UPnP issues on AC2350

Hi, I have miniupnpd and luci-app-miniupnpd packages installed. However, I cannot get the UPnP to work, as it shows no active redirects even though all the necessary toggles are on. UPnP did in fact work on the MiWIFI software that this router came with, so it's unusual for me to not be able to use it on OpenWrt. I do understand the security concerns of using it.

{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "Qualcomm Atheros QCA956X ver 1 rev 0",
        "model": "Xiaomi AIoT AC2350",
        "board_name": "xiaomi,aiot-ac2350",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "ath79/generic",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
        }
}
# /etc/config/network as posted. Values shown as '-' look redacted by the poster.
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        # ULA prefix redacted here; the miniupnpd log further down shows an fd88:4a0c:727c::1
        # address being handed to control points, so a ULA is in use
        option ula_prefix '-'

config device
        option name 'br-lan'
        option type 'bridge'
        # LAN bridge carries only switch VLAN 1 (eth0.1)
        list ports 'eth0.1'

config device
        option name 'eth0.1'
        option macaddr '-'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        # IPv6 delegation to the LAN; a /60 is requested from the ULA/PD pool
        option ip6assign '60'

config interface 'wan'
        # WAN is switch VLAN 2 (eth0.2) with a DHCP lease from the ISP. The miniupnpd STUN
        # log below reports the leased address as 10.79.96.9 (RFC 1918 space), which is
        # direct evidence of another NAT upstream of this router (CGNAT).
        option device 'eth0.2'
        option proto 'dhcp'
        # ISP-supplied resolvers are ignored; all upstream DNS goes to 8.8.8.8 over plain
        # port 53 (no DoT/DoH is configured here)
        option peerdns '0'
        list dns '8.8.8.8'

config interface 'wan6'
        option device 'eth0.2'
        option proto 'dhcpv6'
        option reqaddress 'try'
        option reqprefix 'auto'
        option peerdns '0'
        list dns '8.8.8.8'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        # VLAN 1 = LAN ports 2,3,4; port 0 is the CPU port (tagged)
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 0t'

config switch_vlan
        # VLAN 2 = WAN port 1; port 0 is the CPU port (tagged)
        option device 'switch0'
        option vlan '2'
        option ports '1 0t'

config interface 'antizapret'
        # VPN tunnel device. proto 'none' means netifd only tracks tun0; its addressing is
        # presumably done by the VPN client that creates the tunnel. The firewall config on
        # this page places this interface in the separate 'ovpn_fw' zone.
        option proto 'none'
        option device 'tun0'
# /etc/config/wireless as posted. PSKs are redacted as '-'.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel 'auto'
        option band '5g'
        option htmode 'VHT80'
        option country 'RU'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        # both APs are attached to 'lan', so wireless clients sit in the LAN firewall zone
        # and can reach the miniupnpd listeners (HTTP 5000, NAT-PMP/PCP 5351) like wired hosts
        option network 'lan'
        option mode 'ap'
        option ssid 'HackNet_5G'
        # WPA2-PSK; key redacted in the post
        option encryption 'psk2'
        option key '-'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel 'auto'
        option band '2g'
        option htmode 'HT40'
        option country 'RU'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'HackNet_2.4G'
        # WPA2-PSK; key redacted in the post
        option encryption 'psk2'
        option key '-'
# /etc/config/dhcp as posted.
config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        # DNS rebinding protection is switched OFF here (OpenWrt ships it on). With it off,
        # upstream answers that resolve to private/loopback ranges are passed through to LAN
        # clients, which is what rebinding attacks rely on. Unless the antizapret setup needs
        # this, it is worth setting back to '1' and whitelisting specific names with
        # 'list rebind_domain' instead. Not related to the UPnP problem in this thread.
        option rebind_protection '0'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        # only answer DNS queries from directly attached subnets
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        # IPv4 pool on the 192.168.1.0/24 LAN: 150 addresses starting at .100
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        # no DHCP/RA service offered on the WAN side
        option ignore '1'

