{"id":731,"date":"2008-11-24T20:19:36","date_gmt":"2008-11-25T01:19:36","guid":{"rendered":"http:\/\/nuxx.net\/blog\/?p=731"},"modified":"2009-01-06T23:03:06","modified_gmt":"2009-01-07T04:03:06","slug":"nxe-xbox-live-with-pf-and-miniupnpd-on-openbsd-42","status":"publish","type":"post","link":"https:\/\/nuxx.net\/blog\/2008\/11\/24\/nxe-xbox-live-with-pf-and-miniupnpd-on-openbsd-42\/","title":{"rendered":"NXE Xbox LIVE with pf and miniupnpd on OpenBSD 4.2"},"content":{"rendered":"

<\/p>\n\n\n
\"New<\/a><\/td>\n<\/tr>\n<\/table>\n

<\/center><\/p>\n

(UPDATE:<\/strong> This issue has been worked around \/ resolved. Please see Xbox Live Open NAT Using pf on OpenBSD<\/a>.)<\/p>\n

I rather enjoy turn-based artillery games like Worms<\/a>, Scorched Earth<\/a> (and Scorch 2000<\/a> and Scorched 3D<\/a>), and GORILLA.BAS<\/a>, so when I found out that Worms for Xbox Live Arcade<\/a> was available, I purchased it.<\/p>\n

A few months ago, before Microsoft released NXE, or the New Xbox Experience<\/a>, I had no problems playing Worms online when using my Trashwall<\/a> set up with the Microsoft proscribed forwards of 88\/udp, 3074\/udp, and 3074\/tcp<\/a>. However, after NXE was released it seemed to stop working. The Xbox LIVE test would consistently tell me that I have “Strict” NAT settings and that some things won’t work. I was unable to host private or public games. Xbox LIVE supposedly works best with either a direct internet connection or a firewall which implements UPnP<\/a>, so I set to implementing UPnP on my pf<\/a>-based firewall.<\/p>\n

In order to do so I compiled and set up miniupnpd<\/a> per the directions, but I ran into a whole bunch of weirdness along the way. I eventually got it working, getting an occasional successful Xbox LIVE test (as seen above) which indicates “Open” NAT, and I was able to play a private game against , but things don’t seem right.<\/p>\n

Below the cut I’ll document what I’m been seeing.<\/p>\n

First, I put compiled miniupnpd on the firewall and set up pf.conf<\/tt> for it:<\/p>\n

rdr-anchor \"miniupnpd\"<\/tt>
\nanchor miniupnpd<\/tt><\/p><\/blockquote>\n

I then set up its config file, \/etc\/miniupnpd.conf<\/tt>:<\/p>\n

# WAN network interface<\/tt>
\next_ifname=gem0<\/tt><\/p>\n

# LAN network interfaces IPs \/ networks<\/tt>
\n# there can be multiple listening ips for SSDP traffic.<\/tt>
\n# should be under the form nnn.nnn.nnn.nnn\/nn<\/tt>
\n# HTTP is available on all interfaces<\/tt>
\nlistening_ip=192.168.0.1\/24<\/tt><\/p>\n

#listening_ip=<\/tt>
\n# port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.<\/tt>
\nport=0<\/tt><\/p>\n

# enable NAT-PMP support (default is no)<\/tt>
\nenable_natpmp=no<\/tt><\/p>\n

# enable UPNP support (default is yes)<\/tt>
\nenable_upnp=yes<\/tt><\/p>\n

# bitrates reported by daemon in bits per second<\/tt>
\nbitrate_up=1000000<\/tt>
\nbitrate_down=10000000<\/tt><\/p>\n

# \"secure\" mode : when enabled, UPnP client are allowed to add mappings only<\/tt>
\n# to their IP.<\/tt>
\nsecure_mode=no<\/tt><\/p>\n

