Miniupnpd problem (rules are getting deleted after some time even if the service is still active)

I'm facing a problem with upnp and two PS4 game consoles.
Basically upnp is working fine and it opens the required ports, but after a short period of time the rules get deleted even if the game or service (party) is still active, which results in a restricted NAT status in some games and the party chat.

Router/Build: Linksys WRT3200ACM, Lede SNAPSHOT r9287-7ebbbda293 / LuCI Master (git-19.038.66435-4e5111e) (davidc r9287)
miniupnpd version: 2.1.20180706-1

upnp config:

config perm_rule
	option action 'allow'
	option ext_ports '1024-65535'
	option int_ports '1024-65535'
	option comment 'Allow PSN1'
	option int_addr '192.168.1.241/24'

config perm_rule
	option comment 'Allow PSN2'
	option ext_ports '1024-65535'
	option int_ports '1024-65535'
	option action 'allow'
	option int_addr '192.168.1.242/24'

config perm_rule
	option action 'deny'
	option ext_ports '0-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '0-65535'
	option comment 'Default deny'

config upnpd 'config'
	option download '1024'
	option upload '512'
	option internal_iface 'lan'
	option port '5000'
	option upnp_lease_file '/var/run/miniupnpd.leases'
	option enabled '1'
	option enable_natpmp '0'
	option igdv1 '1'
	option uuid 'xxx'
	option clean_ruleset_interval '600'
	option notify_interval '30'
	option clean_ruleset_threshold '1'
	option log_output '1'

Related log entry:

Tue Mar 12 08:10:22 2019 daemon.debug miniupnpd[5100]: removing unused mapping 9307 UDP : still 0packets 0bytes
Tue Mar 12 08:10:22 2019 daemon.info miniupnpd[5100]: Trying to delete nat rule at index 1
Tue Mar 12 08:10:22 2019 daemon.info miniupnpd[5100]: Trying to delete filter rule at index 1
Tue Mar 12 08:10:22 2019 daemon.debug miniupnpd[5100]: removing unused mapping 9308 UDP : still 0packets 0bytes
Tue Mar 12 08:10:22 2019 daemon.info miniupnpd[5100]: Trying to delete nat rule at index 0
Tue Mar 12 08:10:22 2019 daemon.info miniupnpd[5100]: Trying to delete filter rule at index 0
Tue Mar 12 08:10:22 2019 daemon.notice miniupnpd[5100]: removed 2 unused rules

So the problem seems to be that miniupnpd thinks there is no more traffic flowing through the related port(s) and therefore deletes the redirects.
Do you guys have an idea what's wrong with my current config or how I can fix this problem?

I've seen issues before (not OpenWrt specific) where running two similar devices behind a NAT'ing firewall that both want the same ports forwarded will clash.

I don't believe they're getting deleted because the router thinks they're unused, I think they're getting deleted because the other console wants the same ports forwarded to its IP address, so one rule gets deleted to be replaced by a new one.

I'm afraid I don't know of a solution to this ¯\_(ツ)_/¯

Thanks for your reply, but it also happens when there is only one console active.
I can set the Clean rules threshold above 1, but then there will be a lot of unused forwards active, as the Playstation 4 doesn't close them on its own, and after a while I had something like 9 forwards active.
Seems to be quite buggy and I don't know how to fix or debug this problem, so any ideas are welcome.

First of all I would like to know if the same problem happens to any of you guys, so whether it's a general problem or related to a specific setup/config.

I'm not sure, but I think that having the Clean Rules threshold set at 1 will make upnp clean whenever any redirect is made, meaning you tell it to clean at 1, then it sees a redirect (1), so it cleans it; you might have to set it to at least 2.

Set this to default 20 value.

Is there a reason that it is disabled?

I'll give it a try but if I remember right I've tried it with 6 and it was the same result after some time.

Then I will have the problem that after some time plenty of unused forwards will remain in the UPNP service tab, as I mentioned above.

I need UPNP only for my PS4 console and my roommate's one. Afaik I don't need NAT-PMP for my purpose (PSN).

You could set the clean time to 300 ( option clean_ruleset_interval '300' ) and the clean rules threshold to 5 (although the default as @trendy suggested would be fine); that should keep old forwards to a minimum and clear them out pretty quickly.


I'll give your suggestions a try later on...

Give it a try, it looks like a better version of upnp.
http://miniupnp.free.fr/nat-pmp.html


Do I need to activate NAT-PMP only or together with UPnP?

You can have them both.
Try either way and see what works for you.

NAT-PMP alone does not work, and together with upnp it still does not fix the problem for me.
I just don't understand it... If I understand it correctly, the miniupnpd service checks every 600 (in my case every 300) seconds whether any data flows through the open port, and if that's the case the port forward remains active, but for some reason it does not work with the PS4/PSN and old forwards remain active until the threshold limit is reached (default 20 in my case).

edit: looking at https://github.com/miniupnp/miniupnp/blob/master/miniupnpd/miniupnpd.conf there is a value for the min and max lifetime in seconds of a port mapping, but I haven't found any setting like this in OpenWRT.
Maybe this could help me with my problem?

edit2: It seems like min-max_lifetime only works for PCP, so again I'm out of ideas.
My ISP changes my public IP every 24h, so I'll try Clean rules interval=86400 + Clean rules threshold=1.

What I figured out so far is that no packet or traffic is going through the opened PSN and game ports.
For example miniupnpd opens port 3659 for Apex Legends (EA Tunnel), but I can't see any traffic or packets in my NAT firewall for this port.
I guess that's why the ports close after a while (Clean rules interval)...

Chain MINIUPNPD (1 References):

|Pkts.|Traffic|Target|Prot.|In|Out|Source|Destination|Options|Comment|
|---|---|---|---|---|---|---|---|---|---|
|0 |0 B|DNAT|udp|*|*|0.0.0.0/0|0.0.0.0/0|udp dpt:9308 to:192.168.1.242:9308|-|
|0 |0 B|DNAT|udp|*|*|0.0.0.0/0|0.0.0.0/0|udp dpt:3659 to:192.168.1.242:3659|-|

I'm still trying to figure out why there is no traffic on the forwarded ports in Chain MINIUPNPD and Chain MINIUPNPD-POSTROUTING. I guess that's the reason why these port forwards are getting deleted... Or is it supposed to be like this?

I've tested miniupnp with my Windows laptop and qBittorrent and everything is working fine over there. The rules stay active while downloading a torrent and get automatically deleted after closing the program. I can also see packets/traffic in the correct miniupnpd chain with qBittorrent.

So my conclusion is that the implementation of upnp on the PS4 is buggy or miniupnpd isn't working correctly with PS4/PSN, and that's why I don't see any traffic on the forwarded ports in the miniupnpd chain and the ports get closed after the default Clean rules interval with a Clean rules threshold of 1. I'd love to test this with Xbox Live but I don't own an Xbox. It would be great if someone with an Xbox One could test this...

Here is my current upnp config for two PS4 consoles:

config perm_rule
	option action 'allow'
	option ext_ports '1024-65535'
	option int_ports '1024-65535'
	option comment 'Allow PS4-1'
	option int_addr '192.168.1.241/32'

config perm_rule
	option comment 'Allow PS4-2'
	option ext_ports '1024-65535'
	option int_ports '1024-65535'
	option action 'allow'
	option int_addr '192.168.1.242/32'

config perm_rule
	option action 'deny'
	option ext_ports '0-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '0-65535'
	option comment 'Default deny'

config upnpd 'config'
	option download '1024'
	option upload '512'
	option internal_iface 'lan'
	option external_iface 'wan'
	option port '5000'
	option upnp_lease_file '/var/run/miniupnpd.leases'
	option enable_natpmp '0'
	option uuid ''
	option notify_interval '30'
	option clean_ruleset_interval '600'
	option enabled '1'
	option igdv1 '1'
	option log_output '1'
	option clean_ruleset_threshold '1'

In POSTROUTING, SNAT/Masquerade takes place, so I am not sure what is supposed to be found there.
On the other hand I am not using upnp (and neither is anyone security-conscious), so I cannot say for sure. If the application has successfully created a flow using the ports it needs, then upnp is not necessary.

I just don't understand why miniupnpd doesn't pick up the traffic on port 3074, and I think it's the reason why the port forward is getting deleted from the chain. My knowledge about these things is very limited, but it feels like it shouldn't be like this.

Here is an example with qBittorrent (upnp working correctly, the port forwards stay active while downloading):

root@WRT:~# iptables -t nat -L MINIUPNPD -n -v
Chain MINIUPNPD (2 references)
 pkts bytes target     prot opt in     out     source               destination
  340 19196 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6881 to:192.168.1.230:6881
  507 60856 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:6881 to:192.168.1.230:6881

And here is an example with my PS4 playing Modern Warfare Multiplayer (the game port gets closed after 10 mins; the Real Time connection Graph still shows traffic on port 3074 while the port forward is getting deleted/closed):

root@WRT:~# iptables -t nat -L MINIUPNPD -n -v
Chain MINIUPNPD (2 references)
 pkts bytes target     prot opt in     out     source               destination
    1    43 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3074 to:192.168.1.242:3074

If the game is using the existing outgoing connection for the incoming traffic too, hole punching the firewall and keeping the connection active, then the port forward is basically useless.

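The explanation above can be checked against the chain counters directly. The script below is added here as an illustration and is not from any poster or from miniupnpd's own code: it parses two constructed `iptables -t nat -L MINIUPNPD -n -v` snapshots (modelled on the outputs earlier in the thread) taken one clean interval apart and reports the mappings whose counters did not move, which is the "still N packets" test visible in the log. It assumes clean_ruleset_threshold gates the check on the number of rules present.

```python
import re

# Constructed snapshots of `iptables -t nat -L MINIUPNPD -n -v`, one clean
# interval apart.  The qBittorrent rule (6881) keeps matching new inbound
# flows; the console rule (3074) never moves because the game's inbound
# traffic rides the existing outbound conntrack entry, so DNAT never fires.
SNAPSHOT_T0 = """\
Chain MINIUPNPD (2 references)
 pkts bytes target     prot opt in     out     source               destination
  340 19196 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6881 to:192.168.1.230:6881
    1    43 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3074 to:192.168.1.242:3074
"""
SNAPSHOT_T1 = """\
Chain MINIUPNPD (2 references)
 pkts bytes target     prot opt in     out     source               destination
  512 30102 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6881 to:192.168.1.230:6881
    1    43 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:3074 to:192.168.1.242:3074
"""

# pkts, bytes, proto, external port, internal target.  Use `iptables -x` on a
# real router so large counters are not abbreviated with K/M suffixes.
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+DNAT\s+(\w+)\s.*?\bdpt:(\d+)\s+to:(\S+)")


def parse_chain(text):
    """Map (proto, ext_port) -> (pkts, bytes, internal target) per DNAT rule."""
    rules = {}
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            pkts, nbytes, proto, port, target = m.groups()
            rules[(proto, int(port))] = (int(pkts), int(nbytes), target)
    return rules


def unused_mappings(before, after, threshold):
    """Mappings whose packet/byte counters are unchanged between two checks.

    Assumed semantics of clean_ruleset_threshold: the check only runs when at
    least `threshold` mappings exist.  Returned mappings are the ones the
    cleaner would log as 'removing unused mapping ... still N packets'.
    """
    if len(after) < threshold:
        return []
    return sorted(key for key, val in after.items()
                  if key in before and before[key][:2] == val[:2])
```

With threshold 1 the console's 3074/udp mapping is reported as unused even though the game is still playing, which is exactly the log sequence at the top of the thread.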

I was just confused because miniupnpd was always closing every port forward for my PS4 and it happened with every PS4 game that I've played... So everything is working as expected and there is no problem with miniupnpd and PS4/PSN?

If in doubt, you can always create the port forwards for PSN manually. Maybe this will be the best solution.