UPnP bug in OpenWrt

AlanDias17 · September 6, 2019, 9:20pm

Router: TP-Link TL-WR841N/ND v8 4MB ROM with 32 MB RAM
Firmware Version: OpenWrt SNAPSHOT r10863-e1dcfe02b2 / LuCI Master (git-19.243.51105-2fab0ad)
Kernel Version: 4.14.138
Issue: Every time I launch qBitorrent software I get to see "Failed to add NAT-PMP" error in the system log.
Is this a known bug for a long time? I haven't found much info about it online, so I hope anyone here knows about this?
Also, my public IP address isn't static. I've forwarded all ports in firewall. Default firewall rules + Added rules for DSCP tagging but nothing else to interfere UPnP modules (as per my knowledge)
Log:

Sat Sep 7 01:38:45 2019 user.notice SQM: layer_cake.qos was started on pppoe-wan successfully
Sat Sep 7 01:38:46 2019 user.notice firewall: Reloading firewall due to ifup of wan (pppoe-wan)
Sat Sep 7 01:38:47 2019 daemon.err uhttpd[1575]: luci: accepted login on / for root from [192.168.1.101](https://192.168.1.101/)
Sat Sep 7 01:38:49 2019 [daemon.info](https://daemon.info/) dnsmasq[1581]: read /etc/hosts - 4 addresses
Sat Sep 7 01:38:49 2019 [daemon.info](https://daemon.info/) dnsmasq[1581]: read /tmp/hosts/dhcp.cfg01411c - 6 addresses
Sat Sep 7 01:38:49 2019 [daemon.info](https://daemon.info/) dnsmasq-dhcp[1581]: read /etc/ethers - 0 addresses
Sat Sep 7 01:38:49 2019 [daemon.info](https://daemon.info/) dnsmasq[1581]: using local addresses only for domain [zzhc.vnet.cn](https://zzhc.vnet.cn/)
Sat Sep 7 01:38:49 2019 [daemon.info](https://daemon.info/) dnsmasq[1581]: using local addresses only for domain [zy16eoat1w.com](https://zy16eoat1w.com/)
Sat Sep 7 01:38:49 2019 [daemon.info](https://daemon.info/) dnsmasq[1581]: using local addresses only for domain [zumobi.com](https://zumobi.com/)
Sat Sep 7 01:38:49 2019 [daemon.info](https://daemon.info/) dnsmasq[1581]: using local addresses only for domain [zqtk.net](https://zqtk.net/)
Sat Sep 7 01:38:49 2019 [daemon.info](https://daemon.info/) dnsmasq[1581]: using local addresses only for domain [zmedia.com](https://zmedia.com/)
Sat Sep 7 01:38:49 2019 [daemon.info](https://daemon.info/) dnsmasq[1581]: using local addresses only for domain [zlp6s.pw](https://zlp6s.pw/)
Sat Sep 7 01:38:49 2019 [daemon.info](https://daemon.info/) dnsmasq[1581]: using local addresses only for domain [zintext.com](https://zintext.com/)
Sat Sep 7 01:38:49 2019 [daemon.info](https://daemon.info/) dnsmasq[1581]: using local addresses only for domain [zeusclicks.com](https://zeusclicks.com/)
Sat Sep 7 01:38:49 2019 [daemon.info](https://daemon.info/) dnsmasq[1581]: using nameserver [1.1.1.1#53](https://1.1.1.1/#53)
Sat Sep 7 01:38:49 2019 [daemon.info](https://daemon.info/) dnsmasq[1581]: using 4146 more local addresses
Sat Sep 7 01:38:51 2019 [user.info](https://user.info/) adblock-3.8.4[11611]: blocklist with overall 4147 domains loaded successfully (TP-Link TL-WR841N/ND v8, OpenWrt SNAPSHOT r10863-e1dcfe02b2)
Sat Sep 7 01:41:20 2019 daemon.err miniupnpd[2129]: Failed to add NAT-PMP 8999 tcp->[192.168.1.101:8999](https://192.168.1.101:8999/) 'NAT-PMP 8999 tcp' <-------
Sat Sep 7 01:41:20 2019 daemon.err miniupnpd[2129]: Failed to add NAT-PMP 8999 udp->[192.168.1.101:8999](https://192.168.1.101:8999/) 'NAT-PMP 8999 udp' <------- THIS
Sat Sep 7 01:41:25 2019 daemon.err uhttpd[1575]: luci: accepted login on / for root from [192.168.1.101](https://192.168.1.101/)