# report system uptime instead of daemon uptime<\/tt>
\nsystem_uptime=yes<\/tt><\/p>\n

# notify interval in seconds. default is 30 seconds.<\/tt>
\nnotify_interval=60<\/tt><\/p>\n

# unused rules cleaning.<\/tt>
\n# never remove any rule before this threshold for the number<\/tt>
\n# of redirections is exceeded. default to 20<\/tt>
\n#clean_ruleset_threshold=10<\/tt>
\n# clean process work interval in seconds. default to 0 (disabled).<\/tt>
\n# a 600 seconds (10 minutes) interval makes sense<\/tt>
\nclean_ruleset_interval=600<\/tt><\/p>\n

# make filter rules in pf quick or not. default is yes<\/tt>
\n# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)<\/tt>
\nquickrules=yes<\/tt><\/p>\n

# uuid : generate your own with \"make genuuid\"<\/tt>
\nuuid=767e113a-ba6c-11dd-908b-0002a5dae400<\/tt><\/p>\n

# serial and model number the daemon will report to clients<\/tt>
\n# in its XML description<\/tt>
\nserial=12345678<\/tt>
\nmodel_number=1<\/tt><\/p>\n

# UPnP permission rules<\/tt>
\n# (allow|deny) (external port range) ip\/mask (internal port range)<\/tt>
\n# A port range is - or if there is only<\/tt>
\n# one port in the range.<\/tt>
\n# ip\/mask format must be nn.nn.nn.nn\/nn<\/tt>
\n# it is advised to only allow redirection of port above 1024<\/tt>
\n# and to finish the rule set with \"deny 0-65535 0.0.0.0\/0 0-65535\"<\/tt>
\nallow 0-65535 192.168.0.0\/24 0-65535<\/tt>
\ndeny 0-65535 0.0.0.0\/0 0-65535<\/tt><\/p><\/blockquote>\n

This seemed to work fine, as I could add, list, and remove rules using the MiniUPnP client<\/a> for Windows from an XP VM. However, the first bit of weirdness I ran into was that I could not do so from my work laptop.<\/p>\n

I next tried the Xbox 360, and this is where the weirdness began. On the first Xbox Live test I saw no output from miniupnpd<\/tt> (running in debug mode), and the Xbox simply told me that the test failed, and I’m using “Strict” NAT. It then suggested that I reboot the router or modem. Immediately hitting OK would cause the test to run, I would then see output from miniupnpd<\/tt>, a forwarding rule would be set up, and the holy grail of Xbox LIVE testing, the success screen shown above, would be displayed. This screen indicates that NAT is what is known as “Open”, or as permissible as possible, with UPnP working.<\/p>\n

What’s even stranger is that running the test again, it would fail. After this second test I was offered the previous suggestion, which was to reboot the router or modem. Again choosing the option to indicate that I did this resulted in a successful test. However, this time the output from miniupnpd<\/tt> indicated that the rule already existed so it wasn’t added.<\/p>\n

At this point I decided to fire up Worms and see if inviting would work, and it did. This confuses me greatly, as the automatically created redirect matches one of the previously done manual ones, and with these set up things didn’t work.<\/p>\n

Here’s some info as things went along showing it being weird:<\/p>\n

Starting out, showing nothing in the in the miniupnpd<\/tt> anchors:<\/p>\n

trashwall# pfctl -a miniupnpd -s nat<\/tt>
\ntrashwall# pfctl -a miniupnpd -s rules<\/tt>
\ntrashwall#<\/tt><\/p><\/blockquote>\n

From the XP VM I can see that the IGD (Internet Gateway Device) is present and contains no forwards:<\/p>\n

C:\\Documents and Settings\\c0nsumer\\Desktop\\miniupnpd>upnpc-shared.exe -l<\/tt>
\nupnpc : miniupnpc library test client. (c) 2006-2008 Thomas Bernard<\/tt>
\nGo to http:\/\/miniupnp.free.fr\/ or http:\/\/miniupnp.tuxfamily.org\/<\/tt>
\nfor more information.<\/tt>
\nList of UPNP devices found on the network :<\/tt>
\n desc: http:\/\/192.168.0.1:30239\/rootDesc.xml<\/tt>
\n st: urn:schemas-upnp-org:device:InternetGatewayDevice:1<\/tt><\/p>\n

