
Simon
I've installed ClearOS 7.5 and the miniupnpd app. I've spent a while trying to get open NAT (showing moderate on Xbox) but unfortunately have failed and cannot think of what else to try :(
Content filter, web proxy and nearly every other app stopped, still no joy :( Some games will work fine with moderate NAT but some won't work.

There's going to be more than one Xbox One on the network, which is why I'm trying to get UPnP working. Any ideas would be greatly welcomed.

Here are some details on the setup.

ifconfig | egrep "^(e|p)" -A 1

enp2s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 94.aaa.bbb.ccc netmask 255.255.255.0 broadcast 94.196.228.255
--
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.1 netmask 255.255.255.0 broadcast 10.10.10.255


route -n
 
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.8.1 0.0.0.0 UG 0 0 0 enp2s0
10.10.10.0 0.0.0.0 255.255.255.0 U 0 0 0 enp3s0
94.aaa.bbb.ccc 0.0.0.0 255.255.255.0 U 0 0 0 enp2s0
192.168.8.1 0.0.0.0 255.255.255.255 UH 0 0 0 enp2s0


iptables -L MINIUPNPD -n -v
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 10.10.10.240 udp dpt:3074


miniupnpd.conf
# WAN network interface
#ext_ifname=eth1
#ext_ifname=xl1
# if the WAN interface has several IP addresses, you
# can specify the one to use below
#ext_ip=

# LAN network interfaces IPs / networks
# there can be multiple listening ips for SSDP traffic.
# should be under the form nnn.nnn.nnn.nnn/nn
# HTTP is available on all interfaces
# When MULTIPLE_EXTERNAL_IP is enabled, the external ip
# address associated with the subnet follows. for example :
# listening_ip=192.168.0.1/24 88.22.44.13
#listening_ip=192.168.0.1/24
#listening_ip=192.168.1.1/24
#listening_ip=
# port for HTTP (descriptions and SOAP) traffic. set 0 for autoselect.
port=0

# path to the unix socket used to communicate with MiniSSDPd
# If running, MiniSSDPd will manage M-SEARCH answering.
# default is /var/run/minissdpd.sock
#minissdpdsocket=/var/run/minissdpd.sock

# enable NAT-PMP support (default is no)
enable_natpmp=yes

# enable UPNP support (default is yes)
enable_upnp=yes

# chain names for netfilter (not used for pf or ipf).
# default is MINIUPNPD for both
#upnp_forward_chain=forwardUPnP
#upnp_nat_chain=UPnP

# lease file location
lease_file=/var/lib/miniupnpd/upnp.leases

# bitrates reported by daemon in bits per second
bitrate_up=1000000
bitrate_down=10000000

# "secure" mode : when enabled, UPnP client are allowed to add mappings only
# to their IP.
secure_mode=yes
#secure_mode=no

# default presentation url is http address on port 80
# If set to an empty string, no presentationURL element will appear
# in the XML description of the device, which prevents MS Windows
# from displaying an icon in the "Network Connections" panel.
#presentation_url=http://www.mylan/index.php

# report system uptime instead of daemon uptime
system_uptime=yes

# notify interval in seconds. default is 30 seconds.
#notify_interval=240
notify_interval=60

# unused rules cleaning.
# never remove any rule before this threshold for the number
# of redirections is exceeded. default to 20
#clean_ruleset_threshold=10
# clean process work interval in seconds. default to 0 (disabled).
# a 600 seconds (10 minutes) interval makes sense
clean_ruleset_interval=600

# log packets in pf
#packet_log=no

# ALTQ queue in pf
# filter rules must be used for this to be used.
# compile with PF_ENABLE_FILTER_RULES (see config.h file)
#queue=queue_name1

# tag name in pf
#tag=tag_name1

# make filter rules in pf quick or not. default is yes
# active when compiled with PF_ENABLE_FILTER_RULES (see config.h file)
#quickrules=no

# uuid : generate your own with "make genuuid"
uuid=60943e58-b9ff-42bc-a825-5cd04c359f57

# serial and model number the daemon will report to clients
# in its XML description
serial=12345678
model_number=1

# UPnP permission rules
# (allow|deny) (external port range) ip/mask (internal port range)
# A port range is <min port>-<max port> or <port> if there is only
# one port in the range.
# ip/mask format must be nn.nn.nn.nn/nn
# it is advised to only allow redirection of port above 1024
# and to finish the rule set with "deny 0-65535 0.0.0.0/0 0-65535"
allow 1024-65535 10.10.10.240/24 1024-65535
#allow 1024-65535 192.168.0.0/16 1024-65535
#allow 1024-65535 10.0.0.0/8 1024-65535
#allow 1024-65535 172.16.0.0/12 1024-65535
deny 0-65535 0.0.0.0/0 0-65535


Some miniupnp debug data
May 11 12:41:33 server.local miniupnpd[26464]: parsing lease file line 'UDP:3074:10.10.10.240:3074:0:Teredo 10.10.10.240:3074->3074 UDP'
May 11 12:41:33 server.local miniupnpd[26464]: miniupnpd[26464]: UPnP permission rule 0 matched : port mapping accepted
May 11 12:41:33 server.local miniupnpd[26464]: UPnP permission rule 0 matched : port mapping accepted
May 11 12:41:33 server.local miniupnpd[26464]: miniupnpd[26464]: redirecting port 3074 to 10.10.10.240:3074 protocol UDP for: Teredo 10.10.10.240:3074->3074 UDP
May 11 12:41:33 server.local miniupnpd[26464]: redirecting port 3074 to 10.10.10.240:3074 protocol UDP for: Teredo 10.10.10.240:3074->3074 UDP
May 11 12:41:33 server.local miniupnpd[26464]: version 2.1 starting NAT-PMP/PCP UPnP-IGD ext if enp2s0 BOOTID=1557574893
May 11 12:41:33 server.local miniupnpd[26464]: miniupnpd[26464]: version 2.1 starting NAT-PMP/PCP UPnP-IGD ext if enp2s0 BOOTID=1557574893
May 11 12:41:33 server.local miniupnpd[26464]: miniupnpd[26464]: HTTP listening on port 37124
May 11 12:41:33 server.local miniupnpd[26464]: miniupnpd[26464]: Listening for NAT-PMP/PCP traffic on port 5351
May 11 12:41:33 server.local miniupnpd[26464]: HTTP listening on port 37124
May 11 12:41:33 server.local miniupnpd[26464]: Listening for NAT-PMP/PCP traffic on port 5351
May 11 12:41:34 server.local miniupnpd[26464]: HTTP REQUEST from 10.10.10.240:49427 : GET /rootDesc.xml (HTTP/1.1)
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: HTTP REQUEST from 10.10.10.240:49427 : GET /rootDesc.xml (HTTP/1.1)
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: Host: 10.10.10.1:37124
May 11 12:41:34 server.local miniupnpd[26464]: Host: 10.10.10.1:37124
May 11 12:41:34 server.local miniupnpd[26464]: HTTP REQUEST from 10.10.10.240:49428 : GET /L3F.xml (HTTP/1.1)
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: HTTP REQUEST from 10.10.10.240:49428 : GET /L3F.xml (HTTP/1.1)
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: Host: 10.10.10.1:37124
May 11 12:41:34 server.local miniupnpd[26464]: Host: 10.10.10.1:37124
May 11 12:41:34 server.local miniupnpd[26464]: HTTP REQUEST from 10.10.10.240:50688 : SUBSCRIBE /evt/L3F (HTTP/1.1)
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: HTTP REQUEST from 10.10.10.240:50688 : SUBSCRIBE /evt/L3F (HTTP/1.1)
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: Host: 10.10.10.1:37124
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: ProcessHTTPSubscribe /evt/L3F
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: Callback '<http://10.10.10.240:2869/upnp/eventing/gpjhusovkb>' Timeout=1800
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: SID ''
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: addSubscriber(/evt/L3F, http://10.10.10.240:2869/upnp/eventing/gpjhusovkb, 1800)
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: generated sid=uuid:60943e58-b9ff-42bc-a825-5cd04c35524f
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: upnpevents_selectfds: 0x25b1560 1 10
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: upnp_event_notify_connect: '10.10.10.240' 2869 '/upnp/eventing/gpjhusovkb'
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: upnpevents_processfds: 0x25b1560 2 10 0 1
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: upnp_event_send: sending event notify message to 10.10.10.240:2869
May 11 12:41:34 server.local miniupnpd[26464]: miniupnpd[26464]: upnp_event_send: msg: NOTIFY /upnp/eventing/gpjhusovkb HTTP/1.1
May 11 12:41:34 server.local miniupnpd[26464]: Host: 10.10.10.240:2869
May 11 12:41:34 server.local miniupnpd[26464]: Content-Type: text/xml; charset="utf-8"
May 11 12:41:34 server.local miniupnpd[26464]: Content-Length: 249
May 11 12:41:34 server.local miniupnpd[26464]: NT: upnp:event
May 11 12:41:34 server.local miniupnpd[26464]: NTS: upnp:propchange
May 11 12:41:34 server.local miniupnpd[26464]: SID: uuid:60943e58-b9ff-42bc-a825-5cd04c35524f
May 11 12:41:34 server.local miniupnpd[26464]: SEQ: 0
May 11 12:41:34 server.local miniupnpd[26464]: Connection: close
May 11 12:41:34 server.local miniupnpd[26464]: Cache-Control: no-cache
Saturday, May 11 2019, 12:48 PM
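The debug log above shows the daemon's decision for the Xbox's request ("UPnP permission rule 0 matched : port mapping accepted"). That decision comes from the `allow`/`deny` lines in miniupnpd.conf: the first rule whose external port range, internal ip/mask and internal port range all match decides, and a request that matches no rule is accepted by default, which is why the config comment advises ending with `deny 0-65535 0.0.0.0/0 0-65535`. The evaluator below, an added example and not code from the thread or from the miniupnpd project, replays that logic (plus the `secure_mode=yes` restriction that a client may only map its own address) against the posted rules. The two config fragments are constructed from the rules in the thread and the later suggestion to widen them to `0-65535`.

```python
"""Evaluate miniupnpd-style 'allow|deny' permission rules against a requested
port mapping, the way the daemon decides whether to add a redirect.

Added example; not code from the thread or from the miniupnpd project. Rule
semantics follow the documented format: first matching rule decides, and a
request matching no rule is accepted by default.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# allow|deny <ext port or min-max> <ip/mask> <int port or min-max>
RULE_RE = re.compile(
    r"^(allow|deny)\s+(\d+)(?:-(\d+))?\s+(\S+)\s+(\d+)(?:-(\d+))?$"
)


@dataclass
class Permission:
    allow: bool
    eport: Tuple[int, int]
    network: ipaddress.IPv4Network
    iport: Tuple[int, int]


def parse_rules(conf_text: str) -> List[Permission]:
    """Pull the allow/deny lines out of a miniupnpd.conf body; other
    directives and comments are ignored."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith(("allow", "deny")):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"malformed permission rule: {raw!r}")
        kind, e1, e2, net, i1, i2 = m.groups()
        rules.append(Permission(
            allow=(kind == "allow"),
            eport=(int(e1), int(e2 or e1)),
            # strict=False masks the host bits, so 10.10.10.240/24 becomes
            # 10.10.10.0/24, which is how an ip/mask rule is applied
            network=ipaddress.ip_network(net, strict=False),
            iport=(int(i1), int(i2 or i1)),
        ))
    return rules


def matches(rule: Permission, eport: int, iaddr: str, iport: int) -> bool:
    return (rule.eport[0] <= eport <= rule.eport[1]
            and ipaddress.ip_address(iaddr) in rule.network
            and rule.iport[0] <= iport <= rule.iport[1])


def decide(rules, eport, iaddr, iport, client=None, secure_mode=False) -> str:
    """Verdict for a requested mapping eport -> iaddr:iport.

    `client` is the LAN address the request came from; with secure_mode a
    client may only create mappings that point at itself."""
    if secure_mode and client is not None and client != iaddr:
        return "rejected: secure_mode, client may only map its own address"
    for idx, rule in enumerate(rules):
        if matches(rule, eport, iaddr, iport):
            verdict = "accepted" if rule.allow else "rejected"
            return f"rule {idx} matched: {verdict}"
    return "accepted by default (no rule matched)"


# Constructed fragment mirroring the rules posted in the thread.
CONF_FROM_THREAD = """
allow 1024-65535 10.10.10.240/24 1024-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

# The later suggestion in the thread: open the low ports too.
CONF_WIDENED = """
allow 0-65535 10.10.10.240/24 0-65535
deny 0-65535 0.0.0.0/0 0-65535
"""

if __name__ == "__main__":
    rules = parse_rules(CONF_FROM_THREAD)
    # The Xbox Live/Teredo mapping from the log: UDP 3074 -> 10.10.10.240:3074
    print(decide(rules, 3074, "10.10.10.240", 3074,
                 client="10.10.10.240", secure_mode=True))
    # A port below 1024 falls through to the final deny with the posted rules
    print(decide(rules, 500, "10.10.10.240", 500))
    print(decide(parse_rules(CONF_WIDENED), 500, "10.10.10.240", 500))
    # Another LAN host trying to map the Xbox's port is stopped by secure_mode
    print(decide(rules, 3074, "10.10.10.240", 3074,
                 client="10.10.10.50", secure_mode=True))
```

Two things worth checking with it: without the trailing `deny` line a request for any port, including ones below 1024, is accepted by default, and the `/24` in `10.10.10.240/24` covers the whole LAN, not just the Xbox, so any host in 10.10.10.0/24 can open high ports to itself.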
Responses (8)
  • Sunday, May 26 2019, 03:29 AM
    try expanding your ports "allow 0-65535 10.10.10.240/24 0-65535"
  • Saturday, May 25 2019, 08:36 PM
    Working out if your ISP is blocking something is difficult. The best tool is tcpdump but you get too much information. You have to watch the outgoing packets and try to work out which don't have return packets. If it is packets initiated by the remote end to your DLNA ports that are missing, you have no chance of determining these. All you can do is research your game and console and see if you can find out what their servers are.
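The approach in the reply above (pair each outgoing packet with its return traffic and list the flows that got none) can be scripted rather than eyeballed. The following is an added example, not code from the thread: it parses the line format of `tcpdump -nn -l -i enp3s0` captured on the LAN side, keys flows from the LAN host's point of view, and reports those with packets out but nothing back. The sample capture is constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), not taken from the poster's network.

```python
"""Spot outbound flows that never see a reply in a tcpdump text capture.

Added example, not from the thread. Input lines are in the format printed by
`tcpdump -nn -l -i <lan-if>` (assumed); the sample below is constructed.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)

# proto, lan ip, lan port, remote ip, remote port
Flow = Tuple[str, str, int, str, int]


def _proto(rest: str):
    """tcpdump prints 'UDP, length N' for UDP and 'Flags [...]' for TCP."""
    if rest.startswith("UDP"):
        return "udp"
    if rest.startswith("Flags ["):
        return "tcp"
    return None  # ICMP, ARP and friends are not flows we pair up


def tally_flows(lines, lan_net: str) -> Dict[Flow, List[int]]:
    """Return {flow: [packets_out, packets_in]} keyed from the LAN host's view."""
    lan = ipaddress.ip_network(lan_net)
    counts: Dict[Flow, List[int]] = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto = _proto(m["rest"])
        if proto is None:
            continue
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src in lan and dst not in lan:      # outbound
            key = (proto, m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
            counts[key][0] += 1
        elif dst in lan and src not in lan:    # return traffic
            key = (proto, m["dst"], int(m["dport"]), m["src"], int(m["sport"]))
            counts[key][1] += 1
    return counts


def unanswered(lines, lan_net: str = "10.10.10.0/24") -> List[Flow]:
    """Flows with outbound packets but no return packets, most-sent first."""
    counts = tally_flows(lines, lan_net)
    dead = [(f, c) for f, c in counts.items() if c[0] > 0 and c[1] == 0]
    dead.sort(key=lambda fc: -fc[1][0])
    return [f for f, _ in dead]


# Constructed sample: one answered game flow, one that is retried with no
# reply, one completed TCP handshake and one SYN that is retransmitted.
SAMPLE = """\
12:41:40.100100 IP 10.10.10.240.3074 > 203.0.113.10.3074: UDP, length 60
12:41:40.180200 IP 203.0.113.10.3074 > 10.10.10.240.3074: UDP, length 80
12:41:41.010000 IP 10.10.10.240.3074 > 198.51.100.7.3074: UDP, length 60
12:41:42.010000 IP 10.10.10.240.3074 > 198.51.100.7.3074: UDP, length 60
12:41:43.010000 IP 10.10.10.240.3074 > 198.51.100.7.3074: UDP, length 60
12:41:44.200000 IP 10.10.10.240.49152 > 203.0.113.20.443: Flags [S], seq 1, win 64240, length 0
12:41:44.240000 IP 203.0.113.20.443 > 10.10.10.240.49152: Flags [S.], seq 9, ack 2, win 65535, length 0
12:41:45.000000 IP 10.10.10.240.49153 > 198.51.100.9.443: Flags [S], seq 5, win 64240, length 0
12:41:46.000000 IP 10.10.10.240.49153 > 198.51.100.9.443: Flags [S], seq 5, win 64240, length 0
""".splitlines()

if __name__ == "__main__":
    for proto, lip, lport, rip, rport in unanswered(SAMPLE):
        print(f"{proto} {lip}:{lport} -> {rip}:{rport}: sent, nothing came back")
```

Capturing on the LAN interface keeps the Xbox's own address in the output; on the WAN side (`-i enp2s0`) the source would be the NATed 94.aaa.bbb.ccc and you would key on the remote end only. As the reply notes, this only finds flows the console started: a server that tries to reach you first and is dropped upstream never appears in the capture at all.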
  • Simon, Saturday, May 25 2019, 05:53 PM
    Hi Nick, thanks for your help on this. I've managed to finally nail down the issue.

    ClearOS and miniupnp are working fine; it turns out that there was an issue with the firmware in the network box. It allowed incoming connections when ClearOS was put in DMZ (initial testing for external web access) but when put into bridge mode it seemed to go into lockdown and block all incoming.

    Once I'd updated the firmware on the mobile box I could then get NAT to be open, but I'm still having issues with one of the game servers, which I now suspect is IP blocked by the mobile operator. Not sure how to go about that as I'd need to find out the IP involved and I don't really know how to pull these details.

    Thanks again for your help.
  • Saturday, May 11 2019, 04:48 PM
    OK so I've misunderstood the set up and it is good that the IP is routable. It has not been the case for me on a couple of connections I've tried.

    Can you do:
    grep miniupnp-options /var/log/messages
    It will show the miniupnp startup options used. It does look like I am going to have to add a listener for network changes.

    I think on the old Xbox you had to change the low port from 1024 to 0 in the "allow" line in miniupnpd.conf. It is worth trying.

    There is a miniupnp tester on the miniupnp site here which you can run on a Windows box to check it is working. From the zip file, run:
    upnpc-static -l
    You should get output like this and there is a bit more debugging info in the thread.
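What `upnpc-static -l` (and the Xbox, per the `GET /rootDesc.xml` lines in the debug log) actually does is a short exchange: an SSDP M-SEARCH, an HTTP GET of the LOCATION the gateway answers with, a walk of that device description to the WANIPConnection control URL, and then a SOAP POST such as AddPortMapping. The code below is an added example, not from the thread or the miniupnp project, that builds and parses each of those messages offline. The SSDP reply and the cut-down rootDesc.xml are constructed stand-ins (the SERVER string and the `/ctl/IPConn` path are assumptions); only the 10.10.10.1:37124 address and the uuid come from the thread.

```python
"""Walk the UPnP IGD path a client such as upnpc or an Xbox takes: SSDP
M-SEARCH, the device description at LOCATION, the WANIPConnection control
URL, and finally the AddPortMapping SOAP call.

Added example, not code from the thread or the miniupnp project. The SSDP
reply and rootDesc.xml below are constructed stand-ins so everything runs
offline; a real client multicasts the M-SEARCH to 239.255.255.250:1900,
HTTP-GETs LOCATION and POSTs the SOAP body to the control URL.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin
from xml.sax.saxutils import escape

SSDP_HOST = "239.255.255.250:1900"
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP_ST = "urn:schemas-upnp-org:service:WANIPConnection:1"
DEV_NS = "urn:schemas-upnp-org:device-1-0"
NS = {"d": DEV_NS}


def msearch_request(st: str = IGD_ST, mx: int = 2) -> bytes:
    """Discovery datagram; `upnpc -l` sends the equivalent."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_HOST}\r\nST: {st}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\n\r\n').encode()


def parse_ssdp_reply(datagram: bytes) -> dict:
    """Headers of the unicast reply, keys lower-cased."""
    lines = datagram.decode("latin-1").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP OK reply")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def find_control_url(location: str, root_desc_xml: str,
                     service_type: str = WANIP_ST) -> str:
    """Absolute controlURL of the first service of the given type anywhere in
    the device tree (IGD -> WANDevice -> WANConnectionDevice -> service)."""
    root = ET.fromstring(root_desc_xml)
    base = root.findtext("d:URLBase", default=location, namespaces=NS)
    for svc in root.iter(f"{{{DEV_NS}}}service"):
        if svc.findtext("d:serviceType", namespaces=NS) == service_type:
            return urljoin(base, svc.findtext("d:controlURL", namespaces=NS))
    raise LookupError(f"{service_type} not advertised by this gateway")


def add_port_mapping_request(ext_port, proto, int_port, int_client, desc,
                             lease=0):
    """(SOAPAction header value, request body) for AddPortMapping."""
    args = {
        "NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto,
        "NewInternalPort": int_port, "NewInternalClient": int_client,
        "NewEnabled": 1, "NewPortMappingDescription": desc,
        "NewLeaseDuration": lease,
    }
    fields = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args.items())
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:AddPortMapping xmlns:u="{WANIP_ST}">{fields}'
            '</u:AddPortMapping></s:Body></s:Envelope>')
    return f'"{WANIP_ST}#AddPortMapping"', body


# Constructed SSDP reply from the gateway (address and uuid as in the thread;
# the SERVER string is made up).
SSDP_REPLY = (
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=120\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:60943e58-b9ff-42bc-a825-5cd04c359f57::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"LOCATION: http://10.10.10.1:37124/rootDesc.xml\r\n"
    b"SERVER: Linux UPnP/1.1 MiniUPnPd/2.1\r\n\r\n")

# Constructed, cut-down rootDesc.xml with only the service we need.
ROOT_DESC = f"""<root xmlns="{DEV_NS}">
 <device><deviceType>{IGD_ST}</deviceType><deviceList>
  <device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType><deviceList>
   <device><deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
    <serviceList><service><serviceType>{WANIP_ST}</serviceType>
     <serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId>
     <controlURL>/ctl/IPConn</controlURL><eventSubURL>/evt/IPConn</eventSubURL>
     <SCPDURL>/WANIPCn.xml</SCPDURL></service></serviceList>
   </device></deviceList></device></deviceList></device></root>"""

if __name__ == "__main__":
    print(msearch_request().decode(), end="")
    hdrs = parse_ssdp_reply(SSDP_REPLY)
    ctl = find_control_url(hdrs["location"], ROOT_DESC)
    action, body = add_port_mapping_request(3074, "UDP", 3074, "10.10.10.240", "Xbox")
    print(f"POST {ctl}\nSOAPAction: {action}\n\n{body}")
```

Nothing in this exchange is authenticated: any host that can reach the HTTP port the daemon picked (37124 in the log) can issue AddPortMapping, which is what the `allow`/`deny` rules and `secure_mode=yes` in miniupnpd.conf are there to constrain. Keep the daemon bound to the LAN side only.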
  • Simon, Saturday, May 11 2019, 03:44 PM
    Google reports the same IP as the bridge assigns. I managed to bring up the ClearOS web interface over the internet when I first set it up, and then I quickly turned that access off :)
  • Saturday, May 11 2019, 03:13 PM
    I don't want to be the bearer of bad news but I think you are doomed. If you google "what is my IP" you'll probably find it is not the 94.aaa.bbb.ccc because, after that, it goes via a load of private IPs. Similarly, if you do a traceroute to 8.8.8.8 you'll go via private IPs. This means you need to control all the port forwarding through all the private networks to the IP address that Google returns and that is beyond the scope of UPnP. It also means you won't be able to access anything on ClearOS from the internet. On the plus side, you don't need to munge your WAN IP!
  • Simon, Saturday, May 11 2019, 01:55 PM
    Hi Nick,

    192.168.8.1 is a 4G box set in bridge mode. (Phone line ADSL is 3Mbps, 4G is 50+Mbps, so you can see why I use it)
    10.10.10.1 is the ClearOS box
    10.10.10.240 is the Xbox One
    94.aaa.bbb.ccc is from the internet connection (in ifconfig it actually shows as 94.aaa.bbb.0)

    WAN = enp2s0
    LAN = enp3s0

    On the LAN side is a wireless access point that issues DHCP on the 10.10.10.0 network and those devices access the internet fine. I'd just like to get the Xbox with an open NAT, which should happen with miniupnpd?
  • Saturday, May 11 2019, 01:17 PM
    I am curious about your WAN. ifconfig gives it a public IP so what is 192.168.8.1? This is a private, non-routable IP. Are you using something like 4G to connect to the internet?