Thanks for giving it a try Eric! I have added the topic to the issue tracker and I'll circle back around when I'm doing network-related reviews for ClearOS.

Peter Baldwin wrote:

Eric Anderson wrote:

https://github.com/pcbaldwin/miniupnpd/commits/master

I think it is inwork for clearos 7.1. It would be nice to know when it is published then i can upgrade...

It's now available for testing in ClearOS 7.1:

yum install miniupnpd

You will need to manually configure the /etc/sysconfig/miniupnpd with your network settings. The "-i" flag is for specifying your WAN/Internet interface, "-a" for your LAN interface, and "-w" for the ClearOS webconfig URL, e.g.:

MINIUPNPD_WAN="-i ens32"

MINIUPNPD_LANS="-a ens34"

MINIUPNPD_URL="-w https://192.168.4.1:81"

And you can start it too:

service miniupnpd start

chkconfig miniupnpd on

If the miniupnpd works as advertised, I'll push out the app-upnp package. The app will automatically configure the /etc/sysconfig/miniupnpd file :-)

Peter, this worked for me. I did have to edit the bottom of the /etc/miniupnpd/miniupnpd.conf to expand the range to "allow 0-65535 192.168.0.0/16 0-65535" again!

Eric Anderson wrote:

https://github.com/pcbaldwin/miniupnpd/commits/master

I think it is inwork for clearos 7.1. It would be nice to know when it is published then i can upgrade...

It's now available for testing in ClearOS 7.1:

yum install miniupnpd

You will need to manually configure the /etc/sysconfig/miniupnpd with your network settings. The "-i" flag is for specifying your WAN/Internet interface, "-a" for your LAN interface, and "-w" for the ClearOS webconfig URL, e.g.:

MINIUPNPD_WAN="-i ens32"

MINIUPNPD_LANS="-a ens34"

MINIUPNPD_URL="-w https://192.168.4.1:81"

And you can start it too:

service miniupnpd start

chkconfig miniupnpd on

If the miniupnpd works as advertised, I'll push out the app-upnp package. The app will automatically configure the /etc/sysconfig/miniupnpd file :-)

https://github.com/pcbaldwin/miniupnpd/commits/master

I think it is inwork for clearos 7.1. It would be nice to know when it is published then i can upgrade...

Will there be an version for the latest ClearOS 7?

Any chance to get miniupnpd updated to the latest version?

Regards,

Urban

Thanks Nick, it was "allow 0-65535 192.168.0.0/16 0-65535" again! you would think that the miniupnpd package would have been updated for that now that it is mainstream. good news was auto magic worked.

OK. I strongly recommend you give WHS a fixed IP of some sort. It can be done through the Leases section of the DHCP Server screen, in which case you can use anywhere between 192.168.0.2 and 192.168.7.254, or just by giving it a fixed IP in WHS, in which case you will need to have it in the range 192.168.1.2 - 192.168.1.0.

If you are free to play with subnets at the moment, I also strongly recommend you avoid the 192.168.0.0/24 and 192.168.1.0/24 subnets. In your case, because you want such a large range, you could go to 192.168.8.0/21 or somewhere completely different.

Did you read the thread I linked you to? I suspect you'll find your answer there.

Nick Howitt wrote:

You have an odd configuration for your subnet. Presumably you subnet mask is 255.255.248.0 and you are reserving addresses from 192.168.0.1 to 192.168.1.0 for fixed IP's? You've got your gateway IP overlapping with your DHCP server range which is not a good idea. Which IP is your whs using?

What is the output to:

ifconfig | grep Eth -A 1

Also you have the same warning as in this thread. Also look at the ports solution.

I changed my ip address to 192.168.0.1 and gateway and dns to the same under dhcp.

# ifconfig | grep Eth -A 1
eth0 Link encap:Ethernet HWaddr 90:2B:34:XX:XX:XX
inet addr:192.168.0.1 Bcast:192.168.7.255 Mask:255.255.248.0
--
eth1 Link encap:Ethernet HWaddr 90:2B:34:XX:XX:XX
inet addr:66.182.XXX.52 Bcast:66.182.XXX.255 Mask:255.255.255.0

My Lan is eth0 now set to 192.168.0.1, gateway 192.168.0.1, ip range start 192.168.1.1, ip range end 192.168.7.254, dns #1 192.168.1.1, netmask (Network/IP Settings) is 255.255.248.0

correct, i'm reserving the lower reange. whs is using 192.168.4.204

# iptables -t nat -L MINIUPNPD -n -v
Chain MINIUPNPD (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51824 to:192.168.7.17:51824
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:63695 to:192.168.4.204:63695
# iptables -L MINIUPNPD -n -v
Chain MINIUPNPD (2 references)
pkts bytes target prot opt in out source destination
1 137 ACCEPT udp -- * * 0.0.0.0/0 192.168.7.17 udp dpt:51824
4 548 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.204 udp dpt:63695

whs complains port forwarding is not configured correcctly on the router, and remote web access to your server is blocked...

You have an odd configuration for your subnet. Presumably you subnet mask is 255.255.248.0 and you are reserving addresses from 192.168.0.1 to 192.168.1.0 for fixed IP's? You've got your gateway IP overlapping with your DHCP server range which is not a good idea. Which IP is your whs using?

What is the output to:

ifconfig | grep Eth -A 1

Also you have the same warning as in this thread. Also look at the ports solution.

