Filtering UPNP?

We have a client that has a special request involving three ReplayTV units that “find” each other via UPNP. This allows them to share the libraries of videos on any Replay unit from any other Replay unit.

He has two “public” units, call them RP-A and RP-B, that are attached to his private LAN. A third ReplayTV unit, call it RP-X, is attached to a private LAN segment through a Linksys router.

The reason is that the RP-X unit has “adult” material on it that he’d rather not be seen by the kids.

What he’d like to do is access the video libraries on RP-A and RP-B from RP-X, but NOT the other way around.

I stuck a MikroTik in place of the Linksys and set it up to bridge the two LAN segments together, but added filters that drop UDP packets coming from RP-A and RP-B directed toward RP-X (port 80). This seems to “almost” work. RP-A and RP-B “see” RP-X, but are unable to access its library.

The main issue that I had was using the bridge filters to try to manipulate the packets. It kept claiming that I could only filter TCP packets, and not UDP packets. Yet even when I set it to filter TCP, it wouldn’t do it (same error message).

So I used the ip/firewall/filter to manipulate the packets. This seems to only partially work, and some packets get “dropped” without triggering any rules.

Is this because /ip/firewall/filter cannot be applied between bridged interfaces? Can anyone confirm this?

If that’s the case, then I think I just need to route the two LAN segments, but I still need to let the UPNP packets go through.

I don’t know a lot about UPNP, except that it uses the well-known multicast address 239.255.255.250 (port 1900) for UPNP devices to find each other.

What do I need to do to a MT to allow the UPNP packets to go between the two LAN segments? Would both LANs be “internal”?

What is the distinction between “internal” and “external”?

Any other advice?

Is this because /ip/firewall/filter cannot be applied between bridged interfaces? Can anyone confirm this?

You should have ‘interface bridge settings set use-ip-firewall=yes’, then the firewall is used for packets over the bridge (IP packets).

What do I need to do to a MT to allow the UPNP packets to go between the two LAN segments? Would both LANs be “internal”?
What is the distinction between “internal” and “external”?

Internal is local (LAN), external is remote/public.

You need to set both local interfaces as internal.
Bridge should work fine, as computers from different interfaces are connected just to same switch.
Make sure that you have specified the protocol for the UDP filtering rule.

Thanks sergejs,

I looked through the 2.9 manual to find more information about the use-ip-firewall switch, but couldn’t find anything.

Is this only on 3.x?

Yes, this option is available in 3.0.

There is no such option in 2.9; if I’m not mistaken, bridged packets go over the IP firewall by default.

yep, they are =)

Thanks for the replies.

So it seems (to me) that if we actually route the two interfaces, we should be able to exchange UPNP packets between the two subnets. I think all we have to do is set both Ethernet ports to “internal” for UPNP settings. Correct?

This way, I can drop new connections from RP-A and RP-B directed toward RP-X. If I allow new connections the other way (from RP-X toward RP-A or RP-B) then RP-X might actually be able to access their video libraries.

With regard to “internal” versus “external”, I knew that was the private LAN versus the public WAN. What I was not clear on was what significance this had toward UPNP. One thing that I presume this means is that an “external” UPNP will not multicast on 239.255.255.250 (note that this is a presumption). What I don’t know is what other things this does to UPNP (if any, or if the first presumption is correct).
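As an added example, not posted by anyone in this thread, here is a RouterOS 3.x configuration that puts together the bridged design the original poster built and the two points raised in the replies (enable use-ip-firewall so /ip firewall filter sees bridged packets; always state the protocol on a UDP rule). The policy is the one requested: RP-X may open connections to RP-A and RP-B, nothing may open new connections toward RP-X, and SSDP discovery still crosses the bridge. The addresses, interface names and the bridge name are constructed placeholders; the assumption that the units answer unicast M-SEARCH queries from source port 1900 is marked in the comments.

```routeros
# Added example, not from the thread. Constructed addresses:
#   RP-A = 192.168.1.11   RP-B = 192.168.1.12   (behind ether1, the "public" side)
#   RP-X = 192.168.1.30                          (behind ether2, the restricted unit)
# Both ports are bridged, so all three units share one subnet and one L2 domain;
# the SSDP multicast to 239.255.255.250:1900 therefore never has to be routed.

/interface bridge
add name=bridge1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2

# Without this, bridged frames bypass /ip firewall filter entirely, which is why
# packets seemed to be dropped or passed without ever hitting a rule.
/interface bridge settings
set use-ip-firewall=yes

/ip firewall filter
# Replies for flows that were already allowed (RP-X browsing RP-A or RP-B).
add chain=forward connection-state=established,related action=accept comment="reply traffic for allowed flows"

# SSDP discovery: multicast M-SEARCH / NOTIFY from any unit may cross the bridge.
# protocol=udp is stated explicitly, as advised in the thread.
add chain=forward protocol=udp dst-address=239.255.255.250 dst-port=1900 action=accept comment="SSDP multicast discovery"

# Unicast M-SEARCH answers from RP-A/RP-B back to RP-X. These come from a different
# source address than the query, so connection tracking does not treat them as
# replies. ASSUMPTION: the units answer from source port 1900; check with
# /tool sniffer if RP-X stops seeing the other two units.
add chain=forward protocol=udp src-port=1900 dst-address=192.168.1.30 action=accept comment="SSDP unicast responses to RP-X"

# Anything else that tries to open a new flow toward RP-X is logged, then dropped.
# The protocol is deliberately left unrestricted so the port 80 library traffic
# is caught whether it turns out to be TCP or UDP.
add chain=forward dst-address=192.168.1.30 connection-state=new action=log log-prefix="rpx-drop" comment="log new flows toward RP-X"
add chain=forward dst-address=192.168.1.30 connection-state=new action=drop comment="block library access into RP-X"

# New flows from RP-X toward RP-A/RP-B are not matched above and pass by default.

# The "internal" setting asked about in the thread lives here. In RouterOS this
# enables the router's own UPnP IGD (port-mapping) service on the listed ports;
# it is separate from the ReplayTV SSDP traffic that the filter rules above handle.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=internal
add interface=ether2 type=internal
```

To confirm the rules are actually being consulted, watch the counters with `/ip firewall filter print stats` while RP-A tries to open RP-X's library, and look for the logged attempts with `/log print where message~"rpx-drop"`; if the counters stay at zero the bridged packets are still bypassing the IP firewall. One caveat on the routed alternative discussed later in the thread: multicast to 239.255.255.250 does not cross a routed boundary on its own, so keeping the two segments bridged (as above) is what lets discovery keep working without any multicast routing.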