config odhcpd 'odhcpd'
        # dnsmasq stays the main DHCPv4 server; odhcpd handles DHCPv6/RA
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
# /etc/config/firewall as posted. No miniupnpd-specific stanzas appear in this file;
# the redirects miniupnpd creates are managed by the daemon itself and would not be
# visible here. The zones and rules below look like the OpenWrt 23.05 defaults plus one
# extra zone ('ovpn_fw') and its forwarding.
config defaults
        # global defaults; the per-zone settings below override these for wan and ovpn_fw
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        # WAN zone covers both the IPv4 and IPv6 uplink; unsolicited inbound traffic is
        # rejected unless one of the explicit rules below accepts it
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        # NAT for LAN -> WAN. Note the WAN address itself is a private 10.x address per the
        # miniupnpd log, so this is NAT behind the ISP's NAT (double NAT).
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        # the router answers IPv4 echo requests on the WAN side
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        # MLD only from link-local sources
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        # rate-limited to 1000/sec
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        # dest '*' = forwarded to any zone, so these ICMPv6 types reach LAN hosts too
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        # stock rule: lets ESP from WAN be forwarded to the LAN (for IPsec passthrough);
        # harmless unless a LAN host is actually reachable for it, but can be disabled if unused
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        # stock rule: same for IKE (UDP/500) forwarded to the LAN
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config zone
        # zone for the 'antizapret' tunnel (tun0). Inbound from the tunnel to the router is
        # rejected and nothing is forwarded out of this zone; traffic only enters it via the
        # lan -> ovpn_fw forwarding below and is masqueraded on exit.
        option name 'ovpn_fw'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'antizapret'

config forwarding
        option src 'lan'
        option dest 'ovpn_fw'

Most likely you're just behind CGNAT. Are you getting real IP from your ISP?

i'm not sure what you mean by a "real ip", but my isp does not provide static/"white" ips unless paid for, which i do not do. i might actually be behind cgnat; however, upnp did in fact work on the xiaomi software, so that's most likely not the issue.

Most likely it is. If you're behind CGNAT and your ISP doesn't support some sort of NAT port mapping on its side, you're not going to get through. Try specifying a STUN server in the miniupnpd settings. Google's STUN works fine: stun.l.google.com:19302

See here for a similar problem:

i did try stun with different hosts, it's not working. here's my log with google stun:

daemon.notice miniupnpd[10154]: perform_stun: #0 external address or port changed
Wed Aug 21 13:12:24 2024 daemon.notice miniupnpd[10154]: perform_stun: #1 external address or port changed
Wed Aug 21 13:12:24 2024 daemon.notice miniupnpd[10154]: perform_stun: #2 external address or port changed
Wed Aug 21 13:12:24 2024 daemon.notice miniupnpd[10154]: perform_stun: #3 external address or port changed
Wed Aug 21 13:12:24 2024 daemon.warn miniupnpd[10154]: STUN: ext interface eth0.2 with private IP address 10.79.96.9 is now behind restrictive or symmetric NAT with public IP address 185.15.63.73 which does not support port forwarding
Wed Aug 21 13:12:24 2024 daemon.warn miniupnpd[10154]: NAT on upstream router blocks incoming connections set by miniupnpd
Wed Aug 21 13:12:24 2024 daemon.warn miniupnpd[10154]: Turn off NAT on upstream router or change it to full-cone NAT 1:1 type
Wed Aug 21 13:12:24 2024 daemon.warn miniupnpd[10154]: Port forwarding is now disabled
Wed Aug 21 13:12:24 2024 daemon.notice miniupnpd[10154]: HTTP listening on port 5000
Wed Aug 21 13:12:24 2024 daemon.notice miniupnpd[10154]: HTTP IPv6 address given to control points : [fd88:4a0c:727c::1]
Wed Aug 21 13:12:24 2024 daemon.notice miniupnpd[10154]: Listening for NAT-PMP/PCP traffic on port 5351
Wed Aug 21 13:12:40 2024 daemon.notice miniupnpd[10154]: shutting down MiniUPnPd
Wed Aug 21 13:12:40 2024 daemon.notice miniupnpd[10255]: perform_stun: #0 external address or port changed
Wed Aug 21 13:12:40 2024 daemon.notice miniupnpd[10255]: perform_stun: #1 external address or port changed
Wed Aug 21 13:12:40 2024 daemon.notice miniupnpd[10255]: perform_stun: #2 external address or port changed
Wed Aug 21 13:12:40 2024 daemon.notice miniupnpd[10255]: perform_stun: #3 external address or port changed
Wed Aug 21 13:12:40 2024 daemon.warn miniupnpd[10255]: STUN: ext interface eth0.2 with private IP address 10.79.96.9 is now behind restrictive or symmetric NAT with public IP address 185.15.63.73 which does not support port forwarding
Wed Aug 21 13:12:40 2024 daemon.warn miniupnpd[10255]: NAT on upstream router blocks incoming connections set by miniupnpd
Wed Aug 21 13:12:40 2024 daemon.warn miniupnpd[10255]: Turn off NAT on upstream router or change it to full-cone NAT 1:1 type
Wed Aug 21 13:12:40 2024 daemon.warn miniupnpd[10255]: Port forwarding is now disabled
Wed Aug 21 13:12:40 2024 daemon.notice miniupnpd[10255]: HTTP listening on port 5000
Wed Aug 21 13:12:40 2024 daemon.notice miniupnpd[10255]: HTTP IPv6 address given to control points : [fd88:4a0c:727c::1]
Wed Aug 21 13:12:40 2024 daemon.notice miniupnpd[10255]: Listening for NAT-PMP/PCP traffic on port 5351

