Closed escape0707 closed 1 year ago
Yes, thanks for the response. I will replace the files with WinSCP 👍
OK, to be sure: the files with the patch are exactly 11347 b, is that right?
Sorry, but it doesn't work. I have modified it like this:
```
{% endif %}
{% for (let zone in fw4.zones()): %}
    chain input_{{ zone.name }} {
{% for (let rule in fw4.rules("input_"+zone.name)): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
        ct status dnat accept comment "!fw4: Accept port redirections"
        jump {{ zone.input }}_from_{{ zone.name }}
    }

    chain output_{{ zone.name }} {
{% for (let rule in fw4.rules("output_"+zone.name)): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
        jump {{ zone.output }}_to_{{ zone.name }}
    }

    chain forward_{{ zone.name }} {
{% for (let rule in fw4.rules("forward_"+zone.name)): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
        ct status dnat accept comment "!fw4: Accept port forwards"
        jump {{ zone.forward }}_to_{{ zone.name }}
    }

{% for (let verdict in ["accept", "reject", "drop"]): %}
{% if (zone.sflags[verdict]): %}
    chain {{ verdict }}_from_{{ zone.name }} {
{% for (let rule in zone.match_rules): %}
        {%+ include("zone-verdict.uc", { fw4, zone, rule, egress: false, verdict }) %}
{% endfor %}
    }

{% endif %}
{% if (zone.dflags[verdict]): %}
    chain {{ verdict }}_to_{{ zone.name }} {
{% for (let rule in zone.match_rules): %}
        {%+ include("zone-verdict.uc", { fw4, zone, rule, egress: true, verdict }) %}
{% endfor %}
    }
```
@not-the-nrc I can also confirm this patch opens ports without adding any manual port forward. This is an easy fix for already flashed devices. Tested with build r18809 @dir-853-r1
Yes, the patch works 👌 Thanks for everything.
For this bug, please try https://git.openwrt.org/38423fae4ba0
For the miniupnpd error, please report them upstream, or update miniupnp/miniupnp#582 and optionally create a new issue here to track those.
And I would prefer not to have to resort to using custom scripts at all for adding nftables rules. The less custom code we have to maintain, the better.
Also fixed my UPnP issue thanks.
> For this bug, please try https://git.openwrt.org/38423fae4ba0
> For the miniupnpd error, please report them upstream, or update miniupnp/miniupnp#582 and optionally create a new issue here to track those.
> And I would prefer not to have to resort to using custom scripts at all for adding nftables rules. The less custom code we have to maintain, the better.
I can confirm that the patch works, although I had to update the line numbers for 22.03.0-rc6 (patch placed in the `package/network/config/firewall4/patches/` folder of OpenWrt src):
From 38423fae4ba0f116ae7b5853b1c459202fe2c9a4 Mon Sep 17 00:00:00 2001
From: Stijn Tintel <stijn@linux-ipv6.be>
Date: Tue, 22 Mar 2022 21:20:40 +0200
Subject: [PATCH] test: unconditionally allow ct status dnat
---
root/usr/share/firewall4/templates/ruleset.uc | 4 ----
1 file changed, 4 deletions(-)
diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index b402315..c7121aa 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -214,9 +214,7 @@
{% for (let rule in fw4.rules(`input_${zone.name}`)): %}
{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
-{% if (zone.dflags.dnat): %}
ct status dnat accept comment "!fw4: Accept port redirections"
-{% endif %}
{% fw4.includes('chain-append', `input_${zone.name}`) %}
jump {{ zone.input }}_from_{{ zone.name }}
}
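Review bot: In the `input_${zone.name}` chain, removing the `{% if (zone.dflags.dnat): %}` guard makes `ct status dnat accept` part of every zone's input chain, including zones for which fw4 never set `dflags.dnat`. Any connection that carries DNAT status is then accepted before `jump {{ zone.input }}_from_{{ zone.name }}` applies the zone's input policy. The commit has no message body and its subject is prefixed `test:`, so it should state which DNAT source this is meant to admit and whether the accept can be scoped more narrowly than "all zones, always".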
@@ -235,9 +233,7 @@
{% for (let rule in fw4.rules(`forward_${zone.name}`)): %}
{%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
-{% if (zone.dflags.dnat): %}
ct status dnat accept comment "!fw4: Accept port forwards"
-{% endif %}
{% fw4.includes('chain-append', `forward_${zone.name}`) %}
jump {{ zone.forward }}_to_{{ zone.name }}
}
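Review bot: In the `forward_${zone.name}` chain the now-unconditional `ct status dnat accept` sits ahead of `{% fw4.includes('chain-append', ...) %}`, so for every zone anything added through a chain-append include never sees DNATed traffic and cannot restrict it. Only the `fw4.rules(...)` loop above the accept still runs first. If forwarded port mappings are meant to stay filterable per zone, consider placing the accept after the chain-append include, or document that such restrictions have to be expressed as zone rules.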
--
2.30.2
Thanks, the patch has solved the problem for me as well.
I've just compiled 22.03.0-rc6 with miniupnpd 2.3.0 (modified the Makefile to download the latest version) and applied the patch but I'm still not getting any open ports nor anything show under the 'Active UPnP Redirects' table.
> ... but I'm still not getting any open ports nor anything show under the 'Active UPnP Redirects' table.
Yes. As I've noted in Issue 5678, both the Luci status -> overview page’s “Active UPnP Redirects” as well as luci-app-upnp package’s “Active UPnP Redirects” sections are empty.
I believe that these two issues are going to cause confusion if 22.03 is released without these 2 GUI fixes.
---
Edit: note this PR for the luci upnp app: https://github.com/openwrt/luci/pull/5839
https://github.com/miniupnp/miniupnp/commit/b8d66c5f7c7cad61241eca5332fda49b242de664
Rules are supposed to be deleted.
Hi guys, can you please give this a test? it should fix and improve the functionality of miniupnpd. https://github.com/openwrt/packages/pull/19154
> Hi guys, can you please give this a test? it should fix and improve the functionality of miniupnpd. #19154
@tiagogaspar8 I removed the patch above from @stintel and applied your pull request. I'm now running `miniupnpd-nftables_2022-08-06-fa42d8f9` on `r20381-fe86b2ffaa`. After booting my Xbox, I can see the redirect in `/var/run/miniupnpd.leases` and when running `nft list ruleset`, and my Xbox reports that my NAT type is open ("Your network is behind a cone NAT").
That's good right @not-the-nrc ? Please test it out so we can close this issue, as this commit is merged and should fix all issues
> That's good right @not-the-nrc ? Please test it out so we can close this issue, as this commit is merged and should fix all issues
Yes, that is good. Your patch works for me and my Xbox.
Good evening, do the rules appear in luci-app-upnp?
I download miniupnp nftables first, then luci-app-upnp, is that right?
> Good evening, do the rules appear in luci-app-upnp?
No, the rules do not appear in luci-app-upnp. There's a separate bug for that. Bug
> I download miniupnp nftables first, then luci-app-upnp, is that right?
The pull request was just merged 9 hours ago as I write this. The build bots may not have built it yet.
OK, thank you for your answer. I am on a Belkin RT3200 on 22.03 rc6. Do I just need to update the packets, or will it be only on snapshot?
I have applied the patch but it doesn't work in my console:
`{% let flowtable_devices = fw4.resolve_offload_devices(); -%}
table inet fw4 flush table inet fw4 {% if (fw4.check_flowtable()): %} delete flowtable inet fw4 ft {% endif %}
table inet fw4 { {% if (length(flowtable_devices) > 0): %} #
#
flowtable ft {
hook ingress priority 0;
devices = {{ fw4.set(flowtable_devices, true) }};
{% if (fw4.default_option("flow_offloading_hw")): %} flags offload; {% endif %} }
{% endif %} #
#
{% for (let set in fw4.ipsets()): %} set {{ set.name }} { type {{ fw4.concat(set.types) }} {% if (set.maxelem > 0): %} size {{ set.maxelem }} {% endif %} {% if (set.timeout >= 0): %} timeout {{ set.timeout }}s {% endif %} {% if (set.interval): %} flags interval auto-merge {% endif %} {% fw4.print_setentries(set) %} }
{% endfor %}
#
# Defines
#
{% for (let zone in fw4.zones()): %} {% if (length(zone.match_devices)): %} define {{ zone.name }}_devices = {{ fw4.set(zone.match_devices, true) }} {% endif %} {% if (length(zone.match_subnets)): %} define {{ zone.name }}_subnets = {{ fw4.set(zone.match_subnets, true) }} {% endif %} {% endfor %}
#
# User includes
#
include "/etc/nftables.d/*.nft"
#
# Filter rules
#
chain input {
type filter hook input priority filter; policy {{ fw4.input_policy(true) }};
iifname "lo" accept comment "!fw4: Accept traffic from loopback"
ct state established,related accept comment "!fw4: Allow inbound established and related flows"
{% if (fw4.default_option("drop_invalid")): %} ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state" {% endif %} {% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): %} tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets" {% endif %} {% for (let rule in fw4.rules("input")): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} {% for (let zone in fw4.zones()): for (let rule in zone.match_rules): %} {%+ include("zone-jump.uc", { fw4, zone, rule, direction: "input" }) %} {% endfor; endfor %} {% if (fw4.input_policy() == "reject"): %} jump handle_reject {% endif %} }
chain forward {
type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }};
{% if (length(flowtable_devices) > 0): %} meta l4proto { tcp, udp } flow offload @ft; {% endif %} ct state established,related accept comment "!fw4: Allow forwarded established and related flows" {% if (fw4.default_option("drop_invalid")): %} ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state" {% endif %} {% for (let rule in fw4.rules("forward")): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} {% for (let zone in fw4.zones()): for (let rule in zone.match_rules): %} {%+ include("zone-jump.uc", { fw4, zone, rule, direction: "forward" }) %} {% endfor; endfor %} {% if (fw4.forward_policy() == "reject"): %} jump handle_reject {% endif %} }
chain output {
type filter hook output priority filter; policy {{ fw4.output_policy(true) }};
oifname "lo" accept comment "!fw4: Accept traffic towards loopback"
ct state established,related accept comment "!fw4: Allow outbound established and related flows"
{% if (fw4.default_option("drop_invalid")): %} ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state" {% endif %} {% for (let rule in fw4.rules("output")): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} {% for (let zone in fw4.zones()): for (let rule in zone.match_rules): %} {%+ include("zone-jump.uc", { fw4, zone, rule, direction: "output" }) %} {% endfor; endfor %} {% if (fw4.output_policy() == "reject"): %} jump handle_reject {% endif %} }
chain handle_reject {
meta l4proto tcp reject with {{
(fw4.default_option("tcp_reject_code") != "tcp-reset")
? "icmpx type " + fw4.default_option("tcp_reject_code")
: "tcp reset"
}} comment "!fw4: Reject TCP traffic"
reject with {{
(fw4.default_option("any_reject_code") != "tcp-reset")
? "icmpx type " + fw4.default_option("any_reject_code")
: "tcp reset"
}} comment "!fw4: Reject any other traffic"
}
{% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): let r = fw4.default_option("synflood_rate"); let b = fw4.default_option("synflood_burst"); %} chain syn_flood { limit rate {{ r.rate }}/{{ r.unit }} {%- if (b): %} burst {{ b }} packets{% endif %} return comment "!fw4: Accept SYN packets below rate-limit" drop comment "!fw4: Drop excess packets" }
{% endif %} {% for (let zone in fw4.zones()): %} chain input{{ zone.name }} { {% for (let rule in fw4.rules("input"+zone.name)): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %}
ct status dnat accept comment "!fw4: Accept port redirections"
jump {{ zone.input }}_from_{{ zone.name }}
}
chain output_{{ zone.name }} {
{% for (let rule in fw4.rules("output_"+zone.name)): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} jump {{ zone.output }}to{{ zone.name }} }
chain forward_{{ zone.name }} {
{% for (let rule in fw4.rules("forward_"+zone.name)): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %}
ct status dnat accept comment "!fw4: Accept port forwards"
jump {{ zone.forward }}_to_{{ zone.name }}
}
{% for (let verdict in ["accept", "reject", "drop"]): %} {% if (zone.sflags[verdict]): %} chain {{ verdict }}from{{ zone.name }} { {% for (let rule in zone.match_rules): %} {%+ include("zone-verdict.uc", { fw4, zone, rule, egress: false, verdict }) %} {% endfor %} }
{% endif %} {% if (zone.dflags[verdict]): %} chain {{ verdict }}to{{ zone.name }} { {% for (let rule in zone.match_rules): %} {%+ include("zone-verdict.uc", { fw4, zone, rule, egress: true, verdict }) %} {% endfor %} }
{% endif %} {% endfor %} {% endfor %}
#
# NAT rules
#
chain dstnat {
type nat hook prerouting priority dstnat; policy accept;
{% for (let zone in fw4.zones()): %} {% if (zone.dflags.dnat): %} {% for (let rule in zone.match_rules): %} {%+ include("zone-jump.uc", { fw4, zone, rule, direction: "dstnat" }) %} {% endfor %} {% endif %} {% endfor %} }
chain srcnat {
type nat hook postrouting priority srcnat; policy accept;
{% for (let redirect in fw4.redirects("srcnat")): %} {%+ include("redirect.uc", { fw4, redirect }) %} {% endfor %} {% for (let zone in fw4.zones()): %} {% if (zone.dflags.snat): %} {% for (let rule in zone.match_rules): %} {%+ include("zone-jump.uc", { fw4, zone, rule, direction: "srcnat" }) %} {% endfor %} {% endif %} {% endfor %} }
{% for (let zone in fw4.zones()): %} {% if (zone.dflags.dnat): %} chain dstnat{{ zone.name }} { {% for (let redirect in fw4.redirects("dstnat"+zone.name)): %} {%+ include("redirect.uc", { fw4, redirect }) %} {% endfor %} }
{% endif %} {% if (zone.dflags.snat): %} chain srcnat{{ zone.name }} { {% for (let redirect in fw4.redirects("srcnat"+zone.name)): %} {%+ include("redirect.uc", { fw4, redirect }) %} {% endfor %} {% if (zone.masq): %} {% for (let saddrs in zone.masq4_src_subnets): %} {% for (let daddrs in zone.masq4_dest_subnets): %} {%+ include("zone-masq.uc", { fw4, zone, family: 4, saddrs, daddrs }) %} {% endfor %} {% endfor %} {% endif %} {% if (zone.masq6): %} {% for (let saddrs in zone.masq6_src_subnets): %} {% for (let daddrs in zone.masq6_dest_subnets): %} {%+ include("zone-masq.uc", { fw4, zone, family: 6, saddrs, daddrs }) %} {% endfor %} {% endfor %} {% endif %} }
{% endif %} {% endfor %}
#
# Raw rules (notrack & helper)
#
chain raw_prerouting {
type filter hook prerouting priority raw; policy accept;
{% for (let target in ["helper", "notrack"]): %} {% for (let zone in fw4.zones()): %} {% if (zone.dflags[target]): %} {% for (let rule in zone.match_rules): %} {% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, false); %} {% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, false); %} {% if (rule.devices_neg || rule.subnets_neg || devices_pos || subnets_pos): %} {%+ if (rule.family): -%} meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} {%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnetspos } }) -%} jump {{ target }}{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} {{ (target == "helper") ? "CT helper assignment" : "CT bypass" }}" {% endif %} {% endfor %} {% endif %} {% endfor %} {% endfor %} }
chain raw_output {
type filter hook output priority raw; policy accept;
{% for (let target in ["helper", "notrack"]): %} {% for (let zone in fw4.zones()): %} {% if (zone.dflags[target]): %} {% for (let rule in zone.match_rules): %} {% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, true); %} {% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, true); %} {% if (devices_pos || subnets_pos): %} {%+ if (rule.family): -%} meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%} {%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnetspos } }) -%} jump {{ target }}{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} {{ (target == "helper") ? "CT helper assignment" : "CT bypass" }}" {% endif %} {% endfor %} {% endif %} {% endfor %} {% endfor %} }
{% for (let helper in fw4.helpers()): %} {% if (helper.available): %} {% for (let proto in helper.proto): %} ct helper {{ helper.name }} { type {{ fw4.quote(helper.name, true) }} protocol {{ proto.name }}; }
{% endfor %} {% endif %} {% endfor %} {% for (let target in ["helper", "notrack"]): %} {% for (let zone in fw4.zones()): %} {% if (zone.dflags[target]): %} chain {{ target }}{{ zone.name }} { {% for (let rule in fw4.rules(target+""+zone.name)): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} }
{% endif %} {% endfor %} {% endfor %}
#
# Mangle rules
#
chain mangle_prerouting {
type filter hook prerouting priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_prerouting")): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} }
chain mangle_postrouting {
type filter hook postrouting priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_postrouting")): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} }
chain mangle_input {
type filter hook input priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_input")): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} }
chain mangle_output {
type filter hook output priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_output")): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} }
chain mangle_forward {
type filter hook forward priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_forward")): %} {%+ include("rule.uc", { fw4, rule }) %} {% endfor %} {% for (let zone in fw4.zones()): %} {% if (zone.mtu_fix): %} {% for (let rule in zone.match_rules): %} {%+ include("zone-mssfix.uc", { fw4, zone, rule, egress: false }) %} {%+ include("zone-mssfix.uc", { fw4, zone, rule, egress: true }) %} {% endfor %} {% endif %} {% endfor %} } } `
My patch is currently on snapshot, but if openwrt maintainers feel like it should be backported too it can be done, since miniupnpd in the latest release is broken because it uses firewall4.
I can confirm that the patch from @tiagogaspar8 works! I've tested this on a Sony PlayStation 4 and I'm now able to achieve open NAT type.
Port forwarding still not working with or without https://github.com/openwrt/packages/issues/17871#issuecomment-1207162628 patch.
Release 22.03.0
miniupnp rules are still not removed (/tmp/upnp.leases cleared properly tho)
@axet Take a look at this commit that hasn't been pulled into 22.03.0 if you feel like testing.
@Strasedon Thanks. I cherry-picked this commit into trunk/feeds/packages. Same - port is closed. Applying the patch from https://github.com/openwrt/packages/issues/17871#issuecomment-1207162628 makes it work again!
It doesn't work in Release 22.03.0. Has this patch been merged into release 22.03.0?
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'NAT-PMP 6888 tcp' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'NAT-PMP 6887 tcp' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'NAT-PMP 6886 tcp' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'NAT-PMP 6885 tcp' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'mandela' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label '2731c90e' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label '2731c90e' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label '2731c90e' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'ZeroTier/a4a7a830e6@55405' is not a IGD pinhole
Interestingly enough, I got upnp working on 22.03.0 but not on recent 22.03.1, got tons of logs like:
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: level=0 type=8
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: ifindex = 10 192.168.57.99
Sat Oct 15 15:24:37 2022 daemon.info miniupnpd[24166]: Received UDP Packet (IPv6)
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: level=0 type=8
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: ifindex = 10 192.168.57.99
Sat Oct 15 15:24:37 2022 daemon.info miniupnpd[24166]: Received UDP Packet (IPv6)
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: level=0 type=8
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: ifindex = 10 192.168.57.99
Sat Oct 15 15:24:37 2022 daemon.info miniupnpd[24166]: Received UDP Packet (IPv6)
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
version info:
miniupnpd --version
miniupnpd 2.3.0 v22.03.1 Oct 7 2022
using netfilter(nftables) backend
config:
config upnpd 'config'
option upload '512'
option internal_iface 'LANex lan'
option port '5000'
option upnp_lease_file '/var/run/miniupnpd.leases'
option uuid 'uuid'
option download '10240'
option clean_ruleset_interval '86400'
option enable_natpmp '1'
option enabled '1'
option external_iface 'wan'
option log_output '1'
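A flood like the one in the logs above is easier to read once the repeated debug lines are collapsed per label. The following is an added example, not part of the thread or of miniupnpd; the function names `sample_log`, `pinhole_summary` and `without_pinhole_noise` are made up here, and the sample input is constructed in the log format shown above (one message per line, as `logread` prints it).

```shell
#!/bin/sh
# Added example: triage miniupnpd "is not a IGD pinhole" debug messages.

# Constructed sample input in the syslog format quoted in this thread.
sample_log() {
    cat <<'EOF'
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'NAT-PMP 6888 tcp' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label '2731c90e' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label '2731c90e' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label '2731c90e' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'ZeroTier/a4a7a830e6@55405' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.info miniupnpd[24166]: Received UDP Packet (IPv6)
EOF
}

# Reads log lines on stdin and prints one row per (pid, label):
#   <count><TAB><pid><TAB><label>
# sorted by count (highest first), then by label.
pinhole_summary() {
    tab="$(printf '\t')"
    awk -v q="'" '
    BEGIN {
        prefix = "rule with label " q
        suffix = q " is not a IGD pinhole"
    }
    {
        p = index($0, "miniupnpd[")
        s = index($0, prefix)
        e = index($0, suffix)
        # Skip lines that are not the pinhole debug message.
        if (!p || !s || e <= s) next

        # PID: text between "miniupnpd[" and the next "]".
        rest = substr($0, p + 10)
        pid = substr(rest, 1, index(rest, "]") - 1)

        # Label: text between the fixed prefix and the fixed suffix.
        label = substr($0, s + length(prefix), e - s - length(prefix))
        count[pid SUBSEP label]++
    }
    END {
        for (k in count) {
            split(k, part, SUBSEP)
            printf "%d\t%s\t%s\n", count[k], part[1], part[2]
        }
    }' | sort -t "$tab" -k1,1nr -k3,3
}

# Prints the log with the pinhole debug lines removed, so the remaining
# miniupnpd events are visible.
without_pinhole_noise() {
    grep -v "is not a IGD pinhole" || true
}

# Demo on the constructed sample; on a router the input would instead be
# piped in from the system log, e.g.: logread | pinhole_summary
sample_log | pinhole_summary
```
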
22.03.2 has exactly the same issue with upnp.
miniupnpd 2.3.0 v22.03.2 Oct 14 2022
using netfilter(nftables) backend
While miniupnpd in 22.03 rc5 works fine, though Luci has no port mapping showing.
miniupnpd 2.2.3 v22.03.0-rc5 Jul 6 2022
using netfilter(nftables) backend
22.03.3, still the same, applications complained no upnp support, and when enable extra log, "xxx is not a IGD pinhole" is shown. any updates?
miniupnpd --version
miniupnpd 2.3.0 v22.03.3 Jan 3 2023
using netfilter(nftables) backend
Upstream issue closed including traffic forwarding / duplicate rules / non removable rules. Thanks to the author.
Working commit:
https://github.com/miniupnp/miniupnp/commit/904dda47ed67def29a9cfece592637c6777fc54b
miniupnp 2.3.3 has been released - would be great if could be backported to close the issue: https://github.com/miniupnp/miniupnp/commit/e439318cf782e30066d430f27a1365e013a5ab94
Patch still not merged?
This problem is already fixed in the current version of miniupnpd, both in master and OpenWrt 22.03.
But now every time the firewall is reloaded all the rules are deleted and not reverted
@tiagogaspar8 my rules are ok. At least all rules from /etc/config/firewall
I was talking about the miniupnpd created port forwarding rules, every time I reload the firewall they're deleted
Maintainer
@stintel @ldir-EDB0 @neheb
Environment
Description
As the title says, miniupnpd can't map requested ports successfully for applications and shows "There are no active redirects." in the LuCI web interface.
I setup this environment by:
`luci-app-upnp` through `opkg`.
I don't know where to continue the troubleshooting. If any additional information is needed, please let me know. I do have a dynamic global IPv4 address on my router, and I disguised it. If that's needed, please also let me know.
Latest release version
`21.02.1` with `miniupnpd_2.2.1-3` doesn't have this problem but can't support Xbox / Windows teredo UPnP.
More logs / configs