Another UPnP question

Hi,

I’m trying to get UPnP to dynamically open incoming ports, with no luck, for the Transmission torrent client. I think it’s a firewall issue, because in Windows, routers and gateways (even those not mine) show up in my laptop’s Windows Explorer Network “Network Infrastructure” page.

Here’s my router’s configuration:

[admin@MikroTik] /ip> upnp print 
                           enabled: yes
  allow-disable-external-interface: no
                   show-dummy-rule: yes

[admin@MikroTik] /ip> upnp interfaces print 
Flags: X - disabled, D - dynamic 
 #   INTERFACE                                                TYPE     FORCED-IP      
 0   ether2-master                                            internal
 1   ether1                                                   external

[admin@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 

[admin@MikroTik] /ip> firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 2    ;;; defconf: accept established,related
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 3    ;;; IP address of public bandwidth tester
      chain=input action=accept protocol=udp src-address=207.32.195.2 log=no 

 4    ;;; defconf: drop all from WAN
      chain=input action=drop tcp-flags="" in-interface=ether1 log=no log-prefix="WANDrop " 

 5    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 6    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 7    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 8 XI  ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""

Which RouterOS version? Have you tried latest bugfix (6.36.4)?

Can you post /Ip address print?

6.37.1

Can you post /Ip address print?

admin@MikroTik] /system routerboard settings> /ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                        
 0   ;;; defconf
     192.168.1.1/24     192.168.1.0     ether2-master                                                                                                                                    
 1 D xx.yy.109.83/21  xx.yy.104.0    ether1

Maybe the network type you have chosen for the network on your laptop is “Public” rather than “Private”? I think “Public” would not attempt to communicate with uPnP devices.

ether1 is definitely the WAN port and ether2-master definitely the LAN port:

Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete 
 #    ADDRESS         MAC-ADDRESS       INTERFACE 
 0 DC 192.168.1.10    BC:5F:F4:57:8D:F8 ether2-master 
 1 DC 192.168.1.127   E4:9A:79:79:72:26 ether2-master 
 2 DC 192.168.1.129   00:18:F8:85:90:35 ether2-master 
 3 DC xx.yy.104.1    60:73:5C:72:23:D9 ether1 
 4 DC 192.168.1.125   90:FD:61:E3:8A:A1 ether2-master 
 5 DC 192.168.1.123   F8:CA:B8:52:4F:39 ether2-master

I mean on your Windows computer itself. When you first connect to a network, Windows asks you if it is a private network or a public network. If you choose “public”, or do not choose anything, it will assume public, and will not attempt to look for or interact with uPnP devices.

Ah. This is a Linux desktop, and I’ve never heard of notion of Public, Private or Work networks there.

(And UPnP worked fine when my (old) router ran Tomato.)

Well you did mention your laptop’s Windows Explorer Network “Network Infrastructure page” in your opening post

Since you have a WAN subnet, you could try explicitly setting a forced wan ip, like:

/ip upnp interfaces
set 1 forced-ip=xx.yy.109.84

(or whatever the router’s IP address is).

Also, I see that your last firewall rule ( no 8 ) is disabled, leaving your internal network unprotected.

Could you try running the following file on your Windows laptop, it can be run using LINQPad which can be downloaded here:
http://www.linqpad.net/

(this script uses the NuGet package Open.Nat)

// Find router
var discoverer = new Open.Nat.NatDiscoverer();
var device = await discoverer.DiscoverDeviceAsync();
device.ToString().Dump("Router information");

// Show mappings (before)
await device.GetAllMappingsAsync().Dump("Mappings (Before)", 1);

// Create mapping
var mapping = new Open.Nat.Mapping(Protocol.Tcp, 1337, 1337);
await device.CreatePortMapAsync(mapping);

// Show mappings (after)
await device.GetAllMappingsAsync().Dump("Mappings (After)", 1);

// Show external IP
(await device.GetExternalIPAsync()).ToString().Dump("My external IP");

Download the code: http://share.linqpad.net/6s78vu.linq

Result:

My bad for the confusion.

I’ve got two computers: a Windows laptop (where enabling UPnP and adding the interfaces allowed the Explorer Network Infrastructure page to see the RB750G) and a Linux desktop where I run a torrent client.

It’s the torrent client on Linux that can’t dynamically find an open port.

Since you have a WAN subnet, you could try explicitly setting a forced wan ip, like:

/ip upnp interfaces
set 1 forced-ip=xx.yy.109.84

>
> (or whatever the router's IP address is).

I'd have to change that every time that my ISP sends me a new address (often, since I must regularly reboot the modem).

> Also, I see that your last firewall rule ( no 8 ) is disabled, leaving your internal network unprotected.

From what?  (This is a small, trusted LAN.)

> Could you try running the following file on your Windows laptop, it can be run using LINQPad which can be downloaded here:
> http://www.linqpad.net/
> <snip>
![Linqpad results.jpg|950x898](upload://4gekAxwfNQoO4GJQ5uJcAKHgBTW.jpeg)

You’re right. I thought you had been assigned a /21 subnet but this is just the provider’s subnet not yours.