For some reason i can't get upnp to work, well at least my whs2011 can't configure its self to forward ports to its self.
1) port forwarding is not configured correctly on the router.
2) remote web access to your server is blocked

I'm running ClearOS V6.5.
set eth0 to be 192.168.1.1, gateway 192.168.1.1, ip range start 192.168.1.1, ip range end 192.168.7.254, dns #1 192.168.1.1
set eth1 to dhcp and role as external

Installed miniupnpd, added the fire wall stuff from first post to /etc/clearos/firewall.d/local:

# grep upnpd /var/log/messages
Sep 26 21:55:09 orion yum[27442]: Installed: miniupnpd-1.6.20120121-5.v6.x86_64
Sep 26 22:01:27 orion miniupnpd: SNet version started
Sep 26 22:01:27 orion miniupnpd[1077]: could not open lease file: /var/lib/miniupnpd/upnp.leases
Sep 26 22:01:27 orion miniupnpd[1077]: HTTP listening on port 40186
Sep 26 22:01:27 orion miniupnpd[1077]: Listening for NAT-PMP traffic on port 5351
Sep 26 22:11:40 orion miniupnpd[1077]: received signal 15, good-bye
Sep 26 22:11:40 orion miniupnpd: SNet version started
Sep 26 22:11:40 orion miniupnpd[24066]: already expired lease in lease file
Sep 26 22:11:40 orion miniupnpd[24066]: already expired lease in lease file
Sep 26 22:11:40 orion miniupnpd[24066]: HTTP listening on port 42280
Sep 26 22:11:40 orion miniupnpd[24066]: Listening for NAT-PMP traffic on port 5351
Sep 26 22:16:12 orion miniupnpd[24066]: received signal 15, good-bye
Sep 26 22:16:12 orion miniupnpd: SNet version started
Sep 26 22:16:12 orion miniupnpd[1757]: already expired lease in lease file
Sep 26 22:16:12 orion miniupnpd[1757]: already expired lease in lease file
Sep 26 22:16:12 orion miniupnpd[1757]: HTTP listening on port 34953
Sep 26 22:16:12 orion miniupnpd[1757]: Listening for NAT-PMP traffic on port 5351
Sep 26 22:25:37 orion miniupnpd[1757]: received signal 15, good-bye
Sep 26 22:25:37 orion miniupnpd: SNet version started
Sep 26 22:25:37 orion miniupnpd[22810]: already expired lease in lease file
Sep 26 22:25:37 orion miniupnpd[22810]: already expired lease in lease file
Sep 26 22:25:37 orion miniupnpd[22810]: HTTP listening on port 57731
Sep 26 22:25:37 orion miniupnpd[22810]: Listening for NAT-PMP traffic on port 5351
Sep 26 22:37:25 orion miniupnpd[22810]: received signal 15, good-bye
Sep 26 22:37:26 orion miniupnpd: SNet version started
Sep 26 22:37:26 orion miniupnpd[16828]: already expired lease in lease file
Sep 26 22:37:26 orion miniupnpd[16828]: already expired lease in lease file
Sep 26 22:37:26 orion miniupnpd[16828]: HTTP listening on port 41820
Sep 26 22:37:26 orion miniupnpd[16828]: Listening for NAT-PMP traffic on port 5351
Sep 26 22:39:26 orion miniupnpd[16828]: received signal 15, good-bye
Sep 26 22:40:05 orion miniupnpd: SNet version started
Sep 26 22:40:05 orion miniupnpd[22905]: already expired lease in lease file
Sep 26 22:40:05 orion miniupnpd[22905]: already expired lease in lease file
Sep 26 22:40:05 orion miniupnpd[22905]: HTTP listening on port 58884
Sep 26 22:40:05 orion miniupnpd[22905]: Listening for NAT-PMP traffic on port 5351
Sep 26 22:54:16 orion miniupnpd[22905]: received signal 15, good-bye
Sep 26 22:55:48 orion miniupnpd: SNet version started
Sep 26 22:55:48 orion miniupnpd[2512]: already expired lease in lease file
Sep 26 22:55:48 orion miniupnpd[2512]: already expired lease in lease file
Sep 26 22:55:48 orion miniupnpd[2512]: HTTP listening on port 35623
Sep 26 22:55:48 orion miniupnpd[2512]: Listening for NAT-PMP traffic on port 5351
Sep 27 01:56:55 orion miniupnpd[2512]: received signal 15, good-bye
Sep 27 01:56:55 orion miniupnpd: SNet version started
Sep 27 01:56:55 orion miniupnpd[9641]: already expired lease in lease file
Sep 27 01:56:55 orion miniupnpd[9641]: already expired lease in lease file
Sep 27 01:56:55 orion miniupnpd[9641]: already expired lease in lease file
Sep 27 01:56:55 orion miniupnpd[9641]: already expired lease in lease file
Sep 27 01:56:55 orion miniupnpd[9641]: HTTP listening on port 45696
Sep 27 01:56:55 orion miniupnpd[9641]: Listening for NAT-PMP traffic on port 5351


# iptables -t nat -L MINIUPNPD -n -v
Chain MINIUPNPD (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 to:192.168.5.167:8000
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1025 to:192.168.5.167:1025
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:57024 to:192.168.4.61:57024
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:58880 to:192.168.4.61:58880
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:52066 to:192.168.2.69:52066

# iptables -L MINIUPNPD -n -v
Chain MINIUPNPD (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.5.167 tcp dpt:8000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.5.167 tcp dpt:1025
76 10412 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.61 udp dpt:57024
78 10686 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.61 udp dpt:58880
24 3288 ACCEPT udp -- * * 0.0.0.0/0 192.168.2.69 udp dpt:52066

Hi All,

I wonder if somebody elso also observed that, but it takes always upto 30 minutes to show me the server and its content in Windows or Android. Is my server maybe to slow to prepare the data to send? Or is it taking longer and longer to show the servers content as more is on the server? I have about 500 songs and 20 movies on the server.

Except this waiting thing everything else runs fine.

Thanks for you help.

Cheers

Robert

Great man thank you!!

As far as the lease file is concerned, there is no file in the path specified... can I just create a blank txt file with the same name and drop it into that directory?

Update: I created the file and dropped it into that dir. Gave root full permissions and restarted the service.. no error.

Works like a charm, I can see my PS3 by using

iptables -L MINIUPNPD -n -v

That is the 5.x file location. For 6.x use /etc/clearos/firewall.d/local.

Hi Everyone,

I am using the newest flavor of Clearos and wanted to get upnp to work properly. I seem to be having some issues.

First off I do not have a firewall file /etc/rc.d/rc.firewall.local.

I ran the install using the Clearos 6 repo and not Tim's.. it installed ok.

When I check the log file I see the following..

Jul 1 04:04:14 wall yum[19603]: Installed: miniupnpd-1.6.20120121-4.v6.x86_64
Jul 2 12:26:06 wall miniupnpd: SNet version started
Jul 2 12:26:06 wall miniupnpd[18706]: could not open lease file: /var/lib/miniupnpd/upnp.leases
Jul 2 12:26:06 wall miniupnpd[18706]: HTTP listening on port 44247
Jul 2 12:26:06 wall miniupnpd[18706]: Listening for NAT-PMP traffic on port 535

I can play xbox and ps3 online, however I always could even before installing the service. So it appears that it is not truly opening up ports.

