Universal Plug and Play (UPnP) is a set of networking protocols that permits networked devices, such as personal computers, printers, Internet gateways, Wi-Fi access points and mobile devices to seamlessly discover each other’s presence on the network and establish functional network services for data sharing, communications, and entertainment.
The MiniUPnP project offers software which supports the UPnP Internet Gateway Device (IGD) specifications.
For the purposes of this article I’ll assume you’re familiar with setting up NAT under FreeBSD using OpenBSD Packet Filter. I’ll also assume that your machine is up, routing and translating traffic correctly and is protected by OpenBSD Packet Filter (PF).
To build and install MiniUPnPd from ports:
1 |
[[email protected]~]#make install clean -C /usr/ports/net/miniupnpd |
Add this to your /etc/rc.conf
miniupnpd_enable=”YES”
Now we make the top of your PF ruleset look like this:
scrub on rl0 no-df
nat on rl0 from lan0:network to any -> (rl0) static-port
rdr-anchor miniupnpd
replace rl0 with your external interface.
Reload the ruleset in PF if you haven’t already:
1 |
|
static-port prevents PF from re-arranging port numbers on the WAN side as it makes sense, which might break stuff occasionally – especially when we play online games (XBOX, PlayStation, etc).
Now that you have an anchor set up for MiniUPNPd to add rules to, it’s time to configure the daemon itself.
Copy the miniupnpd.conf.sample to miniupnpd.conf in /usr/local/etc, and then start editing it with your favourite editor.
1 |
/usr/ local /etc/miniupnpd.conf.sample /usr/ local /etc/miniupnpd.conf |
The important things to change are:
ext_ifname=rl0 # your external interface (WAN)
listening_ip=192.168.1.0 # the LAN IP of your router
enable_natpmp=yes # enable NAT-PMP support
secure_mode=yes
allow 1024-65535 0.0.0.0/0 1024-65535 # access control, but you can do it via PF anyway
secure_mode is important – UPNP-IGD specs allow devices to set up firewall rules for other devices, which is where the broken-by-design issues with regards the UPNP spec come into play. You almost certainly do not want to allow this, and I can’t for the life of me figure out any reason you would need such functionality.
Access control can be configured based on IPs, you can also firewall the UPNP service (UDP port 5555) so that your network doesn’t appear to even support UPNP for hosts that you’d rather not have it.
Start MiniUPnPd daemon:
1 |
local /etc/rc.d/miniupnpd start |