Found valid IGD : http:\/\/192.168.0.1:30239\/ctl\/IPConn<\/tt>
\nLocal LAN ip address : 192.168.0.25<\/tt>
\nConnection Type : IP_Routed<\/tt>
\nStatus : Connected, uptime=542063, LastConnectionError : ERROR_NONE<\/tt>
\nMaxBitRateDown : 10000000 bps   MaxBitRateUp 1000000 bps<\/tt>
\nExternalIPAddress = 69.244.128.183<\/tt>
\nGetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)<\/tt><\/p>\n

C:\\Documents and Settings\\c0nsumer\\Desktop\\miniupnpd><\/tt><\/p><\/blockquote>\n

I would now turn on the 360, test the connection, and watch it fail saying that the NAT type is “Strict”, all without seeing any output from miniupnpd<\/tt>. As described above, saying that I’ve rebooted my router or modem would then produce the following output from miniupnpd<\/tt>:<\/p>\n

miniupnpd[11100]: HTTP connection from 192.168.0.7:47933<\/tt>
\nminiupnpd[11100]: HTTP REQUEST : GET \/rootDesc.xml (HTTP\/1.1)<\/tt>
\nminiupnpd[11100]: HTTP connection from 192.168.0.7:8577<\/tt>
\nminiupnpd[11100]: HTTP REQUEST : POST \/ctl\/IPConn (HTTP\/1.1)<\/tt>
\nminiupnpd[11100]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetStatusInfo<\/tt>
\nminiupnpd[11100]: HTTP connection from 192.168.0.7:52543<\/tt>
\nminiupnpd[11100]: HTTP REQUEST : POST \/ctl\/IPConn (HTTP\/1.1)<\/tt>
\nminiupnpd[11100]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping<\/tt>
\nminiupnpd[11100]: AddPortMapping: ext port 3074 to 192.168.0.7:3074 protocol UDP for: Xbox (192.168.0.7:3074) 3074 UDP<\/tt>
\nminiupnpd[11100]: UPnP permission rule 0 matched : port mapping accepted<\/tt>
\nminiupnpd[11100]: redirecting port 3074 to 192.168.0.7:3074 protocol UDP for: Xbox (192.168.0.7:3074) 3074 UDP<\/tt><\/p><\/blockquote>\n

Look at that. XP can now see that there’s a port forward:<\/p>\n

C:\\Documents and Settings\\c0nsumer\\Desktop\\miniupnpd>upnpc-shared.exe -l<\/tt>
\nupnpc : miniupnpc library test client. (c) 2006-2008 Thomas Bernard<\/tt>
\nGo to http:\/\/miniupnp.free.fr\/ or http:\/\/miniupnp.tuxfamily.org\/<\/tt>
\nfor more information.<\/tt>
\nList of UPNP devices found on the network :<\/tt>
\n desc: http:\/\/192.168.0.1:30239\/rootDesc.xml<\/tt>
\n st: urn:schemas-upnp-org:device:InternetGatewayDevice:1<\/tt><\/p>\n

Found valid IGD : http:\/\/192.168.0.1:30239\/ctl\/IPConn<\/tt>
\nLocal LAN ip address : 192.168.0.25<\/tt>
\nConnection Type : IP_Routed<\/tt>
\nStatus : Connected, uptime=542527, LastConnectionError : ERROR_NONE<\/tt>
\nMaxBitRateDown : 10000000 bps   MaxBitRateUp 1000000 bps<\/tt>
\nExternalIPAddress = 69.244.128.183<\/tt>
\n 0 UDP  3074->192.168.0.7:3074  'Xbox (192.168.0.7:3074) 3074 UDP' ''<\/tt>
\nGetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)<\/tt><\/p>\n