might the issue be in the ACL's internal ports? it seems like my router's dhcp is leasing ips from 192.168.1.0/24, but in the ACL the internal ports are 0.0.0.0/0. and again, UPnP DID work on the router's original firmware

I have no idea how it worked in the original firmware, but the log message is pretty self-explanatory. As I said, you're behind CGNAT and your ISP doesn't support port forwarding. You can roll back to the original firmware and try to figure out how it works with Wireshark or tcpdump. It would be pretty interesting for everybody to learn how one can open ports on your ISP's equipment without support on its side.

Port Control Protocol support - #2 by stokito - this one explains in detail.

This guy's suggestion worked! Need Help with UPnP on Tp-Link Archer C6 V3 GCNAT - #24 by Liegt

Strange that STUN doesn't. Essentially it guesses the same IP from your ISP's range.

Can you try STUN and disable "Enable UPnP functionality" leaving just "Enable NAT-PMP functionality"? Opening Transmission BT should be fine to test.

It indeed is strange. I have no idea even looking at the log.

nope, doesn't work with stun at all

https://github.com/miniupnp/miniupnp/issues/705 - probably you can join this discussion as well. Similar to your case.

It would be interesting if you could try miniupnpd-iptables (I know it will pull in the whole compatibility layer) instead of the default miniupnpd-nftables, just to rule out errors in the iptables->nftables transition.

Do I just install the miniupnpd-iptables package via opkg or do I need to do something else specific?

Delete nftables variant first.

Wed Aug 21 15:14:33 2024 daemon.err miniupnpd[8105]: set_rdr_name(): tried to set invalid string parameter: 0
Wed Aug 21 15:14:33 2024 daemon.err miniupnpd[8105]: set_rdr_name(): tried to set invalid string parameter: 1
Wed Aug 21 15:14:33 2024 daemon.err miniupnpd[8105]: iptc_init() failed : Table does not exist (do you need to insmod?)
Wed Aug 21 15:14:33 2024 daemon.err miniupnpd[8105]: Failed to init redirection engine. EXITING
Wed Aug 21 15:14:44 2024 daemon.err miniupnpd[8199]: set_rdr_name(): tried to set invalid string parameter: 0
Wed Aug 21 15:14:44 2024 daemon.err miniupnpd[8199]: set_rdr_name(): tried to set invalid string parameter: 1
Wed Aug 21 15:14:44 2024 daemon.err miniupnpd[8199]: iptc_init() failed : Table does not exist (do you need to insmod?)
Wed Aug 21 15:14:44 2024 daemon.err miniupnpd[8199]: Failed to init redirection engine. EXITING

Did you reboot?

I did, no effect