openwrt / packages

Community maintained packages for OpenWrt. Documentation for submitting pull requests is in CONTRIBUTING.md
GNU General Public License v2.0

miniupnpd-nftables: rules are created but no traffic is being forwarded #17871

Closed escape0707 closed 1 year ago

escape0707 commented 2 years ago

Maintainer

@stintel @ldir-EDB0 @neheb

Environment

Description

As the title says, miniupnpd can't map requested ports successfully for applications and shows "There are no active redirects." in the LuCI web interface.

I set up this environment by:

  1. Flashed the official snapshot version just after I got my hands on this Redmi Router, with the method provided in the official guide.
  2. Set up 2.4G & 5G WiFi.
  3. Set up PPPoE on WAN.
  4. Installed luci-app-upnp through opkg.

I don't know where to continue the troubleshooting. If any additional information is needed, please let me know. I do have a dynamic global IPv4 address on my router, and I disguised it. If that's needed, please also let me know.

Latest release version 21.02.1 with miniupnpd_2.2.1-3 doesn't have this problem but can't support Xbox / Windows teredo UPnP.

More logs / configs

qbittorrent_download qbittorrent_log.txt logread.txt teredo_log.txt etc_config_upnpd.txt ip_addr_show.txt nftables.txt opkg_info_miniupnpd.txt

Dopam-IT commented 2 years ago

Yes, thanks for the response. I will replace the files with WinSCP 👍

OK, to be sure: the files with the patch come to exactly 11347 B, is that right?

Sorry, but it doesn't work. I have modified it like this:

```
{% endif %}
{% for (let zone in fw4.zones()): %}
    chain input_{{ zone.name }} {
{% for (let rule in fw4.rules("input_"+zone.name)): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
        ct status dnat accept comment "!fw4: Accept port redirections"
        jump {{ zone.input }}_from_{{ zone.name }}
    }

    chain output_{{ zone.name }} {
{% for (let rule in fw4.rules("output_"+zone.name)): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
        jump {{ zone.output }}_to_{{ zone.name }}
    }

    chain forward_{{ zone.name }} {
{% for (let rule in fw4.rules("forward_"+zone.name)): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
        ct status dnat accept comment "!fw4: Accept port forwards"
        jump {{ zone.forward }}_to_{{ zone.name }}
    }

{% for (let verdict in ["accept", "reject", "drop"]): %}
{% if (zone.sflags[verdict]): %}
    chain {{ verdict }}_from_{{ zone.name }} {
{% for (let rule in zone.match_rules): %}
        {%+ include("zone-verdict.uc", { fw4, zone, rule, egress: false, verdict }) %}
{% endfor %}
    }

{% endif %}
{% if (zone.dflags[verdict]): %}
    chain {{ verdict }}_to_{{ zone.name }} {
{% for (let rule in zone.match_rules): %}
        {%+ include("zone-verdict.uc", { fw4, zone, rule, egress: true, verdict }) %}
{% endfor %}
    }
```

nicefile commented 2 years ago

@not-the-nrc I can also confirm this patch opens ports without adding any manual port forward. This is an easy fix for already flashed devices. Tested with build r18809 @dir-853-r1

Dopam-IT commented 2 years ago

Yes, the patch works 👌 Thanks for all

jckefan commented 1 year ago

> For this bug, please try https://git.openwrt.org/38423fae4ba0 For the miniupnpd error, please report them upstream, or update miniupnp/miniupnp#582 and optionally create a new issue here to track those. And I would prefer not to have to resort to using custom scripts at all for adding nftables rules. The less custom code we have to maintain, the better.

Also fixed my UPnP issue thanks.

firstred commented 1 year ago

> For this bug, please try https://git.openwrt.org/38423fae4ba0 For the miniupnpd error, please report them upstream, or update miniupnp/miniupnp#582 and optionally create a new issue here to track those. And I would prefer not to have to resort to using custom scripts at all for adding nftables rules. The less custom code we have to maintain, the better.

I can confirm that the patch works, although I had to update the line numbers for 22.03.0-rc6 (patch placed in package/network/config/firewall4/patches/ folder of OpenWrt src):

From 38423fae4ba0f116ae7b5853b1c459202fe2c9a4 Mon Sep 17 00:00:00 2001
From: Stijn Tintel <stijn@linux-ipv6.be>
Date: Tue, 22 Mar 2022 21:20:40 +0200
Subject: [PATCH] test: unconditionally allow ct status dnat

---
 root/usr/share/firewall4/templates/ruleset.uc | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index b402315..c7121aa 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -214,9 +214,7 @@
 {%  for (let rule in fw4.rules(`input_${zone.name}`)): %}
        {%+ include("rule.uc", { fw4, rule }) %}
 {%  endfor %}
-{%  if (zone.dflags.dnat): %}
        ct status dnat accept comment "!fw4: Accept port redirections"
-{%  endif %}
 {%  fw4.includes('chain-append', `input_${zone.name}`) %}
        jump {{ zone.input }}_from_{{ zone.name }}
    }
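Review bot: In the `input_${zone.name}` chain, removing the `zone.dflags.dnat` guard makes every zone accept any packet whose conntrack entry carries DNAT status, including zones for which fw4 itself defines no redirect, so a DNAT rule installed from outside fw4 now bypasses that zone's input policy. Keep the rule conditional (on the existing flag or on an explicit option) or state in the commit message why an unconditional accept is safe for all zones.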
@@ -235,9 +233,7 @@
 {%  for (let rule in fw4.rules(`forward_${zone.name}`)): %}
        {%+ include("rule.uc", { fw4, rule }) %}
 {%  endfor %}
-{%  if (zone.dflags.dnat): %}
        ct status dnat accept comment "!fw4: Accept port forwards"
-{%  endif %}
 {%  fw4.includes('chain-append', `forward_${zone.name}`) %}
        jump {{ zone.forward }}_to_{{ zone.name }}
    }
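Review bot: In the `forward_${zone.name}` chain the rule comment still reads "!fw4: Accept port forwards", but without the `zone.dflags.dnat` guard the rule also matches DNAT state that fw4 did not create, so the comment should say so for anyone reading the rendered ruleset. The commit also has a "test:" subject and an empty body with no sign-off; it needs a description of the intended behaviour before it is treated as more than a test patch.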
-- 
2.30.2

mastum commented 1 year ago

Thanks, also for me the patch has solved the problem.

firewire10000 commented 1 year ago

I've just compiled 22.03.0-rc6 with miniupnpd 2.3.0 (modified the Makefile to download the latest version) and applied the patch but I'm still not getting any open ports nor anything show under the 'Active UPnP Redirects' table.

edrikk commented 1 year ago

> ... but I'm still not getting any open ports nor anything show under the 'Active UPnP Redirects' table.

Yes. As I've noted in Issue 5678, both the Luci status -> overview page’s “Active UPnP Redirects” as well as luci-app-upnp package’s “Active UPnP Redirects” sections are empty.

I believe that these two issues are going to cause confusion if 22.03 is released without these 2 GUI fixes.

---

Edit: note this PR for the LuCI UPnP app: https://github.com/openwrt/luci/pull/5839

axet commented 1 year ago

https://github.com/miniupnp/miniupnp/commit/b8d66c5f7c7cad61241eca5332fda49b242de664

rules are supposed to be deleted

tiagogaspar8 commented 1 year ago

Hi guys, can you please give this a test? it should fix and improve the functionality of miniupnpd. https://github.com/openwrt/packages/pull/19154

not-the-nrc commented 1 year ago

> Hi guys, can you please give this a test? it should fix and improve the functionality of miniupnpd. #19154

@tiagogaspar8 I removed the patch above from @stintel and applied your pull request. I'm now running miniupnpd-nftables_2022-08-06-fa42d8f9 on r20381-fe86b2ffaa. After booting my Xbox, I can see the redirect in /var/run/miniupnpd.leases and when running nft list ruleset, and my Xbox reports that my NAT type is open ("Your network is behind a cone NAT").

tiagogaspar8 commented 1 year ago

That's good right @not-the-nrc ? Please test it out so we can close this issue, as this commit is merged and should fix all issues

not-the-nrc commented 1 year ago

> That's good right @not-the-nrc ? Please test it out so we can close this issue, as this commit is merged and should fix all issues

Yes, that is good. Your patch works for me and my Xbox.

Dopam-IT commented 1 year ago

Good evening, do the rules appear in luci-app-upnp?

I download miniupnp nftables first, then luci-app-upnp, is that right?

not-the-nrc commented 1 year ago

> good evening do the rules appear in luci-app-upnp

No, the rules do not appear in luci-app-upnp. There's a separate bug for that. Bug

> I download first miniupnp nftables then luci-app-upnp is it right ?

The pull request was just merged 9 hours ago as I write this. The build bots may not have built it yet.

Dopam-IT commented 1 year ago

OK, thank you for your answer. I am on a Belkin RT3200 on 22.03 rc6. Do I just need to update the packages, or will it be only on snapshot?

I have applied the patch but it doesn't work in my console

```
{% let flowtable_devices = fw4.resolve_offload_devices(); -%}

table inet fw4
flush table inet fw4
{% if (fw4.check_flowtable()): %}
delete flowtable inet fw4 ft
{% endif %}

table inet fw4 {
{% if (length(flowtable_devices) > 0): %}
    #
    # Flowtable
    #

    flowtable ft {
        hook ingress priority 0;
        devices = {{ fw4.set(flowtable_devices, true) }};
{% if (fw4.default_option("flow_offloading_hw")): %}
        flags offload;
{% endif %}
    }

{% endif %}
    #
    # Set definitions
    #

{% for (let set in fw4.ipsets()): %}
    set {{ set.name }} {
        type {{ fw4.concat(set.types) }}
{% if (set.maxelem > 0): %}
        size {{ set.maxelem }}
{% endif %}
{% if (set.timeout >= 0): %}
        timeout {{ set.timeout }}s
{% endif %}
{% if (set.interval): %}
        flags interval
        auto-merge
{% endif %}
{% fw4.print_setentries(set) %}
    }

{% endfor %}

    #
    # Defines
    #

{% for (let zone in fw4.zones()): %}
{% if (length(zone.match_devices)): %}
    define {{ zone.name }}_devices = {{ fw4.set(zone.match_devices, true) }}
{% endif %}
{% if (length(zone.match_subnets)): %}
    define {{ zone.name }}_subnets = {{ fw4.set(zone.match_subnets, true) }}
{% endif %}
{% endfor %}

    #
    # User includes
    #

    include "/etc/nftables.d/*.nft"

    #
    # Filter rules
    #

    chain input {
        type filter hook input priority filter; policy {{ fw4.input_policy(true) }};

        iifname "lo" accept comment "!fw4: Accept traffic from loopback"

        ct state established,related accept comment "!fw4: Allow inbound established and related flows"
{% if (fw4.default_option("drop_invalid")): %}
        ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
{% endif %}
{% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")): %}
        tcp flags & (fin | syn | rst | ack) == syn jump syn_flood comment "!fw4: Rate limit TCP syn packets"
{% endif %}
{% for (let rule in fw4.rules("input")): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
{% for (let zone in fw4.zones()): for (let rule in zone.match_rules): %}
        {%+ include("zone-jump.uc", { fw4, zone, rule, direction: "input" }) %}
{% endfor; endfor %}
{% if (fw4.input_policy() == "reject"): %}
        jump handle_reject
{% endif %}
    }

    chain forward {
        type filter hook forward priority filter; policy {{ fw4.forward_policy(true) }};

{% if (length(flowtable_devices) > 0): %}
        meta l4proto { tcp, udp } flow offload @ft;
{% endif %}
        ct state established,related accept comment "!fw4: Allow forwarded established and related flows"
{% if (fw4.default_option("drop_invalid")): %}
        ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
{% endif %}
{% for (let rule in fw4.rules("forward")): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
{% for (let zone in fw4.zones()): for (let rule in zone.match_rules): %}
        {%+ include("zone-jump.uc", { fw4, zone, rule, direction: "forward" }) %}
{% endfor; endfor %}
{% if (fw4.forward_policy() == "reject"): %}
        jump handle_reject
{% endif %}
    }

    chain output {
        type filter hook output priority filter; policy {{ fw4.output_policy(true) }};

        oifname "lo" accept comment "!fw4: Accept traffic towards loopback"

        ct state established,related accept comment "!fw4: Allow outbound established and related flows"
{% if (fw4.default_option("drop_invalid")): %}
        ct state invalid drop comment "!fw4: Drop flows with invalid conntrack state"
{% endif %}
{% for (let rule in fw4.rules("output")): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
{% for (let zone in fw4.zones()): for (let rule in zone.match_rules): %}
        {%+ include("zone-jump.uc", { fw4, zone, rule, direction: "output" }) %}
{% endfor; endfor %}
{% if (fw4.output_policy() == "reject"): %}
        jump handle_reject
{% endif %}
    }

    chain handle_reject {
        meta l4proto tcp reject with {{
            (fw4.default_option("tcp_reject_code") != "tcp-reset")
                ? "icmpx type " + fw4.default_option("tcp_reject_code")
                : "tcp reset"
        }} comment "!fw4: Reject TCP traffic"
        reject with {{
            (fw4.default_option("any_reject_code") != "tcp-reset")
                ? "icmpx type " + fw4.default_option("any_reject_code")
                : "tcp reset"
        }} comment "!fw4: Reject any other traffic"
    }

{% if (fw4.default_option("synflood_protect") && fw4.default_option("synflood_rate")):
    let r = fw4.default_option("synflood_rate");
    let b = fw4.default_option("synflood_burst");
%}
    chain syn_flood {
        limit rate {{ r.rate }}/{{ r.unit }}
        {%- if (b): %} burst {{ b }} packets{% endif %} return comment "!fw4: Accept SYN packets below rate-limit"
        drop comment "!fw4: Drop excess packets"
    }

{% endif %}
{% for (let zone in fw4.zones()): %}
    chain input_{{ zone.name }} {
{% for (let rule in fw4.rules("input_"+zone.name)): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
        ct status dnat accept comment "!fw4: Accept port redirections"
        jump {{ zone.input }}_from_{{ zone.name }}
    }

    chain output_{{ zone.name }} {
{% for (let rule in fw4.rules("output_"+zone.name)): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
        jump {{ zone.output }}_to_{{ zone.name }}
    }

    chain forward_{{ zone.name }} {
{% for (let rule in fw4.rules("forward_"+zone.name)): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
        ct status dnat accept comment "!fw4: Accept port forwards"
        jump {{ zone.forward }}_to_{{ zone.name }}
    }

{% for (let verdict in ["accept", "reject", "drop"]): %}
{% if (zone.sflags[verdict]): %}
    chain {{ verdict }}_from_{{ zone.name }} {
{% for (let rule in zone.match_rules): %}
        {%+ include("zone-verdict.uc", { fw4, zone, rule, egress: false, verdict }) %}
{% endfor %}
    }

{% endif %}
{% if (zone.dflags[verdict]): %}
    chain {{ verdict }}_to_{{ zone.name }} {
{% for (let rule in zone.match_rules): %}
        {%+ include("zone-verdict.uc", { fw4, zone, rule, egress: true, verdict }) %}
{% endfor %}
    }

{% endif %}
{% endfor %}
{% endfor %}

    #
    # NAT rules
    #

    chain dstnat {
        type nat hook prerouting priority dstnat; policy accept;
{% for (let zone in fw4.zones()): %}
{% if (zone.dflags.dnat): %}
{% for (let rule in zone.match_rules): %}
        {%+ include("zone-jump.uc", { fw4, zone, rule, direction: "dstnat" }) %}
{% endfor %}
{% endif %}
{% endfor %}
    }

    chain srcnat {
        type nat hook postrouting priority srcnat; policy accept;
{% for (let redirect in fw4.redirects("srcnat")): %}
        {%+ include("redirect.uc", { fw4, redirect }) %}
{% endfor %}
{% for (let zone in fw4.zones()): %}
{% if (zone.dflags.snat): %}
{% for (let rule in zone.match_rules): %}
        {%+ include("zone-jump.uc", { fw4, zone, rule, direction: "srcnat" }) %}
{% endfor %}
{% endif %}
{% endfor %}
    }

{% for (let zone in fw4.zones()): %}
{% if (zone.dflags.dnat): %}
    chain dstnat_{{ zone.name }} {
{% for (let redirect in fw4.redirects("dstnat_"+zone.name)): %}
        {%+ include("redirect.uc", { fw4, redirect }) %}
{% endfor %}
    }

{% endif %}
{% if (zone.dflags.snat): %}
    chain srcnat_{{ zone.name }} {
{% for (let redirect in fw4.redirects("srcnat_"+zone.name)): %}
        {%+ include("redirect.uc", { fw4, redirect }) %}
{% endfor %}
{% if (zone.masq): %}
{% for (let saddrs in zone.masq4_src_subnets): %}
{% for (let daddrs in zone.masq4_dest_subnets): %}
        {%+ include("zone-masq.uc", { fw4, zone, family: 4, saddrs, daddrs }) %}
{% endfor %}
{% endfor %}
{% endif %}
{% if (zone.masq6): %}
{% for (let saddrs in zone.masq6_src_subnets): %}
{% for (let daddrs in zone.masq6_dest_subnets): %}
        {%+ include("zone-masq.uc", { fw4, zone, family: 6, saddrs, daddrs }) %}
{% endfor %}
{% endfor %}
{% endif %}
    }

{% endif %}
{% endfor %}

    #
    # Raw rules (notrack & helper)
    #

    chain raw_prerouting {
        type filter hook prerouting priority raw; policy accept;
{% for (let target in ["helper", "notrack"]): %}
{% for (let zone in fw4.zones()): %}
{% if (zone.dflags[target]): %}
{% for (let rule in zone.match_rules): %}
{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, false); %}
{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, false); %}
{% if (rule.devices_neg || rule.subnets_neg || devices_pos || subnets_pos): %}
        {%+ if (rule.family): -%}
        meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
        {%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%}
        jump {{ target }}_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} {{ (target == "helper") ? "CT helper assignment" : "CT bypass" }}"
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endfor %}
    }

    chain raw_output {
        type filter hook output priority raw; policy accept;
{% for (let target in ["helper", "notrack"]): %}
{% for (let zone in fw4.zones()): %}
{% if (zone.dflags[target]): %}
{% for (let rule in zone.match_rules): %}
{% let devices_pos = fw4.filter_loopback_devs(rule.devices_pos, true); %}
{% let subnets_pos = fw4.filter_loopback_addrs(rule.subnets_pos, true); %}
{% if (devices_pos || subnets_pos): %}
        {%+ if (rule.family): -%}
        meta nfproto {{ fw4.nfproto(rule.family) }} {%+ endif -%}
        {%+ include("zone-match.uc", { fw4, egress: false, rule: { ...rule, devices_pos, subnets_pos } }) -%}
        jump {{ target }}_{{ zone.name }} comment "!fw4: {{ zone.name }} {{ fw4.nfproto(rule.family, true) }} {{ (target == "helper") ? "CT helper assignment" : "CT bypass" }}"
{% endif %}
{% endfor %}
{% endif %}
{% endfor %}
{% endfor %}
    }

{% for (let helper in fw4.helpers()): %}
{% if (helper.available): %}
{% for (let proto in helper.proto): %}
    ct helper {{ helper.name }} {
        type {{ fw4.quote(helper.name, true) }} protocol {{ proto.name }};
    }

{% endfor %}
{% endif %}
{% endfor %}
{% for (let target in ["helper", "notrack"]): %}
{% for (let zone in fw4.zones()): %}
{% if (zone.dflags[target]): %}
    chain {{ target }}_{{ zone.name }} {
{% for (let rule in fw4.rules(target+"_"+zone.name)): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
    }

{% endif %}
{% endfor %}
{% endfor %}

    #
    # Mangle rules
    #

    chain mangle_prerouting {
        type filter hook prerouting priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_prerouting")): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
    }

    chain mangle_postrouting {
        type filter hook postrouting priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_postrouting")): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
    }

    chain mangle_input {
        type filter hook input priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_input")): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
    }

    chain mangle_output {
        type filter hook output priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_output")): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
    }

    chain mangle_forward {
        type filter hook forward priority mangle; policy accept;
{% for (let rule in fw4.rules("mangle_forward")): %}
        {%+ include("rule.uc", { fw4, rule }) %}
{% endfor %}
{% for (let zone in fw4.zones()): %}
{% if (zone.mtu_fix): %}
{% for (let rule in zone.match_rules): %}
        {%+ include("zone-mssfix.uc", { fw4, zone, rule, egress: false }) %}
        {%+ include("zone-mssfix.uc", { fw4, zone, rule, egress: true }) %}
{% endfor %}
{% endif %}
{% endfor %}
    }
}
```

tiagogaspar8 commented 1 year ago

My patch is currently on snapshot, but if openwrt maintainers feel like it should be backported too it can be done, since miniupnpd in the latest release is broken because it uses firewall4.

firewire10000 commented 1 year ago

I can confirm that the patch from @tiagogaspar8 works! I've tested this on a Sony PlayStation 4 and I'm now able to achieve open NAT type.

axet commented 1 year ago

Port forwarding still not working with or without https://github.com/openwrt/packages/issues/17871#issuecomment-1207162628 patch.

Release 22.03.0

miniupnp rules are still not removed (/tmp/upnp.leases cleared properly tho)

Strasedon commented 1 year ago

@axet Take a look at this commit that hasn't been pulled into 22.03.0 if you feel like testing.

axet commented 1 year ago

@Strasedon Thanks. I cherry-picked this commit into trunk/feeds/packages. Same - port is closed. Applying the patch from https://github.com/openwrt/packages/issues/17871#issuecomment-1207162628 makes it work again!

skill7899 commented 1 year ago

It doesn't work in Release 22.03.0. Has this patch been merged into release 22.03.0?

Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'NAT-PMP 6888 tcp' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'NAT-PMP 6887 tcp' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'NAT-PMP 6886 tcp' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'NAT-PMP 6885 tcp' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'mandela' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label '2731c90e' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label '2731c90e' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label '2731c90e' is not a IGD pinhole
Sun Sep 11 11:39:03 2022 daemon.debug miniupnpd[46701]: rule with label 'ZeroTier/a4a7a830e6@55405' is not a IGD pinhole

Neverends4 commented 1 year ago

Interestingly enough, I got upnp working on 22.03.0 but not on recent 22.03.1, got tons of logs like:

Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: level=0 type=8
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: ifindex = 10  192.168.57.99
Sat Oct 15 15:24:37 2022 daemon.info miniupnpd[24166]: Received UDP Packet (IPv6)
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: level=0 type=8
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: ifindex = 10  192.168.57.99
Sat Oct 15 15:24:37 2022 daemon.info miniupnpd[24166]: Received UDP Packet (IPv6)
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: level=0 type=8
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: ifindex = 10  192.168.57.99
Sat Oct 15 15:24:37 2022 daemon.info miniupnpd[24166]: Received UDP Packet (IPv6)
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole
Sat Oct 15 15:24:37 2022 daemon.debug miniupnpd[24166]: rule with label 'a9301fd0' is not a IGD pinhole

Neverends4 commented 1 year ago

version info:

miniupnpd --version
miniupnpd 2.3.0 v22.03.1 Oct  7 2022
using netfilter(nftables) backend

config:

config upnpd 'config'
    option upload '512'
    option internal_iface 'LANex lan'
    option port '5000'
    option upnp_lease_file '/var/run/miniupnpd.leases'
    option uuid 'uuid'
    option download '10240'
    option clean_ruleset_interval '86400'
    option enable_natpmp '1'
    option enabled '1'
    option external_iface 'wan'
    option log_output '1'

Neverends4 commented 1 year ago

22.03.2 has exactly the same issue with upnp.

miniupnpd 2.3.0 v22.03.2 Oct 14 2022
using netfilter(nftables) backend

While miniupnpd in 22.03 rc5 works fine, though Luci has no port mapping showing.


miniupnpd 2.2.3 v22.03.0-rc5 Jul  6 2022
using netfilter(nftables) backend 

Neverends4 commented 1 year ago

22.03.3, still the same, applications complained no upnp support, and when enable extra log, "xxx is not a IGD pinhole" is shown. any updates?

miniupnpd --version
miniupnpd 2.3.0 v22.03.3 Jan  3 2023
using netfilter(nftables) backend

axet commented 1 year ago

Upstream issue closed including traffic forwarding / duplicate rules / non removable rules. Thanks to the author.

Working commit:

https://github.com/miniupnp/miniupnp/commit/904dda47ed67def29a9cfece592637c6777fc54b

edrikk commented 1 year ago

miniupnp 2.3.3 has been released - would be great if could be backported to close the issue: https://github.com/miniupnp/miniupnp/commit/e439318cf782e30066d430f27a1365e013a5ab94

fryderykhuang commented 1 year ago

Patch still not merged?

stintel commented 1 year ago

This problem is already fixed in the current version of miniupnpd, both in master and OpenWrt 22.03.

tiagogaspar8 commented 1 year ago

But now every time the firewall is reloaded all the rules are deleted and not reverted

axet commented 1 year ago

@tiagogaspar8 my rules are ok. At least all rules from /etc/config/firewall

tiagogaspar8 commented 1 year ago

I was talking about the miniupnpd created port forwarding rules, every time I reload the firewall they're deleted
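
Several comments in this thread check the same two things by hand: the lease file (`/var/run/miniupnpd.leases`) and the output of `nft list ruleset`. The script below is an added example, not part of any comment above nor of miniupnpd or OpenWrt; it compares the two and reports leases with no DNAT rule (the state described after a firewall reload) and DNAT rules with no lease (rules that were never removed). The lease line layout, the listed rule syntax and the chain name `upnp_prerouting` are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: compare miniupnpd leases with the DNAT rules in a saved
# `nft list ruleset` listing. Assumptions (not taken from the thread):
#   lease line : PROTO:EPORT:IADDR:IPORT:TIMESTAMP:DESCRIPTION
#   nft rule   : ... tcp dport 6881 ... dnat [ip] to ADDR:PORT ...

# lease_keys FILE -> "proto eport iaddr iport", one line per lease
lease_keys() {
    awk -F: 'NF >= 5 { print tolower($1), $2, $3, $4 }' "$1" | sort -u
}

# dnat_keys LISTING CHAIN -> same key format, DNAT rules inside CHAIN only,
# so static redirects configured elsewhere are not reported as stale.
dnat_keys() {
    awk -v want="$2" '
    $1 == "chain" { chain = $2; next }
    chain == want {
        proto = ""; eport = ""; dest = ""; nat = 0
        for (i = 2; i < NF; i++) {
            if ($i == "dport" && ($(i-1) == "tcp" || $(i-1) == "udp")) {
                proto = $(i-1); eport = $(i+1)
            }
            if ($i == "dnat") nat = 1
            if (nat && $i == "to" && dest == "") dest = $(i+1)
        }
        # Only IPv4 ADDR:PORT targets are compared; other forms are skipped.
        if (proto != "" && split(dest, d, ":") == 2)
            print proto, eport, d[1], d[2]
    }' "$1" | sort -u
}

# only_in_first A B -> lines of A that do not occur in B (B may be empty)
only_in_first() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$2" "$1"
}

# audit_upnp LEASES LISTING CHAIN -> one MISSING-RULE / STALE-RULE line each
audit_upnp() {
    _tmp=$(mktemp -d) || return 2
    lease_keys "$1" > "$_tmp/leases"
    dnat_keys "$2" "$3" > "$_tmp/rules"
    only_in_first "$_tmp/leases" "$_tmp/rules" | sed 's/^/MISSING-RULE /'
    only_in_first "$_tmp/rules" "$_tmp/leases" | sed 's/^/STALE-RULE /'
    rm -rf "$_tmp"
}

# write_sample DIR -> constructed lease file and ruleset listing for a dry run
write_sample() {
    cat > "$1/leases" <<'EOF'
TCP:6881:192.168.1.10:6881:1662896343:constructed-torrent
UDP:3074:192.168.1.20:3074:1662896343:constructed-console
EOF
    cat > "$1/ruleset" <<'EOF'
table inet fw4 {
    chain dstnat_wan {
        meta nfproto ipv4 tcp dport 8443 dnat ip to 192.168.1.2:443 comment "static redirect"
    }
    chain upnp_prerouting {
        iif "pppoe-wan" tcp dport 6881 dnat ip to 192.168.1.10:6881 comment "constructed-torrent"
        iif "pppoe-wan" tcp dport 51413 dnat ip to 192.168.1.30:51413 comment "left over"
    }
}
EOF
}

# Dry run on the constructed sample. On a router, save the listing first:
#   nft list ruleset > /tmp/ruleset.txt
#   audit_upnp /var/run/miniupnpd.leases /tmp/ruleset.txt <chain used by your build>
sample_dir=$(mktemp -d)
write_sample "$sample_dir"
audit_upnp "$sample_dir/leases" "$sample_dir/ruleset" upnp_prerouting
rm -rf "$sample_dir"
```

Run it once before and once after a firewall reload: mappings that appear as MISSING-RULE only after the reload match the behaviour reported in the last comments.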