UPnP dynamic NAT rules have wrong dst-address field

Hello,
I’m using an RB951G-2HnD v5.26 device with a Transmission BitTorrent client. Transmission is using miniupnpc, and I have read threads on this forum, as well as Transmission’s and miniupnpc’s tickets, about past issues with RouterOS.

This no longer seems to be the case, as Transmission and the miniupnpc command line client are able to create dynamic rules. However, even though the web interface shows the TCP dynamic rules, the port is actually closed from the outside.
I check the port using Transmission’s built-in checker, the canyouseeme.org service and infobyip.com’s web services.

If I create a static TCP rule with exactly the same values as the dynamic rule, then the port correctly shows as open.

The only difference I can see is the destination address field, which is “0.0.0.0” in the dynamic rule and is just skipped in the manually added rule.

Is the UPnP client wrong in using an external address of 0.0.0.0, or is there something in my config that is preventing it from working as expected?

Also, I see the dynamic rules listed in the web interface but not listed by ip firewall nat print. Is this expected? How can I list the dynamically created rules from the command line?


Here’s the command line output before and after starting the UPnP client:

~> ssh router ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=pppoe-out1

 1 X chain=dstnat action=dst-nat to-addresses=192.168.0.188 to-ports=7999 protocol=tcp dst-port=7999
~> # starting the client here
~> ssh router ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=pppoe-out1

 1 X chain=dstnat action=dst-nat to-addresses=192.168.0.188 to-ports=7999
     protocol=tcp dst-port=7999

And here’s the web interface after starting the client; before that, the dynamic rules aren’t there:

Notice that I disabled the static rule to check if the dynamic ones worked; deleting it produces the same effect.


Here’s my /ip firewall filter content:

> ssh router ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp

 1   ;;; default configuration
     chain=input action=accept connection-state=established

 2   ;;; default configuration
     chain=input action=accept connection-state=related

 3   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway

 4   ;;; default configuration
     chain=forward action=accept connection-state=established

 5   ;;; default configuration
     chain=forward action=accept connection-state=related

 6   ;;; default configuration
     chain=forward action=drop connection-state=invalid

Any hint appreciated

On Freenode it’s been pointed out to me that print has arguments; in my case print dynamic or print dynamic did the job.

Also, I manually checked the dst-address=0.0.0.0 thing, and that’s preventing any packet from matching.

Nevertheless, I see it’s MiniUPnP’s standard behavior when creating a rule with the command line client.
Is this a RouterOS or a MiniUPnP issue?

I got an answer from support and I’m reporting it here for future reference.

My issue was due to a bad configuration in the UPnP service: I had ether1-gateway as the external interface, but port 1 was using the PPPoE client since it’s connected to the ADSL modem.

Once I set the external interface to pppoe-out1, the dynamic rules show the correct dst-address.
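
A check for the symptom described in this thread, as an added example (not part of the original posts and not MikroTik code): it parses text in the `ip firewall nat print` layout shown above and reports dynamic dstnat rules whose dst-address is 0.0.0.0. The sample input is constructed; the D-flagged rules, the rule comment and the address 203.0.113.10 are assumptions made for illustration.

```python
import re

# Constructed sample in the layout of the `ip firewall nat print` output above.
# Rules 2 and 3, the ";;;" comment and 203.0.113.10 are made up for illustration.
SAMPLE = """\
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=pppoe-out1

 1 X chain=dstnat action=dst-nat to-addresses=192.168.0.188 to-ports=7999
     protocol=tcp dst-port=7999

 2 D ;;; upnp 192.168.0.188: Transmission at 7999
     chain=dstnat action=dst-nat to-addresses=192.168.0.188 to-ports=7999
     protocol=tcp dst-address=0.0.0.0 dst-port=7999

 3 D chain=dstnat action=dst-nat to-addresses=192.168.0.188 to-ports=7999
     protocol=udp dst-address=203.0.113.10 dst-port=7999
"""

# A rule starts with its index, then optional flag letters, then the first properties.
RULE_START = re.compile(r"^\s*(\d+)\s+((?:[XID]+\s+)?)(.*)$")

def parse_rules(text):
    """Turn print output into a list of {'id', 'flags', 'props'} dicts."""
    rules, cur = [], None
    for line in text.splitlines():
        m = RULE_START.match(line)
        if m:
            cur = {"id": int(m.group(1)), "flags": set(m.group(2).strip()), "props": {}}
            rules.append(cur)
            body = m.group(3)
        elif cur is not None and line.strip():
            body = line.strip()          # wrapped continuation of the current rule
        else:
            continue                     # header or blank line
        if body.startswith(";;;"):       # rule comment, not key=value data
            cur["comment"] = body[3:].strip()
            continue
        cur["props"].update(kv.split("=", 1) for kv in body.split() if "=" in kv)
    return rules

def unmatched_upnp_rules(text):
    """Ids of dynamic dstnat rules pinned to dst-address 0.0.0.0."""
    return [r["id"] for r in parse_rules(text)
            if "D" in r["flags"] and r["props"].get("chain") == "dstnat"
            and r["props"].get("dst-address") == "0.0.0.0"]

if __name__ == "__main__":
    print("dynamic rules with dst-address=0.0.0.0:", unmatched_upnp_rules(SAMPLE))
```
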