P.S. My router's CPU supports 533 MHz & have plentyyy of free RAM for other modules to work properly (minimum total available is always 5 MB). Will the CPU cause even slight bottleneck to day to day surfing & watching videos? Especially sending & receiving game UDP packets?

eduperez · September 6, 2019, 10:12pm

Can you post your firewall config here, please? I suspect your "I've forwarded all ports in firewall" could be the issue.

AlanDias17 · September 7, 2019, 2:09pm

Sorry for the delay I've only added port forwarding rule DMZ 0-65535 for both TCP/UDP from Luci-GUI (For a test)
Firewall:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config redirect
	option src 'wan'
	option name 'DMZ'
	option src_dport '0-65535'
	option target 'DNAT'
	option dest 'lan'
	option proto 'tcp udp'

lleachii · September 7, 2019, 2:36pm

@AlanDias17, welcome to the community!

This "DMZ rule" would definitely conflict with any other port you attempt to open, correct?

Have you tried disabling it?

AlanDias17 · September 7, 2019, 3:19pm

Tried disabling DMZ rule. Didn't help it still shows same "Failed to add NAT-PMP" error after launching qBitorrent

lleachii · September 7, 2019, 4:53pm

You have NAT-PMP installed?

AlanDias17 · September 7, 2019, 5:12pm

How I can verify that? While making custom build I made sure I've selected all necessary modules & their dependencies.

stangri · September 7, 2019, 5:26pm

cat /etc/config/upnpd

Ah, but also, opkg list-installed miniupnpd

AlanDias17 · September 7, 2019, 5:29pm

cat /etc/config/upnpd
Ouput :

config upnpd 'config'
        option download '1024'
        option upload '512'
        option internal_iface 'lan'
        option port '5000'
        option upnp_lease_file '/var/run/miniupnpd.leases'
        option enabled '1'
        option uuid 'cb8afc63-f9f0-420f-9bc4-36dc9e842cb0'

config perm_rule
        option action 'allow'
        option ext_ports '1024-65535'
        option int_addr '0.0.0.0/0'
        option int_ports '1024-65535'
        option comment 'Allow high ports'

config perm_rule
        option action 'deny'
        option ext_ports '0-65535'
        option int_addr '0.0.0.0/0'
        option int_ports '0-65535'
        option comment 'Default deny'

Edit: Well, "opkg list-installed" didn't give me any output. I remember I had enabled 'remove ipkg/opkg status data files in final images'

stangri · September 7, 2019, 5:30pm

uci set upnpd.config.enable_natpmp='1'; uci commit; /etc/init.d/miniupnpd restart

AlanDias17 · September 7, 2019, 5:36pm

Tried & now the output is:

config upnpd 'config'
        option download '1024'
        option upload '512'
        option internal_iface 'lan'
        option port '5000'
        option upnp_lease_file '/var/run/miniupnpd.leases'
        option enabled '1'
        option uuid 'cb8afc63-f9f0-420f-9bc4-36dc9e842cb0'
        option enable_natpmp '1'             <------- New entry added
config perm_rule
        option action 'allow'
        option ext_ports '1024-65535'
        option int_addr '0.0.0.0/0'
        option int_ports '1024-65535'
        option comment 'Allow high ports'

config perm_rule
        option action 'deny'
        option ext_ports '0-65535'
        option int_addr '0.0.0.0/0'
        option int_ports '0-65535'
        option comment 'Default deny'

Will restart my router & update the status
Update: Didn't work. "Failed to add NAT-PMP" same thing. Btw does this have to do this with my dynamic public address?

