Lede 17.01.4 with miniupnpd and Playstation 4

Hello!
I'm new to the forum. I have been using LEDE for some time now, and never had problems.
But now I'm having problems getting a PS4 to work with LEDE.

I already know that the PS4 uses igd v1, and I believe LEDE is (for some time now) using igd v2 by default. The ports won't be forwarded with UPnP...
I'm using this Router: https://lede-project.org/toh/hwdata/tp-link/tp-link_archer_c50_v1

My setup: Cisco epc3940, with the LEDE router IP in DMZ <--> Archer C50 V1 with LEDE and static IP for WAN, DHCP server for LAN clients <--> PS4 with static IP (assigned and reserved in DHCP for the PS4).

UPnP is not working, and so the PS4 won't connect :wink:

I already tried to compile a firmware myself only using igd v1 with this manual from marbi: Miniupnp with igd2 not compatible with consoles
But I'm not a linux guy, so I have problems with this.

Maybe somebody can give me some advice, or maybe somebody who knows what he is doing could compile me a 17.01.4 firmware for the Archer C50 V1 with LuCI and miniupnpd igd1. I know that is a lot to ask for... but hey, asking is free...

Any other ideas?

Thanks in advance!

Gregory

It’s supposed to be already downgraded to v1 in LEDE as per this comment:

Do I understand well that you are actually using 17.01.4?

Yes, I am using 17.01.4... I think there was a pull request for V2, but it has not been pulled? Maybe I am wrong.

Can I check which version is used by miniupnpd?

The actual version of miniupnpd 2.0.20170421-2 has been downgraded to igd v1. I'm using it without any problem with my Xbox One.

You can enable additional logging option in MiniUPnP settings and see what is going on in the log using logread -f while you're connected via ssh to your lede router.

Thanks a lot, I'll give it a try... Maybe the problem is another one...
So if I use the firmware file from here https://lede-project.org/toh/hwdata/tp-link/tp-link_archer_c50_v1 and install miniupnpd with LuCI, it should use version 1?

Thanks!

That's right, LEDE 17.01.4 has miniupnpd 2.0.20170421-2, which is IGDv1 enabled.

Thank you! I'll report back!

It does not seem to be a UPnP or port forward issue. As people have stated UPnP has been fixed appropriately to work. Also, even if UPnP is not enabled and ports are not forwarded you still would be able to connect to PSN and the NAT type would be Type 3 instead of Type 2 on Playstation 4.

Your issue seems to be a double NAT. Meaning your Cisco epc3940 is in router mode doing NAT and even though your Archer C50 is on a DMZ it is still in router mode doing NAT as well. It creates a lot of issues having double NAT. The easy solution would be to put the Archer C50 in switch and AP mode.

Here's how I've turned a router in to a switch using LEDE:

1.) Under Network->Switch only have one VLAN with all LAN and WAN ports untagged and the CPU's tagged on the same VLAN

2.) Under Network->Interfaces delete the WAN and WAN6 instances and keep only the LAN instance

3.) Under Network->Interfaces edit the LAN and under General Settings
- Set Protocol to 'Static Address'
- Set the IPv4 Address to something like 192.168.1.2 (whatever you had it statically set before)
- Set the IPv4 Netmask to whatever you are using, typically 255.255.255.0
- Set the IPv4 Gateway to that of your Cisco epc3940's IP

4.) Under System->Startup stop and disable the firewall and dnsmasq services

5.) (Optional) Set up your wireless on it and bridge it to the LAN interface

Next take the IP of the Archer C50 off DMZ on the Cisco epc3940. That raises some real security issues having it on DMZ. Your static IP of your PS4, even though connected to the Archer C50, will now be routed by the Cisco epc3940. So on the Cisco epc3940 enable UPnP or forward the appropriate ports to the static IP of your PS4. You can DMZ the IP of the PS4 as well, I would not recommend it, but you can.
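The same five steps, done with the uci command line over SSH instead of clicking through LuCI. This is an added example, not code from the thread or from the LEDE project. The addresses (ISP router 192.168.1.1, this box 192.168.1.2/24) and the switch port list are hypothetical and must be adjusted; in particular the port numbers differ per device, so read them from Network->Switch or `swconfig dev switch0 show` on the unit before applying anything. Run it with `plan` first to see the commands it would issue.

```shell
#!/bin/sh
# Added example (not from the thread or LEDE): turn a LEDE router into a
# dumb switch + access point behind the ISP router, following steps 1-5.
# Hypothetical defaults, override via environment before running:
UPSTREAM_GW="${UPSTREAM_GW:-192.168.1.1}"      # the Cisco's LAN address
AP_ADDR="${AP_ADDR:-192.168.1.2}"              # this box, static, same subnet
AP_MASK="${AP_MASK:-255.255.255.0}"
SWITCH_PORTS="${SWITCH_PORTS:-0 1 2 3 4 6t}"   # all ports untagged, CPU tagged (device-specific!)

# With DRY_RUN=1 every command is printed instead of executed, so the plan can
# be reviewed before anything is committed (and the script can run off-router).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

dumb_ap_plan() {
    # Step 1: a single VLAN. LEDE ships two switch_vlan sections (LAN, WAN);
    # drop the second and put every port, plus the tagged CPU port, in the first.
    run uci delete 'network.@switch_vlan[1]'
    run uci set 'network.@switch_vlan[0].vlan=1'
    run uci set "network.@switch_vlan[0].ports=$SWITCH_PORTS"
    # Step 2: remove the WAN and WAN6 interfaces entirely.
    run uci delete network.wan
    run uci delete network.wan6
    # Step 3: LAN becomes a static address whose gateway and DNS are the ISP router.
    run uci set network.lan.proto=static
    run uci set "network.lan.ipaddr=$AP_ADDR"
    run uci set "network.lan.netmask=$AP_MASK"
    run uci set "network.lan.gateway=$UPSTREAM_GW"
    run uci set "network.lan.dns=$UPSTREAM_GW"
    run uci commit network
    # Step 4: NAT, filtering and DHCP are the upstream router's job now, so the
    # local firewall and dnsmasq are stopped and kept from starting at boot.
    run /etc/init.d/firewall disable
    run /etc/init.d/firewall stop
    run /etc/init.d/dnsmasq disable
    run /etc/init.d/dnsmasq stop
    # Step 5 (optional): attach the first wireless interface to LAN so Wi-Fi
    # clients are bridged straight through to the ISP router.
    run uci set 'wireless.@wifi-iface[0].network=lan'
    run uci set wireless.radio0.disabled=0
    run uci commit wireless
    run wifi
}

case "${1:-}" in
    plan)  DRY_RUN=1 dumb_ap_plan ;;
    apply) dumb_ap_plan && echo "applied; run /etc/init.d/network restart or reboot" ;;
    *)     echo "usage: $0 plan|apply" >&2 ;;
esac
```

After `apply` the box is reachable only at the new static address, so reconnect SSH there. Because the local firewall is off, the device relies entirely on the ISP router for filtering; that is the trade-off of running it as a plain switch.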

Thank you for your answer. I'll try that if it is not working.

But the LEDE User Guide says under "LEDE as router as "exposed host" in the ISP router" that this is a way to deal with this "problem": https://lede-project.org/docs/user-guide/switch_router_gateway_and_nat

p.s.: I especially need a wifi network to connect the PS4...

According to their documentation your setup should work. On your manual network settings on the PS4 what device's IP do you have the Default Gateway and the DNS Server(s) pointing to? Is your Archer C50 on a different subnet than your Cisco epc3940? For example, your Cisco epc3940 and devices connected to it are 192.168.0.x and then your Archer C50 and devices connected to it are 192.168.1.x, with your Archer C50 on the WAN Interface having an IP of 192.168.0.x and the Default Gateway pointing to the Archer C50's IP and then on the LAN interface assigning devices attached to the Archer C50 in the 192.168.1.x.

Also, at which step does it fail on a network test on your PS4?

  1. Obtain IP address
  2. Internet Connection
  3. Connect to PSN
  4. NAT Test
  5. Download Speed
  6. Upload Speed

For example, your Cisco epc3940 and devices connected to it are 192.168.0.x and then your Archer C50 and devices connected to it are 192.168.1.x, with your Archer C50 on the WAN Interface having an IP of 192.168.0.x and the Default Gateway pointing to the Archer C50’s IP and then on the LAN interface assigning devices attached to the Archer C50 in the 192.168.1.x.

That is exactly the case!

OK that should be good then. The Default Gateway and the DNS servers on your PS4 are pointing to the IP of the Archer C50 router in the static setup and have an IP in the 192.168.1.x range? If so, according to LEDE's setup for the Exposed Host you should be fine then. Let me know at what step exactly it is failing to connect on the PS4. Settings -> Network -> Test Internet Connection. Also, try using 8.8.8.8 and 8.8.4.4 as the DNS primary and secondary servers on the PS4 respectively to make sure there's not a DNS forwarding error by chance.

Everything is working now... The PS4 shows NAT3, but UPnP is working.
The only problem is that the router stalled after 45 min of use with the PS4... The wireless network was visible and connectible, but no Internet.
After a restart (switch off and on again) it is working again... Let's see if it happens again...

Just a general FYI: UPnP is a bad idea all around and should not be utilized due to the massive security implications of UPnP. It exists out of convenience, much the same as WPS (which should also never be utilized).

A few other things that are off topic, but which were mentioned above:

  • Why is your LEDE router configured as a DMZ? If an ISP router is upstream from it, it should not be configured as a DMZ, and should be configured as a normal WAN facing gateway.
    • ISPs are able to SSH into every router they provide to their customers, and while this makes their job of troubleshooting user issues easier, it also allows them unfettered access to every device on your network, which is a massive security and privacy issue.
      • While it's not likely the ISP would ever abuse their remote access to a customer's network, the same cannot be said for a rogue employee or third party (if utilized), nor do ISPs provide transparent information such as:
        • Who, and how many, have access to SSH into the router,
        • What SSH protocol and server are they using
        • What security settings have been employed
        • What bit length are the SSH keys
        • Are the SSH keys password protected
        • How do they guarantee no unauthorized access
        • Do they keep and archive remote access for the life of the account
          • Can the customer request a copy of all remote access attempts into their router/network (time, date, length of access, etc.), etc.

@JW0914
I guess you're right about UPnP, but if you have multiple gaming consoles (let's say two PS4s) in your network you need UPnP to get open NAT status...

Edit: I've just updated my luci-app-upnp package and found that there is a custom configuration field in luci-app-upnp called MiniUPnP ACLs.
I would highly recommend that anyone use this option and allow UPnP only for special devices on your network!
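What the MiniUPnP ACLs field in LuCI writes is a series of `perm_rule` sections in /etc/config/upnpd. The script below is an added example, not from the thread or from the LEDE project: it renders a complete /etc/config/upnpd in which only one console (hypothetical address 192.168.1.20, the DHCP reservation) may open mappings, and only on high ports, with every other host denied; it also turns on miniupnpd's extra logging so the `logread -f` check suggested earlier in the thread shows each mapping request. The `acl_order_ok` function guards against the classic mistake of listing the catch-all deny above the allow, because miniupnpd evaluates `perm_rule` sections top to bottom and the first match wins.

```shell
#!/bin/sh
# Added example (not from the thread or LEDE): an /etc/config/upnpd that
# restricts UPnP mappings to a single console via perm_rule ACLs.
# Hypothetical values, override via environment:
CONSOLE_IP="${CONSOLE_IP:-192.168.1.20}"   # the console's reserved DHCP address
HIGH_PORTS="${HIGH_PORTS:-1024-65535}"     # the only range it may map

# Emit the full config. Order matters: the single allow precedes the deny.
render_upnpd_config() {
    cat <<EOF
config upnpd 'config'
    option enabled '1'
    option enable_upnp '1'
    option enable_natpmp '1'
    option secure_mode '1'
    option log_output '1'
    option internal_iface 'lan'
    option external_iface 'wan'
    option port '5000'
    option upnp_lease_file '/var/run/miniupnpd.leases'

config perm_rule
    option action 'allow'
    option ext_ports '$HIGH_PORTS'
    option int_addr '$CONSOLE_IP/32'
    option int_ports '$HIGH_PORTS'
    option comment 'Console only: high ports'

config perm_rule
    option action 'deny'
    option ext_ports '0-65535'
    option int_addr '0.0.0.0/0'
    option int_ports '0-65535'
    option comment 'Default deny for every other host'
EOF
}

# Exit 0 only if the allow for CONSOLE_IP appears before the catch-all deny.
acl_order_ok() {
    render_upnpd_config | awk -v q="'" -v ip="$CONSOLE_IP/32" '
        /^config perm_rule/ { n++ }
        /option action/     { act[n] = $3 }
        /option int_addr/   { addr[n] = $3 }
        END {
            allow = 0; deny = 0
            for (i = 1; i <= n; i++) {
                if (act[i] == (q "allow" q) && addr[i] == (q ip q)) allow = i
                if (act[i] == (q "deny" q) && addr[i] == (q "0.0.0.0/0" q) && !deny) deny = i
            }
            exit !(allow && deny && allow < deny)
        }'
}

case "${1:-}" in
    show)    render_upnpd_config ;;
    check)   acl_order_ok && echo "ACL order OK" ;;
    install) acl_order_ok && render_upnpd_config > /etc/config/upnpd \
             && /etc/init.d/miniupnpd restart \
             && echo "installed; watch mappings with: logread -f | grep miniupnpd" ;;
    *)       echo "usage: $0 show|check|install" >&2 ;;
esac
```

`secure_mode '1'` additionally stops a client from requesting a mapping that points at a different internal address than its own, so even the allowed console can only open ports towards itself. As the later replies note, an IP-based ACL does not authenticate the requester; it limits the blast radius rather than making UPnP safe.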

So, the C50 stalled all the time... Did a LEDE reset, and now it's working... without UPnP! Gateway is the Cisco, the C50 is connected with the WAN port to the LAN port of the Cisco and is in the DMZ of the Cisco, and the C50 is managing the clients (without UPnP)...
The PS4 shows NAT3, but everything is working... also PSN etc.

P.s. it is in DMZ so that I don't have a double NAT config in my network; bridged mode is not possible with the Cisco from the provider.

Why would one require Open NAT versus NAT 2, as NAT 2 works perfectly fine on a PlayStation/Xbox/etc.?

  • It doesn't matter if you restrict UPnP to specific IPs, it's still massively insecure as IPs, as well as MACs, can be spoofed.
    • UPnP should never be utilized on a home network period.

Port forwarding is easy to configure, especially when most ports needing to be forwarded can be pulled from Port Forward's website, or can be found on the support pages of whatever device needs port redirects.

/etc/config/firewall

#

  ##::[[---  LEDE WAN Firewall Config  ---]]::##

####################################################
           ##----- NAT Redirects -----##
####################################################

    # PlayStation Network #
#---------------------------------------------------
config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'tcp'
    option  src             'wan'
    option  src_dport       1935
    option  dest            'lan'
    option  dest_ip         192.168.1.20
    option  dest_port       1935
    option  name            'Allow PlayStation Network (1935) -> PS4'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'tcp'
    option  src             'wan'
    option  src_dport       '3478-3480'
    option  dest            'lan'
    option  dest_ip         192.168.1.20
    option  dest_port       '3478-3480'
    option  name            'Allow PlayStation Network (3478:3480) -> PS4'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    # Was 'tcp' as posted, which merely duplicated the 3478-3480 TCP rule above;
    # the second PSN range is the UDP one.
    option  proto           'udp'
    option  src             'wan'
    option  src_dport       '3478-3479'
    option  dest            'lan'
    option  dest_ip         192.168.1.20
    option  dest_port       '3478-3479'
    option  name            'Allow PlayStation Network (3478:3479 UDP) -> PS4'

    # Xbox Live #
#---------------------------------------------------
config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'udp'
    option  src             'wan'
    option  src_dport       88
    option  dest            'lan'
    option  dest_ip         192.168.1.21
    option  dest_port       88
    option  name            'Allow Xbox Live (88) -> Xbox One'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             'wan'
    option  src_dport       3074
    option  dest            'lan'
    option  dest_ip         192.168.1.21
    option  dest_port       3074
    option  name            'Allow Xbox Live (3074) -> Xbox One'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'udp'
    option  src             'wan'
    option  src_dport       500
    option  dest            'lan'
    option  dest_ip         192.168.1.21
    option  dest_port       500
    option  name            'Allow Xbox Live (500) -> Xbox One'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'udp'
    option  src             'wan'
    option  src_dport       3544
    option  dest            'lan'
    option  dest_ip         192.168.1.21
    option  dest_port       3544
    option  name            'Allow Xbox Live (3544) -> Xbox One'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'udp'
    option  src             'wan'
    option  src_dport       4500
    option  dest            'lan'
    option  dest_ip         192.168.1.21
    option  dest_port       4500
    option  name            'Allow Xbox Live (4500) -> Xbox One'

My guess is you're probably paying a monthly fee for the ISP's router/modem combo, but even if you're not, I personally would request they swap out the router/modem combo with just a modem.

  • There's too many unknowns to make it acceptable to have everything downstream of an ISP's router in a DMZ.
    • Allowing an ISP's router on one's network, without a firewall [router/managed switch] between that router and all devices downstream, is a massive security risk and not something any consumer should be okay with.

I'm talking about some multiplayer games, for example Call of Duty or Rainbow Six Siege.
I was never able to get "Open NAT" with port forwarding in these games...

So you are saying that there is no secure way of using UPnP for just a gaming console?
How about this... Set up its own VLAN for the game console and only allow UPnP for that VLAN?

I'm not using UPnP now... It's also working.
And no, I don't have to pay a monthly fee; it's the only "modem" available...

I also tried to forward the ports... it didn't work

Rainbow Six Siege, that is the game I'm doing it for (my son plays it).

P.s. it showed NAT 2 before, but didn't work. Now it is NAT3 and works.