Any ideas?

my miniupnpd appears to be not automatically starting. "grep miniupnp /var/log/messages" reveals nothing, but if stop and then start the same command reveals:

Mar 10 10:17:25 orion miniupnpd[2158]: received signal 15, good-bye
Mar 10 10:17:32 orion miniupnpd: SNet version started
Mar 10 10:17:32 orion miniupnpd[7822]: already expired lease in lease file
Mar 10 10:17:32 orion miniupnpd[7822]: HTTP listening on port 49866
Mar 10 10:17:32 orion miniupnpd[7822]: Listening for NAT-PMP traffic on port 5351

OK so what role does that interface have? LAN? the init script should setup the broadcast route for all LAN interfaces, and to be fair is not designed to account for your number of interfaces

However try from the command line
/sbin/route add -net 239.0.0.0 netmask 255.0.0.0 eth3

You may also want to explicitly specify the interfaces in /etc/miniupnpd/miniupnpd.conf... change listening_ip=10.100.0.0/31 and ext_ifname=eth2

Then run 'service miniupnpd restart'

eth3

OK so which NIC / LAN subnet do you want Minidpnpd to work on? you have many local interfaces, it looks like the multicast route for broadcast traffic is only setup for eth1.

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

x.x.x.x     0.0.0.0         255.255.255.240 U     0      0        0 eth0

x.x.x.x     0.0.0.0         255.255.255.240 U     0      0        0 eth2

10.100.4.0      0.0.0.0         255.255.254.0   U     0      0        0 eth5

10.100.0.0      0.0.0.0         255.255.254.0   U     0      0        0 eth3

10.100.2.0      0.0.0.0         255.255.254.0   U     0      0        0 eth4

10.70.0.0       0.0.0.0         255.255.0.0     U     0      0        0 eth1

239.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth1

0.0.0.0         x.x.x.x     0.0.0.0         UG    0      0        0 eth2

my Playstation works just fine behind ClearOS, and is displayed as 'open' from with games such as MW3

What is your network setup? can you provide the output of 'route -n'

You can also try changing the interface (ext_ifname) in /etc/miniupnpd/miniupnpd.conf and restarting the miniupnpd service.

is this the only way to get nat type 1??

i need a way to get playstation network to work through clearos this doesnt seem to work xbox says its nat type 2 and PSN refuses to connect

that worked thanks! i had to define Wan and Lan instead of it autodetecting it

Hi Don, do you have WAN/LAN interfaces defined? is ClearOS configured in gateway mode?

clearos 6.2 no proxy no filter
this is what i get every time i start miniupnpd
Starting miniupnpd: Network configuration missing[FAILED]

As Nick said delete the contents and restart the firewall - perhaps you pasted some other content by mistake? (copy and paste from Windows can introduce hidden characters)

How are you editing rc.firewall.local? Can you post the contents? If the worst comes to the worst rename the file then issue the command "touch /etc/rc.d/rc.firewall.local" to completely reset the file. (It also removes the first two dummy lines but that should not matter).

Hi Tim and everyone else!

I just recently tried to install miniupnp following the guidelines layed out in the first post however after I made changes to the rc.firewall.local file I have had the same issue as peter first described. When trying to start/restarting the firewall service it fails and I havent been able to make it work again by clearing the rc.firewall.local file.

Any suggestions on how this is fixed or what is causing it other than the file?

You appear to have two typo's in your conf "50.150.51.1/24" should be "10.150.51.1/24". I am not sure if you need the listening_ip at all. On my 5.2 system it is not set up.

I'm not quite sure what I was thinking when I setup that subnet :huh: Might not have been quite awake when I did it lol.
I changed my lan to 10.150.50.1/24 and my hotlan to 10.150.51.1/24. I also modified the miniupnpd.conf file accordingly. I am still showing a moderate nat on the xbox when connected to the hotlan. If I try to connect through the standard lan it won't even connect to live which is not a problem as I am not planning on having any xboxes on the standard lan. Here is my updated config file.

# WAN network interface

ext_ifname=eth0

#ext_ifname=xl1

# if the WAN interface has several IP addresses, you

# can specify the one to use below

#ext_ip=



# LAN network interfaces IPs / networks

# there can be multiple listening ips for SSDP traffic.

# should be under the form nnn.nnn.nnn.nnn/nn

# HTTP is available on all interfaces

# When MULTIPLE_EXTERNAL_IP is enabled, the external ip

# address associated with the subnet follows. for example :

#  listening_ip=192.168.0.1/24 88.22.44.13

listening_ip=50.150.51.1/24

#listening_ip=192.168.1.1/24

#listening_ip=

# port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.

port=0



# path to the unix socket used to communicate with MiniSSDPd

# If running, MiniSSDPd will manage M-SEARCH answering.

# default is /var/run/minissdpd.sock

#minissdpdsocket=/var/run/minissdpd.sock



# enable NAT-PMP support (default is no)

enable_natpmp=yes



# enable UPNP support (default is yes)

enable_upnp=yes



# chain names for netfilter (not used for pf or ipf).

# default is MINIUPNPD for both

#upnp_forward_chain=forwardUPnP

#upnp_nat_chain=UPnP



# lease file location

#lease_file=/var/log/upnp.leases



# bitrates reported by daemon in bits per second

bitrate_up=1000000

bitrate_down=10000000



# "secure" mode : when enabled, UPnP client are allowed to add mappings only

# to their IP.

secure_mode=yes

#secure_mode=no



# default presentation url is http address on port 80

# If set to an empty string, no presentationURL element will appear

# in the XML description of the device, which prevents MS Windows

# from displaying an icon in the "Network Connections" panel.

#presentation_url=http://www.mylan/index.php



# report system uptime instead of daemon uptime

system_uptime=yes



# notify interval in seconds. default is 30 seconds.

#notify_interval=240

notify_interval=60



# unused rules cleaning.

# never remove any rule before this threshold for the number

# of redirections is exceeded. default to 20

#clean_ruleset_threshold=10

# clean process work interval in seconds. default to 0 (disabled).

# a 600 seconds (10 minutes) interval makes sense

clean_ruleset_interval=600



# log packets in pf

#packet_log=no



# ALTQ queue in pf

# filter rules must be used for this to be used.

# compile with PF_ENABLE_FILTER_RULES (see config.h file)

#queue=queue_name1



# tag name in pf

#tag=tag_name1



# make filter rules in pf quick or not. default is yes

# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)

