Miniupnpd in trunk & STUN setup

Miniupnpd version from 18.06 does not have stun support.

Since miniupnpd is "smart" and can detect the NAT type and whether the WAN interface IP is public or private, it is not working in double NAT configurations (openwrt behind the ISP router with DMZ). Miniupnpd detects if the IP of the wan interface is private or public, and does not enable port forwarding if it's private. One solution is to use a stun server to detect the public IP, but for it to work you have to allow incoming UDP traffic (thus it detects that it is a NAT 1:1 and determines that it is possible to redirect ports). It's not recommended for security to allow all incoming UDP traffic on an interface connected to the internet. Otherwise miniupnpd warns that NAT is strict and port forwarding is not working. The other solution is to add external_ip to the configuration file and manually specify the public IP (only useful if you have a static IP) or edit the /etc/init.d/miniupnpd file so that it detects the public IP every time it is started (for example from a DDNS host).

You can also use the version from 18.06, when it was not yet "smart", and it will work regardless of whether the wan interface IP is private or public. The negative side is that the devices that ask upnp for the public IP will get a private one and it may not work correctly.
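The address check described above, as an added example (not code from the thread or from miniupnpd itself): it classifies a WAN address the way a practitioner would before enabling miniupnpd, treating RFC 1918 and CGNAT (100.64.0.0/10, the range seen on pppoe-wan later in this thread) as "not public", so you know in advance whether use_stun or external_ip will be needed. The class names and the advice strings are this example's own.

```shell
#!/bin/sh
# Added example: classify an IPv4 WAN address so you can predict whether
# miniupnpd will refuse port forwarding (private/CGNAT) before enabling it.

# Convert a dotted quad to a 32-bit integer; prints nothing and fails on bad input.
ip4_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# True if address $1 lies inside network $2 with prefix length $3.
in_cidr() {
    ip=$(ip4_to_int "$1") || return 1
    net=$(ip4_to_int "$2") || return 1
    mask=$(( (4294967295 << (32 - $3)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Prints: private (RFC 1918), cgnat (RFC 6598), local (loopback/link-local),
# public, or invalid. Class names are this example's own labels.
wan_ip_class() {
    in_cidr "$1" 10.0.0.0 8     && { echo private; return; }
    in_cidr "$1" 172.16.0.0 12  && { echo private; return; }
    in_cidr "$1" 192.168.0.0 16 && { echo private; return; }
    in_cidr "$1" 100.64.0.0 10  && { echo cgnat; return; }
    in_cidr "$1" 127.0.0.0 8    && { echo local; return; }
    in_cidr "$1" 169.254.0.0 16 && { echo local; return; }
    ip4_to_int "$1" >/dev/null  || { echo invalid; return 1; }
    echo public
}

# Map the class to the options discussed in the thread.
upnp_advice() {
    case $(wan_ip_class "$1") in
        public)        echo "public WAN address: no extra upnpd option needed" ;;
        private|cgnat) echo "behind NAT: set use_stun (needs inbound UDP) or external_ip" ;;
        *)             echo "not a usable WAN address" ;;
    esac
}

# Usage on the router: upnp_advice "$(ifstatus wan | jsonfilter -e '@["ipv4-address"][0].address')"
```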

I actually have a public IP address on my WAN interface and none of the miniupnpd packages after 18.06 (miniupnpd v 2.1-1) work with my games consoles. The external_ip parameter won't work for me as my IP address is randomly refreshed.

IIRC, they switched the default config for miniupnpd to be 'igdv2', which is current and more secure. However, most consoles can't deal with that, and require the upnp process to support igdv1 standards.

The fix is easy, add this to your /etc/config/upnpd settings in the config upnpd section:

option igdv1 '1'

Given the security patches to the process, I recommend you recompile with a current version, and use the setting to revert the igdv support level.
My Xbox One S reports an Open NAT with nothing extra done to achieve that other than having that option set in upnpd.

Is that file definitely at /etc/upnpd or should it be /etc/config/upnpd?

Sorry, it is in /etc/config/upnpd. I've edited the text above.

Cheers. I will recompile without touching miniupnpd and post back. However, I do have a strong feeling that setting option igdv1 '1' was one of the first things I enabled in the LuCI app and it made no difference.

I compiled a large firmware for my Linksys WRT1900ACSv2 last night including miniupnpd and everything opens up fine.

The miniupnpd version is now 2.1.20191006-4 rather than 2.1-1

The only problem now is I'm getting major issues when two games consoles try to initially connect to the same 3074 port. I have made a post here: UPnP Clash With Duplicate Initial Port

The problem was a missing chain rule in the iptable filter, it should be fixed once my code is merged https://github.com/openwrt/packages/pull/13951

You can also fix it by ssh-ing to the router and adding the rule yourself:
1-Call iptables -L to list all the rules
2-Check your Chain zone_CON_input where CON in my case is wan
3-Count the existing rules below target prot opt source destination
4-Last one should say zone_CON_src_REJECTED
5-Call iptables -I zone_CON_input NUMBER -c 0 0 -j MINIUPNPD to add the needed rule, where NUMBER is the count you've made before, this will add the rule in penultimate, also replace CON.
6-Should be good now. If you also use IPv6, ip6tables should be similar I think.


working now!!!!!


How do you reproduce your settings in the screen?

I have started like this

iptables -t mangle -A PREROUTING -p all -i wan  -j DSCP  --set-dscp-class CS0 
iptables -t mangle -A PREROUTING -p icmp -j DSCP  --set-dscp-class CS6 
#!/bin/ash -x
IPT="iptables"
## ipsets for streaming sites etc.; they are filled by dnsmasq (-exist lets the script be re-run)
ipset create -exist streaming hash:ip
ipset create -exist usrcdn hash:ip
ipset create -exist bulk hash:ip
ipset create -exist latsens hash:ip
## flush mangle table ##
$IPT -t mangle -F PREROUTING
# Clear incoming dscp marks, we don't trust ISP marks (also to use our own marks).
$IPT -t mangle -A PREROUTING -i wan -j DSCP --set-dscp 0
########################################
# Latency Sensitive (gaming/voip)
########################################
## Latency Sensitive
$IPT -t mangle -A PREROUTING -p icmp -j DSCP --set-dscp-class CS6 ## dscp tag for ping packets
$IPT -t mangle -A PREROUTING -m set --match-set latsens src -j DSCP --set-dscp-class CS6 ## set dscp tag for our Latency Sensitive (latsens) ipset
$IPT -t mangle -A PREROUTING -p tcp -m conntrack --ctorigsrc 192.168.1.186 -m multiport ! --ports 80,443,8080 -j DSCP --set-dscp-class CS6 -m comment --comment "PS4" # I don't have a PS4; change the IP according to your own setup.
#### Latency Sensitive Ports ####
sport00="3074"
sport4="9305:9308"
sport16="3478:3479"
dport00="3074:3075,3478:3479,3658:3659,9305:9308"
$IPT -t mangle -A PREROUTING -p udp -m multiport --sport $sport00 -j DSCP --set-dscp-class CS6
$IPT -t mangle -A PREROUTING -p udp -m multiport --sport $sport4 -j DSCP --set-dscp-class AF41
$IPT -t mangle -A PREROUTING -p udp -m multiport --sport $sport16 -j DSCP --set-dscp-class AF41
$IPT -t mangle -A PREROUTING -p udp -m multiport --dport $dport00 -j DSCP --set-dscp-class CS6
$IPT -t mangle -N dscp_mark > /dev/null 2>&1
$IPT -t mangle -F dscp_mark
## check whether POSTROUTING already jumps to our chain; if not, add the jump
$IPT -t mangle -L POSTROUTING -n | grep dscp_mark || $IPT -t mangle -A POSTROUTING -o br-lan -j dscp_mark
# helper: append a rule to the dscp_mark chain
iptmark() {
    $IPT -t mangle -A dscp_mark "$@"
}
# Two rules to detect realtime traffic: high packet-rate UDP flows get connmark 0x55
iptmark -p udp -m hashlimit --hashlimit-name udp_high_prio --hashlimit-above 100/sec --hashlimit-burst 50 --hashlimit-mode srcip,srcport,dstip,dstport -j CONNMARK --set-mark 0x55 -m comment --comment "connmark for udp"
# unmarked UDP streams with small packets get CS6
iptmark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,80,443,8080 -m connbytes --connbytes 0:940 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS6 -m comment --comment "small udp connection gets CS6"
iptmark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 137,442,444,445,446,447 -m connbytes --connbytes 0:940 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS6 -m comment --comment "small udp connection gets CS6"
# large UDP streams like video calls get AF21 (or CS6 for the second port set)
iptmark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 22,25,53,67,68,123,143,161,162,514,80,443,8080 -m connbytes --connbytes 940:1500 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class AF21 -m comment --comment "large udp connection gets AF21"
iptmark -p udp -m connmark ! --mark 0x55 -m multiport ! --ports 137,442,444,445,446,447 -m connbytes --connbytes 940:1500 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS6 -m comment --comment "small udp connection gets CS6"
# DNS traffic (udp)
iptmark -p udp -m multiport --port 53 -j DSCP --set-dscp-class CS6 -m comment --comment "DNS udp"
# NTP
iptmark -p udp -m multiport --port 123 -j DSCP --set-dscp-class CS6 -m comment --comment "NTP udp"
# High priority ipset, I use it for pubgM
iptmark ! -p udp -m set --match-set latsens src,dst -j DSCP --set-dscp-class CS6 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive (latsens) ipset, non-udp
iptmark -p tcp -m set --match-set latsens src,dst -j DSCP --set-dscp-class CS6 -m comment --comment "latency sensitive ipset" ## set dscp tag for Latency Sensitive (latsens) ipset, tcp
###########
## Browsing
###########
## medium priority for browsing
iptmark -p tcp -m multiport --ports 80,443 -j DSCP --set-dscp-class CS3 -m comment --comment "Browsing at CS3"
##################
# TCP SYN,ACK flows
##################
# Make sure ACK,SYN packets get priority (to avoid upload speed limiting our download speed)
iptmark -p tcp --tcp-flags ALL ACK -m length --length :128 -j DSCP --set-dscp-class CS3
iptmark -p tcp --tcp-flags ALL SYN -m length --length :666 -j DSCP --set-dscp-class CS3
# Small packet is probably interactive or flow control
iptmark -m dscp ! --dscp  24 -m dscp ! --dscp  18 -m dscp ! --dscp  34 -m dscp ! --dscp  40 -m dscp ! --dscp  48 -m length --length 0:500 -j DSCP --set-dscp-class CS3
# Small packet connections: multi purpose (doesn't harm since not maxed out)
iptmark -m dscp ! --dscp  24 -m dscp ! --dscp  18 -m dscp ! --dscp  34 -m dscp ! --dscp  40 -m dscp ! --dscp  48 -m connbytes --connbytes 0:250 --connbytes-dir both --connbytes-mode avgpkt -j DSCP --set-dscp-class CS3
########################################
# Streaming Media (videos/audios)
########################################
# Known video stream sites like netflix
iptmark -m set --match-set streaming src,dst -j DSCP --set-dscp-class AF41 -m comment --comment "video audio stream ipset"
# known usrcdn like google or akamai
iptmark -m set --match-set usrcdn src,dst -j DSCP --set-dscp-class AF21 -m comment --comment "usrcdn ipset"
#########################################
# Background Traffic (Bulk/file transfer)
#########################################
# bulk traffic ipset, like windows updates and steam updates/downloads
iptmark -p tcp -m set --match-set bulk src,dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset"
iptmark -p udp -m set --match-set bulk src,dst -j DSCP --set-dscp-class CS1 -m comment --comment "bulk traffic ipset"
iptmark -p tcp -m connbytes --connbytes 350000: --connbytes-dir both --connbytes-mode bytes -m dscp --dscp-class CS3 -j DSCP --set-dscp-class CS1 -m comment --comment "Downgrade CS3 to CS1 for bulk tcp traffic"

This is what I use for dscp marks in conjunction with upnp and a stun server. Here is my dnsmasq file, which needs some updating now that I'm looking at it...

dnsmasq.conf

# Change the following lines if you want dnsmasq to serve SRV
# records.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>

# A SRV record sending LDAP for the example.com domain to
# ldapserver.example.com port 289
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389

# Two SRV records for LDAP, each with different priorities
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
#srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2

# A SRV record indicating that there is no LDAP server for the domain
# example.com
#srv-host=_ldap._tcp.example.com

# The following line shows how to make dnsmasq serve an arbitrary PTR
# record. This is useful for DNS-SD.
# The fields are <name>,<target>
#ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"

# Change the following lines to enable dnsmasq to serve TXT records.
# These are used for things like SPF and zeroconf.
# The fields are <name>,<text>,<text>...

#Example SPF.
#txt-record=example.com,"v=spf1 a -all"

#Example zeroconf
#txt-record=_http._tcp.example.com,name=value,paper=A4

# Provide an alias for a "local" DNS name. Note that this _only_ works
# for targets which are names from DHCP or /etc/hosts. Give host
# "bert" another name, bertrand
# The fields are <cname>,<target>
#cname=bertand,bert

except-interface=wan

##Latency Sensitive (gaming/voip)
ipset=/zcure-blr-ps4-east-us.hardsuitlabs.com/*hardsuitlabs.com,9305,1/latsens
ipset=/zcure-blr-ps4-east-us.hardsuitlabs.com/*hardsuitlabs.com,9306,2/latsens
ipset=/zcure-blr-ps4-east-us.hardsuitlabs.com/*hardsuitlabs.com,9308,3/latsens
ipset=/d3ovluux6b7f2q.cloudfront.net/*demonware.net/Iw8-ps4-loginqueue.prod.demonware.net,3074,1/latsens

##video/audio streams
# Youtube is also isolated by my isp
ipset=/googlevideo.com/*.googlevideo.com/streaming
# NetFlix
ipset=/nflxvideo.net/streaming
# AmazonVideo
ipset=/s3.ll.dash.row.aiv-cdn.net/d25xi40x97liuc.cloudfront.net/aiv-delivery.net/streaming
# Facebook
ipset=/fbcdn.net/streaming
# Twitch
ipset=/ttvnw.net/streaming
# VeVo
ipset=/vevo.com/streaming
# Spotify
ipset=/audio-fa.scdn.cot/streaming
# Deezer
ipset=/deezer.com/streaming
# SoundCloud
ipset=/sndcdn.com/streaming
# last.fm
ipset=/last.fm/streaming
#reddit videos
ipset=/v.redd.it/streaming
#twitch.tv
ipset=/ttvnw.net/par10s27-in-f206.1e100.net/streaming
## I have isolated speed for those CDNs
ipset=/googletagmanager.com/googleusercontent.com/*.googleusercontent.com/google.com/fbcdn.net/*.fbcdn.net/akamaihd.net/*.akamaihd.net/whatsapp.net/*.whatsapp.net/whatsapp.com/*.whatsapp.com/www-cdn.whatsapp.net/googleapis.com/*.googleapis.com/ucy.ac.cy/1e100.net/hwcdn.net/usrcdn
## Bulk downloads
#qq download
ipset=/download.qq.com/bulk
# Steam Download
ipset=/steamcontent.com/bulk
# PSN Download
ipset=/gs2.ww.prod.dl.playstation.net/bulk
# DropBox
ipset=/dropbox.com/dropboxstatic.com/dropbox-dns.com/log.getdropbox.com/bulk
# Google Drive
ipset=/drive.google.com/drive-thirdparty.googleusercontent.com/bulk
# Google Docs
ipset=/docs.google.com/docs.googleusercontent.com/bulk
# PlayStore Download
ipset=/gvt1.com/bulk
# WhatsApp Files
ipset=/mmg-fna.whatsapp.net/bulk
# Youtube Upload
ipset=/upload.youtube.com/upload.video.google.com/bulk
# WindowsUpdate
ipset=/windowsupdate.com/update.microsoft.com/bulk

Can you please show your upnpd file? Because mine is showing Failed to add NAT-PMP


config upnpd 'config'
	option download '1024'
	option upload '512'
	option internal_iface 'lan'
	option port '5000'
	option upnp_lease_file '/var/run/miniupnpd.leases'
	option igdv1 '1'
	option use_stun '1'
	option stun_host 'stun.stunprotocol.org'
	option enabled '1'
	option uuid 'e24e8386-d705-4e33-95b3-a8963dcb274d'
	option log_output '1'

config perm_rule
	option action 'allow'
	option ext_ports '1024-65535'
	option int_ports '1024-65535'
	option comment 'lan'
	option int_addr '192.168.1.0/24'

Also spent many ******* hours debugging my own setup lol. You have to enable local accept local packets on devices too or it will log into games but not find matches, also gives nat type 2, but enable local was the fix... When I first got it to work a few versions back it stopped working when I did a sys upgrade, been beating my head trying to figure out why... Just this morning figured it out, damn near gave up


My upnp was working until a month ago, when I updated to the latest snapshot. Thanks for the file, I'll test and let you know


STUN: ext interface pppoe-wan with IP address 100.64.**.*** is now behind restrictive NAT with public IP address 115.69.***.**: Port forwarding is now impossible
Welp, that sucks. What changes did you make in the current snapshot? I'm using the same build. Besides, before I only needed to enable the upnp service and that's it. It was working fine

Hello, could you indicate which packages you install and what sqm configuration you have? Greetings. @Reeves0724