Need Help with UPnP on Tp-Link Archer C6 V3 GCNAT

Rafumfps · July 10, 2024, 12:31am

Hi everyone,

I wanted to share that my UPnP works with the original firmware on my TP-Link Archer C6 v3, even though I am behind a CGNAT from my ISP. However, I can't get it to work on OpenWrt. Can anyone help me out? I'll share my current configuration below.

Thanks in advance!

config upnpd config
	option enabled		1
	option enable_natpmp	1
	option enable_upnp	1
	option secure_mode	1
	option log_output	0
	option download		1024
	option upload		512
#by default, looked up dynamically from ubus
#	option external_iface	wan
	option internal_iface	lan
	option port		5000
	option upnp_lease_file	/var/run/miniupnpd.leases
	option igdv1		1

config perm_rule
	option action		allow
	option ext_ports	1024-65535
	option int_addr		0.0.0.0/0	# Does not override secure_mode
	option int_ports	1024-65535
	option comment		"Allow high ports"

config perm_rule
	option action		deny
	option ext_ports	0-65535
	option int_addr		0.0.0.0/0
	option int_ports	0-65535
	option comment		"Default deny"


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config interface 'wan'
	option device 'wan'
	option proto 'pppoe'
	option username '*********'
	option password '**********'
	option ipv6 'auto'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

psherman · July 10, 2024, 1:09am

Are you certain that you are behind CG-NAT in general?

CG-NAT (assuming no special provisions/allowances from the ISP) will not allow you to have any inbound ports from the internet due to the fact that you share one or many public IP addresses with many subscribers (often it is a pool of many, but it is not a 1:1 subscriber:publicIP arrangement). Therefore, unpn should not have worked ever, regardless if you were using the original firmware or now OpenWrt?

How did you determine that:

you're behind CG-NAT
that were behind CG-NAT with the original firmware
that upnp was actually working while behind CG-NAT (with the original firmware).

For starters, though, let's see the first two octets of your current wan IP address (in bold: aaa.bbb.ccc.ddd) from this command: ifstatus wan | grep address.

Rafumfps · July 10, 2024, 1:19am

here it is

root@OpenWrt:~# ifstatus wan | grep address.
"addresses",
"ipv4-address": [
"address": "100.90.93.208",
"ptpaddress": "143.208.125.253"
"ipv6-address": [
"address": "fe80::7c07:aeb4:245c:66f3",
"ipv4-address": [
"ipv6-address": [

psherman · July 10, 2024, 1:21am

What happens if you check your IP with an external site/service? (google "what's my IP")

Rafumfps · July 10, 2024, 1:23am

at this moment this meuip.com is My ip is 170.84.219.12

psherman · July 10, 2024, 1:26am

That all checks out as CG-NAT.

Is it possible that you were issued a true public IP when you were using the previous firmware (this change could happen if the MAC address the router uses on its wan is different based on the firmware in use)?

Alternatively, could your result previously have been IPv6 based?

Rafumfps · July 10, 2024, 1:31am

but how could I have received a public address in the original Tp-link firmware, that wouldn't make sense, what would be the solution for this, should I get the tp-link mac and put it here in openwrt? Could you please give me more details.

psherman · July 10, 2024, 1:32am

If the MAC address presented to the ISP was different when it was running the vendor firmware, that could possibly explain it.
(that said, I've never used PPPoE and I might be wrong here -- with DHCP this is certainly a thing, but maybe not PPPoE).

Rafumfps · July 10, 2024, 1:38am

but I'm sure that in the original firmware, upnp works normally and the address established by the ISP was in Cgnat and upnp was working perfectly.

psherman · July 10, 2024, 1:41am

How did you determine that upnp was working previously? And for that matter, what address did you use as your public address such that you could access your internally hosted services?

Rafumfps · July 10, 2024, 1:43am

I can go back to the original firmware here now and take screenshots, just tell me which screenshots you need.

psherman · July 10, 2024, 1:44am

I don't know what the original firmware looks like...

But importantly, how did you know that upnp was working? What was the method you used to test previously? Or what services were you hosting that used upnp for inbound connections?

Rafumfps · July 10, 2024, 1:48am

When I activate upnp, I checked in call of duty, my nat was open, and in the original tp link firmware it displays the log of the open port, I only need upnp to open game ports.

psherman · July 10, 2024, 1:49am

Were you hosting the CoD server on your network and inviting others to join your server? Or were you connecting to other servers?

Rafumfps · July 10, 2024, 1:51am

I play warzone, I just want upnp to open the doors to have nat open, I'm not creating any servers

psherman · July 10, 2024, 1:53am

If you're not hosting servers, you do not need upnp or any open ports.

Put another way, are you unable to play the game normally?

Rafumfps · July 10, 2024, 2:00am

I know I can forward port 3074 manually in Port Forwards, and I’ve done this several times on OpenWrt. When I do, my NAT type becomes open instead of moderate, which allows me to find matches faster. However, I really want UPnP to work on OpenWrt.

Two weeks ago, my ISP gave me a public IP for testing, and the UPnP on OpenWrt worked perfectly. But when they reverted to CGNAT, it stopped working again.

psherman · July 10, 2024, 2:13am

As I stated previously, upnp doesn't work with CG-NAT. This is not an issue with OpenWrt. To be clear, upnp can be up and running and doing its thing, it will just have no effect because there is no inbound path from the internet > ISP > you (it's the ISP that is the limiting factor here).

This is my point, exactly... you need a public IP if you want this capability. This is not within your control if you have a CG-NAT. It doesn't matter what firmware you are running, this will always be true.

As an aside... upnp is actually not recommended because it actually creates potential security vulnerabilities in your network. This is because it operates silently without user/admin interaction/knowledge/notification. Although irrelevant in the case of CG-NAT, in general the recommendation is to manually configure port forwards so that you (as the administrator) know exactly what ports have been opened and for what purpose.

timur.davletshin · July 10, 2024, 7:59am

Specify STUN server in your UPnP settings (e.g.: stun.l.google.com, port: 19302). Should work after that.

Rafumfps · July 10, 2024, 3:15pm

I did what you told me but I still haven't been successful, maybe I'm missing something in my settings.

config upnpd 'config'
	option enabled '1'
	option download '1024'
	option upload '512'
	option internal_iface 'lan'
	option port '5000'
	option upnp_lease_file '/var/run/miniupnpd.leases'
	option igdv1 '1'
	option use_stun '1'
	option stun_host 'stun.l.google.com'
	option stun_port '19302'
	option uuid 'b0c14653-c6b9-42f8-b8f9-97c72629c896'

config perm_rule
	option action 'allow'
	option ext_ports '1024-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '1024-65535'
	option comment 'Allow high ports'

config perm_rule
	option action 'deny'
	option ext_ports '0-65535'
	option int_addr '0.0.0.0/0'
	option int_ports '0-65535'
	option comment 'Default deny'