Howdy y’all. Long-time user, but new to UPnP. I’m having trouble getting a stable connection. As far as I can tell it’s not the firewall — I have tested with some allow-all rules (now disabled; they are among the rules marked `X` below), and the connections still close.
I have enabled UPnP — I see the rule populate in NAT — but I only see one or two packets flow across. The connection lasts about 30–60 s and then drops.
Sorry, my firewall rules are a bit cluttered — I have been trying some other people’s rule sets to see whether it is a rule issue. Also still trying to move in.
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 X chain=input action=accept src-address=192.168.1.0/24 log=no log-prefix=""
2 X chain=forward action=accept src-address=192.168.1.0/24 log=no log-prefix=""
3 X chain=forward action=accept connection-nat-state=dstnat log=no log-prefix=""
4 X chain=input action=accept log=no log-prefix=""
5 X ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related log=no
log-prefix=""
6 X ;;; defconf: accept established,related (the stock defconf rule also matches untracked; this copy does not)
chain=input action=accept connection-state=established,related log=no log-prefix=""
7 X ;;; defconf: accept established,related (the stock defconf rule also matches untracked; this copy does not)
chain=forward action=accept connection-state=established,related log=no log-prefix=""
8 X chain=forward action=accept src-address=192.168.1.0/24 in-interface=Bridge out-interface-list=WAN log=no
log-prefix=""
9 X chain=forward action=jump jump-target=icmp protocol=icmp log=no log-prefix=""
10 X chain=input action=accept protocol=icmp log=no log-prefix=""
11 X chain=forward action=accept protocol=icmp log=no log-prefix=""
12 X chain=input action=accept protocol=udp dst-port=88,3074,53,800,3544,4500,500 log=no log-prefix=""
13 X chain=forward action=accept protocol=udp dst-port=88,3074,53,800,3544,4500,500 log=no log-prefix=""
14 X chain=forward action=accept protocol=tcp dst-port=3074,80,53,7680,23 log=no log-prefix=""
15 X chain=input action=accept protocol=tcp dst-port=3074,80,53,7680,23 log=no log-prefix=""
16 X chain=forward action=accept protocol=udp in-interface-list=LAN log=no log-prefix=""
17 X chain=input action=accept protocol=udp in-interface-list=LAN log=no log-prefix=""
18 X chain=input action=accept protocol=udp in-interface-list=WAN log=no log-prefix=""
19 X ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no
log-prefix="not des"
20 X ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
21 X ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
22 X chain=input action=drop protocol=tcp src-address-list=FTP brute force in-interface-list=WAN dst-port=21
log=no log-prefix=""
23 X chain=input action=drop src-address-list=not_in_internet in-interface-list=WAN log=no log-prefix=""
24 X chain=forward action=drop src-address-list=not_in_internet in-interface-list=WAN log=no log-prefix=""
25 X chain=forward action=drop dst-address-list=not_in_internet in-interface-list=LAN out-interface-list=WAN
log=yes log-prefix="not in lan"
26 X chain=input action=accept src-address=192.168.1.0/24 in-interface=!ether1 log=no log-prefix=""
27 X ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp in-interface-list=LAN log=no log-prefix=""
28 X ;;; drop forward traffic entering on LAN interfaces whose source address is outside 192.168.1.0/24 (anti-spoofing)
chain=forward action=drop src-address=!192.168.1.0/24 in-interface-list=LAN log=no log-prefix=""
29 X ;;; drop new connections from WAN that are NOT DST-NATed (duplicate of rule 19)
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no
log-prefix=""
30 X ;;; drop input packets with a non-unicast source address
chain=input action=drop src-address-type=!unicast log=no log-prefix=""
31 X chain=forward action=jump jump-target=tcp protocol=tcp log=no log-prefix=""
32 X chain=forward action=jump jump-target=udp protocol=udp log=no log-prefix=""
33 X chain=tcp action=drop connection-state=invalid protocol=tcp connection-type="" log=no log-prefix=""
34 X ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1 log=no log-prefix=""
35 X ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=yes log-prefix="not from lan"
36 X ;;; defconf: accept in ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec
