Help with CGNAT and PCP

jim_jones · April 20, 2024, 12:52pm

I may be wrong, but to my understanding, PCP allows you to still forward ports even if your ISP uses CGNAT?
Now my ISP has told me that PCP "should" work. So I installed minimalist-pcproxy and hnetd-nossl. I all ready had miniupnpd-nftables installed and forwarding ports because my previous ISP gave me a static IP.
So I can see ports getting assigned in Luci, but the ports are still blocked according to deluge?
I can't find much info on using PCP to forward upstream ports on a CGNAT connection, so I don't know how to troubleshoot if the problem is in my router configuration or my ISP?

My upnpd cfg, its disabled atm since it doesn't work;

config upnpd 'config'
	option log_output '1'
	option download '1024'
	option upload '512'
	option internal_iface 'lan'
	option port '5000'
	option upnp_lease_file '/var/run/miniupnpd.leases'
	option igdv1 '1'
	option pcp_allow_thirdparty '1'
	option ipv6_listening_ip '::1'
	option external_zone 'wan'
	option _pcproxy_configured '1'
	option uuid '3539cc55-d4fb-49d6-acbd-f9b46b562f99'
	option enabled '0'
	option external_ip 'x.x.x.x'
	option external_iface 'wan'

config perm_rule
	option action 'allow'
	option ext_ports '1024-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '1024-65535'
	option comment 'Allow high ports'

config perm_rule
	option action 'deny'
	option ext_ports '0-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '0-65535'
	option comment 'Default deny'

Any help would be appreciated.

moeller0 · April 20, 2024, 12:58pm

Not that it helps much, but I would try to tickle an event that should elicit PCP messages while doing a packet capture on the wan interface to see what happens there...

jim_jones · April 20, 2024, 1:34pm

I'll admit I don't have much experience with reading packet captures. The only thing that stood out to me was;

Destination unreachable (Communication administratively filtered)

And the destination IP is the one shown on IPV4 Upstream details on Luci, and not my public IP address?

But I now also notice that in syslog I see many;

Sat Apr 20 14:25:05 2024 daemon.debug miniupnpd[32760]: rule with label 'Deluge/2.1.2.dev0 libtorrent/2.0.9.0' is not a IGD pinhole

Oh and I forgot to include versions, sorry;

Firmware Version	OpenWrt SNAPSHOT r25858-501ef81040 / LuCI Master 24.099.49263~b576339
Kernel Version	6.1.82

miniupnpd-nftables	2.3.3-r2

brada4 · April 20, 2024, 4:54pm

You need to enable external IP detection. Usually same subscriber gets same external IP (shared with few others)

github.com

miniupnp/miniupnp/blob/db6f9968fed27e5ef7cfddac4be47d8daf5c9624/miniupnpd/miniupnpd.conf#L24


      
          
          # WAN interface must have public IP address. Otherwise it is behind NAT
          # and port forwarding is impossible. In some cases WAN interface can be
          # behind unrestricted full-cone NAT 1:1 when all incoming traffic is NAT-ed and
          # routed to WAN interfaces without any filtering. In this cases miniupnpd
          # needs to know public IP address and it can be learnt by asking external
          # server via STUN protocol. Following option enable retrieving external
          # public IP address from STUN server and detection of NAT type. You need
          # to specify also external STUN server in stun_host option below.
          # This option is disabled by default.
          #ext_perform_stun=yes
          
          # Specify STUN server, either hostname or IP address
          # Some public STUN servers:
          #  stunserver.stunprotocol.org
          #  stun.sipgate.net
          #  stun.xten.com
          #  stun.l.google.com (on non standard port 19302)
          #ext_stun_host=stunserver.stunprotocol.org
          # Specify STUN UDP port, by default it is standard port 3478.
          #ext_stun_port=3478

Further diagnostics is to punch ports with minupnpc and in all ways try to understand how to teach CGNAT to work your way.

jim_jones · April 26, 2024, 7:02pm

Thanks, here is my new upnp config;

config upnpd 'config'
	option log_output '1'
	option download '1024'
	option upload '512'
	option internal_iface 'lan'
	option port '5000'
	option upnp_lease_file '/var/run/miniupnpd.leases'
	option igdv1 '1'
	option pcp_allow_thirdparty '1'
	option ipv6_listening_ip '::1'
	option external_zone 'wan'
	option _pcproxy_configured '1'
	option uuid '3539cc55-d4fb-49d6-acbd-f9b46b562f99'
	option enabled '1'
	option external_iface 'wan'
	option use_stun '1'
	option stun_host 'stun.l.google.com'
	option stun_port '19302'

config perm_rule
	option action 'allow'
	option ext_ports '1024-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '1024-65535'
	option comment 'Allow high ports'

config perm_rule
	option action 'deny'
	option ext_ports '0-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '0-65535'
	option comment 'Default deny'

and here is the log when I start miniupnpd;
syslog

The line;

STUN: ext interface pppoe-wan with IP address 0.0.0.0 is now behind unrestricted full-cone NAT 1:1 with public IP address 0.0.0.0 and firewall does not block incoming connections set by miniunnpd

Looks promising, the addresses are correct.
But deluge still says port is blocked. I tried testing the port with 'www.yougetsignal.com/tools/open-ports/' but it says the port is still closed as well?

jim_jones · April 26, 2024, 10:18pm

I just tried changing the STUN server to sipgate, and now the log says;

STUN: ext interface pppoe-wan with private IP address 0.0.0.0 is now behind restrictive or symmetric NAT with public IP address 0.0.0.0 which does not support port forwarding

brada4 · April 27, 2024, 5:31am

You neex to enable ext_perform_stun to publich locally address used to connect stun service in place of routers outer ip.

jim_jones · April 27, 2024, 1:22pm

It's all ready done, I posted my config just above;

option use_stun '1'

brada4 · April 27, 2024, 2:25pm

Then no chance

jim_jones · April 27, 2024, 2:42pm

Why is that?

brada4 · April 27, 2024, 3:11pm

If your providers cgnat was fullcone aka paired ie you got same public ip receiving connections from the world to cgnat ip then stun mode would work. Try miniupnpc and natpmpc from router if they can open ports. There is no relay to replace upnpd for this case.
Try to find some corners:
https://www.rfc-editor.org/rfc/rfc6888

brada4 · May 4, 2024, 8:48pm

It could have been useful project to have upnp proxy that punches ports via cgnat upnp server

system · May 14, 2024, 8:53pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.