Could we get the "Fullcone NAT" added by default to the firmware?

Just add it but keep it disabled by default, and if there's someone that needs fullcone NAT, they can just check the box and enable it.

Not going to happen.

First of all, "Fullcone NAT" is not a well-defined term, so just throwing the term into the room does not really tell anyone what you expect that to do. If you really wanted that, you'd have to define -exactly- what you expect it to do, at the very least in the form of desired nftables rules, better in the form of fw4 patches. None of this guarantees it to be accepted, but it's the absolute minimum to start a discussion about it, without the meaningless buzzwords in the room.

4 Likes

Another thread where it became clear that the term isn't clearly defined:

3 Likes

The only definition of "Full cone NAT" is in (obsoleted) RFC3489, but that resembles what is called "DMZ Host" in proprietary firmware. On the other hand, what is implemented and shown as "Full-cone NAT" in OEM FW is host-restricted cone NAT in that RFC, i.e. you connect to a gaming server and the gaming or FTP server can connect back to you. Modern games use UPnP IGD to open return ports, so there is very diminishing possible usage for esoteric NAT traversal methods.

OpenWrt would give "restricted" type while, say, pfSense would be "symmetrical"; either would work right with UPnP, the 1st can link 2 UDP streams between fixated ports with a lot of luck.

1 Like
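
The four NAT behaviours that RFC 3489 defines, modelled side by side as an added example (not posted by anyone in this thread and not OpenWrt code). It is a simplified model without timeouts; the class and function names and the documentation-range addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import count

@dataclass
class Nat:
    kind: str  # "full", "restricted", "port-restricted" or "symmetric"
    ports: count = field(default_factory=lambda: count(40000))
    maps: dict = field(default_factory=dict)   # mapping key -> external port
    state: dict = field(default_factory=dict)  # external port -> (internal, contacted)

    def outbound(self, src, dst):
        """Internal endpoint src sends to dst; return the external port used."""
        # Cone NATs key the mapping on the source only; symmetric adds the destination.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.maps:
            self.maps[key] = next(self.ports)
            self.state[self.maps[key]] = (src, set())
        ext = self.maps[key]
        self.state[ext][1].add(dst)
        return ext

    def inbound(self, ext, remote):
        """Return the internal endpoint that gets the packet, or None if dropped."""
        if ext not in self.state:
            return None
        src, contacted = self.state[ext]
        if self.kind == "full":
            allowed = True                                      # anyone may send
        elif self.kind == "restricted":
            allowed = remote[0] in {ip for ip, _ in contacted}  # address must match
        else:
            allowed = remote in contacted                       # address and port must match
        return src if allowed else None

def probe(kind):
    """One client contacts one server; then three remotes try to reach the mapping."""
    nat = Nat(kind)
    client, server = ("192.168.1.10", 5000), ("198.51.100.1", 3478)  # constructed
    other = ("203.0.113.7", 3478)                                    # constructed
    ext = nat.outbound(client, server)
    return {
        "server_reply": nat.inbound(ext, server) is not None,
        "server_other_port": nat.inbound(ext, (server[0], 9999)) is not None,
        "unrelated_host": nat.inbound(ext, other) is not None,
        "mapping_reused": nat.outbound(client, other) == ext,
    }

if __name__ == "__main__":
    for kind in ("full", "restricted", "port-restricted", "symmetric"):
        print(f"{kind:16}", probe(kind))
```

The `unrelated_host` column is the security-relevant one: only the "full" type lets a host the client never contacted reach the internal endpoint through the mapping.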

OpenWrt provides everything a typical gamer needs. Probably even more than the typical firmware of a cheap router.

Do they? I have never seen ports opened by UPnP when kids play games on their phones. Playstation on the other hand relies on that.

Speaking of miniupnpd related stuff, what about IPv6 pinholes? Is it well-supported? Can someone tell me why this is not in OpenWrt?

No upnp in mobile cgnats....

About leases6 - why not PR it?

We are talking about phones connected to OpenWrt via Wi-Fi not cell-network. Technically they are just regular clients just like my laptop.

Probably we should ask the author... Hey @lantis1008 have you tried pushing it to OpenWrt's miniupnpd package?

Ask your game vendor, seriously nothing OpenWrt can do about their design choices.

The last PR I sent to OpenWrt got very little attention, no reviews and I don’t think any developers even bothered looking at it, despite forum interest in the feature.

So the incentive for me to submit another one is just… urgh.

Maybe on the weekend if I feel like it.

3 Likes

Don't even remember when was the last time I installed something for myself to play... Just a general observation, UPnP is not that needed these days, especially for those who've got their fingers glued to a phone. Probably that's the reason why it's not even in the default installation...

Thank you in advance.

Yeah, that's a bummer.

P.S. Just for those who've got no idea what we talked about. IPv6 pinholes (kinda UPnP for IPv6) work out of the box (miniupnpd is needed) but it just doesn't report about ports being opened anywhere. That patch enables reporting in a dedicated IPv6 leases file. Next step would be reporting it in the LuCI part of miniupnpd...

I use a nanopi r6s as a router, they have a custom version of openwrt, called friendlywrt, and by default they have added the option to enable fullcone NAT.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/firewall

https://github.com/friendlyarm/friendlywrt/blob/6b5c13c6165f671c5f3fe2dd32ce383c78f2de7f/package/network/config/firewall4/patches/999-01-firewall4-add-fullcone-support.patch - that should help more.

That's not the kernel part.

The rest:

I want to know what kernel part does... net/netfilter/*

Maybe we should ask the guy @wongsyrone who wrote the code?

They have a fork of the kernel code.

Ok, it is restricted to a single address but why in tbh it parasites on ct zone and not on undefined ct state/status bits.

It is not 100% imitable by rules but one could add nat dst address to a dynamic/timeout dnat "map" permitting incoming connections for said timeout.