UPnP bug in OpenWrt

# Generated by iptables-save v1.8.3 on Sun Sep  8 03:15:01 2019
*raw
:PREROUTING ACCEPT [17950:5167079]
:OUTPUT ACCEPT [7535:2616772]
:zone_lan_helper - [0:0]
-A PREROUTING -i br-lan -m comment --comment "!fw3: lan CT helper assignment" -j zone_lan_helper
COMMIT
# Completed on Sun Sep  8 03:15:01 2019
# Generated by iptables-save v1.8.3 on Sun Sep  8 03:15:01 2019
*nat
:PREROUTING ACCEPT [809:137095]
:INPUT ACCEPT [277:23792]
:OUTPUT ACCEPT [184:17495]
:POSTROUTING ACCEPT [55:8363]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
-A PREROUTING -m comment --comment "!fw3: Custom prerouting rule chain" -j prerouting_rule
-A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -m comment --comment "!fw3: Custom postrouting rule chain" -j postrouting_rule
-A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_lan_postrouting -m comment --comment "!fw3: Custom lan postrouting rule chain" -j postrouting_lan_rule
-A zone_lan_prerouting -m comment --comment "!fw3: Custom lan prerouting rule chain" -j prerouting_lan_rule
-A zone_wan_postrouting -m comment --comment "!fw3: Custom wan postrouting rule chain" -j postrouting_wan_rule
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -m comment --comment "!fw3: Custom wan prerouting rule chain" -j prerouting_wan_rule
-A zone_wan_prerouting -p tcp -m tcp -m comment --comment "!fw3: DMZ" -j REDIRECT --to-ports 0-65535
-A zone_wan_prerouting -p udp -m udp -m comment --comment "!fw3: DMZ" -j REDIRECT --to-ports 0-65535
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
# Completed on Sun Sep  8 03:15:01 2019
# Generated by iptables-save v1.8.3 on Sun Sep  8 03:15:01 2019
*mangle
:PREROUTING ACCEPT [17973:5167999]
:INPUT ACCEPT [6423:572579]
:FORWARD ACCEPT [11540:4595063]
:OUTPUT ACCEPT [7558:2621244]
:POSTROUTING ACCEPT [19099:7216359]
:dscp_mark - [0:0]
:qos_Default - [0:0]
:qos_Default_ct - [0:0]
-A FORWARD -j dscp_mark
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A dscp_mark -p icmp -j DSCP --set-dscp 0x28
-A dscp_mark -p udp -m udp --sport 6015 -j DSCP --set-dscp 0x2e
-A dscp_mark -p udp -m udp --sport 3074 -j DSCP --set-dscp 0x2e
-A dscp_mark -p udp -m udp --sport 10000:10099 -j DSCP --set-dscp 0x2e
-A dscp_mark -p udp -m udp --dport 6015 -j DSCP --set-dscp 0x2e
-A dscp_mark -p udp -m udp --dport 3074 -j DSCP --set-dscp 0x2e
-A dscp_mark -p udp -m udp --dport 10000:10099 -j DSCP --set-dscp 0x2e
-A qos_Default -j CONNMARK --restore-mark --nfmask 0xf --ctmask 0xf
-A qos_Default -m mark --mark 0x0/0xf -j qos_Default_ct
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m length --length 0:500 -j MARK --set-xmark 0x22/0xff
-A qos_Default -p icmp -j MARK --set-xmark 0x11/0xff
-A qos_Default -p tcp -m mark --mark 0x0/0xf0 -m tcp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -p udp -m mark --mark 0x0/0xf0 -m udp --sport 1024:65535 --dport 1024:65535 -j MARK --set-xmark 0x44/0xff
-A qos_Default -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 22,53 -m comment --comment "ssh, dns" -j MARK --set-xmark 0x11/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 20,21,25,80,110,443,993,995 -m comment --comment "ftp, smtp, http(s), imap" -j MARK --set-xmark 0x33/0xff
-A qos_Default_ct -p tcp -m mark --mark 0x0/0xf -m tcp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -p udp -m mark --mark 0x0/0xf -m udp -m multiport --ports 5190 -m comment --comment "AOL, iChat, ICQ" -j MARK --set-xmark 0x22/0xff
-A qos_Default_ct -j CONNMARK --save-mark --nfmask 0xff --ctmask 0xff
COMMIT
# Completed on Sun Sep  8 03:15:01 2019
# Generated by iptables-save v1.8.3 on Sun Sep  8 03:15:01 2019
*filter
:INPUT ACCEPT [26:4238]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MINIUPNPD - [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
-A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
-A INPUT -m comment --comment "!fw3: Custom input rule chain" -j input_rule
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
-A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
-A INPUT -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_input
-A FORWARD -m comment --comment "!fw3: Custom forwarding rule chain" -j forwarding_rule
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
-A FORWARD -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_forward
-A FORWARD -m comment --comment "!fw3" -j reject
-A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -m comment --comment "!fw3: Custom output rule chain" -j output_rule
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
-A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
-A OUTPUT -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_output
-A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
-A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
-A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
-A syn_flood -m comment --comment "!fw3" -j DROP
-A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3: Custom lan forwarding rule chain" -j forwarding_lan_rule
-A zone_lan_forward -m comment --comment "!fw3: Zone lan to wan forwarding policy" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_input -m comment --comment "!fw3: Custom lan input rule chain" -j input_lan_rule
-A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
-A zone_lan_output -m comment --comment "!fw3: Custom lan output rule chain" -j output_lan_rule
-A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
-A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_ACCEPT -o pppoe-wan -m conntrack --ctstate INVALID -m comment --comment "!fw3: Prevent NAT leakage" -j DROP
-A zone_wan_dest_ACCEPT -o pppoe-wan -m comment --comment "!fw3" -j ACCEPT
-A zone_wan_dest_REJECT -o pppoe-wan -m comment --comment "!fw3" -j reject
-A zone_wan_forward -m comment --comment "!fw3: Custom wan forwarding rule chain" -j forwarding_wan_rule
-A zone_wan_forward -p esp -m comment --comment "!fw3: Allow-IPSec-ESP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "!fw3: Allow-ISAKMP" -j zone_lan_dest_ACCEPT
-A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
-A zone_wan_forward -j MINIUPNPD
-A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
-A zone_wan_input -m comment --comment "!fw3: Custom wan input rule chain" -j input_wan_rule
-A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
-A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
-A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
-A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
-A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
-A zone_wan_output -m comment --comment "!fw3: Custom wan output rule chain" -j output_wan_rule
-A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
-A zone_wan_src_REJECT -i pppoe-wan -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Sep  8 03:15:01 2019

This will of course show up under LuCI Status > Firewall, right?
I can see the 'MINIUPNPD' entry in multiple chains, but the 'Chain MINIUPNPD' and 'Chain MINIUPNPD-POSTROUTING' entries are empty. That means it didn't add port 8999 at all.

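The diagnosis above (referenced chains that hold no rules) can be checked mechanically. The following script is an added example, not code from the thread or from OpenWrt/fw3: it parses the iptables-save text format posted above and reports, for the nat table, which user chains are jumped to but empty, how many rules miniupnpd has installed, and whether a catch-all NAT rule earlier in the same chain sits in front of the jump to MINIUPNPD. The last check matters for the dump as posted: in zone_wan_prerouting the two "DMZ" REDIRECT rules (all TCP and all UDP ports, redirected to the router itself) come before `-j MINIUPNPD`, and NAT targets such as REDIRECT/DNAT are terminating, so a mapping miniupnpd did add would never be reached from the WAN. The sample dump is a trimmed copy of the nat table above; the "working" variant inserts one constructed DNAT rule (address 192.168.1.10 is made up; port 8999 is the one the poster expected).

```python
"""Audit an iptables-save dump for the miniupnpd chains (added example)."""
import re

# Constructed excerpt of the nat table from the dump above, unrelated chains trimmed.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [809:137095]
:POSTROUTING ACCEPT [55:8363]
:MINIUPNPD - [0:0]
:MINIUPNPD-POSTROUTING - [0:0]
:zone_wan_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
-A PREROUTING -i pppoe-wan -m comment --comment "!fw3" -j zone_wan_prerouting
-A POSTROUTING -o pppoe-wan -m comment --comment "!fw3" -j zone_wan_postrouting
-A zone_wan_postrouting -j MINIUPNPD-POSTROUTING
-A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
-A zone_wan_prerouting -p tcp -m tcp -m comment --comment "!fw3: DMZ" -j REDIRECT --to-ports 0-65535
-A zone_wan_prerouting -p udp -m udp -m comment --comment "!fw3: DMZ" -j REDIRECT --to-ports 0-65535
-A zone_wan_prerouting -j MINIUPNPD
COMMIT
"""

# Same dump with one constructed mapping, roughly what miniupnpd writes for a
# working redirect (192.168.1.10 is a made-up LAN host).
WORKING_DUMP = SAMPLE_DUMP.replace(
    "COMMIT",
    "-A MINIUPNPD -p tcp -m tcp --dport 8999 -j DNAT --to-destination 192.168.1.10:8999\nCOMMIT",
)

JUMP_RE = re.compile(r"\s-j\s+(\S+)")
PORT_MATCH_RE = re.compile(r"--(?:dport|dports|sport|sports)\s")
# Terminating NAT targets: once one matches, the rest of the chain is skipped
# for that connection (only the first packet of a connection visits the nat table).
NAT_TARGETS = {"REDIRECT", "DNAT", "SNAT", "MASQUERADE", "NETMAP"}


def parse_dump(text):
    """Return {table: {chain: [rule line, ...]}} from iptables-save output."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # "*nat" opens a table
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):               # ":CHAIN POLICY [pkts:bytes]"
            tables[table].setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):             # "-A CHAIN <matches> -j TARGET"
            tables[table].setdefault(line.split()[1], []).append(line)
        elif line == "COMMIT":
            table = None
    return tables


def empty_referenced_chains(table):
    """User chains that some rule jumps to but that contain no rules."""
    referenced = set()
    for rules in table.values():
        for rule in rules:
            m = JUMP_RE.search(rule)
            if m and m.group(1) in table:
                referenced.add(m.group(1))
    return sorted(name for name in referenced if not table[name])


def shadowed_jumps(table, target="MINIUPNPD"):
    """[(chain, rule)] for catch-all NAT rules that precede the jump to `target`
    in the same chain.  Heuristic: a rule is catch-all when it uses a terminating
    NAT target and carries no port match and no destination-address match."""
    findings = []
    for chain, rules in table.items():
        for i, rule in enumerate(rules):
            m = JUMP_RE.search(rule)
            if not (m and m.group(1) == target):
                continue
            for earlier in rules[:i]:
                em = JUMP_RE.search(earlier)
                if (em and em.group(1) in NAT_TARGETS
                        and not PORT_MATCH_RE.search(earlier)
                        and " -d " not in earlier):
                    findings.append((chain, earlier))
            break
    return findings


def audit(text):
    """Summarise the nat table of a dump."""
    nat = parse_dump(text).get("nat", {})
    return {
        "empty_chains": empty_referenced_chains(nat),
        "upnp_mappings": len(nat.get("MINIUPNPD", [])),
        "shadowed_by": [rule for _, rule in shadowed_jumps(nat)],
    }


if __name__ == "__main__":
    for label, dump in (("as posted", SAMPLE_DUMP), ("with one mapping", WORKING_DUMP)):
        print(label, audit(dump))
```

On a live router the same audit runs against `iptables-save` output piped into `audit()`; an empty `MINIUPNPD` chain means the daemon never installed a mapping (the 501 error discussed later), while a non-empty `shadowed_by` list means a mapping would be installed but a broader NAT rule in front of it wins.
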
Did you consider to add a static port redirect?

Yes I did. As I've mentioned my internal IP is static but not the public IP.

It doesn't matter whether your WAN IP is static or not, but LAN IP matters.
UPnP is only useful when your LAN client doesn't have a static IP or when you need many dynamic redirects.

Ah yes, for dynamic redirects, but where do you think the problem lies? I've uploaded my menuconfig; if possible, can you compare it with your config? Am I missing any dependency?

I suppose, those might be relevant to the problem:

CONFIG_KERNEL_IP_PNP
CONFIG_PACKAGE_kmod-nf-nathelper
CONFIG_PACKAGE_kmod-nf-nathelper-extra
CONFIG_PACKAGE_libnatpmp
CONFIG_PACKAGE_libupnp
CONFIG_PACKAGE_libupnpp
CONFIG_PACKAGE_natpmpc

But I don't use this feature.

Alright I'll give it a try

Okay, so I tried adding those modules except the last two:

CONFIG_PACKAGE_libupnpp
CONFIG_PACKAGE_natpmpc

because they were taking up so much space that I couldn't build the final image (even though I excluded as many not-so-important modules as I could).
So I'm out of options. Whereas I tried the LEDE 17.01.6 build from here: [UPDATE] LEDE 17.01.6 custom builds for TP-LINK WR841N(D) WR941N(D) WR743N(D) WR741N(D) WR740N(D) All Versions
and in his LEDE build UPnP worked!
So I just want to make it work in the latest OpenWrt build.

Isn't it a resource/performance issue? The 841 is low-end hardware, which does not guarantee basic stability; qBittorrent can be beyond the threshold.

I did the tests and it's fine for my daily internet speed. It'll only struggle if my speed goes beyond 10 Mbps. UPnP gives me a 501 Action Failed error. I think it's because I'm behind double NAT.

You should have opened with that. Do you have any sort of control over the higher link router?

My ISP is lying to me. I've been after them about this double NAT issue for two years and they say everything is fine on their side. They never block any port, that's what they say (a lie). In fact they are basically putting pressure on me to buy a static public IP from them. But that's a story for another day; I'll try to look into it.
Although, on LEDE the UPnP module works flawlessly. It just doesn't work on the latest build of OpenWrt.

If you don't have a public IP, then that's the issue. This [slightly] conflicts with your first post (since it doesn't make much sense for an ISP to double NAT 2+ public IPs).

This struck my curiosity, since "public" and "NAT" are different things. Although it's possible they're using a NAT pool with their publicly-issued IPs at a customer aggregation router, it just wastes more public IPs. Are you sure your IP doesn't begin with 100.x.x.x?

This would more align with ISP using Carrier-grade NAT.

Then that doesn't seem to be an issue, and you likely do have a public IP address. For testing, did you re-install that previous version?

On WAN the IP starts with 172, and if I google "What Is My IP Address" it starts with 103.
Yes, I tested the LEDE version last week; UPnP absolutely works.
Here's my post where one user had a similar problem and tried a STUN server to fix it:
UPNP bug in OpenWrt

172.16.0.0/12 (172.16.0.0 to 172.31.255.255) would be a private IP (RFC1918). While this range could be used for cgNAT, your ISP would deserve a whack over the head if they steal this range from their customers - that's what 100.64.0.0/10 is reserved for.

That however doesn't change the fact that you don't have a globally routable ('public') IP, but are behind some kind of (cg)NAT, which means there is no way to open ports to the outside or to access your router from the open internet. In the least bad case, you'd at least have an IPv6 prefix (DS-Lite) as well, which might give you at least the opportunity to use your device's IPv6 address instead.

Agreed. But is there a way I can compile an older version of the UPnP module with the latest OpenWrt build?

You can build it, but it won't (can't) work (without a public IP address).

Then how come it works in LEDE version?

Maybe a bit off topic...
But I'll leave this here for people that have to use a double NAT setup.
For example, if you have to use your ISP router and your OpenWrt box behind it.

UPnP also passes the public IP as info to the clients.
(I'm sure the PS4 uses this info.)
In a double NAT setup this will not work (because a private IP is passed over to the clients).
To fix this, change/add
option external_ip 'your public ip address'
to your miniupnpd conf.
It is also possible to modify the miniupnpd init script to automatically get the public IP address.
And enable DMZ mode on your ISP router (to the IP address of your OpenWrt box),
or forward all high ports (1024-65535) to your OpenWrt box.
But for cgNAT, your ISP has to open/forward the ports or give you a public IP.
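
The two posts above contain the whole decision procedure: classify the WAN address (RFC 1918 private space versus 100.64.0.0/10 carrier-grade NAT versus globally routable), compare it with the address a "what is my IP" service reports, and only then decide whether `option external_ip` can help and whether anything inbound can work without the ISP. The script below is an added example, not code from the thread or from OpenWrt: it applies exactly that reasoning. The addresses in it are constructed (172.20.0.2 stands in for the poster's 172.x WAN address, the documentation address 203.0.113.5 for the 103.x address seen from outside), and the UCI section name `upnpd.config` is assumed to be the stock one from /etc/config/upnpd.

```python
"""Classify a WAN address and derive what miniupnpd needs (added example)."""
import ipaddress

# Classification table.  Anything not listed is treated as globally routable;
# multicast and other reserved space is deliberately ignored here.
RANGES = (
    ("loopback",   ipaddress.ip_network("127.0.0.0/8")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("rfc1918",    ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918",    ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918",    ipaddress.ip_network("192.168.0.0/16")),
    ("cgnat",      ipaddress.ip_network("100.64.0.0/10")),   # RFC 6598 shared space
)


def classify(ip):
    """'loopback' | 'link-local' | 'rfc1918' | 'cgnat' | 'public' for an IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only; an IPv6 prefix (e.g. DS-Lite) is a separate path around NAT")
    for label, net in RANGES:
        if addr in net:
            return label
    return "public"


def diagnose(wan_ip, observed_ip):
    """wan_ip: address on the router's WAN interface; observed_ip: what an
    external 'what is my IP' service reports.  Returns the NAT situation and
    the miniupnpd settings that follow from it."""
    wan_class = classify(wan_ip)
    if classify(observed_ip) != "public":
        raise ValueError("the externally observed address must be globally routable")

    if wan_class == "public" and wan_ip == observed_ip:
        upstream = None          # this router holds the public address itself
    elif wan_class == "public":
        upstream = "nat-pool"    # public WAN address, translated again upstream by the ISP
    elif wan_class == "rfc1918":
        upstream = "private"     # a customer-side box (ISP router) in front of this one
    elif wan_class == "cgnat":
        upstream = "cgnat"       # carrier-grade NAT; only the ISP can forward ports
    else:
        raise ValueError(f"{wan_ip} ({wan_class}) cannot be a WAN address")

    # external_ip only corrects what UPnP advertises to LAN clients (the public
    # address instead of the private WAN one).  It does not create a path through
    # the upstream NAT; that needs DMZ / port forwards on a box you control.
    helps = upstream == "private"
    # Section name 'upnpd.config' is the stock one in /etc/config/upnpd (assumption).
    uci = [
        f"uci set upnpd.config.external_ip='{observed_ip}'",
        "uci commit upnpd",
        "/etc/init.d/miniupnpd restart",
    ] if helps else []
    return {
        "wan_class": wan_class,
        "upstream_nat": upstream,
        "external_ip_helps": helps,
        "reachable_without_isp": upstream in (None, "private"),
        "uci": uci,
    }


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: private WAN address, public address seen outside.
    for wan, seen in (("172.20.0.2", "203.0.113.5"), ("100.72.1.1", "203.0.113.5"),
                      ("203.0.113.5", "203.0.113.5")):
        print(wan, "->", diagnose(wan, seen))
```

The "private" verdict is the poster's case: setting `external_ip` to the outside address is what made UPnP stop returning 501, and inbound reachability then depends on the ISP router forwarding (DMZ) to the OpenWrt box. A "cgnat" or "nat-pool" verdict means the same option changes nothing upstream, which is why the example emits no UCI commands for them.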

Thank you, that was very informative, shm0. Probably it won't work in my case, but I'll definitely try and update the forum.

Finally it worked! I just added
option external_ip 'your public ip address'
to my miniupnpd conf. Thank you so much!

I'm glad you got it working!