ClearOS Module - MiniUPNP Daemon

Resolved
1 votes
I've built and packaged MiniUPNP daemon so that it will work with ClearOS
http://miniupnp.free.fr/

It relies on your system being configured in gateway mode, it also has only been tested in a single WAN environment. MultiWAN is experimental and can be achieved by editing the config (/etc/miniupnpd/miniupnpd.conf) and iptables (see below)

This can be used as a direct replacement for LinuxIGD, which has a flaw whereby multiple rules will be created with the same port for multiple devices.

MiniUPNPD also supports NAT-PMP

INSTALL:-
Setup the community yum repo by following the instructions HERE
yum --enablerepo=timb install miniupnpd


Add the following code to /etc/rc.d/rc.firewall.local to create the MiniUPNPD tables, required so that after a firewall restart the tables do not disappear.
##
#MINIUPNPD required tables
##
IPTABLES=/sbin/iptables
#EXTIF= (not required as uses automagic to determine WAN, can be manually specified)
#adding the MINIUPNPD chain for nat
$IPTABLES -t nat -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD

#adding the MINIUPNPD chain for filter
$IPTABLES -t filter -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD


Then review the config in /etc/miniupnpd/miniupnpd.conf - shouldn't need any changes....the External WAN is determined using the ClearOS automagic function.

Then restart the firewall to create the tables, and start the service
service firewall restart
service miniupnpd start


Voila! you should now have a functioning UPNP gateway device, you can check logs and entries by running
grep upnpd /var/log/messages
or
iptables -t nat -L MINIUPNPD -n -v
iptables -L MINIUPNPD -n -v


Enjoy :D
Saturday, November 27 2010, 11:26 PM
Responses (86)
  • Accepted Answer

    Monday, November 23 2015, 05:46 PM - #Permalink
    Resolved
    0 votes
    Thanks for giving it a try Eric! I have added the topic to the issue tracker and I'll circle back around when I'm doing network-related reviews for ClearOS.
  • Accepted Answer

    Monday, November 23 2015, 01:06 AM - #Permalink
    Resolved
    0 votes
    Peter Baldwin wrote:

    Eric Anderson wrote:

    https://github.com/pcbaldwin/miniupnpd/commits/master

    I think it is in work for ClearOS 7.1. It would be nice to know when it is published then I can upgrade...


    It's now available for testing in ClearOS 7.1:

    yum install miniupnpd


    You will need to manually configure the /etc/sysconfig/miniupnpd with your network settings. The "-i" flag is for specifying your WAN/Internet interface, "-a" for your LAN interface, and "-w" for the ClearOS webconfig URL, e.g.:


    MINIUPNPD_WAN="-i ens32"
    MINIUPNPD_LANS="-a ens34"
    MINIUPNPD_URL="-w https://192.168.4.1:81"


    And you can start it too:


    service miniupnpd start
    chkconfig miniupnpd on


    If the miniupnpd works as advertised, I'll push out the app-upnp package. The app will automatically configure the /etc/sysconfig/miniupnpd file :-)


    Peter, this worked for me. I did have to edit the bottom of the /etc/miniupnpd/miniupnpd.conf to expand the range to "allow 0-65535 192.168.0.0/16 0-65535" again!
  • Accepted Answer

    Wednesday, November 11 2015, 08:05 PM - #Permalink
    Resolved
    1 votes
    Eric Anderson wrote:

    https://github.com/pcbaldwin/miniupnpd/commits/master

    I think it is in work for ClearOS 7.1. It would be nice to know when it is published then I can upgrade...


    It's now available for testing in ClearOS 7.1:

    yum install miniupnpd


    You will need to manually configure the /etc/sysconfig/miniupnpd with your network settings. The "-i" flag is for specifying your WAN/Internet interface, "-a" for your LAN interface, and "-w" for the ClearOS webconfig URL, e.g.:


    MINIUPNPD_WAN="-i ens32"
    MINIUPNPD_LANS="-a ens34"
    MINIUPNPD_URL="-w https://192.168.4.1:81"


    And you can start it too:


    service miniupnpd start
    chkconfig miniupnpd on


    If the miniupnpd works as advertised, I'll push out the app-upnp package. The app will automatically configure the /etc/sysconfig/miniupnpd file :-)
  • Accepted Answer

    Sunday, November 08 2015, 05:55 PM - #Permalink
    Resolved
    0 votes
    https://github.com/pcbaldwin/miniupnpd/commits/master

    I think it is in work for ClearOS 7.1. It would be nice to know when it is published then I can upgrade...
  • Accepted Answer

    UrbanSk
    Monday, September 28 2015, 09:54 AM - #Permalink
    Resolved
    3 votes
    Will there be a version for the latest ClearOS 7?
  • Accepted Answer

    UrbanSk
    Thursday, November 27 2014, 11:53 AM - #Permalink
    Resolved
    0 votes
    Any chance to get miniupnpd updated to the latest version?

    Regards,

    Urban
  • Accepted Answer

    Tuesday, September 30 2014, 04:17 AM - #Permalink
    Resolved
    0 votes
    Thanks Nick, it was "allow 0-65535 192.168.0.0/16 0-65535" again! you would think that the miniupnpd package would have been updated for that now that it is mainstream. good news was auto magic worked.
  • Accepted Answer

    Monday, September 29 2014, 04:55 PM - #Permalink
    Resolved
    0 votes
    OK. I strongly recommend you give WHS a fixed IP of some sort. It can be done through the Leases section of the DHCP Server screen, in which case you can use anywhere between 192.168.0.2 and 192.168.7.254, or just by giving it a fixed IP in WHS, in which case you will need to have it in the range 192.168.1.2 - 192.168.1.0.

    If you are free to play with subnets at the moment, I also strongly recommend you avoid the 192.168.0.0/24 and 192.168.1.0/24 subnets. In your case, because you want such a large range, you could go to 192.168.8.0/21 or somewhere completely different.

    Did you read the thread I linked you to? I suspect you'll find your answer there.
  • Accepted Answer

    Monday, September 29 2014, 03:19 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:
    You have an odd configuration for your subnet. Presumably your subnet mask is 255.255.248.0 and you are reserving addresses from 192.168.0.1 to 192.168.1.0 for fixed IPs? You've got your gateway IP overlapping with your DHCP server range which is not a good idea. Which IP is your whs using?

    What is the output to:
    ifconfig | grep Eth -A 1


    Also you have the same warning as in this thread. Also look at the ports solution.


    I changed my ip address to 192.168.0.1 and gateway and dns to the same under dhcp.

    # ifconfig | grep Eth -A 1
    eth0 Link encap:Ethernet HWaddr 90:2B:34:XX:XX:XX
    inet addr:192.168.0.1 Bcast:192.168.7.255 Mask:255.255.248.0
    --
    eth1 Link encap:Ethernet HWaddr 90:2B:34:XX:XX:XX
    inet addr:66.182.XXX.52 Bcast:66.182.XXX.255 Mask:255.255.255.0

    My Lan is eth0 now set to 192.168.0.1, gateway 192.168.0.1, ip range start 192.168.1.1, ip range end 192.168.7.254, dns #1 192.168.1.1, netmask (Network/IP Settings) is 255.255.248.0

    correct, I'm reserving the lower range. whs is using 192.168.4.204

    # iptables -t nat -L MINIUPNPD -n -v
    Chain MINIUPNPD (2 references)
    pkts bytes target prot opt in out source destination
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:51824 to:192.168.7.17:51824
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:63695 to:192.168.4.204:63695
    # iptables -L MINIUPNPD -n -v
    Chain MINIUPNPD (2 references)
    pkts bytes target prot opt in out source destination
    1 137 ACCEPT udp -- * * 0.0.0.0/0 192.168.7.17 udp dpt:51824
    4 548 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.204 udp dpt:63695

    whs complains port forwarding is not configured correctly on the router, and remote web access to your server is blocked...
  • Accepted Answer

    Sunday, September 28 2014, 07:44 AM - #Permalink
    Resolved
    0 votes
    You have an odd configuration for your subnet. Presumably your subnet mask is 255.255.248.0 and you are reserving addresses from 192.168.0.1 to 192.168.1.0 for fixed IPs? You've got your gateway IP overlapping with your DHCP server range which is not a good idea. Which IP is your whs using?

    What is the output to:
    ifconfig | grep Eth -A 1


    Also you have the same warning as in this thread. Also look at the ports solution.
  • Accepted Answer

    Saturday, September 27 2014, 09:59 PM - #Permalink
    Resolved
    0 votes
    For some reason I can't get upnp to work, well at least my whs2011 can't configure itself to forward ports to itself.
    1) port forwarding is not configured correctly on the router.
    2) remote web access to your server is blocked

    I'm running ClearOS V6.5.
    set eth0 to be 192.168.1.1, gateway 192.168.1.1, ip range start 192.168.1.1, ip range end 192.168.7.254, dns #1 192.168.1.1
    set eth1 to dhcp and role as external

    Installed miniupnpd, added the firewall stuff from first post to /etc/clearos/firewall.d/local:

    # grep upnpd /var/log/messages
    Sep 26 21:55:09 orion yum[27442]: Installed: miniupnpd-1.6.20120121-5.v6.x86_64
    Sep 26 22:01:27 orion miniupnpd: SNet version started
    Sep 26 22:01:27 orion miniupnpd[1077]: could not open lease file: /var/lib/miniupnpd/upnp.leases
    Sep 26 22:01:27 orion miniupnpd[1077]: HTTP listening on port 40186
    Sep 26 22:01:27 orion miniupnpd[1077]: Listening for NAT-PMP traffic on port 5351
    Sep 26 22:11:40 orion miniupnpd[1077]: received signal 15, good-bye
    Sep 26 22:11:40 orion miniupnpd: SNet version started
    Sep 26 22:11:40 orion miniupnpd[24066]: already expired lease in lease file
    Sep 26 22:11:40 orion miniupnpd[24066]: already expired lease in lease file
    Sep 26 22:11:40 orion miniupnpd[24066]: HTTP listening on port 42280
    Sep 26 22:11:40 orion miniupnpd[24066]: Listening for NAT-PMP traffic on port 5351
    Sep 26 22:16:12 orion miniupnpd[24066]: received signal 15, good-bye
    Sep 26 22:16:12 orion miniupnpd: SNet version started
    Sep 26 22:16:12 orion miniupnpd[1757]: already expired lease in lease file
    Sep 26 22:16:12 orion miniupnpd[1757]: already expired lease in lease file
    Sep 26 22:16:12 orion miniupnpd[1757]: HTTP listening on port 34953
    Sep 26 22:16:12 orion miniupnpd[1757]: Listening for NAT-PMP traffic on port 5351
    Sep 26 22:25:37 orion miniupnpd[1757]: received signal 15, good-bye
    Sep 26 22:25:37 orion miniupnpd: SNet version started
    Sep 26 22:25:37 orion miniupnpd[22810]: already expired lease in lease file
    Sep 26 22:25:37 orion miniupnpd[22810]: already expired lease in lease file
    Sep 26 22:25:37 orion miniupnpd[22810]: HTTP listening on port 57731
    Sep 26 22:25:37 orion miniupnpd[22810]: Listening for NAT-PMP traffic on port 5351
    Sep 26 22:37:25 orion miniupnpd[22810]: received signal 15, good-bye
    Sep 26 22:37:26 orion miniupnpd: SNet version started
    Sep 26 22:37:26 orion miniupnpd[16828]: already expired lease in lease file
    Sep 26 22:37:26 orion miniupnpd[16828]: already expired lease in lease file
    Sep 26 22:37:26 orion miniupnpd[16828]: HTTP listening on port 41820
    Sep 26 22:37:26 orion miniupnpd[16828]: Listening for NAT-PMP traffic on port 5351
    Sep 26 22:39:26 orion miniupnpd[16828]: received signal 15, good-bye
    Sep 26 22:40:05 orion miniupnpd: SNet version started
    Sep 26 22:40:05 orion miniupnpd[22905]: already expired lease in lease file
    Sep 26 22:40:05 orion miniupnpd[22905]: already expired lease in lease file
    Sep 26 22:40:05 orion miniupnpd[22905]: HTTP listening on port 58884
    Sep 26 22:40:05 orion miniupnpd[22905]: Listening for NAT-PMP traffic on port 5351
    Sep 26 22:54:16 orion miniupnpd[22905]: received signal 15, good-bye
    Sep 26 22:55:48 orion miniupnpd: SNet version started
    Sep 26 22:55:48 orion miniupnpd[2512]: already expired lease in lease file
    Sep 26 22:55:48 orion miniupnpd[2512]: already expired lease in lease file
    Sep 26 22:55:48 orion miniupnpd[2512]: HTTP listening on port 35623
    Sep 26 22:55:48 orion miniupnpd[2512]: Listening for NAT-PMP traffic on port 5351
    Sep 27 01:56:55 orion miniupnpd[2512]: received signal 15, good-bye
    Sep 27 01:56:55 orion miniupnpd: SNet version started
    Sep 27 01:56:55 orion miniupnpd[9641]: already expired lease in lease file
    Sep 27 01:56:55 orion miniupnpd[9641]: already expired lease in lease file
    Sep 27 01:56:55 orion miniupnpd[9641]: already expired lease in lease file
    Sep 27 01:56:55 orion miniupnpd[9641]: already expired lease in lease file
    Sep 27 01:56:55 orion miniupnpd[9641]: HTTP listening on port 45696
    Sep 27 01:56:55 orion miniupnpd[9641]: Listening for NAT-PMP traffic on port 5351


    # iptables -t nat -L MINIUPNPD -n -v
    Chain MINIUPNPD (2 references)
    pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 to:192.168.5.167:8000
    0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1025 to:192.168.5.167:1025
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:57024 to:192.168.4.61:57024
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:58880 to:192.168.4.61:58880
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:52066 to:192.168.2.69:52066

    # iptables -L MINIUPNPD -n -v
    Chain MINIUPNPD (2 references)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.5.167 tcp dpt:8000
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.5.167 tcp dpt:1025
    76 10412 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.61 udp dpt:57024
    78 10686 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.61 udp dpt:58880
    24 3288 ACCEPT udp -- * * 0.0.0.0/0 192.168.2.69 udp dpt:52066
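The two MINIUPNPD listings in the post above can be reconciled mechanically, which also catches the duplicate-port condition the opening post attributes to LinuxIGD. The Python sketch below is an added example, not part of any post in this thread and not miniupnpd code; the function names are hypothetical, and the sample rows are the ones posted above plus one constructed row (marked) that collides on TCP port 8000.

```python
import re
from collections import defaultdict

# One data row of `iptables [-t nat] -L MINIUPNPD -n -v`:
# pkts bytes target prot opt in out source destination <match> [to:ip:port]
ROW_RE = re.compile(
    r"^\s*(?P<pkts>\S+)\s+(?P<bytes>\S+)\s+(?P<target>DNAT|ACCEPT)\s+"
    r"(?P<proto>tcp|udp)\s+\S+\s+\S+\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?:tcp|udp)\s+dpt:(?P<dport>\d+)"
    r"(?:\s+to:(?P<to_ip>[\d.]+):(?P<to_port>\d+))?\s*$"
)

# Rows copied from the listing above; the last row is constructed for the example.
NAT_LISTING = """\
Chain MINIUPNPD (2 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 to:192.168.5.167:8000
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1025 to:192.168.5.167:1025
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:57024 to:192.168.4.61:57024
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:58880 to:192.168.4.61:58880
0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:52066 to:192.168.2.69:52066
0 0 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8000 to:192.168.4.61:8000
"""

FILTER_LISTING = """\
Chain MINIUPNPD (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.5.167 tcp dpt:8000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.5.167 tcp dpt:1025
76 10412 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.61 udp dpt:57024
78 10686 ACCEPT udp -- * * 0.0.0.0/0 192.168.4.61 udp dpt:58880
24 3288 ACCEPT udp -- * * 0.0.0.0/0 192.168.2.69 udp dpt:52066
"""


def parse_chain(listing):
    """Parse rule rows; the chain banner and column header do not match ROW_RE."""
    rows = []
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["dport"] = int(row["dport"])
        if row["to_port"] is not None:
            row["to_port"] = int(row["to_port"])
        rows.append(row)
    return rows


def port_collisions(nat_rows):
    """External (proto, port) pairs redirected to more than one internal target."""
    seen = defaultdict(set)
    for r in nat_rows:
        if r["target"] == "DNAT":
            seen[(r["proto"], r["dport"])].add(f'{r["to_ip"]}:{r["to_port"]}')
    return {key: sorted(targets) for key, targets in seen.items() if len(targets) > 1}


def forwards_without_accept(nat_rows, filter_rows):
    """DNAT redirections that have no matching ACCEPT in the filter chain."""
    accepted = {(r["proto"], r["dst"], r["dport"])
                for r in filter_rows if r["target"] == "ACCEPT"}
    return [(r["proto"], r["to_ip"], r["to_port"])
            for r in nat_rows
            if r["target"] == "DNAT"
            and (r["proto"], r["to_ip"], r["to_port"]) not in accepted]


def mappings_by_host(nat_rows):
    """Inventory: internal host -> list of (proto, external port, internal port)."""
    hosts = defaultdict(list)
    for r in nat_rows:
        if r["target"] == "DNAT":
            hosts[r["to_ip"]].append((r["proto"], r["dport"], r["to_port"]))
    return dict(hosts)


if __name__ == "__main__":
    nat, flt = parse_chain(NAT_LISTING), parse_chain(FILTER_LISTING)
    for host, maps in sorted(mappings_by_host(nat).items()):
        print(host, maps)
    print("collisions:", port_collisions(nat))
    print("DNAT without ACCEPT:", forwards_without_accept(nat, flt))
```

On a live gateway, feed it the output of the two `iptables ... -L MINIUPNPD -n -v` commands from the opening post instead of the embedded samples.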
  • Accepted Answer

    Robert
    Monday, July 08 2013, 10:00 PM - #Permalink
    Resolved
    0 votes
    Hi All,

    I wonder if somebody else also observed that, but it always takes up to 30 minutes to show me the server and its content in Windows or Android. Is my server maybe too slow to prepare the data to send? Or is it taking longer and longer to show the server's content as more is on the server? I have about 500 songs and 20 movies on the server.

    Except this waiting thing everything else runs fine.

    Thanks for your help.

    Cheers

    Robert
  • Accepted Answer

    Tuesday, July 02 2013, 06:38 PM - #Permalink
    Resolved
    0 votes
    Great man thank you!! :)

    As far as the lease file is concerned, there is no file in the path specified... can I just create a blank txt file with the same name and drop it into that directory?

    Update: I created the file and dropped it into that dir. Gave root full permissions and restarted the service.. no error.

    Works like a charm, I can see my PS3 by using

    iptables -L MINIUPNPD -n -v
  • Accepted Answer

    Tuesday, July 02 2013, 06:21 PM - #Permalink
    Resolved
    0 votes
    That is the 5.x file location. For 6.x use /etc/clearos/firewall.d/local.
  • Accepted Answer

    Tuesday, July 02 2013, 04:52 PM - #Permalink
    Resolved
    0 votes
    Hi Everyone,

    I am using the newest flavor of Clearos and wanted to get upnp to work properly. I seem to be having some issues.

    First off I do not have a firewall file /etc/rc.d/rc.firewall.local.

    I ran the install using the Clearos 6 repo and not Tim's.. it installed ok.

    When I check the log file I see the following..

    Jul 1 04:04:14 wall yum[19603]: Installed: miniupnpd-1.6.20120121-4.v6.x86_64
    Jul 2 12:26:06 wall miniupnpd: SNet version started
    Jul 2 12:26:06 wall miniupnpd[18706]: could not open lease file: /var/lib/miniupnpd/upnp.leases
    Jul 2 12:26:06 wall miniupnpd[18706]: HTTP listening on port 44247
    Jul 2 12:26:06 wall miniupnpd[18706]: Listening for NAT-PMP traffic on port 535

    I can play xbox and ps3 online, however I always could even before installing the service. So it appears that it is not truly opening up ports.

    Any ideas?
  • Accepted Answer

    Tuesday, March 12 2013, 01:24 AM - #Permalink
    Resolved
    0 votes
    My miniupnpd appears to be not automatically starting. "grep miniupnp /var/log/messages" reveals nothing, but if I stop and then start, the same command reveals:

    Mar 10 10:17:25 orion miniupnpd[2158]: received signal 15, good-bye
    Mar 10 10:17:32 orion miniupnpd: SNet version started
    Mar 10 10:17:32 orion miniupnpd[7822]: already expired lease in lease file
    Mar 10 10:17:32 orion miniupnpd[7822]: HTTP listening on port 49866
    Mar 10 10:17:32 orion miniupnpd[7822]: Listening for NAT-PMP traffic on port 5351
  • Accepted Answer

    Monday, October 15 2012, 10:15 PM - #Permalink
    Resolved
    0 votes
    OK so what role does that interface have? LAN? the init script should setup the broadcast route for all LAN interfaces, and to be fair is not designed to account for your number of interfaces

    However try from the command line
    /sbin/route add -net 239.0.0.0 netmask 255.0.0.0 eth3

    You may also want to explicitly specify the interfaces in /etc/miniupnpd/miniupnpd.conf... change listening_ip=10.100.0.0/31 and ext_ifname=eth2

    Then run 'service miniupnpd restart'
  • Accepted Answer

    Sunday, October 14 2012, 11:44 PM - #Permalink
    Resolved
    0 votes
    eth3
  • Accepted Answer

    Saturday, October 13 2012, 08:38 PM - #Permalink
    Resolved
    0 votes
    OK so which NIC / LAN subnet do you want Miniupnpd to work on? You have many local interfaces, it looks like the multicast route for broadcast traffic is only set up for eth1.
  • Accepted Answer

    Friday, October 12 2012, 02:06 AM - #Permalink
    Resolved
    0 votes
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    x.x.x.x 0.0.0.0 255.255.255.240 U 0 0 0 eth0
    x.x.x.x 0.0.0.0 255.255.255.240 U 0 0 0 eth2
    10.100.4.0 0.0.0.0 255.255.254.0 U 0 0 0 eth5
    10.100.0.0 0.0.0.0 255.255.254.0 U 0 0 0 eth3
    10.100.2.0 0.0.0.0 255.255.254.0 U 0 0 0 eth4
    10.70.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth1
    239.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
    0.0.0.0 x.x.x.x 0.0.0.0 UG 0 0 0 eth2
  • Accepted Answer

    Tuesday, October 09 2012, 01:12 PM - #Permalink
    Resolved
    0 votes
    My Playstation works just fine behind ClearOS, and is displayed as 'open' from within games such as MW3

    What is your network setup? can you provide the output of 'route -n'

    You can also try changing the interface (ext_ifname) in /etc/miniupnpd/miniupnpd.conf and restarting the miniupnpd service.
  • Accepted Answer

    Monday, October 08 2012, 03:00 AM - #Permalink
    Resolved
    0 votes
    is this the only way to get nat type 1??

    i need a way to get playstation network to work through clearos this doesnt seem to work xbox says its nat type 2 and PSN refuses to connect
  • Accepted Answer

    Monday, October 08 2012, 02:58 AM - #Permalink
    Resolved
    0 votes
    that worked thanks! i had to define Wan and Lan instead of it autodetecting it
  • Accepted Answer

    Sunday, October 07 2012, 09:25 PM - #Permalink
    Resolved
    0 votes
    Hi Don, do you have WAN/LAN interfaces defined? is ClearOS configured in gateway mode?
  • Accepted Answer

    Saturday, October 06 2012, 11:16 PM - #Permalink
    Resolved
    0 votes
    clearos 6.2 no proxy no filter
    this is what i get every time i start miniupnpd
    Starting miniupnpd: Network configuration missing[FAILED]
  • Accepted Answer

    Thursday, October 04 2012, 08:15 PM - #Permalink
    Resolved
    0 votes
    As Nick said delete the contents and restart the firewall - perhaps you pasted some other content by mistake? (copy and paste from Windows can introduce hidden characters)
  • Accepted Answer

    Wednesday, October 03 2012, 06:42 PM - #Permalink
    Resolved
    0 votes
    How are you editing rc.firewall.local? Can you post the contents? If the worst comes to the worst rename the file then issue the command "touch /etc/rc.d/rc.firewall.local" to completely reset the file. (It also removes the first two dummy lines but that should not matter).
  • Accepted Answer

    Erik
    Wednesday, October 03 2012, 01:06 PM - #Permalink
    Resolved
    0 votes
    Hi Tim and everyone else!

    I just recently tried to install miniupnp following the guidelines laid out in the first post; however, after I made changes to the rc.firewall.local file I have had the same issue as Peter first described. When trying to start/restart the firewall service it fails and I haven't been able to make it work again by clearing the rc.firewall.local file.

    Any suggestions on how this is fixed or what is causing it other than the file?
  • Accepted Answer

    Friday, August 24 2012, 06:52 AM - #Permalink
    Resolved
    0 votes
    You appear to have two typos in your conf: "50.150.51.1/24" should be "10.150.51.1/24". I am not sure if you need the listening_ip at all. On my 5.2 system it is not set up.
  • Accepted Answer

    Joel
    Friday, August 24 2012, 01:52 AM - #Permalink
    Resolved
    0 votes
    I'm not quite sure what I was thinking when I setup that subnet :huh: Might not have been quite awake when I did it lol.
    I changed my lan to 10.150.50.1/24 and my hotlan to 10.150.51.1/24. I also modified the miniupnpd.conf file accordingly. I am still showing a moderate nat on the xbox when connected to the hotlan. If I try to connect through the standard lan it won't even connect to live which is not a problem as I am not planning on having any xboxes on the standard lan. Here is my updated config file.

    # WAN network interface
    ext_ifname=eth0
    #ext_ifname=xl1
    # if the WAN interface has several IP addresses, you
    # can specify the one to use below
    #ext_ip=

    # LAN network interfaces IPs / networks
    # there can be multiple listening ips for SSDP traffic.
    # should be under the form nnn.nnn.nnn.nnn/nn
    # HTTP is available on all interfaces
    # When MULTIPLE_EXTERNAL_IP is enabled, the external ip
    # address associated with the subnet follows. for example :
    # listening_ip=192.168.0.1/24 88.22.44.13
    listening_ip=50.150.51.1/24
    #listening_ip=192.168.1.1/24
    #listening_ip=
    # port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.
    port=0

    # path to the unix socket used to communicate with MiniSSDPd
    # If running, MiniSSDPd will manage M-SEARCH answering.
    # default is /var/run/minissdpd.sock
    #minissdpdsocket=/var/run/minissdpd.sock

    # enable NAT-PMP support (default is no)
    enable_natpmp=yes

    # enable UPNP support (default is yes)
    enable_upnp=yes

    # chain names for netfilter (not used for pf or ipf).
    # default is MINIUPNPD for both
    #upnp_forward_chain=forwardUPnP
    #upnp_nat_chain=UPnP

    # lease file location
    #lease_file=/var/log/upnp.leases

    # bitrates reported by daemon in bits per second
    bitrate_up=1000000
    bitrate_down=10000000

    # "secure" mode : when enabled, UPnP client are allowed to add mappings only
    # to their IP.
    secure_mode=yes
    #secure_mode=no

    # default presentation url is http address on port 80
    # If set to an empty string, no presentationURL element will appear
    # in the XML description of the device, which prevents MS Windows
    # from displaying an icon in the "Network Connections" panel.
    #presentation_url=http://www.mylan/index.php

    # report system uptime instead of daemon uptime
    system_uptime=yes

    # notify interval in seconds. default is 30 seconds.
    #notify_interval=240
    notify_interval=60

    # unused rules cleaning.
    # never remove any rule before this threshold for the number
    # of redirections is exceeded. default to 20
    #clean_ruleset_threshold=10
    # clean process work interval in seconds. default to 0 (disabled).
    # a 600 seconds (10 minutes) interval makes sense
    clean_ruleset_interval=600

    # log packets in pf
    #packet_log=no

    # ALTQ queue in pf
    # filter rules must be used for this to be used.
    # compile with PF_ENABLE_FILTER_RULES (see config.h file)
    #queue=queue_name1

    # tag name in pf
    #tag=tag_name1

    # make filter rules in pf quick or not. default is yes
    # active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
    #quickrules=no

    # uuid : generate your own with "make genuuid"
    uuid=60943e58-b9ff-42bc-a825-5cd04c359f57

    # serial and model number the daemon will report to clients
    # in its XML description
    serial=12345678
    model_number=1

    # UPnP permission rules
    # (allow|deny) (external port range) ip/mask (internal port range)
    # A port range is <min port>-<max port> or <port> if there is only
    # one port in the range.
    # ip/mask format must be nn.nn.nn.nn/nn
    # it is advised to only allow redirection of port above 1024
    # and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
    allow 1024-65535 50.150.51.0/24 1024-65535
    #allow 1024-65535 10.0.0.0/8 1024-65535
    #allow 1024-65535 172.16.0.0/12 1024-65535
    deny 0-65535 0.0.0.0/0 0-65535



    And I am not quite sure what you meant, Tim Burgess so here is what I get when running the route -n command.

    /etc/miniupnpd$ route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    xxx.xxx.xxx.xxx 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
    10.150.51.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
    10.150.50.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
    239.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth1
    0.0.0.0 xxx.xxx.xxx.xxx 0.0.0.0 UG 0 0 0 ppp0


    I hid my public IP address for security reasons...
  • Accepted Answer

    Thursday, August 23 2012, 08:46 PM - #Permalink
    Resolved
    0 votes
    The default Miniupnpd config is only to allow Upnp requests from private subnets, but I see you have amended the config

    Check your routing table has an entry for 239.0.0.0 on your hotlan interface ('route -n' command)...from memory the init script only sets up the route for LAN interfaces
  • Accepted Answer

    Thursday, August 23 2012, 12:17 PM - #Permalink
    Resolved
    0 votes
    Although your LAN detects a upnp device, is it able to configure the ports by upnp? It may be that the LAN can just see the upnp device but not do anything with it.

    BTW, are you aware that your HotLAN is using a public range of addresses which will stop you being able to visit any sites in that address block?
  • Accepted Answer

    Joel
    Thursday, August 23 2012, 11:32 AM - #Permalink
    Resolved
    0 votes
    I am trying to enable upnp on a single interface. I have the xbox's on a hotlan with a subnet of 192.150.50.1/24 and it is on eth3. I tried editing the config file for miniupnp to be active for only that subnet and my nat is still moderate. I tried connecting the xbox's to my main subnet of 192.150.50.1/24 and it immediately connected with an open nat and the computers also detected a upnp device on the network. Where did I go wrong?

    # WAN network interface
    ext_ifname=eth0
    #ext_ifname=xl1
    # if the WAN interface has several IP addresses, you
    # can specify the one to use below
    #ext_ip=

    # LAN network interfaces IPs / networks
    # there can be multiple listening ips for SSDP traffic.
    # should be under the form nnn.nnn.nnn.nnn/nn
    # HTTP is available on all interfaces
    # When MULTIPLE_EXTERNAL_IP is enabled, the external ip
    # address associated with the subnet follows. for example :
    # listening_ip=192.168.0.1/24 88.22.44.13
    listening_ip=192.150.51.1/24
    #listening_ip=192.168.1.1/24
    #listening_ip=
    # port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.
    port=0

    # path to the unix socket used to communicate with MiniSSDPd
    # If running, MiniSSDPd will manage M-SEARCH answering.
    # default is /var/run/minissdpd.sock
    #minissdpdsocket=/var/run/minissdpd.sock

    # enable NAT-PMP support (default is no)
    enable_natpmp=yes

    # enable UPNP support (default is yes)
    enable_upnp=yes

    # chain names for netfilter (not used for pf or ipf).
    # default is MINIUPNPD for both
    #upnp_forward_chain=forwardUPnP
    #upnp_nat_chain=UPnP

    # lease file location
    #lease_file=/var/log/upnp.leases

    # bitrates reported by daemon in bits per second
    bitrate_up=1000000
    bitrate_down=10000000

    # "secure" mode : when enabled, UPnP client are allowed to add mappings only
    # to their IP.
    secure_mode=yes
    #secure_mode=no

    # default presentation url is http address on port 80
    # If set to an empty string, no presentationURL element will appear
    # in the XML description of the device, which prevents MS Windows
    # from displaying an icon in the "Network Connections" panel.
    #presentation_url=http://www.mylan/index.php

    # report system uptime instead of daemon uptime
    system_uptime=yes

    # notify interval in seconds. default is 30 seconds.
    #notify_interval=240
    notify_interval=60

    # unused rules cleaning.
    # never remove any rule before this threshold for the number
    # of redirections is exceeded. default to 20
    #clean_ruleset_threshold=10
    # clean process work interval in seconds. default to 0 (disabled).
    # a 600 seconds (10 minutes) interval makes sense
    clean_ruleset_interval=600

    # log packets in pf
    #packet_log=no

    # ALTQ queue in pf
    # filter rules must be used for this to be used.
    # compile with PF_ENABLE_FILTER_RULES (see config.h file)
    #queue=queue_name1

    # tag name in pf
    #tag=tag_name1

    # make filter rules in pf quick or not. default is yes
    # active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
    #quickrules=no

    # uuid : generate your own with "make genuuid"
    uuid=60943e58-b9ff-42bc-a825-5cd04c359f57

    # serial and model number the daemon will report to clients
    # in its XML description
    serial=12345678
    model_number=1

    # UPnP permission rules
    # (allow|deny) (external port range) ip/mask (internal port range)
    # A port range is <min port>-<max port> or <port> if there is only
    # one port in the range.
    # ip/mask format must be nn.nn.nn.nn/nn
    # it is advised to only allow redirection of port above 1024
    # and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
    allow 1024-65535 192.150.51.0/16 1024-65535
    allow 1024-65535 10.0.0.0/8 1024-65535
    allow 1024-65535 172.16.0.0/12 1024-65535
    deny 0-65535 0.0.0.0/0 0-65535

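How the permission rules in the posted configuration decide a mapping request, as an added example that is not part of the original post or of miniupnpd itself. It assumes rules are tried top to bottom with the first match deciding, and that a request matching no rule is accepted (which is why the config comment advises a final deny rule); the function names are hypothetical, and the secure_mode check follows the comment in the config.

```python
import ipaddress

# Permission rules exactly as posted in the configuration above.
RULES_TEXT = """\
allow 1024-65535 192.150.51.0/16 1024-65535
allow 1024-65535 10.0.0.0/8 1024-65535
allow 1024-65535 172.16.0.0/12 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

def parse_range(text):
    """'<min port>-<max port>' or a single '<port>' -> (min, max)."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi

def parse_rules(text):
    """Parse '(allow|deny) ext-range ip/mask int-range' lines, keeping order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, ext, net, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action: {raw!r}")
        # strict=False applies the mask: 192.150.51.0/16 covers 192.150.0.0-192.150.255.255
        network = ipaddress.ip_network(net, strict=False)
        rules.append((action, parse_range(ext), network, parse_range(internal)))
    return rules

def decide(rules, requester, ext_port, int_client, int_port, secure_mode=True):
    """Return (allowed, reason) for one port-mapping request."""
    addr = ipaddress.ip_address(int_client)
    # secure_mode: a client may only add a mapping to its own IP.
    if secure_mode and ipaddress.ip_address(requester) != addr:
        return False, "secure_mode"
    for n, (action, (e_lo, e_hi), net, (i_lo, i_hi)) in enumerate(rules, 1):
        if e_lo <= ext_port <= e_hi and addr in net and i_lo <= int_port <= i_hi:
            return action == "allow", f"rule {n}"
    # Assumption of this example: a request matching no rule is accepted.
    return True, "no rule matched"
```

Calling `decide(parse_rules(RULES_TEXT), requester, ext_port, int_client, int_port)` with your own LAN addresses shows which rule a given device would hit.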
  • Accepted Answer

    Eric
    Friday, June 15 2012, 01:03 AM - #Permalink
    Resolved
    0 votes
    That is interesting I never had any problems with 4.x or 5.x. I have only had issues with the content filtering in 6.2. I also noticed that once I uninstalled content filtering that my Facebook App on my iPhone 4 started working again. Hopefully the content filter will get fixed in future updates.
  • Accepted Answer

    Peter
    Wednesday, June 13 2012, 12:08 PM - #Permalink
    Resolved
    0 votes
    Hi Eric,

    Many thanks for the info. Since my last post I've moved to
    ClearOS V6 and added the Xbox live incoming port settings
    (plus fixed a few ldap issues thx to Tim's advice
    http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,10/func,view/id,40810/limit,10/limitstart,20/#42075 ).

    Now all ok. If I need to use Xbox live I still need to shutdown
    the content filter. But with many little fingers browsing the
    internet the content filter has to stay.

    Many thanks

    PeterHuk
  • Accepted Answer

    Eric
    Wednesday, June 13 2012, 05:23 AM - #Permalink
    Resolved
    0 votes
    The only way I could get my xbox to work was by doing the following

    Uninstall the content filter
    yum remove app-content-filter

    install upnp
    yum install miniupnpd

    My Web Proxy is configured as follows
    Transparent Mode: Enabled
    User Authentication: Disabled
  • Accepted Answer

    Peter
    Thursday, April 05 2012, 12:39 AM - #Permalink
    Resolved
    0 votes
    Many thanks for the update Tim, no matter what I do it just doesn't seem to want to work.

    I've read some people say that they can shut down the content filter and get it working.
    When I shut down my content filter (set content filter to disable in web proxy) it stops
    all internet access (continuously comes up with Invalid web request error).

    Is there a way to view / monitor the traffic from my xbox and xbox live (only)? There must be a
    web request from the xbox that is failing to come back or vice versa. If I could see the request
    and the port requested then I'm sure it will be much easier to diagnose the problem. At the moment
    it's like trying to fault find in the dark.

    Many thanks


    PeterHuk
  • Accepted Answer

    Tuesday, April 03 2012, 10:17 PM - #Permalink
    Resolved
    0 votes
    Are you using the web proxy? If so, then as one last step you'll need to add a bypass for it... (the Xbox is not very proxy friendly). There was a post on this here
    http://www.clearfoundation.com/component/option,com_kunena/Itemid,232/catid,40/func,view/id,22515/

    You can't configure Miniupnpd for just one IP address, it's a daemon that will serve your LAN, dynamically providing port forwards for services that need or use the UPNP protocol... Skype, file sharing, messengers etc.

    Secure / strict mode is enabled by default in the /etc/miniupnpd/miniupnpd.conf so that services can only open ports for their own IP address

    Your iptables output looks fine, you have one mapped entry for UDP on 3074

    Be careful not to confuse yourself with the 'prerouting' table. This table is used to dynamically change packets (or redirect them) prior to hitting the 'input' or 'port forward' chains. This is where the port is actually opened... those rules you see are just to permit web traffic to/from the ClearOS box without getting caught by your transparent proxy redirect. If you have put your XBox IP in the 'proxy' bypass list, then it too will also appear here... this is a function of the webconfig, not miniupnpd.
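Reading the MINIUPNPD nat chain discussed in the reply above, as an added example that is not part of the original post: it parses a listing in the layout of `iptables -t nat -L MINIUPNPD -n -v` and flags mappings worth a second look. The sample listing is constructed (the thread's own output has its addresses redacted), and the LAN range and function names are assumptions.

```python
import ipaddress
import re

# Constructed sample in the layout of `iptables -t nat -L MINIUPNPD -n -v`.
SAMPLE = """\
Chain MINIUPNPD (1 references)
 pkts bytes target prot opt in out source destination
    0     0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3074 to:192.168.1.50:3074
   12   720 DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 to:192.168.1.77:8443
   3K  180K DNAT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:50000 to:203.0.113.9:50000
"""

# Counters may be abbreviated (3K, 2M) unless iptables is run with -x.
ROW = re.compile(
    r"^\s*(\d+[KMG]?)\s+\S+\s+DNAT\s+(tcp|udp)\s.*\bdpt:(\d+)\s+to:([\d.]+):(\d+)\s*$"
)

def parse_mappings(listing):
    """Extract one dict per DNAT row; header and chain lines are skipped."""
    mappings = []
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            pkts, proto, ext_port, host, int_port = m.groups()
            mappings.append({"pkts": pkts, "proto": proto, "ext_port": int(ext_port),
                             "host": host, "int_port": int(int_port)})
    return mappings

def audit(mappings, lan="192.168.1.0/24"):
    """Return (mapping, finding) pairs; `lan` is an assumed LAN range."""
    lan_net = ipaddress.ip_network(lan)
    findings = []
    for m in mappings:
        label = f"{m['proto']}/{m['ext_port']} -> {m['host']}:{m['int_port']}"
        if m["ext_port"] < 1024:
            findings.append((label, "external port below 1024"))
        if ipaddress.ip_address(m["host"]) not in lan_net:
            findings.append((label, "target outside LAN"))
        if m["pkts"] == "0":
            findings.append((label, "no packets matched yet"))
    return findings

if __name__ == "__main__":
    for label, finding in audit(parse_mappings(SAMPLE)):
        print(f"{label}: {finding}")
```

On a gateway, save the live listing to a file and pass its contents to `parse_mappings` in place of `SAMPLE`.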
  • Accepted Answer

    Peter
    Tuesday, April 03 2012, 04:59 PM - #Permalink
    Resolved
    0 votes
    Hi all,

    Do these results look ok?

    [root@gateway ~]# iptables -L -n -v -t nat
    Chain PREROUTING (policy ACCEPT 4201 packets, 360K bytes)
    pkts bytes target prot opt in out source destination
    0 0 REDIRECT tcp -- * * !127.0.0.1 0.0.0.0/0 tcp dpt:3128 redir ports 82
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 G/W int ip tcp dpt:80
    7 352 ACCEPT tcp -- * * 0.0.0.0/0 G/W ext ip tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 xbox ip tcp dpt:80
    483 25266 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080
    209 36756 MINIUPNPD all -- eth0 * 0.0.0.0/0 0.0.0.0/0

    Chain POSTROUTING (policy ACCEPT 4285 packets, 366K bytes)
    pkts bytes target prot opt in out source destination
    987 58708 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 7389 packets, 559K bytes)
    pkts bytes target prot opt in out source destination

    Chain MINIUPNPD (1 references)
    pkts bytes target prot opt in out source destination
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:3074 to:xbox ip:3074


    Will the gateway IP address (G/W int ip) on port 80 conflict with the Xbox listening on port 80?
    Also, if this suggests that port 80 is open by default for my gateway, how do I remove this rule?

    Many thanks

    PeterHuk
  • Accepted Answer

    Peter
    Tuesday, April 03 2012, 01:03 AM - #Permalink
    Resolved
    0 votes
    Tim wrote:
    Just to highlight why I like MiniUPNP more than LinuxIGD from a security point of view

    You can restrict the permitted network ranges which are allowed to make UPNP calls, and the ports that they are able to open. By default I have configured all of the private range of IP's in /etc/miniupnpd/miniupnpd.conf but you could refine it further as you see fit. This is in addition to listening only to the LAN interfaces

    I have also enabled "Strict mode" which means that a device is only able to open a port for its own IP address, rather than blindly opening anything that is requested by some unscrupulous app

    It's still running on my production box without hiccups so very pleased


    Would really appreciate some info of how you achieved this pls :)

    PeterHuk