AlanDias17 · September 7, 2019, 6:05pm

This is my menu config file:
Config.txt
Files in "/lib/modules/4.14.138/"

act_connmark.ko            sch_htb.ko
act_mirred.ko              sch_ingress.ko
act_skbedit.ko             sch_tbf.ko
cls_basic.ko               slhc.ko
cls_flow.ko                ts_bm.ko
cls_fw.ko                  ts_fsm.ko
cls_matchall.ko            ts_kmp.ko
cls_route.ko               x_tables.ko
cls_tcindex.ko             xt_CLASSIFY.ko
cls_u32.ko                 xt_CT.ko
compat_xtables.ko          xt_DSCP.ko
crc-ccitt.ko               xt_FLOWOFFLOAD.ko
crypto_acompress.ko        xt_HL.ko
em_u32.ko                  xt_IPMARK.ko
gpio-button-hotplug.ko     xt_LOG.ko
ifb.ko                     xt_NETMAP.ko
ip_tables.ko               xt_NFQUEUE.ko
ipt_ECN.ko                 xt_REDIRECT.ko
ipt_MASQUERADE.ko          xt_TCPMSS.ko
ipt_REJECT.ko              xt_TEE.ko
ipt_ah.ko                  xt_addrtype.ko
iptable_filter.ko          xt_bpf.ko
iptable_mangle.ko          xt_cluster.ko
iptable_nat.ko             xt_comment.ko
iptable_raw.ko             xt_condition.ko
lz4.ko                     xt_connbytes.ko
lz4_compress.ko            xt_connlimit.ko
lz4_decompress.ko          xt_connmark.ko
lzo.ko                     xt_conntrack.ko
lzo_compress.ko            xt_dscp.ko
lzo_decompress.ko          xt_ecn.ko
nf_conntrack.ko            xt_esp.ko
nf_conntrack_ipv4.ko       xt_helper.ko
nf_conntrack_rtcache.ko    xt_hl.ko
nf_defrag_ipv4.ko          xt_iprange.ko
nf_dup_ipv4.ko             xt_length.ko
nf_flow_table.ko           xt_limit.ko
nf_flow_table_hw.ko        xt_mac.ko
nf_log_common.ko           xt_mark.ko
nf_log_ipv4.ko             xt_multiport.ko
nf_nat.ko                  xt_nat.ko
nf_nat_ipv4.ko             xt_owner.ko
nf_nat_masquerade_ipv4.ko  xt_pkttype.ko
nf_nat_redirect.ko         xt_quota.ko
nf_reject_ipv4.ko          xt_recent.ko
nfnetlink.ko               xt_state.ko
nfnetlink_queue.ko         xt_statistic.ko
ppp_async.ko               xt_string.ko
ppp_generic.ko             xt_tcpmss.ko
pppoe.ko                   xt_tcpudp.ko
pppox.ko                   xt_time.ko
sch_cake.ko                zram.ko
sch_hfsc.ko                zsmalloc.ko

Am I missing something?

AlanDias17 · September 7, 2019, 7:48pm

Haven't installed that specific module. Is it required? Bcz in Luci-app-upnp page it hasn't listed in the dependencies.

Dependencies:libc, libssp, miniupnpd

stangri · September 7, 2019, 7:50pm

Still have that DMZ redirect in the firewall?

AlanDias17 · September 7, 2019, 7:55pm

Toggled it & restarted the router. Didn't work
As lleachii pointed out, do I need to install baresip-mod-natpmp?