#quickrules=no



# uuid : generate your own with "make genuuid"

uuid=60943e58-b9ff-42bc-a825-5cd04c359f57



# serial and model number the daemon will report to clients

# in its XML description

serial=12345678

model_number=1



# UPnP permission rules

# (allow|deny) (external port range) ip/mask (internal port range)

# A port range is <min port>-<max port> or <port> if there is only

# one port in the range.

# ip/mask format must be nn.nn.nn.nn/nn

# it is advised to only allow redirection of port above 1024

# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"

allow 1024-65535 50.150.51.0/24 1024-65535

#allow 1024-65535 10.0.0.0/8 1024-65535

#allow 1024-65535 172.16.0.0/12 1024-65535

deny 0-65535 0.0.0.0/0 0-65535

And I am not quite sure what you meant, Tim Burgess so here is what I get when running the route -n command.

/etc/miniupnpd$ route -n

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

xxx.xxx.xxx.xxx   0.0.0.0         255.255.255.255 UH    0      0        0 ppp0

10.150.51.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3

10.150.50.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

239.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth1

0.0.0.0         xxx.xxx.xxx.xxx   0.0.0.0         UG    0      0        0 ppp0

I hid my public IP address for security reasons...

The default Miniupnpd config is only to allow Upnp requests from private subnets, but I see you have amended the config

Check your routing table has an entry for 239.0.0.0 on your hotlan interface ('route -n' command)...from memory the init script only sets up the route for LAN interfaces

Although your LAN detects a upnp device, is it able to configure the ports by upnp? It may be that the LAN can just see the upnp device but not do anything with it.

BTW, are you aware that your HotLAN is using a public range of addresses which will stop you being able to visit any sites in that address block?

I am trying to enable upnp on a single interface. I have the xbox's on a hotlan with a subnet of 192.150.50.1/24 and it is on eth3. I tried editing the config file for miniupnp to be active for only that subnet and my nat is still moderate. I tried connecting the xbox's to my main subnet of 192.150.50.1/24 and it immediately connected with an open nat and the computers also detected a upnp device on the network. Where did I go wrong?

# WAN network interface

ext_ifname=eth0

#ext_ifname=xl1

# if the WAN interface has several IP addresses, you

# can specify the one to use below

#ext_ip=



# LAN network interfaces IPs / networks

# there can be multiple listening ips for SSDP traffic.

# should be under the form nnn.nnn.nnn.nnn/nn

# HTTP is available on all interfaces

# When MULTIPLE_EXTERNAL_IP is enabled, the external ip

# address associated with the subnet follows. for example :

#  listening_ip=192.168.0.1/24 88.22.44.13

listening_ip=192.150.51.1/24

#listening_ip=192.168.1.1/24

#listening_ip=

# port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.

port=0



# path to the unix socket used to communicate with MiniSSDPd

# If running, MiniSSDPd will manage M-SEARCH answering.

# default is /var/run/minissdpd.sock

#minissdpdsocket=/var/run/minissdpd.sock



# enable NAT-PMP support (default is no)

enable_natpmp=yes



# enable UPNP support (default is yes)

enable_upnp=yes



# chain names for netfilter (not used for pf or ipf).

# default is MINIUPNPD for both

#upnp_forward_chain=forwardUPnP

#upnp_nat_chain=UPnP



# lease file location

#lease_file=/var/log/upnp.leases



# bitrates reported by daemon in bits per second

bitrate_up=1000000

bitrate_down=10000000



# "secure" mode : when enabled, UPnP client are allowed to add mappings only

# to their IP.

secure_mode=yes

#secure_mode=no



# default presentation url is http address on port 80

# If set to an empty string, no presentationURL element will appear

# in the XML description of the device, which prevents MS Windows

# from displaying an icon in the "Network Connections" panel.

#presentation_url=http://www.mylan/index.php



# report system uptime instead of daemon uptime

system_uptime=yes



# notify interval in seconds. default is 30 seconds.

#notify_interval=240

notify_interval=60



# unused rules cleaning.

# never remove any rule before this threshold for the number

# of redirections is exceeded. default to 20

#clean_ruleset_threshold=10

# clean process work interval in seconds. default to 0 (disabled).

# a 600 seconds (10 minutes) interval makes sense

clean_ruleset_interval=600



# log packets in pf

#packet_log=no



# ALTQ queue in pf

# filter rules must be used for this to be used.

# compile with PF_ENABLE_FILTER_RULES (see config.h file)

#queue=queue_name1



# tag name in pf

#tag=tag_name1



# make filter rules in pf quick or not. default is yes

# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)

#quickrules=no



# uuid : generate your own with "make genuuid"

uuid=60943e58-b9ff-42bc-a825-5cd04c359f57



# serial and model number the daemon will report to clients

# in its XML description

serial=12345678

model_number=1



# UPnP permission rules

# (allow|deny) (external port range) ip/mask (internal port range)

# A port range is <min port>-<max port> or <port> if there is only

# one port in the range.

# ip/mask format must be nn.nn.nn.nn/nn

# it is advised to only allow redirection of port above 1024

# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"

allow 1024-65535 192.150.51.0/16 1024-65535

allow 1024-65535 10.0.0.0/8 1024-65535

allow 1024-65535 172.16.0.0/12 1024-65535

deny 0-65535 0.0.0.0/0 0-65535

That is interesting I never had any problems with 4.x or 5.x. I have only had issues with the content filtering in 6.2. I also noticed that once I uninstalled content filtering that my Facebook App on my iPhone 4 started working again. Hopefully the content filter will get fixed in future updates.

Hi Eric,

Many thanks for the info. Since my last post I've move to
ClearOS V6 and added the Xbox live incoming port settings
(plus fixed a few ldap issues thx to Tim's advice
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,10/func,view/id,40810/limit,10/limitstart,20/#42075 ).

