Problem authorizing Spotify app

Hi,

Using GL.iNet Flint2 (GL-MT6000) with Openwrt 23.05.3.

On my homeserver, I've set up Logitech Media Server (LMS) with a squeezelite server. I've installed a Spotify plugin, but it has failed to authorize since I started using my new OpenWrt-based router. (This wasn't a problem with my previous ISP-supplied router, which I believe had UPnP.)

On the spotify LMS plugin page it says:

Spotify uses a random port for listening for connections that changes after reboot ... If running a firewall on the host you may need to disable or come up with a way to dynamically update your rules.

How can I do this?

Thanks

This is very unlikely to be related to openwrt, but let’s check your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

If you need to enable upnp, look at miniupnpd

https://openwrt.org/docs/guide-user/firewall/upnp/miniupnpd


I'd want to avoid resorting to upnp.

Here's what you asked for:

ubus call system board:

"kernel": "5.15.150",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "GL.iNet GL-MT6000",
	"board_name": "glinet,gl-mt6000",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.3",
		"revision": "r23809-234f1a2efa",
		"target": "mediatek/filogic",
		"description": "OpenWrt 23.05.3 r23809-234f1a2efa"

cat /etc/config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd70:aad0:aed6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config device
	option name 'lan1'
	option macaddr 'xxx'

config device
	option name 'lan2'
	option macaddr 'xxx'

config device
	option name 'lan3'
	option macaddr 'xxx'

config device
	option name 'lan4'
	option macaddr 'xxx'

config device
	option name 'lan5'
	option macaddr 'xxx'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth1'
	option macaddr 'xxx'

config interface 'wan'
	option device 'eth1'
	option proto 'pppoe'
	option username 'xxx'
	option password 'xxx'
	option ipv6 'auto'
	option peerdns '0'
	list dns '1.1.1.2'
	list dns '1.0.0.2'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config interface 'guest2'
	option proto 'static'
	option ipaddr '192.168.8.1'
	option netmask '255.255.255.0'

cat /etc/config/wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel '2'
	option band '2g'
	option htmode 'HT20'
	option country 'GB'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'nomad_home2G'
	option encryption 'psk2'
	option key 'xxx'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '140'
	option band '5g'
	option htmode 'HE20'
	option country 'GB'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'nomad_home5G'
	option encryption 'psk2'
	option key 'xxx'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'nomad_guest'
	option encryption 'psk2'
	option isolate '1'
	option key 'xxx'
	option network 'guest2'

cat /etc/config/dhcp:

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '0'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'
	option serversfile '/var/run/adblock-fast/dnsmasq.servers'
	option noresolv '0'
	option port '54'
	list server '192.168.1.1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	list dhcp_option '6,192.168.1.1'
	list dhcp_option '3,192.168.1.1'
	list dns 'fd70:aad0:aed6::1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config host
	option ip '192.168.1.100'
	option leasetime 'infinite'
	option name 'ss-mx-desktop'
	option duid '0004a1001e992d3d858538871ea133f9119e'
	list mac 'xxx'

config host
	option name 'pCP'
	option ip '192.168.1.117'
	list mac 'xxx'
	option leasetime 'infinite'

config host
	option name 'osmc'
	option ip '192.168.1.153'
	option mac 'xxx'

config host
	option name 'BRW0C96E62C311A'
	option ip '192.168.1.119'
	option mac 'xxx'

config dhcp 'guest2'
	option interface 'guest2'
	option start '100'
	option limit '150'
	option leasetime '12h'
	list dhcp_option '6,192.168.1.1'

cat /etc/config/firewall:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guestwifi'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guestwifi'
	option dest 'wan'

config rule
	option name 'guest-adguard'
	option src 'guestwifi'
	option dest 'lan'
	list dest_ip '192.168.1.1'
	option dest_port '53'
	option target 'ACCEPT'
	option enabled '0'

config zone
	option name 'guest2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest2'

config forwarding
	option src 'guest2'
	option dest 'wan'

config rule
	option name 'guest2-dhcp'
	list proto 'udp'
	option src 'guest2'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'guest2-dns'
	option src 'guest2'
	option dest_port '53'
	option target 'ACCEPT'

Looks like you have installed adguard. That may be blocking the services.

Ah yes, I forgot to mention, I'm also using AdGuard Home. I turned off its protection, though, and it made no difference to the Spotify app not authorizing. And I couldn't see anything being blocked in its query logs.

There is nothing else in your configuration that would cause any such issues. So it is either something with adguard or a system that actually needs upnp.

reach the internet on ports 80, 443, and 4070! You might have to add `5353/UDP`

I think that is all the author has stated as being required.

Reaching the internet does not require anything special. Being reachable from the internet would require adjustments. It isn’t clear what the system actually requires.

What I posted is what the author has stated are the requirements, so seems clear, unless mherger likes to obfuscate; but that would not be my take on that individual.

Edit: apropos ?

I wasn't paying attention to the last part of the instructions on the Spotty plugin.
To achieve authorization, I port forward 4070 (both tcp & udp?) and possibly 5353 udp? I tried this, but still have same problem.

Though do I also need to port forward 80 and 443 (tcp and udp)?
I'm a noob when it comes to routers and thought that these ports are already 'open' for applications.

EDIT:
What I did for port forwarding, for example 4070:

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'LMS-Spotty'
	option src 'wan'
	option src_dport '4070'
	option dest_ip '192.168.1.150'
	option dest_port '4070'
	list proto 'tcp'

192.168.1.150 is where LMS is located.

I think you need to install miniupnpd-nftables (not the iptables version) and luci-app-upnp and enable UPnP. At least, you said the old router worked that way.

After doing all sorts of digging around, and visiting the LMS forum, it turned out to be a DNS problem!

Cloudflare for Families (1.1.1.2) causes problems for LMS accessing their GitHub repos, though if I use the regular 1.1.1.1 it's fine.

Therefore, no need to open ports or use UPnP, and the 4070 port forward I added while testing can be removed again :slight_smile:

That was my thinking. I was surprised that upnp was apparently recommended, given that this does not usually require an inbound listening connection.

Glad that it is working!

Yeah, that was rude to ask for UPNP in post.

UPnP was neither recommended nor asked for; it seems rude to state that was actually the case.

This was the comment that I was referring to. Sorry if my mention about it as a possible request/requirement came across as rude or otherwise inappropriate or inaccurate.

