BinaryTB
just joined
Topic Author
Posts: 4
Joined: Tue Mar 19, 2024 2:11 am

UPnP won't work after literal hours of trying - help pls!

Tue Mar 19, 2024 7:05 am

I'm trying to get UPnP working on my RB5009 (just got it last weekend). Been testing it with upnpc on my desktop and UPnP Explorer (by Samuel Huff) on my Android phone. The firewall filters do nothing, won't block or otherwise; the packet counters always remain at 0, almost like the RB5009 doesn't have UPnP working. Nothing changes even when I disable those two filters.
  • I'm not on CGNAT
  • MyWANIP list points to the Mikrotik domain in ip/cloud
  • UPnPdevices list is 192.168.1.70-192.168.1.79 (which is a list of static DHCP IP addresses that point to consoles)
Here is the relevant info (do I need more?):
[admin@MikroTik] /ip/upnp> print
                           enabled: yes
  allow-disable-external-interface: no
                   show-dummy-rule: yes

[admin@MikroTik] /ip/upnp/interfaces> print
Columns: INTERFACE, TYPE
# INTERFACE  TYPE    
0 ether1     external
1 bridge     internal

[admin@MikroTik] /ip/firewall> filter print
Flags: X - disabled, I - invalid; D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked 

 2    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 3    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 4    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

 5    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN log=no log-prefix="" 

 6    ;;; UPnP Devices (1900)
      chain=input action=drop protocol=udp src-address-list=!UPnPdevices dst-port=1900 log=no log-prefix="" 

 7    ;;; UPnP Devices (2828)
      chain=input action=drop protocol=tcp src-address-list=!UPnPdevices dst-port=2828 log=no log-prefix="" 

 8    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 9    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

10    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no log-prefix="" 

11    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

12    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

13    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix="" 

[admin@MikroTik] /ip/firewall> nat print
Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none 

 1    ;;; Hairpin NAT
      chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24 out-interface-list=LAN log=no log-prefix="" 

 2    ;;; Caddy
      chain=dstnat action=dst-nat to-addresses=192.168.1.50 to-ports=50443 protocol=tcp dst-address-list=MyWANIP dst-port=443 log=no log-prefix="" 

 3    ;;; Plex
      chain=dstnat action=dst-nat to-addresses=192.168.1.50 to-ports=32400 protocol=tcp in-interface-list=WAN dst-port=42300 log=no log-prefix="" 

 4    ;;; Wireguard UDP
      chain=dstnat action=dst-nat to-addresses=192.168.1.50 to-ports=51820 protocol=udp dst-address-list=MyWANIP dst-port=443 log=no log-prefix="" 

 5    ;;; Mumble TCP
      chain=dstnat action=dst-nat to-addresses=192.168.1.50 protocol=tcp dst-address-list=MyWANIP dst-port=64738 log=no log-prefix="" 

 6    ;;; Mumble UDP
      chain=dstnat action=dst-nat to-addresses=192.168.1.50 protocol=udp dst-address-list=MyWANIP dst-port=64738 log=no log-prefix="" 

 7    ;;; Syncthing TCP
      chain=dstnat action=dst-nat to-addresses=192.168.1.51 protocol=tcp dst-address-list=MyWANIP dst-port=22000 log=no log-prefix="" 

 8    ;;; Syncthing UDP
      chain=dstnat action=dst-nat to-addresses=192.168.1.51 protocol=udp dst-address-list=MyWANIP dst-port=22000 log=no log-prefix="" 

 9    ;;; SFTP
      chain=dstnat action=dst-nat to-addresses=192.168.1.51 protocol=tcp dst-address-list=MyWANIP dst-port=60222 log=no log-prefix="" 
 
rplant
Member
Posts: 314
Joined: Fri Sep 29, 2017 11:42 am

Re: UPnP won't work after literal hours of trying - help pls!

Tue Mar 19, 2024 10:00 am

Make the input action for 1900 and 2828 accept and log (for all devices) initially.
Mostly just to see if they count, and what is attempting to send UPNP packets.

Then Reboot the router.
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: UPnP won't work after literal hours of trying - help pls!

Tue Mar 19, 2024 2:36 pm

I don't see any input chain rules for UPNP on the mikrotik example??

Are there still programs in 2024 requiring UPNP???

Port forwarding fw rule needs work..
 
BinaryTB
just joined
Topic Author
Posts: 4
Joined: Tue Mar 19, 2024 2:11 am

Re: UPnP won't work after literal hours of trying - help pls!

Tue Mar 19, 2024 6:23 pm

Then Reboot the router.
Literally all I did and voila, it all worked, no changes needed. Is that normal for RouterOS/RB5009? I've only had it a week.
 
BinaryTB
just joined
Topic Author
Posts: 4
Joined: Tue Mar 19, 2024 2:11 am

Re: UPnP won't work after literal hours of trying - help pls!

Tue Mar 19, 2024 6:26 pm

I don't see any input chain rules for UPNP on the mikrotik example??
Works without them, I just have drop actions for non-approved IP addresses.
Are there still programs in 2024 requiring UPNP???
Gaming consoles, especially if I use them wired and wireless (e.g., Switch). Or when friends come over with their own.
Port forwarding fw rule needs work..
Can you explain how so? Still figuring things out.
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: UPnP won't work after literal hours of trying - help pls!

Tue Mar 19, 2024 6:57 pm

In terms of firewall rules, I subscribe to only allowing traffic and then dropping all else.
I also don't think it's prudent that all users have access to config the router when they only need access for DNS services.
Looking at the rules, I have no clue why in heck you are port forwarding wireguard ?????
If you have a public IP, or an upstream router that you can port forward a port on, you can set up wireguard directly......

It would seem your ISP does not allow any other port than 443 ???
What the heck is going on at 192.168.1.50?

# from statically set dhcp leases
/ip firewall address-list
add address=192.168.1.X list=Authorized comment="admin desktop"
add address=192.168.1.Y list=Authorized comment="admin laptop"
add address=192.168.1.Z list=Authorized comment="admin smartphone/ipad"
add address=roadwarrior-wireguard-IP list=Authorized comment="remote admin access"
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked comment="accept established,related,untracked"
add action=drop chain=input connection-state=invalid comment="drop connection-state=invalid"
add action=accept chain=input protocol=icmp comment="check ICMP"
# Authorized is an address list, so it is matched with src-address-list
add action=accept chain=input src-address-list=Authorized comment="Allow admin"
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp comment="accept DNS"
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp comment="accept DNS"
# put this rule in last or you will lock yourself out
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid comment="drop connection-state=invalid"
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN comment="internet traffic"
add action=accept chain=forward connection-nat-state=dstnat comment="port forwarding"
add action=drop chain=forward comment="Drop all else"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none
# no need for LAN identification
add chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.0/24
Last edited by anav on Tue Mar 19, 2024 7:04 pm, edited 2 times in total.
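As an added example (not code from this thread or from MikroTik), the following Python script models RouterOS first-match evaluation of an input chain and runs constructed packets through both the rule set BinaryTB printed and the allow-list template above. The address-list contents, the Authorized admin host (192.168.1.10), the interface names and the packets themselves are assumptions; the "Allow admin" rule is read as src-address-list=Authorized because Authorized is defined as an address list.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the router's lists. UPnPdevices mirrors the
# 192.168.1.70-79 range from the first post; Authorized is an assumed admin host.
ADDRESS_LISTS = {
    "UPnPdevices": [("192.168.1.70", "192.168.1.79")],
    "Authorized": [("192.168.1.10", "192.168.1.10")],
}
INTERFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}


@dataclass
class Packet:
    in_iface: str
    proto: str                 # "udp", "tcp" or "icmp"
    src: str
    dst: str
    dst_port: Optional[int] = None
    conn_state: str = "new"    # new, established, related, untracked, invalid


@dataclass
class Rule:
    comment: str
    action: str                              # "accept" or "drop"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    conn_states: Optional[frozenset] = None
    in_iface_list: Optional[str] = None      # e.g. "LAN" or "!LAN"
    src_address_list: Optional[str] = None   # e.g. "!UPnPdevices"
    dst_address: Optional[str] = None


def in_address_list(ip: str, name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in ADDRESS_LISTS[name])


def list_match(member: bool, spec: str) -> bool:
    # A leading "!" in RouterOS means "not in this list".
    return member != spec.startswith("!")


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.conn_states is not None and pkt.conn_state not in rule.conn_states:
        return False
    if rule.dst_address is not None and rule.dst_address != pkt.dst:
        return False
    if rule.in_iface_list is not None:
        name = rule.in_iface_list.lstrip("!")
        if not list_match(pkt.in_iface in INTERFACE_LISTS[name], rule.in_iface_list):
            return False
    if rule.src_address_list is not None:
        name = rule.src_address_list.lstrip("!")
        if not list_match(in_address_list(pkt.src, name), rule.src_address_list):
            return False
    return True


def evaluate(chain: list, pkt: Packet) -> tuple:
    """Return (comment, action) of the first matching rule; a RouterOS chain
    with no matching rule falls through to accept."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.comment, rule.action
    return "(end of chain)", "accept"


EST = frozenset({"established", "related", "untracked"})

# Input chain exactly as printed in the first post (rules 1-7).
OP_INPUT = [
    Rule("defconf: accept established,related,untracked", "accept", conn_states=EST),
    Rule("defconf: drop invalid", "drop", conn_states=frozenset({"invalid"})),
    Rule("defconf: accept ICMP", "accept", proto="icmp"),
    Rule("defconf: accept to local loopback (for CAPsMAN)", "accept", dst_address="127.0.0.1"),
    Rule("defconf: drop all not coming from LAN", "drop", in_iface_list="!LAN"),
    Rule("UPnP Devices (1900)", "drop", proto="udp", dst_port=1900, src_address_list="!UPnPdevices"),
    Rule("UPnP Devices (2828)", "drop", proto="tcp", dst_port=2828, src_address_list="!UPnPdevices"),
]

# Allow-list input chain from the template above.
TEMPLATE_INPUT = [
    Rule("accept established,related,untracked", "accept", conn_states=EST),
    Rule("drop connection-state=invalid", "drop", conn_states=frozenset({"invalid"})),
    Rule("check ICMP", "accept", proto="icmp"),
    Rule("Allow admin", "accept", src_address_list="Authorized"),
    Rule("accept DNS", "accept", proto="udp", dst_port=53, in_iface_list="LAN"),
    Rule("accept DNS", "accept", proto="tcp", dst_port=53, in_iface_list="LAN"),
    Rule("Drop all else", "drop"),
]

# Constructed packets: SSDP discovery is multicast to 239.255.255.250:1900,
# the IGD control connection is TCP to the router's own LAN address.
SSDP_CONSOLE = Packet("bridge", "udp", "192.168.1.70", "239.255.255.250", 1900)
SSDP_OTHER_LAN = Packet("bridge", "udp", "192.168.1.20", "239.255.255.250", 1900)
SSDP_FROM_WAN = Packet("ether1", "udp", "203.0.113.5", "198.51.100.7", 1900)
IGD_OTHER_LAN = Packet("bridge", "tcp", "192.168.1.20", "192.168.1.1", 2828)

if __name__ == "__main__":
    for name, pkt in [("console SSDP", SSDP_CONSOLE), ("other LAN SSDP", SSDP_OTHER_LAN),
                      ("WAN SSDP", SSDP_FROM_WAN), ("other LAN IGD", IGD_OTHER_LAN)]:
        print(f"{name:15} OP chain -> {evaluate(OP_INPUT, pkt)}"
              f"  template -> {evaluate(TEMPLATE_INPUT, pkt)}")
```

Two things the run makes visible: on the printed rule set, SSDP from a console falls off the end of the chain and is accepted implicitly, while anything from the WAN side is already dropped by rule 5, so rules 6 and 7 only ever count LAN traffic from hosts outside UPnPdevices. On the allow-list template, the same console SSDP hits "Drop all else", so anyone adopting that template while keeping UPnP needs explicit accept rules for 1900/udp and 2828/tcp from the UPnPdevices list placed before the final drop.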
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: UPnP won't work after literal hours of trying - help pls!

Tue Mar 19, 2024 6:59 pm

Yeah, full config. Things are not clear.
/export file=anynameyouwish (minus router serial number, any public WANIP info, keys, long dhcp lease lists etc.)

Assuming dst-address-list=MyWANIP is a firewall address list entry of either your dyndns URL service, or the IP Cloud service on the router.
This should be used for all port forwarding rules; replace any in-interface-list=WAN entries with that.
 
Amm0
Forum Guru
Posts: 3509
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: UPnP won't work after literal hours of trying - help pls!

Tue Mar 19, 2024 7:04 pm

Are there still programs in 2024 requiring UPNP???

Well, ZeroTier will use uPnP to determine its paths too.

And importantly, most modern VoIP things follow the ICE RFC scheme, so not just games. While uPnP is not an RFC (NAT-PMP or PCP are the RFC way), a lot of VoIP/video things will try uPnP to determine the public IP, and it is allowed in RFCs - https://www.rfc-editor.org/rfc/rfc6314. ... on-4.2.3.3 :
ICE is a methodology for using existing technologies such as STUN, TURN, and any other protocol compliant with Unilateral Self-Address Fixing (UNSAF) [RFC3424] to provide a unified solution. This is achieved by obtaining as many representative IP address/port combinations as possible using technologies such as STUN/TURN (note: an ICE endpoint can also use other mechanisms (e.g., the NAT Port Mapping Protocol [NAT-PMP], Universal Plug and Play Internet Gateway Device [UPnP-IGD]) to learn public IP addresses and ports, and populate a=candidate lines with that information).
And the ICE decision is up to the client on how to actually deal with the NAT for the app/game, so it may not use uPnP in the end.

So it's a bit more subtle if it's working – since you may not always see a dst-nat added even if uPnP is under-the-covers used. Now some android app would tell you if it's working for sure.

Why a reboot fixed it, I dunno. uPnP is a "server" of sorts, so perhaps it got confused in the process of changing config/firewall/etc., and/or stuff can get cached either in uPnP or in firewall connections. But if it's working & you reboot once more and it's still working in your test app, you'd know the change was for sure sticky. Normally once things are working on RouterOS, they do stay working (unless you upgrade and happen to run into a bug).
 
BinaryTB
just joined
Topic Author
Posts: 4
Joined: Tue Mar 19, 2024 2:11 am

Re: UPnP won't work after literal hours of trying - help pls!

Tue Mar 19, 2024 7:09 pm

x.50 is my homelab server, it's running all the services I'm port forwarding to in docker containers, which includes Wireguard, et al. I prefer to run things containerized rather than on the router, thus the forwarding, which can have local port conflicts with other docker containers. I keep the default ports on the containers so that the number of changes needed from the default config is minimal.

I'm not too worried about others accessing the router config, nobody else here will know what that means, but I will look into it since it's safer. I'm traveling for a bit starting tomorrow, so will have to look into this and the uploading configs later.

While "only allowing traffic and the dropping all else" makes sense, I prefer to just have as much security as needed without constantly updating configs/forwards whenever something needs access or something isn't working, especially if I'm not around or busy and others just need things to work.
 
anav
Forum Guru
Posts: 19404
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: UPnP won't work after literal hours of trying - help pls!

Tue Mar 19, 2024 7:10 pm

So AMMO, reading the needle in the haystack are you saying, the OP should not use UPNP but should be using nat-pmp??

https://help.mikrotik.com/docs/display/ROS/NAT-PMP
 
Amm0
Forum Guru
Posts: 3509
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: UPnP won't work after literal hours of trying - help pls!

Tue Mar 19, 2024 7:13 pm

So AMMO, reading the needle in the haystack are you saying, the OP should not use UPNP but should be using nat-pmp??

https://help.mikrotik.com/docs/display/ROS/NAT-PMP
Likely not. See, while NAT-PMP is an RFC, it's more an Apple thing. So it's mainly Bonjour (e.g. the DNS-SD part of "mDNS") that will prefer NAT-PMP AFAIK.

If I had to guess, way more stuff uses uPnP or will prefer it. But using BOTH might give apps/games more things to consider – but it's kinda duplicative, since Mikrotik just provides the same info/abilities twice regardless of uPnP or NAT-PMP.
 
rplant
Member
Member
Posts: 314
Joined: Fri Sep 29, 2017 11:42 am

Re: UPnP won't work after literal hours of trying - help pls!

Fri Mar 22, 2024 7:23 am


Literally all I did and voila, it all worked, no changes needed. Is that normal for RouterOS/RB5009? I've only had it a week.
Most things work immediately, but there is a small number (mostly, I seem to find, by trial and error) where a reboot is required.
Perhaps where some service now needs to be running.
 
Amm0
Forum Guru
Posts: 3509
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: UPnP won't work after literal hours of trying - help pls!

Fri Mar 22, 2024 7:38 am

The application/game controls how often it calls uPnP. And may not use uPnP if the random port assignment was acceptable on far-end, or have a low update interval. Possible there is bug/logic error in how uPnP works specifically on RouterOS with some application(s). Hard one to troubleshoot.

About the only thing you can do is add more logging to uPnP and/or add firewall filter rules that just action=log on traffic to port 1900/udp and 5000/tcp on chain=input. Might give some clues or a pattern in the logging.

Also, if there is double NAT, uPnP may not be so helpful and may interfere with some app/game's logic (where it might use TURN/similar if there was NO uPnP, rather than deal with double NAT "hidden" by uPnP).
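Both rplant's and Amm0's suggestions come down to logging the UPnP traffic that reaches the input chain and then reading what shows up. As an added example (not code from this thread or from MikroTik), the script below parses firewall log lines in the format a RouterOS filter rule emits with log=yes and a log prefix, counts hits per source, protocol and port, and flags sources that are outside the UPnPdevices range or that arrived on a non-LAN interface. The sample log lines are constructed in that style, not taken from a real router; the 192.168.1.70-79 range and the 1900/udp and 2828/tcp ports are the ones from the first post, and the prefix "UPnP" is an assumed log-prefix value.

```python
import ipaddress
import re
from collections import Counter

# Port/protocol pairs the first post's UPnP rules match on.
UPNP_PORTS = {("UDP", 1900), ("TCP", 2828)}

# Regex for the "<prefix> <chain>: in:<iface> ... proto <P>, <src>:<sport>-><dst>:<dport>"
# shape of RouterOS firewall log entries; TCP lines carry flags such as "TCP (SYN)".
LOG_RE = re.compile(
    r"(?P<prefix>\S+) (?P<chain>\w+): in:(?P<in_iface>[^ ,]+) .*?"
    r"proto (?P<proto>[A-Z]+)(?: \([^)]*\))?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Constructed sample log, written in RouterOS style (not captured from a device).
SAMPLE_LOG = """\
mar/19 18:20:01 firewall,info UPnP input: in:bridge out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:01, proto UDP, 192.168.1.70:51234->239.255.255.250:1900, len 130
mar/19 18:20:02 firewall,info UPnP input: in:bridge out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:01, proto UDP, 192.168.1.70:51234->239.255.255.250:1900, len 130
mar/19 18:20:03 firewall,info UPnP input: in:bridge out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:02, proto UDP, 192.168.1.20:49001->239.255.255.250:1900, len 128
mar/19 18:20:04 firewall,info UPnP input: in:bridge out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:01, proto TCP (SYN), 192.168.1.70:40022->192.168.1.1:2828, len 60
mar/19 18:20:05 firewall,info UPnP input: in:ether1 out:(unknown 0), connection-state:new src-mac 00:11:22:33:44:aa, proto UDP, 203.0.113.9:1900->198.51.100.7:1900, len 120
mar/19 18:20:06 dhcp,info defconf assigned 192.168.1.70 for 00:11:22:33:44:01 console1
"""


def parse_line(line: str):
    """Return a dict of the firewall fields in one log line, or None for lines
    that are not firewall log entries (e.g. DHCP messages)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def review_upnp_log(log_text: str,
                    allowed=("192.168.1.70", "192.168.1.79"),
                    lan_ifaces=("bridge",)):
    """Count UPnP-port hits per (src, proto, dport) and list sources that
    should not be talking UPnP to the router."""
    lo, hi = (ipaddress.ip_address(a) for a in allowed)
    counts = Counter()
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (rec["proto"], rec["dport"]) not in UPNP_PORTS:
            continue
        counts[(rec["src"], rec["proto"], rec["dport"])] += 1
        if rec["in_iface"] not in lan_ifaces:
            msg = (f"{rec['src']} reached {rec['proto']}/{rec['dport']} via "
                   f"{rec['in_iface']}, which is not a LAN interface")
        elif not lo <= ipaddress.ip_address(rec["src"]) <= hi:
            msg = (f"{rec['src']} sent {rec['proto']}/{rec['dport']} but is outside "
                   f"the UPnP device list {allowed[0]}-{allowed[1]}")
        else:
            continue
        if msg not in findings:       # report each source/port problem once
            findings.append(msg)
    return counts, findings


if __name__ == "__main__":
    counts, findings = review_upnp_log(SAMPLE_LOG)
    for (src, proto, port), n in sorted(counts.items()):
        print(f"{src:15} {proto}/{port}: {n} packet(s)")
    for f in findings:
        print("check:", f)
```

Read against the thread: a console in the list produces only counted, unflagged lines (SSDP discovery to the multicast group, then the IGD control connection to the router's own address), a LAN host outside the list shows up as a candidate for the UPnPdevices list or for a drop, and anything on the WAN interface should already be gone by the "drop all not coming from LAN" rule and is worth a closer look if it appears at all.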
