came available that has no silly depencies which might make it easier to work on.

[databeestje]

I have some proof of concept code and was wondering if there are any testers available.

[Superman]

I'll try it out. Do you have a link or a file with some instructions?

[databeestje]

replace /etc/inc/system.inc with http://iserv.nl/files/pfsense/system.inc
replace /etc/inc/filter.inc with http://iserv.nl/files/pfsense/filter.inc
replace /usr/local/www/interfaces_lan.php with http://iserv.nl/files/pfsense/interfaces_lan.txt
replace /usr/local/www/interfaces_opt.php with http://iserv.nl/files/pfsense/interfaces_opt.txt
execute this command, fetch -o /usr/local/sbin/miniupnpd http://iserv.nl/files/pfsense/miniupnpd
execute this command, chmod +x /usr/local/sbin/miniupnpd

enable it on the lan interface.

Check the sytem logs.

Currently unsupported

[Superman]

Okay, files updated, service enabled. Stuff is happening in the system logs when I open uTorrent or MSN Messenger. I'll have to close some of my presently opened & NATed ports and check it out...

Thanks!

[Superman]

Further testing seems to indicate that it's working properly.
I removed my NAT & Firewall Rules entries for uTorrent, enabled UPnP in the program, and it all worked!!
The port was opened when I opened the program.
And it seemed to be closed after I exited the program as indicated from a external port probe.

It passes these simple tests anyway!

Thanks again!

[Superman]

Minor update.

I did see this one error in the logs. It doesn't seem to stop it from working, but just for completeness here it is.

Code:

miniupnpd[46767]: /dummy not found, responding ERROR 404