1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Miniupnpd with NAT-PMP for Tomato?

Discussion in 'Tomato Firmware' started by mstombs, Nov 28, 2008.

  1. mstombs

    mstombs Network Guru Member

    OK here is a binary, control script and build files for a version of minupnp to run under tomato. This is provided as an example of what miniupnp could offer if "built-in" by a mod developer. miniupnp offers enhanced upnp security/configurablity - ie restrict ports specific users can use, prevent one user from setting port forwards for another (secure mode), NAT-PMP. Also has configurable automatic old upnp rule cleaning. This version was compiled with both upnp and NAT-PMP enabled, but either can be disabled from the conf file (see inside the miniupnpcmd.sh script). Miniupnp already available in OpenWRT and Tarifa firmware on same hardware - so why not Tomato?

    Instructions to run,

    download/unzip the attached miniupnpd.zip
    copy miniupnpd and miniupnpcmd.sh to your router /var directory (using for example winscp)
    make both files executable (from telnet/ssh "chmod +x miniupnpd*" or using winscp.
    disable tomato built-in upnp from web interface
    start minupnpd with "miniupnpcmd.sh start" (stop with "miniupnpcmd.sh stop" or reboot!)

    The web interface will not display upnp/nat-pmp port forwards, but they can be seen using iptables commands or from the lease file i.e.

    Code:
    # cat /var/upnp.leases
    TCP:56044:192.168.1.132:56044:NAT-PMP 6974
    UDP:56044:192.168.1.132:56044:NAT-PMP 6974
    The runtime configuration file "/var/miniupnpd.conf" is generated by the control script - should be easy to edit, the script fills in a few defaults such as wan_ifname and router LAN IP address from nvram variables that I know of - lan netmask wasn't in correct form though. This version will not work if you have dmz enabled - the primary divert rule would then need to be inserted above the dmz rule in "nat PREROUTING". As its not "built-in" WAN IP or web gui changes may also delete the miniupnpd iptables chains (named upnp same as normal tomato). The Tomato rc code would normally do this for you.

    You can test upnp functionality with Internet Explorer and the vista qualification tool

    http://www.microsoft.com/windows/using/tools/igd/default.mspx

    uTorrent is the only app I know how to test NAT-PMP with from my windows PC (Skype may also know to use it).

    To build your own version

    Use a machine that can and has also already built a version of tomato
    download the latest miniupnpd source from http://miniupnp.free.fr/files/download.php?file=miniupnpd-20081009.tar.gz
    (To pacify the GPL police, I hereby offer an unaltered copy if the above link is unavailable)
    Copy the uncompressed source to a directory in the Tomato tree, alongside iptables (the Makefile links to the prebuilt iptables libiptc.a library).
    Copy the attached custom config.c, Makefile.tomato and build.sh into the miniupnpd directory.
    build with "./build.sh", - should build with no errors using tomato's normal Linksys toolchain, outside of the tomato build process. Should be possible to reduce the binary size in future by compiler options - the version on my adsl router is only 95kB, using a later gcc 4.1.2 compiler.

    Do let me know what I've forgotten...
     

    Attached Files:

  2. Outer Marker

    Outer Marker Guest

    What a superb effort mstombs!

    It's a bit beyond my reach, but I'm hoping somebody with Linux skills can get a full Tomato firmware version out with this included.

    Not being able to see the forwarded ports in the GUI is no big deal IMO. I use the automatic rule cleaning option, so it's a bit of a moot point. Using the iptables command is sufficient for troubleshooting I think. At least that's how I tested Tarifa.

    Thanks again!
     
  3. guillaumy

    guillaumy LI Guru Member

    I second that.

    uPnP may not be well liked by security gurus, but it's a feature that is necessary for some of our networks.

    miniupnpd would be terrific for our routers that run 24/7, e.g. to clean out uPnP port-forwards that ought to have expired
     
  4. rhester72

    rhester72 Network Guru Member

    I took a short look at this tonight, and replacing upnp is not exactly going to be easy...it is hooked deeply not only into the ASP but also into httpd itself. :/

    Don't get me wrong, I support miniupnpd as much as anyone, but I think this is something Jon will have to tackle...I don't have the time to reverse-engineer all the entry points for the upnp display data to figure out how to update the GUI, and that is a critical thing to have, if for no other reason than to prove to yourself that it's working. ;) The method of force-expiring port rules will also have to be revisited, and new GUI configuration elements will have to be created to control some of the finer points of the miniupnpd configuration (because I don't seriously expect most Tomato users to go edit /etc/miniupnpd.conf with vi ;).

