UPnP issues: port forwarding page not updating properly, and the UPnP config file retains old "deny" entries after removing static port mappings

theirongiant

Regular Contributor
I seem to be having some issue with UPnP for a couple of builds now.

I have an AX88U running firmware 388.1, production build. The page "Advanced_VirtualServer_Content.asp" shows several applications with static port definitions that I set.

One application on my Mac has an option to automatically map ports / NAT Traversal using NAT-PMP or UPnP. When I first used this app I did not enable this option, but manually forwarded the ports via the router. For a long time I set it to port 43451, then changed it to 43450 in the port forwarding page. Then I decided later to use the UPnP feature after all. So I deleted 43450 from the router's Port Forwarding page, but now the application cannot map it. I should note that deleting a port from this page does not trigger a reboot or update; in fact, there is no 'Save' or 'Update' button, as is normally the case on other pages.

I dug a little deeper into the router and found that the file /tmp/etc/upnp/config is not reflecting my changes from the port forwarding screen.

Code:
admin@RT-AX88U-27B8:/tmp/home/root# cat /tmp/etc/upnp/config
ext_ifname=eth0
listening_ip=br0
port=0
enable_upnp=yes
enable_natpmp=yes
secure_mode=no
upnp_nat_postrouting_chain=PUPNP
upnp_forward_chain=FUPNP
upnp_nat_chain=VUPNP
notify_interval=60
system_uptime=yes
friendly_name=RT-AX88U-27B8
model_name=RT-AX88U
model_description=ASUS Wireless Router
model_number=388.1
serial=0c:9d:92:XX:XX:XX
uuid=XXXXXXXX-2380-45f5-b069-0c9d92XXXXXX
lease_file=/tmp/upnp.leases
clean_ruleset_interval=600
clean_ruleset_threshold=20
presentation_url=http://192.168.11.1:80/
deny 19424 0.0.0.0/0 0-65535
deny 8443 0.0.0.0/0 0-65535
deny 43450 0.0.0.0/0 0-65535         // this seems to be the problematic line
deny 40960 0.0.0.0/0 0-65535
deny 19267 0.0.0.0/0 0-65535
deny 10443 0.0.0.0/0 0-65535
allow 1024-65535 192.168.11.1/255.255.255.0 1024-65535
min_lifetime=120
max_lifetime=86400

The file /tmp/upnp.leases does update when I change the setting in the application. Configuring port 43449, for instance, causes the upnp.leases file to remove a line, then add a new one:

Code:
admin@RT-AX88U-27B8:/tmp# cat /tmp/upnp.leases
TCP:45633:192.168.11.99:45633:99000000:NAT-PMP 45633 tcp
TCP:19124:192.168.11.5:32400:604800:Plex Media Server
TCP:43449:192.168.11.99:43449:3600:NAT-PMP 43449 tcp

The lease time is 3600 (1 hour). Is this a firmware default, or did the application only request a 1 hour lease time? Plex, for instance, requests a lease time of one week (604800 seconds). Port 45633 is another application with UPnP enabled, which has requested 1,145 days, or a little over 3 years. This seems excessive, but is apparently permissible?

Am I looking at a bug with the Port Forwarding page vs. the UPNP config file?

Is this a problem with Asus' stock firmware, or with a change made to the Asuswrt-Merlin code? (if this behavior is seen on Merlin, I'll post it there instead).
 
Yes, it does appear to be an oversight (@RMerlin ?). Changes to the port forwarding list affect the iptables rules but don't restart miniupnpd (service restart_upnp). Presumably restarting your router would have also fixed the problem.
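Added example (not part of the original posts and not Asuswrt-Merlin code): a small Python check that evaluates the allow/deny lines from the config listing above against a requested mapping and lists deny entries that no longer correspond to a static forward. It assumes upstream miniupnpd rule semantics (first matching rule decides, no match means accept); the function names and the set of remaining static forwards are constructed for illustration.

```python
import ipaddress

# Permission lines from the /tmp/etc/upnp/config listing (poster's annotation removed).
CONFIG = """\
deny 19424 0.0.0.0/0 0-65535
deny 8443 0.0.0.0/0 0-65535
deny 43450 0.0.0.0/0 0-65535
deny 40960 0.0.0.0/0 0-65535
deny 19267 0.0.0.0/0 0-65535
deny 10443 0.0.0.0/0 0-65535
allow 1024-65535 192.168.11.1/255.255.255.0 1024-65535
"""

def port_range(text):
    """'43450' -> (43450, 43450); '1024-65535' -> (1024, 65535)."""
    lo, _, hi = text.partition("-")
    return int(lo), int(hi or lo)

def parse_rules(config_text):
    """Return the allow/deny lines in file order; other settings are skipped."""
    rules = []
    for line in config_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] in ("allow", "deny"):
            net = ipaddress.ip_network(fields[2], strict=False)
            rules.append((fields[0], port_range(fields[1]), net, port_range(fields[3]), line.strip()))
    return rules

def check_mapping(rules, ext_port, int_ip, int_port):
    """First matching rule decides; a request that matches no rule is accepted."""
    addr = ipaddress.ip_address(int_ip)
    for action, ext, net, internal, line in rules:
        if ext[0] <= ext_port <= ext[1] and addr in net and internal[0] <= int_port <= internal[1]:
            return action == "allow", line
    return True, None

def stale_denies(rules, static_ports):
    """Single-port deny rules whose port is no longer a static forward."""
    return [ext[0] for action, ext, _net, _int, _line in rules
            if action == "deny" and ext[0] == ext[1] and ext[0] not in static_ports]

if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    print(check_mapping(rules, 43450, "192.168.11.99", 43450))
    print(check_mapping(rules, 43449, "192.168.11.99", 43449))
    # Constructed input: the static forwards assumed to remain after 43450 was deleted.
    print(stale_denies(rules, {19424, 8443, 40960, 19267, 10443}))
```

Because the deny lines precede the allow line, a leftover deny for a deleted forward blocks the UPnP/NAT-PMP request for that port until the config is regenerated and miniupnpd is restarted.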
 
