Solved upnp throwing ConflictInMappingEntry even though port is free, target is local host


mvadu

Regular Contributor
I am trying to get simple port forwarding to a Raspberry Pi. I am not trying to forward to a different host; I am running the UPnP client from the Pi, and I keep getting ConflictInMappingEntry, which per old threads comes only if the port is already taken or if the target is different from the IP where the command is issued. Neither is the case here. But the Pi is indeed hooked to an AiMesh node (AC86U master, AC3100 node, running firmware version 386.2_4).

Code:
upnpc -a 192.168.1.15 6000 6000 TCP
upnpc : miniupnpc library test client, version 2.1.
(c) 2005-2018 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
desc: http://192.168.1.1:51660/rootDesc.xml
st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.1.1:51660/ctl/IPConn
Local LAN ip address : 192.168.1.15
ExternalIPAddress = 14.12.25.141
AddPortMapping(6000, 6000, 192.168.1.15) failed with code 718 (ConflictInMappingEntry)

[attached screenshot: 1623381710558.png]


Target port is within the range.

[attached screenshot: 1623381758277.png]
 
Does your main router support the Full Cone NAT option? Try setting Symmetric to Full Cone under WAN if it's available.
 
Does your main router support the Full Cone NAT option? Try setting Symmetric to Full Cone under WAN if it's available.
I am not an expert, but I have a bunch of servers that are purely internal. I only want to expose this one Raspberry Pi, and only on an on-demand basis. Enabling Full Cone will make all my servers available externally, which is much larger exposure than I am ready for. In the past I have used this upnpc approach to map local port forwarding rules via UPnP, and either cleaned up after I am done or allowed it to expire (when the router will clean it up for me).
 
Wonder if it's an endpoint comparison bug... does it work if you use port 5999?
 
Try connecting the Pi directly to the master rather than the node to see if that's the cause.

Otherwise check the contents of /etc/upnp/config
 
No luck there either. I went a little bit too deep into this rabbit hole: I ran the daemon in debug mode (-dd is the key).

Code:
#stop the running daemon, then start it in the foreground with debug logging (-dd)
killall miniupnpd; miniupnpd -f /etc/upnp/config -dd

#on the client side execute the step to add redirect

upnpc -u  http://192.168.1.1:44228/rootDesc.xml -e "SSH mapping for RaspberryPi" -a  192.168.1.15 443 443 TCP

upnpc : miniupnpc library test client, version 2.1.
 (c) 2005-2018 Thomas Bernard.
Go to http://miniupnp.free.fr/ or https://miniupnp.tuxfamily.org/
for more information.
Found valid IGD : http://192.168.1.1:44228/ctl/IPConn
Local LAN ip address : 192.168.1.15
ExternalIPAddress = x.x.x.x
AddPortMapping(22, 22, 192.168.1.15) failed with code 718 (ConflictInMappingEntry)

#on the server side the above flow produced
miniupnpd[23354]: HTTP REQUEST from 192.168.1.15:41846 : GET /rootDesc.xml (HTTP/1.1)
miniupnpd[23354]: Host: 192.168.1.1:444438
miniupnpd[23354]: HTTP REQUEST from 192.168.1.15:41848 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[23354]: Host: 192.168.1.1:444438
miniupnpd[23354]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#GetExternalIPAddress
miniupnpd[23354]: HTTP REQUEST from 192.168.1.15:41850 : POST /ctl/IPConn (HTTP/1.1)
miniupnpd[23354]: Host: 192.168.1.1:444438
miniupnpd[23354]: SOAPAction: urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping
miniupnpd[23354]: AddPortMapping: ext port 443 to 192.168.1.15:443 protocol TCP for: SSH mapping for RaspberryP leaseduration=0 rhost=
miniupnpd[23354]: UPnP permission rule 0 matched : port mapping rejected
miniupnpd[23354]: redirection permission check failed for 443->192.168.1.15:443 TCP
miniupnpd[23354]: Returning UPnPError 718: ConflictInMappingEntry

I traced this back through the call chain

AddPortMapping -> upnp_redirect -> check_upnp_rule_against_permissions -> match_permission

Code:
#include <sys/types.h>
#include <netinet/in.h>
#include "upnppermissions.h"   /* struct upnpperm: eport_min/max, iport_min/max, address, mask */

/* Returns 1 when the requested mapping falls inside this permission rule:
 * external port in range, internal port in range, and the client address
 * inside the rule's address/mask network. */
int
match_permission(const struct upnpperm * perm,
                 u_short eport, struct in_addr address, u_short iport)
{
    if( (eport < perm->eport_min) || (perm->eport_max < eport))
        return 0;
    if( (iport < perm->iport_min) || (perm->iport_max < iport))
        return 0;
    /* compare only the network part: (client & mask) == (rule address & mask) */
    if( (address.s_addr & perm->mask.s_addr)
       != (perm->address.s_addr & perm->mask.s_addr) )
        return 0;
    return 1;
}

Now I am not sure how the IP mask is getting calculated, which seems to be the source of the problem in my case.


In the meantime, can any members here please try my script on any Linux repos and report back whether this works on the latest firmware, or whether it's just my problem?
 
Post the contents of /etc/upnp/config

Test again using something other than 443 as that is used by the router for webdav.

Code:
#on the client side execute the step to add redirect

upnpc -u  http://192.168.23.1:44228/rootDesc.xml -e "SSH mapping for RaspberryPi" -a  192.168.1.15 443 443 TCP
Is this a typo or are you altering the output? http://192.168.23.1:44228?
 
Here is the config. My network is on the 192.168.23 segment, and I obviously let that cat out of the bag by forgetting to update that command before I pasted it here.

Code:
ext_ifname=ppp0
listening_ip=br0
port=0
enable_upnp=yes
enable_natpmp=yes
secure_mode=yes
upnp_nat_postrouting_chain=PUPNP
upnp_forward_chain=FUPNP
upnp_nat_chain=VUPNP
notify_interval=60
system_uptime=yes
friendly_name=RT-AC86U
model_name=RT-AC86U
model_description=ASUS Wireless Router
model_number=386.2
serial=0c:99:99:99:c6:b0
uuid=3ddcd1d3-2380-45f5-b069-0c9d922dc6b0
lease_file=/tmp/upnp.leases
clean_ruleset_interval=600
clean_ruleset_threshold=20
presentation_url=http://192.168.1.1:80/
allow 22-6000 /255.255.255.255 22-6000
min_lifetime=120
max_lifetime=86400

deny 0-65535 0.0.0.0/0 0-65535
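The permission list that match_permission() walks can be modelled in a few lines of POSIX shell. The following is an added example written for this thread, not miniupnpd's code: it mirrors the three checks of match_permission() (external port range, internal port range, client address masked against the rule's address) and evaluates the rules first-match-wins the way check_upnp_rule_against_permissions() does, with "deny" as the result when nothing matches. One assumption is this model's own rather than anything miniupnpd documents: a rule whose address field is empty or malformed, like the `allow 22-6000 /255.255.255.255 22-6000` line in the config above, is treated as a rule that can never match, so the request falls through to the trailing deny rule and is rejected, while the same request with a proper host or subnet address in the allow line is accepted.

```shell
#!/bin/sh
# Constructed model of miniupnpd's permission list (not miniupnpd's code).
# Rule syntax follows /etc/upnp/config:
#   allow|deny <ext_min>-<ext_max> <address>/<mask> <int_min>-<int_max>
# The mask may be dotted (255.255.255.0) or a prefix length (/0, /24).

# Convert a dotted quad to an unsigned 32-bit integer.
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Mask field to integer: dotted quad, or prefix length; empty is an error.
mask2int() {
    case "$1" in
        *.*) ip2int "$1" ;;
        '')  return 1 ;;
        *)   if [ "$1" -eq 0 ]; then echo 0
             else echo $(( (4294967295 << (32 - $1)) & 4294967295 )); fi ;;
    esac
}

# Mirror of match_permission(): external port in range, internal port in
# range, and (client & mask) == (rule address & mask).
# Arguments: <rule line> <ext port> <client ip> <int port>
rule_matches() {
    set -- $1 "$2" "$3" "$4"   # $1..$4 rule fields, $5 eport, $6 client ip, $7 iport
    emin=${2%-*}; emax=${2#*-}
    addr=${3%/*}; mask=${3#*/}
    imin=${4%-*}; imax=${4#*-}
    # Model's assumption: an empty or malformed address field never matches
    # (the "allow 22-6000 /255.255.255.255 22-6000" line from the thread).
    case "$addr" in *.*.*.*) ;; *) return 1 ;; esac
    m=$(mask2int "$mask") || return 1
    [ "$5" -ge "$emin" ] && [ "$5" -le "$emax" ] || return 1
    [ "$7" -ge "$imin" ] && [ "$7" -le "$imax" ] || return 1
    [ $(( $(ip2int "$6") & m )) -eq $(( $(ip2int "$addr") & m )) ]
}

# Walk the rules top to bottom; print the verdict of the first match,
# or "deny" when no rule matches at all.
# Arguments: <rules, newline separated> <ext port> <client ip> <int port>
permission_check() {
    result=$(printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        if rule_matches "$line" "$2" "$3" "$4"; then
            echo "${line%% *}"; break
        fi
    done)
    echo "${result:-deny}"
}

# Constructed rule sets: the broken config from the thread, a host-only
# allow line, and the stock whole-subnet allow line.
RULES_BROKEN='allow 22-6000 /255.255.255.255 22-6000
deny 0-65535 0.0.0.0/0 0-65535'
RULES_HOST='allow 22-6000 192.168.23.15/255.255.255.255 22-6000
deny 0-65535 0.0.0.0/0 0-65535'
RULES_SUBNET='allow 22-6000 192.168.23.1/255.255.255.0 22-6000
deny 0-65535 0.0.0.0/0 0-65535'

main() {
    for ip in 192.168.23.15 192.168.23.16; do
        printf 'broken: %s:443 -> %s\n' "$ip" "$(permission_check "$RULES_BROKEN" 443 "$ip" 443)"
        printf 'host:   %s:443 -> %s\n' "$ip" "$(permission_check "$RULES_HOST"   443 "$ip" 443)"
        printf 'subnet: %s:443 -> %s\n' "$ip" "$(permission_check "$RULES_SUBNET" 443 "$ip" 443)"
    done
    printf 'subnet: %s:7000 -> %s (port outside 22-6000)\n' 192.168.23.15 \
        "$(permission_check "$RULES_SUBNET" 7000 192.168.23.15 7000)"
}

main
```

Running it prints "deny" for both hosts under the broken rule set, "allow" only for .15 under the host rule, and "allow" for both under the subnet rule, with the out-of-range port denied in every case. The useful defender-side point is that the deny line at the bottom is what makes a damaged allow line fail closed rather than open.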
 
Here is the config. My network is on the 192.168.23 segment, and I obviously let that cat out of the bag by forgetting to update that command before I pasted it here.
Your LAN subnet doesn’t need to be a secret. Trying to hide it in your posts probably hinders a solution. Your config above is missing a LAN IP in the allow line, and showing a bad netmask. Is it really the config or are you editing it before posting?
allow 22-6000 /255.255.255.255 22-6000
 
Sorry about that. Coming from an IT service background, we always try to mask internal IPs and MAC addresses in public forums. Checking the config now.
 
If for any reason your router’s LAN subnet mask is accidentally set as 255.255.255.255 (/32) that could certainly cause the failure in match_permission().
 
@dave14305 you brought up a good point. I totally forgot that I have an upnp.postconf script which was supposed to block all hosts except this one Raspberry Pi. For some reason on the router it's not finding the local clients, and my script basically screwed up the config.

Code:
cat /jffs/scripts/upnp.postconf
#!/bin/sh
# log what we are doing to the kernel ring buffer
echo "updating upnp rules; updating $1" | tee /dev/kmsg

CONFIG=$1
source /usr/sbin/helper.sh   # provides pc_replace

rasp="raspberrypi.local"

# pull the IPv4 answer for the Pi out of nslookup's output
resolvedip=$(nslookup $rasp | grep $rasp -A1 | awk '/^Address / {print $3}')

echo allowing only for "$rasp" currently on "$resolvedip" | tee /dev/kmsg

# narrow the allow line from the whole LAN to the Pi alone;
# when $resolvedip is empty this writes "/255.255.255.255", the broken line seen above
pc_replace "192.168.23.1/255.255.255.0" "$resolvedip/255.255.255.255" $CONFIG


----------------------
# nslookup raspberrypi
Server:    207.164.234.193
Address 1: 207.164.234.193 toroon63dnsvp1.srvr.bell.ca

nslookup: can't resolve 'raspberrypi'

I disabled the replace line and restarted the UPnP process. Now I am able to get my script working as before. Sorry for all the confusion, and thanks for the guidance.
 
Try forcing your nslookup to use the local dnsmasq.
Code:
nslookup $rasp 127.0.0.1
 
miniupnpd in secure mode will not allow you to map to a different LAN host from the requester - this is forbidden...

In your config -- secure_mode=yes

Fail Example...

Code:
sfx@nano2:~$ upnpc -a 192.168.1.15 6000 6000 TCP
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.10.1:5000/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.10.1:5000/ctl/IPConn
Local LAN ip address : 192.168.10.120
ExternalIPAddress = 192.168.15.49
AddPortMapping(6000, 6000, 192.168.1.15) failed with code 718 (ConflictInMappingEntry)
GetSpecificPortMappingEntry() failed with code 714 (NoSuchEntryInArray)

Good Example - note that the mapping is 1:1 to map the host/port and this works...

Code:
sfx@nano2:~$ upnpc -a 192.168.10.120 6000 6000 TCP
upnpc : miniupnpc library test client. (c) 2005-2014 Thomas Bernard
Go to http://miniupnp.free.fr/ or http://miniupnp.tuxfamily.org/
for more information.
List of UPNP devices found on the network :
 desc: http://192.168.10.1:5000/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.10.1:5000/ctl/IPConn
Local LAN ip address : 192.168.10.120
ExternalIPAddress = 192.168.15.49
InternalIP:Port = 192.168.10.120:6000
external 192.168.15.49:6000 TCP is redirected to internal 192.168.10.120:6000 (duration=604800)
 
I did add that check when I found out the upnp.postconf was the creator of this problem, but without local dnsmasq it was always skipping.
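Putting the two suggestions together (look the name up against the router's own dnsmasq on 127.0.0.1, and skip the rewrite when nothing resolves), here is a fail-safe version of the postconf flow. It is an added example, not mvadu's script or part of Asuswrt-Merlin: the host name and the 192.168.23.1/255.255.255.0 string come from the script posted above, pc_replace is taken from /usr/sbin/helper.sh when that file exists and otherwise replaced by a sed stand-in that assumes the same old/new/file argument order, and the parser accepts both BusyBox nslookup layouts ("Address 1: ip name" and "Address: ip"), reading only the answers that follow the "Name:" line so the resolver's own address is never mistaken for the host's.

```shell
#!/bin/sh
# Fail-safe rewrite of the upnp.postconf flow from this thread (example code,
# not mvadu's script and not Asuswrt-Merlin's). Goal: narrow the UPnP "allow"
# line to one host only when that host actually resolves; otherwise leave the
# config untouched so miniupnpd keeps a well-formed, restrictive rule set.

HOST="raspberrypi.local"        # host allowed to create mappings (from the thread)
LAN_NET="192.168.23.1"          # address/mask in the stock allow line (from the thread's script)
LAN_MASK="255.255.255.0"

# Print the first IPv4 answer that follows the "Name:" line of BusyBox
# nslookup output. Handles "Address 1: <ip> <name>" and "Address: <ip>".
# Lines before "Name:" describe the resolver itself and are skipped.
parse_nslookup_ip() {
    awk '
        /^Name:/ { found = 1; next }
        found && /^Address/ {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) { print $i; exit }
        }'
}

# Strict dotted-quad check: four decimal octets, each 0-255. An empty or
# malformed value is exactly what produced "/255.255.255.255" in the thread.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*) return 1 ;;
    esac
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        [ -n "$o" ] && [ "$o" -le 255 ] 2>/dev/null || return 1
    done
}

# What the allow line's address field should become: "<ip>/255.255.255.255"
# for a valid host address, nothing (meaning "leave the config alone") otherwise.
allow_address_for() {
    if is_ipv4 "$1"; then
        printf '%s/255.255.255.255\n' "$1"
    fi
}

main() {
    CONFIG=$1
    if [ -r /usr/sbin/helper.sh ]; then
        . /usr/sbin/helper.sh          # Asuswrt-Merlin's pc_replace lives here
    else
        # Assumption: stand-in with pc_replace's old/new/file argument order
        pc_replace() { sed -i "s|$1|$2|g" "$3"; }
    fi

    # Ask the router's own dnsmasq (127.0.0.1), as suggested above, rather
    # than the WAN resolver, which cannot know LAN host names.
    resolved=$(nslookup "$HOST" 127.0.0.1 2>/dev/null | parse_nslookup_ip)
    new_addr=$(allow_address_for "$resolved")

    if [ -z "$new_addr" ]; then
        echo "upnp.postconf: $HOST did not resolve via dnsmasq; leaving $LAN_NET/$LAN_MASK allow rule as is" | tee /dev/kmsg
        return 0
    fi
    echo "upnp.postconf: restricting UPnP mappings to $HOST ($resolved)" | tee /dev/kmsg
    pc_replace "$LAN_NET/$LAN_MASK" "$new_addr" "$CONFIG"
}

# Merlin's postconf hook passes the config path as $1. With no argument
# only the functions above are defined, so the file can be sourced for testing.
if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it as the hook does, with the config path as the first argument. When the lookup fails, the stock subnet rule stays in place instead of an allow line with no address, so miniupnpd still loads a sane rule set and the Pi simply keeps the subnet-wide permission until the name resolves on the next restart.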
 
Try not to play games with miniupnpd - trying to 'trick' it will lead to security issues.

@mvadu - run the request from the pi itself, it'll be fine.
 
@sfx2000 I am running miniupnpc on the Raspberry Pi itself, but as you can see in the comments above, I had a postconf script on the router (which runs on router startup) that was screwing up the config, causing it to miss the allowed subnet. Probably I should open an issue on GitHub for miniupnpd. If it had failed to start with this f'ed up config it would have saved some time.
 