Install UPnP for OpenWrt on MiWifi R3G

I recently installed OpenWrt on a MiWifi R3G route with version 23.05.4 "mt7621" target and "mipsel_24kc" packages. Everything went well until I tried to enable UPnP function.

Because "opkg list" after an "opkg update" did not show me any package related to UPnP in the repository. I tried to manually download and install the following packages:

libcap-ng_0.8.3-2_mipsel_24kc.ipk
miniupnpd-nftables_2.3.3-2_mipsel_mips32.ipk
luci-app-upnp_git-24.025.85460-2338802_all.ipk

and configured according to https://openwrt.org/docs/guide-user/firewall/upnp/upnp_setup

Here are the 3 problems I met:

  1. /etc/config/miniupnpd not found.
  2. Could not find "zone_wan_forward" and "zone_wan_prerouting" chains under the "Status/Firewall" of the web interface to verify if UPnP is working.
  3. Got "RPCError
    RPC call to luci.upnp/get_status failed with error -32000: Object not found handleCallReply@" error by clicking "Service/UPnP" of the web interface after the reboot.

I think NAT-PMP is working because its traffic is listened on port 5351. What do I need to do to make UPnP fully functional?

Any help would be appreciated.

It would be good to start over and to see the specific output of your opkg installation attempt.

I think they went well.

root@OpenWrt:/tmp# opkg install libcap-ng_0.8.3-2_mipsel_24kc.ipk
Installing libcap-ng (0.8.3-2) to root...
Configuring libcap-ng.

root@OpenWrt:/tmp# opkg install miniupnpd-nftables_2.3.3-2_mipsel_24kc.ipk
Installing miniupnpd-nftables (2.3.3-2) to root...
Configuring miniupnpd-nftables.

root@OpenWrt:/tmp# opkg install luci-app-upnp_git-24.025.85460-2338802_all.ipk
Installing luci-app-upnp (git-24.025.85460-2338802) to root...
Configuring luci-app-upnp.

Well, we should try to understand if there is some other issue. Starting with a default config and then observing the results of the standard opkg installation (as compared to the manual download and install) may tell us what we need to know.

I removed all the manually installed packages and tried the opkg installation again. It somehow allowed me to install those pacakges needed now. I have no idea why it won't let me in the first place and made all the manual fuzz...

Now the web interface works perfectly. Thank you very much for swift and handful help!

The first 2 problem still exists though. I'm not sure if I still need to make them work, or the artical does not apply / being simply outdated?

I don't actually know. I don't use upnp as it represents a security vulnerability on the network, so I've never even played with it. However, maybe others can answer those questions.

Thanks a lot anyways.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
grafik
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

A bit longer but:

opkg list-installed
nft list ruleset | less

Try to search (/) for upnp_ tables.

Installation should be like that:

  1. Install miniupnpd--nftables
  2. install luci-app-upnp
  3. Log out and log in to luci and enable UPnP, defaults accept requests to open ports on WAN interface when requested from LAN interface

root@OpenWrt:~# ubus call system board

{
	"kernel": "5.15.162",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "Xiaomi Mi Router 3G",
	"board_name": "xiaomi,mi-router-3g",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "ramips/mt7621",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.13.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '5'
	option band '2g'
	option htmode 'HT20'
	option txpower '20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Rein_SH'
	option encryption 'sae-mixed'
	option key ''

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '144'
	option band '5g'
	option htmode 'VHT80'
	option txpower '20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Rein_SH'
	option encryption 'sae-mixed'
	option key ''

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'relay'
	option ra 'relay'
	option ndp 'relay'

config dhcp 'wan'
	option interface 'wan'
	option master '1'
	option ra 'relay'
	option dhcpv6 'relay'
	option ndp 'relay'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wan6'
	option interface 'wan6'
	option ignore '1'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Transmission'
	list proto 'tcp'
	option src 'wan'
	option dest_port '51413'
	option target 'ACCEPT'

