Unable to start upnpd on OpenWrt 22.03.5: /etc/init.d/miniupnpd start fails

I'm using
ubus call system board


{
        "kernel": "5.10.176",
        "hostname": "OpenWrt",
        "system": "Intel(R) Core(TM) i7-10700 CPU @ 2.90GHz",
        "model": "innotek GmbH VirtualBox",
        "board_name": "innotek-gmbh-virtualbox",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "22.03.5",
                "revision": "r20134-5f15225c1e",
                "target": "x86/64",
                "description": "OpenWrt 22.03.5 r20134-5f15225c1e"
        }
}

netstat -lnp | grep 137; netstat -lnp | grep 1900

shows empty

Output of upnpd


config upnpd 'config'
        option enabled '1'
        option enable_natpmp '1'
        option enable_upnp '1'
        option secure_mode '1'
        option log_output '0'
        option download '1024'
        option upload '512'
        option external_iface 'wan'
        option internal_iface 'lan'
        option port '5000'
        option upnp_lease_file '/var/run/miniupnpd.leases'
        option igdv1 '1'
        option uuid 'df6ac405-1934-4ba1-a078-f9f88368c694'

config perm_rule
        option action 'allow'
        option ext_ports '1024-65535'
        option int_addr '0.0.0.0/0'
        option int_ports '0-65535'
        option comment 'Allow all ports'

config perm_rule
        option action 'deny'
        option ext_ports '0-65535'
        option int_addr '0.0.0.0/0'
        option int_ports '0-65535'
        option comment 'Default deny'

Output of firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'mng'
        option name 'mng'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

this version is EOL and unsupported.
You should upgrade to 23.05.


To be clear, this will only happen if and when a client device on your network requests that a port be opened/forwarded. Have you started an application or service that will send a UPnP request to the router?

Is there an easy upgrade path, such as using the LuCI web UI, or do I need to reinstall the whole VM? Can I just upload the .img file? Thank you for your reply.

Yes. nmap on port 1900 is not picking it up and reports the port as closed. The service should show as open or listening, and it should respond to discovery messages (active/passive) sent with the M-SEARCH command.

The service should not respond to unicast probes such as nmap's, and diverts do not appear in netstat but in conntrack -L.

Also, the link https://archive.openwrt.org/releases/23.05.0/targets/x86/64/openwrt-23.05.0-x86-64-generic-ext4-combined.img.gz appears to be broken: the file it downloads is corrupted.

https://firmware-selector.openwrt.org/?version=23.05.3&target=x86%2F64&id=generic


I don't have 'conntrack -L' installed. Also, this is failing on OpenWrt:

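# Send one SSDP M-SEARCH discovery request to the host at 192.168.0.168 on
# UDP port 1900 to check whether a UPnP daemon answers.
# The format string is single-quoted so that the double quotes around
# ssdp:discover reach the wire. Inside a double-quoted echo string they would
# end and reopen the string, and the shell would drop them, sending the Man
# header unquoted; the UPnP discovery format writes the value with the quotes.
# printf also interprets \r\n consistently, unlike `echo -ne` across shells.
# NOTE(review): the request goes to a unicast address while the Host header
# names the SSDP multicast group; confirm the daemon is running and listening
# before reading a missing reply as a protocol problem.
printf 'M-SEARCH * HTTP/1.1\r\nHost: 239.255.255.250:1900\r\nMan: "ssdp:discover"\r\nMX: 5\r\nST: ssdp:all\r\n\r\n' | nc -u 192.168.0.168 1900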

On my main router, the service responds as expected. Also, when I run a UDP scan against port 1900 only, it gives the same answer, and I'm getting an error when starting the daemon, so I have no reason to believe the service is ready at the socket level.

Thank you but I'm getting same errors

root@OpenWrt:~# /etc/init.d/miniupnpd restart
Section @rule[7] (Allow-IPSec-ESP) option 'dest' specifies invalid value 'lan'
Section @rule[7] (Allow-IPSec-ESP) skipped due to invalid options
Section @rule[8] (Allow-ISAKMP) option 'dest' specifies invalid value 'lan'
Section @rule[8] (Allow-ISAKMP) skipped due to invalid options
Section @forwarding[0] option 'src' specifies invalid value 'lan'
Section @forwarding[0] skipped due to invalid options
Section miniupnpd option 'family' is not supported by fw4
Section miniupnpd option 'reload' is not supported by fw4

Include '/usr/share/miniupnpd/firewall.include' failed with exit code -9
root@OpenWrt:~#

Let's see the upnp config file again as well as the /etc/config/network file.

FWIW, I have never used upnp (I consider it a security threat vector that I prefer to avoid), but I'll try to help where I can.


I agree with your viewpoint. I'm doing some security testing of UPnP, which is why I want to configure it.

cat /etc/config/network
root@OpenWrt:~# cat /etc/config/upnpd 
config upnpd 'config'
        option enabled '1'
        option enable_natpmp '1'
        option enable_upnp '1'
        option secure_mode '0'
        option log_output '0'
        option download '1024'
        option upload '512'
        option external_iface 'wan'
        option internal_iface 'lan'
        option port '5000'
#       option upnp_lease_file '/var/run/miniupnpd.leases'
        option igdv1 '1'
        option uuid 'df6ac405-1934-4ba1-a078-f9f88368c694'

config perm_rule
        option action 'allow'
        option ext_ports '1024-65535'
        option int_addr '0.0.0.0/0'
        option int_ports '0-65535'
        option comment 'Allow all ports'

config perm_rule
        option action 'deny'
        option ext_ports '0-65535'
        option int_addr '0.0.0.0/0'
        option int_ports '0-65535'
        option comment 'Default deny'

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'mng'
        option name 'mng'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'


let's try again...

cat /etc/config/network

I shared a fresh copy of the network config after the upgrade; it's above your post.

Please check... what's there is not the network file.

Sorry, it was not updated. I have pasted a fresh copy now.

still not there... you've got the upnp and firewall files... not the network file.


root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdc6:80e1:666e::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config interface 'mng'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.56.2'
        option netmask '255.255.255.0'