AlanDias17 · September 7, 2019, 9:31pm

So I enabled 'Enable additional logging' option in UPnP. Cleared all the log, restarted qBitorrent client & kept it open.
Extra Log:

Sun Sep  8 02:52:09 2019 daemon.err uhttpd[1614]: luci: accepted login on / for root from 192.168.1.101
Sun Sep  8 02:52:17 2019 daemon.debug miniupnpd[10441]: level=0 type=8
Sun Sep  8 02:52:17 2019 daemon.debug miniupnpd[10441]: ifindex = 6  192.168.1.1
Sun Sep  8 02:52:17 2019 daemon.debug miniupnpd[10441]: ST: urn:dial-multiscreen-org:service:dial:1 (ver=1)
Sun Sep  8 02:52:17 2019 daemon.info miniupnpd[10441]: SSDP M-SEARCH from 192.168.1.101:53881 ST: urn:dial-multiscreen-org:service:dial:1
Sun Sep  8 02:52:18 2019 daemon.debug miniupnpd[10441]: level=0 type=8
Sun Sep  8 02:52:18 2019 daemon.debug miniupnpd[10441]: ifindex = 6  192.168.1.1
Sun Sep  8 02:52:18 2019 daemon.debug miniupnpd[10441]: ST: urn:dial-multiscreen-org:service:dial:1 (ver=1)
Sun Sep  8 02:52:18 2019 daemon.info miniupnpd[10441]: SSDP M-SEARCH from 192.168.1.101:53881 ST: urn:dial-multiscreen-org:service:dial:1
Sun Sep  8 02:52:19 2019 daemon.debug miniupnpd[10441]: level=0 type=8
Sun Sep  8 02:52:19 2019 daemon.debug miniupnpd[10441]: ifindex = 6  192.168.1.1
Sun Sep  8 02:52:19 2019 daemon.debug miniupnpd[10441]: ST: urn:dial-multiscreen-org:service:dial:1 (ver=1)
Sun Sep  8 02:52:19 2019 daemon.info miniupnpd[10441]: SSDP M-SEARCH from 192.168.1.101:53881 ST: urn:dial-multiscreen-org:service:dial:1
Sun Sep  8 02:52:20 2019 daemon.debug miniupnpd[10441]: level=0 type=8
Sun Sep  8 02:52:20 2019 daemon.debug miniupnpd[10441]: ifindex = 6  192.168.1.1
Sun Sep  8 02:52:20 2019 daemon.debug miniupnpd[10441]: ST: urn:dial-multiscreen-org:service:dial:1 (ver=1)
Sun Sep  8 02:52:20 2019 daemon.info miniupnpd[10441]: SSDP M-SEARCH from 192.168.1.101:53881 ST: urn:dial-multiscreen-org:service:dial:1
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: level=0 type=8
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: ifindex = 6  192.168.1.1
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: ST: upnp:rootdevice (ver=0)
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: SSDP M-SEARCH from 192.168.1.101:59798 ST: upnp:rootdevice
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: Single search found
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: SendSSDPResponse(): 0 bytes to 192.168.1.101:59798 ST: HTTP/1.1 200 OK
 CACHE-CONTROL: max-age=120
 ST: upnp:rootdevice
 USN: uuid:cb8afc63-f9f0-420f-9bc4-36dc9e842cb0::upnp:rootdevice
 EXT:
 SERVER: OpenWRT/SNAPSHOT UPnP/1.1 MiniUPnPd/2.1
 LOCATION: http://192.168.1.1:5000/rootDesc.xml
 OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
 01-NLS: 1567891141
 BOOTID.UPNP.ORG: 1567891141
 CONFIGID.UPNP.ORG: 1337
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: NAT-PMP request received from 192.168.1.101:59800 2bytes
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: NAT-PMP public address request
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: level=0 type=8
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: ifindex = 6  192.168.1.1
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: ST: upnp:rootdevice (ver=0)
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: SSDP M-SEARCH from 192.168.1.101:1900 ST: upnp:rootdevice
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: Single search found
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: SendSSDPResponse(): 0 bytes to 192.168.1.101:1900 ST: HTTP/1.1 200 OK
 CACHE-CONTROL: max-age=120
 ST: upnp:rootdevice
 USN: uuid:cb8afc63-f9f0-420f-9bc4-36dc9e842cb0::upnp:rootdevice
 EXT:
 SERVER: OpenWRT/SNAPSHOT UPnP/1.1 MiniUPnPd/2.1
 LOCATION: http://192.168.1.1:5000/rootDesc.xml
 OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
 01-NLS: 1567891141
 BOOTID.UPNP.ORG: 1567891141
 CONFIGID.UPNP.ORG: 1337
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: NAT-PMP request received from 192.168.1.101:59800 12bytes
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: NAT-PMP port mapping request : 8999->192.168.1.101:8999 tcp lifetime=3600s
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: UPnP permission rule 0 matched : port mapping accepted
