UPnP port forwarding not working with Merlin

[RMerlin]

Yeah - there's been a few comments against the move there, and it's been there for a while now...

I'm not sure this is a battle worth fighting as there is always the overriding concern of upnp/nat-pmp opening ports on a dynamic basis...

There is always the option to static port forward - this still works...

I used to override that change, however it was always a pain whenever I wanted to update miniupnpd as I needed to adjust my patch, so I eventually gave up and dropped it.

 

[drinkingbird]

Why doesn't upnp port forwarding take effect when I use the merlin version? There is no problem if I use the official version.
This problem has appeared very early, and even after updating to multiple versions, this error cannot be solved.

Long story short, if your ISP router allows you to put a device in DMZ, and choose a LAN subnet:

-Make ISP router LAN 240.0.0.1 mask 255.255.255.0
-Make Asus wan 240.0.0.2 (either through setting a static on the Asus or a DHCP reservation on the ISP router if it supports it)
-If doing static on the Asus WAN, gateway will be 240.0.0.1 and DNS will be whatever you have in there before changing to static.
-Put 240.0.0.2 as DMZ on ISP router.

uPNP should now work

 

[Yota]

I talked about this 1 year ago and found the solution, read here:

Solved - UPnP doesn't work on CGNAT/Double NAT

On one of my networks running RT-AC86U it has CGNAT. But my ISP allows hole punching in firewalls using protocols like UPnP and PCP. When I enable UPnP and try hole punching with PlayStation or qBittorrent, I get this error in the log: miniupnpd: private/reserved address 100.x.x.x is not...

www.snbforums.com

 

[ColinTaylor]

I used to override that change, however it was always a pain whenever I wanted to update miniupnpd as I needed to adjust my patch, so I eventually gave up and dropped it.

Isn't it still fixed in the config file rather than hacking miniupnpd?

https://github.com/RMerl/asuswrt-merlin.ng/blob/312ed2c0d8642abef3fd8621d94095f2cba7702a/release/src/router/rc/services.c#L7025

 

[RMerlin]

Isn't it still fixed in the config file rather than hacking miniupnpd?

https://github.com/RMerl/asuswrt-merlin.ng/blob/312ed2c0d8642abef3fd8621d94095f2cba7702a/release/src/router/rc/services.c#L7025

I haven't looked at that in a long time, so I no longer remember the details, just that I used to have to disable miniupnpd code that would refuse to run if the WAN IP wasn't public.

 

[Tech9]

I don't know how more secure the newer versions are, but this is an example of lost functionality and limitation to people with no bridge mode option. It was working before, now it doesn't. Constant updating of components turns Asuswrt-Merlin users in perpetual beta testers of whatever new shows up. I remember Dnsmasq 2.86 and 2.89 issues. One had to be reverted to previous version, the other needed a fix upstream. Newer is not necessarily better.

 

[bluepoint]

I don't know how more secure the newer versions are, but this is an example of lost functionality and limitation to people with no bridge mode option. It was working before, now it doesn't. Constant updating of components turns Asuswrt-Merlin users in perpetual beta testers of whatever new shows up. I remember Dnsmasq 2.86 and 2.89 issues. One had to be reverted to previous version, the other needed a fix upstream. Newer is not necessarily better.

I don't agree with you, RMerlin is not that careless updating components. His constant updates has good purposes specially when security is involve, if you do not agree with the way he shares his free fork feel free to not use it and stop criticizing his works. Why do I feel you are just around to annoy him.

 

[sfx2000]

I haven't looked at that in a long time, so I no longer remember the details, just that I used to have to disable miniupnpd code that would refuse to run if the WAN IP wasn't public.

Again - bears repeating that I agree here - if the WAN interface isn't a public IP, then upnpd can't really do it's function, which is to open ports based on a LAN client request.

The LAN client has no indication of what the WAN interface is - e.g. is it public, or is it behind a NAT, CGNAT, or other mechanism such as 464XLAT (which provides a private IPv4 address, and no IPv6 PD).

 

[Tech9]

I don't agree with you

You don't have to agree with me. Share your opinion and skip personal comments.

The fact is a gamer with common network configuration purchased a gaming router and can't use it for games with port forwarding needs. This same configuration used to work before and still works with stock firmware. Even though @sfx2000 is technically correct, this change causes issues.

 

[sfx2000]

This same configuration used to work before and still works with stock firmware. Even though @sfx2000 is technically correct, this change causes issues.

Ok - then run stock firmware...

Problem solved

 

[Tech9]

Problem solved.

I guess, you have to stick to Asuswrt if you need UPnP working in double NAT environment.

 

[drinkingbird]

Ok - then run stock firmware...

Problem solved

If you want to run Merlin and not have to deal with scripts or config files, my workaround posted should work fine. One person even had it working with CGNAT, but the Class E space should work if that doesn't.

 

[bluepoint]

You don't have to agree with me. Share your opinion and skip personal comments.

I just have to say something cause I feel your criticism of RMerlin's work is unfair. Constructive criticism is welcome and I think is the mature way of communicating. One only thing I can say, respect other people's work specially when it's free.

 

[RMerlin]

Constant updating of components turns Asuswrt-Merlin

I don't do "constant updating of components". I update curl about once every 6 months on average, for example. I update things like lzo, wget or nettle once in a blue moon. Components like miniupnpd, openvpn and openssl are the exceptions, not the norm. These are kept up to date as they are critical component when it comes to security. Running old versions of these critical component is not a realistic option.

 

[Tech9]

respect other people's work specially when it's free

I did quite long free testing, perhaps the most everyone around did. My work wasn't always respected, but at the end produced positive results for the users of firmware I don't use myself. In this specific case the fact the manufacturer did't update a component tells me they have good reasons to hold.

 

[littlepopkaka]

天朝的电信全是nat1 开upnp还是有用。。所以说我用ax86u不带pro可以开nat1模式， 直接把upnp关了。lz解决了吗

 

[Tech9]

请只提供英语。如果需要，请使用谷歌翻译。

(English only, please. Use Google translator, if needed.)