Hello! This is my first post. I think I exhausted all my options before asking for help here, so here goes.
A caveat is that I am not very experienced with networking, but I did learn a lot about iptables and ZeroTier in the process.
I did follow a guide to set up ZeroTier on my OpenWrt router (https://github.com/mwarning/zerotier-openwrt/wiki#using-luci-in-openwrt-1907).
The objective is to allow my friend, who is behind a CG-NAT and his ISP does not offer another option, to use my UPNP, NAT-PMP or port-forwarding to play a specific game (For Honor, if you are curious).
I am also open to other suggestions like SSH Tunneling or proxies (we have experience using Proxifier too).
The issue I am having with ZeroTier:
- I connected a Kali Linux machine from outside my LAN to the ZT network; I can connect to all my LAN peers and to the internet on a full-tunnel config ("what is my IP" reports my WAN IP).
- I can connect to my router's LuCI config (port 80), but if I try to access the NAT-PMP port (through natpmpc on Kali Linux), it fails with the following result:
$ natpmpc
initnatpmp() returned 0 (SUCCESS)
using gateway : 172.29.96.238
sendpublicaddressrequest returned 2 (SUCCESS)
readnatpmpresponseorretry returned -7 (FAILED)
readnatpmpresponseorretry() failed : the gateway does not support nat-pmp
errno=111 'Connection refused'
A tcpdump on my router tracking the Kali Linux host and ZT interface reports:
root@OpenWrt:~# tcpdump -i zthnhpqrjc host 172.29.79.132
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on zthnhpqrjc, link-type EN10MB (Ethernet), capture size 262144 bytes
13:15:12.739735 IP 172.29.79.132.48036 > 172.29.96.238.5351: UDP, length 2
13:15:12.739789 IP 172.29.96.238 > 172.29.79.132: ICMP 172.29.96.238 udp port 5351 unreachable, length 38
Output from my iptables (sudo iptables -L -v -n | more):
Chain INPUT (policy ACCEPT 194 packets, 20548 bytes)
pkts bytes target prot opt in out source destination
9668 1609K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
45851 6400K input_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom input rule chain */
43270 6248K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
759 34036 syn_flood tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 /* !fw3 */
728 46999 zone_lan_input all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
1187 63420 zone_wan_input all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
551 25772 zone_wan_input all -- pppoe-wanb * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
36 1080 zone_ztvpn_input all -- zthnhpqrjc * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
19111 1716K forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom forwarding rule chain */
11942 795K FLOWOFFLOAD all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Traffic offloading */ ctstate RELATED,ESTABLISHED FLOWOFFLOAD
11942 795K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
0 0 zone_lan_dest_ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1900 /* !fw3: Allow SSDP */
0 0 zone_lan_dest_ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:1900 /* !fw3: Allow SSDP */
2936 380K zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
1796 95034 zone_wan_forward all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
299 15501 zone_wan_forward all -- pppoe-wanb * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
2138 431K zone_ztvpn_forward all -- zthnhpqrjc * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
9668 1609K ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
85119 31M output_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom output rule chain */
61507 26M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED /* !fw3 */
12561 3262K zone_lan_output all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
6452 852K zone_wan_output all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
4599 617K zone_wan_output all -- * pppoe-wanb 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 zone_ztvpn_output all -- * zthnhpqrjc 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain MINIUPNPD (2 references)
pkts bytes target prot opt in out source destination
Chain forwarding_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_ztvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_ztvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_ztvpn_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (1 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */ reject-with icmp-port-unreachable
Chain syn_flood (1 references)
pkts bytes target prot opt in out source destination
759 34036 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 limit: avg 25/sec burst 50 /* !fw3 */
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_dest_ACCEPT (7 references)
pkts bytes target prot opt in out source destination
12561 3262K ACCEPT all -- * br-lan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
2936 380K forwarding_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan forwarding rule chain */
2936 380K zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone lan to wan forwarding policy */
0 0 zone_ztvpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone lan to ztvpn forwarding policy */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_input (1 references)
pkts bytes target prot opt in out source destination
728 46999 input_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan input rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
728 46999 zone_lan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_output (1 references)
pkts bytes target prot opt in out source destination
12561 3262K output_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom lan output rule chain */
12561 3262K zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
728 46999 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_wan_dest_ACCEPT (4 references)
pkts bytes target prot opt in out source destination
55 2212 DROP all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
9333 1230K ACCEPT all -- * pppoe-wan 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
0 0 DROP all -- * pppoe-wanb 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
4599 617K ACCEPT all -- * pppoe-wanb 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_forward (2 references)
pkts bytes target prot opt in out source destination
2095 111K forwarding_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan forwarding rule chain */
0 0 zone_lan_dest_ACCEPT esp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IPSec-ESP */
0 0 zone_lan_dest_ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 /* !fw3: Allow-ISAKMP */
2095 111K zone_ztvpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone wan to ztvpn forwarding policy */
2095 111K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_input (2 references)
pkts bytes target prot opt in out source destination
1738 89192 input_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan input rule chain */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:68 /* !fw3: Allow-DHCP-Renew */
655 25381 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 /* !fw3: Allow-Ping */
0 0 ACCEPT 2 -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-IGMP */
6 324 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
1077 63487 MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
1077 63487 zone_wan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_output (2 references)
pkts bytes target prot opt in out source destination
11051 1469K output_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom wan output rule chain */
11051 1469K zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_wan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
572 38535 ACCEPT all -- pppoe-wan * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
390 19098 ACCEPT all -- pppoe-wanb * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
Chain zone_ztvpn_dest_ACCEPT (4 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * zthnhpqrjc 0.0.0.0/0 0.0.0.0/0 ctstate INVALID /* !fw3: Prevent NAT leakage */
0 0 ACCEPT all -- * zthnhpqrjc 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ztvpn_forward (1 references)
pkts bytes target prot opt in out source destination
2138 431K forwarding_ztvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom ztvpn forwarding rule chain */
390 23395 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-ZeroTier-Inbound */
1748 407K ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Allow-ZeroTier-Inbound */
0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone ztvpn to lan forwarding policy */
0 0 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Zone ztvpn to wan forwarding policy */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port forwards */
0 0 zone_ztvpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ztvpn_input (1 references)
pkts bytes target prot opt in out source destination
36 1080 input_ztvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom ztvpn input rule chain */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* !fw3: Accept port redirections */
36 1080 zone_ztvpn_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ztvpn_output (1 references)
pkts bytes target prot opt in out source destination
0 0 output_ztvpn_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3: Custom ztvpn output rule chain */
0 0 zone_ztvpn_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* !fw3 */
Chain zone_ztvpn_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
36 1080 ACCEPT all -- zthnhpqrjc * 0.0.0.0/0 0.0.0.0/0 ctstate NEW,UNTRACKED /* !fw3 */
Firewall configuration:
config defaults
option input 'ACCEPT'
option output 'ACCEPT'
option synflood_protect '1'
option flow_offloading '1'
option forward 'REJECT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
option log '1'
option log_limit '30/minute'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wanb'
option input 'ACCEPT'
option forward 'ACCEPT'
option log '1'
option log_limit '30/minute'
config zone
option name 'ztvpn'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'ZeroTier'
option log '1'
option log_limit '30/minute'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config rule
option name 'Support-UDP-Traceroute'
option src 'wan'
option dest_port '33434:33689'
option proto 'udp'
option family 'ipv4'
option target 'REJECT'
option enabled '0'
config include
option path '/etc/firewall.user'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'KF2 - Server Port'
list proto 'udp'
option src 'wan'
option src_dport '7777'
option dest_ip '192.168.0.150'
option dest_port '7777'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'KF2 - Steam Master Server'
list proto 'udp'
option src 'wan'
option src_dport '27015'
option dest_ip '192.168.0.150'
option dest_port '27015'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'KF2 - Steam Port'
option src 'wan'
option src_dport '20560'
option dest_ip '192.168.0.150'
option dest_port '20560'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'KF2 - NTP'
list proto 'udp'
option src 'wan'
option src_dport '123'
option dest_ip '192.168.0.150'
option dest_port '123'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'WebServer'
option dest_ip '192.168.0.150'
option src 'wan'
option src_dport '56715'
option dest_port '56715'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Dante Proxy'
option src 'wan'
option src_dport '10805'
option dest_ip '192.168.0.150'
option dest_port '10805'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Chickenator Port'
option src 'wan'
option src_dport '8888'
option dest_ip '192.168.0.150'
option dest_port '8888'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'For Honor - TCP'
list proto 'tcp'
option src 'wan'
option src_dport '14000-14043'
option dest_port '14000-14043'
option dest_ip '192.168.0.174'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'For Honor - UDP'
list proto 'udp'
option src 'wan'
option src_dport '3074-3075'
option dest_port '3074-3075'
option dest_ip '192.168.0.174'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'SSH - Router'
option src 'wan'
option src_dport '22222'
option dest_ip '192.168.0.1'
option dest_port '22'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Web - Router'
option src 'wan'
option dest_ip '192.168.0.1'
option dest_port '80'
option src_dport '8889'
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Remote Desktop '
option src 'wan'
option src_dport '3389'
option dest_ip '192.168.0.174'
option dest_port '3389'
config rule
option name 'Allow SSDP'
option dest 'lan'
option dest_port '1900'
option target 'ACCEPT'
option src '*'
config redirect
option dest 'lan'
option target 'DNAT'
option src 'wan'
option dest_ip '192.168.0.150'
option name 'SSH - debian'
option src_dport '22223'
option dest_port '22'
option enabled '0'
config rule
option name 'Allow-ZeroTier-Inbound'
option target 'ACCEPT'
list proto 'tcp'
list proto 'udp'
option dest '*'
option src 'ztvpn'
config forwarding
option src 'ztvpn'
option dest 'lan'
config forwarding
option src 'ztvpn'
option dest 'wan'
config forwarding
option src 'lan'
option dest 'ztvpn'
config forwarding
option src 'wan'
option dest 'ztvpn'
My current setup:
- x64 OpenWrt router with ZeroTier and 2 WANs with separate static IPs (balanced by mwan3)
- A Debian KVM VM in the LAN that runs some services (Dante proxies, etc.). It also has ZeroTier installed as a test.
- ZeroTier configured to route all traffic through the router.
- Kali Linux machine outside of the LAN (connected to the ZT network)
So my question is: how can I make ZeroTier accept the NAT-PMP or UPnP connection on my router, or is there another solution altogether that allows my friend to port forward on my router?
PS: I already have the ports forwarded for my IP for the game too, so I am trying to find a way that does not conflict.
Sorry for the text wall, I want to provide the most info I can. Cheers!
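As an added example (not part of the post, nor natpmpc's or OpenWrt's own code), the script below reproduces the single exchange natpmpc attempts in the capture above: it builds the 2-byte NAT-PMP public-address request that tcpdump shows as "UDP, length 2", decodes a gateway's 12-byte reply as laid out in RFC 6886, and classifies a failed probe. An ICMP port unreachable from the gateway surfaces on a connected UDP socket as errno 111 "Connection refused", which means the datagram reached the router and was answered by the kernel (no socket bound to UDP/5351 for that address, or a REJECT rule); a silent DROP would instead show up as a timeout. The sample reply bytes and the 203.0.113.7 address are constructed; the gateway address, if you want to probe one, is supplied on the command line.

```python
"""NAT-PMP (RFC 6886) public-address probe and response decoder.

Added example; not part of the forum post. It reproduces the one request
natpmpc sends in the post and distinguishes the failure modes a client
can observe.
"""
import socket
import struct
import sys

NATPMP_PORT = 5351          # UDP port a NAT-PMP gateway listens on (RFC 6886)
NATPMP_VERSION = 0
OP_PUBLIC_ADDRESS = 0       # opcode 0: "what is my external address?"
RESPONSE_FLAG = 128         # responses set the high bit of the opcode

# Result codes from RFC 6886 section 3.5
RESULT_CODES = {
    0: "Success",
    1: "Unsupported Version",
    2: "Not Authorized/Refused",
    3: "Network Failure",
    4: "Out of resources",
    5: "Unsupported opcode",
}


def build_public_address_request() -> bytes:
    """Version byte + opcode byte: the 2-byte datagram tcpdump shows as 'UDP, length 2'."""
    return struct.pack("!BB", NATPMP_VERSION, OP_PUBLIC_ADDRESS)


def parse_public_address_response(data: bytes) -> dict:
    """Decode the 12-byte reply: version, opcode|128, result, seconds since start, external IPv4."""
    if len(data) < 12:
        raise ValueError(f"short NAT-PMP response ({len(data)} bytes, need 12)")
    version, opcode, result, uptime = struct.unpack("!BBHI", data[:8])
    if version != NATPMP_VERSION:
        raise ValueError(f"unexpected NAT-PMP version {version}")
    if opcode != (RESPONSE_FLAG | OP_PUBLIC_ADDRESS):
        raise ValueError(f"unexpected opcode {opcode}")
    return {
        "result": result,
        "result_text": RESULT_CODES.get(result, "Unknown result code"),
        "gateway_uptime_seconds": uptime,
        "external_ip": socket.inet_ntoa(data[8:12]),
    }


def classify_probe_error(exc: OSError) -> str:
    """Say what a failed probe tells us about the gateway.

    refused: the gateway answered with ICMP port unreachable, so the datagram
             arrived and was answered by the kernel (nothing bound to UDP/5351
             for that address, or a REJECT rule); Linux reports errno 111.
    timeout: no reply at all; the request was dropped or filtered somewhere.
    """
    if isinstance(exc, ConnectionRefusedError):
        return "refused"
    if isinstance(exc, socket.timeout):
        return "timeout"
    return "error"


def probe_gateway(gateway: str, timeout: float = 2.0) -> dict:
    """Send one public-address request to the gateway and report the outcome."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        # A connected UDP socket makes the kernel report ICMP errors on recv().
        sock.connect((gateway, NATPMP_PORT))
        sock.send(build_public_address_request())
        reply = sock.recv(64)
        return {"status": "answered", **parse_public_address_response(reply)}
    except OSError as exc:
        return {"status": classify_probe_error(exc), "detail": str(exc)}
    finally:
        sock.close()


# Constructed sample reply (not captured from the poster's router):
# version 0, opcode 128, result 0, uptime 3600 s, external address 203.0.113.7.
SAMPLE_REPLY = struct.pack("!BBHI", 0, 128, 0, 3600) + socket.inet_aton("203.0.113.7")


if __name__ == "__main__":
    print("request bytes:", build_public_address_request().hex())
    print("decoded sample reply:", parse_public_address_response(SAMPLE_REPLY))
    if len(sys.argv) > 1:
        # Gateway address comes from the caller; the post's gateway was 172.29.96.238.
        print(probe_gateway(sys.argv[1]))
```

Run it with no arguments to see the request and the decoded constructed reply, or pass the gateway address the client would use (natpmpc's "using gateway" line) to see whether the probe is answered, refused or times out. Checking that the status is "refused" rather than "timeout" is the quick way to tell a listener problem on the gateway from a firewall that is dropping the packet.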