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Check protocol tcp for port 8999 on ext_if pppoe-wan **Hidden Public IP**, AC101594
Sun Sep  8 02:52:22 2019 daemon.err miniupnpd[10441]: Failed to add NAT-PMP 8999 tcp->192.168.1.101:8999 'NAT-PMP 8999 tcp'
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: NAT-PMP request received from 192.168.1.101:59800 12bytes
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: NAT-PMP port mapping request : 8999->192.168.1.101:8999 udp lifetime=3600s
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: UPnP permission rule 0 matched : port mapping accepted
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Check protocol udp for port 8999 on ext_if pppoe-wan **Hidden Public IP**, AC101594
Sun Sep  8 02:52:22 2019 daemon.err miniupnpd[10441]: Failed to add NAT-PMP 8999 udp->192.168.1.101:8999 'NAT-PMP 8999 udp'
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: HTTP REQUEST from 192.168.1.101:58437 : GET /rootDesc.xml (HTTP/1.1)
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Host: 192.168.1.1:5000
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: HTTP REQUEST from 192.168.1.101:58438 : POST /ctl/IPConn (HTTP/1.1)
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Host: 192.168.1.1:5000
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:2#GetExternalIPAddress
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: Returning UPnPError 501: Action Failed
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: HTTP REQUEST from 192.168.1.101:58439 : POST /ctl/IPConn (HTTP/1.1)
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Host: 192.168.1.1:5000
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:2#AddPortMapping
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: AddPortMapping: ext port 8999 to 192.168.1.101:8999 protocol TCP for: qBittorrent/4.1.7 at 192.168.1.101:8999 leaseduration=604800 rhost=
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: UPnP permission rule 0 matched : port mapping accepted
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Check protocol tcp for port 8999 on ext_if pppoe-wan **Hidden Public IP**, AC101594
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: redirecting port 8999 to 192.168.1.101:8999 protocol TCP for: qBittorrent/4.1.7 at 192.168.1.101:8999
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: Returning UPnPError 501: ActionFailed
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: HTTP REQUEST from 192.168.1.101:58440 : POST /ctl/IPConn (HTTP/1.1)
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Host: 192.168.1.1:5000
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:2#AddPortMapping
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: AddPortMapping: ext port 49334 to 192.168.1.101:8999 protocol TCP for: qBittorrent/4.1.7 at 192.168.1.101:8999 leaseduration=604800 rhost=
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: UPnP permission rule 0 matched : port mapping accepted
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Check protocol tcp for port 49334 on ext_if pppoe-wan **Hidden Public IP**, AC101594
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: redirecting port 49334 to 192.168.1.101:8999 protocol TCP for: qBittorrent/4.1.7 at 192.168.1.101:8999
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: Returning UPnPError 501: ActionFailed
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: HTTP REQUEST from 192.168.1.101:58441 : POST /ctl/IPConn (HTTP/1.1)
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Host: 192.168.1.1:5000
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:2#AddPortMapping
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: AddPortMapping: ext port 49525 to 192.168.1.101:8999 protocol TCP for: qBittorrent/4.1.7 at 192.168.1.101:8999 leaseduration=604800 rhost=
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: UPnP permission rule 0 matched : port mapping accepted
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Check protocol tcp for port 49525 on ext_if pppoe-wan **Hidden Public IP**, AC101594
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: redirecting port 49525 to 192.168.1.101:8999 protocol TCP for: qBittorrent/4.1.7 at 192.168.1.101:8999
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: Returning UPnPError 501: ActionFailed