root@OpenWrt:~# opkg list-installed

attr - 2.5.1-1

avahi-dbus-daemon - 0.8-8

base-files - 1559-r24012-d8dd03c46f

block-mount - 2023-02-28-bfe882d5-1

busybox - 1.36.1-1

ca-bundle - 20230311-1

cgi-io - 2022-08-10-901b0f04-21

dbus - 1.13.18-12

dnsmasq - 2.90-2

dropbear - 2022.82-6

firewall4 - 2023-09-01-598d9fbb-1

fstools - 2023-02-28-bfe882d5-1

fwtool - 2019-11-12-8f7fe925-1

getrandom - 2022-08-13-4c7b720b-2

hd-idle - 1.05-2

hostapd-common - 2023-09-08-e5ccbfc6-7

iw - 5.19-1

iwinfo - 2023-07-01-ca79f641-1

jansson4 - 2.14-3

jshn - 2023-05-23-75a3b870-1

jsonfilter - 2024-01-23-594cfa86-1

kernel - 5.15.162-1-144de9e5c1a8813b724b14faa054d9f0

kmod-cfg80211 - 5.15.162+6.1.97-1-1

kmod-crypto-acompress - 5.15.162-1

kmod-crypto-aead - 5.15.162-1

kmod-crypto-ccm - 5.15.162-1

kmod-crypto-cmac - 5.15.162-1

kmod-crypto-crc32 - 5.15.162-1

kmod-crypto-crc32c - 5.15.162-1

kmod-crypto-ctr - 5.15.162-1

kmod-crypto-gcm - 5.15.162-1

kmod-crypto-gf128 - 5.15.162-1

kmod-crypto-ghash - 5.15.162-1

kmod-crypto-hash - 5.15.162-1

kmod-crypto-hmac - 5.15.162-1

kmod-crypto-manager - 5.15.162-1

kmod-crypto-null - 5.15.162-1

kmod-crypto-rng - 5.15.162-1

kmod-crypto-seqiv - 5.15.162-1

kmod-crypto-sha512 - 5.15.162-1

kmod-fs-exfat - 5.15.162-1

kmod-fs-ext4 - 5.15.162-1

kmod-fs-f2fs - 5.15.162-1

kmod-fs-ntfs - 5.15.162-1

kmod-fs-vfat - 5.15.162-1

kmod-gpio-button-hotplug - 5.15.162-3

kmod-leds-gpio - 5.15.162-1

kmod-lib-crc-ccitt - 5.15.162-1

kmod-lib-crc16 - 5.15.162-1

kmod-lib-crc32c - 5.15.162-1

kmod-lib-lzo - 5.15.162-1

kmod-mac80211 - 5.15.162+6.1.97-1-1

kmod-mt76-core - 5.15.162+2024-04-03-1e336a85-1

kmod-mt7603 - 5.15.162+2024-04-03-1e336a85-1

kmod-mt76x02-common - 5.15.162+2024-04-03-1e336a85-1

kmod-mt76x2 - 5.15.162+2024-04-03-1e336a85-1

kmod-mt76x2-common - 5.15.162+2024-04-03-1e336a85-1

kmod-nf-conntrack - 5.15.162-1

kmod-nf-conntrack6 - 5.15.162-1

kmod-nf-flow - 5.15.162-1

kmod-nf-log - 5.15.162-1

kmod-nf-log6 - 5.15.162-1

kmod-nf-nat - 5.15.162-1

kmod-nf-reject - 5.15.162-1

kmod-nf-reject6 - 5.15.162-1

kmod-nfnetlink - 5.15.162-1

kmod-nft-core - 5.15.162-1

kmod-nft-fib - 5.15.162-1

kmod-nft-nat - 5.15.162-1

kmod-nft-offload - 5.15.162-1

kmod-nls-base - 5.15.162-1

kmod-nls-cp437 - 5.15.162-1

kmod-nls-iso8859-1 - 5.15.162-1

kmod-nls-utf8 - 5.15.162-1

kmod-ppp - 5.15.162-1

kmod-pppoe - 5.15.162-1

kmod-pppox - 5.15.162-1

kmod-scsi-core - 5.15.162-1

kmod-scsi-generic - 5.15.162-1

kmod-slhc - 5.15.162-1

kmod-usb-core - 5.15.162-1

kmod-usb-ehci - 5.15.162-1

kmod-usb-ledtrig-usbport - 5.15.162-1

kmod-usb-storage - 5.15.162-1

kmod-usb-storage-uas - 5.15.162-1

kmod-usb-xhci-hcd - 5.15.162-1

kmod-usb-xhci-mtk - 5.15.162-1

kmod-usb2 - 5.15.162-1

kmod-usb3 - 5.15.162-1

libatomic1 - 12.3.0-4

libattr - 2.5.1-1

libavahi-client - 0.8-8

libavahi-dbus-support - 0.8-8

libblkid1 - 2.39-2

libblobmsg-json20230523 - 2023-05-23-75a3b870-1

