Author Topic: UPnP support  (Read 116034 times)

Offline bradenmcg

UPnP support
« on: February 01, 2006, 09:47:49 pm »
I would pay at least $100 for someone to put working UPnP support in the base image.  It can be disabled by default, and even require 10 different check marks to enable if you want to be that crazy about it (I know that many consider it a huge security hole).

I want it because I have multiple machines at home, using things like BitTorrent that function best if they have dedicated ports.  While I can forward ports, it then requires setting up DHCP reservations for each machine, and there are some apps that don't allow you to change their default port.  I also have two XBoxes and an XBox360, all of which like to be able to poke holes so they can host games.  There's no way to configure a port range on either game system.  It can and does "work" behind a normal NAT box, but your system is never able to become a host for outsiders, which can make finding a game to play more difficult at times.

I only ask that UPnP be in base (as opposed to an add-on) because I'm using a Soekris with a CF card, and I don't have access to the packages system.  It doesn't necessarily have to be tied into the main code tree, I just want it to be something that gets distributed as part of a "vanilla" system.

I'd be willing to go higher if you can do it quickly (by the end of Feb. would be great).  I welcome anyone else that wants UPnP support to tack on more money to this bounty.  It would make pfSense the only embedded-type platform short of junky consumer boxes (Linksys/etc) that handles UPnP.

For those who aren't familiar, UPnP itself is actually not all that complicated.  It's a series of HTTP messages that are multicasted to the LAN, and then from there it looks like a SOAP exchange, with XML data going back and forth between devices.  It does have periodic multicasting ("advertisement") built in to the spec, so a proper system would probably use a daemon, although I could also see it being implemented with straight PHP I suppose.

Here's all the technical info you should need to implement (some of this didn't look right in Firefox 1.5, not sure why):
http://www.upnp.org/download/UPnPDA10_20000613.htm

You can find more information on what a router (aka "Internet Gateway Device") is required to implement here:
http://www.upnp.org/standardizeddcps/igd.asp

I don't even really care about a fully compliant implementation - as long as my devices can talk to pfSense and get it to open ports as needed (and then dispose of them), I'll consider the bounty fulfilled.  A fully compliant system would kick ass though.  :)
« Last Edit: February 01, 2006, 10:28:51 pm by bradenmcg »
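
The SOAP step described in the post above, as an added example that is not part of the original post or of any pfSense code: it parses a constructed `AddPortMapping` request for the WANIPConnection service and applies a gateway-side policy before any port would be opened. The addresses, the LAN range, the port floor and the function names `parse_add_port_mapping` and `vet_mapping` are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the SOAP body a LAN client POSTs to the gateway's
# control URL (found earlier via multicast discovery) to request a forward.
ADD_PORT_MAPPING = """<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
 <s:Body>
  <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
   <NewRemoteHost></NewRemoteHost>
   <NewExternalPort>51413</NewExternalPort>
   <NewProtocol>TCP</NewProtocol>
   <NewInternalPort>51413</NewInternalPort>
   <NewInternalClient>192.168.1.50</NewInternalClient>
   <NewEnabled>1</NewEnabled>
   <NewPortMappingDescription>bt</NewPortMappingDescription>
   <NewLeaseDuration>3600</NewLeaseDuration>
  </u:AddPortMapping>
 </s:Body>
</s:Envelope>"""

WAN_NS = "{urn:schemas-upnp-org:service:WANIPConnection:1}"

def parse_add_port_mapping(soap_xml):
    """Return the AddPortMapping arguments as a dict of strings."""
    action = ET.fromstring(soap_xml).find(f".//{WAN_NS}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")
    return {arg.tag: (arg.text or "") for arg in action}

def vet_mapping(args, requester_ip, lan="192.168.1.0/24", min_port=1024):
    """Hypothetical gateway policy: list the reasons to refuse a request."""
    problems = []
    client = ipaddress.ip_address(args["NewInternalClient"])
    if client != ipaddress.ip_address(requester_ip):
        problems.append("internal client differs from requester")
    if client not in ipaddress.ip_network(lan):
        problems.append("internal client is not on the LAN")
    if args["NewProtocol"] not in ("TCP", "UDP"):
        problems.append("unknown protocol")
    for key in ("NewExternalPort", "NewInternalPort"):
        if not min_port <= int(args[key]) <= 65535:
            problems.append(f"{key} outside {min_port}-65535")
    return problems
```

An empty list from `vet_mapping` means the request passes this policy; the protocol itself carries no authentication, so the requester's source address is the only identity the gateway has to check against.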

Offline jeroen234

Re: UPnP support
« Reply #1 on: February 02, 2006, 12:44:24 am »
There is UPnP support for FreeBSD, but not many use it. If you need it, then you use this in a shell on the pfSense system:

pkg_add -r http://www.gigaload.org/freebsd.org/ports/i386/packages-6.0-release/net/linuxigd-0.92_2.tbz



Offline sullrich

Re: UPnP support
« Reply #2 on: February 02, 2006, 12:45:37 am »
Does that open up the respective PF ports automatically?   Last I tested this, it didn't work.

Offline billm

Re: UPnP support
« Reply #3 on: February 03, 2006, 12:10:01 am »
Quote from: jeroen234
There is UPnP support for FreeBSD, but not many use it. If you need it, then you use this in a shell on the pfSense system:

pkg_add -r http://www.gigaload.org/freebsd.org/ports/i386/packages-6.0-release/net/linuxigd-0.92_2.tbz

I'd be willing to take a look at this again at some point, but the last I looked at this package I couldn't even get Windows to see that there was a UPnP gateway on the network.  Obviously pf stuff won't work out of the box either, but w/out a client that sees it, it'll be somewhat difficult to implement.

FWIW, I believe the "package" is still in our package XML, just commented out.  Should be easy for someone interested to get the package working once the communication issue is straightened out.

--Bill
pfSense core developer
blog - http://www.ucsecurity.com/
twitter - billmarquette

Offline bradenmcg

Re: UPnP support
« Reply #4 on: February 07, 2006, 02:23:47 pm »
Bill, very interesting.

Another place to get WORKING UPnP is the Linksys code for their WRT series of routers.  There are other free implementations/extensions of their code, but AFAIK it should be available as open source already (since they based the whole thing on Linux).  I know that Linux isn't BSD, but as I said before, UPnP is mostly multicasted HTTP and then SOAP-like exchanges...

Offline Skud

Re: UPnP support
« Reply #5 on: August 10, 2006, 07:25:57 pm »
I'm just wondering if there has been an update to this?

I'd be willing to throw in a little cashola for this as well..

UPnP would make my pfSense box the perfect *home* firewall IMO..

Riley

Offline sullrich

Re: UPnP support
« Reply #6 on: August 10, 2006, 07:44:40 pm »
No, I am afraid not.  Seth talked about working on it so maybe push him over the edge with a bounty :)

It requires some C work, so it's not a trivial patch to bring to life.

Offline Skud

Re: UPnP support
« Reply #7 on: August 10, 2006, 08:13:11 pm »
Unfortunately, things may be a little tight for a bit as I'm moving to a new place, but I would offer up $50. It's not much I'm afraid..

So, UPnP support bounty is up to $150 now I guess.. :)

Riley

Offline databeestje

Re: UPnP support
« Reply #8 on: August 11, 2006, 08:29:21 am »
I am currently having a poke at it. I require at least a week.

Also, other UPnP software became available that has no silly dependencies, which might make it easier to work on.

Offline databeestje

Re: UPnP support
« Reply #9 on: August 15, 2006, 01:01:14 am »
I have some proof of concept code and was wondering if there are any testers available.

Offline Superman

Re: UPnP support
« Reply #10 on: August 15, 2006, 09:18:55 am »
I'll try it out. Do you have a link or a file with some instructions?

Offline databeestje

Re: UPnP support
« Reply #11 on: August 15, 2006, 09:51:49 am »
replace /etc/inc/system.inc with http://iserv.nl/files/pfsense/system.inc
replace /etc/inc/filter.inc with http://iserv.nl/files/pfsense/filter.inc
replace /usr/local/www/interfaces_lan.php with http://iserv.nl/files/pfsense/interfaces_lan.txt
replace /usr/local/www/interfaces_opt.php with http://iserv.nl/files/pfsense/interfaces_opt.txt
execute this command, fetch -o /usr/local/sbin/miniupnpd http://iserv.nl/files/pfsense/miniupnpd
execute this command, chmod +x /usr/local/sbin/miniupnpd

Enable it on the LAN interface.

Check the system logs.

Currently unsupported

Offline Superman

Re: UPnP support
« Reply #12 on: August 15, 2006, 10:12:43 am »
Okay, files updated, service enabled. Stuff is happening in the system logs when I open uTorrent or MSN Messenger. I'll have to close some of my presently opened & NATed ports and check it out...

Thanks!

Offline Superman

Re: UPnP support
« Reply #13 on: August 15, 2006, 10:27:36 am »
Further testing seems to indicate that it's working properly.
I removed my NAT & Firewall Rules entries for uTorrent, enabled UPnP in the program, and it all worked!!
The port was opened when I opened the program.
And it seemed to be closed after I exited the program as indicated from an external port probe.

It passes these simple tests anyway!

Thanks again!

Offline Superman

Re: UPnP support
« Reply #14 on: August 15, 2006, 10:54:25 am »
Minor update.

I did see this one error in the logs. It doesn't seem to stop it from working, but just for completeness here it is.

Code:
miniupnpd[46767]: /dummy not found, responding ERROR 404