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: HTTP REQUEST from 192.168.1.101:58442 : POST /ctl/IPConn (HTTP/1.1)
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Host: 192.168.1.1:5000
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:2#AddPortMapping
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: AddPortMapping: ext port 44906 to 192.168.1.101:8999 protocol TCP for: qBittorrent/4.1.7 at 192.168.1.101:8999 leaseduration=604800 rhost=
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: UPnP permission rule 0 matched : port mapping accepted
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Check protocol tcp for port 44906 on ext_if pppoe-wan **Hidden Public IP**, AC101594
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: redirecting port 44906 to 192.168.1.101:8999 protocol TCP for: qBittorrent/4.1.7 at 192.168.1.101:8999
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: Returning UPnPError 501: ActionFailed
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: HTTP REQUEST from 192.168.1.101:58443 : POST /ctl/IPConn (HTTP/1.1)
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Host: 192.168.1.1:5000
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:2#AddPortMapping
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: AddPortMapping: ext port 40718 to 192.168.1.101:8999 protocol TCP for: qBittorrent/4.1.7 at 192.168.1.101:8999 leaseduration=604800 rhost=
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: UPnP permission rule 0 matched : port mapping accepted
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Check protocol tcp for port 40718 on ext_if pppoe-wan **Hidden Public IP**, AC101594
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: redirecting port 40718 to 192.168.1.101:8999 protocol TCP for: qBittorrent/4.1.7 at 192.168.1.101:8999
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: Returning UPnPError 501: ActionFailed
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: HTTP REQUEST from 192.168.1.101:58444 : POST /ctl/IPConn (HTTP/1.1)
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Host: 192.168.1.1:5000
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:2#AddPortMapping
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: AddPortMapping: ext port 8999 to 192.168.1.101:8999 protocol UDP for: qBittorrent/4.1.7 at 192.168.1.101:8999 leaseduration=604800 rhost=
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: UPnP permission rule 0 matched : port mapping accepted
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Check protocol udp for port 8999 on ext_if pppoe-wan **Hidden Public IP**, AC101594
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: redirecting port 8999 to 192.168.1.101:8999 protocol UDP for: qBittorrent/4.1.7 at 192.168.1.101:8999
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: Returning UPnPError 501: ActionFailed
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: HTTP REQUEST from 192.168.1.101:58445 : POST /ctl/IPConn (HTTP/1.1)
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Host: 192.168.1.1:5000
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:2#AddPortMapping
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: AddPortMapping: ext port 48831 to 192.168.1.101:8999 protocol UDP for: qBittorrent/4.1.7 at 192.168.1.101:8999 leaseduration=604800 rhost=
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: UPnP permission rule 0 matched : port mapping accepted
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Check protocol udp for port 48831 on ext_if pppoe-wan **Hidden Public IP**, AC101594
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: redirecting port 48831 to 192.168.1.101:8999 protocol UDP for: qBittorrent/4.1.7 at 192.168.1.101:8999
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: Returning UPnPError 501: ActionFailed
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: HTTP REQUEST from 192.168.1.101:58446 : POST /ctl/IPConn (HTTP/1.1)
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Host: 192.168.1.1:5000
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:2#AddPortMapping
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: AddPortMapping: ext port 46066 to 192.168.1.101:8999 protocol UDP for: qBittorrent/4.1.7 at 192.168.1.101:8999 leaseduration=604800 rhost=