Now all ok. If I need to use Xbox live I still need to shutdown
the content filter. But with many little fingers browsing the
internet the content filter has to stay.

Many thank

PeterHuk

The only way I could get my xbox to work was by doing the following

Uninstall the content filter
yum remove app-content-filter

install upnp
yum install miniupnpd

My Web Proxy is configured as follows
Transparent Mode: Enabled
User Authentication: Disabled

Many thanks for the update tim, no matter what I do it just dont seem to want to work.

I've read some people say that they can shut down the content filter and get it working.
When I shut down my content filter (set content filter to disable in web proxy) it stops
all interent access (continuosly comes up with Invalid web request error).

Is there a way to view / monitor the traffic from my xbox and xbox live (only). There must be a
web request from the xbox that is failing to come back or vice versa. If I could see the the request
and the port requested then I'm sure it will be much easier to diagnose the problem. At the moment
I'ts like trying to fault find in the dark.

Many thanks


PeterHuk

Are you using the web proxy? if so then as one last step you'll need to add a bypass for it... (the Xbox is not very proxy friendly). There was a post on this here
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,40/func,view/id,22515/

You can't configure Miniupnpd for just one IP address, its a daemon that will serve your LAN, dynamically providing port forwards for services that need or use the UPNP protocol...Skype, file sharing, messengers etc.

Secure / strict mode is enabled by default in the /etc/miniupnpd/miniupnpd.conf so that services can only open ports for their own IP address

Your iptables output looks fine, you have one mapped entry for UDP on 3074

Be careful not to too confuse yourself with the 'prerouting' table. This table is used to dynamically change packets (or redirect them) prior to hitting the 'input' or 'port forward' chains. This is where the port is actually opened..those rules you see are just to permit web traffic to/form the ClearOS box without getting caught by your transparent proxy redirect. If you have put your XBox IP in the 'proxy' bypass list, then it too will also appear here...this is a function of the webconfig, not miniupnpd.

Hi all,

Does these results look ok?

[root@gateway ~]# iptables -L -n -v -t nat

Chain PREROUTING (policy ACCEPT 4201 packets, 360K bytes)

 pkts bytes target     prot opt in     out     source               destination

    0     0 REDIRECT   tcp  --  *      *      !127.0.0.1            0.0.0.0/0           tcp dpt:3128 redir ports 82

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            G/W int ip          tcp dpt:80

    7   352 ACCEPT     tcp  --  *      *       0.0.0.0/0            G/W ext ip          tcp dpt:80

    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            xbox ip             tcp dpt:80

  483 25266 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

  209 36756 MINIUPNPD  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0



Chain POSTROUTING (policy ACCEPT 4285 packets, 366K bytes)

 pkts bytes target     prot opt in     out     source               destination

  987 58708 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0



Chain OUTPUT (policy ACCEPT 7389 packets, 559K bytes)

 pkts bytes target     prot opt in     out     source               destination



Chain MINIUPNPD (1 references)

 pkts bytes target     prot opt in     out     source               destination

    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:3074 to:xbox ip:3074

will the gateway ipaddress (G/W int ip) on port 80 conflict with the Xbox lisening on port 80?
Also if this suggests that port 80 is open by default for my gateway how do I remove this rule?

Many thanks

PeterHuk

Tim wrote:

Just to highlight why I like MiniUPNP more then LinuxIGD from a security point of view

You can restrict the permitted network ranges which are allowed to make UPNP calls, and the ports that they are able to open. By default I have configured all of the private range of IP's in /etc/miniupnpd/miniupnpd.conf but you could refine it further as you see fit. This is in addition to listening only to the LAN interfaces

I have also enabled "Strict mode" which means that a device is only able to open a port for it's own IP address, rather than blindly opening anything that is requested by some unscrupulous app

It's still running on my production box without hiccups so very pleased

Would really appreciate some info of how you achieved this pls

PeterHuk

Hi Tim,

Just found out something that most of you will know, "windows line breaks
can cause linux apps to fails".

I have saved the file minus the windows line breaks and all working ok now,
my Xbox gets to Xbox live now (in the Xbox network test ) without complaint
but does not do the test login as it does with the wired rj45 connection?

This seems to suggest that it can see the Xbox live server but cannot login.

Does this happen for everyone or just mine?

What would be the best way to configure the miniupnp for just the Xbox IP
address and the Xbox live protocols?

Many thanks

PeterHuk

Hi Tim,

I've just discovered something strange, any changes I make to
/etc/rc.d/rc.firewall.loca causes the restart to fail. As a test I simply
added a hash '#' at the end of the file and that caused it to fail.

This is srange as I have been using my WiseFTP ap for some time
now without any problems. I'll install WinSCP and see what happens.

Many thanks

PeterHuk

Tim,

Many thanks for your reply and information I'll give it a try.

I am curently using 'Protocol Filter Configuration' to lock down
ports and in 'Reports -> Protocol Filter Configuration' there are
constantly attemps to access:

1, JPEG - Joint Picture Expert Group image format
2, eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
3, Finger - User information server - RFC 1288
4, RTP - Real-time Transport Protocol - RFC 3550
5, SOCKS Version 5 - Firewall traversal protocol - RFC 1928

Not sure what is trying to gain access to these blocked ports but internet access
appears fine. If I have a service which needs access to a protocol (like external
email) I usally put there domain / IP in the bypass rule.

I guess this will all go out the window with miniupnpd or can miniupnpd be
configured for just the ip address and required protocols of my xbox / xbox live?

Many thanks

PeterHuk

Hi Peter, please use a tool like WinSCP to make changes it will make life simpler. Vim is good once you figure out its quirks but by no means user friendly...nano is better, but still not great.

You can safely remove and reinstall using

yum remove miniupnpd

yum --enablerepo=timb install miniupnpd

Upnp protocol is inherently 'insecure' in that it trusts outgoing traffic, but if you already have outgoing allow, then theres not much difference. For some applications its the only way to provide functional support behind a NAT gateway for things live XBox live, MSN, video sharing etc.
Miniupnpd goes some way to make sure that these UPNP requests only originate from your LAN. The default "allow" rules are for local subnets only (192.168.x.x, 10.x.x.x, 172.16.x.x) not your actual IP...out of interest how is ClearOS configured?

