uPNP not working IPv4

I am trying to get uPNP working on IPv4 but something in the mix is not working.
For testing I am using the upnpc client on a host on the 'LAN' zone. LAN zone has input accept to the router.

upnpc output is:

seb@DESKTOP:~$ upnpc -r 2222 TCP
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
No IGD UPnP Device found on the network !

First thought was whether it's getting blocked at the switch, as it's got multicast snooping enabled and is also set as my querier. However, the switch seems to be dealing with this just fine, and has set up the multicast group for 239.255.255.250, which is the address used by SSDP for uPNP.

SSH@switch2#show ip multicast group
Display all groups for all vlans on all ports.
p-:physical, ST:static, QR:querier, EX:exclude, IN:include, Y:yes, N:no
VL10 : 4 groups, 9 group-port
      group            p-port      ST     QR     life  mode    source
1     239.255.255.253  e1/1/2      no     yes    220   EX      0
2     224.0.1.127      e1/1/2      no     yes    220   EX      0
3     224.0.1.55       e1/1/1      no     yes    240   EX      0
4     239.255.255.250  e1/1/3      no     yes    220   EX      0
5     239.255.255.250  e1/1/11     no     yes    240   EX      0
6     239.255.255.250  e1/3/1      no     yes    240   EX      0
7     239.255.255.250  e1/3/2      no     yes    240   EX      0
8     239.255.255.250  e1/1/2      no     yes    220   EX      0
9     239.255.255.250  e1/1/10     no     yes    240   EX      0

Verbose logging on miniupnpd seems to confirm no packets are making it to the daemon (i.e. there is no log entry at the time the upnpc request is sent). In fact the only log chatter from miniupnpd is IPv6 related, nothing on IPv4 interfaces.

What else could be stopping this from working?

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
{
        "kernel": "5.15.162",
        "hostname": "router",
        "system": "Intel(R) Xeon(R) CPU D-1521 @ 2.40GHz",
        "model": "Supermicro X10SDV-4C-TLN2F",
        "board_name": "supermicro-x10sdv-4c-tln2f",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.4",
                "revision": "r24012-d8dd03c46f",
                "target": "x86/64",
                "description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
        }
}
config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'
        option ula_prefix 'fd21:89e4:4d76::/48'
        option packet_steering '1'

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.1.1'
        option device 'br-lan'

config interface 'wan'
        option proto 'pppoe'
        option peerdns '0'
        list dns '127.0.0.1'
        option device 'eth0'
        option ipv6 '0'

config route
        option interface 'br-lan'
        option target '192.168.1.0'
        option netmask '255.255.255.0'
        option metric '200'
        option table '60'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth3.10'
        option mtu '9000'

No wireless config, as no wireless interfaces.

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option localservice '1'
        option port '53'
        option noresolv '1'
        option dnssec '1'
        option cachesize '5000'
        option quietdhcp '1'
        option enable_tftp '1'
        option dhcp_boot 'pxelinux.0'
        option tftp_root '/tftp'
        list server '127.0.0.1#5453'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        list dhcp_option 'option:dns-server,192.168.1.1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option synflood_protect '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'
        option log '1'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config redirect 'dnsint'
        option name 'Intercept-DNS'
        option src 'lan'
        option src_dport '53'
        option family 'ipv4'
        option proto 'tcpudp'
        option target 'DNAT'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'

Could you draw a diagram of your network? No OpenWrt in the first post?

Are you just trolling now? It's two zones WAN and LAN, how is a diagram going to assist?

INTERNET <--pppoe--> WAN (eth0) <--> ROUTER <--> LAN (eth3.10) <--VLAN10--> SWITCH <--> CLIENTS

Clients have VLAN10 untagged on the egress ports.

One thing that does raise an eyebrow is the firewall entry

option path '/usr/share/miniupnpd/firewall.include'

Seems to be something that should be configured by miniupnpd but that file no longer exists?

EDIT- nevermind, it's a carryover from the old iptables implementation and harmless.

You need miniupnpd-nftables flavour

Yes, that is installed; it seems the old iptables reference never got removed, but it's harmless.

root@router:~# opkg info miniupnpd-nftables
Package: miniupnpd-nftables
Version: 2.3.3-2
Depends: libc, libcap-ng, libmnl0, libuuid1, libnftnl11
Provides: miniupnpd
Conflicts: miniupnpd-iptables
Status: install user installed
Section: net
Architecture: x86_64
Size: 83730
Filename: miniupnpd-nftables_2.3.3-2_x86_64.ipk
Conffiles:
 /etc/config/upnpd 2645931c86316c8e46f5f0a6e1e322b2e2fd82cad38be2acca76a8f106892f52
Description: Lightweight UPnP IGD, NAT-PMP & PCP daemon (nftables)
Installed-Time: 1721081658

And enable in config file and carryover fw4 include?

Yes, it's running and responding to IPv6 requests as noted, just nothing on IPv4.

Tue Aug 20 10:29:44 2024 daemon.info miniupnpd[14528]: Received UDP Packet (IPv6)
Tue Aug 20 10:29:44 2024 daemon.debug miniupnpd[14528]: ST: urn:dial-multiscreen-org:service:dial:1 (ver=1)
Tue Aug 20 10:29:44 2024 daemon.info miniupnpd[14528]: SSDP M-SEARCH from [::ffff:192.168.1.240]:52708 ST: urn:dial-multiscreen-org:service:dial:1

Tcpdump on LAN interface if packets are not eaten by switch.

Packets are hitting the interface

seb@DESKTOP:~$ upnpc -r 2222 TCP
upnpc : miniupnpc library test client, version 2.2.3.
 (c) 2005-2021 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
No IGD UPnP Device found on the network !
root@router:~# tcpdump -i eth3.10 port 1900
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth3.10, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:27:15.190743 IP 192.168.1.240.65140 > 239.255.255.250.1900: UDP, length 176
13:27:16.195866 IP 192.168.1.240.65140 > 239.255.255.250.1900: UDP, length 176
13:27:17.208854 IP 192.168.1.240.65140 > 239.255.255.250.1900: UDP, length 176
13:27:18.210834 IP 192.168.1.240.65140 > 239.255.255.250.1900: UDP, length 176
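The capture above can be read mechanically: every line is a client M-SEARCH to the SSDP group, and nothing comes back to the client's socket. The following is an added example, not code from any poster in this thread, that pairs queries with unicast replies in tcpdump's default one-line output. `THREAD_CAPTURE` is copied from the post above; `CONSTRUCTED_ANSWERED` and the function name are made up for illustration.

```python
import re
from collections import defaultdict

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900

# tcpdump default form: "HH:MM:SS.us IP src.sport > dst.dport: UDP, length N"
LINE_RE = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length \d+"
)

def unanswered_searches(capture):
    """Return {(client_ip, client_port): query_count} for M-SEARCH
    senders that never received a unicast packet on that socket."""
    queries = defaultdict(int)
    answered = set()
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # banner lines, shell prompts, non-UDP traffic
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        if dst == SSDP_GROUP and dport == SSDP_PORT:
            queries[(src, sport)] += 1      # multicast discovery query
        else:
            answered.add((dst, dport))      # unicast packet back to a socket
    return {k: n for k, n in queries.items() if k not in answered}

# Lines taken from the tcpdump output posted in the thread.
THREAD_CAPTURE = """\
13:27:15.190743 IP 192.168.1.240.65140 > 239.255.255.250.1900: UDP, length 176
13:27:16.195866 IP 192.168.1.240.65140 > 239.255.255.250.1900: UDP, length 176
13:27:17.208854 IP 192.168.1.240.65140 > 239.255.255.250.1900: UDP, length 176
13:27:18.210834 IP 192.168.1.240.65140 > 239.255.255.250.1900: UDP, length 176
"""

# Constructed sample (not from the thread): the same query followed by a reply.
CONSTRUCTED_ANSWERED = """\
13:27:15.190743 IP 192.168.1.240.65140 > 239.255.255.250.1900: UDP, length 176
13:27:15.192101 IP 192.168.1.1.1900 > 192.168.1.240.65140: UDP, length 320
"""

if __name__ == "__main__":
    for (ip, port), n in unanswered_searches(THREAD_CAPTURE).items():
        print(f"{ip}:{port} sent {n} M-SEARCH queries, no reply seen")
```

With the `port 1900` filter used in the thread, a reply is only visible if it leaves from UDP port 1900, so an empty reply set here means no such answer crossed eth3.10.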

It is not enabled by default, install luci-app- and check it.