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: UPnP permission rule 0 matched : port mapping accepted
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Check protocol udp for port 46066 on ext_if pppoe-wan **Hidden Public IP**, AC101594
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: redirecting port 46066 to 192.168.1.101:8999 protocol UDP for: qBittorrent/4.1.7 at 192.168.1.101:8999
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: Returning UPnPError 501: ActionFailed
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: HTTP REQUEST from 192.168.1.101:58447 : POST /ctl/IPConn (HTTP/1.1)
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Host: 192.168.1.1:5000
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:2#AddPortMapping
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: AddPortMapping: ext port 42935 to 192.168.1.101:8999 protocol UDP for: qBittorrent/4.1.7 at 192.168.1.101:8999 leaseduration=604800 rhost=
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: UPnP permission rule 0 matched : port mapping accepted
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Check protocol udp for port 42935 on ext_if pppoe-wan **Hidden Public IP**, AC101594
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: redirecting port 42935 to 192.168.1.101:8999 protocol UDP for: qBittorrent/4.1.7 at 192.168.1.101:8999
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: Returning UPnPError 501: ActionFailed
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: HTTP REQUEST from 192.168.1.101:58448 : POST /ctl/IPConn (HTTP/1.1)
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Host: 192.168.1.1:5000
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:2#AddPortMapping
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: AddPortMapping: ext port 42045 to 192.168.1.101:8999 protocol UDP for: qBittorrent/4.1.7 at 192.168.1.101:8999 leaseduration=604800 rhost=
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: UPnP permission rule 0 matched : port mapping accepted
Sun Sep  8 02:52:22 2019 daemon.debug miniupnpd[10441]: Check protocol udp for port 42045 on ext_if pppoe-wan **Hidden Public IP**, AC101594
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: redirecting port 42045 to 192.168.1.101:8999 protocol UDP for: qBittorrent/4.1.7 at 192.168.1.101:8999
Sun Sep  8 02:52:22 2019 daemon.info miniupnpd[10441]: Returning UPnPError 501: ActionFailed
Sun Sep  8 02:52:24 2019 daemon.debug miniupnpd[10441]: level=0 type=8
Sun Sep  8 02:52:24 2019 daemon.debug miniupnpd[10441]: ifindex = 6  192.168.1.1
Sun Sep  8 02:52:24 2019 daemon.debug miniupnpd[10441]: ST: upnp:rootdevice (ver=0)
Sun Sep  8 02:52:24 2019 daemon.info miniupnpd[10441]: SSDP M-SEARCH from 192.168.1.101:59798 ST: upnp:rootdevice
Sun Sep  8 02:52:24 2019 daemon.info miniupnpd[10441]: Single search found
Sun Sep  8 02:52:24 2019 daemon.debug miniupnpd[10441]: SendSSDPResponse(): 0 bytes to 192.168.1.101:59798 ST: HTTP/1.1 200 OK
 CACHE-CONTROL: max-age=120
 ST: upnp:rootdevice
 USN: uuid:cb8afc63-f9f0-420f-9bc4-36dc9e842cb0::upnp:rootdevice
 EXT:
 SERVER: OpenWRT/SNAPSHOT UPnP/1.1 MiniUPnPd/2.1
 LOCATION: http://192.168.1.1:5000/rootDesc.xml
 OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
 01-NLS: 1567891141
 BOOTID.UPNP.ORG: 1567891141
 CONFIGID.UPNP.ORG: 1337
Sun Sep  8 02:52:24 2019 daemon.debug miniupnpd[10441]: level=0 type=8
Sun Sep  8 02:52:24 2019 daemon.debug miniupnpd[10441]: ifindex = 6  192.168.1.1
Sun Sep  8 02:52:24 2019 daemon.debug miniupnpd[10441]: ST: upnp:rootdevice (ver=0)
Sun Sep  8 02:52:24 2019 daemon.info miniupnpd[10441]: SSDP M-SEARCH from 192.168.1.101:1900 ST: upnp:rootdevice
Sun Sep  8 02:52:24 2019 daemon.info miniupnpd[10441]: Single search found
Sun Sep  8 02:52:24 2019 daemon.debug miniupnpd[10441]: SendSSDPResponse(): 0 bytes to 192.168.1.101:1900 ST: HTTP/1.1 200 OK
 CACHE-CONTROL: max-age=120
 ST: upnp:rootdevice
 USN: uuid:cb8afc63-f9f0-420f-9bc4-36dc9e842cb0::upnp:rootdevice
 EXT:
 SERVER: OpenWRT/SNAPSHOT UPnP/1.1 MiniUPnPd/2.1
 LOCATION: http://192.168.1.1:5000/rootDesc.xml
 OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
 01-NLS: 1567891141
 BOOTID.UPNP.ORG: 1567891141
 CONFIGID.UPNP.ORG: 1337

