UPnP help --- connects then drops

Hi all. I have been running in circles the last few days and I am at my wits end.

I have gotten UPnP to run. But it only lasts for about 1-2 minutes before it just drops the connection.

My firewall is a mess right now— mainly because I am at the point of throwing everything at it. I don't think it's a firewall thing— mainly because, as a why-the-f-not, I opened the router up 100%.

Any input would be greatly appreciated.

# mar/13/2022 20:59:27 by RouterOS 7.1.3
# software id = 56LU-W8EI
#
# model = RB4011iGS+
# serial number = B8F40B74C8FF
/interface bridge
add admin-mac=C4:AD:34:33:F1:63 auto-mac=no comment=defconf igmp-snooping=yes multicast-querier=yes name=Bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.1.20-192.168.1.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp insert-queue-before=bottom interface=Bridge name=defconf
/ipv6 dhcp-server
add address-pool="" interface=Bridge name=server1
/port
set 0 name=serial0
set 1 name=serial1
/queue simple
add burst-limit=0/50M burst-time=0s/5s max-limit=0/50M name="download max" target=ether1
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes name=zt1 \
    port=9993
/interface bridge port
add bridge=Bridge comment=defconf interface=ether2
add bridge=Bridge comment=defconf interface=ether3
add bridge=Bridge comment=defconf interface=ether4
add bridge=Bridge comment=defconf interface=ether5
add bridge=Bridge comment=defconf interface=ether6
add bridge=Bridge comment=defconf interface=ether7
add bridge=Bridge comment=defconf interface=ether8
add bridge=Bridge comment=defconf interface=ether9
add bridge=Bridge comment=defconf interface=ether10
add bridge=Bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set icmp-rate-limit=100 rp-filter=loose tcp-syncookies=yes
/ipv6 settings
set accept-router-advertisements=no disable-ipv6=yes
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=Bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=Bridge network=192.168.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.253 client-id=1:f0:9f:c2:76:1b:72 mac-address=F0:9F:C2:76:1B:72 server=defconf
add address=192.168.1.63 client-id=1:70:5a:f:42:a3:d2 mac-address=70:5A:0F:42:A3:D2 server=defconf
add address=192.168.1.74 client-id=1:10:7b:44:4b:46:c8 mac-address=10:7B:44:4B:46:C8 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=192.168.1.1 gateway=192.168.1.1 netmask=24 ntp-server=\
    192.168.1.1,132.163.96.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.1.0/24 list=UPnPdevices
add address=192.168.1.0/24 list=allowed_to_router
/ip firewall filter
add action=drop chain=input connection-state=new in-interface-list=WAN protocol=tcp src-port=53
add action=drop chain=input connection-state=new in-interface-list=WAN protocol=udp src-port=53
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    disabled=yes hw-offload=yes
add action=accept chain=input in-interface=Bridge src-address=192.168.1.0/24
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related
add action=accept chain=input dst-port=88,3074,53,800,3544,4500,500,1900,8291,37008 protocol=udp
add action=accept chain=input dst-port=3074,80,53,7680,23,5000,8291,2828 protocol=tcp
add action=accept chain=forward dst-port=88,3074,53,800,3544,4500,500,1900,8291,37008 protocol=udp
add action=accept chain=forward dst-port=3074,80,53,7680,23,5000,8291,2828 protocol=tcp
add action=drop chain=input comment="INPUT Drop Invalid" connection-state=invalid log-prefix=\
    "invalid connection"
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2d chain=input comment=\
    "INPUT Telnet Port Scans" dst-port=23 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="INPUT DROP Rogue VPN Hosts" in-interface=ether1 log=yes log-prefix=\
    rogue_vpn_hosts src-address-list=rogue_vpn_hosts
add action=accept chain=input dst-port=500 in-interface=ether1 protocol=udp
add action=accept chain=input dst-port=4500 in-interface=ether1 log=yes log-prefix=who_is_this protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input in-interface=ether1 protocol=ipsec-ah
add action=accept chain=input comment="INPUT Allow UPnP port 1900 udp" dst-port=1900 log-prefix=UPnP protocol=\
    udp src-address-list=UPnPdevices
add action=accept chain=input comment="INPUT Allow UPnP port 2828 tcp" dst-port=2828 log-prefix=UPnP protocol=\
    tcp src-address-list=UPnPdevices
add action=accept chain=input comment="INPUT Allow to Router from address list" src-address-list=\
    allowed_to_router
add action=accept chain=input comment="INPUT ICMP" protocol=icmp
add action=drop chain=input comment="INPUT DROP ALL"
add action=accept chain=forward comment="FORWARD Accept in IPsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="FORWARD Accept out IPsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="FORWARD Accept FastTrack Established, Related" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="FORWARD Accept Established, Related" connection-state=\
    established,related
add action=drop chain=forward comment="FORWARD Drop invalid" connection-state=invalid log-prefix=invalid
add action=drop chain=forward comment="FORWARD Drop incoming from internet which is not public IP" \
    in-interface=ether1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="FORWARD Drop incoming packets that are not NATted" connection-nat-state=\
    !dstnat connection-state=new in-interface=ether1 log=yes log-prefix=!NAT
/ip firewall nat
add action=redirect chain=dstnat disabled=yes dst-address=!192.168.1.1 dst-address-list=192.168.1.1 dst-port=53 \
    in-interface=!ether1 in-interface-list=!WAN protocol=udp to-ports=53
add action=redirect chain=dstnat disabled=yes dst-address=!192.168.1.1 dst-address-list=192.168.1.1 dst-port=53 \
    protocol=tcp to-ports=53
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN \
    src-address=192.168.1.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=Bridge type=internal
add interface=ether1 type=external
/ipv6 address
add address=fd12:672e:6f65:8899:: interface=Bridge
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/routing igmp-proxy interface
add interface=Bridge upstream=yes
/system clock
set time-zone-name=America/Chicago
/system identity
set name=home
/system logging
add topics=upnp
/system ntp server
set broadcast=yes broadcast-addresses=192.168.1.1 enabled=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set file-name=test streaming-server=192.168.1.74

What do you mean by “just drops the connection”? UPnP simply adds dynamic dstnat rules, and that’s it, there’s no special handling for connections that use them.

Sob, it's a bot… that is like the fourth post of the same thing…
Go here…
http://forum.mikrotik.com/t/upnp-help/156483/1
or here
http://forum.mikrotik.com/t/upnp-help-connects-but-then-drops/156520/1

So I am not sure if it ever connects via UPnP

I can get the NAT rule to appear — but since the response is on a different port, it does not work.

Also I forgot I had an account — it was not allowed to post — and then it was. Hence the double post.

Don’t stop, what exactly do you mean by “but since the response is on a different port”?

Microsoft takes a request out on a 50000-range port, but responds on 3074.

From what I can tell it also changes protocol, from UDP to TCP.

Long story short: I am trying to use the PC Xbox party chat and an Xbox chat function at the same time.

I have tried doing a static dst-nat, but I am missing something. Even with a static NAT or UPnP, I get no traffic across NAT, minus my masquerade.

Even without UPnP, I get responses back, but because they are not being recognized as related, they are not passing through.

The flood of returns starts with TCP 443, and once it fails they try a different port, and so on for a good 10 seconds.

Hopefully that makes sense.

No, a connection can’t change port or protocol. If it does, it’s not the same connection. So do the dstnat rules (UPnP or static) get any hits at all (check their packet counters)? If not, do you have a public IP address? If you check some online “what is my IP address” service, do you get the same one as you see on the router (IP->Addresses)?

So the IP scan matches what the router reports.

I have internet – the internet becomes unstable when UPnP is turned on, requiring a reset back to before UPnP.

When UPnP makes the dummy rule, I get one packet back. Would a bridge across all my LAN ports block that?

When I make a dstnat rule, I get no packets. I also could be making the rule wrong.

I did find something in a DD-WRT forum that might work. Just need to translate what the kid does.

Link below. Who knows, he might make more sense than me for what I’m trying to do.

https://youtu.be/LZLdkJ1KuVw

Did you even watch the video you posted a link to?

He is not using UPnP at all. He is using port forwarding to alternate ports.

Completely aware. Giving up on UPnP, mainly because every time I enable it, it makes my network unstable.

The documentation you need to read: https://help.mikrotik.com/docs/display/ROS/NAT
More info is easily found by googling “port forwarding mikrotik”.
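As an added example (not posted by anyone in this thread), here is what the static port forward the thread ends up recommending looks like on RouterOS, together with the filter rule that admits the translated connection and the two checks suggested earlier (packet counters on the dstnat rules, and the WAN address versus an external lookup). It assumes the console is the DHCP lease at 192.168.1.74 from the posted config and uses port 3074 because that is the port the thread mentions; both are assumptions, and the comments are constructed for the example.

```routeros
# Added example, not from the thread. Assumes 192.168.1.74 is the console
# (the address appears only as a DHCP lease in the posted config) and that
# 3074 is the port the game traffic actually uses.
#
# RouterOS evaluates the dstnat chain in prerouting, before the filter
# forward chain. By the time a forward rule sees the packet its destination
# is already 192.168.1.74:3074 and connection-nat-state=dstnat is set, so
# the "drop incoming packets that are not NATted" defconf rule lets it pass.
/ip firewall nat
add chain=dstnat in-interface-list=WAN protocol=udp dst-port=3074 \
    action=dst-nat to-addresses=192.168.1.74 to-ports=3074 \
    comment="example: forward UDP 3074 to console"
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=3074 \
    action=dst-nat to-addresses=192.168.1.74 to-ports=3074 \
    comment="example: forward TCP 3074 to console"

# Explicit accept for new connections that matched a dstnat rule, placed
# above the defconf drop so the order is obvious when reading the chain.
# Replies ride the existing established,related accept; a reply that
# arrives on a different port or protocol is a new connection and is not
# covered, which is the point made earlier in the thread.
/ip firewall filter
add chain=forward action=accept connection-state=new \
    connection-nat-state=dstnat in-interface-list=WAN \
    comment="example: accept new connections that hit a dstnat rule" \
    place-before=[find comment="FORWARD Drop incoming packets that are not NATted"]

# Checks: do the dstnat rules count any packets, and does the address on
# ether1 match what an outside "what is my IP" service reports? If the
# counters stay at 0 and the addresses differ, the ISP is handing out a
# private (carrier-grade NAT) address and no forward or UPnP mapping on
# this router can ever receive inbound traffic.
/ip firewall nat print stats where chain=dstnat
/ip address print where interface=ether1
```

Dynamic mappings created by UPnP show up in the same `/ip firewall nat print` output flagged `D`, so the same counter check applies to them. A static forward binds one external port to one host; running two devices that both want 3074 needs a second rule with a different external `dst-port` translated to that device's 3074, which is what the linked video does.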

Thanks Buckeye! I see one of the many flaws — I thought dst-nat was always upstream of the firewall.

Marking as solved — I was missing the connection that dst-nat was downstream of the firewall. I thought it was all upstream. I thought I had restored the default firewall but missed the dst-nat rule.

Thanks