[SOLVED] UPnP seems not working with PPPoE

Hi,

I need advice about my network configuration. It looks to me like UPnP is not working over PPPoE, even though I have set up internet access correctly and all my devices in the LAN have access to the internet.

The configuration looks OK (I’ve compared it with different guides), but it doesn’t work: all my torrent clients in the LAN fail the incoming-connection check. Of course, all of them have UPnP NAT settings enabled.

I added firewall rules to log these incoming connections from the PPPoE interface; they were captured, but never reached the LAN clients.

RouterOS and H/W:

        routerboard: yes
             model: 951G-2HnD
     serial-number: XXXXXX
     firmware-type: ar9344
  current-firmware: 3.24
  upgrade-firmware: 3.24
  
[admin@MikroTik] > system package print 
Flags: X - disabled 
 #   NAME                   VERSION      SCHEDULED              
 0   routeros-mipsbe        6.33.3
 1   system                 6.33.3
 2 X wireless-cm2           6.33.3
 3 X ipv6                   6.33.3
 4   wireless-fp            6.33.3
 5   hotspot                6.33.3
 6   dhcp                   6.33.3
 7   mpls                   6.33.3
 8   routing                6.33.3
 9   ppp                    6.33.3
10   security               6.33.3
11   advanced-tools         6.33.3

Here is the interface list:

[admin@MikroTik] > interface print                                                         
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                 TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  ether1-gateway        ether       1500     1598       4074 
 1  RS ether2-master-local   ether       1500     1598       4074 
 2  RS ether3-slave-local    ether       1500     1598       4074 
 3   S ether4-slave-local    ether       1500     1598       4074 
 4   S ether5-slave-local    ether       1500     1598       4074 
 5  XS wlan1                 wlan        1500     1600            
 6  R  bridge-local          bridge      1500     1598            
 7  R  pppoe-isp             pppoe-out   1480

PPP interface and profiles:

[admin@MikroTik] > interface pppoe-client print
Flags: X - disabled, R - running 
 0  R name="pppoe-isp" max-mtu=1480 max-mru=1480 mrru=1600 interface=ether1-gateway user="XXXX" password="XXXXX" profile=enc-mss-upnp-comp keepalive-timeout=60 service-name="" ac-name="" add-default-route=yes 
      default-route-distance=1 dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2 

[admin@MikroTik] > ppp profile print
Flags: * - default 
 0 * name="default" use-mpls=default use-compression=yes use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=yes address-list="" on-up="" on-down="" 

 1   name="enc-mss-upnp-comp" use-mpls=default use-compression=yes use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down="" 

 2 * name="default-encryption" use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list="" on-up="" on-down=""

UPnP settings:

[admin@MikroTik] > ip upnp print 
                           enabled: yes
  allow-disable-external-interface: yes
                   show-dummy-rule: yes

[admin@MikroTik] > ip upnp interfaces print 
Flags: X - disabled, D - dynamic 
 #   INTERFACE          TYPE     FORCED-IP      
 0   bridge-local       internal
 1   pppoe-isp          external

Firewall and NAT rules:

[admin@MikroTik] > ip firewall filter print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 1    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 2    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 3    ;;; default configuration
      chain=input action=drop in-interface=ether1-gateway log=no log-prefix="" 

 4    chain=input action=drop in-interface=all-ppp log=no log-prefix="" 

 5    ;;; default configuration
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 6    ;;; default configuration
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

 7    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 8    ;;; default configuration
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix="" 

[admin@MikroTik] > ip firewall nat print       
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; default configuration
      chain=srcnat action=masquerade out-interface=ether1-gateway log=no log-prefix="" 

 1    chain=srcnat action=masquerade out-interface=all-ppp log=no log-prefix="" 

You may notice rules 3 and 4 in the input chain that “drop incoming connections”, but I tried turning them off and on without success.

Could someone please point out what is wrong with my configuration?

Thanks!

chain=input action=drop in-interface=all-ppp log=no log-prefix=""

and

chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1-gateway log=no log-prefix=""

You should change in-interface on those to pppoe-isp.

Can you post your interface and ip address export outputs?

Sorry, I missed your message because the forum has notifications disabled by default.

I’ve tried different configurations with firewall drop filters (changed, enabled/disabled them), but nothing helped.

Suddenly I fixed my UPnP: I deleted all UPnP internal/external interfaces, then I disabled UPnP by unchecking it and finally I pushed the Apply button in the UPnP dialog. Then I enabled UPnP, pushed the Apply button and only then re-added the internal/external UPnP interfaces, and magically everything started working! With the same setup!

Most interesting is that I did the same steps earlier, but without success. This time it helped, and now I see dynamic dst-nat rules added by UPnP to the Firewall NAT table.

I didn’t figure out what caused this issue (the order of actions for enabling UPnP and adding UPnP interfaces, or something else), because I was unable to reproduce it again. This is definitely some kind of bug, because the configuration I posted in the first post is my current configuration, but now UPnP is working. On other forums I found similar discussions saying that resetting the UPnP settings sometimes helps.

I’m closing this thread as solved.

Thank you for the info @stunpix
It is a bug indeed, because it only started working for me after following your steps.
“I deleted all UPnP internal/external interfaces, then I disabled UPnP by unchecking it and finally I pushed the Apply button in the UPnP dialog. Then I enabled UPnP, pushed the Apply button and only then re-added the internal/external UPnP interfaces, and magically everything started working! With the same setup!”

Sadly the bug still exists 4.5 years after I posted here.

Sometimes if I disable UPnP and re-enable it, UPnP still stays disabled (you can check TCP port 2828 with tcping; it was closed).
After disabling and re-enabling it again and again, it was still disabled; then I found your solution, tried it, and it worked again.
So thanks for your solution.

But most of the time it works as normal (unchecking UPnP disables it, checking UPnP enables it),
so maybe it’s a bug whose reason is not easy to find.

My RouterOS version: CHR 6.44.3

Yeah, I still can’t enable or see the dynamic rule of UPnP; it seems UPnP is not working for me.

I can see the rules added by UPnP automatically, but there is no logged data exchange (the counter is always at 0 bytes). My WISP’s CPE (also a MikroTik device) seems to act like a router. Can this be an issue due to double NAT? Will asking the ISP to enable UPnP in the CPE solve this, or do I need the CPE in bridge mode?

There’s no UPnP chaining in RouterOS. So if the client is connected to a router which doesn’t have a public address itself (or has 1:1 NAT from the upstream router, but then the client can’t ask the router for the public address and needs to find it elsewhere), UPnP is useless.

I see now, thanks. Most probably I’m behind CG-NAT and the CPE device has a 10.0.0.0 or 172.16.0.0 IP behind the WAN. I need them to provide me a public dynamic IP or buy a static IP, and then tell them to put the CPE in bridge mode, just for peace of mind.

A thing I’d check is that you actually have the “drop by default” default firewall filter rule on the forward chain, which UPnP relies on:

filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

The connection-nat-state=!dstnat is the key, and is what “automatically” opens the firewall to any dst-nats, such as the ones created by UPnP; without this (or specific allow rules for each dynamically generated UPnP dst-nat) the firewall will block them.
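As an added illustration (not RouterOS code and not from anyone in this thread), here is a small Python model of how the forward chain quoted above evaluates inbound connections: a new WAN connection that hit a UPnP-created dst-nat entry passes the !dstnat drop rule, one that did not is dropped, and the original poster's variant bound to ether1-gateway never matches PPPoE traffic at all, which is the point of the earlier reply. The rule dictionaries, the WAN set and the Conn fields are my own assumptions, not RouterOS internals.

```python
from dataclasses import dataclass

# Constructed WAN interface list, standing in for in-interface-list=WAN in the rule above.
WAN = {"pppoe-isp"}

@dataclass
class Conn:
    in_iface: str   # interface the first packet of the connection arrived on
    state: str      # connection-state: "new", "established", "related", "invalid"
    nat_state: str  # connection-nat-state: "dstnat", "srcnat" or "" (no NAT applied)

def matches(rule: dict, c: Conn) -> bool:
    """Every matcher present on a rule must hold; absent matchers match anything."""
    if "in_ifaces" in rule and c.in_iface not in rule["in_ifaces"]:
        return False
    if "states" in rule and c.state not in rule["states"]:
        return False
    if "not_nat_state" in rule and c.nat_state == rule["not_nat_state"]:
        return False
    return True

# Forward chain as quoted in the thread (fasttrack + accept collapsed into one accept),
# with the final drop bound to the WAN interface list as in the last post.
FORWARD_WAN_LIST = [
    {"action": "accept", "states": {"established", "related"}},
    {"action": "drop", "states": {"invalid"}},
    {"action": "drop", "states": {"new"}, "not_nat_state": "dstnat", "in_ifaces": WAN},
]

# The original poster's variant: the same drop rule bound to ether1-gateway only.
FORWARD_ETHER1 = [
    FORWARD_WAN_LIST[0], FORWARD_WAN_LIST[1],
    {"action": "drop", "states": {"new"}, "not_nat_state": "dstnat",
     "in_ifaces": {"ether1-gateway"}},
]

def forward_verdict(c: Conn, chain=FORWARD_WAN_LIST) -> str:
    """First matching terminating rule wins; with no match the forward chain accepts."""
    for rule in chain:
        if matches(rule, c):
            return rule["action"]
    return "accept"

if __name__ == "__main__":
    upnp = Conn("pppoe-isp", "new", "dstnat")  # hit a UPnP-created dst-nat entry
    stray = Conn("pppoe-isp", "new", "")       # unsolicited inbound connection
    print(forward_verdict(upnp), forward_verdict(stray))  # accept drop
    # The ether1-gateway-bound rule never sees PPPoE traffic, so the stray is accepted:
    print(forward_verdict(stray, FORWARD_ETHER1))         # accept
```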