uPnP support?

siliconai
Posts: 3
Joined: Fri Jan 09, 2015 12:53 am

uPnP support?

Post by siliconai » Fri Jan 09, 2015 1:21 am

Hi,
I just got Murus Pro as an upgrade for the old end-of-life IPNetRouterX, and under that everything just worked once I set up port forwarding, so I'm wondering whether Murus supports UPnP or whether there is a way to set it up?

I play a game called Warframe most nights with a smallish group of friends and it uses UPnP to help connect to other players. Currently it pops up a strict NAT warning every time I play (https://warframe.com/strictNAT). I've set up port forwarding as recommended on that page and I can connect to or host some people, but others I can't connect to or host at all.


Other than that everything else seems to be working well, although the GUI seems a bit annoying to use and the predefined Services seem rather simplistic and limited. Looking forward to future development and improvements, good work so far!

hany
Posts: 457
Joined: Wed Dec 10, 2014 5:20 pm

Re: uPnP support?

Post by hany » Sat Jan 10, 2015 4:41 pm

Hello, thanks for your report.
As far as I know, UPnP uses UDP port 1900 because it should be based on SSDP.
From Wikipedia:
"SSDP is a text-based protocol based on HTTPU. It uses the User Datagram Protocol (UDP) as the underlying transport protocol. Services are announced by the hosting system with multicast addressing to a specifically designated IP multicast address at UDP port number 1900. In IPv4, the multicast address is 239.255.255.250 and SSDP over IPv6 uses the address set ff0X::c for all scope ranges indicated by X."
So probably you need to forward UDP port 1900 to your Mac and open the port in Murus for everyone.
I never used UPnP so I'm only guessing. Please try and let me know :)

siliconai
Posts: 3
Joined: Fri Jan 09, 2015 12:53 am

Re: uPnP support?

Post by siliconai » Sun Jan 11, 2015 9:02 am

I've already tried that and it doesn't work either. As I understand it, the NAT router needs to support it in some way, similar to NAT-PMP, and I've found several things like http://miniupnp.tuxfamily.org/ which add support to pf; however, their development all seems to have stopped a few years ago, so I don't know if they're still required.

On the subject of NAT-PMP, Warframe as of a few months ago now supports NAT-PMP as well, which I'm guessing, based on the NATPMP Murus service description, is supported when using Murus NAT and should probably just work? So I've tried switching to that in Warframe, but I'm not having much luck with it either.

hany
Posts: 457
Joined: Wed Dec 10, 2014 5:20 pm

Re: uPnP support?

Post by hany » Sun Jan 11, 2015 2:51 pm

"NATPMP" Murus service is there only for reference. Murus uses PF NAT, and PF NAT is not based on natpmp but it's plain NAPT.
OS X uses natpmpd with its default Internet Sharing system, but its usage breaks PF (your mileage may vary).
Both NAT-PMP and UPnP are vulnerable by design, and if you need strong security then you should avoid both and use static translation and forwarding. While it may be possible to combine pf and natpmp on OS X, we did not care about it. I suggest you configure your network using static IP addresses and manually forward all the ports needed by your client in order to work.
From warframe.com:
Warframe uses UDP ports 4950 and 4955 & the TCP port range 6695 - 6699. Your router needs to let traffic on those ports through to your PC. For your convenience these ports and your local IP address are shown in the network analysis dialog.
So:
Create a Murus custom service and add this port range:
4950 4955 6695:6699
Select protocol "ALL".
This should be enough for your client to work.
You will probably get the message about "strict nat", because "strict nat" is exactly the type of NAT activated by PF using Murus.
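
The static forwarding described in the post above, written directly as PF rules (an added example, not part of the original post and not the rules Murus generates). It assumes the older PF syntax that OS X ships, a hypothetical external interface `en0` and a constructed game-host address `192.168.2.10`; unlike a service with protocol "ALL", it opens each port only for the protocol the quoted Warframe text names.

```pf
# Hypothetical names: adjust to the real interface and LAN host.
ext_if    = "en0"            # assumed WAN-facing interface on the Mac
game_host = "192.168.2.10"   # constructed static address of the gaming PC

# Outbound NAT is assumed to be configured already (for example by Murus NAT).

# Translation rules (they must precede filter rules in this PF syntax).
# No port after "->" means the destination port is left unchanged.
rdr on $ext_if inet proto udp from any to ($ext_if) port { 4950, 4955 } -> $game_host
rdr on $ext_if inet proto tcp from any to ($ext_if) port 6695:6699 -> $game_host

# Filter rules: rdr rewrites the destination before filtering, so the pass
# rules match the internal address, one protocol per port set.
pass in on $ext_if inet proto udp from any to $game_host port { 4950, 4955 } keep state
pass in on $ext_if inet proto tcp from any to $game_host port 6695:6699 flags S/SA keep state
```

`pfctl -nf <file>` parses a ruleset without loading it, and `pfctl -s nat` lists the translation rules that are currently active.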

siliconai
Posts: 3
Joined: Fri Jan 09, 2015 12:53 am

Re: uPnP support?

Post by siliconai » Mon Jan 12, 2015 2:11 pm

Ah ok, thanks. I'll go back to port forwarding and turn off UPnP and NAT-PMP in Warframe then. A few days ago they said they'll fix their strict NAT issues once and for all this year; I just hope it's soon rather than the end of the year.
Hopefully I can connect to at least most people this way and I'll have to put up with the warning. I don't know why it just worked with IPNetRouterX; I can't find anything to suggest that it supported UPnP, and all I did was set up port forwarding the same way.

fmood123
Posts: 3
Joined: Mon Mar 09, 2015 1:33 am

Re: uPnP support?

Post by fmood123 » Mon Mar 09, 2015 1:40 am

Hany,

I am in need of this support as well. I understand that UPnP and NAT-PMP offer some security flaws/vulnerabilities that others may not like, but there are some applications that won't work with static routes. I am in horrible need of this; trying to go down the miniupnpd route hasn't been successful as of yet. I love your IceFloor product, and if you could set up a way for UPnP and NAT-PMP to be enabled I would purchase Murus in a heartbeat. But right now I have a wife angry at me because I broke our WiFi baby monitors, since they require the UPnP support, and the manufacturer says that it's a dynamic range, so they can't tell me which ports to forward.

Please HELP!

Thanks!

-Will

fmood123
Posts: 3
Joined: Mon Mar 09, 2015 1:33 am

Re: uPnP support?

Post by fmood123 » Mon Mar 09, 2015 3:18 pm

Hany,

First, thanks for your wonderful work on IceFloor as well as your new commercial product. I think it looks great, and I have used IceFloor for something really small in the past and love it! I will be making a donation/purchase if I can get it to work for this latest project.

Count me among the users who would like NAT-PMP/UPnP support. I realize that others may see this as a security issue/problem, but the fact is that some things just require it these days. I have WiFi baby monitors that, once I made the change to your wonderful IceFloor product, just won't work. I ran across your new product Murus, and was hoping to see support for it, but didn't see anything till I came to the forums. I also contacted the manufacturer and they said there aren't specific ports to forward, but rather they exclusively use UPnP. So I have an angry wife who wants me to roll back the changes (the whole weekend project) so our monitors work again.

Although I realize your concerns with security, I think properly configured these technologies can provide a feature set that some users would appreciate. Also most home routers have these services, and I don't know your demographic stats, but I would imagine that home users make up a good portion? If Murus offered this, you would gain at least 1 more user right here. Thanks!

I tried going down the miniupnpd path, but didn't get very far, just very frustrated. Help is appreciated in any way.

-Will

hany
Posts: 457
Joined: Wed Dec 10, 2014 5:20 pm

Re: uPnP support?

Post by hany » Tue Mar 10, 2015 12:30 pm

Hi Will,

I perfectly understand your needs. I do think that UPnP is evil, but I also recognize it makes it really easy to set up devices, and many people are going to struggle when UPnP is not available. I want to be honest: the only reason why Murus (and all my previous apps) did not support UPnP is because I have no idea how to implement it. Being "evil" has been an excuse for years! :) A well supported excuse, actually. But, as you correctly stated, people are expecting UPnP from routers.
As far as I know the OS X Internet Sharing supports uPnP, but it is undocumented. We did not go deep into this because we had a lot of more important tasks to focus on. But I admit we should take uPnP into consideration for the next Murus releases.
If you followed Murus development during the last 3 months you already saw that we made great improvements over time in Murus NAT. It is a key feature and we are going to make it better and better over time.
So yes, we will try to add support for uPnP. :-) But please understand that this will probably require time... and help from our users :D

fmood123
Posts: 3
Joined: Mon Mar 09, 2015 1:33 am

Re: uPnP support?

Post by fmood123 » Tue Mar 10, 2015 6:04 pm

Thanks Hany,

I am really looking forward to that. I would check out miniupnpd; it's an open source daemon to facilitate. The built-in Internet Sharing does support it. https://support.apple.com/en-us/HT202553 may have some info to point you in the right direction.

On another note, and maybe I should open another thread about this to not be off topic, but what about connecting a VPN from private addresses out to a server on the internet?

And one other unrelated thing: when sharing a VPN connection with the private clients inside of the NAT, is there a way to limit it to specific IP addresses?

-Will

dukzcry
Posts: 1
Joined: Wed Jan 20, 2016 7:29 am

Re: uPnP support?

Post by dukzcry » Wed Jan 20, 2016 8:01 am

I've been using MiniUPnPd on an OpenBSD/PF router up till now, and it worked fine. It just needs an initial configuration (at minimum it needs to know the names of the network interfaces to generate relevant PF rules) and the MiniUPnPd anchor added to pf.conf. Plus the aforementioned SSDP multicast rule for hardened PF setups.

So Hany, it may be a way to just embed MiniUPnPd into Murus :) But first it's good to check whether MiniUPnPd works on the OS X/PF combo and probably get in touch with its developer.

P.S.: MiniUPnPd supports both UPnP and NAT-PMP.
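
The pf.conf side of the setup described in the post above (an added example, not taken from the post or from the MiniUPnPd project). The anchor name `miniupnpd`, the interface names and the HTTP port are assumptions that must match the daemon's own configuration; the rules use the older PF syntax found on OS X and keep SSDP and NAT-PMP reachable from the LAN only.

```pf
# Assumed names; they must match what the daemon is configured with.
ext_if    = "en0"      # hypothetical WAN interface
int_if    = "en1"      # hypothetical LAN interface
upnp_http = "5000"     # placeholder: the HTTP port the daemon listens on

# Translation section: the daemon inserts its port redirections here.
# (OpenBSD 4.7 and later have no rdr-anchor; the single anchor line below
# serves both purposes there.)
rdr-anchor "miniupnpd"

# Filter section, hardened default: nothing below opens SSDP, the control
# port or NAT-PMP on the WAN side.
block in log on $ext_if all

# SSDP discovery: LAN clients multicast to 239.255.255.250, UDP port 1900.
pass in on $int_if inet proto udp from $int_if:network to 239.255.255.250 port 1900 keep state

# UPnP control requests (HTTP) and NAT-PMP (UDP 5351), LAN side only.
pass in on $int_if inet proto tcp from $int_if:network to ($int_if) port $upnp_http flags S/SA keep state
pass in on $int_if inet proto udp from $int_if:network to ($int_if) port 5351 keep state

# Pass rules for the mappings the daemon creates are evaluated here.
anchor "miniupnpd"
```

`pfctl -a miniupnpd -s rules` and `pfctl -a miniupnpd -s nat` show what has been loaded into the anchor, which is the place to review which mappings LAN devices have requested.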