C:\\Documents and Settings\\c0nsumer\\Desktop\\miniupnpd><\/tt><\/p><\/blockquote>\n

pf<\/tt> can also see that it has both the redirect and filter rules:<\/p>\n

trashwall# pfctl -a miniupnpd -s nat<\/tt>
\nrdr on gem0 inet proto udp from any to any port = 3074 label \"Xbox (192.168.0.7:3074) 3074 UDP\" -> 192.168.0.7 port 3074<\/tt>
\ntrashwall# pfctl -a miniupnpd -s rules<\/tt>
\npass in quick on gem0 inet proto udp from any to any port = 3074 flags S\/SA keep state label \"Xbox (192.168.0.7:3074) 3074 UDP\"<\/tt>
\ntrashwall#<\/tt><\/p><\/blockquote>\n

However, if I try the test again, it fails. Selecting the option to see the previous suggestion (rebooting the router or modem) and confirming that I did again causes the test to pass, with the Xbox 360 attempting to recreate the rule. As it already exists it isn’t created. The test will again pass:<\/p>\n

miniupnpd[11100]: HTTP connection from 192.168.0.7:64273<\/tt>
\nminiupnpd[11100]: HTTP REQUEST : GET \/rootDesc.xml (HTTP\/1.1)<\/tt>
\nminiupnpd[11100]: HTTP connection from 192.168.0.7:47982<\/tt>
\nminiupnpd[11100]: HTTP REQUEST : POST \/ctl\/IPConn (HTTP\/1.1)<\/tt>
\nminiupnpd[11100]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetStatusInfo<\/tt>
\nminiupnpd[11100]: HTTP connection from 192.168.0.7:23290<\/tt>
\nminiupnpd[11100]: HTTP REQUEST : POST \/ctl\/IPConn (HTTP\/1.1)<\/tt>
\nminiupnpd[11100]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping<\/tt>
\nminiupnpd[11100]: AddPortMapping: ext port 3074 to 192.168.0.7:3074 protocol UDP for: Xbox (192.168.0.7:3074) 3074 UDP<\/tt>
\nminiupnpd[11100]: UPnP permission rule 0 matched : port mapping accepted<\/tt>
\nminiupnpd[11100]: ignoring redirect request as it matches existing redirect<\/tt><\/p><\/blockquote>\n

Just to confirm, here’s the original manual rules I was using prior to NXE when I was able to use Worms and play against others online:<\/p>\n

rdr pass on $ext_if proto { udp } to port 88 -> $xbox360<\/tt>
\nrdr pass on $ext_if proto { tcp, udp } to port 3074 -> $xbox360<\/tt><\/p>\n

pass in on $ext_if inet proto { tcp udp } from any to ($ext_if) port 3074 keep state<\/tt>
\npass in on $ext_if inet proto { udp } from any to ($ext_if) port 88 keep state<\/tt><\/p><\/blockquote>\n

(UPDATE:<\/strong> This issue has been worked around \/ resolved. Please see Xbox Live Open NAT Using pf on OpenBSD<\/a>.)<\/p>\n","protected":false},"excerpt":{"rendered":"

(UPDATE: This issue has been worked around \/ resolved. Please see Xbox Live Open NAT Using pf on OpenBSD.) I rather enjoy turn-based artillery games<\/p>\n

Continue readingNXE Xbox LIVE with pf and miniupnpd on OpenBSD 4.2<\/span><\/a><\/div>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13],"tags":[],"class_list":["post-731","post","type-post","status-publish","format-standard","hentry","category-computers","entry"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/731","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/comments?post=731"}],"version-history":[{"count":14,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/731\/revisions"}],"predecessor-version":[{"id":1014,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/posts\/731\/revisions\/1014"}],"wp:attachment":[{"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/media?parent=731"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/categories?post=731"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuxx.net\/blog\/wp-json\/wp\/v2\/tags?post=731"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}