Lede 17.01.4 with miniupnpd and Playstation 4

The current version of miniupnpd, 2.0.20170421-2, has been downgraded to IGD v1. I'm using it without any problem with my Xbox One.

You can enable the additional logging option in the MiniUPnP settings and see what is going on in the log using logread -f while you're connected via SSH to your LEDE router.

Thanks a lot, I'll give it a try... Maybe the problem is another one...
So if I use the firmware file from here https://lede-project.org/toh/hwdata/tp-link/tp-link_archer_c50_v1 and install miniupnpd with LuCI, it should use version 1?

Thanks!

That's right, LEDE 17.01.4 has miniupnpd 2.0.20170421-2, which is IGDv1 enabled.

Thank you! I'll report back!

It does not seem to be a UPnP or port forward issue. As people have stated, UPnP has been fixed appropriately to work. Also, even if UPnP is not enabled and ports are not forwarded, you would still be able to connect to PSN, and the NAT type would be Type 3 instead of Type 2 on the PlayStation 4.

Your issue seems to be double NAT, meaning your Cisco epc3940 is in router mode doing NAT, and even though your Archer C50 is in the DMZ it is still in router mode doing NAT as well. Having double NAT creates a lot of issues. The easy solution would be to put the Archer C50 in switch and AP mode.

Here's how I've turned a router in to a switch using LEDE:

1.) Under Network->Switch have only one VLAN, with all LAN and WAN ports untagged and the CPU port tagged on that same VLAN

2.) Under Network->Interfaces delete the WAN and WAN6 instances and keep only the LAN instance

3.) Under Network->Interfaces edit the LAN and, under General Settings:
- Set Protocol to 'Static Address'
- Set the IPv4 Address to something like 192.168.1.2 (whatever you had it statically set to before)
- Set the IPv4 Netmask to whatever you are using, typically 255.255.255.0
- Set the IPv4 Gateway to that of your Cisco epc3940's IP

4.) Under System->Startup stop and disable the firewall and dnsmasq services

5.) (Optional) Set up your wireless on it and bridge it to the LAN interface

Next, take the IP of the Archer C50 out of the DMZ on the Cisco epc3940; having it in the DMZ raises some real security issues. The static IP of your PS4, even though it is connected to the Archer C50, will now be routed by the Cisco epc3940. So on the Cisco epc3940 enable UPnP or forward the appropriate ports to the static IP of your PS4. You can DMZ the IP of the PS4 as well; I would not recommend it, but you can.
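The five LuCI steps above, written as the uci commands you would type over ssh instead. This is an added example, not something posted in the thread, and it assumes a LEDE 17.01 box with the default two-VLAN switch layout (@switch_vlan[0] is the LAN VLAN 1, @switch_vlan[1] is the WAN VLAN 2), jacks numbered 0-4 with CPU port 6, an upstream router at 192.168.1.1 and this box becoming 192.168.1.2/24. The port numbering is device specific; check Network->Switch on your own router before running it with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): turn a LEDE 17.01 router into a plain
# switch plus access point with uci, following steps 1-5 of the post above.
# Assumptions, edit to taste: upstream router 192.168.1.1, this box becomes
# 192.168.1.2/24, default switch layout (@switch_vlan[0] = LAN VLAN 1,
# @switch_vlan[1] = WAN VLAN 2), jacks 0-4 and CPU port 6. Port numbers are
# device specific; confirm them under Network -> Switch first.

UPSTREAM_GW='192.168.1.1'
AP_ADDR='192.168.1.2'
AP_MASK='255.255.255.0'
ALL_PORTS='0 1 2 3 4 6t'   # every jack untagged, CPU port tagged

dumb_ap_batch() {
    # Steps 1, 3 and 5 as a uci batch, emitted as text so it can be reviewed
    # (or compared with 'uci show network') before anything is applied.
    cat <<EOF
set network.@switch_vlan[0].vlan='1'
set network.@switch_vlan[0].ports='$ALL_PORTS'
set network.lan.proto='static'
set network.lan.ipaddr='$AP_ADDR'
set network.lan.netmask='$AP_MASK'
set network.lan.gateway='$UPSTREAM_GW'
set network.lan.dns='$UPSTREAM_GW'
commit network
set wireless.@wifi-iface[0].network='lan'
set wireless.@wifi-device[0].disabled='0'
commit wireless
EOF
}

apply_dumb_ap() {
    # Run this on the router itself; anywhere else it is a no-op so the batch
    # above can still be inspected offline.
    command -v uci >/dev/null 2>&1 || { echo 'uci not found: not on LEDE, nothing applied' >&2; return 0; }
    # step 1: drop the WAN VLAN so the WAN jack becomes just another LAN port
    uci -q delete 'network.@switch_vlan[1]' || true
    # step 2: a switch has no WAN interfaces
    uci -q delete network.wan  || true
    uci -q delete network.wan6 || true
    dumb_ap_batch | uci batch
    # step 4: the upstream router firewalls and hands out DHCP; this box must not
    /etc/init.d/firewall disable; /etc/init.d/firewall stop
    /etc/init.d/dnsmasq  disable; /etc/init.d/dnsmasq  stop
    /etc/init.d/network restart
}

case "${1:-}" in
    apply) apply_dumb_ap ;;
    *)     dumb_ap_batch ;;   # default: only print what would be applied
esac
```

After this the Archer has no firewall of its own, so the Cisco's NAT/firewall is the only one between the PS4 and the Internet, which is exactly the point; its LuCI and ssh are still reachable from every LAN device, so set a proper root password before you do this.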

Thank you for your answer. I'll try that if it is not working.

But the LEDE User Guide says under "LEDE as router as "exposed host" in the ISP router" that this is a way to deal with this "problem": https://lede-project.org/docs/user-guide/switch_router_gateway_and_nat

P.S.: I especially need a Wi-Fi network to connect the PS4...

According to their documentation your setup should work. In the manual network settings on the PS4, which device's IP do you have the Default Gateway and the DNS Server(s) pointing to? Is your Archer C50 on a different subnet than your Cisco epc3940? For example: your Cisco epc3940 and the devices connected to it are 192.168.0.x, and your Archer C50 and the devices connected to it are 192.168.1.x, with the Archer C50's WAN interface having an IP of 192.168.0.x and the Default Gateway pointing to the Archer C50's IP, and the LAN interface assigning devices attached to the Archer C50 addresses in 192.168.1.x.

Also, at which step does it fail on a network test on your PS4?

  1. Obtain IP address
  2. Internet Connection
  3. Connect to PSN
  4. NAT Test
  5. Download Speed
  6. Upload Speed

For example: your Cisco epc3940 and the devices connected to it are 192.168.0.x, and your Archer C50 and the devices connected to it are 192.168.1.x, with the Archer C50's WAN interface having an IP of 192.168.0.x and the Default Gateway pointing to the Archer C50's IP, and the LAN interface assigning devices attached to the Archer C50 addresses in 192.168.1.x.

That is exactly the case!

OK, that should be good then. Are the Default Gateway and the DNS servers on your PS4 pointing to the IP of the Archer C50 router in the static setup, and does it have an IP in the 192.168.1.x range? If so, according to LEDE's setup for the Exposed Host you should be fine. Let me know at what step exactly it is failing to connect on the PS4: Settings -> Network -> Test Internet Connection. Also, try using 8.8.8.8 and 8.8.4.4 as the primary and secondary DNS servers on the PS4 respectively, to make sure there's not a DNS forwarding error by chance.

Everything is working now... The PS4 shows NAT 3, but UPnP is working.
The only problem is that the router stalled after 45 min of use with the PS4... The wireless network was visible and connectable, but there was no Internet.
After a restart (switching it off and on again) it is working again... Let's see if it happens again...

Just a general FYI: UPnP is a bad idea all around and should not be utilized due to the massive security implications of UPnP. It exists out of convenience, much the same as WPS (which should also never be utilized).

A few other things that are off topic, but which were mentioned above:

  • Why is your LEDE router configured as a DMZ? If an ISP router is upstream from it, it should not be configured as a DMZ, and should be configured as a normal WAN facing gateway.
    • ISPs are able to SSH into every router they provide to their customers, and while this makes their job of troubleshooting user issues easier, it also allows them unfettered access to every device on your network, which is a massive security and privacy issue.
      • While it's not likely the ISP would ever abuse their remote access to a customer's network, the same cannot be said for a rogue employee or third party (if utilized), nor do ISPs provide transparent information such as:
        • Who, and how many, have access to SSH into the router,
        • What SSH protocol and server are they using
        • What security settings have been employed
        • What bit length are the SSH keys
        • Are the SSH keys password protected
        • How do they guarantee no unauthorized access
        • Do they keep and archive remote access for the life of the account
          • Can the customer request a copy of all remote access attempts into their router/network (time, date, length of access, etc.), etc.

@JW0914
I guess you're right about UPnP, but if you have multiple gaming consoles (let's say two PS4s) in your network you need UPnP to get open NAT status...

Edit: I've just updated my luci-app-upnp package and found that there is a custom configuration field in luci-app-upnp called MiniUPnP ACLs.
I would highly recommend that anyone use this option and allow UPnP only for specific devices on your network!
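What that MiniUPnP ACL looks like underneath LuCI, as an added example rather than anything posted in the thread: perm_rule sections in /etc/config/upnpd, written here as uci commands. It assumes the console has the static address 192.168.1.20 and only ever asks for unprivileged ports (1024-65535) on both sides. miniupnpd walks the perm_rule list in order and the first match wins, so the catch-all deny has to be last; secure_mode additionally makes miniupnpd refuse mappings a client requests for any address other than its own.

```shell
#!/bin/sh
# Added example (not from the thread): restrict miniupnpd on LEDE 17.01 to one
# console via the MiniUPnP ACL (perm_rule sections in /etc/config/upnpd).
# Assumptions: the console is at 192.168.1.20 and needs ports 1024-65535 only.

CONSOLE_IP='192.168.1.20'

upnp_acl_batch() {
    # Two rules: allow the console, deny everybody else. Printed as a uci batch
    # so it can be reviewed before it is applied.
    cat <<EOF
add upnpd perm_rule
set upnpd.@perm_rule[-1].action='allow'
set upnpd.@perm_rule[-1].ext_ports='1024-65535'
set upnpd.@perm_rule[-1].int_addr='$CONSOLE_IP/32'
set upnpd.@perm_rule[-1].int_ports='1024-65535'
set upnpd.@perm_rule[-1].comment='console only'
add upnpd perm_rule
set upnpd.@perm_rule[-1].action='deny'
set upnpd.@perm_rule[-1].ext_ports='0-65535'
set upnpd.@perm_rule[-1].int_addr='0.0.0.0/0'
set upnpd.@perm_rule[-1].int_ports='0-65535'
set upnpd.@perm_rule[-1].comment='deny everything else'
set upnpd.config.secure_mode='1'
set upnpd.config.log_output='1'
set upnpd.config.enabled='1'
commit upnpd
EOF
}

apply_upnp_acl() {
    # Run on the router; a no-op elsewhere so the batch can be read offline.
    command -v uci >/dev/null 2>&1 || { echo 'uci not found: nothing applied' >&2; return 0; }
    # wipe the ACL the package shipped so only the two rules above remain
    while uci -q delete 'upnpd.@perm_rule[0]'; do :; done
    upnp_acl_batch | uci batch
    /etc/init.d/miniupnpd restart
}

case "${1:-}" in
    apply) apply_upnp_acl ;;
    *)     upnp_acl_batch ;;   # default: only print what would be applied
esac
```

To check it took effect, run `iptables -t nat -L MINIUPNPD -n` on the router while the console is in a match: every DNAT line there must point at the console's address and nothing else. Keep in mind what the ACL is and is not: it matches the requesting client's source address, so a LAN host that can spoof that address is not stopped by it, and the request itself is still unauthenticated. It narrows the blast radius; it does not turn UPnP into an authenticated protocol.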

So, the C50 stalled all the time.... I did a LEDE reset, and now it's working... without UPnP! The gateway is the Cisco, the C50 is connected with its WAN port to a LAN port of the Cisco and is in the DMZ of the Cisco, and the C50 is managing the clients (without UPnP)...
The PS4 shows NAT 3, but everything is working... also PSN etc.

P.S.: It is in the DMZ so that I don't have a double NAT config in my network; bridged mode is not possible with the Cisco from the provider.

Why would one require Open NAT versus NAT 2, as NAT 2 works perfectly fine on a PlayStation/Xbox/etc.?

  • It doesn't matter if you restrict UPnP to specific IPs, it's still massively insecure as IPs, as well as MACs, can be spoofed.
    • UPnP should never be utilized on a home network period.

Port forwarding is easy to configure, especially when most ports needing to be forwarded can be pulled from Port Forward's website, or can be found on the support pages of whatever device needs port redirects.

/etc/config/firewall

#

  ##::[[---  LEDE WAN Firewall Config  ---]]::##

####################################################
           ##----- NAT Redirects -----##
####################################################

    # PlayStation Network #
#---------------------------------------------------
config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'tcp'
    option  src             'wan'
    option  src_dport       1935
    option  dest            'lan'
    option  dest_ip         192.168.1.20
    option  dest_port       1935
    option  name            'Allow PlayStation Network (1935) -> PS4'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'tcp'
    option  src             'wan'
    option  src_dport       '3478-3480'
    option  dest            'lan'
    option  dest_ip         192.168.1.20
    option  dest_port       '3478-3480'
    option  name            'Allow PlayStation Network (3478:3480) -> PS4'

# PSN also needs UDP 3478-3479; as posted this rule said tcp, which only duplicated the one above
config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'udp'
    option  src             'wan'
    option  src_dport       '3478-3479'
    option  dest            'lan'
    option  dest_ip         192.168.1.20
    option  dest_port       '3478-3479'
    option  name            'Allow PlayStation Network (3478:3479/udp) -> PS4'

    # Xbox Live #
#---------------------------------------------------
config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'udp'
    option  src             'wan'
    option  src_dport       88
    option  dest            'lan'
    option  dest_ip         192.168.1.21
    option  dest_port       88
    option  name            'Allow Xbox Live (88) -> Xbox One'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'tcp udp'
    option  src             'wan'
    option  src_dport       3074
    option  dest            'lan'
    option  dest_ip         192.168.1.21
    option  dest_port       3074
    option  name            'Allow Xbox Live (3074) -> Xbox One'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'udp'
    option  src             'wan'
    option  src_dport       500
    option  dest            'lan'
    option  dest_ip         192.168.1.21
    option  dest_port       500
    option  name            'Allow Xbox Live (500) -> Xbox One'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'udp'
    option  src             'wan'
    option  src_dport       3544
    option  dest            'lan'
    option  dest_ip         192.168.1.21
    option  dest_port       3544
    option  name            'Allow Xbox Live (3544) -> Xbox One'

config redirect
    option  target          'DNAT'
    option  family          'ipv4'
    option  proto           'udp'
    option  src             'wan'
    option  src_dport       4500
    option  dest            'lan'
    option  dest_ip         192.168.1.21
    option  dest_port       4500
    option  name            'Allow Xbox Live (4500) -> Xbox One'

My guess is you're probably paying a monthly fee for the ISP's router/modem combo, but even if you're not, I personally would request they swap out the router/modem combo with just a modem.

  • There are too many unknowns to make it acceptable to have everything downstream of an ISP's router in a DMZ.
    • Allowing an ISP's router on one's network, without a firewall [router/managed switch] between that router and all devices downstream, is a massive security risk and not something any consumer should be okay with.

I'm talking about some multiplayer games, for example Call of Duty or Rainbow Six Siege.
I was never able to get "Open NAT" with port forwarding in these games...

So you are saying that there is no secure way of using UPnP for just a gaming console?
How about this... set up a separate VLAN for the game console and only allow UPnP for that VLAN?

I'm not using UPnP now... It's also working.
And no, I don't have to pay a monthly fee; it's the only "modem" available...

I also tried to forward the ports... it didn't work.

Rainbow Six Siege is the game I'm doing it for (my son plays it).

P.S.: It showed NAT 2 before, but didn't work. Now it is NAT 3 and works.

@Kherby UPnP is inherently insecure due to lack of authentication. I don't feel like getting into the weeds, but a Google search will bring up plenty of sites that explain why it's insecure and why it should not be used. Again, UPnP is added as a convenience for the user who's too lazy to figure out port forwarding for whatever device needs port redirects.

  • Here's a decent explanation on StackExchange

@would The rules I posted were for PSN itself, so it's likely RSS requires ports other than those listed, which can be found on the game developer's website/forum. The same could also be determined by tailing the system log and/or configuring a log rule for the PlayStation's IP and then watching for which requests are dropped/rejected.

  • Open NAT: Device is not firewalled by the router and able to communicate with all three NAT types on remote devices
    • This is the equivalent of connecting the device directly to the WAN port on the modem, and is not recommended.
  • NAT 2 (moderate): Device is behind a firewall and able to communicate with remote devices utilizing Open or NAT 2
  • NAT 3 (strict): Device can only connect with remote devices utilizing Open NAT, and network services such as multi-player online gaming will not work as intended.
    • In regards to PSN, the PlayStation will be able to connect with and download data from PSN, but not connect with remote PlayStations for online gaming.
  • This write up explains the above pretty well, as well as provides additional ports that will need redirect rules.

Well, I've enabled UPnP only for my PS4 console and got NAT type 2 in the PSN network test, by the way even without UPnP and port forwarding. But that's not the point...
I figured out that the only way for me to get "NAT: Open" in-game is UPnP (it might be different from game to game).

As an example I've tried RS:Siege and CoD, and these should be quite popular.
And if I remember right, it's best to have "NAT: Open" in-game for most multiplayer games with "hosted servers" involved, for example in CoD.

With port forwarding I wasn't able to achieve that, and it's not that I haven't tried in the first place. :wink:

I think you may be misunderstanding what UPnP is/does.... it auto-opens/forwards inbound ports from WAN when requested by a device, in this case the PS4. There will only be a handful of inbound WAN ports which will need to be opened for any arbitrary game/service/application. You can find the ports for the two games mentioned in a couple of ways...

  • Check out the game developer's website/forum
  • Check out the PlayStation forum
  • Google PS4 port forwards
  • Create an iptables command to log all inbound traffic to your PS4, then after a match, review the ports that were opened

You never want Open NAT, as it means your device is directly accessible from WAN.
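The log-based approach suggested twice above (a log rule for the console, then reading off which inbound requests were rejected) worked through end to end, as an added example that is not part of any post in the thread. On LEDE 17.01 the cheapest log rule is fw3's own zone logging (`option log '1'` on the wan zone), which tags every packet the WAN zone refuses with a "REJECT wan in:" or "DROP wan in:" prefix. The script below assumes the wan zone is the second zone section in /etc/config/firewall (the default layout) and the console is at 192.168.1.20; the log lines in it are constructed, not captured. One caveat built into the design: an unsolicited packet from a game peer is addressed to the router's public IP, so what you learn from DPT= is the port the peer tried, and every port scanner on the Internet lands in the same log, so only convert ports that show up while the console is actually in a match.

```shell
#!/bin/sh
# Added example (not from the thread): discover which inbound ports a
# console's game peers are knocking on, using fw3 zone logging on LEDE 17.01,
# then turn the ones you trust into /etc/config/firewall redirects in the same
# shape as the rules posted above. Assumptions: wan is @zone[1] (default) and
# the console is at 192.168.1.20. SAMPLE_LOG below is constructed, not captured.

CONSOLE_IP='192.168.1.20'

enable_wan_logging() {
    # On the router: log (rate limited) every packet the WAN zone rejects/drops.
    # Afterwards watch with:  logread -f | grep 'wan in'   during a match.
    command -v uci >/dev/null 2>&1 || { echo 'uci not found: nothing applied' >&2; return 0; }
    uci set 'firewall.@zone[1].log=1'
    uci set 'firewall.@zone[1].log_limit=50/minute'
    uci commit firewall
    /etc/init.d/firewall reload
}

dropped_ports() {
    # stdin: syslog lines. stdout: unique "PROTO PORT" pairs for packets the
    # WAN zone refused. DPT= is the port the remote peer tried on the router's
    # public address; ICMP lines carry no DPT and are skipped by the sed.
    grep -E '(REJECT|DROP) wan in:' \
      | sed -n 's/.*PROTO=\([A-Z]*\).*DPT=\([0-9]*\).*/\1 \2/p' \
      | LC_ALL=C sort -u
}

redirect_stanza() {
    # $1 = tcp|udp, $2 = port: one UCI redirect section for /etc/config/firewall
    cat <<EOF
config redirect
    option  target      'DNAT'
    option  family      'ipv4'
    option  proto       '$1'
    option  src         'wan'
    option  src_dport   '$2'
    option  dest        'lan'
    option  dest_ip     '$CONSOLE_IP'
    option  dest_port   '$2'
    option  name        'Discovered $1/$2 -> console'

EOF
}

stanzas_from_log() {
    # Pipe a log through this only after you have thrown out scanner noise;
    # every unsolicited packet from the Internet ends up in the same log.
    dropped_ports | while read proto port; do
        redirect_stanza "$(printf '%s' "$proto" | tr 'A-Z' 'a-z')" "$port"
    done
}

# Constructed sample of what logread shows once zone logging is on: two UDP
# probes on 3074, one TCP SYN to 3478, one ping, and an unrelated dnsmasq line.
SAMPLE_LOG='Thu Jan 11 20:03:12 2018 kern.warn kernel: [ 1234.567890] REJECT wan in: IN=eth0.2 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=12345 DF PROTO=UDP SPT=3074 DPT=3074 LEN=28
Thu Jan 11 20:03:13 2018 kern.warn kernel: [ 1235.000001] REJECT wan in: IN=eth0.2 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.9 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=51234 DPT=3478 WINDOW=29200 RES=0x00 SYN URGP=0
Thu Jan 11 20:03:14 2018 kern.warn kernel: [ 1236.000002] REJECT wan in: IN=eth0.2 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=12346 DF PROTO=UDP SPT=3074 DPT=3074 LEN=28
Thu Jan 11 20:03:15 2018 kern.warn kernel: [ 1237.000003] DROP wan in: IN=eth0.2 OUT= MAC=aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:08:00 SRC=203.0.113.77 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=55 ID=7 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Thu Jan 11 20:03:16 2018 daemon.info dnsmasq[1111]: query[A] example.net from 192.168.1.20'

ports_from_sample() {
    # What dropped_ports extracts from the constructed sample: "TCP 3478" and "UDP 3074".
    printf '%s\n' "$SAMPLE_LOG" | dropped_ports
}

case "${1:-}" in
    enable) enable_wan_logging ;;
    *)      ports_from_sample ;;   # default: demonstrate the parser offline
esac
```

On the router the real pipeline is `logread | sh thisscript.sh` replaced by `logread | dropped_ports` after sourcing the file, and `stanzas_from_log` only once you have compared the list against what the game's own documentation says it needs. Turn zone logging back off when you are done; the rate limit keeps it from filling the log, but it is still noise you do not want permanently.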