
net/upnp: allow custom listen addresses to support non-directly connected networks

Open Tawmu opened this issue 2 years ago • 2 comments

Important notices Before you add a new report, we ask you kindly to acknowledge the following:

  • [x] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
  • [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
  • [x] When the request is meant for an existing plugin, I've added its name to the title.

Is your feature request related to a problem? Please describe. In some situations it is desirable to run UPNP on OPNsense for clients that are not directly connected (e.g. a layer 3 switch used for inter-vlan routing with a default route of the OPNsense firewall). In this case the OPNsense frontend/plugin may not be aware of device networks because they are not explicitly defined anywhere in OPNsense already. This means UPNP doesn't create rules for these devices even when repeating SSDP across VLANs. It is possible to work around this by changing the listening_ip in miniupnpd.conf from listening_ip=igb0 to listening_ip=igb0/8 (in our case).

Relevant GitHub issues/documentation can be found here:

  1. https://github.com/miniupnp/miniupnp/issues/330
  2. https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/INSTALL#L139-L147

Describe the solution you'd like It would be nice to have a method of defining this change in the OPNsense UPNP interface. Even if it's just a textbox to allow us to manually type interface/cidr addresses in.

Describe alternatives you've considered Manually editing the configuration file isn't particularly feasible because it is reset with every boot/config change. No other alternatives considered; UPNP needs to run on the firewall and we can't move inter-vlan routing to the firewall due to the amount/type of traffic.

Note Before anyone suggests UPNP is a security issue - yes. I am aware! We run gaming events where our networks are already full of hundreds of untrusted hosts. UPNP is a must in these situations for several multiplayer games to work.

Tawmu avatar May 04 '22 19:05 Tawmu
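The security consequence of the `listening_ip` workaround described above (widening `igb0` to `igb0/8`), as an added example that is not code from this issue, miniupnpd or the OPNsense plugin. It models the semantics the miniupnpd INSTALL notes describe for `listening_ip`: an interface name, optionally followed by `/bits`, and requests are only honoured from clients inside that network. The interface address, the sample config text and the client addresses are constructed for the example.

```python
"""Model of how a miniupnpd listening_ip entry bounds the set of clients whose
UPnP requests will be honoured.  Added example, not miniupnpd or OPNsense code.
Assumption (modelled after the miniupnpd INSTALL notes): an entry is an
interface name optionally followed by /bits; without /bits the interface's own
subnet mask applies, with /bits that prefix is applied to the interface address."""
import ipaddress

# Constructed sample: the firewall's own address on igb0 (hypothetical value).
IFACE_ADDRS = {"igb0": "10.0.0.1/24"}

# Constructed miniupnpd.conf fragments: the plugin's default and the workaround.
CONF_NARROW = "ext_ifname=igb1\nlistening_ip=igb0\nenable_natpmp=yes\n"
CONF_WIDE = "ext_ifname=igb1\nlistening_ip=igb0/8\nenable_natpmp=yes\n"


def listening_entries(conf_text):
    """Return every listening_ip= value found in a miniupnpd.conf text."""
    entries = []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("listening_ip="):
            entries.append(line.split("=", 1)[1].strip())
    return entries


def allowed_clients(entry, iface_addrs=IFACE_ADDRS):
    """Network from which requests are accepted for one listening_ip entry
    such as 'igb0' or 'igb0/8' (interface-name forms only, as on this page)."""
    name, _, bits = entry.partition("/")
    if name not in iface_addrs:
        raise ValueError(f"unknown interface in listening_ip entry: {entry}")
    iface = ipaddress.ip_interface(iface_addrs[name])
    prefix = int(bits) if bits else iface.network.prefixlen
    # strict=False: keep the interface address's network even when host bits are set.
    return ipaddress.ip_network(f"{iface.ip}/{prefix}", strict=False)


def is_client_allowed(conf_text, client_ip, iface_addrs=IFACE_ADDRS):
    """True if a client at client_ip would have its requests honoured under conf_text."""
    client = ipaddress.ip_address(client_ip)
    return any(client in allowed_clients(e, iface_addrs)
               for e in listening_entries(conf_text))


def widening_factor(narrow_conf, wide_conf, iface_addrs=IFACE_ADDRS):
    """How many times larger the accepted-client range becomes after the change."""
    narrow = sum(allowed_clients(e, iface_addrs).num_addresses
                 for e in listening_entries(narrow_conf))
    wide = sum(allowed_clients(e, iface_addrs).num_addresses
               for e in listening_entries(wide_conf))
    return wide // narrow


if __name__ == "__main__":
    # A host on a routed VLAN behind the layer-3 switch (constructed address).
    routed_client = "10.20.30.40"
    for label, conf in (("igb0", CONF_NARROW), ("igb0/8", CONF_WIDE)):
        nets = [str(allowed_clients(e)) for e in listening_entries(conf)]
        print(f"{label:8} accepts clients in {nets}; "
              f"{routed_client} allowed: {is_client_allowed(conf, routed_client)}")
    print("accepted-client range grows by a factor of",
          widening_factor(CONF_NARROW, CONF_WIDE))
```

The point for a defender is that `/8` does more than reach the routed VLANs: every host in the whole 10.0.0.0/8 range that can route a packet to the firewall's igb0 address can then request a port mapping, so the listen range should be the tightest prefix that still covers the real client VLANs, and the created mappings are worth auditing.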

Another effect of this behavior is the behavior of tailscale, which will only detect NAT-PMP on the machine's gateway IP. If an OPNsense is operating in a failover pair, the gateway IP is likely to be different than OPNsense's IP for the interface (i.e. probably a virtual IP that can failover to the secondary via CARP).

For any other users arriving here trying to get tailscale working behind a failover pair of OPNsense, I was able to work around the issue by configuring port forwarding for 5351/udp from the virtual gateway IP to the primary router's IP. Not perfect (in the case of failover), but it gets the typical case working.

joshbenner avatar Aug 27 '22 21:08 joshbenner

I actually started work on improving the UPNP plugin a couple of days ago - I've amended it to solve our use case (and likely yours too @joshbenner). Should be ready soon.

Tawmu avatar Aug 27 '22 21:08 Tawmu

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot avatar Oct 31 '22 19:10 OPNsense-bot

This issue has been fixed and is waiting for PR #3096

Tawmu avatar Oct 31 '22 20:10 Tawmu