PF Allowing Multicast Traffic?

So long story short, I have a firewall running PF on 10.2 (r286666) and I want to be able to use net/miniupnpd along with net/minissdpd to serve and manage UPnP traffic. I'm testing whether UPnP works with miniupnpd on a Debian machine and an Xbox One's NAT test.

So far, what I can tell is supposed to happen is that the client makes an HTTP request to 239.255.255.250 with a special search header, the UPnP server sees that and replies directly to the client with an HTTP OK status (200). This is how the client finds the UPnP server and sends it further requests to open ports. For the life of me, I cannot get the auto-discovery portion of this to work. If I do the request manually by hand, miniupnpd works fine.

I tried the following rules to see if I could at least ping the firewall...

Code:
# ICMP to any multicast group; allow-opts lets packets carrying IP options through
pass quick on vlan4094 inet proto icmp from any to 224.0.0.0/4 keep state allow-opts
# ICMP sourced from a multicast address (never happens on the wire; harmless but unused)
pass quick on vlan4094 inet proto icmp from 224.0.0.0/4 to any keep state allow-opts

That resulted in nothing: if I try to ping 239.255.255.250 from a client machine I get replies from other UPnP clients on the network, but not from the firewall itself.

Does anyone have any insight on how to allow something like this?
 
Here's a little more information...

The firewall server is able to send data out to the UPnP multicast address, but I don't think it's able to see any data sent to the same address from other machines. Running miniupnpd in debug mode does not show it receiving any multicast packets, so PF must be blocking this.
 
It's usually helpful to start PF rules with this:
Code:
block log all
Then enable pflog(4) with sysrc pflog_enable=YES and start it with service pflog start.

With the above, you can check if your rules are indeed blocking it with tcpdump -i pflog0 and see if you can at least see the raw inputs with tcpdump -i <INTERFACE>.
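Putting the two posts together, here is an added example (not from either poster, and not miniupnpd's own configuration) of the pf.conf fragment a FreeBSD firewall needs for SSDP discovery, generated by a small sh script so the interface name and daemon port can be substituted. Assumptions: vlan4094 is the LAN-facing interface, miniupnpd's http_port is 5555, and the daemon answers M-SEARCH from UDP source port 1900. Two points the thread does not spell out: the state created by an inbound M-SEARCH is keyed on the multicast destination 239.255.255.250, so it does not match the daemon's unicast reply and the reply needs its own rule; and IGMP membership reports carry the IP Router Alert option, which PF drops unless the rule says allow-opts. Also note that the ping test in the first post says nothing about PF: FreeBSD ignores ICMP echo requests to multicast and broadcast addresses unless net.inet.icmp.bmcastecho is set to 1, and even then only for groups the host has joined.

```shell
#!/bin/sh
# Added example, not from the thread: generate a pf.conf fragment that lets
# SSDP (UPnP discovery) and IGMP reach a FreeBSD firewall running miniupnpd.
# Interface name, network and HTTP port are assumptions passed in as arguments.

# Print the ruleset for LAN interface $1 and miniupnpd HTTP/SOAP port $2
# ($2 must match http_port in miniupnpd.conf; 5555 is an assumed default).
ssdp_ruleset() {
    lan_if=$1
    http_port=${2:-5555}
    cat <<EOF
lan_if = "$lan_if"
ssdp_grp = "239.255.255.250"
upnp_http_port = "$http_port"

# IGMP queries from the router and membership reports from this host carry
# the IP Router Alert option; PF drops packets with IP options unless the
# rule says allow-opts. Without this the join for the SSDP group is never
# announced on the wire.
pass quick on \$lan_if inet proto igmp allow-opts

# SSDP M-SEARCH from LAN clients to the group on UDP 1900. The state this
# creates is keyed on the multicast destination, so it does not cover the
# unicast reply; that gets its own rule below.
pass in quick on \$lan_if inet proto udp from \$lan_if:network to \$ssdp_grp port 1900

# Unicast M-SEARCH responses to clients and ssdp:alive NOTIFYs to the group,
# both sent by the daemon. Source port 1900 is an assumption about the
# daemon's SSDP socket; drop "port 1900" if it answers from another port.
pass out quick on \$lan_if inet proto udp from (\$lan_if) port 1900 to { \$lan_if:network, \$ssdp_grp }

# After discovery the client fetches the device description and sends SOAP
# requests (AddPortMapping etc.) to the daemon's HTTP port.
pass in quick on \$lan_if inet proto tcp from \$lan_if:network to (\$lan_if) port \$upnp_http_port
EOF
}

# Count the pass rules in a generated fragment (used to sanity-check output).
rule_count() {
    grep -c '^pass' "$1"
}

# Write the fragment to $3 (default /tmp/ssdp.conf) and, when pfctl exists,
# parse it without loading it. pfctl resolves $lan_if:network at parse time,
# so the interface must exist on the machine running the check.
check_ruleset() {
    out=${3:-/tmp/ssdp.conf}
    ssdp_ruleset "$1" "$2" > "$out"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$out"
    else
        echo "pfctl not found; wrote $out without a syntax check" >&2
    fi
}

# Stand-alone usage: print the fragment for the interface from the thread.
ssdp_ruleset vlan4094 5555
```

Load the fragment into the existing ruleset ahead of the block log all rule, then verify in the order the reply suggests: tcpdump -ni pflog0 'udp port 1900 or igmp' shows what PF still drops, tcpdump -nei vlan4094 'udp port 1900 or igmp' shows what actually arrives on the wire, and ifmcstat -i vlan4094 confirms that miniupnpd has joined 239.255.255.250 on that interface; if the group is not joined, the kernel discards the datagram after PF regardless of rules.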
 