openwrt / packages

Community maintained packages for OpenWrt. Documentation for submitting pull requests is in CONTRIBUTING.md
GNU General Public License v2.0

miniupnpd-nftables: rules are created but no traffic is being forwarded #17871

Closed escape0707 closed 1 year ago

escape0707 commented 2 years ago

Maintainer

@stintel @ldir-EDB0 @neheb

Environment

Description

As the title says, miniupnpd can't map requested ports successfully for applications and shows "There are no active redirects." in the LuCI web interface.

I set up this environment by:

  1. Flashed the official snapshot version just after I got my hands on this Redmi Router, with the method provided in the official guide.
  2. Set up 2.4G & 5G WiFi.
  3. Set up PPPoE on WAN.
  4. Installed luci-app-upnp through opkg.

I don't know where to continue the troubleshooting. If any additional information is needed, please let me know. I do have a dynamic global IPv4 address on my router, and I disguised it. If that's needed, please also let me know.

Latest release version 21.02.1 with miniupnpd_2.2.1-3 doesn't have this problem but can't support Xbox / Windows teredo UPnP.

More logs / configs

qbittorrent_download qbittorrent_log.txt logread.txt teredo_log.txt etc_config_upnpd.txt ip_addr_show.txt nftables.txt opkg_info_miniupnpd.txt

stintel commented 2 years ago

Redirects are there:

table inet miniupnpd {
    chain forward {
        type filter hook forward priority -25; policy accept;
        iif "pppoe-wan" th dport 49965 @nh,128,32 0xc0a8010b @nh,72,8 0x11 accept
        iif "pppoe-wan" th dport 9564 @nh,128,32 0xc0a8010b @nh,72,8 0x6 accept
        iif "pppoe-wan" th dport 9564 @nh,128,32 0xc0a8010b @nh,72,8 0x11 accept
    }
}
table ip miniupnpd {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iif "pppoe-wan" udp dport 49965 dnat to 192.168.1.11:49965
        iif "pppoe-wan" tcp dport 9564 dnat to 192.168.1.11:9564
        iif "pppoe-wan" udp dport 9564 dnat to 192.168.1.11:9564
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
    }
}
table ip6 miniupnpd {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
    }
}

Please report a LuCI issue instead.

escape0707 commented 2 years ago

Thanks for your quick reply.

Redirects are there

That's what confused me, too, as applications like qbittorrent and Windows Teredo all say that they can't be connected from outside.

If I manually forward all ports to my testing machine, without the assist of UPnP, then they both report cone or public connectable.

Also, I tested this with canyouseeme.org and the listening port of qbittorrent. With UPnP I get connection refused; manually forwarding ports works as intended. This is tested on both Windows 10 LTSC 2021 and latest ArchLinux.

escape0707 commented 2 years ago

@stintel Could you suggest me some more accurate ways to test which part is malfunctioning? Thanks!

stintel commented 2 years ago

That's what confused me, too, as applications like qbittorrent and Windows Teredo all say they can't be connected from outside.

Don't trust the application, trust tcpdump. I actually verified miniupnpd-nftables like that recently, because somewhere in some horrible 1500+ message thread in the forum where different issues are discussed, making it impossible to follow anything, and reminding me why I used to stay away from forums, someone complained that it didn't work.

On a remote host:

$ echo foo | nc -u 87.227.x.x 3074

On my OpenWrt router running miniupnpd-nftables:

# tcpdump -ni switch.54 port 3074
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on switch.54, link-type EN10MB (Ethernet), capture size 262144 bytes
16:40:37.990057 IP 94.225.x.x.38515 > 192.168.54.35.3074: UDP, length 4

escape0707 commented 2 years ago

trust tcpdump

I'll go and learn about this tool now! Thanks for the information!

stintel commented 2 years ago

If in fact that confirms the port forward doesn't work, please change the title of this issue to reflect just that. The fact that LuCI doesn't show the redirects should be fixed in LuCI so is not relevant for this issue (tracker).

escape0707 commented 2 years ago

The fact that LuCI doesn't show the redirects should be fixed in LuCI so is not relevant for this issue (tracker).

Duly noted, I'll file another issue later on.

escape0707 commented 2 years ago

I used my phone's standalone cell data and in its terminal ran:

$ echo foo | nc -u 111.226.<my public ipv4> 9564

Then on my router, run:

# tcpdump -ni pppoe-wan port 9564
......
15:03:51.885771 IP 106.119.<my phone cell data ipv4>.41998 > 111.226.<my public ipv4>.9564: UDP, length 4
......

Meanwhile:

# tcpdump -ni br-lan port 9564

doesn't show my phone's IPv4 address, although other IP addresses that are currently transferring torrents with my qbittorrent client got captured. And those packets are sent from / to my laptop's LAN IPv4 192.168.1.11.

stintel commented 2 years ago

My gut feeling says it's related to using ppp. @dangowrt reported a similar problem here.

escape0707 commented 2 years ago

My gut feeling says it's related to using ppp.

Do you think it would help diagnose this problem if I "use another router to do the PPPoE dial-up, connect my Redmi OpenWRT router to the first one's LAN port and use DHCP to connect to the Internet, then manually forward all ports from the first router to OpenWRT"?

escape0707 commented 2 years ago

I'll have to try that tomorrow, parents are about to sleep. Thank you for helping me with troubleshooting, nice sir!

escape0707 commented 2 years ago

Sadly, with this config, I get a lot of:

Wed Feb 16 02:45:44 2022 daemon.debug miniupnpd[6819]: rule with label 'qBittorrent Enhanced/4.4.0.10' is not a IGD pinhole
Wed Feb 16 02:45:44 2022 daemon.debug miniupnpd[6819]: rule with label 'qBittorrent Enhanced/4.4.0.10' is not a IGD pinhole
Wed Feb 16 02:45:44 2022 daemon.debug miniupnpd[6819]: rule with label 'qBittorrent Enhanced/4.4.0.10' is not a IGD pinhole
Wed Feb 16 02:45:44 2022 daemon.debug miniupnpd[6819]: rule with label 'qBittorrent Enhanced/4.4.0.10' is not a IGD pinhole
Wed Feb 16 02:45:44 2022 daemon.info miniupnpd[6819]: HTTP REQUEST from [::ffff:192.168.1.11]:33287 : POST /ctl/IPConn (HTTP/1.1)
Wed Feb 16 02:45:44 2022 daemon.debug miniupnpd[6819]: Host: 192.168.1.1:5000
Wed Feb 16 02:45:44 2022 daemon.info miniupnpd[6819]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:2#AddPortMapping
Wed Feb 16 02:45:44 2022 daemon.info miniupnpd[6819]: AddPortMapping: ext port 10659 to 192.168.1.11:10659 protocol TCP for: qBittorrent/4.5.0alpha1 leaseduration=604800 rhost=
Wed Feb 16 02:45:44 2022 daemon.debug miniupnpd[6819]: UPnP permission rule 0 matched : port mapping accepted
Wed Feb 16 02:45:44 2022 daemon.debug miniupnpd[6819]: Check protocol tcp for port 10659 on ext_if wan 192.168.2.116, 7402A8C0
Wed Feb 16 02:45:44 2022 daemon.info miniupnpd[6819]: redirecting port 10659 to 192.168.1.11:10659 protocol TCP for: qBittorrent/4.5.0alpha1
Wed Feb 16 02:45:44 2022 daemon.info miniupnpd[6819]: Returning UPnPError 501: ActionFailed
Wed Feb 16 02:45:44 2022 daemon.debug miniupnpd[6819]: rule with label 'qBittorrent Enhanced/4.4.0.10' is not a IGD pinhole
Wed Feb 16 02:45:44 2022 daemon.debug miniupnpd[6819]: rule with label 'qBittorrent Enhanced/4.4.0.10' is not a IGD pinhole
Wed Feb 16 02:45:44 2022 daemon.debug miniupnpd[6819]: rule with label 'qBittorrent Enhanced/4.4.0.10' is not a IGD pinhole
Wed Feb 16 02:45:44 2022 daemon.debug miniupnpd[6819]: rule with label 'qBittorrent Enhanced/4.4.0.10' is not a IGD pinhole
Wed Feb 16 02:45:44 2022 daemon.info miniupnpd[6819]: HTTP REQUEST from [::ffff:192.168.1.11]:33957 : POST /ctl/IPConn (HTTP/1.1)
Wed Feb 16 02:45:44 2022 daemon.debug miniupnpd[6819]: Host: 192.168.1.1:5000

full_system_log.txt

The first-level router is set to dial up through PPPoE, then the OpenWrt router is set as DMZ. When I manually forward all ports also in OpenWrt, I can connect to my machine from the Internet. But when I switch to UPnP, UPnP just won't work, and applications report so, too.

etc_config_upnpd.txt

ip_addr_show.txt

snakwu commented 2 years ago

Sadly, with this config, I get a lot of:

Me too! OpenWrt PPPoE.

escape0707 commented 2 years ago

@snakwu I think you are facing a completely different problem. You should open an independent issue addressing it.

escape0707 commented 2 years ago

Actually, I don't know what's the meaning of this table:

table inet miniupnpd {
    chain forward {
        type filter hook forward priority -25; policy accept;
        iif "pppoe-wan" th dport 49965 @nh,128,32 0xc0a8010b @nh,72,8 0x11 accept
        iif "pppoe-wan" th dport 9564 @nh,128,32 0xc0a8010b @nh,72,8 0x6 accept
        iif "pppoe-wan" th dport 9564 @nh,128,32 0xc0a8010b @nh,72,8 0x11 accept
    }
}

The default policy in its base chain is ACCEPT, while all rules in it say ACCEPT, too. What do the @nh filters verify? Does this table currently do nothing because so far there isn't anything malicious that needs to be rejected yet?

escape0707 commented 2 years ago

I manually specified my external_ip in /etc/config/upnpd and UPnP sets up the firewall rules successfully now. But I'm still getting similar behavior: tcpdump shows incoming testing packets only on wan, not on br-lan. Manually forwarding still works.

escape0707 commented 2 years ago

I think I know where the problem is. If I add any port forward rule manually, UPnP seems to work. But I still need to do more tests.

jow- commented 2 years ago

When at least one port forward is defined, certain additional rules are enabled by firewall4, like the rule that automatically accepts all inbound traffic that is related to a DNAT'ed connection

escape0707 commented 2 years ago

Yes, I diffed those nft rulesets and saw several ct status dnat accept. That is the reason why only enabling miniupnpd is not working.

escape0707 commented 2 years ago

After setting up UPnP and adding any firewall rule through LuCI, everything works just fine, for both DHCP and PPPoE.

The display issue of luci-app-upnp is already reported here https://github.com/openwrt/luci/issues/5678

jow- commented 2 years ago

What do you mean specifically with "add any firewall rules through LuCI"? I am looking at miniupnpd atm and trying to figure out how to improve it.

escape0707 commented 2 years ago

@jow- I mean, when I only installed luci-app-upnp and enabled UPnP, then launched an app (qbittorrent) to make a UPnP port forward request, I got an nftables rule set like this: nftables_without_manually_port_forwarding.txt

At this time, the port forward rules made by miniupnpd won't work. I can now add a non-related port's forward rule manually from LuCI, and this time I get the following nftables rule set: nftables_with_manually_port_forwarding.txt

A diff between those two shows that two

ct status dnat accept

rules were inserted just before

jump reject_from_wan

and

jump reject_to_wan

which I believe is what makes the ports forwarded by miniupnpd work again.
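To make the two observations in this thread concrete (what the `@nh` raw matches in miniupnpd's forward chain actually test, and why the `ct status dnat accept` rule that fw4 only emits once a static port forward exists decides whether the DNAT'ed traffic gets through), here is an added Python example; it is not code from the thread, from miniupnpd or from firewall4. The ruleset text it parses is a constructed sample: the miniupnpd table is copied from the dumps posted above, while the `fw4` chains are a simplified sketch of firewall4's layout (an assumption, not a real dump).

```python
import ipaddress
import re

# Constructed sample. The miniupnpd table is copied from the dumps posted in this
# thread; the fw4 table is a simplified sketch of firewall4's layout (dropping
# base chain that jumps to a per-zone chain), not a real dump.
MINIUPNPD_FORWARD = """
table inet miniupnpd {
    chain forward {
        type filter hook forward priority -25; policy accept;
        iif "pppoe-wan" th dport 49965 @nh,128,32 0xc0a8010b @nh,72,8 0x11 accept
        iif "pppoe-wan" th dport 9564 @nh,128,32 0xc0a8010b @nh,72,8 0x6 accept
    }
}
"""
FW4_NO_STATIC_FORWARD = """
table inet fw4 {
    chain forward {
        type filter hook forward priority filter; policy drop;
        iifname "pppoe-wan" jump forward_wan
    }
    chain forward_wan {
        jump reject_to_wan
    }
}
"""
# Same sketch once one static port forward exists: fw4 then emits
# "ct status dnat accept" in front of the reject jump (the diff escape0707 saw).
FW4_WITH_STATIC_FORWARD = FW4_NO_STATIC_FORWARD.replace(
    "        jump reject_to_wan",
    "        ct status dnat accept\n        jump reject_to_wan")

IP_PROTO = {0x06: "tcp", 0x11: "udp"}
RAW_MATCH = re.compile(r"@nh,(\d+),(\d+) 0x([0-9a-fA-F]+)")


def decode_raw_rule(rule):
    """Name the IPv4 header fields behind miniupnpd's "@nh,OFFSET,LEN VALUE"
    raw matches: LEN bits at bit OFFSET of the network header. In IPv4, bit 72
    starts the protocol byte and bit 128 the destination address, so the rule
    means "ip daddr X ip protocol Y", nothing more."""
    fields = {}
    for off, length, value in RAW_MATCH.findall(rule):
        off, length, value = int(off), int(length), int(value, 16)
        if (off, length) == (72, 8):
            fields["protocol"] = IP_PROTO.get(value, str(value))
        elif (off, length) == (128, 32):
            fields["daddr"] = str(ipaddress.IPv4Address(value))
        else:  # unknown field: keep the raw form so nothing is silently dropped
            fields["@nh,%d,%d" % (off, length)] = hex(value)
    m = re.search(r"\bdport (\d+)", rule)
    if m:
        fields["dport"] = int(m.group(1))
    return fields


def parse_chains(ruleset):
    """Map (family, table, chain) -> rule lines from `nft list ruleset` text."""
    chains, table, current = {}, None, None
    for line in ruleset.splitlines():
        s = line.strip()
        m = re.match(r"table (\w+) (\w+) \{", s)
        if m:
            table = (m.group(1), m.group(2))
            continue
        m = re.match(r"chain (\w+) \{", s)
        if m and table:
            current = table + (m.group(1),)
            chains[current] = []
            continue
        if s == "}":
            current = None
        elif current is not None and s:
            chains[current].append(s)
    return chains


def fw4_forward_accepts_dnat(fw4_ruleset, wan_if="pppoe-wan"):
    """True if fw4's forward hook lets DNAT'ed traffic entering on wan_if through.
    miniupnpd's own "accept" in its priority -25 chain only ends *that* chain;
    the packet still traverses fw4's forward base chain on the same hook, where
    it meets the reject jump / drop policy unless "ct status dnat accept" is there."""
    chains = parse_chains(fw4_ruleset)
    for rule in chains.get(("inet", "fw4", "forward"), []):
        if rule.startswith('iifname "%s" jump ' % wan_if):
            for r in chains.get(("inet", "fw4", rule.split()[-1]), []):
                if r.startswith("ct status dnat accept"):
                    return True
                if r.startswith("jump reject"):
                    return False
    return False


def diagnose(upnp_ruleset, fw4_ruleset):
    """Per miniupnpd redirect: (protocol, dport, daddr, forwarded_by_fw4)."""
    ok = fw4_forward_accepts_dnat(fw4_ruleset)
    rules = parse_chains(upnp_ruleset).get(("inet", "miniupnpd", "forward"), [])
    return [(f["protocol"], f["dport"], f["daddr"], ok)
            for f in (decode_raw_rule(r) for r in rules if "@nh" in r)]
```

Feeding the sample through `diagnose()` reports both redirects as not forwarded without the static-forward rule and as forwarded with it, which is exactly the before/after that the diff above shows.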

dangowrt commented 2 years ago

@stintel I'm not using PPPoE, got IPoE FTTH with the ISP-provided router operating in bridge-mode and OpenWrt device connected to it receiving a public IPv4 via DHCP. Yet rules added by miniupnpd didn't have any effect.

tiagogaspar8 commented 2 years ago

Same here, but my issue is with PCP and ipv6. I see miniupnpd responding to the port open request, and I see the rules in nftables yet they do nothing.

Also, the lease file stays empty (I believe this is another separate issue)

stintel commented 2 years ago

@jow already explained the reason here. I have static port forwards so I have that rule, and that's why things work for me.

tiagogaspar8 commented 2 years ago

I'm sorry, I'm confused, do we need to add something then?

I also saw that miniupnpd v2.3.0 fixes some issues with nftables and might be related to this, no?

escape0707 commented 2 years ago

@tiagogaspar8 https://github.com/openwrt/packages/issues/17871#issuecomment-1042615077

I think those rules added by the LuCI firewall setting are the key point.

tiagogaspar8 commented 2 years ago

Yes, but what I mean is that I believe the new release of miniupnpd fixes this issue because it corrects the location and the jumps that are currently broken.

Also, the port forwarding rules don't explain the reason why ipv6 PCP doesn't work.

escape0707 commented 2 years ago

Oh, I don't have IPv6 currently. And I guess I should update my OpenWrt and miniupnpd to test it again.

tiagogaspar8 commented 2 years ago

@escape0707 Yeah, I wanted to update my miniupnpd version too to see if this issue is fixed magically (hoping)

If you'd like you can try ipv6 with a he.net free tunnel 😁

tiagogaspar8 commented 2 years ago

So, I updated upnpd to the latest version and it built without issue. Yet, now it is giving me errors:

Fri Feb 18 12:53:16 2022 daemon.notice miniupnpd[9995]: Listening for NAT-PMP/PCP traffic on port 5351
Fri Feb 18 12:53:18 2022 daemon.err miniupnpd[9995]: Failed to remove PCP mapping internal port 31425, protocol TCP
Fri Feb 18 12:53:18 2022 daemon.err miniupnpd[9995]: Failed to remove PCP mapping internal port 31425, protocol TCP
Fri Feb 18 12:53:18 2022 daemon.err miniupnpd[9995]: Failed to remove PCP mapping internal port 31425, protocol UDP
Fri Feb 18 12:53:18 2022 daemon.err miniupnpd[9995]: Failed to remove PCP mapping internal port 31425, protocol UDP
Fri Feb 18 12:53:18 2022 daemon.err miniupnpd[9995]: Failed to remove PCP mapping internal port 31425, protocol TCP
Fri Feb 18 12:53:18 2022 daemon.err miniupnpd[9995]: Failed to remove PCP mapping internal port 31425, protocol UDP
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: send_batch: mnl_cb_run returned -1
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: nft_send_rule(0xb6f59c60, 6, 0) send_batch failed -4
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: PCP MAP: failed to add mapping TCP 31425->IPV6_address 'PCP MAP ec0ac7716fc4d8826bae8213'
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: send_batch: mnl_cb_run returned -1
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: nft_send_rule(0xb6f59c50, 6, 0) send_batch failed -4
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: PCP MAP: failed to add mapping TCP 31425->IPV6_address 'PCP MAP 9cc757b08ef14bd005bbfe9f'
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: send_batch: mnl_cb_run returned -1
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: nft_send_rule(0xb6f59c60, 6, 0) send_batch failed -4
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: PCP MAP: failed to add mapping TCP 31425->IPV6_address 'PCP MAP 3e9a7f85248a0d9649c4c34d'
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: send_batch: mnl_cb_run returned -1
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: nft_send_rule(0xb6f59c50, 6, 0) send_batch failed -4
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: PCP MAP: failed to add mapping UDP 31425->IPV6_address 'PCP MAP e5cb295fb65fe8c9a5534f47'
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: send_batch: mnl_cb_run returned -1
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: nft_send_rule(0xb6f59c60, 6, 0) send_batch failed -4
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: PCP MAP: failed to add mapping UDP 31425->IPV6_address 'PCP MAP fb06d932a8c33d937f52b9f1'
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: send_batch: mnl_cb_run returned -1
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: nft_send_rule(0xb6f59c50, 6, 0) send_batch failed -4
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: PCP MAP: failed to add mapping UDP 31425->IPV6_address 'PCP MAP d305d6a5b481f8b4769d21ac'

Just to clarify, these errors are new:

Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: send_batch: mnl_cb_run returned -1
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: nft_send_rule(0xb6f59c50, 6, 0) send_batch failed -4
Fri Feb 18 12:53:26 2022 daemon.err miniupnpd[9995]: PCP MAP: failed to add mapping UDP 31425->IPV6_address 'PCP MAP d305d6a5b481f8b4769d21ac'

And these were present in the previous version: Fri Feb 18 12:53:18 2022 daemon.err miniupnpd[9995]: Failed to remove PCP mapping internal port 31425, protocol TCP

tiagogaspar8 commented 2 years ago

Another update, managed to get miniupnp to work with the 2.3 version, I had to add the following lines to the configuration file:

upnp_table_name=fw4
upnp_nat_table_name=fw4
upnp_forward_chain=forward_wan

That fixed the forwarding and the "new" issues with miniupnpd adding the rules, yet it didn't fix the "failed to remove" error. Now, we can't just add these lines as they are to the config file, because the "forwarding" section must be obtained dynamically from the firewall config. Also, I'm not sure if there should be a table just for miniupnpd or if it should just hook itself onto the default forwarding tables.

nicefile commented 2 years ago

Adding a valid manual port forward via "http://router/cgi-bin/luci/admin/network/firewall/forwards" makes upnpd-nftables start to actually forward traffic. I learned this by accident, now confirmed in this thread. Without it, it only shows entries in nft but no actual traffic is forwarded.

table ip miniupnpd {
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                iif 265 udp dport 9308 dnat to 192.168.1.98:9308
        }

        chain postrouting {
                type nat hook postrouting priority srcnat; policy accept;
        }
}
table inet miniupnpd {
        chain forward {
                type filter hook forward priority -25; policy accept;
                iif 265 th dport 9308 @nh,128,32 0xc0a80162 @nh,72,8 0x11 accept
        }
}

OpenWrt SNAPSHOT, r18809-5a0975f7ef @mt7621

trippleflux commented 2 years ago

Does anyone have any progress?

@tiagogaspar8

Another update, managed to get miniupnp to work with the 2.3 version, I had to add the following lines to the configuration file:

upnp_table_name=fw4
upnp_nat_table_name=fw4
upnp_forward_chain=forward_wan

I assume the configuration file that you were referring to is ../files/miniupnpd.init?

stintel commented 2 years ago

upnp_table_name=fw4
upnp_nat_table_name=fw4
upnp_forward_chain=forward_wan

This is a bad idea, as restarting fw4 will result in all rules added by miniupnpd being removed. One of the advantages that nftables brings is that you do not need to use the same table.

trippleflux commented 2 years ago

My WAN is a PPPoE client. When miniupnpd-nftables is brought up, somehow my ext_ifname inside /var/etc/miniupnpd.conf is "br-lan". After a quick search, I found the following fixes my ext_ifname & ext_ifname6 (/etc/init.d/miniupnpd) (Revised):

    else
        local tmpconf="/var/etc/miniupnpd.conf"
        conf="$tmpconf"
        mkdir -p /var/etc

        {
            # Ask netifd (via ubus) for the WAN interface's L3 device, e.g. "pppoe-wan",
            # and strip the JSON quoting so only the bare device name is left
            ifname=$(ubus call network.interface.wan status | grep \"l3_device\" | grep -oE '[^:]+$' | grep -o '"[^"]\+"' | sed 's/"//g' 2>/dev/null | head -1)

            echo "ext_ifname=$ifname"
            echo "ext_ifname6=$ifname6"

The workaround above doesn't work when the router comes up after a reboot; somehow a race condition between the miniupnpd init script and the PPPoE client in OpenWRT?

Another workaround is to restart the miniupnpd service after OpenWRT reboots.

Environment:

OpenWrt SNAPSHOT, r19053-921392e216 on x86-64, NFTABLES

Also, is anyone working on fully supporting miniupnpd with nftables? luci-upnp seems to need a fix; somehow "Active UPnP Redirects" isn't showing up on my Status->Overview.

Another issue found:

Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: send_batch: mnl_cb_run returned -1
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: nft_send_rule(0x5573f734e0a0, 6, 2) send_batch failed -4
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: PCP MAP: failed to add mapping TCP 15555->10.10.8.142:15555'PCP MAP 7656cbfa2ca35ea9624ec1ef'
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: send_batch: mnl_cb_run returned -1
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: nft_send_rule(0x5573f734e640, 6, 2) send_batch failed -4
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: PCP MAP: failed to add mapping UDP 15555->10.10.8.142:15555'PCP MAP fae45c180e87e4e90525794c'
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: send_batch: mnl_cb_run returned -1
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: nft_send_rule(0x5573f734e640, 6, 2) send_batch failed -4
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: send_batch: mnl_cb_run returned -1
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: nft_send_rule(0x5573f734f4c0, 6, 2) send_batch failed -4
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: send_batch: mnl_cb_run returned -1
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: nft_send_rule(0x5573f734f840, 6, 2) send_batch failed -4
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: send_batch: mnl_cb_run returned -1
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: nft_send_rule(0x5573f734f840, 6, 2) send_batch failed -4
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: send_batch: mnl_cb_run returned -1
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: nft_send_rule(0x5573f734f840, 6, 2) send_batch failed -4
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: send_batch: mnl_cb_run returned -1
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: nft_send_rule(0x5573f734f840, 6, 2) send_batch failed -4
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: send_batch: mnl_cb_run returned -1
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: nft_send_rule(0x5573f734f840, 6, 2) send_batch failed -4
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: send_batch: mnl_cb_run returned -1
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: nft_send_rule(0x5573f734f840, 6, 2) send_batch failed -4
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: send_batch: mnl_cb_run returned -1
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: nft_send_rule(0x5573f734f840, 6, 2) send_batch failed -4
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: send_batch: mnl_cb_run returned -1
Wed Mar  9 01:39:01 2022 daemon.err miniupnpd[9446]: nft_send_rule(0x5573f734f840, 6, 2) send_batch failed -4

Going back into 21.02 SNAPSHOT until miniupnpd-nftables becoming stable.

ptpt52 commented 2 years ago

to follow this thread

escape0707 commented 2 years ago

to follow this thread

Just click subscribe button, no need to add a comment here that everyone will get an email notification of.

tiagogaspar8 commented 2 years ago

I assume the configuration file that you were referring to is ../files/miniupnpd.init?

Nope, I actually meant I created another config file manually and started miniupnpd manually.

This is a bad idea, as restarting fw4 will result in all rules added by miniupnpd being removed. One of the advantages that nftables brings is that you do not need to use the same table.

True, that's an issue I thought of, but I currently don't see a way of adding a jump to the miniupnpd section before all of the rules that fw4 usually creates. Or is there a way I don't know about?

Another issue found

I have mentioned this before, I also have no idea of what it is and I'm honestly scared to ask upstream 😅

Sorry for the delay btw guys.

msylgj commented 2 years ago

Hello everyone. I've just modified the miniupnp-nftables package to use nft while creating firewall rules, and uploaded it to this repo: https://github.com/msylgj/miniupnpd.git Seems to work.😅 However, would you like to have a test? Snipaste_2022-03-20_00-09-19

escape0707 commented 2 years ago

@msylgj It will be better for you to fork from the miniupnpd project and then commit your patches, rather than download a snapshot to your local drive and then start a git repo afresh.

msylgj commented 2 years ago

@msylgj It will be better for you to fork from the miniupnpd project and then commit your patches, rather than download a snapshot to your local drive and then start a git repo afresh.

Thank you. I know that, and the repo is just for testing before a PR.

tiagogaspar8 commented 2 years ago

@msylgj I gotta say you're close to the solution! Indeed port forwardings work! Yet when qbittorrent tries to remove them this happens:

Mon Mar 21 21:46:10 2022 daemon.err miniupnpd[6032]: Failed to remove PCP mapping internal port 31425, protocol TCP
Mon Mar 21 21:46:10 2022 daemon.err miniupnpd[6032]: Failed to remove PCP mapping internal port 31425, protocol UDP
Mon Mar 21 21:46:10 2022 daemon.err miniupnpd[6032]: Failed to remove PCP mapping internal port 31425, protocol TCP
Mon Mar 21 21:46:10 2022 daemon.err miniupnpd[6032]: Failed to remove PCP mapping internal port 31425, protocol UDP
Mon Mar 21 21:46:10 2022 daemon.err miniupnpd[6032]: Failed to remove PCP mapping internal port 31425, protocol TCP
Mon Mar 21 21:46:10 2022 daemon.err miniupnpd[6032]: Failed to remove PCP mapping internal port 31425, protocol UDP

And no rules are removed. Also, when a reboot is performed on the firewall this happens:

root@router1:~# /etc/init.d/firewall restart
Section @rule[9] (Support-UDP-Traceroute) is disabled, ignoring section
Section @rule[10] (31425) is disabled, ignoring section
Hardware flow offloading unavailable, falling back to software offloading
/proc/self/fd/0:51:45-55: Error: Could not process rule: Not supported

/proc/self/fd/0:150:45-57: Error: Could not process rule: Not supported

/proc/self/fd/0:156:46-58: Error: Could not process rule: Not supported

And firewall4 doesn't start...

Yet, you're closer than ever, do you have any idea of what this can be?

msylgj commented 2 years ago

Thanks for your feedback. @tiagogaspar8 I also see those 'Failed to remove PCP mapping' errors, and duplicate rules will be added. For the second, if you use 'fw4 reload' instead of '/etc/init.d/firewall restart' (after restarting miniupnpd), everything is OK. However, I pushed a new commit to my test repo with no hook on fw4, so the second error will be gone. But it is still far away from really working, because there has been a big problem like below, all the time. I'm trying to read the source code of miniupnpd and find the reason.

Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: level=0 type=8
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: ifindex = 5  192.168.2.1
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: ST: upnp:rootdevice (ver=0)
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: SSDP M-SEARCH from 192.168.2.3:1900 ST: upnp:rootdevice
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: Single search found
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: SendSSDPResponse(): 0 bytes to 192.168.2.3:1900 ST: HTTP/1.1 200 OK
 CACHE-CONTROL: max-age=120
 ST: upnp:rootdevice
 USN: uuid:9b1e2954-07c8-4697-ac7f-8b24e082f39a::upnp:rootdevice
 EXT:
 SERVER: OpenWrt/5.15.30 UPnP/1.1 MiniUPnPd/2.3.0
 LOCATION: http://192.168.2.1:5000/rootDesc.xml
 OPT: "http://schemas.upnp.org/upnp/1/0/"; ns=01
 01-NLS: 1647922782
 BOOTID.UPNP.ORG: 1647922782
 CONFIGID.UPNP.ORG: 1337
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: PCP request received from 192.168.2.3:36261 60bytes
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: UPnP permission rule 0 matched : port mapping accepted
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Check protocol tcp for port 6881 on ext_if pppoe-wan <My Public WAN IP>, 0B701424
Tue Mar 22 12:22:03 2022 daemon.err miniupnpd[24500]: PCP MAP: failed to add mapping TCP 6881->192.168.2.3:6881 'PCP MAP c1217244571b6e5699a108ef'
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: PCP request received from 192.168.2.3:36261 60bytes
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: UPnP permission rule 0 matched : port mapping accepted
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Check protocol udp for port 6881 on ext_if pppoe-wan <My Public WAN IP>, 0B701424
Tue Mar 22 12:22:03 2022 daemon.err miniupnpd[24500]: PCP MAP: failed to add mapping UDP 6881->192.168.2.3:6881 'PCP MAP d92ad01048919d21eded711c'
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: PCP request received from 192.168.2.3:36261 60bytes
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: UPnP permission rule 0 matched : port mapping accepted
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Check protocol tcp for port 8083 on ext_if pppoe-wan <My Public WAN IP>, 0B701424
Tue Mar 22 12:22:03 2022 daemon.err miniupnpd[24500]: PCP MAP: failed to add mapping TCP 8083->192.168.2.3:8083 'PCP MAP a4b5478e687e11137efe4662'
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: HTTP REQUEST from 192.168.2.3:34810 : GET /rootDesc.xml (HTTP/1.1)
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Host: 192.168.2.1:5000
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: HTTP REQUEST from 192.168.2.3:34812 : POST /ctl/IPConn (HTTP/1.1)
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Host: 192.168.2.1:5000
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: HTTP REQUEST from 192.168.2.3:35302 : POST /ctl/IPConn (HTTP/1.1)
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Host: 192.168.2.1:5000
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: AddPortMapping: ext port 6881 to 192.168.2.3:6881 protocol TCP for: qBittorrent Enhanced/4.3.9.10 leaseduration=604800 rhost=
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: UPnP permission rule 0 matched : port mapping accepted
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Check protocol tcp for port 6881 on ext_if pppoe-wan <My Public WAN IP>, 0B701424
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: redirecting port 6881 to 192.168.2.3:6881 protocol TCP for: qBittorrent Enhanced/4.3.9.10
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: Returning UPnPError 501: ActionFailed
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: HTTP REQUEST from 192.168.2.3:55095 : POST /ctl/IPConn (HTTP/1.1)
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Host: 192.168.2.1:5000
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: AddPortMapping: ext port 45368 to 192.168.2.3:6881 protocol TCP for: qBittorrent Enhanced/4.3.9.10 leaseduration=604800 rhost=
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: UPnP permission rule 0 matched : port mapping accepted
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Check protocol tcp for port 45368 on ext_if pppoe-wan <My Public WAN IP>, 0B701424
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: redirecting port 45368 to 192.168.2.3:6881 protocol TCP for: qBittorrent Enhanced/4.3.9.10
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: Returning UPnPError 501: ActionFailed
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: HTTP REQUEST from 192.168.2.3:54567 : POST /ctl/IPConn (HTTP/1.1)
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Host: 192.168.2.1:5000
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: AddPortMapping: ext port 41009 to 192.168.2.3:6881 protocol TCP for: qBittorrent Enhanced/4.3.9.10 leaseduration=604800 rhost=
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: UPnP permission rule 0 matched : port mapping accepted
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Check protocol tcp for port 41009 on ext_if pppoe-wan <My Public WAN IP>, 0B701424
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: redirecting port 41009 to 192.168.2.3:6881 protocol TCP for: qBittorrent Enhanced/4.3.9.10
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: Returning UPnPError 501: ActionFailed
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: HTTP REQUEST from 192.168.2.3:49545 : POST /ctl/IPConn (HTTP/1.1)
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Host: 192.168.2.1:5000
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: AddPortMapping: ext port 46199 to 192.168.2.3:6881 protocol TCP for: qBittorrent Enhanced/4.3.9.10 leaseduration=604800 rhost=
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: UPnP permission rule 0 matched : port mapping accepted
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Check protocol tcp for port 46199 on ext_if pppoe-wan <My Public WAN IP>, 0B701424
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: redirecting port 46199 to 192.168.2.3:6881 protocol TCP for: qBittorrent Enhanced/4.3.9.10
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: Returning UPnPError 501: ActionFailed
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: HTTP REQUEST from 192.168.2.3:51799 : POST /ctl/IPConn (HTTP/1.1)
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Host: 192.168.2.1:5000
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: AddPortMapping: ext port 48692 to 192.168.2.3:6881 protocol TCP for: qBittorrent Enhanced/4.3.9.10 leaseduration=604800 rhost=
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: UPnP permission rule 0 matched : port mapping accepted
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Check protocol tcp for port 48692 on ext_if pppoe-wan <My Public WAN IP>, 0B701424
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: redirecting port 48692 to 192.168.2.3:6881 protocol TCP for: qBittorrent Enhanced/4.3.9.10
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: Returning UPnPError 501: ActionFailed
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: HTTP REQUEST from 192.168.2.3:45397 : POST /ctl/IPConn (HTTP/1.1)
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Host: 192.168.2.1:5000
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: AddPortMapping: ext port 6881 to 192.168.2.3:6881 protocol UDP for: qBittorrent Enhanced/4.3.9.10 leaseduration=604800 rhost=
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: UPnP permission rule 0 matched : port mapping accepted
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Check protocol udp for port 6881 on ext_if pppoe-wan <My Public WAN IP>, 0B701424
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: redirecting port 6881 to 192.168.2.3:6881 protocol UDP for: qBittorrent Enhanced/4.3.9.10
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: Returning UPnPError 501: ActionFailed
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: HTTP REQUEST from 192.168.2.3:38029 : POST /ctl/IPConn (HTTP/1.1)
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Host: 192.168.2.1:5000
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: AddPortMapping: ext port 47128 to 192.168.2.3:6881 protocol UDP for: qBittorrent Enhanced/4.3.9.10 leaseduration=604800 rhost=
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: UPnP permission rule 0 matched : port mapping accepted
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Check protocol udp for port 47128 on ext_if pppoe-wan <My Public WAN IP>, 0B701424
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: redirecting port 47128 to 192.168.2.3:6881 protocol UDP for: qBittorrent Enhanced/4.3.9.10
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: Returning UPnPError 501: ActionFailed
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: HTTP REQUEST from 192.168.2.3:40342 : POST /ctl/IPConn (HTTP/1.1)
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Host: 192.168.2.1:5000
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: AddPortMapping: ext port 46971 to 192.168.2.3:6881 protocol UDP for: qBittorrent Enhanced/4.3.9.10 leaseduration=604800 rhost=
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: UPnP permission rule 0 matched : port mapping accepted
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Check protocol udp for port 46971 on ext_if pppoe-wan <My Public WAN IP>, 0B701424
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: redirecting port 46971 to 192.168.2.3:6881 protocol UDP for: qBittorrent Enhanced/4.3.9.10
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: Returning UPnPError 501: ActionFailed
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: HTTP REQUEST from 192.168.2.3:60035 : POST /ctl/IPConn (HTTP/1.1)
Tue Mar 22 12:22:03 2022 daemon.debug miniupnpd[24500]: Host: 192.168.2.1:5000
Tue Mar 22 12:22:03 2022 daemon.info miniupnpd[24500]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping

tiagogaspar8 commented 2 years ago

@msylgj OK, if you find anything and need some testing, tell me! BTW, I have disabled UPnP; I only use PCP because I only have IPv6 with NAT64 in my network.

msylgj commented 2 years ago

@tiagogaspar8 Good news. When I disable the 'use_STUN' config and remove the cflag patch for Makefile.linux.nft, everything seems to be OK! Some remaining problems in my mind: the 'inet' family of nftables can't set NAT rules for both IPv4 and IPv6. But I can't use ip & ip6 tables for the rule sets (miniupnpd doesn't support it, throws errors). So we can see only IPv4 redirect rules in the nat table. I've no more ideas. Looks like this:

table inet miniupnpd_filter {
    chain forward {
        type filter hook forward priority -25; policy accept;
        jump miniupnpd
    }

    chain miniupnpd {
        iif "pppoe-wan" th dport 6881 @nh,128,32 0x<ipv4 public ip> @nh,72,8 0x6 accept
        iif "pppoe-wan" th dport 6881 @nh,192,128 0x<ipv6 public ip> @nh,48,8 0x6 accept
        iif "pppoe-wan" th dport 6881 @nh,128,32 0x<ipv4 public ip> @nh,72,8 0x11 accept
        iif "pppoe-wan" th dport 6881 @nh,192,128 0x<ipv6 public ip> @nh,48,8 0x11 accept
        iif "pppoe-wan" th dport 8083 @nh,128,32 0x<ipv4 public ip> @nh,72,8 0x6 accept
        iif "pppoe-wan" th dport 8083 @nh,192,128 0x<ipv6 public ip> @nh,48,8 0x6 accept
    }
}
table inet miniupnpd_nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        jump prerouting_miniupnpd
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        jump postrouting_miniupnpd
    }

    chain prerouting_miniupnpd {
        iif "pppoe-wan" @nh,72,8 0x6 th dport 6881 dnat ip to 192.168.2.3:6881
        iif "pppoe-wan" @nh,72,8 0x11 th dport 6881 dnat ip to 192.168.2.3:6881
        iif "pppoe-wan" @nh,72,8 0x6 th dport 8083 dnat ip to 192.168.2.3:8083
    }

    chain postrouting_miniupnpd {
    }
}
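As an added example (not code from this thread, miniupnpd, firewall4 or OpenWrt), the following Python script audits a saved `nft list ruleset` dump of the kind quoted above. It decodes the raw `@nh,offset,length` payload matches miniupnpd emits into protocol names and addresses (IPv4 protocol byte at bit 72 and destination at bit 128; IPv6 next-header at bit 48 and destination at bit 192), pairs every forward-chain accept with its dnat rule, and flags the two half-installed states a "rules exist but nothing is forwarded" report can come from: an accept with no matching dnat, or a dnat whose traffic the forward chain never accepts. The embedded ruleset is constructed from the dumps in this thread; the 2001:db8::3 address, the 8083 dnat line and the file name upnp_audit.py are assumptions made to exercise every branch.

```python
"""Audit miniupnpd's nftables rules from `nft list ruleset` output.

Added example for this issue thread; not code from miniupnpd, firewall4 or OpenWrt.
Usage off-box against a saved dump:  python3 upnp_audit.py < nftables.txt
"""
import ipaddress
import re
import sys
from dataclasses import dataclass

PROTO_NAMES = {6: "tcp", 17: "udp"}

# Raw payload selectors miniupnpd emits: (bit offset, bit length) -> (field, IP version).
# IPv4: protocol is header byte 9 (bit 72), destination is bytes 16-19 (bit 128).
# IPv6: next header is byte 6 (bit 48), destination is bytes 24-39 (bit 192).
RAW_FIELDS = {
    (72, 8): ("proto", 4),
    (128, 32): ("dst", 4),
    (48, 8): ("proto", 6),
    (192, 128): ("dst", 6),
}

FILTER_RE = re.compile(
    r'iif "(?P<iif>[^"]+)" th dport (?P<port>\d+)'
    r' @nh,(?P<off1>\d+),(?P<len1>\d+) 0x(?P<val1>[0-9a-fA-F]+)'
    r' @nh,(?P<off2>\d+),(?P<len2>\d+) 0x(?P<val2>[0-9a-fA-F]+) accept'
)
# Accepts both spellings seen in this thread:
#   iif "pppoe-wan" udp dport N dnat to A:P
#   iif "pppoe-wan" @nh,72,8 0x6 th dport N dnat ip to A:P
DNAT_RE = re.compile(
    r'iif "(?P<iif>[^"]+)" (?:@nh,72,8 0x(?P<rawproto>[0-9a-fA-F]+)|(?P<proto>tcp|udp))'
    r' (?:th )?dport (?P<port>\d+) dnat (?:ip6? )?to \[?(?P<addr>[0-9a-fA-F:.]+)\]?:(?P<iport>\d+)'
)

# Constructed sample modelled on the dumps in this thread (2001:db8::3 and the 8083 dnat are made up).
SAMPLE_RULESET = """
table inet miniupnpd {
    chain forward {
        type filter hook forward priority -25; policy accept;
        iif "pppoe-wan" th dport 49965 @nh,128,32 0xc0a8010b @nh,72,8 0x11 accept
        iif "pppoe-wan" th dport 9564 @nh,128,32 0xc0a8010b @nh,72,8 0x6 accept
        iif "pppoe-wan" th dport 9564 @nh,128,32 0xc0a8010b @nh,72,8 0x11 accept
        iif "pppoe-wan" th dport 6881 @nh,192,128 0x20010db8000000000000000000000003 @nh,48,8 0x6 accept
    }
}
table ip miniupnpd {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iif "pppoe-wan" udp dport 49965 dnat to 192.168.1.11:49965
        iif "pppoe-wan" tcp dport 9564 dnat to 192.168.1.11:9564
        iif "pppoe-wan" @nh,72,8 0x6 th dport 8083 dnat ip to 192.168.1.11:8083
    }
}
"""


@dataclass(frozen=True)
class Accept:
    iif: str
    proto: str
    ext_port: int
    dst: str      # the post-DNAT destination the forward hook sees (the LAN host)
    family: int


@dataclass(frozen=True)
class Redirect:
    iif: str
    proto: str
    ext_port: int
    int_addr: str
    int_port: int


def _decode_raw(offset, length, hexval):
    """Turn one '@nh,offset,length 0x...' match into (field, family, human value)."""
    field, family = RAW_FIELDS.get((offset, length), (None, None))
    if field is None:
        raise ValueError(f"unknown raw payload selector @nh,{offset},{length}")
    n = int(hexval, 16)
    if field == "proto":
        return field, family, PROTO_NAMES.get(n, str(n))
    addr = ipaddress.IPv4Address(n) if family == 4 else ipaddress.IPv6Address(n)
    return field, family, str(addr)


def parse_accepts(ruleset):
    accepts = []
    for line in ruleset.splitlines():
        m = FILTER_RE.search(line)
        if not m:
            continue
        fields, family = {}, None
        for i in (1, 2):
            field, family, value = _decode_raw(int(m[f"off{i}"]), int(m[f"len{i}"]), m[f"val{i}"])
            fields[field] = value
        accepts.append(Accept(m["iif"], fields["proto"], int(m["port"]), fields["dst"], family))
    return accepts


def parse_redirects(ruleset):
    redirects = []
    for line in ruleset.splitlines():
        m = DNAT_RE.search(line)
        if not m:
            continue
        proto = m["proto"] or PROTO_NAMES.get(int(m["rawproto"], 16), m["rawproto"])
        redirects.append(Redirect(m["iif"], proto, int(m["port"]), m["addr"], int(m["iport"])))
    return redirects


def audit(ruleset):
    """Pair accepts with dnat rules; anything unpaired is a mapping that cannot work end to end."""
    accepts, redirects = parse_accepts(ruleset), parse_redirects(ruleset)
    by_key = {(r.iif, r.proto, r.ext_port): r for r in redirects}
    report = {"forwarded": [], "pinhole_v6": [], "accept_without_dnat": [], "dnat_without_accept": []}
    for a in accepts:
        r = by_key.get((a.iif, a.proto, a.ext_port))
        if r is not None and r.int_addr == a.dst:
            report["forwarded"].append(f"{a.proto}/{a.ext_port} -> {r.int_addr}:{r.int_port}")
        elif a.family == 6:   # IPv6 needs no NAT: a bare accept is the expected pinhole
            report["pinhole_v6"].append(f"{a.proto}/{a.ext_port} -> [{a.dst}]")
        else:                 # IPv4 accept with nothing rewriting the packet to that host
            report["accept_without_dnat"].append(f"{a.proto}/{a.ext_port} -> {a.dst}")
    accepted = {(a.iif, a.proto, a.ext_port, a.dst) for a in accepts}
    for r in redirects:       # rewritten, but then dropped by the zone's forward policy
        if (r.iif, r.proto, r.ext_port, r.int_addr) not in accepted:
            report["dnat_without_accept"].append(f"{r.proto}/{r.ext_port} -> {r.int_addr}:{r.int_port}")
    return report


if __name__ == "__main__":
    text = SAMPLE_RULESET if sys.stdin.isatty() else sys.stdin.read()
    for state, entries in audit(text).items():
        for entry in entries:
            print(f"{state:20s} {entry}")
```

Feed it the `nftables.txt` attached to the report (or `nft list ruleset` piped from the router) and compare the `forwarded` list with what LuCI shows under active redirects; every mapping in `accept_without_dnat` or `dnat_without_accept` is one that miniupnpd reported as accepted but that cannot carry traffic.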
stintel commented 2 years ago

For this bug, please try https://git.openwrt.org/38423fae4ba0

For the miniupnpd errors, please report them upstream, or update https://github.com/miniupnp/miniupnp/issues/582 and optionally create a new issue here to track those.

And I would prefer not to have to resort to using custom scripts at all for adding nftables rules. The less custom code we have to maintain, the better.

not-the-nrc commented 2 years ago

For this bug, please try https://git.openwrt.org/38423fae4ba0

@stintel I'm running the latest miniupnpd-nftables_2.3.0-1. Without your patch, my Xbox Series X reports that my NAT type is moderate (Your network is behind a UPnP port-restricted NAT).

With your patch, my Xbox reports that my NAT type is open (Your network is behind a cone NAT).

Dopam-IT commented 2 years ago

Hi, how do I apply the patch on a Belkin RT3200, please? Do you think it is complicated? Thanks

not-the-nrc commented 2 years ago

Hi, how do I apply the patch on a Belkin RT3200, please? Do you think it is complicated? Thanks

@neilsan1366 If you compile OpenWrt yourself, you can download the patch above at https://git.openwrt.org/?p=project/firewall4.git;a=patch;h=38423fae4ba0f116ae7b5853b1c459202fe2c9a4 and place it in package/network/config/firewall4/patches.

If you don't compile OpenWrt yourself, install a text editor on your router, like nano. Then, on your router, edit the file /usr/share/firewall4/templates/ruleset.uc and delete the 4 lines deleted by the patch. Reboot your router for the changes to take effect. You will lose these changes every time you flash a new version of OpenWrt on your router, so you'll have to modify the file each time.

Please note that they recently reverted the latest changes to miniupnpd and downgraded it to the previous version. I'm currently waiting for the build to finish to see if the results are the same.

Update: I get the same results with miniupnpd-nftables_2.2.3-1. Moderate NAT without the patch. Open NAT with the patch.