Any thoughts?

vgaetera · September 7, 2019, 9:37pm

Did you consider to add a static port redirect?

Check the runtime configuration:

iptables-save; lsmod

AlanDias17 · September 7, 2019, 9:53pm

# Generated by iptables-save v1.8.3 on Sun Sep  8 03:15:01 2019
*raw
:PREROUTING ACCEPT [17950:5167079]
:OUTPUT ACCEPT [7535:2616772]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Sun Sep  8 03:15:01 2019
# Generated by iptables-save v1.8.3 on Sun Sep  8 03:15:01 2019
*nat
:PREROUTING ACCEPT [809:137095]
:INPUT ACCEPT [277:23792]
:OUTPUT ACCEPT [184:17495]
:POSTROUTING ACCEPT [55:8363]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp -m comment --comment "!fw3: DMZ" -j REDIRECT --to-ports 0-65535
-A zone_wan_prerouting -p udp -m udp -m comment --comment "!fw3: DMZ" -j REDIRECT --to-ports 0-65535
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Sun Sep  8 03:15:01 2019
# Generated by iptables-save v1.8.3 on Sun Sep  8 03:15:01 2019
*mangle
:PREROUTING ACCEPT [17973:5167999]
:INPUT ACCEPT [6423:572579]
:FORWARD ACCEPT [11540:4595063]
:OUTPUT ACCEPT [7558:2621244]
:POSTROUTING ACCEPT [19099:7216359]
:dscp_mark - [0:0]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A FORWARD -j dscp_mark
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A dscp_mark -p icmp -j DSCP --set-dscp 0x28
-A dscp_mark -p udp -m udp --sport 6015 -j DSCP --set-dscp 0x2e
-A dscp_mark -p udp -m udp --sport 3074 -j DSCP --set-dscp 0x2e
-A dscp_mark -p udp -m udp --sport 10000:10099 -j DSCP --set-dscp 0x2e
-A dscp_mark -p udp -m udp --dport 6015 -j DSCP --set-dscp 0x2e
-A dscp_mark -p udp -m udp --dport 3074 -j DSCP --set-dscp 0x2e
-A dscp_mark -p udp -m udp --dport 10000:10099 -j DSCP --set-dscp 0x2e
-A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
-A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
-A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Sun Sep  8 03:15:01 2019
# Generated by iptables-save v1.8.3 on Sun Sep  8 03:15:01 2019
*filter
:INPUT ACCEPT [26:4238]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Sep  8 03:15:01 2019

This will ofc show me on Luci status>firewall right?
I can see 'MINIUPNPD' entry in multiple chains BUT 'Chain MINIUPNPD' & 'Chain MINIUPNPD-POSTROUTING' entries are empty. Means it didn't add 8999 port at all

Edited:

Did you consider to add a static port redirect?

Yes I did. As I've mentioned my internal IP is static but not the public IP.

vgaetera · September 8, 2019, 12:45am

It doesn't matter whether your WAN IP is static or not, but LAN IP matters.
UPnP is only useful when your LAN client doesn't have a static IP or when you need many dynamic redirects.

AlanDias17 · September 8, 2019, 3:12pm

Ah yes for dynamic redirects but what do you think where the problem lies? I've uploaded my menu config if possible can you compare it with your config? Am I missing any dependency?