37 X ;;; defconf: accept out ipsec policy
chain=forward action=accept log=no log-prefix="" ipsec-policy=out,ipsec
38 X chain=input action=drop log=no log-prefix=""
39 X chain=tcp action=drop protocol=tcp in-interface-list=WAN
dst-port=69,111,135,137-139,445,2049,12345-12346,20034,67-68 log=no log-prefix=""
40 X chain=udp action=drop protocol=udp in-interface-list=WAN dst-port=69,111,135,137-139,2049,3133 log=no
log-prefix=""
41 X chain=icmp action=accept protocol=icmp in-interface=ether1 in-interface-list=WAN icmp-options=0:0 log=no
log-prefix=""
42 X chain=icmp action=accept protocol=icmp in-interface=ether1 in-interface-list=WAN icmp-options=3:0 log=no
log-prefix=""
43 X chain=icmp action=accept protocol=icmp in-interface=ether1 in-interface-list=WAN icmp-options=8:0 log=no
log-prefix=""
44 X chain=icmp action=accept protocol=icmp in-interface=ether1 in-interface-list=WAN icmp-options=3:1 log=no
log-prefix=""
45 X chain=icmp action=accept protocol=icmp in-interface=ether1 in-interface-list=WAN icmp-options=3:4 log=no
log-prefix=""
46 X chain=icmp action=accept protocol=icmp in-interface=ether1 in-interface-list=WAN icmp-options=12:0 log=no
log-prefix=""
47 X chain=icmp action=accept protocol=icmp in-interface=ether1 in-interface-list=WAN icmp-options=11:0 log=no
log-prefix=""
48 X chain=icmp action=drop protocol=icmp in-interface-list=WAN log=no log-prefix=""
49 X chain=forward action=drop log=yes log-prefix="drop all"
50 ;;; INPUT accept established, related, untracked
chain=input action=accept connection-state=established,related,untracked
51 ;;; INPUT Drop Invalid
chain=input action=drop connection-state=invalid log-prefix="invalid connection"
52 ;;; INPUT Telnet port scans: add source to the "Port Scanners" list for 2d (no drop rule referencing that list is visible in this listing)
chain=input action=add-src-to-address-list protocol=tcp address-list=Port Scanners
address-list-timeout=2d in-interface=ether1 dst-port=23
53 ;;; INPUT DROP Rogue VPN Hosts
chain=input action=drop src-address-list=rogue_vpn_hosts in-interface=ether1 log=yes
log-prefix="rogue_vpn_hosts"
54 chain=input action=accept protocol=udp in-interface=ether1 dst-port=500
55 chain=input action=accept protocol=udp in-interface=ether1 dst-port=4500 log=yes log-prefix="who_is_this"
56 chain=input action=accept protocol=ipsec-esp in-interface=ether1
57 chain=input action=accept protocol=ipsec-ah in-interface=ether1
58 ;;; INPUT Allow UPnP SSDP (udp/1900) only from the UPnPdevices list (log-prefix has no effect here without log=yes)
chain=input action=accept protocol=udp src-address-list=UPnPdevices dst-port=1900 log-prefix="UPnP"
59 ;;; INPUT Allow UPnP control (tcp/2828) only from the UPnPdevices list (log-prefix has no effect here without log=yes)
chain=input action=accept protocol=tcp src-address-list=UPnPdevices dst-port=2828 log-prefix="UPnP"
60 ;;; INPUT Allow to Router from address list
chain=input action=accept src-address-list=allowed_to_router
61 ;;; INPUT ICMP
chain=input action=accept protocol=icmp
62 ;;; INPUT DROP ALL
chain=input action=drop
63 ;;; FORWARD Accept in IPsec policy
chain=forward action=accept ipsec-policy=in,ipsec
64 ;;; FORWARD Accept out IPsec policy
chain=forward action=accept ipsec-policy=out,ipsec
65 ;;; FORWARD Accept FastTrack Established, Related
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
66 ;;; FORWARD Accept Established, Related
chain=forward action=accept connection-state=established,related
67 ;;; FORWARD Drop invalid
chain=forward action=drop connection-state=invalid log-prefix="invalid"
68 ;;; FORWARD Drop traffic arriving on ether1 with a non-public source address (not_in_internet list)
chain=forward action=drop src-address-list=not_in_internet in-interface=ether1 log=yes
log-prefix="!public"
69 ;;; FORWARD Drop new connections from ether1 that were not DST-NATed (UPnP-opened ports pass this only via their dynamic dst-nat rule)
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1 log=yes
log-prefix="!NAT"
70 ;;; FORWARD Allow all traffic from the access_points list (no interface or direction restriction)
chain=forward action=accept src-address-list=access_points
71 ;;; FORWARD ALLOW Linux station access to printers
chain=forward action=accept src-address=192.168.40.50 dst-address-list=Printers