miniupnp / miniupnp

UPnP IGD implementation

Home Page: http://miniupnp.free.fr/

miniupnpd: Unable to make STUN work in a full-cone NAT environment.

daiaji opened this issue · comments

venv/bin/pystun3 -H stun.qq.com
NAT Type: Full Cone
External IP: 124.228.2.2
External Port: 19485
Press any key to continue
Sat Jan  6 23:30:13 2024 daemon.warn miniupnpd[6990]: SSDP packet sender [::ffff:192.168.1.11]:34247 (if_index=-1) not from a LAN, ignoring
Sat Jan  6 23:30:13 2024 daemon.warn miniupnpd[6990]: SSDP packet sender [::ffff:192.168.1.11]:53105 (if_index=-1) not from a LAN, ignoring
Sat Jan  6 23:30:13 2024 daemon.warn miniupnpd[6990]: HTTP Connection from 192.168.0.192 closed unexpectedly
Sat Jan  6 23:30:13 2024 daemon.warn miniupnpd[6990]: HTTP Connection from 192.168.0.192 closed unexpectedly
Sat Jan  6 23:30:13 2024 daemon.warn miniupnpd[6990]: HTTP Connection from 192.168.0.192 closed unexpectedly
Sat Jan  6 23:30:13 2024 daemon.warn miniupnpd[6990]: HTTP Connection from 192.168.0.192 closed unexpectedly
Sat Jan  6 23:30:13 2024 daemon.warn miniupnpd[6990]: HTTP Connection from 192.168.0.192 closed unexpectedly
Sat Jan  6 23:30:13 2024 daemon.warn miniupnpd[6990]: HTTP Connection from 192.168.0.192 closed unexpectedly
Sat Jan  6 23:35:16 2024 daemon.notice miniupnpd[6990]: shutting down MiniUPnPd
Sat Jan  6 23:35:16 2024 daemon.notice miniupnpd[7443]: perform_stun: #0 external address or port changed
Sat Jan  6 23:35:16 2024 daemon.notice miniupnpd[7443]: perform_stun: #1 external address or port changed
Sat Jan  6 23:35:16 2024 daemon.notice miniupnpd[7443]: perform_stun: #2 external address or port changed
Sat Jan  6 23:35:16 2024 daemon.notice miniupnpd[7443]: perform_stun: #3 external address or port changed
Sat Jan  6 23:35:16 2024 daemon.warn miniupnpd[7443]: STUN: ext interface pppoe-wan with private IP address 100.71.176.201 is now behind restrictive or symmetric NAT with public IP address 124.228.2.2 which does not support port forwarding
Sat Jan  6 23:35:16 2024 daemon.warn miniupnpd[7443]: NAT on upstream router blocks incoming connections set by miniupnpd
Sat Jan  6 23:35:16 2024 daemon.warn miniupnpd[7443]: Turn off NAT on upstream router or change it to full-cone NAT 1:1 type
Sat Jan  6 23:35:16 2024 daemon.warn miniupnpd[7443]: Port forwarding is now disabled
Sat Jan  6 23:35:16 2024 daemon.notice miniupnpd[7443]: HTTP listening on port 5000
Sat Jan  6 23:35:16 2024 daemon.notice miniupnpd[7443]: HTTP IPv6 address given to control points : [fd9a:3bc:fc3::1]
Sat Jan  6 23:35:16 2024 daemon.notice miniupnpd[7443]: Listening for NAT-PMP/PCP traffic on port 5351

Using miniupnpd nftables 2.3.3-2
Essentially, I have enabled STUN in miniupnp on OpenWrt, but as you can see, STUN is not functioning.

@daiaji do you have the same results with another STUN server?

@pali

Sat Jan  6 23:35:16 2024 daemon.notice miniupnpd[7443]: perform_stun: #0 external address or port changed
Sat Jan  6 23:35:16 2024 daemon.notice miniupnpd[7443]: perform_stun: #1 external address or port changed
Sat Jan  6 23:35:16 2024 daemon.notice miniupnpd[7443]: perform_stun: #2 external address or port changed
Sat Jan  6 23:35:16 2024 daemon.notice miniupnpd[7443]: perform_stun: #3 external address or port changed

That's symmetric NAT, right?

OK, I'll try.
And on openwrt, do you need to open up additional ports for STUN?
This NAT Type test result was obtained on a virtual machine with Manjaro Linux installed using a PPPoE dial-up network.

The answer from @pali:

I have looked at the logs in the issue and upnpd detected symmetric NAT.
It is not full cone NAT for sure, as the author of the issue thinks.

STUN is correctly functioning, it just detected a UPnP-incompatible
network setup. With symmetric NAT, miniupnpd cannot do anything, port
forwarding would never work on such a NAT type.

What is needed for UPnP to work is to run miniupnpd on the box which is
doing symmetric NAT. Or to change the symmetric NAT type to full-cone NAT.

Hope this helps.

@miniupnp
openwrt/packages#21841

I think OpenWrt's firewall blocked the incoming STUN packets, because the same thing happened when I tested the NAT type on Windows: it does not detect the full-cone type unless I disable the firewall or add the detection tool to the firewall allow list.

fw input policy drop

daemon.info miniupnpd[21033]: STUN: Performing with host=stun.qq.com and port=3478 ...
daemon.debug miniupnpd[21033]: resolve_stun_host: stun.qq.com:3478 => 101.43.100.186:3478
daemon.info miniupnpd[21033]: perform_stun: local ports 41836 52113 46924 33768
daemon.debug miniupnpd[21033]: wait_for_stun_responses: waiting 3 secs and 0 usecs
daemon.debug miniupnpd[21033]: wait_for_stun_responses: received responses: 1
daemon.debug miniupnpd[21033]: wait_for_stun_responses: waiting 3 secs and 0 usecs
daemon.debug miniupnpd[21033]: wait_for_stun_responses: select(): no more responses
daemon.debug miniupnpd[21033]: wait_for_stun_responses: waiting 3 secs and 0 usecs
daemon.debug miniupnpd[21033]: wait_for_stun_responses: select(): no more responses
daemon.debug miniupnpd[21033]: wait_for_stun_responses: waiting 3 secs and 0 usecs
daemon.debug miniupnpd[21033]: wait_for_stun_responses: select(): no more responses
daemon.debug miniupnpd[21033]: table_cb(0x7fda169580, 0x7fda16a5e0) fw4 upnp_forward 2
...
daemon.debug miniupnpd[21033]: parse_stun_response: Type 0x0101, Length 36, Magic Cookie 2112a442
daemon.debug miniupnpd[21033]: parse_stun_response: MAPPED-ADDRESS *:41836
daemon.debug miniupnpd[21033]: parse_stun_response: SOURCE-ADDRESS 101.43.100.186:3478
daemon.debug miniupnpd[21033]: parse_stun_response: CHANGED-ADDRESS 124.223.71.113:8000
daemon.notice miniupnpd[21033]: perform_stun: 1 response out of 4 received
daemon.warn miniupnpd[21033]: STUN: ext interface eth1 with private IP address 192.168.1.2 is now behind restrictive or symmetric NAT with public IP address * which does not support port forwarding

fw input policy accept

daemon.info miniupnpd[20519]: STUN: Performing with host=stun.qq.com and port=3478 ...
daemon.debug miniupnpd[20519]: resolve_stun_host: stun.qq.com:3478 => 101.43.100.186:3478
daemon.info miniupnpd[20519]: perform_stun: local ports 38893 41757 44410 45482
daemon.debug miniupnpd[20519]: wait_for_stun_responses: waiting 3 secs and 0 usecs
daemon.debug miniupnpd[20519]: wait_for_stun_responses: received responses: 1
daemon.debug miniupnpd[20519]: wait_for_stun_responses: waiting 3 secs and 0 usecs
daemon.debug miniupnpd[20519]: wait_for_stun_responses: received responses: 2
daemon.debug miniupnpd[20519]: wait_for_stun_responses: waiting 3 secs and 0 usecs
daemon.debug miniupnpd[20519]: wait_for_stun_responses: received responses: 3
daemon.debug miniupnpd[20519]: wait_for_stun_responses: waiting 3 secs and 0 usecs
daemon.debug miniupnpd[20519]: wait_for_stun_responses: received responses: 4
daemon.debug miniupnpd[20519]: table_cb(0x7fc461a0c0, 0x7fc461b120) fw4 upnp_forward 2
...
daemon.debug miniupnpd[20519]: parse_stun_response: Type 0x0101, Length 36, Magic Cookie 2112a442
daemon.debug miniupnpd[20519]: parse_stun_response: MAPPED-ADDRESS *:38893
daemon.debug miniupnpd[20519]: parse_stun_response: SOURCE-ADDRESS 101.43.100.186:3478
daemon.debug miniupnpd[20519]: parse_stun_response: CHANGED-ADDRESS 124.223.71.113:8000
daemon.debug miniupnpd[20519]: parse_stun_response: Type 0x0101, Length 36, Magic Cookie 2112a442
daemon.debug miniupnpd[20519]: parse_stun_response: MAPPED-ADDRESS *:41757
daemon.debug miniupnpd[20519]: parse_stun_response: SOURCE-ADDRESS 101.43.100.186:8000
daemon.debug miniupnpd[20519]: parse_stun_response: CHANGED-ADDRESS 124.223.71.113:8000
daemon.debug miniupnpd[20519]: parse_stun_response: Type 0x0101, Length 36, Magic Cookie 2112a442
daemon.debug miniupnpd[20519]: parse_stun_response: MAPPED-ADDRESS *:44410
daemon.debug miniupnpd[20519]: parse_stun_response: SOURCE-ADDRESS 124.223.71.113:3478
daemon.debug miniupnpd[20519]: parse_stun_response: CHANGED-ADDRESS 124.223.71.113:8000
daemon.debug miniupnpd[20519]: parse_stun_response: Type 0x0101, Length 36, Magic Cookie 2112a442
daemon.debug miniupnpd[20519]: parse_stun_response: MAPPED-ADDRESS *:45482
daemon.debug miniupnpd[20519]: parse_stun_response: SOURCE-ADDRESS 124.223.71.113:8000
daemon.debug miniupnpd[20519]: parse_stun_response: CHANGED-ADDRESS 124.223.71.113:8000
daemon.info miniupnpd[20519]: STUN: ext interface eth1 with IP address 192.168.1.2 is now behind unrestricted full-cone NAT 1:1 with public IP address * and firewall does not block incoming connections set by miniupnpd
daemon.info miniupnpd[20519]: Port forwarding is now enabled

Maybe the firewall rules should be put in the input chain rather than upnp_forward?
miniupnpd 2.3.6 nft
perform_stun -> add_filter_rule2 -> rule_set_filter -> rule_set_filter_common
nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, nft_forward_chain);
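
The difference between the two debug logs above can be checked mechanically. The following is an added example, not part of the thread and not miniupnpd code: it pairs each `perform_stun` local port with the `SOURCE-ADDRESS` of the reply that reached it. The function name `summarize_stun_runs` is hypothetical, the log layout is assumed to match the lines quoted in this issue, and the sample is trimmed from those lines.

```python
import re

# Sample trimmed from the two miniupnpd debug logs quoted in this thread.
SAMPLE_LOG = """\
daemon.debug miniupnpd[21033]: resolve_stun_host: stun.qq.com:3478 => 101.43.100.186:3478
daemon.info miniupnpd[21033]: perform_stun: local ports 41836 52113 46924 33768
daemon.debug miniupnpd[21033]: parse_stun_response: MAPPED-ADDRESS *:41836
daemon.debug miniupnpd[21033]: parse_stun_response: SOURCE-ADDRESS 101.43.100.186:3478
daemon.debug miniupnpd[20519]: resolve_stun_host: stun.qq.com:3478 => 101.43.100.186:3478
daemon.info miniupnpd[20519]: perform_stun: local ports 38893 41757 44410 45482
daemon.debug miniupnpd[20519]: parse_stun_response: MAPPED-ADDRESS *:38893
daemon.debug miniupnpd[20519]: parse_stun_response: SOURCE-ADDRESS 101.43.100.186:3478
daemon.debug miniupnpd[20519]: parse_stun_response: MAPPED-ADDRESS *:41757
daemon.debug miniupnpd[20519]: parse_stun_response: SOURCE-ADDRESS 101.43.100.186:8000
daemon.debug miniupnpd[20519]: parse_stun_response: MAPPED-ADDRESS *:44410
daemon.debug miniupnpd[20519]: parse_stun_response: SOURCE-ADDRESS 124.223.71.113:3478
daemon.debug miniupnpd[20519]: parse_stun_response: MAPPED-ADDRESS *:45482
daemon.debug miniupnpd[20519]: parse_stun_response: SOURCE-ADDRESS 124.223.71.113:8000
"""
LINE = re.compile(r"miniupnpd\[(\d+)\]: (\w+): (.*)")

def summarize_stun_runs(log_text):
    """Return {pid: summary} for every miniupnpd STUN run found in log_text."""
    runs = {}
    for pid, func, msg in LINE.findall(log_text):
        run = runs.setdefault(pid, {"server": None, "ports": [], "replies": {}, "last": None})
        if func == "resolve_stun_host":
            run["server"] = msg.split("=> ")[-1].strip()
        elif func == "perform_stun" and msg.startswith("local ports"):
            run["ports"] = msg.split()[2:]
        elif func == "parse_stun_response" and msg.startswith("MAPPED-ADDRESS"):
            run["last"] = msg.rsplit(":", 1)[-1].strip()  # local port that got a reply
        elif func == "parse_stun_response" and msg.startswith("SOURCE-ADDRESS") and run["last"]:
            run["replies"][run["last"]] = msg.split()[1]  # who the reply came from
    out = {}
    for pid, run in runs.items():
        if not run["ports"]:
            continue  # this PID logged no STUN probe
        missing = [p for p in run["ports"] if p not in run["replies"]]
        sources = set(run["replies"].values())
        verdict = "partial"
        if not sources:
            verdict = "no replies"
        elif not missing:
            verdict = "all probes answered"
        elif sources == {run["server"]}:
            verdict = "only the queried server address answered"
        out[pid] = {"missing": missing, "sources": sorted(sources), "verdict": verdict}
    return out
```

A verdict of "only the queried server address answered" does not by itself say whether the upstream NAT or the router's own input policy dropped the other replies; comparing a run with the input policy set to accept, as done above, separates the two.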

I also suspect it's an issue with some firewall rules, because if I dial directly on Manjaro now, I can use Full Cone normally.

I won't be of any help about this.

Use miniupnpd-iptables and it works for me.

Use miniupnpd-iptables and it works for me.

Essentially, miniupnpd-iptables causes two different errors on fw3 and fw4, and still does not work. I am using the mainline version of OpenWRT.
add_filter_rule() : chain MINIUPNPD not found
add_filter_rule() : chain upnp_forward not found