Help with CGNAT and PCP

I may be wrong, but to my understanding, PCP allows you to still forward ports even if your ISP uses CGNAT?
Now my ISP has told me that PCP "should" work. So I installed minimalist-pcproxy and hnetd-nossl. I already had miniupnpd-nftables installed and forwarding ports because my previous ISP gave me a static IP.
So I can see ports getting assigned in Luci, but the ports are still blocked according to deluge?
I can't find much info on using PCP to forward upstream ports on a CGNAT connection, so I don't know how to troubleshoot whether the problem is in my router configuration or at my ISP?

My upnpd cfg, it's disabled atm since it doesn't work;

config upnpd 'config'
	option log_output '1'
	option download '1024'
	option upload '512'
	option internal_iface 'lan'
	option port '5000'
	option upnp_lease_file '/var/run/miniupnpd.leases'
	option igdv1 '1'
	option pcp_allow_thirdparty '1'
	option ipv6_listening_ip '::1'
	option external_zone 'wan'
	option _pcproxy_configured '1'
	option uuid '3539cc55-d4fb-49d6-acbd-f9b46b562f99'
	option enabled '0'
	option external_ip 'x.x.x.x'
	option external_iface 'wan'

config perm_rule
	option action 'allow'
	option ext_ports '1024-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '1024-65535'
	option comment 'Allow high ports'

config perm_rule
	option action 'deny'
	option ext_ports '0-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '0-65535'
	option comment 'Default deny'

Any help would be appreciated.
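The one thing the thread never shows is what a PCP MAP exchange actually looks like on the wire, which is what you need in order to tell "my router isn't asking" apart from "the ISP is refusing". Below is an added example (not code from the thread, from miniupnpd or from minimalist-pcproxy) of a minimal RFC 6887 PCP client in Python: it builds a MAP request, parses the MAP response, and flags the two things that matter for a CGNAT case, the result code and whether the "external" address handed back is itself in the RFC 6598 shared range 100.64.0.0/10 (in which case the mapping exists only on the CGNAT side and the port is still closed from the Internet). The server address is an assumption you supply on the command line; for the ISP's server the IPv4 upstream gateway shown in LuCI is the natural first candidate. The build_map_response helper exists only to construct offline test input.

```python
import ipaddress
import os
import socket
import struct
import sys

PCP_VERSION = 2                 # RFC 6887
PCP_PORT = 5351
OP_MAP = 1
PROTO_TCP, PROTO_UDP = 6, 17

RESULT_CODES = {
    0: "SUCCESS", 1: "UNSUPP_VERSION", 2: "NOT_AUTHORIZED", 3: "MALFORMED_REQUEST",
    4: "UNSUPP_OPCODE", 5: "UNSUPP_OPTION", 6: "MALFORMED_OPTION", 7: "NETWORK_FAILURE",
    8: "NO_RESOURCES", 9: "UNSUPP_PROTOCOL", 10: "USER_EX_QUOTA",
    11: "CANNOT_PROVIDE_EXTERNAL", 12: "ADDRESS_MISMATCH", 13: "EXCESSIVE_REMOTE_PEERS",
}

# RFC 6598 shared address space. An "external" address in here means the mapping was
# created on a CGNAT-side address, so the port is still not reachable from the Internet.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def _to16(ip):
    """PCP carries every address as 16 bytes; IPv4 goes in as ::ffff:a.b.c.d."""
    addr = ipaddress.ip_address(ip)
    return ipaddress.IPv6Address(f"::ffff:{addr}").packed if addr.version == 4 else addr.packed


def _from16(raw):
    addr = ipaddress.IPv6Address(raw)
    mapped = addr.ipv4_mapped
    return mapped if mapped is not None else addr


def build_map_request(client_ip, internal_port, proto=PROTO_TCP, lifetime=3600,
                      suggested_ext_port=0, nonce=None):
    """60-byte MAP request. client_ip MUST equal the UDP source address of the packet,
    otherwise a conforming server answers ADDRESS_MISMATCH."""
    nonce = nonce or os.urandom(12)
    header = struct.pack("!BBHI16s", PCP_VERSION, OP_MAP, 0, lifetime, _to16(client_ip))
    body = struct.pack("!12sB3xHH16s", nonce, proto, internal_port, suggested_ext_port, bytes(16))
    return header + body, nonce


def build_map_response(nonce, proto, internal_port, ext_port, ext_ip,
                       result=0, lifetime=3600, epoch=0):
    """What a PCP server sends back (R bit set in the opcode byte); test input only."""
    header = struct.pack("!BBBBII12x", PCP_VERSION, 0x80 | OP_MAP, 0, result, lifetime, epoch)
    body = struct.pack("!12sB3xHH16s", nonce, proto, internal_port, ext_port, _to16(ext_ip))
    return header + body


def parse_map_response(data, expected_nonce):
    if len(data) < 60:
        raise ValueError("short PCP response")
    version, r_op, _, result, lifetime, epoch = struct.unpack("!BBBBII", data[:12])
    if version != PCP_VERSION or not (r_op & 0x80) or (r_op & 0x7F) != OP_MAP:
        raise ValueError("not a PCP v2 MAP response")
    nonce, proto, internal_port, ext_port, ext_raw = struct.unpack("!12sB3xHH16s", data[24:60])
    if nonce != expected_nonce:
        # A response that does not echo our nonce is stale or spoofed; never act on it.
        raise ValueError("mapping nonce mismatch")
    ext_ip = _from16(ext_raw)
    return {
        "result": RESULT_CODES.get(result, f"UNKNOWN_{result}"),
        "lifetime": lifetime, "epoch": epoch, "proto": proto,
        "internal_port": internal_port, "external_port": ext_port,
        "external_ip": str(ext_ip),
        "behind_cgnat": ext_ip.version == 4 and ext_ip in SHARED_ADDRESS_SPACE,
    }


def request_mapping(server_ip, internal_port, proto=PROTO_TCP, lifetime=3600, timeout=3.0):
    """Send one MAP request to a PCP server (assumed address) and return the parsed reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server_ip, PCP_PORT))
        local_ip = s.getsockname()[0]   # the source address the server will compare against
        req, nonce = build_map_request(local_ip, internal_port, proto, lifetime)
        s.send(req)
        return parse_map_response(s.recv(1100), nonce)


if __name__ == "__main__" and len(sys.argv) >= 3:
    # usage: pcp_map.py <pcp-server-ip> <internal-port>
    print(request_mapping(sys.argv[1], int(sys.argv[2])))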
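```

Run it from a LAN host against the router first (the server is then the router's LAN address and the reply should be SUCCESS with your WAN address), then from the router against the ISP's PCP server. A timeout means nobody is listening on 5351 at that address; NOT_AUTHORIZED or UNSUPP_OPCODE means the ISP answers but refuses MAP; SUCCESS with behind_cgnat True means you were given a 100.64/10 address and the port is still closed from outside. Note that this client never sends the THIRD_PARTY option; the pcp_allow_thirdparty setting in the config above lets any LAN client ask for mappings on behalf of other LAN hosts, which is worth keeping off unless something needs it.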

Not that it helps much, but I would try to tickle an event that should elicit PCP messages while doing a packet capture on the wan interface to see what happens there...

I'll admit I don't have much experience with reading packet captures. The only thing that stood out to me was;

Destination unreachable (Communication administratively filtered)

And the destination IP is the one shown on IPV4 Upstream details on Luci, and not my public IP address?

But I now also notice that in syslog I see many;

Sat Apr 20 14:25:05 2024 daemon.debug miniupnpd[32760]: rule with label 'Deluge/2.1.2.dev0 libtorrent/2.0.9.0' is not a IGD pinhole

Oh and I forgot to include versions, sorry;

Firmware Version	OpenWrt SNAPSHOT r25858-501ef81040 / LuCI Master 24.099.49263~b576339
Kernel Version	6.1.82
miniupnpd-nftables	2.3.3-r2

You need to enable external IP detection. Usually the same subscriber gets the same external IP (shared with a few others).

A further diagnostic is to punch ports with miniupnpc and, in all ways, try to understand how to teach the CGNAT to work your way.
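"External IP detection" here means the STUN check miniupnpd does: send a Binding Request, read the address and port the server saw the packet arrive from, and compare them with the address on the WAN interface. The following is an added example (not the thread's or miniupnpd's code) of exactly that comparison in Python, with an RFC 5389 Binding Request builder, a parser that validates the magic cookie and transaction ID before trusting XOR-MAPPED-ADDRESS (falling back to MAPPED-ADDRESS), and a classifier that tells you whether the interface is behind a CGNAT (100.64.0.0/10), a private NAT, or nothing at all. The STUN server name and port are whatever you pass in; the build_binding_response helper only constructs offline test input. It does not decide full-cone versus restricted or symmetric, since that needs additional probes from other server addresses.

```python
import ipaddress
import os
import socket
import struct
import sys

STUN_MAGIC = 0x2112A442                                   # RFC 5389 magic cookie
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS = 0x0001, 0x0020
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598, used by CGNAT


def build_binding_request(txid=None):
    txid = txid or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, STUN_MAGIC, txid), txid


def build_binding_response(txid, mapped_ip, mapped_port):
    """Binding Success carrying one XOR-MAPPED-ADDRESS (IPv4); test input only."""
    xaddr = int(ipaddress.IPv4Address(mapped_ip)) ^ STUN_MAGIC
    xport = mapped_port ^ (STUN_MAGIC >> 16)
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 1, xport, xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), STUN_MAGIC, txid) + attr


def parse_binding_response(data, txid):
    """Return (ip, port) the server saw us come from; XOR-MAPPED-ADDRESS wins."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, magic, rtxid = struct.unpack("!HHI12s", data[:20])
    if magic != STUN_MAGIC or rtxid != txid:
        raise ValueError("not a reply to our transaction")      # stale or forged
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type 0x{mtype:04x}")
    body = data[20:20 + length]
    mapped, pos = None, 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)                            # attributes are 4-byte padded
        if len(value) != 8 or value[1] != 0x01:                 # only IPv4 handled here
            continue
        port, addr = struct.unpack("!HI", value[2:8])
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            return str(ipaddress.IPv4Address(addr ^ STUN_MAGIC)), port ^ (STUN_MAGIC >> 16)
        if atype == ATTR_MAPPED_ADDRESS and mapped is None:
            mapped = (str(ipaddress.IPv4Address(addr)), port)
    if mapped is None:
        raise ValueError("no mapped address in STUN response")
    return mapped


def classify(local_ip, local_port, mapped):
    """Compare the address we sent from with the address the STUN server saw."""
    mapped_ip, mapped_port = mapped
    if mapped_ip == local_ip and mapped_port == local_port:
        return "no NAT in front of this interface: forwards opened here are reachable"
    if mapped_ip == local_ip:
        return f"address preserved but port rewritten upstream ({local_port} -> {mapped_port})"
    local = ipaddress.ip_address(local_ip)
    if local in SHARED_ADDRESS_SPACE:
        kind = "CGNAT (RFC 6598 shared address space)"
    elif local.is_private:
        kind = "a private-address NAT"
    else:
        kind = "an upstream NAT that rewrites the address"
    return f"behind {kind}: the world sees {mapped_ip}:{mapped_port}, not {local_ip}:{local_port}"


def query_stun(server, port=3478, timeout=3.0):
    """One Binding Request to an assumed STUN server; returns what we sent from and what it saw."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, port))
        local_ip, local_port = s.getsockname()
        req, txid = build_binding_request()
        s.send(req)
        mapped = parse_binding_response(s.recv(1500), txid)
    return local_ip, local_port, mapped, classify(local_ip, local_port, mapped)


if __name__ == "__main__" and len(sys.argv) >= 2:
    # usage: stun_check.py <stun-host> [port]
    print(query_stun(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 3478))
```

Run it on the router itself, not on a LAN host: from the LAN the comparison only tells you about your own router's NAT, whereas miniupnpd binds to the WAN address, which is the one that matters. The "with private IP address ... behind restrictive or symmetric NAT" log line later in this thread is the same comparison coming out negative.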

Thanks, here is my new upnp config;

config upnpd 'config'
	option log_output '1'
	option download '1024'
	option upload '512'
	option internal_iface 'lan'
	option port '5000'
	option upnp_lease_file '/var/run/miniupnpd.leases'
	option igdv1 '1'
	option pcp_allow_thirdparty '1'
	option ipv6_listening_ip '::1'
	option external_zone 'wan'
	option _pcproxy_configured '1'
	option uuid '3539cc55-d4fb-49d6-acbd-f9b46b562f99'
	option enabled '1'
	option external_iface 'wan'
	option use_stun '1'
	option stun_host 'stun.l.google.com'
	option stun_port '19302'

config perm_rule
	option action 'allow'
	option ext_ports '1024-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '1024-65535'
	option comment 'Allow high ports'

config perm_rule
	option action 'deny'
	option ext_ports '0-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '0-65535'
	option comment 'Default deny'

and here is the log when I start miniupnpd;
syslog

The line;

STUN: ext interface pppoe-wan with IP address 0.0.0.0 is now behind unrestricted full-cone NAT 1:1 with public IP address 0.0.0.0 and firewall does not block incoming connections set by miniunnpd

Looks promising, the addresses are correct.
But deluge still says port is blocked. I tried testing the port with 'www.yougetsignal.com/tools/open-ports/' but it says the port is still closed as well?

I just tried changing the STUN server to sipgate, and now the log says;

STUN: ext interface pppoe-wan with private IP address 0.0.0.0 is now behind restrictive or symmetric NAT with public IP address 0.0.0.0 which does not support port forwarding

You need to enable ext_perform_stun to publish the local address used to connect to the STUN service in place of the router's outer IP.

It's already done, I posted my config just above;

option use_stun '1'

Then no chance :frowning:

Why is that?

If your provider's CGNAT was full-cone, aka paired, i.e. you got the same public IP receiving connections from the world to the CGNAT IP, then STUN mode would work. Try miniupnpc and natpmpc from the router to see if they can open ports. There is no relay to replace upnpd for this case.
Try to find some corners:
https://www.rfc-editor.org/rfc/rfc6888

It could have been a useful project to have a UPnP proxy that punches ports via the CGNAT's UPnP server.
