I've built and packaged MiniUPNP daemon so that it will work with ClearOS
http://miniupnp.free.fr/
It relies on your system being configured in gateway mode; it also has only been tested in a single WAN environment. MultiWAN is experimental and can be achieved by editing the config (/etc/miniupnpd/miniupnpd.conf) and iptables (see below)
This can be used as a direct replacement for LinuxIGD, which has a flaw whereby multiple rules will be created with the same port for multiple devices.
MiniUPNPD also supports NAT-PMP
INSTALL:-
Setup the community yum repo by following the instructions HERE
yum --enablerepo=timb install miniupnpd
Add the following code to /etc/rc.d/rc.firewall.local to create the MiniUPNPD tables, required so that after a firewall restart the tables do not disappear.
##
#MINIUPNPD required tables
##
IPTABLES=/sbin/iptables
#EXTIF= (not required: /etc/firewall already sets EXTIF to the WAN interface list, so the
#        automagic value is used. With more than one WAN the variable holds several names
#        and the rules below fail, so set a single interface here, e.g. EXTIF=eth0)
#adding the MINIUPNPD chain for nat
$IPTABLES -t nat -N MINIUPNPD
#adding the rule that sends inbound WAN traffic through MINIUPNPD
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD
#adding the MINIUPNPD chain for filter
$IPTABLES -t filter -N MINIUPNPD
#adding the rule for forwarded WAN-to-LAN traffic (newer iptables prefers the negation
#written as "! -o $EXTIF"; the older form below still works but prints a warning)
$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD
Then review the config in /etc/miniupnpd/miniupnpd.conf - it shouldn't need any changes; the external WAN is determined using the ClearOS automagic function.
Then restart the firewall to create the tables, and start the service
service firewall restart
service miniupnpd start
Voila! You should now have a functioning UPNP gateway device. You can check logs and entries by running
grep upnpd /var/log/messages
or
iptables -t nat -L MINIUPNPD -n -v
iptables -L MINIUPNPD -n -v
Enjoy
Responses (86)
Great stuff Tim. I'll stick this on later and see if I can get it working with my multiwan setup. If it's using the ClearOS automatic detection then I believe it picks one of the 2 WANs so it should work, but I'll override that as I want it to use the one I pick.
I've only got one Xbox 360 but would be interested to know if 2 do work in open NAT at the same time with this. I might get another at some point soon. -
Tim,
I notice there is a restriction in the init function to only one LAN interface as there is in upnpd. Is this a restriction of yours or one of miniupnpd? It looks like you based your script on the upnpd one but it would be more of a job to make it loop through the LANIFS if it were even possible.
Nick -
Hi Nick, I've uploaded a new version with amended init script which will listen on all LAN interfaces (LANIF not HOTLAN)
ftp://starlane.gotdns.org/miniupnpd-1.4.20100921-2.clearos.i686.rpm
You can add further interface / subnets by editing /etc/miniupnpd/miniupnpd.conf and adding "listening_ip" fields -
Tim Burgess wrote:
Hi Nick, I've uploaded a new version with amended init script which will listen on all LAN interfaces (LANIF not HOTLAN)
ftp://starlane.gotdns.org/miniupnpd-1.4.20100921-2.clearos.i686.rpm
You can add further interface / subnets by editing /etc/miniupnpd/miniupnpd.conf and adding "listening_ip" fields
Thanks, that's neat. That saves me hacking the init script. I have 2 LANs, one of which is normally not used, but as luck would have it, it was the one picked up by the init script. It was the same for upnpd, which is why I recognised your script and knew where to hack. -
hi tim,
when I tried to add this into /etc/rc.d/rc.firewall.local
##
#MINIUPNPD required tables
##
IPTABLES=/sbin/iptables
#EXTIF= (not required as uses automagic to determine WAN, can be manually specified)
#adding the MINIUPNPD chain for nat
$IPTABLES -t nat -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD
#adding the MINIUPNPD chain for filter
$IPTABLES -t filter -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD
doing a firewall service restart returned me a failed status. ClearOS is managing my multi-WAN -
I have 3 interfaces: eth0 and eth1 are respectively ppp0 and ppp1, whereas eth2 is the LAN.
Upon inspection of /var/log/messages and /var/log/system, it doesn't show anything helpful though.
Nov 30 18:00:33 M2-LB-01 firewall: ========== start /etc/rc.d/rc.firewall.custom ==========
Nov 30 18:00:33 M2-LB-01 firewall: # Custom firewall rules managed through webconfig
Nov 30 18:00:33 M2-LB-01 firewall: # This file is executed by the firewall on stop/start/restart.
Nov 30 18:00:33 M2-LB-01 firewall: ========== end /etc/rc.d/rc.firewall.custom ==========
Nov 30 18:00:33 M2-LB-01 firewall: ========== start /etc/rc.d/rc.firewall.local ==========
Nov 30 18:00:33 M2-LB-01 firewall: # Custom firewall rules.
Nov 30 18:00:33 M2-LB-01 firewall: # This file is executed by the firewall on stop/start/restart.
Nov 30 18:00:33 M2-LB-01 firewall:
Nov 30 18:00:33 M2-LB-01 firewall: ##
Nov 30 18:00:33 M2-LB-01 firewall: #MINIUPNPD required tables
Nov 30 18:00:33 M2-LB-01 firewall: ##
Nov 30 18:00:33 M2-LB-01 firewall: IPTABLES=/sbin/iptables
Nov 30 18:00:33 M2-LB-01 firewall: #EXTIF= (not required as uses automagic to determine WAN, can be
Nov 30 18:00:33 M2-LB-01 firewall: manually specified)
Nov 30 18:00:33 M2-LB-01 firewall: #adding the MINIUPNPD chain for nat
Nov 30 18:00:33 M2-LB-01 firewall: $IPTABLES -t nat -N MINIUPNPD
Nov 30 18:00:33 M2-LB-01 firewall: #adding the rule to MINIUPNPD
Nov 30 18:00:33 M2-LB-01 firewall: $IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD
Nov 30 18:00:33 M2-LB-01 firewall:
Nov 30 18:00:33 M2-LB-01 firewall: #adding the MINIUPNPD chain for filter
Nov 30 18:00:33 M2-LB-01 firewall: $IPTABLES -t filter -N MINIUPNPD
Nov 30 18:00:33 M2-LB-01 firewall: #adding the rule to MINIUPNPD
Nov 30 18:00:33 M2-LB-01 firewall: $IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD
Nov 30 18:00:33 M2-LB-01 firewall: ========== start /etc/rc.d/rc.firewall.local ==========
Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: chain MINIUPNPD not found
Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: chain MINIUPNPD not found
Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: addnatrule() : iptc_is_chain() error : No chain/target/match by that name
Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: chain MINIUPNPD not found
Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: chain MINIUPNPD not found
Nov 30 18:00:53 M2-LB-01 miniupnpd[23876]: addnatrule() : iptc_is_chain() error : No chain/target/match by that name -
The firewall rules (and miniupnpd) will fail with multiwan.
In the firewall rules you'll need to change these rules:
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD
$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD
Change the $EXTIF for ethx, the external interface you want to use (assuming it is only one).
You also need to change /etc/rc.d/init.d/miniupnpd. Either change this line
UPNP_WAN=`echo $AUTOMAGIC_EXTIFS | awk '{ print $1 }'`
to
UPNP_WAN=ethx
or, rather than replace the line, I would just add the replacement line after the original line to make it easy to revert the script. Replace x to correspond with the interface you chose for the firewall rule.
At the end of the day miniupnpd only has an experimental multiwan feature but you'll need to read the docs to see how it works. Tim's script effectively only works for one WAN and I think a lot more studying of the docs will be needed to make it work for more than one.
Post back if this works as I only have a single WAN environment here so I have not tested it. -
'True' MultiWAN is experimental (i.e. not tested!) and also stated that way by the author - it appears I will have to build another version with the define MULTIPLE_EXTERNAL_IP flag for it to work.
If you do want multiple WANs, you'll have to throw away the init script and iptables, and resort to configuring it via the config file only.
Miniupnpd *should* however work ok with systems with MultiWANs, but just use only one for the UPNP traffic. The iptables script however will only work for one WAN. Try the following to fix your firewall:-
Uncomment the following line (/etc/rc.d/rc.firewall.local) and manually specify the interface you want UPNP traffic to use:-
EXTIF=eth0
Nick's changes above to the init file shouldn't be necessary as it will pick the first WAN in the list.
Please let us know - as I don't have a multiwan setup to test with -
Tim,
I was off work today so I jumped in earlier. Naughty.
Are you sure the change to the init file is not needed? I was doing it to force the rc.firewall.local and init scripts to use the same EXTIF. I did not think there was any guarantee that eth0 evaluated before eth1 (in his case) when using the automagic stuff. With my multi-LAN setup the init script picked eth2 instead of eth1. -
Hi Nick,
No worries - you have a good point. The order in which the WANs are listed is set in /etc/firewall (see the EXTIF= setting); there's no guarantee that the first one will be the one you want.
Calvin, the changes proposed for the init file then are a good way forward to ensure you get the right WAN -
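Added example for the install steps in the first post and for the multi-WAN fix above. This is not the script from Tim's package or from the miniupnpd project: it picks the WAN interface for MiniUPnPd deterministically, prints or applies the MINIUPNPD chain and hook rules for that single interface, and verifies the chains exist before the daemon is started, so rc.firewall.local and the init script cannot disagree. /etc/firewall as the source of EXTIF, the MINIUPNPD chain name and the two iptables hooks come from the thread; the variable names, the ppp0 interface and the MINIUPNPD_APPLY switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example for the ClearOS MiniUPnPd thread (not Tim's package or the
# miniupnpd project's own code). Assumed: /etc/firewall carries an EXTIF= line,
# the chain name MINIUPNPD, and the MINIUPNPD_APPLY/UPNP_WAN variable names.

IPTABLES=${IPTABLES:-/sbin/iptables}
FIREWALL_CONF=${FIREWALL_CONF:-/etc/firewall}
CHAIN=MINIUPNPD

# first_wan FILE: print the first interface named on the EXTIF= line of a
# ClearOS-style /etc/firewall, whether written EXTIF="eth0 eth1" or EXTIF=eth0.
# With multi-WAN the variable holds several names, and "-i $EXTIF" then breaks
# the rule, which is the firewall failure reported earlier in the thread.
first_wan() {
    sed -n 's/^EXTIF="\{0,1\}\([^" ]*\).*/\1/p' "$1" | head -n 1
}

# upnp_wan: interface to use. An explicit UPNP_WAN (e.g. ppp0 on a PPPoE link)
# overrides the automatic choice, so the firewall rules and the init script
# can be forced onto the same interface.
upnp_wan() {
    if [ -n "${UPNP_WAN:-}" ]; then
        printf '%s\n' "$UPNP_WAN"
    else
        first_wan "$FIREWALL_CONF"
    fi
}

# rules_for IFACE: print the four iptables commands, one per line, without
# running them. Negation is written "! -o", the form current iptables accepts
# without a deprecation warning; "-o ! IFACE" on old releases means the same.
rules_for() {
    ext=$1
    printf '%s -t nat -N %s\n' "$IPTABLES" "$CHAIN"
    printf '%s -t nat -A PREROUTING -i %s -j %s\n' "$IPTABLES" "$ext" "$CHAIN"
    printf '%s -t filter -N %s\n' "$IPTABLES" "$CHAIN"
    printf '%s -t filter -A FORWARD -i %s ! -o %s -j %s\n' "$IPTABLES" "$ext" "$ext" "$CHAIN"
}

# chains_present: succeed only if both MINIUPNPD chains exist. Run it after
# "service firewall restart" and before "service miniupnpd start"; a failure
# here is what later shows up in /var/log/messages as "chain MINIUPNPD not found".
chains_present() {
    "$IPTABLES" -t nat -nL "$CHAIN" >/dev/null 2>&1 &&
    "$IPTABLES" -t filter -nL "$CHAIN" >/dev/null 2>&1
}

# apply_rules: refuse to run without exactly one non-empty interface name,
# then execute the printed commands and confirm the chains exist.
apply_rules() {
    ext=$(upnp_wan)
    case $ext in
        ''|*' '*)
            echo "apply_rules: need exactly one WAN interface, got '$ext'" >&2
            return 1 ;;
    esac
    rules_for "$ext" | sh -e || return 1
    chains_present || { echo "apply_rules: $CHAIN chains missing after setup" >&2; return 1; }
}

# Only touch the live firewall when explicitly asked, e.g. from rc.firewall.local:
#   MINIUPNPD_APPLY=yes . /path/to/this/script
if [ "${MINIUPNPD_APPLY:-}" = yes ]; then
    apply_rules
fi
```

Sourcing it from /etc/rc.d/rc.firewall.local with MINIUPNPD_APPLY=yes keeps the ClearOS behaviour from the first post (the firewall restart flushes and rebuilds everything), while setting UPNP_WAN=ppp0 in the same file and in /etc/rc.d/init.d/miniupnpd answers the ppp0-versus-eth0 question: both sides read one variable instead of each guessing from EXTIF.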
You should have had a section like:
##
#MINIUPNPD required tables
##
IPTABLES=/sbin/iptables
#EXTIF= (not required as uses automagic to determine WAN, can be manually specified)
#adding the MINIUPNPD chain for nat
$IPTABLES -t nat -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD
#adding the MINIUPNPD chain for filter
$IPTABLES -t filter -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD
in /etc/rc.d/rc.firewall.local.
Tim suggested changing it to :
##
#MINIUPNPD required tables
##
IPTABLES=/sbin/iptables
EXTIF=eth0 ##### changed to override the value from /etc/firewall
#adding the MINIUPNPD chain for nat
$IPTABLES -t nat -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t nat -A PREROUTING -i $EXTIF -j MINIUPNPD
#adding the MINIUPNPD chain for filter
$IPTABLES -t filter -N MINIUPNPD
#adding the rule to MINIUPNPD
$IPTABLES -t filter -A FORWARD -i $EXTIF -o ! $EXTIF -j MINIUPNPD -
Alright, got the firewall to restart properly after that
Dec 1 20:40:41 M2-LB-01 miniupnpd[23876]: received signal 15, good-bye
Dec 1 20:40:41 M2-LB-01 miniupnpd: SNet version started
Dec 1 20:40:41 M2-LB-01 miniupnpd[25150]: HTTP listening on port 34985
Dec 1 20:40:41 M2-LB-01 miniupnpd[25150]: Listening for NAT-PMP traffic on port 5351
however there's still one question though: shouldn't miniupnpd be listening on interface ppp0 instead of eth0? -
Calvin Teh wrote:
however there's still one question though.. shouldn't miniupnpd be listening on interface ppp0 instead of eth0 ?
I'll pass on that one as I have a cable connection. Have a look in /etc/firewall and see how EXTIF is defined. I'd use the same as it has there. Remember you also have to change the /etc/rc.d/init.d/miniupnpd file as well to hard code the UPNP_WAN to the same value for safety. -
Just to highlight why I like MiniUPNP more than LinuxIGD from a security point of view:
You can restrict the permitted network ranges which are allowed to make UPNP calls, and the ports that they are able to open. By default I have configured all of the private range of IPs in /etc/miniupnpd/miniupnpd.conf, but you could refine it further as you see fit. This is in addition to listening only to the LAN interfaces.
I have also enabled "Strict mode", which means that a device is only able to open a port for its own IP address, rather than blindly opening anything that is requested by some unscrupulous app.
It's still running on my production box without hiccups so very pleased -
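Added example of the restrictions Tim describes, written out as a /etc/miniupnpd/miniupnpd.conf fragment. This is not the config file shipped in the RPM (its exact contents are not on this page) and not the miniupnpd project's sample; the allow/deny rule syntax and the secure_mode, ext_ifname and listening_ip keywords are miniupnpd's own, while the interface names, subnets and port ranges are assumptions for illustration. The weak setting is shown commented out next to the hardened one, and the "review the config" step of the first post is where this would be applied.

```ini
# Added example (not the packaged config): hardened MiniUPnPd settings for a
# ClearOS gateway. Interface names and subnets are assumptions.

# The single WAN interface; must be the same one the MINIUPNPD iptables hooks use.
ext_ifname=eth0

# Answer UPnP/NAT-PMP only on LAN interfaces, never on the WAN side.
listening_ip=192.168.1.1/24
listening_ip=192.168.2.1/24

enable_upnp=yes
enable_natpmp=yes

# Weak: any LAN client may ask for a redirect to *another* host's address.
#secure_mode=no
# Hardened ("Strict mode" in the post): a client may only map ports to itself.
secure_mode=yes

# Permissions are read in order; the first matching line decides.
# Syntax: allow|deny <external port range> <internal ip/mask> <internal port range>
# Only private ranges may map, and only unprivileged ports on either side.
allow 1024-65535 192.168.0.0/16 1024-65535
allow 1024-65535 10.0.0.0/8 1024-65535
allow 1024-65535 172.16.0.0/12 1024-65535
# Catch-all so nothing the allow lines miss is ever granted.
deny 0-65535 0.0.0.0/0 0-65535
```

The allow lines are what Tim means by "all of the private range"; tightening them to the actual LAN subnets (or to the gaming VLAN alone) is the refinement he suggests. One caveat secure_mode does not remove: a LAN host that is itself compromised can still expose its own services, so the allow ranges and port limits are the only control over what such a host can open.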
With ClearOS 6.x you'll see the ability to install third party modules from the webconfig
To add this to the webconfig daemon (services) list add the following line into the array in /var/webconfig/api/Daemon.inc.php
"miniupnpd" => array("miniupnpd", "miniupnpd", "yes", "MiniUPNPD", "no", null),
-
You really are the best, Tim! Just got my kids an XBox for Christmas and included an XBox Live subscription. Just now installed MiniUPNPD and the firewall restarted seamlessly. Unfortunately until they open the thing and we get it all hooked up I won't be able to confirm if it all works with my gateway or not. I'm geeked though.
One aside in reference to your last post on this thread. The administrator needs to add a reference to match your "MiniUPNPD" reference in the Daemon.inc.php script, in the /var/webconfig/api/lang/daemon.en_US script (or the language of their install).
I changed your reference to look similar to the rest of the daemon entries in the Daemon.inc.php script, which looks like "DAEMON_LANG_MINIUPNPD". Then I added a line of script in the /lang/daemon.en_US script to look like
define("DAEMON_LANG_MINIUPNPD", "MiniUPNPD Plug-n-Play");
Shows up fine in the Webconfig listed services.
Thanks again. -
Thanks Dirk! Hope it all goes smoothly for you tomorrow. Just to be sure, check that the MINIUPNPD tables exist and the service is running ok. Logs are stored in /var/log/messages. To test, starting a UPNP app such as uTorrent should show a port entry added to the firewall rules:
iptables -t nat -L MINIUPNPD -n -v
iptables -L MINIUPNPD -n -v
The Daemon API hack is not locale friendly, so it will just display "MiniUPNPD" but your modification allows you to change that to what ever you wish
Have a good Christmas -
Hi, I have battled with Xbox Live for ages, and I did get there using a different method that Tim wrote about. Anyhow, I added 2 more Xboxes to the network and everything stopped working. That's when I found this post.
I have all three now connecting to Xbox Live; however I am unable to connect to Zune, Facebook, LastFM etc. I am however able to download updates and demos.
When I do an Xbox Live test I still get the message that the NAT is in moderate mode and some content will not be available. Is there something this points to? Could I have made a mistake somewhere?
UPDATE
by turning on Transparent Mode all is working -
Hello! Well, it's December 25th 2011 and an XBox 360S found its way into our house. I was immediately recruited by my 13 year old son to help resolve an issue with Xbox LIVE. The Xbox 360 was unable to connect to XBox Live, regardless of what I did, including following this tech tip. The only thing I did differently was I used miniupnpd-1.5.20110309-1.clearos.i686.rpm instead of miniupnpd-1.4.20100921-2.clearos.i686.rpm as enumerated in the tech tip.
I was able to resolve the problem by putting the Xbox on a HOTLAN that I set up on a third NIC card. I also divided my Asante switch into 2 VLANs. The Xbox is on VLAN2, which is connected to the HOTLAN. This assures complete isolation from the primary, content filtered, ICS LAN that the PCs in our house occupy. I'm not sure why the Xbox doesn't like to be proxied, but I think this HOTLAN solution is probably the best from a gaming standpoint as it should help keep the ping times down as low as possible, and the best part is, you don't have to try and figure out all this egghead iptables stuff. Thanks for investing the time to try and create a work around, and more power to you if you're able to make it work. I was not. (Clear OS 5.2) -
Hi Tim,
I just installed your MiniUPNPD as I'm trying to get Xbox Live.
I have added your entry to /etc/rc.d/rc.firewall.local, and in the /etc/rc.d/init.d/miniupnpd file there was no 'UPNP_WAN= ' entry available to update.
I'm not a Linux person but installed on good faith (your information has been spot on before). After installing I now keep getting FAILED when trying to restart / start my firewall.
Have looked in messages and system (as per your previous recommendations) and no relevant errors displayed.
Getting a bit nervous now as not sure what to do.
Any suggestions?
PeterHuk -
Sorry, the full message is:
Mar 31 21:50:11 gateway miniupnpd: SNet version started
Mar 31 21:50:11 gateway miniupnpd[7636]: HTTP listening on port 49340
Mar 31 21:50:11 gateway miniupnpd[7636]: Listening for NAT-PMP traffic on port 5351
Mar 31 21:50:11 gateway miniupnpd[7636]: chain MINIUPNPD not found -
Hi Tim,
I copied exactly from the thread. Anyway, panic over now as taking the modification out has returned it to working order.
How can I trace the problem to get it working though?
I can't get my Xbox Live working via the wireless / ClearOS; every time I need to use the Xbox I've got to remove the gateway connection to the broadband modem and insert an RJ45 cable from the Xbox to the cable modem.
Any suggestions?
Many thanks for the fix for getting my firewall up again.
PeterHuk -
Sorry Tim,
Just re-read my last post and it didn't make any sense. "Panic over" meaning my firewall is back up, but there is still a problem with getting the MiniUPNP working.
It's strange that everyone else's seems to work straight away; mine is refusing to play ball. Anyway, any suggestion would be appreciated.
Many thanks
PeterHuk -
Tim,
This is completely weird. I just copied and pasted the mod back into /etc/rc.d/rc.firewall.local, restarted the firewall and it worked.
That is crazy; the only thing that I could think may have happened is my ftp programme (wiseftp) tends to add an extra line at the end of the page when saving.
I used notepad this time and it came up. The only thing now is that when I run the two test commands:
iptables -t nat -L MINIUPNPD -n -v
iptables -L MINIUPNPD -n -v
I get
'iptables: No chain/target/match by that name'
Any ideas?
Many thanks
PeterHuk -