libc - 1.2.4-4

libcap - 2.69-1

libcap-ng - 0.8.3-2

libcurl4 - 8.7.1-r1

libdaemon - 0.14-5

libdbus - 1.13.18-12

libdeflate - 1.18-1

libdht - 2022-04-27-11123089-1

libevdev - 1.13.0-1

libevent2-7 - 2.1.12-1

libevent2-core7 - 2.1.12-1

libevent2-pthreads7 - 2.1.12-1

libexpat - 2.5.0-1

libgcc1 - 12.3.0-4

libgmp10 - 6.2.1-1

libgnutls - 3.8.3-1

libidn2 - 2.3.4-1

libiwinfo-data - 2023-07-01-ca79f641-1

libiwinfo20230701 - 2023-07-01-ca79f641-1

libjson-c5 - 0.16-3

libjson-script20230523 - 2023-05-23-75a3b870-1

liblucihttp-ucode - 2023-03-15-9b5b683f-1

liblucihttp0 - 2023-03-15-9b5b683f-1

libmbedtls12 - 2.28.8-1

libminiupnpc - 2.2.3-1

libmnl0 - 1.0.5-1

libmount1 - 2.39-2

libnatpmp1 - 20150609-3

libncurses6 - 6.4-2

libnettle8 - 3.9.1-1

libnftnl11 - 1.2.6-1

libnghttp2-14 - 1.57.0-1

libnl-tiny1 - 2023-07-27-bc92a280-1

libopenssl3 - 3.0.14-2

libpam - 1.5.2-1

libpcre2 - 10.42-1

libpopt0 - 1.19-1

libpsl5 - 0.21.2-1

libpthread - 1.2.4-4

libreadline8 - 8.2-1

librt - 1.2.4-4

libsmartcols1 - 2.39-2

libstdcpp6 - 12.3.0-4

libtasn1 - 4.19.0-2

libtirpc - 1.3.3-1

libubox20230523 - 2023-05-23-75a3b870-1

libubus20230605 - 2023-06-05-f787c97b-1

libuci20130104 - 2023-08-10-5781664d-1

libuclient20201210 - 2023-04-13-007d9454-1

libucode20230711 - 2024-07-11-1a8a0bcf-1

libudev-zero - 1.0.1-1

libunistring - 1.1-1

libusb-1.0-0 - 1.0.26-3

libustream-mbedtls20201210 - 2023-02-25-498f6e26-1

libutp - 2023-02-14-c95738b1-1

libuuid1 - 2.39-2

logd - 2022-08-13-4c7b720b-2

lsblk - 2.39-2

luci - git-23.051.66410-a505bb1

luci-app-firewall - git-24.067.01746-69867db

luci-app-hd-idle - git-21.322.37170-27ca2e2

luci-app-opkg - git-24.148.43905-2891ca4

luci-app-samba4 - git-23.142.65904-c0478f0

luci-app-transmission - git-21.337.84171-2ef8100

luci-app-upnp - git-24.025.85485-89a9b58

luci-base - git-24.086.45142-09d5a38

luci-light - git-23.024.33244-34dee82

luci-mod-admin-full - git-19.253.48496-3f93650

luci-mod-network - git-24.111.76511-ff6b275

luci-mod-status - git-24.141.29354-5cfe7a7

luci-mod-system - git-24.067.01860-7a82b2f

luci-proto-ipv6 - git-24.086.45108-51aee90

luci-proto-ppp - git-24.135.44542-f1ec9c2

luci-ssl - git-23.035.26083-7550ad6

luci-theme-bootstrap - git-24.086.46634-1ffe078

miniupnpd-nftables - 2.3.3-2

mtd - 26

netifd - 2024-01-04-c18cc79d-2

nftables-json - 1.0.8-1

odhcp6c - 2023-05-12-bcd28363-20

odhcpd-ipv6only - 2023-10-24-d8118f6e-1

openwrt-keyring - 2022-03-25-62471e69-2

opkg - 2022-02-24-d038e5b6-2

ppp - 2.4.9.git-2021-01-04-4

ppp-mod-pppoe - 2.4.9.git-2021-01-04-4

procd - 2023-06-25-2db83655-2

procd-seccomp - 2023-06-25-2db83655-2

procd-ujail - 2023-06-25-2db83655-2

px5g-mbedtls - 10

rpcd - 2023-07-01-c07ab2f9-1

rpcd-mod-file - 2023-07-01-c07ab2f9-1

rpcd-mod-iwinfo - 2023-07-01-c07ab2f9-1

rpcd-mod-luci - 20240305-1

rpcd-mod-rrdns - 20170710

rpcd-mod-ucode - 2023-07-01-c07ab2f9-1