From what? (This is a small, trusted LAN.)

From malicious traffic Anyone in your provider’s subnet could send malicious traffic to your internal network. Even if your house is small, you shouldn’t leave the doors wide open..

The LINQPad example shows that the UPnP interface is running and accepting commands. So the question is; what isn’t working correctly?
Do you see the dnat entries appearing in the firewall NAT table? If so, check the counters and run packet sniffer to determine where the traffic is blocked.
If the dnat entries are not there, you’d better create a supout.rif and send it to MikroTik.

(If the dnat entries appear only when using the LINQPad example and not when running your torrent app, try restarting this application and/or the pc).

From what? (This is a small, trusted LAN.)

From malicious traffic Anyone in your provider’s subnet could send malicious traffic to your internal network. Even if your house is small, you shouldn’t leave the doors wide open..[/quote]

I thought that was what the rule “chain=input action=drop tcp-flags=“” in-interface=ether1 log=no” did. Whenever I enable logging, I see scads of blocked traffic.

(If the dnat entries appear only when using the LINQPad example and not when running your torrent app

That’s the case.

try restarting this application

Did that many times when trying various permutations of settings.

and/or the pc.

That makes me sad…

That rule only blocks traffic targeted at the router itself, rather than traffic passing through the router, towards your internal computers.

chain = input is for traffic arriving at the router (as its final destination)
chain = forward is for traffic passing through the router (something else is the final destination)

Demonstrating how much I don’t know what I don’t know: how does someone outside of my router’s WAN know what to target behind my router?

To some extent, it is a guess. However, 192.168.1.0/24 is the most commonly used private subnet for home users, so the odds of this guess being accurate are fairly high. There are only 254 potential devices on this subnet, and so it doesn’t take long to try accessing all 254 IPs to determine if there is a response. If someone on the same ISP (and same public subnet) as you wanted to try to hack into your system, it would be relatively easy without that firewall rule protecting you. They could configure their router with a static route to 192.168.1.0/24 with your public IP as the next hop, and, without the ‘forward’ chain rule blocking, any packets they send to 192.168.1.x addresses would be delivered to your internal devices, and they would reply.

Understood. Thanks. (I’ll enable logging, and give it a prefix to see how often it occurs.)

It is somewhat unlikely you will see anything in the log (especially in comparison to attempts on the input chain itself), but that doesn’t mean that you shouldn’t protect yourself from that attack vector. All it takes is one hacker on your ISP subnet who tries your IP to take advantage of this open door (which hackers elsewhere do not have access to) and they can have full access to your internal systems. Most home routers protect against this attack vector by default, so without a rule blocking incoming forwarded packets, your router is less secure than a typical D-Link or similar consumer router.

Sorry for playing the “have you tried turning it off and on again” - card.. But really before starting the process elimination you should’ve checked the obvious.

Please take the time to follow my steps. I have installed transmission on Ubuntu and tested UPnP. It seems to be working well:

dnet entries are created:

UPnP traffic is visible by sniffing traffic (could’ve filtered on port 2828):

Filter on http traffic (enter “http” as display filter without quotes)

Select one of the packets (preferably one of the subsequent POSTs), open context menu and go to Follow => TCP Stream (as displayed above)

Here you can see the request:

POST /upnp/control/okgmrxpsbp/wanipconn-1 HTTP/1.1
Host: 192.168.88.1:2828
User-Agent: Debian/jessie/sid, UPnP/1.0, MiniUPnPc/1.6
Content-Length: 607
Content-Type: text/xml
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
Connection: Close
Cache-Control: no-cache
Pragma: no-cache

<?xml version="1.0"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewRemoteHost></NewRemoteHost><NewExternalPort>51413</NewExternalPort><NewProtocol>TCP</NewProtocol><NewInternalPort>51413</NewInternalPort><NewInternalClient>192.168.88.237</NewInternalClient><NewEnabled>1</NewEnabled><NewPortMappingDescription>Transmission at 51413</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>

And response (in blue):

HTTP/1.1 200 OK
CONTENT-LENGTH: 282
CONTENT-TYPE: text/xml; charset="utf-8"
DATE: Mon, 07 Nov 2016 08:41:11 GMT
EXT: 
SERVER: RouterOS/6.38rc24UPnP/1.0 MikroTik UPnP/1.0

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <s:Body>
    <u:AddPortMappingResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"></u:AddPortMappingResponse>
  </s:Body>
</s:Envelope>

I agree that it “should just work” but since it doesn’t.. you’d better find out why. Let us know whether you get similar results.

@nescafe: did you use 6.37.1?

@rohnjohn63: try downgrading to bugfix channel, 6.36.4. Do the linux host uPNP properly creates the dynamic dst-nat on IP > Firewall > Filter in this case?

One thing I notice is that you have a “bridge-local” interface. Do I need one? If so, what does it bridge from/to?

No.