    I give this zero hope of being a part of 1.23, as I believe it is just around the corner, but maybe 1.24 or 1.25...*if* Jon gets excited about it. Given the length of time SpeedMod has existed and still hasn't gone into core Tomato, it could be a coin toss. ;)

    Rodney
     
  5. Outer Marker

    Outer Marker Guest

    The beautiful thing about miniUPnP is that it handles both UPNP and NAT-PMP as distinct functions. They can be enabled/disabled independently of each other. Given that, I wonder if we can just add miniUPnP in and not make use of its UPNP implementation, just its NAT-PMP function?
     
  6. rhester72

    rhester72 Network Guru Member

    I personally wouldn't want that, because then you lose all advantage of auto-expiry of uPnP forwards.

    Rodney
     
  7. Outer Marker

    Outer Marker Guest

    That's true. I wouldn't want that either. :frown:
     
  8. guillaumy

    guillaumy LI Guru Member


    If I recall correctly (which is not to be taken for granted these days due to my age), Jon DID incorporate speedmod features a few releases ago, but rolled the changes back because some users were having trouble. Maybe if Jon were contacted with the latest changes and troubleshooting notes, he would reconsider? I myself would use Speedmod except that I want to deploy only "official" firmware for consistency's sake.
     
  9. mstombs

    mstombs Network Guru Member

    I'm pretty sure miniupnpd does its own xml web serving so the httpd link probably easy (take out code!). The Tomato author Jon has looked at miniupnpd - I have seen #defines in the rc code in the past. Tomato upnp is heavily customized by Jon - I am sure he took a look at miniupnpd and decided against.

    I don't know about ASP, but I think it would be fairly easy to add the display of upnp port forwards to the web interface by modifing the existing code. (easier said than done, but the resulting iptables rules very similar!).

    For custom configuration lots of nvram variables and a web screen "extra config" similar to that for dnsmasq would be needed.

    One function I do not know how to reproduce in miniupnpd is the option to not "Show In My Network Places" which I quite like in Tomato - it stops the windows messages "new device has appeared on the network". Its something to do with "presentation url", and needs a mod to miniupnpd I believe.
     
  10. i1135t

    i1135t Network Guru Member

    Where do I put these files so that they will survive a reboot and at startup run automatically? I got it working but I don't want to set this up at every reboot...

    Also, I notice that this doesn't use bash shell, so what does it use and what is the command to put into the init text box?

    Sorry for the noob questions, but help would be appreciated. Thanks!!
     
  11. mstombs

    mstombs Network Guru Member

    Glad to hear its working for someone other than me!

    To make it permanent you would have to enable/use jffs and change some paths in the script file. I am not too sure how much space available in stock or mod Tomato - my routers have 8MB flash!

    The start command probably should go in the firewall script, as Tomato flushes and rebuilds the firewall rules on wan-restart. Also depending on your connection type the WAN interface may not exist until the WAN is connected. The miniupnpd binary does not need to be restarted on WAN restart (or IP change), but maybe no harm in doing so - but definitely don't want more than 1 copy running at any one time? I can experiment later, can also fix the dmz issue I'm sure.

    Not bash? Maybe my obscure code! Tomato uses the BusyBox provided bash shell, a version of "ash" I believe.
     
  12. teddy_bear

    teddy_bear Network Guru Member

    In a new version of my USB mod I attempted to replace built-in upnp daemon with miniupnpd.

    Unfortunately I left out the mstombs' favorite feature - the option to not "Show In My Network Places" :(. The efforts needed to change existing miniupnpd code to support that seemed a little bit too much for what that feature does, besides it can be turned off in Windows I believe.

    The rest of GUI functionality is there including displaying and removing port forwards, and some additional miniupnpd settings.

    Although for now it's only available as a part of my USB mod, I'm sure other modders will port it into non-USB versions soon enough.
     
  13. mstombs

    mstombs Network Guru Member

    Great -I'll give it a test run later - assuming I can get it to ignore my lack of USB (my test WRT54G-TM does run ND versions... and doesn't have flash/ram size issue).
     
  14. Outer Marker

    Outer Marker Guest

    Wow, this is excellent news. I'll give this a whirl ASAP.
     

Share This Page