Hi,
I have been trying to get UPNP to work for my gaming son. Apparently, things need to be UPNP to get a NAT type of 'open' from the various gaming networks.
So, I've dug into miniupnpd and modded a very complex pf.conf file. Still no luck. I was wondering if someone could post the most basic of both the files so that I could make sure all my settings are correct and that this will at least work before I continue banging my head on the wall.
I have put an anchor declaration in for miniupnpd in the pf.conf file, I have tried various settings in miniupnpd.conf and quite a few other things. However, something just isn't right.
I've been told that if the anchor is working correctly, I should be able to see the state or nat using
pfctl -a miniupnpd -s nat
However, this returns nothing.
I tried something simple with a pf.conf file:
Code:
# Normalization. "scrub from em1" matches packets whose source is em1's own
# address, not packets arriving on em1; "scrub in on em1" is the intended form.
scrub in on em1 all no-df random-id fragment reassemble
#
# Translation (nat/rdr) must come before every filter rule in FreeBSD pf.
# static-port keeps the LAN host's source port through NAT.
nat on em0 from any to any -> (em0) static-port
# miniupnpd inserts its rdr (port-forward) rules into this anchor
rdr-anchor "miniupnpd"
#
# Table for blacklist addresses
#
table <fail2ban> persist file "/etc/fail2ban"
#
# Filter rules start here. miniupnpd inserts its pass rules into this anchor
# (when built with PF_ENABLE_FILTER_RULES); it stays empty until a client
# has requested a mapping.
#
anchor "miniupnpd"
#
# Blocking IPs via fail2ban and bruteforce
#
block in on em0 from <fail2ban> to any
#
antispoof for em0
#
# Allow Loopback Traffic ("loopback" is not an interface name; lo0 is)
#
pass log quick on lo0 inet from any to any label "Loopback"
pass log quick on lo0 inet proto udp from lo0 to 127.0.0.1 label "UDP lo0"
#
# Gaming connect on 27017. This rule is on em0, where outbound packets have
# already been NATed to em0's address before filtering, so the 192.168.0.0/24
# source never matches here. SSDP (1900) and the miniupnpd HTTP port (5555)
# are reached on em1 and are already covered by the interface-less
# 192.168.0.0/24 rules below.
#
pass log quick on em0 inet proto udp from 192.168.0.0/24 to any port { 1900, 5555, 27017 }
# lo1 cloned loopback on internal network
#
pass log quick inet from 192.168.0.0/24 to any label "lo1"
#
# Internal network access to server and outside world
#
pass log quick inet from 192.168.0.0/24 to any label "INTERNAL2WORLD"
#
#
# Allow TCP protocol to be transmitted
#
pass log quick on em0 inet proto tcp from any to any label "TCPACCEPT"
#
# Allow UDP protocol to be transmitted
#
pass log quick on em0 inet proto udp from any to any label "UDPACCEPT"
#
# Allow ICMP protocol to be transmitted
#
pass log quick on em0 inet proto icmp from any to any label "ICMPACCEPT"
#
# There is no default "block" rule, so anything not matched above is passed
# as well; that is what makes this ruleset wide open.
That seems about as easy as it gets. (It's also pretty wide open)
Next, I have a 'simple' miniupnpd.conf file:
Code:
# WAN network interface
ext_ifname=em0
# If the WAN interface has several IP addresses, you
# can specify the one to use below
#ext_ip=
# LAN network interfaces IPs / networks
# There can be multiple listening IPs for SSDP traffic, in that case
# use multiple 'listening_ip=...' lines, one for each network interface.
# It can be IP address or network interface name (ie. "eth0")
# It is mandatory to use the network interface name in order to enable IPv6
# HTTP is available on all interfaces.
# When MULTIPLE_EXTERNAL_IP is enabled, the external IP
# address associated with the subnet follows. For example:
# listening_ip=192.168.0.1/24 88.22.44.13
#listening_ip=192.168.0.1/24
#listening_ip=10.5.0.0/16
listening_ip=em1
# CAUTION: mixing up WAN and LAN interfaces may introduce security risks!
# Be sure to assign the correct interfaces to LAN and WAN and consider
# implementing UPnP permission rules at the bottom of this configuration file
# Port for HTTP (descriptions and SOAP) traffic. Set to 0 for autoselect.
http_port=5555
# Port for HTTPS. Set to 0 for autoselect (default)
#https_port=0
# Path to the UNIX socket used to communicate with MiniSSDPd
# If running, MiniSSDPd will manage M-SEARCH answering.
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock
# Enable NAT-PMP support (default is no)
#enable_natpmp=yes
enable_natpmp=no
# Enable UPNP support (default is yes)
#enable_upnp=no
enable_upnp=yes
# PCP
# Configure the minimum and maximum lifetime of a port mapping in seconds
# 120s and 86400s (24h) are suggested values from PCP-base
min_lifetime=120
max_lifetime=86400
# Chain names for netfilter (not used for pf or ipf).
# default is MINIUPNPD for both
#upnp_forward_chain=forwardUPnP
#upnp_nat_chain=UPnP
# Lease file location
# lease_file=/var/log/upnp.leases
# To enable the next few runtime options, see compile time
# ENABLE_MANUFACTURER_INFO_CONFIGURATION (config.h)
# Name of this service, default is "`uname -s` router"
# friendly_name="Home Router"
# Manufacturer name, default is "`uname -s`"
#manufacturer_name=Manufacturer corp
# Manufacturer URL, default is URL of OS vendor
#manufacturer_url=http://miniupnp.free.fr/
# Model name, default is "`uname -s` router"
#model_name=Router Model
# Model description, default is "`uname -s` router"
#model_description=Very Secure Router - Model
# Model URL, default is URL of OS vendor
#model_url=http://miniupnp.free.fr/
# Bitrates reported by daemon in bits per second
# by default miniupnpd tries to get WAN interface speed
#bitrate_up=100000000
#bitrate_down=1000000000
# Secure Mode, UPnP clients can only add mappings to their own IP
#secure_mode=yes
# "no" lets any LAN host request mappings that point at other LAN hosts
secure_mode=no
# Default presentation URL is HTTP address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
# from displaying an icon in the "Network Connections" panel.
#presentation_url=http://www.mylan/index.php
# Report system uptime instead of daemon uptime
system_uptime=yes
# Notify interval in seconds. default is 30 seconds.
#notify_interval=240
notify_interval=60
# Unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
#clean_ruleset_threshold=10
# Clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600
# Log packets in pf (default is no)
#packet_log=no
# Anchor name in pf (default is miniupnpd)
#anchor=miniupnpd
# ALTQ queue in pf
# Filter rules must be used for this to be used.
# compile with PF_ENABLE_FILTER_RULES (see config.h file)
#queue=queue_name1
# Tag name in pf
#tag=tag_name1
# Make filter rules in pf quick or not. default is yes
# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
#quickrules=no
# UUID, generate your own UUID with "make genuuid"
uuid=9179ca36-50b5-11e7-ba30-0025908afefc
# Daemon's serial and model number when reporting to clients
# (in XML description)
#serial=12345678
#model_number=1
# UPnP permission rules
# (allow|deny) (external port range) IP/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# IP/mask format must be nnn.nnn.nnn.nnn/nn
# It is advised to only allow redirection of port >= 1024
# and end the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
# The following default ruleset allows specific LAN side IP addresses
# to request only ephemeral ports. It is recommended that users
# modify the IP ranges to match their own internal networks, and
# also consider implementing network-specific restrictions
# CAUTION: failure to enforce any rules may permit insecure requests to be made!
#allow 1024-65535 192.168.0.0/24 1024-65535
#allow 1024-65535 192.168.1.0/24 1024-65535
##allow 1024-65535 192.168.0.0/23 22
## allow 12345 192.168.7.113/32 54321
#deny 0-65535 0.0.0.0/0 0-65535
# Matches any LAN host for any port >= 1024. Without a trailing deny, a
# request that matches no rule (e.g. an external port below 1024) is
# accepted as well, because miniupnpd accepts by default.
allow 1024-65535 0.0.0.0/0 1024-65535
I'm not too sure what I've missed and hope someone can help with a simpler file/configuration so that I can get this running asap.
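Added example, not the poster's files and not copied from the miniupnpd project: a minimal pf.conf plus miniupnpd.conf pair for the interface names (em0 WAN, em1 LAN) and LAN range (192.168.0.0/24) used in the post, with the UPnP permissions closed down instead of wide open. The console address 192.168.0.50 and the /usr/local/etc/miniupnpd.conf path (the FreeBSD port's default) are assumptions. One thing worth knowing when checking the anchor: miniupnpd only inserts rules into it when a LAN client actually requests a mapping, so pfctl -a miniupnpd -s nat printing nothing before any request is normal and does not mean the anchor is broken.

```conf
# ===== /etc/pf.conf (minimal; em0 = WAN, em1 = LAN as in the post) =====
ext_if  = "em0"
int_if  = "em1"
lan_net = "192.168.0.0/24"

set skip on lo0

# Normalization
scrub in on $ext_if all fragment reassemble

# Translation. In FreeBSD pf, nat/rdr rules must precede every filter rule.
# static-port keeps the LAN host's source port, which the consoles' NAT-type
# test cares about.
nat on $ext_if from $lan_net to any -> ($ext_if) static-port
# miniupnpd inserts its rdr (port-forward) rules into this anchor
rdr-anchor "miniupnpd"

# Filtering: default deny on the WAN side, then open only what is needed.
block in log on $ext_if all
antispoof quick for $ext_if

# miniupnpd inserts its "pass in quick" rules here when built with
# PF_ENABLE_FILTER_RULES. The anchor stays empty until a LAN client has
# requested a mapping.
anchor "miniupnpd"

# Only needed if the anchor shows rdr rules (pfctl -a miniupnpd -s nat) but no
# pass rules (pfctl -a miniupnpd -s rules): after rdr the destination is
# already the LAN address, so this passes the redirected traffic.
#pass in on $ext_if inet proto { tcp, udp } from any to $lan_net

# LAN hosts may reach the router itself (SSDP on 1900/udp, miniupnpd HTTP on
# 5555/tcp) and the outside world.
pass in on $int_if inet from $lan_net to any
pass out on $ext_if inet all

# ===== /usr/local/etc/miniupnpd.conf (path assumed for the FreeBSD port) =====
ext_ifname=em0
listening_ip=em1
http_port=5555
enable_upnp=yes
enable_natpmp=no
# a client may only create mappings that point at its own address
secure_mode=yes
clean_ruleset_interval=600
notify_interval=60
# generate your own (make genuuid or uuidgen); do not reuse one from a forum post
#uuid=
# Permission rules: first match wins, and a request that matches NO rule is
# accepted, so the list must end with a deny.
# 192.168.0.50 is an assumed address for the console; give it a DHCP reservation.
allow 1024-65535 192.168.0.50/32 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
```

To check it: pfctl -vnf /etc/pf.conf parses the file without loading it, pfctl -f /etc/pf.conf loads it, and pfctl -s Anchors must then list miniupnpd. Start the daemon in the foreground with miniupnpd -d -f /usr/local/etc/miniupnpd.conf so every SSDP and SOAP request is printed. From a LAN host with the miniupnpc package installed, upnpc -l lists the current mappings and upnpc -a 192.168.0.50 27017 27017 UDP asks for one; only after that request do pfctl -a miniupnpd -s nat and pfctl -a miniupnpd -s rules show the inserted rules. With secure_mode=yes and the allow line above, that upnpc call succeeds only when run from 192.168.0.50 itself, which is the point: no other LAN host can open ports towards the console, and nothing can open ports below 1024.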