samba4-libs - 4.18.8-1

samba4-server - 4.18.8-1

terminfo - 6.4-2

transmission-cli - 4.0.6-1

transmission-daemon - 4.0.6-1

transmission-remote - 4.0.6-1

transmission-web - 4.0.6-1

ubi-utils - 2.1.5-1

ubox - 2022-08-13-4c7b720b-2

ubus - 2023-06-05-f787c97b-1

ubusd - 2023-06-05-f787c97b-1

uci - 2023-08-10-5781664d-1

uclient-fetch - 2023-04-13-007d9454-1

ucode - 2024-07-11-1a8a0bcf-1

ucode-mod-fs - 2024-07-11-1a8a0bcf-1

ucode-mod-html - 1

ucode-mod-math - 2024-07-11-1a8a0bcf-1

ucode-mod-nl80211 - 2024-07-11-1a8a0bcf-1

ucode-mod-rtnl - 2024-07-11-1a8a0bcf-1

ucode-mod-ubus - 2024-07-11-1a8a0bcf-1

ucode-mod-uci - 2024-07-11-1a8a0bcf-1

ucode-mod-uloop - 2024-07-11-1a8a0bcf-1

uhttpd - 2023-06-25-34a8a74d-2

uhttpd-mod-ubus - 2023-06-25-34a8a74d-2

urandom-seed - 3

urngd - 2023-11-01-44365eb1-1

usbutils - 014-1

usign - 2020-05-23-f1f65026-1

wget-ssl - 1.21.4-1

wireless-regdb - 2024.07.04-1

wpad-basic-mbedtls - 2023-09-08-e5ccbfc6-7

zlib - 1.2.13-1

root@OpenWrt:~# nft list ruleset | less

Pattern not found

Thanks for the reply. I did do all 3 steps.

How to "defaults accept requests to open ports on WAN interface when requested from LAN interface"? Does this work the same?

On the top of this same page click to enable upnp. Save&apply -> check with transmission dynamic port.

Small note - add country code in upper advanced tab when editing access point. Your wifi power will double in an instant.

Checked "Enable UPnP functionality", Transmission switched to dynamic port, applied the changes, and even started one BT job. It still shows There are no active redirects. above...

Go to status/firewall and search in page for upnp in firewall rules.
It has to be transmission in LAN side, not on OpenWRT

Thanks! I selected AU to get maximum trasmit power.

Below is what related to "upnp" under "status/firewall"



It is enabled , run transmission open port test.

Ouch if yu are behind kind of cgnat - post first 2 numbers of public IP address, if they are 100.64 or 172.16 etc you may need special upnp setup.

Transmission open port test failed.

This router is behind my ISP fiber modem which I don't have admin access. I am not able to find out whether it has its own public address. Public ip test showed my IP is 180.154.x.x and 240e:38a:xxx, but I'm not sure they are actually my modem wan IPs.

On the other hand, the reason I need UPnP is not only Transmission. "NAT Open" is vital to services such as online game play for my XBOX behind. Before trying OpenWrt, after enabling DMZ for my router on the modem (there is an app for me to do so), the UPnP service of the router's original factory firmware would show all the port redirects on its web interface and made those services work.

So far, I tried multiple services and still kept getting this

BTW, missing /etc/config/miniupnpd still concerns me...

Check if /overlay is not stuffed full with other packages.