For XBox live, outgoing traffic will have a SOURCE port in the range 1024+, the ports you are referring to are DESTINATION ports, Miniupnpd will handle the forwarding for you...

See the following for more info
http://en.wikipedia.org/wiki/Universal_Plug_and_Play

Hi Tim,

I’m using version miniupnpd-1.5.20110309-1.clearos.

Is there away I can uninstall then reinstall? I’m not sure why my
Installation was so different but it would be great to get it working.

By the way the notepad edit did not work, I clicked on save then
assumed that notepad updated the file but due to file permissions
the mod did not get saved, so I’m back at square 1.

I have tried to use vim in the pass but when trying to end the program
it always seem to end up running in background mode and then I
find myself searching Goog for the command to kill background apps.

One other thing I noticed, in the miniupnp config file my external address
was listed i.e

# UPnP permission rules
# (allow|deny) (external port range) ip/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# ip/mask format must be nn.nn.nn.nn/nn
# it is advised to only allow redirection of port above 1024
# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
allow 1024-65535 out.going.ip.address/subnet 1024-65535

Although I really would like this to work in the back of my mind
I’m thinking if this is not configured correctly rouge apps can easily
open up ports left right and centre and compromise my gateway security.

Plus it mentions a recommendation of only redirecting ports above 1024
but Xbox live requires 53, 80, 88 how does miniupnpd handle these?

Is there any useful links to find more info? But more importantly is a
uninstall reinstall likely to work?

Many thanks

PeterHuk

Hi Peter,it should be there! what version do you have installed?

rpm -q miniupnpd

I'm puzzled because the RPM and firewall config is all you should need...then restart the firewall first to create the required MINIUPNPD tables

Your initial problems with file editing can be caused by line breaks creeping in, I tend to use either 'nano' or 'vim' for local file editing. If your a windows fan, then you should check out WinSCP (free) for file manipulation

Just noticed, I dont seem to have a '/etc/rc.d/init.d/miniupnpd' file should have been created on install?

Tim,

This is completely weird, I just copied and pasted the mod back into
/etc/rc.d/rc.firewall.loca restarted the firewall and it worked.

That is crazy, the only thing that I could think may have happed is my
ftp programme (wiseftp) tends to add an extra line at the end of the
page when saving.

I used notepad this time and it came up. The only thing now is that
When I run the two test commands:

iptables -t nat -L MINIUPNPD -n -v
iptables -L MINIUPNPD -n –v

I get
'iptables: No chain/target/match by that name'

Any ideas

Many thanks

PeterHuk

Sorry Tim,

Just re-read my last post and it didn't make any sense. "panic over" meaning my firewall is back up. but there
is still a problem with getting the MiniUPNP working.

It's strange that everyone elses seem to work straight away I mines is refusing to play ball. anyway any
sugestion would be appreciated.

Many thanks

PeterHuk

Hi tim,

I copy exactly from the thread, any way panic over now as taking the modification out
has returned it to working order.

how can I trace the problem to get it working though?

I can't get my xbox live working via the wireless / clearos every time I need to use
the Xbox I've got to remove the gateway connection to the broadband modem and
insert an rj45 cable from the Xbox to the cable modem.

Any sugestions?

Many thanks for the fix for getting my firewall up again.

PeterHuk

Hi Peter, check your modifcations to /etc/rc.d/rc.firewall.local for typos etc. Did you copy and paste direct from the thread?

To get a working firewall back, just remove your changes, and run 'service firewall restart'

Sorry, the full message is:

Mar 31 21:50:11 gateway miniupnpd: SNet version started
Mar 31 21:50:11 gateway miniupnpd[7636]: HTTP listening on port 49340
Mar 31 21:50:11 gateway miniupnpd[7636]: Listening for NAT-PMP traffic on port 5351
Mar 31 21:50:11 gateway miniupnpd[7636]: chain MINIUPNPD not found

Just found this in messages 'miniupnpd[7636]: chain MINIUPNPD not found'

Hi Tim,

I just install your MiniUPNPD as I’m trying to get Xbox live.
Have added your entry to /etc/rc.d/rc.firewall.local and in the
/etc/rc.d/init.d/miniupnpd file thier was no 'UPNP_WAN= ' entry
available to update.

I'm not a Linux person but installed on good faith (your information
has been spot on before). After installing I now keep getting FAILED
when trying to restart / start my firewall.

Have looked in messages and system (as per your previous
recommendations) and no relevant errors displayed.

Getting a bit nervous now as not sure what to do.

Any suggestions?

PeterHuk

Hello! Well it's December 25th 2011 and an XBox 360S found it's way into our house. I was immediately recruited by my 13 year old son to help resolve an issue with Xbox LIVE. The Xbox 360 was unable to connect to XBox Live, regardless of what I did, including following this tech tip. The only thing I did differently was I used miniupnpd-1.5.20110309-1.clearos.i686.rpm instead of miniupnpd-1.4.20100921-2.clearos.i686.rpm as enumerated in the tech tip.

I was able to resolve the problem by putting the Xbox on a HOTLAN that I set up on a third NIC card. I also divided my Asante switch into 2 VLANS. The Xbox is on VLAN2, which is connected to the HOTLAN. This assures complete isolation from the primary, content filtered, ICS LAN that the PC's in our house occupy. I'm not sure why the Xbox doesn't like to be proxied, but I think this HOTLAN solution is probably the best from a gaming standpoint as it should help keep the ping times down as low as possible, and the best part is, you don't have to try an figure out all this egghead iptables stuff. Thanks for investing the time to try and create a work around, and more power to you if you're able to make it work. I was not. (Clear OS 5.2)

Just installed MiniUPNP Daemon works great! The Xbox is happy Thanks!

Hi I have battled with Xbox live for ages, and I did get there using a different method that Tim wrote about. Anyhow added 2 more Xboxes to the network and everything stopped working. Thats when I found this post.

I have all three now connecting to Xbox live however I am unable to connect to Zune, Facebook, LastFM ect. I am however able to download updates and demos.

When I do an Xbox live test I still get the message that the NAT is in moderate mode and some content will not be available. Is there something this points to could I have made a mistake somewhere that this points to.

UPDATE

by turning on Transparent Mode all is working

Yep, entry shows up using uTorrent. Sweet!

