Need Help with UPnP on Tp-Link Archer C6 V3 GCNAT

Hi everyone,

I wanted to share that my UPnP works with the original firmware on my TP-Link Archer C6 v3, even though I am behind a CGNAT from my ISP. However, I can't get it to work on OpenWrt. Can anyone help me out? I'll share my current configuration below.

Thanks in advance!

config upnpd config
	option enabled		1
	option enable_natpmp	1
	option enable_upnp	1
	option secure_mode	1
	option log_output	0
	option download		1024
	option upload		512
#by default, looked up dynamically from ubus
#	option external_iface	wan
	option internal_iface	lan
	option port		5000
	option upnp_lease_file	/var/run/miniupnpd.leases
	option igdv1		1

config perm_rule
	option action		allow
	option ext_ports	1024-65535
	option int_addr	# Does not override secure_mode
	option int_ports	1024-65535
	option comment		"Allow high ports"

config perm_rule
	option action		deny
	option ext_ports	0-65535
	option int_addr
	option int_ports	0-65535
	option comment		"Default deny"

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr ''
	option netmask ''
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username '*********'
	option password '**********'
	option ipv6 'auto'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

Are you certain that you are behind CG-NAT in general?

CG-NAT (assuming no special provisions/allowances from the ISP) will not allow you to have any inbound ports from the internet due to the fact that you share one or many public IP addresses with many subscribers (often it is a pool of many, but it is not a 1:1 subscriber:publicIP arrangement). Therefore, unpn should not have worked ever, regardless if you were using the original firmware or now OpenWrt?

How did you determine that:

  • you're behind CG-NAT
  • that were behind CG-NAT with the original firmware
  • that upnp was actually working while behind CG-NAT (with the original firmware).

For starters, though, let's see the first two octets of your current wan IP address (in bold: aaa.bbb.ccc.ddd) from this command: ifstatus wan | grep address.

1 Like

here it is

here it is

root@OpenWrt:~# ifstatus wan | grep address.
"ipv4-address": [
"address": "",
"ptpaddress": ""
"ipv6-address": [
"address": "fe80::7c07:aeb4:245c:66f3",
"ipv4-address": [
"ipv6-address": [

What happens if you check your IP with an external site/service? (google "what's my IP")

at this moment this is My ip is

That all checks out as CG-NAT.

Is it possible that you were issued a true public IP when you were using the previous firmware (this change could happen if the MAC address the router uses on its wan is different based on the firmware in use)?

Alternatively, could your result previously have been IPv6 based?

but how could I have received a public address in the original Tp-link firmware, that wouldn't make sense, what would be the solution for this, should I get the tp-link mac and put it here in openwrt? Could you please give me more details.

If the MAC address presented to the ISP was different when it was running the vendor firmware, that could possibly explain it.
(that said, I've never used PPPoE and I might be wrong here -- with DHCP this is certainly a thing, but maybe not PPPoE).

but I'm sure that in the original firmware, upnp works normally and the address established by the ISP was in Cgnat and upnp was working perfectly.

How did you determine that upnp was working previously? And for that matter, what address did you use as your public address such that you could access your internally hosted services?

I can go back to the original firmware here now and take screenshots, just tell me which screenshots you need.

I don't know what the original firmware looks like...

But importantly, how did you know that upnp was working? What was the method you used to test previously? Or what services were you hosting that used upnp for inbound connections?

When I activate upnp, I checked in call of duty, my nat was open, and in the original tp link firmware it displays the log of the open port, I only need upnp to open game ports.

Were you hosting the CoD server on your network and inviting others to join your server? Or were you connecting to other servers?

I play warzone, I just want upnp to open the doors to have nat open, I'm not creating any servers

If you're not hosting servers, you do not need upnp or any open ports.

Put another way, are you unable to play the game normally?

I know I can forward port 3074 manually in Port Forwards, and I’ve done this several times on OpenWrt. When I do, my NAT type becomes open instead of moderate, which allows me to find matches faster. However, I really want UPnP to work on OpenWrt.

Two weeks ago, my ISP gave me a public IP for testing, and the UPnP on OpenWrt worked perfectly. But when they reverted to CGNAT, it stopped working again.

As I stated previously, upnp doesn't work with CG-NAT. This is not an issue with OpenWrt. To be clear, upnp can be up and running and doing its thing, it will just have no effect because there is no inbound path from the internet > ISP > you (it's the ISP that is the limiting factor here).

This is my point, exactly... you need a public IP if you want this capability. This is not within your control if you have a CG-NAT. It doesn't matter what firmware you are running, this will always be true.

As an aside... upnp is actually not recommended because it actually creates potential security vulnerabilities in your network. This is because it operates silently without user/admin interaction/knowledge/notification. Although irrelevant in the case of CG-NAT, in general the recommendation is to manually configure port forwards so that you (as the administrator) know exactly what ports have been opened and for what purpose.

Specify STUN server in your UPnP settings (e.g.:, port: 19302). Should work after that.


I did what you told me but I still haven't been successful, maybe I'm missing something in my settings.

config upnpd 'config'
	option enabled '1'
	option download '1024'
	option upload '512'
	option internal_iface 'lan'
	option port '5000'
	option upnp_lease_file '/var/run/miniupnpd.leases'
	option igdv1 '1'
	option use_stun '1'
	option stun_host ''
	option stun_port '19302'
	option uuid 'b0c14653-c6b9-42f8-b8f9-97c72629c896'

config perm_rule
	option action 'allow'
	option ext_ports '1024-65535'
	option int_addr ''
	option int_ports '1024-65535'
	option comment 'Allow high ports'

config perm_rule
	option action 'deny'
	option ext_ports '0-65535'
	option int_addr ''
	option int_ports '0-65535'
	option comment 'Default deny'