miniupnp.tuxfamily.org
The forum about miniupnp and libnatpmp

Configuration for IPv6 on openwrt / lede

 
LinuxfarmerHH
Guest

Posted: Fri Aug 25, 2017 2:17 pm    Post subject: Configuration for IPv6 on openwrt / lede

Seems that I have miniupnpd 2.0.20170421-2 on my LEDE router.

The graphical LuCI frontend in LEDE and OpenWrt does not offer miniupnpd support for IPv6, but it should be possible to configure that from the SSH login. There is no help for the IPv6 side at OpenWrt and LEDE, and no offered config file to look inside.

But as so-called DS-Lite internet access is spreading here, port forwarding must be done at the IPv6 level, because IPv4 is shared. -> RFC6598

For testing reasons I tried this without success.

config upnpd 'config'
option download '1024'
option upload '512'
option internal_iface 'lan'
option port '5000'
option upnp_lease_file '/var/upnp.leases'
option enabled '1'
option uuid '8ddee5c9-1afd-4244-9c7c-1acebce29'
option enable_natpmp '0'

config perm_rule
option action 'allow'
option ext_ports '1025-65535'
option int_addr '::/a7f'
option int_ports '1025-65535'
option comment 'Windows IPv6 PC'

config perm_rule
option action 'deny'
option ext_ports '0-65535'
option int_addr '::/0'
option int_ports '0-65535'
option comment 'Default deny IPv6'

config perm_rule
option action 'deny'
option ext_ports '0-65535'
option int_addr '0.0.0.0/0'
option int_ports '0-65535'
option comment 'Default deny IPv4'

miniupnp
Site Admin
Joined: 14 Apr 2007
Posts: 1589

Posted: Sat Sep 02, 2017 9:48 am

I don't understand what you are trying to do.
Does miniupnpd respond to IPv6 SSDP queries?
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/

LinuxfarmerHH
Guest

Posted: Sat Sep 02, 2017 8:14 pm

I would like miniupnpd to only pinhole for the ::e7e computer in the IPv6 range. I tried with scan6 but got no response as a result, because there is some kind of config error.

parsing error file /var/etc/miniupnpd.conf line 13 : allow 1025
parsing error file /var/etc/miniupnpd.conf line 14 : deny 0

Found that in this config file.

ext_ifname=eth0.2
listening_ip=br-lan
port=5000
enable_natpmp=no
enable_upnp=yes
secure_mode=yes
pcp_allow_thirdparty=no
system_uptime=yes
lease_file=/var/upnp.leases
bitrate_down=8388608
bitrate_up=4194304
uuid=8ddee5c9-1afd-4244-9c7c-1acf302936d9
allow 1025-65535 ::/e7e 1025-65535
deny 0-65535 ::/0 0-65535

How should those lines look?

miniupnp
Site Admin

Posted: Sun Sep 03, 2017 2:43 pm

Quote:
allow 1025-65535 ::/e7e 1025-65535
deny 0-65535 ::/0 0-65535

allow / deny are only used for IPv4 port mappings.
If you need IPv6 "Firewall pinholes" support, please make sure miniupnpd is compiled with support for it. That means IGDv2 support and IPv6 support.
Code:
./genconfig.sh --ipv6 --igd2


http://upnp.org/specs/gw/UPnP-gw-WANIPv6FirewallControl-v1-Service.pdf
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
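
Why the two rules quoted in the reply above are reported as parsing errors, as an added example (not miniupnpd's code and not written by either poster): a POSIX shell pre-check that accepts only the IPv4 form of `allow` / `deny` lines. The function names, the constructed sample config and the restriction to prefix-length masks are assumptions of this example.

```shell
# Added example (assumed rule shape): (allow|deny) <ext ports> <IPv4>[/<bits>] <int ports>
valid_ports() {   # "n" or "min-max" with 0 <= min <= max <= 65535
    case "$1" in ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;; esac
    lo=${1%-*}; hi=${1#*-}
    [ "${#lo}" -le 5 ] && [ "${#hi}" -le 5 ] || return 1
    [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ]
}
valid_ipv4_net() {   # dotted quad, optional /0../32 (prefix-length form only)
    addr=${1%%/*}; bits=32
    case "$1" in */*) bits=${1#*/} ;; esac
    case "$bits" in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# Reads a config on stdin, prints "line N: <problem>: <rule>" per rejected rule; returns 0 if none.
lint_rules() {
    n=0; bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f
        case "$1" in allow|deny) ;; *) continue ;; esac
        if [ $# -ne 4 ]; then why="expected 4 fields"
        elif ! valid_ports "$2"; then why="bad external port range"
        elif ! valid_ipv4_net "$3"; then why="not an IPv4 address/mask"
        elif ! valid_ports "$4"; then why="bad internal port range"
        else continue
        fi
        bad=$((bad + 1))
        echo "line $n: $why: $line"
    done
    [ "$bad" -eq 0 ]
}

sample_conf() {   # constructed input: the thread's two rules plus IPv4 ones
    cat <<'EOF'
ext_ifname=eth0.2
allow 1025-65535 ::/e7e 1025-65535
deny 0-65535 ::/0 0-65535
allow 1025-65535 192.168.1.0/24 1025-65535
deny 0-65535 0.0.0.0/0 0-65535
EOF
}
sample_conf | lint_rules || echo "rules above would be rejected"
```

On the router the same check can be run as `lint_rules < /var/etc/miniupnpd.conf` before restarting the daemon.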

LinuxfarmerHH
Guest

Posted: Sun Sep 03, 2017 3:14 pm

Checked that it is compiled with --IGD2 and -IPV6; now with more logging I can see this.

Sun Sep 3 14:55:48 2017 daemon.info miniupnpd[2917]: system uptime is 414602 seconds
Sun Sep 3 14:55:48 2017 daemon.info miniupnpd[2917]: Reloading rules from lease file
Sun Sep 3 14:55:48 2017 daemon.info miniupnpd[2917]: version 2.0 starting UPnP-IGD ext if eth0.2 BOOTID=1504450548
Sun Sep 3 14:55:48 2017 daemon.notice miniupnpd[2917]: HTTP listening on port 5000
Sun Sep 3 14:55:48 2017 daemon.notice miniupnpd[2917]: HTTP IPv6 address given to control points : [2a02:2028:cb80:2e00::1]

Is there any example for the ipv6 ACL lines?

miniupnp
Site Admin

Posted: Sun Sep 03, 2017 7:27 pm

There is no ACL for IPv6 pinholes.
That feature is rarely used. Most users stick to IGD1 as IGD2 causes compatibility issues.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/

LinuxfarmerHH
Guest

Posted: Tue Oct 03, 2017 7:41 am

Is it possible to limit the port forward range to the upper ports from 1024 for security reasons?
Please insert config examples into the readme or howto file.

miniupnp
Site Admin

Posted: Mon Oct 23, 2017 9:37 am

I think you need to patch at source level to do so.
_________________
Main miniUPnP author.
https://miniupnp.tuxfamily.org/
© 2007 Thomas Bernard, author of MiniUPNP.