Thanks Dirk! hope it all goes smoothly for you tomorrow just to be sure check that the MINIUPNPD tables exist and the service is running ok. Logs are stored in /var/log/messages. To test starting a UPNP app such as uTorrent should show a port entry added to firewall rules

iptables -t nat -L MINIUPNPD -n -v

iptables -L MINIUPNPD -n -v

The Daemon API hack is not locale friendly, so it will just display "MiniUPNPD" but your modification allows you to change that to what ever you wish

Have a good Christmas

You really are the best, Tim! Just got my kids an XBox for Christmas and included an XBox Live subscription. Just now installed MiniUPNPD and the firewall restarted seemlessly. Unfortunately until they open the thing and we get it all hooked up I won't be able to confirm if it all works with my gateway or not. I'm geeked though.

One aside in reference to your last post on this thread. The administrator needs to add a reference to match your "MiniUPNPD" reference in the Daemon.inc.php script, in the /var/webconfig/api/lang/daemon.en_US script (or the lanuage of their install).

I changed your reference to look similar to the rest of the daemon entries in the Daemon.inc.php.script, which looks like "DAEMON_LANG_MINIUPNPD". Then I added a line of script in the /lang/daemon.en_US script to look like

define("DAEMON_LANG_MINIUPNPD", "MiniUPNPD Plug-n-Play");

Shows up fine in the Webconfig listed services.

Thanks again.

With ClearOS 6.x you'll see the ability to install third party modules from the webconfig

To add this to the webconfig deamon (services) list add the following line into the array in /var/webconfig/api/Daemon.inc.php

        "miniupnpd"     => array("miniupnpd",        "miniupnpd",      "yes",  "MiniUPNPD",              "no", null),

anyway to get this included as a package within clearos?

I would love to be able to start and stop the service from the web config (:81/admin/daemon.php)

Tim,

Your awsome !

Sebastiaan.

Just to highlight why I like MiniUPNP more then LinuxIGD from a security point of view

You can restrict the permitted network ranges which are allowed to make UPNP calls, and the ports that they are able to open. By default I have configured all of the private range of IP's in /etc/miniupnpd/miniupnpd.conf but you could refine it further as you see fit. This is in addition to listening only to the LAN interfaces

I have also enabled "Strict mode" which means that a device is only able to open a port for it's own IP address, rather than blindly opening anything that is requested by some unscrupulous app

It's still running on my production box without hiccups so very pleased

Give it a go .......

EXTIF shows as ppp0 ppp1 in /etc/firewall ..

Calvin Teh wrote:

however there's still one question though.. shouldn't miniupnpd be listening on interface ppp0 instead of eth0 ?

I'll pass on that one as I have a cable connection. Have a look in /etc/firewall and see how EXTIF is defined. I'd use the same as it has there. Remember you also have to change the /etc/rc.d/init.d/miniupnpd file as well to hard code the UPNP_WAN to the same value for safety,

alright got the firewall to restart properly after that

Dec  1 20:40:41 M2-LB-01 miniupnpd[23876]: received signal 15, good-bye

Dec  1 20:40:41 M2-LB-01 miniupnpd: SNet version started

Dec  1 20:40:41 M2-LB-01 miniupnpd[25150]: HTTP listening on port 34985

Dec  1 20:40:41 M2-LB-01 miniupnpd[25150]: Listening for NAT-PMP traffic on port 5351

however there's still one question though.. shouldn't miniupnpd be listening on interface ppp0 instead of eth0 ?

You should have had a section like:

##

#MINIUPNPD required tables

##

IPTABLES=/sbin/iptables

#EXTIF=  (not required as uses automagic to determine WAN, can be manually specified)

#adding the MINIUPNPD chain for nat

$IPTABLES -t nat -N MINIUPNPD

#adding the rule to MINIUPNPD

$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD



#adding the MINIUPNPD chain for filter

$IPTABLES -t filter -N MINIUPNPD

#adding the rule to MINIUPNPD

$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD

in /etc/rc.d/rc.firewall.local.

Tim suggested changing it to :

##

#MINIUPNPD required tables

##

IPTABLES=/sbin/iptables

EXTIF=eth0  ##### changed to override the value from /etc/firewall

#adding the MINIUPNPD chain for nat

$IPTABLES -t nat -N MINIUPNPD

#adding the rule to MINIUPNPD

$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD



#adding the MINIUPNPD chain for filter

$IPTABLES -t filter -N MINIUPNPD

#adding the rule to MINIUPNPD

$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD

there was nothing inside /etc/rc.d/rc.firewall.local .. I only added a few incoming firewall rules and port forwarding rules ..

Can you post how you now have the firewall rules?

Alright will try it out and let you guys know about the outcome anyways shouldn't i put ppp0 instead of eth0 ? still kinda foreign to the unix world :P

update: replaced $EXTIF with eth0.. tried to restart the firewall still produces a failed status

Hi Nick,
No worries - you have a good point, the order in which the WAN's are listed is set in /etc/firewall (see the EXTIF= setting), there's no guarantee that the first one will be the one you want.

Calvin, the changes proposed for the init file then are a good way forward to ensure you get the right WAN

Tim,
I was off work today so I jumped in earlier. Naughty.
Are you sure the change to the init file is not needed? I was doing it to force the re.firewall.local and init scripts to use the same EXTIF. I did not think there was any guarantee that eth0 evaluated before eth1 (in his case) when using the automagic stuff. With my multiLAN set up the init script picked eth2 instead of eth1.

'True' MultiWAN is experimental (i.e. not tested!) and also stated that way by the author - it appears I will have to build another version with the define MULTIPLE_EXTERNAL_IP flag for it to work.

If you do want multiple WAN's. you'll have to throw away the init script and iptables, and resort to configuring it via the config file only.

Miniupnpd *should* however work ok with systems with MultiWAN's, but just use only one for the UPNP traffic. The iptables script however will only work for one WAN...try the following to fix your firewall:-

Uncomment the following line (/etc/rc.d/rc.firewall.local) and manually specify the interface you want UPNP traffic to use:-

EXTIF=eth0 

Nick's changes above to the init file shouldn't be necessary as it will pick the first WAN in the list.

Please let us know - as I don't have a multiwan setup to test with

The firewall rules (and miniupnpd) will fail with multiwan.

