I've built and packaged the MiniUPNP daemon so that it will work with ClearOS
http://miniupnp.free.fr/
It relies on your system being configured in gateway mode, and it has only been tested in a single-WAN environment. Multi-WAN is experimental and can be achieved by editing the config (/etc/miniupnpd/miniupnpd.conf) and iptables (see below).
This can be used as a direct replacement for LinuxIGD, which has a flaw whereby multiple rules will be created with the same port for multiple devices.
MiniUPNPD also supports NAT-PMP
INSTALL:-
Set up the community yum repo by following the instructions HERE
yum --enablerepo=timb install miniupnpd
Add the following to /etc/rc.d/rc.firewall.local to create the MiniUPNPD tables; this is required so that the tables do not disappear after a firewall restart.
##
# MINIUPNPD required tables
##
IPTABLES=/sbin/iptables
#EXTIF= (not required: the WAN interface is determined automagically, but it can be specified manually here)
# create the MINIUPNPD chain in the nat table
$IPTABLES -t nat -N MINIUPNPD
# send packets arriving on the WAN interface through it before routing
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD
# create the MINIUPNPD chain in the filter table
$IPTABLES -t filter -N MINIUPNPD
# forwarded packets coming in on the WAN and leaving on any non-WAN interface go through it
$IPTABLES -t filter -A FORWARD -i $EXTIF ! -o $EXTIF -j MINIUPNPD
Then review the config in /etc/miniupnpd/miniupnpd.conf; it shouldn't need any changes, as the external WAN interface is determined using the ClearOS automagic function.
Then restart the firewall to create the tables, and start the service
service firewall restart
service miniupnpd start
Voila! You should now have a functioning UPNP gateway device. You can check logs and entries by running
grep upnpd /var/log/messages
or
iptables -t nat -L MINIUPNPD -n -v
iptables -L MINIUPNPD -n -v
Enjoy
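The two iptables commands above list the chains that miniupnpd fills in dynamically. What follows is an added example (it is not part of the original post, nor miniupnpd's own code) that parses that "iptables -t nat -L MINIUPNPD -n -v" output and flags what a gateway admin would want to review: the same external port forwarded to more than one host (the LinuxIGD flaw mentioned at the top), mappings to privileged ports, and targets outside the LAN. The sample chain is constructed to resemble the output posted later in this thread; the LAN prefix and the port threshold are assumptions passed in as parameters.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample, shaped like the 'iptables -t nat -L MINIUPNPD -n -v' output
# posted in this thread (the hosts and ports here are made up).
SAMPLE_NAT_CHAIN = """\
Chain MINIUPNPD (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8000 to:192.168.5.167:8000
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:57024 to:192.168.4.61:57024
    0     0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:57024 to:192.168.2.69:57024
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:445 to:192.168.4.204:445
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1025 to:10.0.0.5:1025
"""

# One DNAT rule: protocol, external (destination) port, and the internal host:port it goes to.
DNAT_RE = re.compile(
    r"\bDNAT\b.*?\b(tcp|udp)\s+dpt:(\d+)\s+to:(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
)


def parse_mappings(chain_output):
    """Return [(proto, ext_port, internal_ip, int_port), ...], one entry per DNAT rule."""
    mappings = []
    for line in chain_output.splitlines():
        m = DNAT_RE.search(line)
        if m:
            proto, ext_port, ip, int_port = m.groups()
            mappings.append((proto, int(ext_port), ip, int(int_port)))
    return mappings


def audit_mappings(mappings, lan_net="192.168.0.0/16", min_ext_port=1024):
    """Return human-readable findings for mappings a gateway admin should review.

    lan_net and min_ext_port are assumptions: the LAN prefix the gateway serves and
    the lowest external port the config's 'allow' rules are expected to permit.
    """
    lan = ipaddress.ip_network(lan_net)
    findings = []
    targets = defaultdict(set)  # (proto, ext_port) -> internal hosts it is forwarded to
    for proto, ext_port, ip, int_port in mappings:
        targets[(proto, ext_port)].add(ip)
        if ext_port < min_ext_port:
            findings.append(f"privileged external port {proto}/{ext_port} -> {ip}:{int_port}")
        if ipaddress.ip_address(ip) not in lan:
            findings.append(f"internal target {ip} is outside {lan_net} ({proto}/{ext_port})")
    for (proto, ext_port), hosts in targets.items():
        if len(hosts) > 1:
            # netfilter stops at the first matching DNAT rule, so the other hosts never see traffic
            findings.append(
                f"{proto}/{ext_port} is forwarded to {len(hosts)} hosts {sorted(hosts)}; "
                "only the first rule can ever match"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_mappings(parse_mappings(SAMPLE_NAT_CHAIN)):
        print(finding)
```

Feed it the real chain with something like "iptables -t nat -L MINIUPNPD -n -v | python3 audit.py" after replacing the constructed sample with sys.stdin.read(); an empty findings list is the healthy state.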
Responses (86)
Accepted Answer
Thanks for giving it a try Eric! I have added the topic to the issue tracker and I'll circle back around when I'm doing network-related reviews for ClearOS. -
Accepted Answer
Peter Baldwin wrote:
Eric Anderson wrote:
https://github.com/pcbaldwin/miniupnpd/commits/master
I think it is in the works for ClearOS 7.1. It would be nice to know when it is published, then I can upgrade...
It's now available for testing in ClearOS 7.1:
yum install miniupnpd
You will need to manually configure /etc/sysconfig/miniupnpd with your network settings. The "-i" flag is for specifying your WAN/Internet interface, "-a" for your LAN interface, and "-w" for the ClearOS webconfig URL, e.g.:
MINIUPNPD_WAN="-i ens32"
MINIUPNPD_LANS="-a ens34"
MINIUPNPD_URL="-w https://192.168.4.1:81"
And you can start it too:
service miniupnpd start
chkconfig miniupnpd on
If the miniupnpd works as advertised, I'll push out the app-upnp package. The app will automatically configure the /etc/sysconfig/miniupnpd file :-)
Peter, this worked for me. I did have to edit the bottom of the /etc/miniupnpd/miniupnpd.conf to expand the range to "allow 0-65535 192.168.0.0/16 0-65535" again! -
Accepted Answer
Eric Anderson wrote:
https://github.com/pcbaldwin/miniupnpd/commits/master
I think it is in the works for ClearOS 7.1. It would be nice to know when it is published, then I can upgrade...
It's now available for testing in ClearOS 7.1:
yum install miniupnpd
You will need to manually configure /etc/sysconfig/miniupnpd with your network settings. The "-i" flag is for specifying your WAN/Internet interface, "-a" for your LAN interface, and "-w" for the ClearOS webconfig URL, e.g.:
MINIUPNPD_WAN="-i ens32"
MINIUPNPD_LANS="-a ens34"
MINIUPNPD_URL="-w https://192.168.4.1:81"
And you can start it too:
service miniupnpd start
chkconfig miniupnpd on
If the miniupnpd works as advertised, I'll push out the app-upnp package. The app will automatically configure the /etc/sysconfig/miniupnpd file :-) -
Accepted Answer
https://github.com/pcbaldwin/miniupnpd/commits/master
I think it is in the works for ClearOS 7.1. It would be nice to know when it is published, then I can upgrade... -
Accepted Answer
OK. I strongly recommend you give WHS a fixed IP of some sort. It can be done through the Leases section of the DHCP Server screen, in which case you can use anywhere between 192.168.0.2 and 192.168.7.254, or just by giving it a fixed IP in WHS, in which case you will need to have it in the range 192.168.1.2 - 192.168.1.0.
If you are free to play with subnets at the moment, I also strongly recommend you avoid the 192.168.0.0/24 and 192.168.1.0/24 subnets. In your case, because you want such a large range, you could go to 192.168.8.0/21 or somewhere completely different.
Did you read the thread I linked you to? I suspect you'll find your answer there. -
Accepted Answer
Nick Howitt wrote:
You have an odd configuration for your subnet. Presumably your subnet mask is 255.255.248.0 and you are reserving addresses from 192.168.0.1 to 192.168.1.0 for fixed IPs? You've got your gateway IP overlapping with your DHCP server range, which is not a good idea. Which IP is your WHS using?
What is the output of: ifconfig | grep Eth -A 1
Also you have the same warning as in this thread. Also look at the ports solution.
I changed my ip address to 192.168.0.1 and gateway and dns to the same under dhcp.
# ifconfig | grep Eth -A 1
eth0 Link encap:Ethernet HWaddr 90:2B:34:XX:XX:XX
inet addr:192.168.0.1 Bcast:192.168.7.255 Mask:255.255.248.0
--
eth1 Link encap:Ethernet HWaddr 90:2B:34:XX:XX:XX
inet addr:66.182.XXX.52 Bcast:66.182.XXX.255 Mask:255.255.255.0
My LAN is eth0, now set to 192.168.0.1, gateway 192.168.0.1, IP range start 192.168.1.1, IP range end 192.168.7.254, DNS #1 192.168.1.1, netmask (Network/IP Settings) is 255.255.248.0
Correct, I'm reserving the lower range. WHS is using 192.168.4.204
# iptables -t nat -L MINIUPNPD -n -v
Chain MINIUPNPD (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51824 to:192.168.7.17:51824
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:63695 to:192.168.4.204:63695
# iptables -L MINIUPNPD -n -v
Chain MINIUPNPD (2 references)
pkts bytes target prot opt in out source destination
1 137 ACCEPT udp -- * * 0.0.0.0/0 192.168.7.17 udp dpt:51824
4 548 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.204 udp dpt:63695
WHS complains that port forwarding is not configured correctly on the router, and that remote web access to your server is blocked... -
Accepted Answer
You have an odd configuration for your subnet. Presumably your subnet mask is 255.255.248.0 and you are reserving addresses from 192.168.0.1 to 192.168.1.0 for fixed IPs? You've got your gateway IP overlapping with your DHCP server range, which is not a good idea. Which IP is your WHS using?
What is the output of: ifconfig | grep Eth -A 1
Also you have the same warning as in this thread. Also look at the ports solution. -
Accepted Answer
For some reason I can't get UPnP to work; well, at least my WHS2011 can't configure itself to forward ports to itself.
1) port forwarding is not configured correctly on the router.
2) remote web access to your server is blocked
I'm running ClearOS V6.5.
set eth0 to be 192.168.1.1, gateway 192.168.1.1, ip range start 192.168.1.1, ip range end 192.168.7.254, dns #1 192.168.1.1
set eth1 to dhcp and role as external
Installed miniupnpd, added the firewall stuff from the first post to /etc/clearos/firewall.d/local:
# grep upnpd /var/log/messages
Sep 26 21:55:09 orion yum[27442]: Installed: miniupnpd-1.6.20120121-5.v6.x86_64
Sep 26 22:01:27 orion miniupnpd: SNet version started
Sep 26 22:01:27 orion miniupnpd[1077]: could not open lease file: /var/lib/miniupnpd/upnp.leases
Sep 26 22:01:27 orion miniupnpd[1077]: HTTP listening on port 40186
Sep 26 22:01:27 orion miniupnpd[1077]: Listening for NAT-PMP traffic on port 5351
Sep 26 22:11:40 orion miniupnpd[1077]: received signal 15, good-bye
Sep 26 22:11:40 orion miniupnpd: SNet version started
Sep 26 22:11:40 orion miniupnpd[24066]: already expired lease in lease file
Sep 26 22:11:40 orion miniupnpd[24066]: already expired lease in lease file
Sep 26 22:11:40 orion miniupnpd[24066]: HTTP listening on port 42280
Sep 26 22:11:40 orion miniupnpd[24066]: Listening for NAT-PMP traffic on port 5351
Sep 26 22:16:12 orion miniupnpd[24066]: received signal 15, good-bye
Sep 26 22:16:12 orion miniupnpd: SNet version started
Sep 26 22:16:12 orion miniupnpd[1757]: already expired lease in lease file
Sep 26 22:16:12 orion miniupnpd[1757]: already expired lease in lease file
Sep 26 22:16:12 orion miniupnpd[1757]: HTTP listening on port 34953
Sep 26 22:16:12 orion miniupnpd[1757]: Listening for NAT-PMP traffic on port 5351
Sep 26 22:25:37 orion miniupnpd[1757]: received signal 15, good-bye
Sep 26 22:25:37 orion miniupnpd: SNet version started
Sep 26 22:25:37 orion miniupnpd[22810]: already expired lease in lease file
Sep 26 22:25:37 orion miniupnpd[22810]: already expired lease in lease file
Sep 26 22:25:37 orion miniupnpd[22810]: HTTP listening on port 57731
Sep 26 22:25:37 orion miniupnpd[22810]: Listening for NAT-PMP traffic on port 5351
Sep 26 22:37:25 orion miniupnpd[22810]: received signal 15, good-bye
Sep 26 22:37:26 orion miniupnpd: SNet version started
Sep 26 22:37:26 orion miniupnpd[16828]: already expired lease in lease file
Sep 26 22:37:26 orion miniupnpd[16828]: already expired lease in lease file
Sep 26 22:37:26 orion miniupnpd[16828]: HTTP listening on port 41820
Sep 26 22:37:26 orion miniupnpd[16828]: Listening for NAT-PMP traffic on port 5351
Sep 26 22:39:26 orion miniupnpd[16828]: received signal 15, good-bye
Sep 26 22:40:05 orion miniupnpd: SNet version started
Sep 26 22:40:05 orion miniupnpd[22905]: already expired lease in lease file
Sep 26 22:40:05 orion miniupnpd[22905]: already expired lease in lease file
Sep 26 22:40:05 orion miniupnpd[22905]: HTTP listening on port 58884
Sep 26 22:40:05 orion miniupnpd[22905]: Listening for NAT-PMP traffic on port 5351
Sep 26 22:54:16 orion miniupnpd[22905]: received signal 15, good-bye
Sep 26 22:55:48 orion miniupnpd: SNet version started
Sep 26 22:55:48 orion miniupnpd[2512]: already expired lease in lease file
Sep 26 22:55:48 orion miniupnpd[2512]: already expired lease in lease file
Sep 26 22:55:48 orion miniupnpd[2512]: HTTP listening on port 35623
Sep 26 22:55:48 orion miniupnpd[2512]: Listening for NAT-PMP traffic on port 5351
Sep 27 01:56:55 orion miniupnpd[2512]: received signal 15, good-bye
Sep 27 01:56:55 orion miniupnpd: SNet version started
Sep 27 01:56:55 orion miniupnpd[9641]: already expired lease in lease file
Sep 27 01:56:55 orion miniupnpd[9641]: already expired lease in lease file
Sep 27 01:56:55 orion miniupnpd[9641]: already expired lease in lease file
Sep 27 01:56:55 orion miniupnpd[9641]: already expired lease in lease file
Sep 27 01:56:55 orion miniupnpd[9641]: HTTP listening on port 45696
Sep 27 01:56:55 orion miniupnpd[9641]: Listening for NAT-PMP traffic on port 5351
# iptables -t nat -L MINIUPNPD -n -v
Chain MINIUPNPD (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 to:192.168.5.167:8000
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1025 to:192.168.5.167:1025
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:57024 to:192.168.4.61:57024
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:58880 to:192.168.4.61:58880
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:52066 to:192.168.2.69:52066
# iptables -L MINIUPNPD -n -v
Chain MINIUPNPD (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.5.167 tcp dpt:8000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.5.167 tcp dpt:1025
76 10412 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.61 udp dpt:57024
78 10686 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.61 udp dpt:58880
24 3288 ACCEPT udp -- * * 0.0.0.0/0 192.168.2.69 udp dpt:52066 -
Accepted Answer
Hi All,
I wonder if somebody else also observed this, but it always takes up to 30 minutes to show me the server and its content in Windows or Android. Is my server maybe too slow to prepare the data to send? Or is it taking longer and longer to show the server's content as more is on the server? I have about 500 songs and 20 movies on the server.
Except for this waiting thing everything else runs fine.
Thanks for your help.
Cheers
Robert -
Accepted Answer
Great man thank you!!
As far as the lease file is concerned, there is no file in the path specified... can I just create a blank txt file with the same name and drop it into that directory?
Update: I created the file and dropped it into that dir. Gave root full permissions and restarted the service.. no error.
Works like a charm, I can see my PS3 by using
iptables -L MINIUPNPD -n -v -
Accepted Answer
Hi Everyone,
I am using the newest flavor of Clearos and wanted to get upnp to work properly. I seem to be having some issues.
First off I do not have a firewall file /etc/rc.d/rc.firewall.local.
I ran the install using the ClearOS 6 repo and not Tim's; it installed OK.
When I check the log file I see the following..
Jul 1 04:04:14 wall yum[19603]: Installed: miniupnpd-1.6.20120121-4.v6.x86_64
Jul 2 12:26:06 wall miniupnpd: SNet version started
Jul 2 12:26:06 wall miniupnpd[18706]: could not open lease file: /var/lib/miniupnpd/upnp.leases
Jul 2 12:26:06 wall miniupnpd[18706]: HTTP listening on port 44247
Jul 2 12:26:06 wall miniupnpd[18706]: Listening for NAT-PMP traffic on port 535
I can play xbox and ps3 online, however I always could even before installing the service. So it appears that it is not truly opening up ports.
Any ideas? -
Accepted Answer
My miniupnpd appears not to be starting automatically. "grep miniupnp /var/log/messages" reveals nothing, but if I stop and then start it, the same command reveals:
Mar 10 10:17:25 orion miniupnpd[2158]: received signal 15, good-bye
Mar 10 10:17:32 orion miniupnpd: SNet version started
Mar 10 10:17:32 orion miniupnpd[7822]: already expired lease in lease file
Mar 10 10:17:32 orion miniupnpd[7822]: HTTP listening on port 49866
Mar 10 10:17:32 orion miniupnpd[7822]: Listening for NAT-PMP traffic on port 5351 -
Accepted Answer
OK, so what role does that interface have? LAN? The init script should set up the broadcast route for all LAN interfaces, and to be fair it is not designed to account for your number of interfaces.
However try from the command line
/sbin/route add -net 239.0.0.0 netmask 255.0.0.0 eth3
You may also want to explicitly specify the interfaces in /etc/miniupnpd/miniupnpd.conf... change listening_ip=10.100.0.0/31 and ext_ifname=eth2
Then run 'service miniupnpd restart' -
Accepted Answer
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
x.x.x.x 0.0.0.0 255.255.255.240 U 0 0 0 eth0
x.x.x.x 0.0.0.0 255.255.255.240 U 0 0 0 eth2
10.100.4.0 0.0.0.0 255.255.254.0 U 0 0 0 eth5
10.100.0.0 0.0.0.0 255.255.254.0 U 0 0 0 eth3
10.100.2.0 0.0.0.0 255.255.254.0 U 0 0 0 eth4
10.70.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
239.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
0.0.0.0 x.x.x.x 0.0.0.0 UG 0 0 0 eth2 -
Accepted Answer
My Playstation works just fine behind ClearOS, and is displayed as 'open' from within games such as MW3.
What is your network setup? Can you provide the output of 'route -n'?
You can also try changing the interface (ext_ifname) in /etc/miniupnpd/miniupnpd.conf and restarting the miniupnpd service. -
Accepted Answer
Hi Tim and everyone else!
I just recently tried to install miniupnp following the guidelines laid out in the first post; however, after I made changes to the rc.firewall.local file I have had the same issue as Peter first described. When trying to start/restart the firewall service it fails, and I haven't been able to make it work again by clearing the rc.firewall.local file.
Any suggestions on how this is fixed or what is causing it other than the file? -
Accepted Answer
I'm not quite sure what I was thinking when I set up that subnet :huh: Might not have been quite awake when I did it lol.
I changed my LAN to 10.150.50.1/24 and my HotLAN to 10.150.51.1/24. I also modified the miniupnpd.conf file accordingly. I am still showing a moderate NAT on the Xbox when connected to the HotLAN. If I try to connect through the standard LAN it won't even connect to Live, which is not a problem as I am not planning on having any Xboxes on the standard LAN. Here is my updated config file.
# WAN network interface
ext_ifname=eth0
#ext_ifname=xl1
# if the WAN interface has several IP addresses, you
# can specify the one to use below
#ext_ip=
# LAN network interfaces IPs / networks
# there can be multiple listening ips for SSDP traffic.
# should be under the form nnn.nnn.nnn.nnn/nn
# HTTP is available on all interfaces
# When MULTIPLE_EXTERNAL_IP is enabled, the external ip
# address associated with the subnet follows. for example :
# listening_ip=192.168.0.1/24 88.22.44.13
listening_ip=50.150.51.1/24
#listening_ip=192.168.1.1/24
#listening_ip=
# port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.
port=0
# path to the unix socket used to communicate with MiniSSDPd
# If running, MiniSSDPd will manage M-SEARCH answering.
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock
# enable NAT-PMP support (default is no)
enable_natpmp=yes
# enable UPNP support (default is yes)
enable_upnp=yes
# chain names for netfilter (not used for pf or ipf).
# default is MINIUPNPD for both
#upnp_forward_chain=forwardUPnP
#upnp_nat_chain=UPnP
# lease file location
#lease_file=/var/log/upnp.leases
# bitrates reported by daemon in bits per second
bitrate_up=1000000
bitrate_down=10000000
# "secure" mode : when enabled, UPnP client are allowed to add mappings only
# to their IP.
secure_mode=yes
#secure_mode=no
# default presentation url is http address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
# from displaying an icon in the "Network Connections" panel.
#presentation_url=http://www.mylan/index.php
# report system uptime instead of daemon uptime
system_uptime=yes
# notify interval in seconds. default is 30 seconds.
#notify_interval=240
notify_interval=60
# unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
#clean_ruleset_threshold=10
# clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600
# log packets in pf
#packet_log=no
# ALTQ queue in pf
# filter rules must be used for this to be used.
# compile with PF_ENABLE_FILTER_RULES (see config.h file)
#queue=queue_name1
# tag name in pf
#tag=tag_name1
# make filter rules in pf quick or not. default is yes
# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
#quickrules=no
# uuid : generate your own with "make genuuid"
uuid=60943e58-b9ff-42bc-a825-5cd04c359f57
# serial and model number the daemon will report to clients
# in its XML description
serial=12345678
model_number=1
# UPnP permission rules
# (allow|deny) (external port range) ip/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# ip/mask format must be nn.nn.nn.nn/nn
# it is advised to only allow redirection of port above 1024
# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
allow 1024-65535 50.150.51.0/24 1024-65535
#allow 1024-65535 10.0.0.0/8 1024-65535
#allow 1024-65535 172.16.0.0/12 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
And I am not quite sure what you meant, Tim Burgess, so here is what I get when running the route -n command.
/etc/miniupnpd$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
xxx.xxx.xxx.xxx 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.150.51.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
10.150.50.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
239.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
0.0.0.0 xxx.xxx.xxx.xxx 0.0.0.0 UG 0 0 0 ppp0
I hid my public IP address for security reasons... -
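Tim's advice a few posts up (add a 239.0.0.0/8 route on the LAN interface that lacks one, then set listening_ip and ext_ifname explicitly) and the two route tables posted since come down to a single check: does every LAN interface carry a route for the SSDP multicast range? The following is an added example, not part of any post in this thread, that parses "route -n" output and lists the LAN interfaces without such a route. The table is constructed after the one above, with a documentation address standing in for the hidden public IP.

```python
import ipaddress

# Constructed 'route -n' output modeled on the table posted above: two RFC 1918 LANs
# on eth1 and eth3, but the 239.0.0.0/8 multicast route exists only on eth1.
# 203.0.113.1 is a documentation address standing in for the hidden public IP.
SAMPLE_ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
203.0.113.1     0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
10.150.51.0     0.0.0.0         255.255.255.0   U     0      0        0 eth3
10.150.50.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
239.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth1
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 ppp0
"""

# SSDP discovery is sent to 239.255.255.250; the route added in this thread covers all of 239.0.0.0/8.
SSDP_MULTICAST = ipaddress.ip_network("239.0.0.0/8")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_routes(text):
    """Return [(destination network, interface), ...] from 'route -n' output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8 or parts[0] == "Destination":
            continue  # title line and column header
        dest, genmask, iface = parts[0], parts[2], parts[7]
        routes.append((ipaddress.ip_network(f"{dest}/{genmask}", strict=False), iface))
    return routes


def lan_interfaces(routes):
    """Interfaces that carry a directly connected RFC 1918 network."""
    return sorted({iface for net, iface in routes
                   if any(net.subnet_of(private) for private in RFC1918)})


def missing_ssdp_routes(routes):
    """LAN interfaces with no route covering 239.0.0.0/8 (the default route does not count)."""
    have_mcast = {iface for net, iface in routes
                  if net.prefixlen > 0 and SSDP_MULTICAST.subnet_of(net)}
    return [iface for iface in lan_interfaces(routes) if iface not in have_mcast]


def fix_command(iface):
    """The route command given in this thread, filled in for the interface that lacks the route."""
    return f"/sbin/route add -net 239.0.0.0 netmask 255.0.0.0 {iface}"


if __name__ == "__main__":
    for iface in missing_ssdp_routes(parse_routes(SAMPLE_ROUTE_TABLE)):
        print(f"{iface}: no SSDP multicast route; try: {fix_command(iface)}")
```

On the table above this reports eth3, which is exactly the HotLAN where the Xbox still shows a moderate NAT: without that route, the box's M-SEARCH discovery never reaches miniupnpd from that interface.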
Accepted Answer
Although your LAN detects a upnp device, is it able to configure the ports by upnp? It may be that the LAN can just see the upnp device but not do anything with it.
BTW, are you aware that your HotLAN is using a public range of addresses which will stop you being able to visit any sites in that address block? -
Accepted Answer
I am trying to enable UPnP on a single interface. I have the Xboxes on a HotLAN with a subnet of 192.150.50.1/24, and it is on eth3. I tried editing the config file for miniupnp to be active for only that subnet and my NAT is still moderate. I tried connecting the Xboxes to my main subnet of 192.150.50.1/24 and it immediately connected with an open NAT, and the computers also detected a UPnP device on the network. Where did I go wrong?
# WAN network interface
ext_ifname=eth0
#ext_ifname=xl1
# if the WAN interface has several IP addresses, you
# can specify the one to use below
#ext_ip=
# LAN network interfaces IPs / networks
# there can be multiple listening ips for SSDP traffic.
# should be under the form nnn.nnn.nnn.nnn/nn
# HTTP is available on all interfaces
# When MULTIPLE_EXTERNAL_IP is enabled, the external ip
# address associated with the subnet follows. for example :
# listening_ip=192.168.0.1/24 88.22.44.13
listening_ip=192.150.51.1/24
#listening_ip=192.168.1.1/24
#listening_ip=
# port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.
port=0
# path to the unix socket used to communicate with MiniSSDPd
# If running, MiniSSDPd will manage M-SEARCH answering.
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock
# enable NAT-PMP support (default is no)
enable_natpmp=yes
# enable UPNP support (default is yes)
enable_upnp=yes
# chain names for netfilter (not used for pf or ipf).
# default is MINIUPNPD for both
#upnp_forward_chain=forwardUPnP
#upnp_nat_chain=UPnP
# lease file location
#lease_file=/var/log/upnp.leases
# bitrates reported by daemon in bits per second
bitrate_up=1000000
bitrate_down=10000000
# "secure" mode : when enabled, UPnP client are allowed to add mappings only
# to their IP.
secure_mode=yes
#secure_mode=no
# default presentation url is http address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
# from displaying an icon in the "Network Connections" panel.
#presentation_url=http://www.mylan/index.php
# report system uptime instead of daemon uptime
system_uptime=yes
# notify interval in seconds. default is 30 seconds.
#notify_interval=240
notify_interval=60
# unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
#clean_ruleset_threshold=10
# clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600
# log packets in pf
#packet_log=no
# ALTQ queue in pf
# filter rules must be used for this to be used.
# compile with PF_ENABLE_FILTER_RULES (see config.h file)
#queue=queue_name1
# tag name in pf
#tag=tag_name1
# make filter rules in pf quick or not. default is yes
# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
#quickrules=no
# uuid : generate your own with "make genuuid"
uuid=60943e58-b9ff-42bc-a825-5cd04c359f57
# serial and model number the daemon will report to clients
# in its XML description
serial=12345678
model_number=1
# UPnP permission rules
# (allow|deny) (external port range) ip/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# ip/mask format must be nn.nn.nn.nn/nn
# it is advised to only allow redirection of port above 1024
# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
allow 1024-65535 192.150.51.0/16 1024-65535
allow 1024-65535 10.0.0.0/8 1024-65535
allow 1024-65535 172.16.0.0/12 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
-
Accepted Answer
That is interesting I never had any problems with 4.x or 5.x. I have only had issues with the content filtering in 6.2. I also noticed that once I uninstalled content filtering that my Facebook App on my iPhone 4 started working again. Hopefully the content filter will get fixed in future updates. -
Accepted Answer
Hi Eric,
Many thanks for the info. Since my last post I've moved to
ClearOS V6 and added the Xbox live incoming port settings
(plus fixed a few ldap issues thx to Tim's advice
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,10/func,view/id,40810/limit,10/limitstart,20/#42075 ).
Now all ok. If I need to use Xbox live I still need to shutdown
the content filter. But with many little fingers browsing the
internet the content filter has to stay.
Many thank
PeterHuk -
Accepted Answer
Many thanks for the update Tim, no matter what I do it just doesn't seem to want to work.
I've read some people say that they can shut down the content filter and get it working.
When I shut down my content filter (set content filter to disable in web proxy) it stops
all internet access (continuously comes up with Invalid web request error).
Is there a way to view / monitor the traffic from my Xbox and Xbox Live (only)? There must be a
web request from the Xbox that is failing to come back or vice versa. If I could see the request
and the port requested then I'm sure it will be much easier to diagnose the problem. At the moment
it's like trying to fault find in the dark.
Many thanks
PeterHuk -
Accepted Answer
Are you using the web proxy? If so, then as one last step you'll need to add a bypass for it (the Xbox is not very proxy friendly). There was a post on this here
http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,40/func,view/id,22515/
You can't configure Miniupnpd for just one IP address; it's a daemon that will serve your LAN, dynamically providing port forwards for services that need or use the UPNP protocol: Skype, file sharing, messengers etc.
Secure / strict mode is enabled by default in the /etc/miniupnpd/miniupnpd.conf so that services can only open ports for their own IP address
Your iptables output looks fine, you have one mapped entry for UDP on 3074
Be careful not to confuse yourself with the 'prerouting' table. This table is used to dynamically change packets (or redirect them) prior to hitting the 'input' or 'port forward' chains. This is where the port is actually opened. Those rules you see are just to permit web traffic to/from the ClearOS box without getting caught by your transparent proxy redirect. If you have put your Xbox IP in the 'proxy' bypass list, then it too will also appear here; this is a function of the webconfig, not miniupnpd. -
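Two settings in the /etc/miniupnpd/miniupnpd.conf excerpts posted earlier decide whether a UPnP request ever becomes one of those DNAT rules: the allow/deny permission list at the bottom of the file and secure_mode, described in this reply. The following is an added example, not miniupnpd's own code, that models that decision in Python so a posted rule set can be checked offline. It follows the semantics stated in the config comments (rules are tried in order, first match wins); that a request matching no rule is accepted by default, which is why the comments advise ending with a deny line, is my assumption about the daemon. The rule text and the addresses in the checks are constructed.

```python
import ipaddress

# Constructed rule set in the format of the 'UPnP permission rules' block of miniupnpd.conf:
#   (allow|deny) (external port range) ip/mask (internal port range)
RULES_TEXT = """\
# it is advised to only allow redirection of ports above 1024
allow 1024-65535 192.168.0.0/16 1024-65535
allow 1024-65535 10.0.0.0/8 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""


def parse_port_range(text):
    """'1024-65535' -> (1024, 65535); a single '8080' -> (8080, 8080)."""
    lo, _, hi = text.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {text}")
    return lo, hi


def parse_rules(text):
    """Parse permission lines into (action, ext_range, network, int_range) tuples.

    strict=False drops the host bits, so a rule written as 192.150.51.0/16 (as in one
    config posted above) becomes 192.150.0.0/16: a /16 typed for a /24 LAN quietly
    covers 65k addresses.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad rule: {line}")
        rules.append((action, parse_port_range(ext),
                      ipaddress.ip_network(net, strict=False), parse_port_range(internal)))
    return rules


def mapping_permitted(rules, ext_port, internal_ip, int_port):
    """First matching rule decides. No match -> accepted (assumed default, hence the trailing deny)."""
    addr = ipaddress.ip_address(internal_ip)
    for action, (elo, ehi), net, (ilo, ihi) in rules:
        if elo <= ext_port <= ehi and addr in net and ilo <= int_port <= ihi:
            return action == "allow"
    return True


def check_request(rules, client_ip, ext_port, internal_ip, int_port, secure_mode=True):
    """Decide an AddPortMapping-style request and return (permitted, reason).

    secure_mode mirrors the config option of that name: the requesting client
    may only create mappings that point at its own address.
    """
    if secure_mode and ipaddress.ip_address(client_ip) != ipaddress.ip_address(internal_ip):
        return False, f"secure_mode: {client_ip} may not map ports for {internal_ip}"
    if not mapping_permitted(rules, ext_port, internal_ip, int_port):
        return False, f"permission rules deny {ext_port} -> {internal_ip}:{int_port}"
    return True, "allowed"


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    # a console asking for a high UDP port to itself: allowed
    print(check_request(rules, "192.168.4.204", 63695, "192.168.4.204", 63695))
    # the same host trying to expose port 80: stopped by the trailing deny rule
    print(check_request(rules, "192.168.4.204", 80, "192.168.4.204", 80))
    # one host mapping a port to a different host: blocked by secure_mode
    print(check_request(rules, "192.168.4.204", 5000, "192.168.7.17", 5000))
```

Dropping the final deny line and re-running the second check shows why the config comments insist on it: with nothing matched, the request falls through to the default.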
Accepted Answer
Hi all,
Do these results look OK?
[root@gateway ~]# iptables -L -n -v -t nat
Chain PREROUTING (policy ACCEPT 4201 packets, 360K bytes)
pkts bytes target prot opt in out source destination
0 0 REDIRECT tcp -- * * !127.0.0.1 0.0.0.0/0 tcp dpt:3128 redir ports 82
0 0 ACCEPT tcp -- * * 0.0.0.0/0 G/W int ip tcp dpt:80
7 352 ACCEPT tcp -- * * 0.0.0.0/0 G/W ext ip tcp dpt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 xbox ip tcp dpt:80
483 25266 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
209 36756 MINIUPNPD all -- eth0 * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 4285 packets, 366K bytes)
pkts bytes target prot opt in out source destination
987 58708 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 7389 packets, 559K bytes)
pkts bytes target prot opt in out source destination
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3074 to:xbox ip:3074
Will the gateway IP address (G/W int ip) on port 80 conflict with the Xbox listening on port 80?
Also if this suggests that port 80 is open by default for my gateway how do I remove this rule?
Many thanks
PeterHuk -
Accepted Answer
Tim wrote:
Just to highlight why I like MiniUPNP more then LinuxIGD from a security point of view
You can restrict the permitted network ranges which are allowed to make UPNP calls, and the ports that they are able to open. By default I have configured all of the private ranges of IPs in /etc/miniupnpd/miniupnpd.conf, but you could refine it further as you see fit. This is in addition to listening only on the LAN interfaces.
I have also enabled "Strict mode", which means that a device is only able to open a port for its own IP address, rather than blindly opening anything that is requested by some unscrupulous app.
It's still running on my production box without hiccups so very pleased
Would really appreciate some info of how you achieved this pls
PeterHuk -
Accepted Answer
Hi Tim,
Just found out something that most of you will know, "windows line breaks
can cause linux apps to fails".
I have saved the file minus the windows line breaks and all working ok now,
my Xbox gets to Xbox live now (in the Xbox network test ) without complaint
but does not do the test login as it does with the wired rj45 connection?
This seems to suggest that it can see the Xbox live server but cannot login.
Does this happen for everyone or just mine?
What would be the best way to configure the miniupnp for just the Xbox IP
address and the Xbox live protocols?
Many thanks
PeterHuk -
Accepted Answer
Hi Tim,
I've just discovered something strange: any changes I make to
/etc/rc.d/rc.firewall.local cause the restart to fail. As a test I simply
added a hash '#' at the end of the file and that caused it to fail.
This is strange as I have been using my WiseFTP app for some time
now without any problems. I'll install WinSCP and see what happens.
Many thanks
PeterHuk -
Accepted Answer
Tim,
Many thanks for your reply and information I'll give it a try.
I am currently using 'Protocol Filter Configuration' to lock down
ports and in 'Reports -> Protocol Filter Configuration' there are
constantly attempts to access:
1, JPEG - Joint Picture Expert Group image format
2, eDonkey2000 - P2P filesharing - http://edonkey2000.com and others
3, Finger - User information server - RFC 1288
4, RTP - Real-time Transport Protocol - RFC 3550
5, SOCKS Version 5 - Firewall traversal protocol - RFC 1928
Not sure what is trying to gain access to these blocked ports but internet access
appears fine. If I have a service which needs access to a protocol (like external
email) I usually put their domain / IP in the bypass rule.
I guess this will all go out the window with miniupnpd or can miniupnpd be
configured for just the ip address and required protocols of my xbox / xbox live?
Many thanks
PeterHuk -
Accepted Answer
Hi Peter, please use a tool like WinSCP to make changes; it will make life simpler. Vim is good once you figure out its quirks but by no means user friendly; nano is better, but still not great.
You can safely remove and reinstall using
yum remove miniupnpd
yum --enablerepo=timb install miniupnpd
The UPnP protocol is inherently 'insecure' in that it trusts outgoing traffic, but if you already have outgoing allow, then there's not much difference. For some applications it's the only way to provide functional support behind a NAT gateway for things like XBox Live, MSN, video sharing etc.
Miniupnpd goes some way to make sure that these UPNP requests only originate from your LAN. The default "allow" rules are for local subnets only (192.168.x.x, 10.x.x.x, 172.16.x.x) not your actual IP...out of interest how is ClearOS configured?
For XBox live, outgoing traffic will have a SOURCE port in the range 1024+, the ports you are referring to are DESTINATION ports, Miniupnpd will handle the forwarding for you...
See the following for more info
http://en.wikipedia.org/wiki/Universal_Plug_and_Play
Accepted Answer
Hi Tim,
I'm using version miniupnpd-1.5.20110309-1.clearos.
Is there a way I can uninstall then reinstall? I'm not sure why my
installation was so different but it would be great to get it working.
By the way the notepad edit did not work, I clicked on save then
assumed that notepad updated the file but due to file permissions
the mod did not get saved, so I'm back at square 1.
I have tried to use vim in the past but when trying to end the program
it always seems to end up running in background mode and then I
find myself searching Goog for the command to kill background apps.
One other thing I noticed, in the miniupnp config file my external address
was listed i.e
# UPnP permission rules
# (allow|deny) (external port range) ip/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# ip/mask format must be nn.nn.nn.nn/nn
# it is advised to only allow redirection of port above 1024
# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
allow 1024-65535 out.going.ip.address/subnet 1024-65535
Although I really would like this to work, in the back of my mind
I'm thinking that if this is not configured correctly rogue apps can easily
open up ports left, right and centre and compromise my gateway security.
Plus it mentions a recommendation of only redirecting ports above 1024
but Xbox live requires 53, 80, 88 how does miniupnpd handle these?
Are there any useful links to find more info? But more importantly is an
uninstall / reinstall likely to work?
Many thanks
PeterHuk
Accepted Answer
Hi Peter, it should be there! What version do you have installed?
rpm -q miniupnpd
I'm puzzled because the RPM and firewall config is all you should need...then restart the firewall first to create the required MINIUPNPD tables
Your initial problems with file editing can be caused by line breaks creeping in, I tend to use either 'nano' or 'vim' for local file editing. If you're a Windows fan, then you should check out WinSCP (free) for file manipulation.
Accepted Answer
Tim,
This is completely weird, I just copied and pasted the mod back into
/etc/rc.d/rc.firewall.local, restarted the firewall and it worked.
That is crazy, the only thing that I could think may have happened is my
ftp programme (wiseftp) tends to add an extra line at the end of the
page when saving.
I used notepad this time and it came up. The only thing now is that
when I run the two test commands:
iptables -t nat -L MINIUPNPD -n -v
iptables -L MINIUPNPD -n -v
I get
'iptables: No chain/target/match by that name'
Any ideas
Many thanks
PeterHuk
Accepted Answer
Sorry Tim,
Just re-read my last post and it didn't make any sense. "Panic over" meaning my firewall is back up, but there
is still a problem with getting the MiniUPNP working.
It's strange that everyone else's seems to work straight away but mine is refusing to play ball. Anyway, any
suggestion would be appreciated.
Many thanks
PeterHuk
Accepted Answer
Hi tim,
I copied exactly from the thread. Anyway, panic over now as taking the modification out
has returned it to working order.
how can I trace the problem to get it working though?
I can't get my xbox live working via the wireless / clearos every time I need to use
the Xbox I've got to remove the gateway connection to the broadband modem and
insert an rj45 cable from the Xbox to the cable modem.
Any suggestions?
Many thanks for the fix for getting my firewall up again.
PeterHuk
Accepted Answer
Sorry, the full message is:
Mar 31 21:50:11 gateway miniupnpd: SNet version started
Mar 31 21:50:11 gateway miniupnpd[7636]: HTTP listening on port 49340
Mar 31 21:50:11 gateway miniupnpd[7636]: Listening for NAT-PMP traffic on port 5351
Mar 31 21:50:11 gateway miniupnpd[7636]: chain MINIUPNPD not found
Accepted Answer
Hi Tim,
I just installed your MiniUPNPD as I'm trying to get Xbox Live.
Have added your entry to /etc/rc.d/rc.firewall.local and in the
/etc/rc.d/init.d/miniupnpd file there was no 'UPNP_WAN= ' entry
available to update.
I'm not a Linux person but installed on good faith (your information
has been spot on before). After installing I now keep getting FAILED
when trying to restart / start my firewall.
Have looked in messages and system (as per your previous
recommendations) and no relevant errors displayed.
Getting a bit nervous now as not sure what to do.
Any suggestions?
PeterHuk
Accepted Answer
Hello! Well it's December 25th 2011 and an XBox 360S found its way into our house. I was immediately recruited by my 13 year old son to help resolve an issue with Xbox LIVE. The Xbox 360 was unable to connect to XBox Live, regardless of what I did, including following this tech tip. The only thing I did differently was I used miniupnpd-1.5.20110309-1.clearos.i686.rpm instead of miniupnpd-1.4.20100921-2.clearos.i686.rpm as enumerated in the tech tip.
I was able to resolve the problem by putting the Xbox on a HOTLAN that I set up on a third NIC card. I also divided my Asante switch into 2 VLANs. The Xbox is on VLAN2, which is connected to the HOTLAN. This assures complete isolation from the primary, content filtered, ICS LAN that the PCs in our house occupy. I'm not sure why the Xbox doesn't like to be proxied, but I think this HOTLAN solution is probably the best from a gaming standpoint as it should help keep the ping times down as low as possible, and the best part is, you don't have to try and figure out all this egghead iptables stuff. Thanks for investing the time to try and create a work around, and more power to you if you're able to make it work. I was not. (Clear OS 5.2)
Accepted Answer
Hi, I have battled with Xbox Live for ages, and I did get there using a different method that Tim wrote about. Anyhow, I added 2 more Xboxes to the network and everything stopped working. That's when I found this post.
I have all three now connecting to Xbox Live, however I am unable to connect to Zune, Facebook, LastFM etc. I am however able to download updates and demos.
When I do an Xbox Live test I still get the message that the NAT is in moderate mode and some content will not be available. Is there something this points to? Could I have made a mistake somewhere that this points to?
UPDATE
by turning on Transparent Mode all is working
Accepted Answer
Thanks Dirk! Hope it all goes smoothly for you tomorrow. Just to be sure, check that the MINIUPNPD tables exist and the service is running ok. Logs are stored in /var/log/messages. To test, starting a UPNP app such as uTorrent should show a port entry added to the firewall rules:
iptables -t nat -L MINIUPNPD -n -v
iptables -L MINIUPNPD -n -v
The Daemon API hack is not locale friendly, so it will just display "MiniUPNPD", but your modification allows you to change that to whatever you wish.
Have a good Christmas
Accepted Answer
You really are the best, Tim! Just got my kids an XBox for Christmas and included an XBox Live subscription. Just now installed MiniUPNPD and the firewall restarted seamlessly. Unfortunately until they open the thing and we get it all hooked up I won't be able to confirm if it all works with my gateway or not. I'm geeked though.
One aside in reference to your last post on this thread. The administrator needs to add a reference to match your "MiniUPNPD" reference in the Daemon.inc.php script, in the /var/webconfig/api/lang/daemon.en_US script (or the language of their install).
I changed your reference to look similar to the rest of the daemon entries in the Daemon.inc.php script, which looks like "DAEMON_LANG_MINIUPNPD". Then I added a line of script in the /lang/daemon.en_US script to look like
define("DAEMON_LANG_MINIUPNPD", "MiniUPNPD Plug-n-Play");
Shows up fine in the Webconfig listed services.
Thanks again.
Accepted Answer
With ClearOS 6.x you'll see the ability to install third party modules from the webconfig
To add this to the webconfig daemon (services) list add the following line into the array in /var/webconfig/api/Daemon.inc.php
"miniupnpd" => array("miniupnpd", "miniupnpd", "yes", "MiniUPNPD", "no", null),
Accepted Answer
Just to highlight why I like MiniUPNP more than LinuxIGD from a security point of view:
You can restrict the permitted network ranges which are allowed to make UPNP calls, and the ports that they are able to open. By default I have configured all of the private range of IPs in /etc/miniupnpd/miniupnpd.conf but you could refine it further as you see fit. This is in addition to listening only to the LAN interfaces.
I have also enabled "Strict mode" which means that a device is only able to open a port for its own IP address, rather than blindly opening anything that is requested by some unscrupulous app.
It's still running on my production box without hiccups so very pleased
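Tim's two points above (restricting the ip/mask ranges and ports that may be opened, and strict mode) and Peter's earlier question about ports below 1024 can be checked against a small model of how miniupnpd evaluates its permission rules. This is an added example, not code from the thread or from the miniupnpd project. It assumes the behaviour documented in the sample config: rules are tried in order and the first matching one decides, and a request that matches no rule is accepted (which is why the set should end with "deny 0-65535 0.0.0.0/0 0-65535"); strict mode is modelled as "the requesting client may only map ports to its own address". The rule set and client addresses below are constructed to mirror the private-range defaults Tim describes.

```python
"""Model of miniupnpd permission-rule evaluation (added example, not project code)."""
import ipaddress


def parse_ports(spec):
    """'1024-65535' -> (1024, 65535); '80' -> (80, 80)."""
    lo, _, hi = spec.partition("-")
    lo_i = int(lo)
    hi_i = int(hi) if hi else lo_i
    if not (0 <= lo_i <= hi_i <= 65535):
        raise ValueError(f"bad port range {spec!r}")
    return lo_i, hi_i


def parse_permission(line):
    """Parse one '(allow|deny) ext-range ip/mask int-range' line from miniupnpd.conf."""
    parts = line.split()
    if len(parts) != 4 or parts[0] not in ("allow", "deny"):
        raise ValueError(f"not a permission rule: {line!r}")
    action, ext, net, internal = parts
    return {
        "allow": action == "allow",
        "ext": parse_ports(ext),
        "net": ipaddress.ip_network(net, strict=False),
        "int": parse_ports(internal),
    }


def load_permissions(conf_text):
    """Read the permission lines from a conf excerpt, skipping comments and blanks."""
    return [parse_permission(l) for l in conf_text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def check_redirect(rules, requester_ip, ext_port, int_ip, int_port, secure_mode=True):
    """Decide whether an AddPortMapping request would be honoured.

    Returns (allowed, reason). secure_mode models the thread's 'Strict mode':
    the client that sends the request may only map ports to itself.
    The ip/mask in each rule is matched against the internal (target) address.
    """
    if secure_mode and requester_ip != int_ip:
        return False, f"secure_mode: {requester_ip} may not map ports to {int_ip}"
    addr = ipaddress.ip_address(int_ip)
    for i, rule in enumerate(rules):
        if (rule["ext"][0] <= ext_port <= rule["ext"][1]
                and rule["int"][0] <= int_port <= rule["int"][1]
                and addr in rule["net"]):
            verdict = "allow" if rule["allow"] else "deny"
            return rule["allow"], f"rule {i} ({verdict} ... {rule['net']}) matched"
    # Assumed default when nothing matches: accept. This is why the trailing
    # deny-all line in the sample config matters.
    return True, "no rule matched: accepted by default"


# Constructed rule set mirroring the private-range defaults described in the thread.
DEFAULT_CONF = """\
allow 1024-65535 192.168.0.0/16 1024-65535
allow 1024-65535 10.0.0.0/8 1024-65535
allow 1024-65535 172.16.0.0/12 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

if __name__ == "__main__":
    rules = load_permissions(DEFAULT_CONF)
    # Constructed requests: a LAN client mapping a high port to itself,
    # the same client asking for port 80, and a client mapping to a neighbour.
    for req in (("192.168.1.20", 3074, "192.168.1.20", 3074),
                ("192.168.1.20", 80, "192.168.1.20", 80),
                ("192.168.1.20", 3074, "192.168.1.30", 3074)):
        print(req, check_redirect(rules, *req))
    # Same port-80 request with the final deny line removed: accepted by default.
    print("no deny-all:", check_redirect(rules[:-1], "192.168.1.20", 80, "192.168.1.20", 80))
```

Run it with a copy of the permission lines from your own /etc/miniupnpd/miniupnpd.conf to see which requests the rule order actually lets through; the third case shows what strict mode blocks, and the last case shows what is opened when the deny-all line is missing.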
Accepted Answer
Calvin Teh wrote:
however there's still one question though.. shouldn't miniupnpd be listening on interface ppp0 instead of eth0 ?
I'll pass on that one as I have a cable connection. Have a look in /etc/firewall and see how EXTIF is defined. I'd use the same as it has there. Remember you also have to change the /etc/rc.d/init.d/miniupnpd file as well to hard code the UPNP_WAN to the same value for safety.
Accepted Answer
alright got the firewall to restart properly after that
Dec 1 20:40:41 M2-LB-01 miniupnpd[23876]: received signal 15, good-bye
Dec 1 20:40:41 M2-LB-01 miniupnpd: SNet version started
Dec 1 20:40:41 M2-LB-01 miniupnpd[25150]: HTTP listening on port 34985
Dec 1 20:40:41 M2-LB-01 miniupnpd[25150]: Listening for NAT-PMP traffic on port 5351
however there's still one question though.. shouldn't miniupnpd be listening on interface ppp0 instead of eth0 ?
Accepted Answer
You should have had a section like:
##
#MINIUPNPD required tables
##
IPTABLES=/sbin/iptables
#EXTIF= (not required as uses automagic to determine WAN, can be manually specified)
#adding the MINIUPNPD chain for nat
$IPTABLES -t nat -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD
#adding the MINIUPNPD chain for filter
$IPTABLES -t filter -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD
in /etc/rc.d/rc.firewall.local.
Tim suggested changing it to :
##
#MINIUPNPD required tables
##
IPTABLES=/sbin/iptables
EXTIF=eth0 ##### changed to override the value from /etc/firewall
#adding the MINIUPNPD chain for nat
$IPTABLES -t nat -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD
#adding the MINIUPNPD chain for filter
$IPTABLES -t filter -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD
Accepted Answer
Hi Nick,
No worries - you have a good point, the order in which the WAN's are listed is set in /etc/firewall (see the EXTIF= setting), there's no guarantee that the first one will be the one you want.
Calvin, the changes proposed for the init file then are a good way forward to ensure you get the right WAN
Accepted Answer
Tim,
I was off work today so I jumped in earlier. Naughty.
Are you sure the change to the init file is not needed? I was doing it to force the rc.firewall.local and init scripts to use the same EXTIF. I did not think there was any guarantee that eth0 evaluated before eth1 (in his case) when using the automagic stuff. With my multiLAN set up the init script picked eth2 instead of eth1.
Accepted Answer
'True' MultiWAN is experimental (i.e. not tested!) and also stated that way by the author - it appears I will have to build another version with the define MULTIPLE_EXTERNAL_IP flag for it to work.
If you do want multiple WAN's. you'll have to throw away the init script and iptables, and resort to configuring it via the config file only.
Miniupnpd *should* however work ok with systems with MultiWAN's, but just use only one for the UPNP traffic. The iptables script however will only work for one WAN...try the following to fix your firewall:-
Uncomment the following line (/etc/rc.d/rc.firewall.local) and manually specify the interface you want UPNP traffic to use:-
EXTIF=eth0
Nick's changes above to the init file shouldn't be necessary as it will pick the first WAN in the list.
Please let us know - as I don't have a multiwan setup to test with
Accepted Answer
The firewall rules (and miniupnpd) will fail with multiwan.
In the firewall rules you'll need to change these rules:
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD
$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD
Change the $EXTIF for ethx, the external interface you want to use (assuming it is only one).
You also need to change the /etc/rc.d/init.d/miniupnpd. Either change this line
UPNP_WAN=`echo $AUTOMAGIC_EXTIFS | awk '{ print $1 }'`
to
UPNP_WAN=ethx
or, rather than replace the line, I would just add the replacement line after the original line to make it easy to revert the script. Replace x to correspond with the interface you chose for the firewall rule.
At the end of the day miniupnpd only has an experimental multiwan feature but you'll need to read the docs to see how it works. Tim's script effectively only works for one WAN and I think a lot more studying of the docs will be needed to make it work for more than one.
Post back if this works as I only have a single WAN environment here so I have not tested it.
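Nick's and Tim's posts above pin the WAN interface in two places, rc.firewall.local and the init script, and Calvin's log further down shows what happens when the chains are not there ("chain MINIUPNPD not found"). The following is an added check, not code from the thread or from miniupnpd: given the text of `iptables-save` captured on the gateway, it confirms that the MINIUPNPD chain exists in both the nat and filter tables and that the PREROUTING/FORWARD jumps into it sit on the interface you intended, and it reports which UPNP_WAN assignment in the init script is actually in effect (in a shell script the last assignment wins, which is what makes Nick's "append rather than replace" approach work). The iptables-save extracts and init-script fragments are constructed for offline use; the chain layout assumed is the one in the rc.firewall.local snippet posted earlier in the thread.

```python
"""Health check for the MINIUPNPD iptables hooks (added example, not project code)."""
import re

CHAIN = "MINIUPNPD"


def parse_iptables_save(text):
    """Parse iptables-save output into {table: {"chains": set(), "rules": [...]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # "*nat" opens a table block
            current = line[1:]
            tables[current] = {"chains": set(), "rules": []}
        elif line == "COMMIT":
            current = None
        elif current is None:
            continue
        elif line.startswith(":"):          # ":MINIUPNPD - [0:0]" declares a chain
            tables[current]["chains"].add(line[1:].split()[0])
        elif line.startswith("-A "):
            tables[current]["rules"].append(line)
    return tables


def check_miniupnpd_hooks(save_text, wan_if):
    """Return a list of problems; an empty list means the hooks look right."""
    tables = parse_iptables_save(save_text)
    problems = []
    for table, parent in (("nat", "PREROUTING"), ("filter", "FORWARD")):
        info = tables.get(table, {"chains": set(), "rules": []})
        if CHAIN not in info["chains"]:
            problems.append(f"{table}: chain {CHAIN} missing "
                            f"(miniupnpd would log 'chain {CHAIN} not found')")
            continue
        jumps = [r for r in info["rules"]
                 if r.startswith(f"-A {parent} ") and r.endswith(f"-j {CHAIN}")]
        if not jumps:
            problems.append(f"{table}: no jump from {parent} to {CHAIN}")
            continue
        on_wan = [r for r in jumps
                  if re.search(rf"(^|\s)-i {re.escape(wan_if)}(\s|$)", r)]
        if not on_wan:
            problems.append(f"{table}: {parent} jumps to {CHAIN} but not on WAN "
                            f"{wan_if}: {jumps[0]}")
        elif table == "filter" and not any(f"! -o {wan_if}" in r for r in on_wan):
            problems.append("filter: FORWARD hook should exclude traffic leaving "
                            f"via the WAN (! -o {wan_if})")
    return problems


def effective_upnp_wan(init_script_text):
    """Right-hand side of the last uncommented UPNP_WAN= assignment, or None."""
    value = None
    for line in init_script_text.splitlines():
        m = re.match(r"\s*UPNP_WAN=(.*)$", line)
        if m:
            value = m.group(1).strip()
    return value


# Constructed iptables-save extract: firewall ran the snippet with EXTIF=eth0.
HEALTHY = """\
*nat
:PREROUTING ACCEPT [0:0]
:MINIUPNPD - [0:0]
-A PREROUTING -i eth0 -j MINIUPNPD
COMMIT
*filter
:FORWARD DROP [0:0]
:MINIUPNPD - [0:0]
-A FORWARD -i eth0 ! -o eth0 -j MINIUPNPD
COMMIT
"""

# Constructed: the same box after a restart in which rc.firewall.local never ran.
MISSING = """\
*nat
:PREROUTING ACCEPT [0:0]
COMMIT
*filter
:FORWARD DROP [0:0]
COMMIT
"""

# Constructed init-script fragment following Nick's "append, don't replace" advice.
INIT_FRAGMENT = """\
UPNP_WAN=`echo $AUTOMAGIC_EXTIFS | awk '{ print $1 }'`
UPNP_WAN=eth0
"""

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY), ("missing", MISSING)):
        print(name, check_miniupnpd_hooks(text, "eth0") or "ok")
    print("init script will use:", effective_upnp_wan(INIT_FRAGMENT))
```

On a live gateway, feed it `iptables-save` output and the contents of /etc/rc.d/init.d/miniupnpd; if the interface reported by `effective_upnp_wan` differs from the one the hooks sit on, the daemon and the firewall disagree about the WAN, which is the mismatch the multiwan posts are working around.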
Accepted Answer
i have 3 interfaces.. eth0 and eth1 are respectively ppp0 and ppp1.. whereas eth2 is the LAN..
upon inspection of the /var/log/messages and /var/log/system , it doesn't show anything helpful though..
Nov 30 18:00:33 M2-LB-01 firewall: ========== start /etc/rc.d/rc.firewall.custom ==========
Nov 30 18:00:33 M2-LB-01 firewall: # Custom firewall rules managed through webconfig
Nov 30 18:00:33 M2-LB-01 firewall: # This file is executed by the firewall on stop/start/restart.
Nov 30 18:00:33 M2-LB-01 firewall: ========== end /etc/rc.d/rc.firewall.custom ==========
Nov 30 18:00:33 M2-LB-01 firewall: ========== start /etc/rc.d/rc.firewall.local ==========
Nov 30 18:00:33 M2-LB-01 firewall: # Custom firewall rules.
Nov 30 18:00:33 M2-LB-01 firewall: # This file is executed by the firewall on stop/start/restart.
Nov 30 18:00:33 M2-LB-01 firewall:
Nov 30 18:00:33 M2-LB-01 firewall: ##
Nov 30 18:00:33 M2-LB-01 firewall: #MINIUPNPD required tables
Nov 30 18:00:33 M2-LB-01 firewall: ##
Nov 30 18:00:33 M2-LB-01 firewall: IPTABLES=/sbin/iptables
Nov 30 18:00:33 M2-LB-01 firewall: #EXTIF= (not required as uses automagic to determine WAN, can be
Nov 30 18:00:33 M2-LB-01 firewall: manually specified)
Nov 30 18:00:33 M2-LB-01 firewall: #adding the MINIUPNPD chain for nat
Nov 30 18:00:33 M2-LB-01 firewall: $IPTABLES -t nat -N MINIUPNPD
Nov 30 18:00:33 M2-LB-01 firewall: #adding the rule to MINIUPNPD
Nov 30 18:00:33 M2-LB-01 firewall: $IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD
Nov 30 18:00:33 M2-LB-01 firewall:
Nov 30 18:00:33 M2-LB-01 firewall: #adding the MINIUPNPD chain for filter
Nov 30 18:00:33 M2-LB-01 firewall: $IPTABLES -t filter -N MINIUPNPD
Nov 30 18:00:33 M2-LB-01 firewall: #adding the rule to MINIUPNPD
Nov 30 18:00:33 M2-LB-01 firewall: $IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD
Nov 30 18:00:33 M2-LB-01 firewall: ========== start /etc/rc.d/rc.firewall.local ==========
Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: chain MINIUPNPD not found
Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: chain MINIUPNPD not found
Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: addnatrule() : iptc_is_chain() error : No chain/target/match by that name
Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: chain MINIUPNPD not found
Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: chain MINIUPNPD not found
Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: addnatrule() : iptc_is_chain() error : No chain/target/match by that name
Accepted Answer
hi tim,
when I tried to add this into /etc/rc.d/rc.firewall.local
##
#MINIUPNPD required tables
##
IPTABLES=/sbin/iptables
#EXTIF= (not required as uses automagic to determine WAN, can be manually specified)
#adding the MINIUPNPD chain for nat
$IPTABLES -t nat -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD
#adding the MINIUPNPD chain for filter
$IPTABLES -t filter -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD
doing a firewall service restart returned me a failed status. ClearOS is managing my multi-WAN
Accepted Answer
Tim Burgess wrote:
Hi Nick, i've uploaded a new version with amended init script which will listen on all LAN interfaces (LANIF not HOTLAN)
ftp://starlane.gotdns.org/miniupnpd-1.4.20100921-2.clearos.i686.rpm
You can add further interface / subnets by editing /etc/miniupnpd/miniupnpd.conf and adding "listening_ip" fields
Thanks, that's neat. That saves me hacking the init script. I have 2 LANs, one of which is normally not used, but as luck would have it, it was the one picked up by the init script. It was the same for upnpd which is why I recognised your script and knew where to hack.
Accepted Answer
Hi Nick, i've uploaded a new version with amended init script which will listen on all LAN interfaces (LANIF not HOTLAN)
ftp://starlane.gotdns.org/miniupnpd-1.4.20100921-2.clearos.i686.rpm
You can add further interface / subnets by editing /etc/miniupnpd/miniupnpd.conf and adding "listening_ip" fields
Accepted Answer
Tim,
I notice there is a restriction in the init function to only one LAN interface as there is in upnpd. Is this a restriction of yours or one of miniupnpd? It looks like you based your script on the upnpd one but it would be more of a job to make it loop through the LANIFS if it were even possible.
Nick
Accepted Answer
Great stuff Tim. I'll stick this on later and see if I can get it working with my multiwan setup. If it's using the ClearOS automatic detection then I believe it picks one of the 2 WANs so it should work, but I'll override that as I want it to use the one I pick.
I've only got one Xbox 360 but would be interested to know if 2 do work in open NAT at the same time with this. I might get another at some point soon.