Latest LEDE 17.01 - problem with firewall or miniupnp? (solved: igmpproxy was the culprit)

Until recently, I had been using the official 17.01 release build on my TP-Link TL-WDR4300 router with miniupnp installed on it. Everything worked great, until I decided to switch to the latest 17.01 code that I pulled from git and built locally. That's when I started getting a flood of denied SSDP packets coming through LEDE's wan firewall, and miniupnp periodically (every 15 seconds or so) writing messages about ignored UPnP requests from 2 of my SetTopBoxes connected to my ISP's router:

...
Thu May  4 20:17:46 2017 daemon.warn miniupnpd[5122]: SSDP packet sender 192.168.1.102:1900 not from a LAN, ignoring <- repeated 10 times
Thu May  4 20:17:59 2017 daemon.warn miniupnpd[5122]: SSDP packet sender 192.168.1.101:1900 not from a LAN, ignoring <- repeated 10 times
Thu May  4 20:18:16 2017 daemon.warn miniupnpd[5122]: SSDP packet sender 192.168.1.102:1900 not from a LAN, ignoring <- repeated 10 times
...

While miniupnp is properly doing its job of only serving lan requests, I'm wondering how those requests were able to get through the wan firewall?

When I turn miniupnp off, the only difference in iptables is the MINIUPNP redirects opened for UPnP clients from lan. Port 1900 is definitely closed on wan, and

Here is my layout:

                 +-------------+       +----------------------+
Internet  <------+ ISP Router  | <-----+ LEDE with miniupnp   |
                 | 192.168.1.1 |       | wan: 192.168.1.2/24  |
                 +--+-----+----+       | lan: 192.168.11.1/24 |
                    ^     ^            +----------------------+
                    |     |
           +--------+-----+--------+
           |  STB1: 192.168.1.101  |
           |  STB2: 192.168.1.102  |
           +-----------------------+

Configuration:

/etc/config/upnpd:

config upnpd config
        option enable_natpmp    1
        option enable_upnp      1
        option secure_mode      1
        option log_output       0
        option external_iface   wan
        option internal_iface   lan
        option port             5000
        option upnp_lease_file  /var/upnp.leases

config perm_rule
        option action           allow
        option ext_ports        1024-65535
        option int_addr         192.168.11.1/24
        option int_ports        1024-65535
        option comment          'Allow high ports'

config perm_rule
        option action           deny
        option ext_ports        0-65535
        option int_addr         0.0.0.0/0
        option int_ports        0-65535
        option comment          'Default deny'

/etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option disable_ipv6 '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option family 'ipv4'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'DROP'
        option output 'ACCEPT'
        option forward 'DROP'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ah'
        option src 'wan'
        option dest 'lan'
        option proto 'ah'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-esp'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option proto 'udp'
        option src_port '500'
        option dest_port '500'
        option target 'ACCEPT'

config redirect
        option name 'Divert-DNS'
        option src 'lan'
        option proto 'tcpudp'
        option src_dport '53'
        option dest_port '53'
        option target 'DNAT'

config redirect
        option name 'Forward-HTTPS'
        option src 'wan'
        option src_dport '443'
        option proto 'tcp'
        option dest 'lan'
        option dest_ip '192.168.11.XXX'
        option target 'DNAT'

config redirect
        option name 'Forward-Steam'
        option src 'wan'
        option src_dport '27015'
        option proto 'tcpudp'
        option family 'ipv4'
        option dest 'lan'
        option dest_ip '192.168.11.XXX'
        option target 'DNAT'

config include
        option path '/etc/firewall.user'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

STB1 & STB2 have a Simple Service Discovery Protocol (SSDP) daemon running.
It is a UPnP server on the STB1 & STB2 box. They search your network for other UPnP devices; the scan is from 192.168.0.1 up to 192.168.254.254 /24.
Your LEDE box's wan switch port leaks traffic to the LAN port. Please post /etc/config/network.

Something is definitely leaking. The /etc/config/network file has not been changed since the original one installed by lede (except the "ipaddr" option):

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdbf:1a94:819e::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.11.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# Separate VLAN for Lan and Wan:
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

Here is a driver problem.
Try changing the wan port to lan port 4; this port is not connected with wlan/soc, which could help to find the issue.

Please change your config: now wan is lan port 4
config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 2 3 4 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '5 0t'

If it does not help, then try out the latest lede trunk snapshot, which has a few patches for the Atheros AR8327N switch.
If the problem is still there, please post a bug report at bugs.lede-project.org


I appreciate your help trismo! I'll give it a try and report back.

I guess I now need to read more on how to check the firewall for leaks. miniupnp is a good indication of a leak, but I'll need to have a more thorough check. Would you have any pointers to where I should start looking?

Also, the 17.01 release did not manifest this problem. It could either be because there were no leaks, or miniupnp did not report "bad" requests in the syslog, or maybe just processed them properly quietly and opened ports.

Switching the wan port to 4 did not help prevent the leak. :unamused:
I started looking into the ar8327 patches that you mentioned on the "master" branch, because building "master" failed for me with some weird error:

make[2]: Entering directory '/home/wind/lede'
make[2]: *** No rule to make target 'package/system/opkg/host/compile', needed by 'package/compile'. Stop.

I do not want to investigate problems on "master", since I'd like to stay on 17.01 branch. So, I'm researching into pulling some ar8327 patches into 17.01 branch ...

After a few experiments with various new and old versions of ar8327 driver (file "target/linux/generic/files/drivers/net/phy/ar8327.c" from the mainline and 17.01 branch), I'm going to take this topic offline, since the problem is not reproducible in the official build of 17.01.0 and 17.01.1. Something must be wrong with my local build. I'll keep investigating.

Thanks for your time trismo!

Mystery solved: the presence of igmpproxy (see https://wiki.openwrt.org/doc/howto/udp_multicast) was responsible for letting the packets in. "igmpproxy" was included in my local image, and even though I specifically removed the rules from the default LEDE firewall configuration (/etc/config/firewall) so as not to allow IGMP packets in, the igmpproxy service appended its own rules into iptables.

The symptoms that I listed in my original post can be easily reproduced in the official LEDE build too if I install igmpproxy. Uninstalling it and restarting the firewall blocks the unwanted traffic from wan.
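The question in the first post (how did SSDP from the ISP side get past a wan zone whose input and forward policy is DROP?) and the answer here (a package's init script appended its own iptables rules, outside /etc/config/firewall) both come down to the same audit: look for ACCEPT rules on the wan device that fw3 did not generate. The script below is an added example, not code from the thread or from the LEDE/igmpproxy projects. It assumes that fw3 in LEDE 17.01 tags the rules it builds from /etc/config/firewall with a "!fw3" comment (visible in `iptables-save` output), so any untagged ACCEPT in the built-in INPUT or FORWARD chain that matches the wan device was put there by something else. The sample dump is constructed; its two untagged igmp / 224.0.0.0/4 lines are an assumed shape for what a multicast proxy's init script inserts, not copied from the igmpproxy package.

```shell
#!/bin/sh
# Audit an iptables-save dump for ACCEPT rules on the WAN device that fw3 did
# not generate. fw3 (LEDE 17.01) tags the rules it builds from
# /etc/config/firewall with a "!fw3" comment (assumption stated in the lead-in);
# an untagged "-i <wan dev> ... -j ACCEPT" in the built-in INPUT or FORWARD
# chain was added by an init script, a package include or by hand, and sits
# outside the zone policy. On the router run:  iptables-save | foreign_wan_accepts eth0.2

# Constructed sample standing in for `iptables-save` output (not a real dump).
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A INPUT -i eth0.2 -p igmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment !fw3 -j ACCEPT
-A INPUT -i br-lan -m comment --comment !fw3 -j zone_lan_input
-A INPUT -i eth0.2 -m comment --comment !fw3 -j zone_wan_input
-A FORWARD -i eth0.2 -d 224.0.0.0/4 -j ACCEPT
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -i eth0.2 -m comment --comment !fw3 -j zone_wan_forward
-A zone_wan_input -m comment --comment "!fw3: Allow-DHCP-Renew" -p udp -m udp --dport 68 -j ACCEPT
-A zone_wan_input -m comment --comment !fw3 -j zone_wan_src_DROP
COMMIT'

# Print every untagged ACCEPT in INPUT/FORWARD that matches the WAN device.
# $1 = WAN device, stdin = iptables-save output.
foreign_wan_accepts() {
    awk -v dev="$1" '
        /^-A (INPUT|FORWARD) / &&
        index($0, "-i " dev " ") > 0 &&
        / -j ACCEPT$/ &&
        index($0, "!fw3") == 0 { print }
    '
}

# Count input lines; always exits 0 (grep -c exits 1 on zero matches).
count_lines() { awk 'END { print NR }'; }

# Exit 0 if an untagged ACCEPT for the WAN device appears in chain $2 before
# fw3's zone dispatch (the first "-j zone_*" jump). Rules inserted with
# `iptables -I` land there, so the zone's DROP policy never sees the packet.
# $1 = WAN device, $2 = INPUT or FORWARD, stdin = iptables-save output.
foreign_before_zone_jump() {
    awk -v dev="$1" -v chain="$2" '
        $1 == "-A" && $2 == chain {
            if (index($0, "-i " dev " ") > 0 && / -j ACCEPT$/ && index($0, "!fw3") == 0)
                found = 1
            if (index($0, "-j zone_") > 0)
                exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# Exit 0 if one of the untagged WAN rules admits multicast (destination in
# 224.0.0.0/4 or the IGMP protocol); SSDP rides on 239.255.255.250:1900, which
# is inside that range.
# $1 = WAN device, stdin = iptables-save output.
admits_multicast() {
    foreign_wan_accepts "$1" |
        awk '/-d 224\.0\.0\.0\/4 / || /-p igmp / { hit = 1 } END { exit (hit ? 0 : 1) }'
}

# Report for the sample; on a router replace the printf with `iptables-save`.
WAN_DEV=eth0.2
echo "Untagged ACCEPT rules on $WAN_DEV:"
printf '%s\n' "$SAMPLE_RULES" | foreign_wan_accepts "$WAN_DEV"
if printf '%s\n' "$SAMPLE_RULES" | foreign_before_zone_jump "$WAN_DEV" INPUT; then
    echo "INPUT: a foreign ACCEPT precedes fw3's zone dispatch"
fi
if printf '%s\n' "$SAMPLE_RULES" | admits_multicast "$WAN_DEV"; then
    echo "multicast from $WAN_DEV is admitted outside the fw3 zone policy"
fi
```

A rule that shows up here but not in `/etc/config/firewall` (and not in `/etc/firewall.user` or a `config include`) was added by a package; because fw3 only rebuilds its own tagged rules, `/etc/init.d/firewall restart` does not clear it while the package's service is still running, which matches what was observed in this thread.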

Good to know, I didn't even think about it.