In the firewall rules you'll need to change these rules:

$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD



$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD

Change the $EXTIF for ethx, the external interface you want to use (assuming it is only one).

You also need to change the /etc/rc.d/init.d/miniupnpd. Either change this line

UPNP_WAN=`echo $AUTOMAGIC_EXTIFS | awk '{ print $1 }'`

to

UPNP_WAN=ethx

or, rather than replace the line, I would just add the replacement line after the original line to make it easy to revert the script. Replace x to correspond with the interface you chose for the firewall rule.

At the end of the day miniupnpd only has an experimental multiwan feature but you'll need to read the docs to see how it works. Tim's script effectively only works for one WAN and I think a lot more studying of the docs will be needed to make it work for more than one.

Post back if this works as I only have a single WAN environment here so I have not tested it.

i have 3 interfaces.. eth0 and eth1 are respectively ppp0 and ppp1.. whereas eth2 is the LAN..
upon inspection of the /var/log/messages and /var/log/system , it doesn't show anything helpful though..

Nov 30 18:00:33 M2-LB-01 firewall: ========== start /etc/rc.d/rc.firewall.custom ==========

Nov 30 18:00:33 M2-LB-01 firewall: # Custom firewall rules managed through webconfig

Nov 30 18:00:33 M2-LB-01 firewall: # This file is executed by the firewall on stop/start/restart.

Nov 30 18:00:33 M2-LB-01 firewall: ========== end /etc/rc.d/rc.firewall.custom ==========

Nov 30 18:00:33 M2-LB-01 firewall: ========== start /etc/rc.d/rc.firewall.local ==========

Nov 30 18:00:33 M2-LB-01 firewall: # Custom firewall rules.

Nov 30 18:00:33 M2-LB-01 firewall: # This file is executed by the firewall on stop/start/restart.

Nov 30 18:00:33 M2-LB-01 firewall:

Nov 30 18:00:33 M2-LB-01 firewall: ##

Nov 30 18:00:33 M2-LB-01 firewall: #MINIUPNPD required tables

Nov 30 18:00:33 M2-LB-01 firewall: ##

Nov 30 18:00:33 M2-LB-01 firewall: IPTABLES=/sbin/iptables

Nov 30 18:00:33 M2-LB-01 firewall: #EXTIF= (not required as uses automagic to determine WAN, can be

Nov 30 18:00:33 M2-LB-01 firewall: manually specified)

Nov 30 18:00:33 M2-LB-01 firewall: #adding the MINIUPNPD chain for nat

Nov 30 18:00:33 M2-LB-01 firewall: $IPTABLES -t nat -N MINIUPNPD

Nov 30 18:00:33 M2-LB-01 firewall: #adding the rule to MINIUPNPD

Nov 30 18:00:33 M2-LB-01 firewall: $IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD

Nov 30 18:00:33 M2-LB-01 firewall:

Nov 30 18:00:33 M2-LB-01 firewall: #adding the MINIUPNPD chain for filter

Nov 30 18:00:33 M2-LB-01 firewall: $IPTABLES -t filter -N MINIUPNPD

Nov 30 18:00:33 M2-LB-01 firewall: #adding the rule to MINIUPNPD

Nov 30 18:00:33 M2-LB-01 firewall: $IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD

Nov 30 18:00:33 M2-LB-01 firewall: ========== start /etc/rc.d/rc.firewall.local ==========

Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: chain MINIUPNPD not found

Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: chain MINIUPNPD not found

Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: addnatrule() : iptc_is_chain() error : No chain/target/match by that name

Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: chain MINIUPNPD not found

Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: chain MINIUPNPD not found

Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: addnatrule() : iptc_is_chain() error : No chain/target/match by that name

Hi, any further clues in /var/log/messages or /var/log/system?

Whats your general network config? number of interfaces? are you in gateway mode?

hi tim,

when I tried to add this into /etc/rc.d/rc.firewall.local

##

#MINIUPNPD required tables

##

IPTABLES=/sbin/iptables

#EXTIF=  (not required as uses automagic to determine WAN, can be manually specified)

#adding the MINIUPNPD chain for nat

$IPTABLES -t nat -N MINIUPNPD

#adding the rule to MINIUPNPD

$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD



#adding the MINIUPNPD chain for filter

$IPTABLES -t filter -N MINIUPNPD

#adding the rule to MINIUPNPD

$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD

doing a firewall service restart returned me a failed status.. :dry: clearOS is managing my multi-wan

great! thanks for the feedback

Tim Burgess wrote:

Hi Nick, i've uploaded a new version with amended init script which will listen on all LAN interfaces (LANIF not HOTLAN)
ftp://starlane.gotdns.org/miniupnpd-1.4.20100921-2.clearos.i686.rpm

You can add further interface / subnets by editing /etc/miniupnpd/miniupnpd.conf and adding "listening_ip" fields

Thanks, that's neat. That saves me hacking the init script. I have 2 LAN's, one of which is normally not used, but as luck would have it, it was the one picked up by the init script. It was the same for upnpd which is why I recognised your script and knew where to hack.

Tested it with two xboxs.

Was able to get open nat on both.

first xbox gets port 3074 second one gets 10016 (every time so its not really random)

Thank you so much! B)

Hi Nick, i've uploaded a new version with amended init script which will listen on all LAN interfaces (LANIF not HOTLAN)
ftp://starlane.gotdns.org/miniupnpd-1.4.20100921-2.clearos.i686.rpm

You can add further interface / subnets by editing /etc/miniupnpd/miniupnpd.conf and adding "listening_ip" fields

Tim,

I notice there is a restriction in the init function to only one LAN interface as there is in upnpd. Is this a restriction of yours or one of miniupnpd? It looks like you based your script on the upnpd one but it would be more of a job to make it loop through the LANIFS if it were even possible.

Nick

Great! let me know how you get on

I tested multiple applications configured with the same ports (utorrent) and it did correctly assign another open port instead. (Compared to the behaviour noted with LinuxIGD)

Great stuff Tim. I'll stick this on later and see if I can get it working with my multiwan setup. If it's using the ClearOS automatic detection then I believe it picks one of the 2 WAN's so it should work but I'll override that as I want it to use the one I pick.

I've only got one Xbox 360 but would be interested to know if 2 do work in open NAT at the same time with this. I might get another at some point soon.